Remediation Queue
The remediation queue is rimae/scan's central workspace for triaging and resolving vulnerability matches. It presents all correlated vulnerabilities in priority order with filtering, bulk actions, and export capabilities.
Priority Ordering
The queue uses a multi-factor sort to surface the most urgent items first:
- CISA KEV confirmed -- vulnerabilities with confirmed in-the-wild exploitation appear at the top.
- Metasploit module available -- trivially exploitable via a ready-to-use framework module.
- Nuclei template available -- automated scanning template exists.
- ExploitDB entry -- public exploit code is available.
- EPSS score (descending) -- higher probability of exploitation ranks higher.
- CVSS score (descending) -- higher base severity ranks higher.
- Affected asset count (descending) -- wider blast radius ranks higher.
This ordering ensures that vulnerabilities with active exploitation evidence are always triaged before those with only a high CVSS score.
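The ordering above expressed as a sort key, as an added example (not rimae/scan's own code). It assumes the factors are applied lexicographically in the listed order; the field names has_metasploit, has_nuclei, has_exploitdb and asset_count, and the sample rows, are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Match:
    cve_id: str
    kev_confirmed: bool
    has_metasploit: bool   # hypothetical field name
    has_nuclei: bool       # hypothetical field name
    has_exploitdb: bool    # hypothetical field name
    epss_score: Optional[float]  # probability 0.0-1.0, None if unscored
    cvss_score: Optional[float]  # base score 0.0-10.0, None if unscored
    asset_count: int       # hypothetical field name


def priority_key(m: Match) -> tuple:
    # False sorts before True, so negate each flag to put flagged matches first.
    # Scores are negated for descending order; a missing score counts as 0.
    return (
        not m.kev_confirmed,
        not m.has_metasploit,
        not m.has_nuclei,
        not m.has_exploitdb,
        -(m.epss_score or 0.0),
        -(m.cvss_score or 0.0),
        -m.asset_count,
    )


def order_queue(matches):
    return sorted(matches, key=priority_key)


# Constructed sample data; the CVE IDs are placeholders.
SAMPLE = [
    Match("CVE-0000-0001", False, False, False, False, 0.02, 9.8, 40),
    Match("CVE-0000-0002", True, False, False, False, 0.10, 6.5, 1),
    Match("CVE-0000-0003", False, True, False, False, 0.50, 7.5, 3),
    Match("CVE-0000-0004", False, False, False, True, 0.90, 8.1, 10),
    Match("CVE-0000-0005", False, False, False, False, None, 9.8, 100),
]

if __name__ == "__main__":
    for m in order_queue(SAMPLE):
        print(m.cve_id)
```

The CVSS 9.8 matches with no exploitation evidence land last, behind a CVSS 6.5 match that is KEV-confirmed.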
Queue Columns
Each row in the queue displays:
| Column | Description |
|---|---|
| Select | Checkbox for bulk operations. |
| CVE ID | Links to the CVE detail view. |
| Severity | Colour-coded severity badge (Critical, High, Medium, Low). |
| Score | Composite score bar (0-10). See Composite Scoring. |
| KEV | Badge for CISA KEV status (confirmed or extended). |
| Exploits | Badges indicating Metasploit, Nuclei, and ExploitDB availability. |
| EPSS % | Exploit probability as a percentage. |
| Assets | Number of affected assets. |
| Patch | Green check if a fix version is known; grey X otherwise. |
| Fixed Ver. | The version that resolves the vulnerability (when known). |
| Status | Current workflow status. |
Filtering
The filter bar supports the following criteria, all combinable:
| Filter | Type | Options |
|---|---|---|
| Severity | Select | All, Critical, High, Medium, Low |
| Status | Select | All, Open, In Review, Accepted Risk, Resolved |
| Patch Available | Toggle | Show only patchable or only unpatchable |
| KEV | Toggle | Show only KEV-confirmed matches |
| Has Exploit | Toggle | Show only matches with public exploit code |
Additional API-level filters (not exposed in the default UI filter bar):
| Parameter | Description |
|---|---|
| asset_id | Filter to a specific asset. |
| cve_id | Filter to a specific CVE. |
| min_score / max_score | Composite score range (0.0-10.0). |
Status Workflow
Every vulnerability match progresses through one of four statuses:
| Status | Meaning |
|---|---|
| open | Default state. The vulnerability has been detected but not yet triaged. |
| in_review | An analyst has acknowledged the match and is investigating or planning remediation. |
| resolved | The vulnerability has been remediated (patched, mitigated, or the affected component was removed). Automatically set by the correlation engine when a match disappears in a subsequent run. |
| accepted_risk | The organisation has decided to accept this risk. Requires a justification note. |
Warning: Setting a match to accepted_risk without a status_note will be rejected by the API. This ensures all risk acceptance decisions are documented for audit purposes.
Automatic Resolution
The correlation engine automatically resolves matches when they are no longer produced during a run. This happens when:
- The affected package is upgraded past the fixed version.
- The affected package is removed from the asset.
- The advisory is retracted or corrected.
Automatically resolved matches receive a resolved_at timestamp and status resolved.
Audit Trail
Every status change (individual or bulk) creates an AuditLog record containing:
- Actor (username who made the change).
- Action type (vuln_match_status_change or vuln_match_bulk_status_change).
- Target match ID.
- Old status and new status values.
- Status note (if provided).
Bulk Actions
Select multiple rows using the checkboxes, then apply one of three bulk actions:
| Action | Effect |
|---|---|
| Mark In Review | Sets all selected matches to in_review. |
| Accept Risk | Opens a modal requiring a justification note, then sets all selected matches to accepted_risk. |
| Mark Resolved | Sets all selected matches to resolved with current timestamp. |
The selection counter shows how many items are selected. Use the header checkbox to toggle all visible rows.
Match Detail View
Clicking a match opens the detail view, which enriches the queue data with:
- Asset hostname -- the affected host.
- CVE description -- full vulnerability description text.
- CVSS v3.1 score and vector -- the full vector string for severity context.
- Published date -- when the CVE was first published.
- KEV due date -- CISA-mandated remediation deadline (for federal agencies).
- Score breakdown -- per-signal weights and values from the composite scorer.
- Source references -- which advisory sources contributed to this match.
Export
The Export button generates downloadable reports from the current queue (respecting active filters). Four formats are supported:
| Format | Content Type | Description |
|---|---|---|
| CSV | text/csv | Flat tabular data for spreadsheet import. |
| JSON | application/json | Structured data for programmatic consumption. |
| HTML | text/html | Branded report using configurable templates. |
| PDF | application/pdf | Print-ready branded report. |
Report Types
The export API supports multiple report templates:
| Template | Description |
|---|---|
| vuln_report | Full vulnerability detail report. |
| asset_report | Asset-centric vulnerability summary. |
| remediation_queue | Current queue state with all filters applied. |
| executive_summary | High-level summary for management review. |
Branding
HTML and PDF exports use configurable branding:
- Product name (defaults to "rimae/scan").
- Primary and accent colours.
- Custom header and footer text.
- Option to hide rimae/scan attribution for white-label deployments.
Branding is configured via Settings > Branding.
Export Fields
Each exported row includes:
| Field | Description |
|---|---|
| cve_id | CVE identifier. |
| asset_hostname | Affected host. |
| package_name | Vulnerable package. |
| installed_version | Currently installed version. |
| fixed_version | Version that fixes the vulnerability. |
| composite_score | Weighted composite score (0-10). |
| cvss_score | CVSS base score. |
| epss_score | EPSS probability. |
| kev_confirmed | CISA KEV status. |
| has_public_exploit | Whether public exploit code exists. |
| patch_available | Whether a fix is available. |
| status | Current workflow status. |
| first_seen_at | When the match was first detected. |
| last_confirmed_at | When the match was last verified by correlation. |
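An added example (not part of rimae/scan) that reads a CSV export with the fields listed above and returns matches that are still open or in review, have a fix available, carry exploitation evidence, and were first seen more than a given number of days ago. The boolean encoding (true/false), the ISO 8601 timestamps, the 14-day threshold and the sample rows are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed rows in the shape of a CSV export; CVE IDs and hosts are placeholders.
SAMPLE_CSV = """\
cve_id,asset_hostname,package_name,installed_version,fixed_version,composite_score,cvss_score,epss_score,kev_confirmed,has_public_exploit,patch_available,status,first_seen_at,last_confirmed_at
CVE-0000-0001,web-01,libexample,1.0.0,1.0.5,9.1,9.8,0.93,true,true,true,open,2024-01-02T00:00:00Z,2024-03-01T00:00:00Z
CVE-0000-0002,db-01,examplesql,2.3.0,,7.4,8.1,0.40,false,true,false,open,2024-01-05T00:00:00Z,2024-03-01T00:00:00Z
CVE-0000-0003,web-02,libexample,1.0.0,1.0.5,6.0,7.5,0.20,false,true,true,in_review,2024-01-10T00:00:00Z,2024-03-01T00:00:00Z
CVE-0000-0004,app-01,examplelib,3.1.0,3.1.2,8.8,9.0,0.70,true,true,true,accepted_risk,2024-01-01T00:00:00Z,2024-03-01T00:00:00Z
CVE-0000-0005,app-02,examplelib,3.1.0,3.1.2,9.5,9.8,0.95,true,true,true,open,2024-02-27T00:00:00Z,2024-03-01T00:00:00Z
"""
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed clock for the sample
ACTIONABLE = {"open", "in_review"}


def is_true(value):
    # Assumed boolean encoding in the export.
    return value.strip().lower() in {"true", "1", "yes"}


def parse_ts(value):
    # Assumed ISO 8601; map a trailing Z to an explicit UTC offset.
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))


def overdue_patchable(csv_text, now, max_age_days=14):
    cutoff = now - timedelta(days=max_age_days)
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        exploited = is_true(row["kev_confirmed"]) or is_true(row["has_public_exploit"])
        if (row["status"] in ACTIONABLE and is_true(row["patch_available"])
                and exploited and parse_ts(row["first_seen_at"]) <= cutoff):
            hits.append(row)
    # Highest composite score first.
    hits.sort(key=lambda r: float(r["composite_score"] or 0), reverse=True)
    return [(r["cve_id"], r["asset_hostname"], r["fixed_version"]) for r in hits]


if __name__ == "__main__":
    for hit in overdue_patchable(SAMPLE_CSV, SAMPLE_NOW):
        print(*hit)
```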
Related Documentation
- Dashboard -- open vuln counts and patch coverage
- Correlation Engine -- how matches are created and scored
- Vulnerabilities -- CVE detail and enrichment data
- Asset Inventory -- the assets these matches are correlated against