
Vulnerability Scanning Module

CVE-based security scanning with risk assessment and remediation guidance to protect your infrastructure from known vulnerabilities.

Overview

The Vulnerability Scanning module correlates your installed software against multiple CVE databases to identify security vulnerabilities. It provides risk scoring, severity classification, and actionable remediation steps to help you prioritize and address security issues.

Example risk gauge: Risk Score 35 (MEDIUM)

Risk Scoring System

Each host receives a risk score from 0-100, calculated based on the number and severity of vulnerabilities found:

Risk Score   Risk Level   Recommended Action
75-100       CRITICAL     Immediate patching required - critical vulnerabilities present
50-74        HIGH         Priority attention - schedule patches within 24-48 hours
25-49        MEDIUM       Plan remediation - address in next maintenance window
1-24         LOW          Monitor - low severity issues, patch when convenient
0            NONE         No known vulnerabilities detected

CVE Data Sources

Vulnerability data is aggregated from multiple authoritative sources:

  • NIST NVD - National Vulnerability Database: comprehensive CVE data with CVSS scoring
  • Ubuntu Security - Ubuntu Security Notices (USN) for Debian/Ubuntu package vulnerabilities
  • Red Hat Security - Red Hat Security Advisories (RHSA) for RHEL/CentOS/Fedora vulnerabilities
  • FreeBSD VuXML - FreeBSD Vulnerability XML database for BSD package vulnerabilities

Severity Classification

Vulnerabilities are classified by severity using CVSS scores:

  • Critical (9.0-10.0): Severe impact - remote code execution, privilege escalation
  • High (7.0-8.9): Significant impact - data exposure, service disruption
  • Medium (4.0-6.9): Moderate impact - limited access or denial of service
  • Low (0.1-3.9): Minor impact - information disclosure, minor bugs

Scanning Process

The vulnerability engine performs the following steps:

  1. Collects software inventory from the host agent
  2. Matches installed packages against the CVE database
  3. Compares versions to identify vulnerable software
  4. Calculates risk score based on severity distribution
  5. Generates remediation recommendations
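
The five steps above, together with the severity bands and the risk-score table earlier on this page, as an added Python example that is not SysManage's own code: a constructed package inventory is matched against a constructed CVE feed (placeholder CVE IDs), installed versions are compared with the fixed versions to find vulnerable packages, findings are classified by CVSS band, and a risk score is computed and mapped to the documented risk level and action. The version ordering and the per-severity score weights are assumptions for illustration; the product's actual comparison rules and scoring formula are not documented on this page.

```python
import re

# Constructed sample inventory, as a host agent might report it (package -> installed version)
INVENTORY = {
    "openssl": "3.0.2-0ubuntu1.10",
    "curl": "7.81.0-1ubuntu1.16",
    "sudo": "1.9.9-1ubuntu2",
    "vim": "2:8.2.3995-1ubuntu2.15",
    "bash": "5.1-6ubuntu1",
}

# Constructed CVE records with placeholder IDs (not real advisories):
# "fixed" is the first version that is no longer affected
CVE_FEED = [
    {"id": "CVE-0000-0001", "package": "openssl", "fixed": "3.0.2-0ubuntu1.12", "cvss": 7.5},
    {"id": "CVE-0000-0002", "package": "curl", "fixed": "7.81.0-1ubuntu1.15", "cvss": 8.8},
    {"id": "CVE-0000-0003", "package": "sudo", "fixed": "1.9.9-1ubuntu2.4", "cvss": 9.8},
    {"id": "CVE-0000-0004", "package": "vim", "fixed": "2:8.2.3995-1ubuntu2.16", "cvss": 5.5},
    {"id": "CVE-0000-0005", "package": "nginx", "fixed": "1.18.0-6ubuntu14.4", "cvss": 7.2},
]


def version_key(version):
    """Simplified ordering (an assumption): split on separators, numeric parts compare
    as integers, other parts as strings. Real scanners apply dpkg/rpm/pkg rules."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.:\-+~]", version)]


def severity(cvss):
    """Severity bands from the documentation's CVSS table."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


# Assumed weights per severity; the product's actual formula is not documented here
WEIGHTS = {"Critical": 40, "High": 20, "Medium": 10, "Low": 3}

# Risk bands and recommended actions from the documentation's risk-score table
RISK_LEVELS = [
    (75, "CRITICAL", "Immediate patching required"),
    (50, "HIGH", "Schedule patches within 24-48 hours"),
    (25, "MEDIUM", "Address in next maintenance window"),
    (1, "LOW", "Patch when convenient"),
    (0, "NONE", "No known vulnerabilities detected"),
]


def match_vulnerabilities(inventory, feed):
    """Steps 2-3: keep CVEs whose package is installed at a version below the fix."""
    findings = []
    for record in feed:
        installed = inventory.get(record["package"])
        if installed is None:
            continue  # package not present on this host
        if version_key(installed) < version_key(record["fixed"]):
            findings.append({**record, "installed": installed, "severity": severity(record["cvss"])})
    return findings


def risk_score(findings):
    """Step 4: weighted sum of findings by severity, capped at 100 (assumed formula)."""
    return min(100, sum(WEIGHTS[f["severity"]] for f in findings))


def risk_level(score):
    """Map a 0-100 score to the documented risk level and recommended action."""
    for floor, level, action in RISK_LEVELS:
        if score >= floor:
            return level, action
    return "NONE", RISK_LEVELS[-1][2]


def remediation(findings):
    """Step 5: one upgrade target per affected package."""
    return {f["package"]: f["fixed"] for f in findings}


def scan(inventory, feed):
    """Run all five steps and return a single report dictionary."""
    findings = match_vulnerabilities(inventory, feed)
    score = risk_score(findings)
    level, action = risk_level(score)
    return {"score": score, "level": level, "action": action,
            "findings": findings, "remediation": remediation(findings)}


if __name__ == "__main__":
    result = scan(INVENTORY, CVE_FEED)
    print(f"Risk score {result['score']} ({result['level']}): {result['action']}")
    for f in result["findings"]:
        print(f"  {f['id']} {f['package']} {f['installed']} -> fix in {f['fixed']} [{f['severity']}]")
```

Version comparison is the step where package-level scanners most often produce false results: distributions backport fixes without changing the upstream version number, so a scanner keyed on upstream versions alone will report patched packages as vulnerable. That is why the distribution-specific feeds listed above (USN, RHSA, VuXML) matter alongside NVD, and why production code should use the package manager's own comparison rules rather than the simplified ordering in this example.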

CVE Database Refresh

The CVE database can be configured to refresh automatically:

  • Configurable refresh interval (1-168 hours)
  • Enable/disable specific data sources
  • Optional NVD API key for higher rate limits
  • Manual refresh option for immediate updates

Configure CVE refresh settings in Settings > CVE Database Refresh.

Using Vulnerability Scanning

Viewing Scan Results

Vulnerability scan results are accessible from the Vulnerabilities tab on the Host Detail page. The tab displays:

  • Overall risk score and risk level
  • Vulnerability counts by severity
  • Detailed CVE information with package names
  • Remediation guidance and fixed versions

Running a Scan

Click the "Run Scan" button on the Vulnerabilities tab to perform a new vulnerability scan. Scan results are cached until a new scan is requested.

Scan History

Track vulnerability trends over time to monitor improvements in your security posture. Historical data helps validate patching efforts and identify regressions.

API Access

Vulnerability scanning is available via the REST API:

# Get vulnerability scan for a host
GET /api/host/{host_id}/vulnerability-scan

# Run new vulnerability scan
POST /api/host/{host_id}/vulnerability-scan

# Get scan history
GET /api/host/{host_id}/vulnerability-scan/history

# Get CVE refresh settings
GET /api/cve-refresh/settings

# Trigger CVE database refresh
POST /api/cve-refresh/refresh
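
A small client for the endpoints listed above, as an added Python example that is not SysManage's own code: it triggers a scan, reads the scan history, and flags a host either when its risk score is in the HIGH band or above, or when the score rose compared with the previous scan (the "regression" case from the Scan History section). The bearer-token header, the JSON field names (`risk_score`, `risk_level`, `scanned_at`), the oldest-first ordering of the history list and the base URL are all assumptions, since the page does not document them; the `FAKE_RESPONSES` transport is constructed so the example runs offline.

```python
import json
import urllib.request


def urllib_transport(method, url, headers):
    """Default transport: a real HTTP call via urllib, returning decoded JSON."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class VulnClient:
    """Thin wrapper over the documented endpoints. Bearer-token auth is an assumption."""

    def __init__(self, base_url, token, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
        self.transport = transport

    def _call(self, method, path):
        return self.transport(method, self.base_url + path, self.headers)

    def get_scan(self, host_id):
        return self._call("GET", f"/api/host/{host_id}/vulnerability-scan")

    def run_scan(self, host_id):
        return self._call("POST", f"/api/host/{host_id}/vulnerability-scan")

    def scan_history(self, host_id):
        return self._call("GET", f"/api/host/{host_id}/vulnerability-scan/history")

    def refresh_cves(self):
        return self._call("POST", "/api/cve-refresh/refresh")


def risk_regressed(history, key="risk_score"):
    """True when the newest scan scores higher than the one before it
    (history assumed oldest-first; fewer than two scans cannot regress)."""
    if len(history) < 2:
        return False
    return history[-1][key] > history[-2][key]


def check_host(client, host_id, max_score=50):
    """Run a fresh scan, then report the host as not ok if it is at HIGH (50) or above,
    or if its score increased since the previous scan."""
    scan = client.run_scan(host_id)
    history = client.scan_history(host_id)
    problems = []
    if scan["risk_score"] >= max_score:
        problems.append(f"risk score {scan['risk_score']} >= {max_score}")
    if risk_regressed(history):
        problems.append("risk score increased since previous scan")
    return {"host_id": host_id, "risk_score": scan["risk_score"],
            "ok": not problems, "problems": problems}


# Constructed responses in an assumed JSON shape so the example runs offline
FAKE_BASE = "https://sysmanage.example.invalid"
FAKE_RESPONSES = {
    ("POST", "/api/host/42/vulnerability-scan"): {"risk_score": 35, "risk_level": "MEDIUM"},
    ("GET", "/api/host/42/vulnerability-scan/history"): [
        {"scanned_at": "2024-05-01T00:00:00Z", "risk_score": 62},
        {"scanned_at": "2024-05-08T00:00:00Z", "risk_score": 35},
    ],
    ("POST", "/api/host/7/vulnerability-scan"): {"risk_score": 80, "risk_level": "CRITICAL"},
    ("GET", "/api/host/7/vulnerability-scan/history"): [
        {"scanned_at": "2024-05-01T00:00:00Z", "risk_score": 10},
        {"scanned_at": "2024-05-08T00:00:00Z", "risk_score": 80},
    ],
}


def fake_transport(method, url, headers):
    """Offline stand-in for urllib_transport, keyed on method and path."""
    assert headers["Authorization"].startswith("Bearer ")
    return FAKE_RESPONSES[(method, url[len(FAKE_BASE):])]


if __name__ == "__main__":
    client = VulnClient(FAKE_BASE, "PLACEHOLDER_TOKEN", transport=fake_transport)
    for host in (42, 7):
        print(check_host(client, host))
```

Swapping `fake_transport` for the default `urllib_transport` and the placeholder base URL and token for real ones turns this into a scheduled check that can run after each maintenance window; the regression test on the history endpoint is what catches a host whose score climbs back after it was patched.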

Requirements

  • Enterprise license with vuln_engine module
  • Network connectivity for CVE database updates
  • SysManage agent reporting software inventory
  • PostgreSQL database for CVE storage