Vulnerability Management¶
rimae/scan aggregates vulnerability intelligence from more than 60 sources across the eleven categories listed below, enriches every CVE with exploit and threat data, and presents the result through the CVE Explorer interface.
CVE Explorer¶
The CVE Explorer is the primary interface for browsing the vulnerability database.
Searching and Filtering¶
The explorer supports the following filters, all combinable:
| Filter | Type | Description |
|---|---|---|
| Search | Free text | Searches CVE ID and description (case-insensitive, substring match). |
| Severity | Select | Critical (CVSS 9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9). |
| NVD Status | Select | Analyzed, Awaiting Analysis, Received, Rejected. |
| KEV Only | Toggle | Show only CVEs in the CISA Known Exploited Vulnerabilities catalog. |
| Has Exploit | Toggle | Show only CVEs with a Metasploit module, Nuclei template, or ExploitDB entry. |
| CVSS range | Numeric | Minimum and maximum CVSS v3.1 score. |
| EPSS range | Numeric | Minimum and maximum EPSS probability (0.0-1.0). |
Results default to most-recently-published first. Sortable columns include CVE ID, published date, last modified date, CVSS v3.1, CVSS v4, EPSS score, and EPSS percentile.
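The filter semantics in the table above (severity bands, KEV Only, Has Exploit as any one of three signals, CVSS/EPSS ranges, case-insensitive substring search, newest-first default sort) are easy to get subtly wrong when reimplementing them against an export. The block below is an added example, not rimae/scan's own code: the record layout, the dataclass and function names, and the choice that an unscored CVE never matches an active range filter are assumptions; the CVE IDs are constructed (`CVE-2099-*`).

```python
"""Filter and sort CVE records with the semantics the CVE Explorer describes.

Added example, not rimae/scan's code. Record layout, names and the handling of
unscored CVEs under a range filter are assumptions; the bands and filter
meanings come from the documentation. CVE-2099-* IDs are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Lower bound of each band: Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9,
# Low 0.1-3.9. A score of 0.0 carries no label.
SEVERITY_FLOORS = (("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.1))


def severity_label(cvss: Optional[float]) -> Optional[str]:
    """Map a CVSS v3.1 base score to the explorer's severity label."""
    if cvss is None:
        return None
    for label, floor in SEVERITY_FLOORS:
        if cvss >= floor:
            return label
    return None


@dataclass
class CveRecord:
    cve_id: str
    description: str
    published: date
    cvss_v31: Optional[float] = None   # None while NVD status is Awaiting Analysis
    epss: Optional[float] = None       # probability 0.0-1.0, None if not yet scored
    in_kev: bool = False
    has_metasploit_module: bool = False
    has_nuclei_template: bool = False
    has_exploitdb_entry: bool = False


def _in_range(value, lo, hi) -> bool:
    """Assumption: a record with no score never matches an active range filter."""
    if lo is None and hi is None:
        return True
    if value is None:
        return False
    return (lo is None or value >= lo) and (hi is None or value <= hi)


def explorer_filter(records, search=None, severity=None, kev_only=False,
                    has_exploit=False, cvss_min=None, cvss_max=None,
                    epss_min=None, epss_max=None):
    """Apply the combinable filters; return matches newest-published first."""
    needle = search.lower() if search else None
    out = []
    for r in records:
        if needle and needle not in r.cve_id.lower() and needle not in r.description.lower():
            continue
        if severity and severity_label(r.cvss_v31) != severity:
            continue
        if kev_only and not r.in_kev:
            continue
        # "Has Exploit" means any one of the three exploit signals, not all of them.
        if has_exploit and not (r.has_metasploit_module or r.has_nuclei_template
                                or r.has_exploitdb_entry):
            continue
        if not _in_range(r.cvss_v31, cvss_min, cvss_max):
            continue
        if not _in_range(r.epss, epss_min, epss_max):
            continue
        out.append(r)
    return sorted(out, key=lambda r: r.published, reverse=True)


def cve_ids(records):
    return [r.cve_id for r in records]


# Constructed sample data; IDs and descriptions are invented.
SAMPLE = [
    CveRecord("CVE-2099-0001", "Remote code execution in ExampleServer", date(2099, 3, 1),
              cvss_v31=9.8, epss=0.92, in_kev=True, has_metasploit_module=True),
    CveRecord("CVE-2099-0002", "Denial of service in example parser", date(2099, 3, 5),
              cvss_v31=7.5, epss=0.04, has_nuclei_template=True),
    CveRecord("CVE-2099-0003", "Information disclosure via verbose error page", date(2099, 2, 20),
              cvss_v31=5.3, epss=0.01),
    CveRecord("CVE-2099-0004", "Reserved; awaiting analysis", date(2099, 3, 7)),
]

if __name__ == "__main__":
    print(cve_ids(explorer_filter(SAMPLE, has_exploit=True, cvss_min=7.0)))
```

Note the practical caveat the unscored record illustrates: a CVE still in Awaiting Analysis status has no CVSS, so a CVSS range filter silently drops it even though it may already be in KEV or have a Nuclei template. Combine KEV Only or Has Exploit with the NVD Status filter rather than relying on a score range alone.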
List View Columns¶
Each row in the explorer shows:
- CVE ID -- clickable link to the detail view.
- Published -- publication date.
- Description -- truncated to 120 characters.
- CVSS v3.1 -- colour-coded score bar.
- EPSS % -- exploit probability as a percentage.
- KEV -- badge indicating CISA KEV status.
- Exploits -- badges for Metasploit, Nuclei, ExploitDB.
CVE Detail View¶
The detail page for a single CVE includes:
- Full description text.
- CVSS v3.1 score and vector string.
- CVSS v4 score and vector string (when available).
- Red Hat CVSS score (when the Red Hat Security API provides a different assessment).
- CWE IDs linked to the vulnerability.
- NVD status (Analyzed, Awaiting Analysis, etc.).
- EPSS score and percentile with last-updated timestamp.
- KEV details -- confirmed status, due date, extended KEV inclusion, ransomware use flag.
- Exploit availability -- ExploitDB ID, Metasploit module path, Nuclei template ID.
- Source flags -- which crawlers contributed data for this CVE.
- Affected asset count -- how many assets in your environment are matched.
Vulnerability Sources¶
rimae/scan crawls the source categories listed below. Each source implements a `BaseCrawler` with `fetch()` and `parse()` methods, retries failed fetches with exponential backoff, and writes an audit record for every scan run.
Note on default state: not every source is enabled out of the box. Roughly nine sources ship disabled because their fetch URLs are known to be broken or have moved, and six more require an API key before they can be crawled. After installation, review Settings > Vulnerability Sources and enable the sources you need.
Note on MITRE CVEList: the MITRE source uses a git clone of the CVEList repository. The first run can be very slow (30+ minutes) because it clones the full history into `/var/cache/rimae-scan`. Subsequent runs use an incremental `git pull` and are much faster.
Note on EPSS: the EPSS feed URL has changed to `https://epss.empiricalsecurity.com`. If you are upgrading from a previous version, verify that the EPSS source's `fetch_url` has been updated in Settings > Vulnerability Sources.
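To make the crawler contract concrete (a base class with `fetch()` and `parse()`, retry with exponential backoff, and a per-run audit record that ends in the `ok`/`partial`/`error` states the Dashboard shows), here is an added example specialised for the EPSS feed. It is not rimae/scan's own code: only `BaseCrawler`, `fetch()` and `parse()` are named by the documentation; `ScanRun`, `run()`, the retry limits and delays, and the status strings are assumptions. The EPSS CSV layout used (one `#`-prefixed metadata line, then a header `cve,epss,percentile`) matches the published EPSS files, but the feed below is constructed rather than downloaded so the block runs offline.

```python
"""Crawler skeleton: BaseCrawler with fetch()/parse(), exponential backoff,
and an audit record per scan run, specialised for the EPSS CSV feed.

Added example, not rimae/scan's code. ScanRun, run(), retry tuning and status
strings are assumptions. The sample feed is constructed, not downloaded.
"""
import csv
import time
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


class FetchError(Exception):
    """Transient fetch failure (timeout, HTTP 5xx) that is worth retrying."""


@dataclass
class ScanRun:
    """Audit record for one crawl of one source."""
    source: str
    attempts: int = 0
    records: int = 0
    status: str = "pending"          # ok | partial | error, as on the Dashboard
    errors: List[str] = field(default_factory=list)


class BaseCrawler:
    name = "base"
    max_attempts = 4                 # assumption
    base_delay = 0.5                 # seconds; doubles after each failure (assumption)

    def __init__(self, sleep: Callable[[float], None] = time.sleep):
        self._sleep = sleep          # injectable so tests need not really wait

    def fetch(self) -> bytes:
        raise NotImplementedError

    def parse(self, raw: bytes) -> Tuple[list, List[str]]:
        """Return (records, row-level problems)."""
        raise NotImplementedError

    def run(self) -> Tuple[ScanRun, list]:
        run = ScanRun(source=self.name)
        raw = None
        for attempt in range(1, self.max_attempts + 1):
            run.attempts = attempt
            try:
                raw = self.fetch()
                break
            except FetchError as exc:
                run.errors.append(f"fetch attempt {attempt}: {exc}")
                if attempt == self.max_attempts:
                    run.status = "error"
                    return run, []
                self._sleep(self.base_delay * 2 ** (attempt - 1))   # 0.5, 1.0, 2.0, ...
        records, problems = self.parse(raw)
        run.errors.extend(problems)
        run.records = len(records)
        run.status = "error" if not records else ("partial" if problems else "ok")
        return run, records


@dataclass(frozen=True)
class EpssScore:
    cve: str
    epss: float          # probability of exploitation in the next 30 days
    percentile: float


class EpssCrawler(BaseCrawler):
    name = "epss"

    def __init__(self, fetcher: Callable[[], bytes], sleep=time.sleep):
        super().__init__(sleep)
        self._fetcher = fetcher      # real code would HTTP GET the source's fetch_url

    def fetch(self) -> bytes:
        return self._fetcher()

    def parse(self, raw: bytes) -> Tuple[List[EpssScore], List[str]]:
        lines = [ln for ln in raw.decode("utf-8").splitlines() if not ln.startswith("#")]
        records, problems = [], []
        for n, row in enumerate(csv.DictReader(lines), start=1):
            try:
                cve, epss, pct = row["cve"], float(row["epss"]), float(row["percentile"])
                # Do not trust the feed blindly: reject bad IDs and out-of-range values.
                if not cve.startswith("CVE-") or not (0.0 <= epss <= 1.0 and 0.0 <= pct <= 1.0):
                    raise ValueError(f"bad row {row}")
                records.append(EpssScore(cve, epss, pct))
            except (KeyError, TypeError, AttributeError, ValueError) as exc:
                problems.append(f"parse row {n}: {exc}")
        return records, problems


# Constructed sample feed; IDs and scores are invented.
SAMPLE_EPSS_CSV = b"""#model_version:v2099.01.01,score_date:2099-01-01T00:00:00+0000
cve,epss,percentile
CVE-2099-0001,0.92112,0.99871
CVE-2099-0002,0.00431,0.63105
CVE-2099-0003,not-a-number,0.50000
"""


def flaky_fetcher(failures: int, payload: bytes) -> Callable[[], bytes]:
    """Fail the first `failures` calls with FetchError, then return payload."""
    calls = {"n": 0}

    def fetch() -> bytes:
        calls["n"] += 1
        if calls["n"] <= failures:
            raise FetchError(f"HTTP 503 on call {calls['n']}")
        return payload
    return fetch


def demo(failures: int = 2):
    """Run the EPSS crawler against a feed that fails `failures` times first."""
    delays = []
    crawler = EpssCrawler(flaky_fetcher(failures, SAMPLE_EPSS_CSV), sleep=delays.append)
    run, records = crawler.run()
    return run, records, delays
```

Two points worth carrying into any real crawler: a malformed row is logged and skipped rather than aborting the run (so a single bad upstream line yields `partial`, not `error`), and values from the feed are range-checked before they are stored, because a score outside 0.0-1.0 would corrupt every EPSS filter and composite score downstream.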
CVE Databases¶
Primary vulnerability databases that provide CVE identifiers and base scoring.
| Source | Module | Description |
|---|---|---|
| NVD | `nvd` | NIST National Vulnerability Database -- CVE records with CVSS v3.1 and v4 vectors. |
| MITRE | `mitre` | MITRE CVE List -- authoritative CVE assignments. |
| CIRCL | `circl` | CIRCL CVE Search -- Luxembourg CERT's CVE aggregation. |
| OSV | `osv` | Open Source Vulnerabilities database -- ecosystem-native advisories. |
| VulnCheck | `vulncheck` | VulnCheck API -- enriched CVE data with exploit intelligence. |
Exploit Signals¶
Sources that indicate whether a CVE is being exploited in the wild, how likely exploitation is, or whether public exploit code exists.
| Source | Module | Description |
|---|---|---|
| CISA KEV | `cisa_kev` | Known Exploited Vulnerabilities catalog -- confirmed in-the-wild exploitation. |
| EPSS | `epss` | Exploit Prediction Scoring System -- probability of exploitation in the next 30 days. |
| ExploitDB | `exploitdb` | Exploit Database -- public exploit code archive. |
| Metasploit | `metasploit` | Metasploit Framework modules database. |
| Nuclei | `nuclei` | ProjectDiscovery Nuclei templates for automated scanning. |
OS Advisories¶
Distribution-specific security advisories with package-level fix information.
| Source | Module | Description |
|---|---|---|
| Ubuntu | `ubuntu` | Ubuntu Security Notices (USN). |
| Alma Linux | `alma` | AlmaLinux Security Advisories (ALSA). |
| Debian DSA | `debian_dsa` | Debian Security Advisories. |
| Red Hat | `redhat` | Red Hat Security Advisories (RHSA) and Bug Fix Advisories (RHBA). |
| ESXi | `esxi` | VMware ESXi security bulletins. |
| Proxmox | `proxmox` | Proxmox VE security advisories. |
Vendor Advisories¶
Advisories from specific software vendors covering applications detected in your inventory.
| Source | Module | Description |
|---|---|---|
| Broadcom | `broadcom` | Broadcom/Symantec security advisories. |
| Ceph | `ceph` | Ceph storage platform advisories. |
| chrony | `chrony` | chrony NTP advisories. |
| Docker | `docker_advisories` | Docker platform security bulletins. |
| Google Cloud SDK | `google_cloud_sdk` | Google Cloud CLI security notices. |
| Grafana | `grafana` | Grafana Labs security advisories. |
| HashiCorp | `hashicorp` | HashiCorp product advisories (Terraform, Vault, etc.). |
| ISC | `isc` | Internet Systems Consortium (BIND, Kea). |
| Jenkins | `jenkins` | Jenkins security advisories. |
| Kubernetes | `kubernetes` | Kubernetes security announcements. |
| Smallstep | `smallstep` | step-ca and step CLI advisories. |
CSAF Feeds¶
Structured advisories in Common Security Advisory Framework format.
| Source | Module | Description |
|---|---|---|
| CERT-Bund | `cert_bund_csaf` | German Federal Office for Information Security (BSI) CSAF feed. |
| CISA | `cisa_csaf` | US Cybersecurity and Infrastructure Security Agency. |
| Cisco | `cisco_csaf` | Cisco product advisories in CSAF format. |
| Microsoft | `microsoft_csaf` | Microsoft Security Response Center CSAF feed. |
| NCSC-NL | `ncsc_nl_csaf` | Dutch National Cyber Security Centre CSAF feed. |
| Red Hat | `redhat_csaf` | Red Hat CSAF feed (supplements RHSA). |
| Siemens | `siemens_csaf` | Siemens ProductCERT CSAF advisories. |
Ecosystem Advisories¶
Language/package-ecosystem specific vulnerability databases.
| Source | Module | Description |
|---|---|---|
| GitHub Advisory (GHSA) | `ghsa` | GitHub Security Advisory database. |
| Go Vulnerability DB | `go_vuln` | Go team's vulnerability database. |
| npm Advisories | `npm_advisory` | npm registry security advisories. |
| OSSF Malicious Packages | `ossf_malicious` | OpenSSF malicious package detection. |
| PHP Security | `php_security` | PHP Security Advisories Database. |
| PyPA | `pypa` | Python Packaging Authority advisory database. |
| RubyGems | `rubygems` | RubyGems advisory database. |
| RustSec | `rustsec` | Rust Security Advisory Database. |
| Sonatype | `sonatype` | Sonatype OSS Index (Maven/Java ecosystem). |
National CERTs¶
Government cybersecurity agencies that publish advisories.
| Source | Module | Description |
|---|---|---|
| ACSC | `acsc` | Australian Cyber Security Centre. |
| ANSSI | `anssi` | French National Cybersecurity Agency. |
| BSI | `bsi` | German Federal Office for Information Security. |
| CCN-CERT | `ccn_cert` | Spanish National Cryptologic Centre. |
| ENISA | `enisa` | European Union Agency for Cybersecurity. |
| JPCERT | `jpcert` | Japan Computer Emergency Response Team. |
| JVN | `jvn` | Japan Vulnerability Notes. |
| NCSC-NL | `ncsc_nl` | Dutch National Cyber Security Centre. |
| NCSC-UK | `ncsc_uk` | UK National Cyber Security Centre. |
| US-CERT | `us_cert` | US Computer Emergency Readiness Team (now part of CISA). |
Container Security¶
Container image vulnerability databases.
| Source | Module | Description |
|---|---|---|
| Grype DB | `grype_db` | Anchore Grype vulnerability database. |
| Trivy DB | `trivy_db` | Aqua Security Trivy vulnerability database. |
Threat Intelligence¶
Sources that provide context on active exploitation and threat actor activity.
| Source | Module | Description |
|---|---|---|
| GreyNoise | `greynoise` | Internet-wide scan and attack traffic analysis. |
| AlienVault OTX | `otx` | Open Threat Exchange pulse data. |
| SANS ISC | `sans_isc` | SANS Internet Storm Center diary and threat feeds. |
| ThreatFox | `threatfox` | abuse.ch IOC sharing platform. |
Supply Chain¶
Software supply chain security data.
| Source | Module | Description |
|---|---|---|
| deps.dev | `deps_dev` | Google Open Source Insights dependency data. |
| OpenSSF Scorecard | `openssf_scorecard` | OpenSSF security health metrics for open source projects. |
Weakness Taxonomies¶
Vulnerability classification and attack pattern databases.
| Source | Module | Description |
|---|---|---|
| CWE | `cwe` | Common Weakness Enumeration. |
| CAPEC | `capec` | Common Attack Pattern Enumeration and Classification. |
| MITRE ATT&CK | `mitre_attack` | MITRE ATT&CK framework techniques mapped to CVEs. |
Severity Scoring¶
rimae/scan uses multiple scoring systems to assess vulnerability severity.
CVSS (Common Vulnerability Scoring System)¶
- CVSS v3.1 is the primary severity indicator, sourced from NVD.
- CVSS v4 is used when available (preferred by the composite scorer).
- Red Hat CVSS provides an alternative vendor assessment.
- Severity labels map to CVSS ranges: Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9).
EPSS (Exploit Prediction Scoring System)¶
EPSS gives the probability (0-1) that a CVE will be exploited in the wild within the next 30 days; the percentile ranks that probability against all scored CVEs. FIRST recomputes EPSS daily, so the value for a given CVE drifts over time. rimae/scan refreshes EPSS data on each crawler cycle, and the last-updated timestamp in the detail view shows how current the stored value is.
CISA KEV¶
CVEs confirmed in the CISA Known Exploited Vulnerabilities catalog indicate real-world exploitation. KEV entries include:
- Confirmed -- listed in the main CISA KEV catalog.
- Extended -- listed in the extended KEV dataset.
- Due date -- CISA-mandated remediation deadline for federal agencies.
- Ransomware use -- flag indicating confirmed use in ransomware campaigns.
Composite Score¶
The Correlation Engine computes a weighted composite score (0-10) that combines CVSS, EPSS, KEV status, and exploit availability. See the Composite Scoring Formula section for details.
Enrichment Data¶
Each CVE record is enriched with exploit intelligence:
| Field | Source | Description |
|---|---|---|
| `has_exploitdb_entry` | ExploitDB | Public exploit code exists. |
| `exploitdb_id` | ExploitDB | Specific ExploitDB entry ID. |
| `has_metasploit_module` | Metasploit | A ready-to-use Metasploit module exists. |
| `metasploit_module` | Metasploit | Module path in the Metasploit framework. |
| `has_nuclei_template` | Nuclei | An automated Nuclei scan template exists. |
| `nuclei_template_id` | Nuclei | Template identifier. |
| `ransomware_use_confirmed` | CISA KEV | CVE has been used in ransomware operations. |
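The Composite Score section above says the Correlation Engine weights CVSS, EPSS, KEV status and exploit availability into a 0-10 score, and the enrichment fields in this table are the inputs. The block below is an added example that shows the shape of such a score, in particular why exploitation evidence must be allowed to outrank raw CVSS; it is not rimae/scan's Correlation Engine, and its weights are assumptions, not the documented Composite Scoring Formula. The boolean field names follow the table; `cve_id`, `cvss_v31`, `epss` and `in_kev` are assumed record keys, and the sample records are constructed.

```python
"""Illustrative weighted composite score (0-10) over the enrichment fields.

Added example, not rimae/scan's Correlation Engine: the weights are
assumptions chosen to show that exploitation evidence should outrank CVSS.
Boolean field names follow the enrichment table; other keys are assumed.
"""
from typing import List, Optional


def composite_score(cvss_v31: Optional[float], epss: Optional[float], in_kev: bool,
                    has_exploitdb_entry: bool, has_metasploit_module: bool,
                    has_nuclei_template: bool, ransomware_use_confirmed: bool) -> float:
    """Hypothetical weights: CVSS at most 5, EPSS at most 3, KEV 2, a ready-to-run
    module 1 (or 0.5 for PoC / scan template only), ransomware use 1; clamp to 0-10."""
    score = (cvss_v31 or 0.0) * 0.5        # unscored (Awaiting Analysis) CVEs contribute 0
    score += (epss or 0.0) * 3.0
    if in_kev:
        score += 2.0
    if has_metasploit_module:
        score += 1.0                        # weaponised, ready-to-run
    elif has_exploitdb_entry or has_nuclei_template:
        score += 0.5                        # public PoC or detection template only
    if ransomware_use_confirmed:
        score += 1.0
    return round(min(10.0, max(0.0, score)), 1)


def score_record(rec: dict) -> float:
    return composite_score(rec.get("cvss_v31"), rec.get("epss"), rec.get("in_kev", False),
                           rec.get("has_exploitdb_entry", False),
                           rec.get("has_metasploit_module", False),
                           rec.get("has_nuclei_template", False),
                           rec.get("ransomware_use_confirmed", False))


def rank(records: List[dict]) -> List[tuple]:
    """Return (cve_id, composite) pairs, highest first."""
    return sorted(((r["cve_id"], score_record(r)) for r in records),
                  key=lambda p: p[1], reverse=True)


# Constructed records (invented IDs) showing why CVSS alone misleads.
SAMPLE = [
    {"cve_id": "CVE-2099-1001", "cvss_v31": 9.8, "epss": 0.01},              # critical, no exploitation signal
    {"cve_id": "CVE-2099-1002", "cvss_v31": 6.5, "epss": 0.85, "in_kev": True,
     "has_metasploit_module": True, "ransomware_use_confirmed": True},        # medium, actively exploited
    {"cve_id": "CVE-2099-1003", "cvss_v31": None, "epss": 0.40,
     "has_nuclei_template": True},                                            # awaiting NVD analysis
]

if __name__ == "__main__":
    for cve_id, score in rank(SAMPLE):
        print(cve_id, score)
```

With these illustrative weights the medium-severity KEV entry with a Metasploit module and confirmed ransomware use (9.8) ranks above the CVSS 9.8 issue with no exploitation signal (4.9), which is the ordering a remediation queue should produce. Whatever weights the real formula uses, check the same two cases against it before trusting the queue order.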
Source Health Monitoring¶
Each vulnerability source tracks its crawl status on the Dashboard:
- Last crawled at -- timestamp of the most recent successful fetch.
- Last crawl status -- OK, partial (some records failed), or error.
- Enabled -- whether the source is active.
Sources can be enabled, disabled, and configured via Settings > Vulnerability Sources.
Related Documentation¶
- Dashboard -- KPI cards summarising vulnerability counts
- Correlation Engine -- matching CVEs to your assets
- Remediation Queue -- prioritised queue of actionable matches
- GitHub Scanning -- dependency vulnerability scanning