Drill down on a specific advisory to see the following details:
  • Overview of the severity, exploitability label, date published, and last update
  • Description of the vulnerability quoted from NVD or GitHub advisories with a link to view the CVE listing directly in the NVD database

Internal advisory tabs

Advisory data is organized internally by tabs to make the information easy to interpret.

Origin packages

Affected origin packages are shown in expandable cards. The list can be filtered by the origin package.
When drilling down from the Advisories table, a filter is applied by default for the specific origin package. Clear the filter to see all affected packages.
Every origin package card shows the affected images, the current advisory status (fixed, unaffected, pending upstream fix, etc.), the fixed version (if available), and the last update. Expand the card to see the status history. If the package or image is already fixed, the fixed image version and fixed package version are listed. If the package was already fixed but the image build is still pending, this is clearly shown.

Severity

The Severity tab shows severity details, including the CVSS vector and the CVSS version used.

Exploitability

The Exploitability tab shows CISA KEV details and the EPSS probability and percentile rank scores.

References

The References tab shows links to recommended reference material.

Status history

For every affected package, expand the listing to view a history of the advisory statuses. You will see when the advisory came under review and the subsequent updates, each with a rationale where applicable. Examples of status notes:
  • If a package is listed as unaffected by the CVE, the note explains why the advisory is a false positive. For example, the vulnerable code may not be present in the Minimus package.
  • If a fix is not planned, the note explains why. For example, the package may have reached its end-of-life (EOL).