CVE Matching
Monsys correlates the installed packages on each host with multiple CVE feeds and assigns a weighted risk score to each match.
Sources
- NVD v2 — National Vulnerability Database, with CVSS 3.1 scores and CPE-string matches (including version-range constraints).
- OSV.dev — package-specific vulnerabilities for apt, rpm, pip, npm, cargo, gem.
- EPSS — Exploit Prediction Scoring System (FIRST.org). Provides a probability (0–1) that a CVE will be exploited within 30 days.
Matching Algorithm
- For each installed package (name, version), CPE-name matching and an OSV ecosystem query are performed in parallel.
- For NVD hits, version-range constraints (versionStartIncluding, versionEndExcluding, …) are applied: the installed version must fall within the vulnerable range.
- OSV hits that have already been found by NVD are deduplicated on CVE-id.
Risk Score Formula
    risk = cvss * (epss > 0 ? epss : 0.05)
         * 1.5 if published > 30 days ago
         * 2.0 if known public exploit (ExploitDB / Metasploit)
         * 1.5 if affected service listens on public interface
    capped at 10.0
Limitations
- Debian/Ubuntu backporting: Canonical often backports security fixes into an older upstream version. Our matcher cannot distinguish upstream “1.18.0” from “1.18.0-6ubuntu0.4” (the revision that contains the fix). This causes false positives on LTS distros.
- Windows: WMIC/winget only report installed MSIs, not portable apps.
- Beta/RC versions: NVD CPE strings cover release versions; pre-releases may not match correctly.
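The matching rules and the score formula above, as an added example on constructed input (this is not Monsys code). The version parser discards the distro revision, which is what reproduces the Debian/Ubuntu backporting false positive listed under Limitations.

```python
RANGE_KEYS = ("versionStartIncluding", "versionStartExcluding",
              "versionEndIncluding", "versionEndExcluding")


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1:1.18.0-6ubuntu0.4' into (1, 18). Epoch and distro revision are
    dropped and trailing zeros stripped so '1.18' == '1.18.0'. Dropping the
    revision is exactly why a backported fix still looks vulnerable."""
    upstream = v.split(":")[-1].split("-", 1)[0]
    parts = []
    for piece in upstream.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def in_vulnerable_range(installed: str, cpe_match: dict[str, str]) -> bool:
    """Apply the NVD range keys; a missing key is unbounded on that side."""
    v = parse_version(installed)
    bound = {k: parse_version(cpe_match[k]) for k in RANGE_KEYS if k in cpe_match}
    if "versionStartIncluding" in bound and v < bound["versionStartIncluding"]:
        return False
    if "versionStartExcluding" in bound and v <= bound["versionStartExcluding"]:
        return False
    if "versionEndIncluding" in bound and v > bound["versionEndIncluding"]:
        return False
    if "versionEndExcluding" in bound and v >= bound["versionEndExcluding"]:
        return False
    return True


def risk_score(cvss: float, epss: float, days_since_publish: int,
               public_exploit: bool, public_listener: bool) -> float:
    """Weighted score from the Risk Score Formula section, capped at 10.0."""
    risk = cvss * (epss if epss > 0 else 0.05)   # no EPSS entry -> floor of 0.05
    if days_since_publish > 30:
        risk *= 1.5
    if public_exploit:                            # ExploitDB / Metasploit entry
        risk *= 2.0
    if public_listener:                           # service bound to a public interface
        risk *= 1.5
    return min(risk, 10.0)
```

With a constructed NVD range of versionStartIncluding 1.18.0 and versionEndExcluding 1.18.1, the Ubuntu package "1.18.0-6ubuntu0.4" is reported as vulnerable even though its revision carries the fix.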