# Vulnerabilities
Lorika continuously scans your software inventory against multiple CVE databases.
## Data sources
| Source | What it provides |
|---|---|
| OSV.dev | Open source vulnerabilities (Linux packages, language ecosystems) |
| CISA KEV | Known Exploited Vulnerabilities — actively exploited in the wild |
| FIRST.org EPSS | Exploit probability score (0-1) |
| NVD | CVSS details, CPE matching |
| Vulners | Exploit availability, Metasploit modules |
| VirusTotal | Hash-based malware check (optional) |
## Finding a vulnerability
Go to Vulnerabilities in the sidebar. Each row shows:
- Package name and version
- CVE IDs with CVSS severity
- KEV badge if actively exploited
- EPSS score
- Patch status:
  - Fix available — update to a newer version
  - No patch — compensating controls needed
## No-patch handling
When a CVE has no vendor patch, Lorika provides:
- Clear "No patch available" badge
- Compensating controls (WAF rules, network segmentation, removal if unused)
- Context for auditors: accepted risk vs. remediation required
## Acting on findings
- Top risks appear on the dashboard
- Full list in Vulnerabilities page with filters
- Each vulnerability links to a RICE-scored recommendation
- Mark as resolved after remediation
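The following is an added example and not Lorika's own code: it shows, end to end, the kind of processing the sections above describe, building an OSV.dev query body for each inventory entry, deciding "Fix available" versus "No patch" from the `fixed` events in OSV `affected` ranges, and ranking the resulting findings so actively exploited (KEV) items surface first. The `/v1/query` request shape is OSV.dev's real one; everything else is assumed: the inventory, advisories, KEV subset, EPSS and CVSS values are constructed (the CVE IDs are placeholders), the numeric version comparison is a simplification of real ecosystem version rules, and the KEV-then-EPSS-then-CVSS ordering is one reasonable triage order, not Lorika's RICE scoring.

```python
"""Added example (not Lorika's code): offline triage over constructed
OSV / CISA KEV / EPSS data. Real scanners fetch these from the live sources."""
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: (OSV ecosystem, package name, installed version)
INVENTORY = [
    ("PyPI", "examplelib", "1.2.0"),
    ("PyPI", "otherlib", "3.0.1"),
    ("PyPI", "cleanlib", "2.0.0"),
]

# Constructed advisories. The affected/ranges/events layout follows the OSV
# schema; IDs, package names and versions are placeholders.
OSV_RECORDS = [
    {"id": "CVE-2099-0001", "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplelib"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "1.3.0"}]}]}]},
    {"id": "CVE-2099-0002", "affected": [{      # no "fixed" event: no patch
        "package": {"ecosystem": "PyPI", "name": "otherlib"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}]}]},
    {"id": "CVE-2099-0003", "affected": [{      # fixed before the installed version
        "package": {"ecosystem": "PyPI", "name": "examplelib"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "1.1.0"}]}]}]},
]
KEV_IDS = {"CVE-2099-0002"}                                  # constructed KEV subset
EPSS = {"CVE-2099-0001": 0.04, "CVE-2099-0002": 0.91, "CVE-2099-0003": 0.01}
CVSS = {"CVE-2099-0001": 9.8, "CVE-2099-0002": 7.5, "CVE-2099-0003": 5.3}


def osv_query_payload(ecosystem: str, name: str, version: str) -> dict:
    """Request body for POST https://api.osv.dev/v1/query (real API shape)."""
    return {"package": {"name": name, "ecosystem": ecosystem}, "version": version}


def _ver(v: str) -> tuple:
    # Simplified dotted-numeric comparison; real ecosystems (PEP 440, semver,
    # dpkg/rpm) need their own version semantics.
    return tuple(int(p) for p in v.split("."))


def affected_range(record: dict, ecosystem: str, name: str):
    """Return (introduced, fixed) for the package from the first matching range,
    or None when the advisory does not cover this package at all."""
    for aff in record["affected"]:
        pkg = aff["package"]
        if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
            continue
        for rng in aff["ranges"]:
            introduced, fixed = "0", None
            for ev in rng["events"]:
                introduced = ev.get("introduced", introduced)
                fixed = ev.get("fixed", fixed)
            return introduced, fixed
    return None


@dataclass
class Finding:
    package: str
    version: str
    cve: str
    cvss: float
    epss: float
    kev: bool
    patch_status: str            # "Fix available" or "No patch"
    fixed_version: Optional[str]


def triage(inventory, records, kev, epss, cvss):
    """Match inventory against advisories and rank the findings."""
    findings = []
    for eco, name, version in inventory:
        installed = _ver(version)
        for rec in records:
            rng = affected_range(rec, eco, name)
            if rng is None:
                continue
            introduced, fixed = rng
            if installed < _ver(introduced) or (fixed and installed >= _ver(fixed)):
                continue  # installed version lies outside the affected range
            cve = rec["id"]
            findings.append(Finding(
                package=name, version=version, cve=cve,
                cvss=cvss.get(cve, 0.0), epss=epss.get(cve, 0.0), kev=cve in kev,
                patch_status="Fix available" if fixed else "No patch",
                fixed_version=fixed))
    # Assumed triage order: actively exploited first, then exploit probability,
    # then CVSS severity as the tie-breaker.
    findings.sort(key=lambda f: (f.kev, f.epss, f.cvss), reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY, OSV_RECORDS, KEV_IDS, EPSS, CVSS):
        flag = "KEV " if f.kev else ""
        print(f"{flag}{f.cve} {f.package} {f.version} cvss={f.cvss} "
              f"epss={f.epss} {f.patch_status} {f.fixed_version or ''}")
```

Running it lists `CVE-2099-0002` on `otherlib` first (KEV, no patch, so it needs a compensating control and an auditor note rather than an update), then `CVE-2099-0001` on `examplelib` with a fix in 1.3.0; `CVE-2099-0003` is dropped because 1.2.0 is already past its `fixed` version, which is exactly the distinction a "fix available" badge depends on.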