# Assessment

Turn your software inventories and host package lists into prioritized, enriched vulnerability findings in one reliable API.

At Vulners we continuously collect and normalize vulnerability intelligence from 220+ upstream sources (vendor advisories, NVD/CVE, Linux distro feeds, package registries, exploit/PoC trackers, and government/ISAC alerts) into a single graph-linked corpus. Every record is deduplicated, cross-referenced (CVE ↔ advisory ↔ patch ↔ exploit), and time-stamped with standard fields (e.g., CVSS vectors, CWE, affected products) in consistent JSON.

Assessment (via the Audit API) brings this corpus to your actual inventories, that is, software components and host package lists, and deterministically maps what you run to applicable advisories and CVEs. The response is enriched with real-world risk signals (EPSS, KEV inclusion, exploit activity, and Vulners AI Risk indicators), so a single request returns an actionable picture of vulnerabilities for your environment, ready for your UI, CI/CD gates, SIEM/SOAR, or ticketing.

Deterministic matching is powered by configuration analysis. For software components, Assessment evaluates against affected configurations curated by both NVD and Vulners, ensuring coverage across vendor advisories and official CVE records. For Linux packages, matching follows meticulously maintained versioning rules specific to each distribution (Debian, Ubuntu, RHEL, etc.), accounting for backports, security patches, and distro-specific version schemes. This dual approach delivers accurate, false-positive-resistant results whether you're assessing commercial software or OS-level packages.
Make Vulners Assessment the engine behind your continuous vulnerability checks, without scanners or stitched-together feeds. This page gives you both the why and the how, so you can call the API, wire enrichment into tickets and dashboards, and start shipping improvements the same day.

Instantly turn software inventories or host data into vulnerability reports. Make vulnerability assessment a seamless feature in your product.
## Why this matters

Security teams don't need yet another scanner; they need deterministic mapping from what they already track to the vulnerabilities that matter. Assessment embeds directly where your data lives (CMDB, XDR, SBOMs), returning actionable JSON in milliseconds so you can prioritize and fix issues without adding infrastructure or workflow friction.
## What you get

- **Built in, not bolted on.** Pass inventories and receive CVE mappings without network probes or credentials.
- **CI/CD speed.** Typical responses land at ~0.1s per component, suitable for pre-release gates and large estates.
- **Actionable outputs.** Clean JSON with correlated context (advisories, KEV/wild-exploitation indicators, metrics) you can drop into tickets, dashboards, and policy gates.
- **DevSecOps-native.** Add a "Scan for vulnerabilities" button to your product and ship branded reports while Vulners maintains definitions and logic.
## Product overview (business description)

Key flow:

- Provide a software or host inventory.
- The Audit API matches components to canonical identifiers and applicable advisories/CVEs.
- The response includes issues plus enriched metrics and exploitation flags for prioritization.
## Quickstart

### Software inventory → CVEs

Use this when you have discrete software components (e.g., browsers, apps, libraries) identified by version.

Full documentation on the API call: `audit.software()`.

#### Example script
```python
import vulners
import json

# Fields to return for each matched record
my_fields = [
    "title",
    "short_description",
    "description",
    "type",
    "href",
    "published",
    "modified",
    "ai_score",
    "metrics",
    "exploitation",
    "cvelist",
    "webApplicability",
    "cvelistMetrics",
]

# Software inventory as CPE 2.3 identifiers, one component per entry
software = [
    "cpe:2.3:a:google:chrome:138.0.7204.184:*:*:*:*:*:*:*",
]

API_KEY = "VULNERS_API_KEY"  # replace with your Vulners API key
v = vulners.VulnersApi(api_key=API_KEY)
results = v.audit.software(software, fields=my_fields, match="partial")

# Save response to JSON file (CPE strings contain ':' and '*', so they are
# not used in the file name)
with open("vulners_audit_software.json", "w") as f:
    json.dump(results, f, indent=4)
```
#### Sample output (software)

```json
[
  {
    "input": "cpe:2.3:a:google:chrome:138.0.7204.184:*:*:*:*:*:*:*",
    "matched_criteria": "cpe:2.3:a:google:chrome:138.0.7204.184:*:*:*:*:*:*:*",
    "vulnerabilities": [
      {
        "id": "GCSA-5889235098647486089",
        "type": "chrome",
        "reasons": [],
        "title": "Stable Channel Update for Desktop",
        "published": "2025-09-17T00:00:00",
        "cvelist": [
          "CVE-2025-10500",
          "CVE-2025-10501",
          "CVE-2025-10502",
          "CVE-2025-10585"
        ],
        "cvelistMetrics": [
          {
            "epss": {},
            "cve": "CVE-2025-10585",
            "cvss": {},
            "published": "2025-09-24T17:15:39",
            "exploitation": {
              "wildExploited": true,
              "wildExploitedSources": []
            },
            "ai_score": {}
          },
          {
            "...": "and 3 more entries"
          }
        ],
        "...": "and 7 more keys"
      },
      {
        "id": "CVE-2025-10500",
        "type": "cve",
        "reasons": [
          {
            "config": "vulners",
            "criterias": []
          },
          {
            "config": "nvd",
            "criterias": []
          }
        ],
        "...": "and 12 more keys"
      },
      {
        "...": "and 53 more vulnerabilities"
      }
    ]
  }
]
```
- The content and fields returned in each record are controlled by the `fields` parameter. The sample above shows all available fields. For more detailed information about any advisory or CVE, query it by ID using the Intelligence API (see the Intelligence documentation).
- The response includes vendor advisories (e.g., Chrome channel updates) alongside mapped CVEs. CVE records are included when either NVD or Vulners affected configurations match the request parameters.
- Enrichment fields like `cvelistMetrics` include exploitation signals such as `wildExploited: true`, helping you raise priority for actively abused issues. For code simplicity, you can extract CVE metrics from the `cvelistMetrics` field for both advisories and CVE records.
### Linux host assessment

Use this when you have a package list from a host (apt, yum/dnf, apk, etc.). The API returns applicable advisories per package with correlated CVE metrics.

Full documentation on the API call: `audit.linux_audit()`.

#### Example script (verbatim)
```python
import vulners
import json

# Configuration - edit these as needed
OS_NAME = "debian"  # Operating system name (e.g., "centos", "ubuntu", "debian", "redhat")
OS_VERSION = "12"   # Operating system version (e.g., "7", "8", "20.04", "11")

# Installed packages as "name version architecture" lines
packages = [
    "git 1:2.39.5-0+deb12u2 amd64",
]

API_KEY = "VULNERS_API_KEY"  # replace with your Vulners API key
v = vulners.VulnersApi(api_key=API_KEY)
results = v.audit.linux_audit(
    os_name=OS_NAME, os_version=OS_VERSION, packages=packages, cvelist_metrics=True)

# Save response to JSON file
with open(f"vulners_audit_linux_{OS_NAME}_{OS_VERSION}.json", "w") as f:
    json.dump(results, f, indent=4)
```
#### Sample output (Linux)

```json
{
  "result": {
    "issues": [
      {
        "package": "git 1:2.39.5-0+deb12u2 amd64",
        "fixedPackage": "> git_1:2.39.5-0+deb12u2_all.deb",
        "applicableAdvisories": [
          {
            "id": "DEBIANCVE:CVE-2025-48384",
            "operator": "le",
            "version": "1:2.39.5-0+deb12u2",
            "published": "2025-07-08T19:15:42",
            "cvelistMetrics": [
              {
                "epss": {
                  "cve": "CVE-2025-48384",
                  "epss": 0.06811,
                  "percentile": 0.90871,
                  "date": "2025-10-09"
                },
                "cve": "CVE-2025-48384",
                "cvss": {
                  "score": 8.0,
                  "severity": "HIGH",
                  "version": "3.1",
                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
                  "source": "[email protected]"
                },
                "published": "2025-07-08T19:15:42",
                "exploitation": {
                  "wildExploited": true,
                  "wildExploitedSources": [
                    {
                      "type": "cisa",
                      "idList": [
                        "CISA:80E9D0DAF37EBEC68C16F3340B15CB1E"
                      ]
                    },
                    {
                      "type": "cisa_kev",
                      "idList": [
                        "CISA-KEV-CVE-2025-48384"
                      ]
                    }
                  ]
                },
                "ai_score": {
                  "value": 6.4,
                  "uncertainty": 1.6
                }
              }
            ]
          },
          {
            "...": "and 6 more advisories"
          }
        ]
      }
    ],
    "errors": []
  }
}
```
- Each issue ties a concrete installed package to its applicable advisories, and each advisory links to the CVEs it mentions.
- To retrieve CVE metrics (EPSS, CVSS, exploitation flags, AI Risk scores) for all CVEs listed in an advisory, set the `cvelist_metrics` parameter to `True` in your API request. The `cvelistMetrics` structure provides the most common prioritization signals for every CVE referenced by the advisory.
- For more detailed information about any advisory or CVE, query it by ID using the Intelligence API (see the Intelligence documentation).
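The notes under both samples make the same recommendation: read prioritization signals from `cvelistMetrics`, whether the record is an advisory or a CVE. The following added example, written for this page and not part of the Vulners SDK, flattens the two response shapes (`audit.software()` returns a list keyed by `input`; `audit.linux_audit()` returns `result.issues[]`) into one list of per-CVE findings, de-duplicates a CVE that appears under both an advisory and its own CVE record, and ranks everything with exploitation signals ahead of raw severity. The embedded responses are constructed after the page's samples; the EPSS/CVSS values for CVE-2025-10500 are made up for the illustration.

```python
# Added example written for this page (not Vulners SDK code): flatten both
# audit response shapes into per-CVE findings, de-duplicate, and prioritize.
# Sample responses are constructed after the page's samples; the metric values
# given for CVE-2025-10500 are invented for the illustration.

SOFTWARE_RESPONSE = [{
    "input": "cpe:2.3:a:google:chrome:138.0.7204.184:*:*:*:*:*:*:*",
    "vulnerabilities": [
        {   # advisory record carrying metrics for each CVE it mentions
            "id": "GCSA-5889235098647486089", "type": "chrome",
            "cvelistMetrics": [
                {"cve": "CVE-2025-10585", "epss": {}, "cvss": {}, "ai_score": {},
                 "exploitation": {"wildExploited": True, "wildExploitedSources": []}},
                {"cve": "CVE-2025-10500", "epss": {"epss": 0.001}, "cvss": {}, "ai_score": {},
                 "exploitation": {"wildExploited": False, "wildExploitedSources": []}},
            ]},
        {   # the same CVE also returned as its own CVE record
            "id": "CVE-2025-10500", "type": "cve",
            "cvelistMetrics": [
                {"cve": "CVE-2025-10500", "epss": {"epss": 0.001},
                 "cvss": {"score": 8.8, "severity": "HIGH"}, "ai_score": {},
                 "exploitation": {"wildExploited": False, "wildExploitedSources": []}},
            ]},
    ]}]

LINUX_RESPONSE = {"result": {"errors": [], "issues": [{
    "package": "git 1:2.39.5-0+deb12u2 amd64",
    "applicableAdvisories": [{
        "id": "DEBIANCVE:CVE-2025-48384", "operator": "le", "version": "1:2.39.5-0+deb12u2",
        "cvelistMetrics": [
            {"cve": "CVE-2025-48384",
             "epss": {"epss": 0.06811, "percentile": 0.90871},
             "cvss": {"score": 8.0, "severity": "HIGH"},
             "exploitation": {"wildExploited": True, "wildExploitedSources": [
                 {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2025-48384"]}]},
             "ai_score": {"value": 6.4, "uncertainty": 1.6}},
        ]}],
}]}}


def _finding(subject, advisory_id, m):
    """One flat record per (subject, CVE) built from a cvelistMetrics entry.
    Empty metric objects in the response become None / False."""
    exploitation = m.get("exploitation") or {}
    sources = exploitation.get("wildExploitedSources") or []
    return {
        "subject": subject,            # CPE or "name version arch" package line
        "advisory": advisory_id,
        "cve": m.get("cve"),
        "wild_exploited": bool(exploitation.get("wildExploited")),
        "kev": any(s.get("type") == "cisa_kev" for s in sources),
        "epss": (m.get("epss") or {}).get("epss"),
        "cvss": (m.get("cvss") or {}).get("score"),
        "ai_score": (m.get("ai_score") or {}).get("value"),
    }


def findings_from_software(response):
    """audit.software() shape: list of {input, vulnerabilities[]}."""
    return [_finding(entry["input"], vuln["id"], m)
            for entry in response
            for vuln in entry.get("vulnerabilities", [])
            for m in vuln.get("cvelistMetrics", [])]


def findings_from_linux(response):
    """audit.linux_audit() shape: result.issues[].applicableAdvisories[]."""
    return [_finding(issue["package"], adv["id"], m)
            for issue in response["result"]["issues"]
            for adv in issue.get("applicableAdvisories", [])
            for m in adv.get("cvelistMetrics", [])]


def priority_key(f):
    """Exploited in the wild first, then KEV listing, then EPSS, then CVSS."""
    return (f["wild_exploited"], f["kev"], f["epss"] or 0.0, f["cvss"] or 0.0)


def dedupe(findings):
    """Keep one record per (subject, CVE); the one with the stronger signals wins."""
    best = {}
    for f in findings:
        key = (f["subject"], f["cve"])
        if key not in best or priority_key(f) > priority_key(best[key]):
            best[key] = f
    return list(best.values())


def prioritize(findings):
    return sorted(findings, key=priority_key, reverse=True)
```

Run `prioritize(dedupe(findings_from_software(SOFTWARE_RESPONSE) + findings_from_linux(LINUX_RESPONSE)))` and the Debian git issue (exploited and KEV-listed) ranks above the Chrome CVE that is exploited but not yet KEV-listed, which in turn ranks above the quiet CVSS 8.8 entry; that ordering is what the "bubble up exploited/KEV issues above raw severity" checklist item below means in practice.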
## Implementation patterns

- **CMDB/XDR → Assessment.** Continuously enrich your asset inventory with fresh vulnerability context.
- **CI/CD gates.** Block or warn builds when new components introduce exploitable risk.
- **Ticket-first workflows.** Auto-open remediation tickets with the JSON payload, linking back to advisories and CVEs.
- **Tenant-aware reporting.** Embed white-label reports in your product, scoped by customer inventories.
## Production checklist

- ✅ Handle idempotent re-scans to keep results in sync with changing advisories.
- ✅ Store component → findings with timestamps for diffing and alerting.
- ✅ Bubble up exploited/KEV issues above raw severity.
- ✅ Provide SBOM import and host package ingestion endpoints.
- ✅ Add a "Scan for vulnerabilities" action in your UI.
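The CI/CD gate pattern and the first three checklist items (idempotent re-scans, timestamped storage for diffing, exploited/KEV above raw severity) fit together in one small piece of logic. The added example below is written for this page and is not Vulners code: it gates a build on a list of flat findings (dicts with `subject`, `cve`, `wild_exploited`, `kev`, `epss`, `cvss`, the shape a caller would derive from `cvelistMetrics`) and diffs two timestamped snapshots of consecutive scans so that only new or escalated findings raise alerts. The policy thresholds and the sample findings are this example's own choices; `CVE-EXAMPLE-0001` and `CVE-EXAMPLE-0002` are placeholders, not real identifiers.

```python
# Added example written for this page (not Vulners code): a CI/CD gate and a
# re-scan diff over flat findings. Thresholds below are this example's own
# choice, not anything the API prescribes.
from datetime import datetime, timezone

GATE_POLICY = {
    "block_on_wild_exploited": True,   # exploited in the wild: always block
    "block_on_kev": True,              # listed in CISA KEV: always block
    "epss_block": 0.5,                 # EPSS at or above this: block
    "cvss_warn": 7.0,                  # CVSS at or above this: warn only
}

# Constructed findings for two consecutive scans of the same host.
# CVE-EXAMPLE-0001/0002 are placeholder identifiers, not real CVEs.
PREVIOUS_FINDINGS = [
    {"subject": "git 1:2.39.5-0+deb12u2 amd64", "cve": "CVE-2025-48384",
     "wild_exploited": False, "kev": False, "epss": 0.01, "cvss": 8.0},
    {"subject": "libexample 1.0", "cve": "CVE-EXAMPLE-0001",
     "wild_exploited": False, "kev": False, "epss": 0.002, "cvss": 5.0},
]
CURRENT_FINDINGS = [
    {"subject": "git 1:2.39.5-0+deb12u2 amd64", "cve": "CVE-2025-48384",
     "wild_exploited": True, "kev": True, "epss": 0.06811, "cvss": 8.0},
    {"subject": "libexample 1.0", "cve": "CVE-EXAMPLE-0002",
     "wild_exploited": False, "kev": False, "epss": 0.01, "cvss": 7.5},
]


def evaluate_gate(findings, policy=GATE_POLICY):
    """Return ("block" | "warn" | "pass", reasons) for a build or release.
    Exploitation signals outrank raw severity: a quiet CVSS 7.5 only warns,
    while a KEV-listed or actively exploited issue blocks regardless of score."""
    blocks, warns = [], []
    for f in findings:
        tag = f"{f['subject']} {f['cve']}"
        if policy["block_on_wild_exploited"] and f.get("wild_exploited"):
            blocks.append(f"{tag}: exploited in the wild")
        elif policy["block_on_kev"] and f.get("kev"):
            blocks.append(f"{tag}: listed in CISA KEV")
        elif (f.get("epss") or 0.0) >= policy["epss_block"]:
            blocks.append(f"{tag}: EPSS {f['epss']} >= {policy['epss_block']}")
        elif (f.get("cvss") or 0.0) >= policy["cvss_warn"]:
            warns.append(f"{tag}: CVSS {f['cvss']} >= {policy['cvss_warn']}")
    if blocks:
        return "block", blocks
    if warns:
        return "warn", warns
    return "pass", []


def snapshot(findings, seen_at=None):
    """Index findings by (subject, cve) and stamp them, so re-scans of the
    same inventory are idempotent and can be diffed against the stored copy."""
    seen_at = seen_at or datetime.now(timezone.utc).isoformat()
    return {(f["subject"], f["cve"]): {**f, "seen_at": seen_at} for f in findings}


def diff_snapshots(previous, current):
    """Findings that appeared, disappeared, or gained an exploitation signal
    between two snapshots; the escalated group is the one worth paging on."""
    new = [current[k] for k in current if k not in previous]
    resolved = [previous[k] for k in previous if k not in current]
    escalated = [
        current[k] for k in current
        if k in previous
        and (current[k].get("wild_exploited") or current[k].get("kev"))
        and not (previous[k].get("wild_exploited") or previous[k].get("kev"))
    ]
    return {"new": new, "resolved": resolved, "escalated": escalated}
```

Keying snapshots by (subject, CVE) rather than by advisory ID keeps a re-scan from producing duplicate tickets when the same CVE is reported through several advisories, and the `escalated` bucket captures the case the checklist cares about most: an issue you already knew about becoming actively exploited between two runs.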
## Practical details

- **Latency:** ~0.1s per component typical (supports large estates and inline CI checks).
- **Input formats:** software identifiers (name+version, CPEs) and host package lists.
- **Outputs:** JSON designed for programmatic use and branded reports.
- **Prioritization signals:** exploitation in the wild, KEV inclusion, EPSS, CVSS, advisory recency.
## Example output, annotated

- **Software:** advisory documents (e.g., Chrome channel updates) plus CVE records, with `cvelistMetrics` per CVE.
- **Linux:** `issues[]` for each installed package with `applicableAdvisories[]`, each carrying CVE metrics (EPSS, CVSS, exploitation flags).
## FAQ

**Q:** Do I need to run network scans?

**A:** No. Assessment works off inventories you already have: CMDB, XDR, SBOMs, or package lists.

**Q:** How fast is it?

**A:** Typical responses are ~0.1s per component, supporting near-real-time enrichment and CI/CD use.

**Q:** How do I prioritize?

**A:** Use the enrichment fields (`exploitation.wildExploited`, KEV inclusion, EPSS, and CVSS) to raise actively abused issues above quiet highs.

**Q:** Can I white-label this?

**A:** Yes. Embed Assessment in your product to ship native reports and workflows while Vulners maintains definitions and matching logic.
## TL;DR

- Embed Assessment where your data already lives.
- Map inventories to the right CVEs deterministically.
- Act on enriched, exploitation-aware JSON that is fast enough for CI/CD and large estates.