Findings & Reports
Learn how to read the findings table, understand confidence tiers, filter results, and export data.
Findings Table
What each column means.
| Column | Description |
|---|---|
| CVE ID | The vulnerability identifier (e.g., CVE-2024-1234). Linked to NVD for details. |
| Package | The affected package name, ecosystem, and version. |
| Severity | CRITICAL, HIGH, MEDIUM, or LOW — derived from CVSS base score. |
| CVSS | Base score (0-10) and vector string from NVD. |
| EPSS | Exploit Prediction Scoring System score — probability of exploitation in the next 30 days. |
| KEV | Whether this CVE appears in CISA's Known Exploited Vulnerabilities catalog. |
| Confidence | ConfirmedInstalled or HeuristicUnverified — see below. |
| Fix | Fixed version if known, with upgrade recommendation. |
Confidence Tiers
How certain the scanner is about each finding.
ConfirmedInstalled
The package was found in an installed-state database (dpkg status, RPM DB, apk installed, lock files). The scanner is highly confident this package is present at the reported version.
HeuristicUnverified
The package was detected via heuristic methods (filename patterns, binary string extraction, embedded library analysis). The finding may be a false positive — review the evidence items for details.
Filtering & Sorting
Find the findings that matter.
The findings page supports filtering by:
- Severity — Focus on CRITICAL and HIGH first.
- Ecosystem — Filter to specific package managers (npm, PyPI, Maven, etc.).
- Confidence tier — Show only ConfirmedInstalled for highest signal.
- KEV status — Prioritize actively exploited vulnerabilities.
- Text search — Search by CVE ID, package name, or description.
Report JSON Structure
What the full report contains.
The report JSON contains the following top-level fields:
```json
{
  "scanner": { "name": "scanrook", "version": "..." },
  "target": { "type": "container|archive|binary|...", "source": "..." },
  "scan_status": "complete|partial_failed|unsupported",
  "inventory_status": "complete|partial|missing",
  "findings": [ ... ],
  "files": [ ... ],
  "summary": {
    "total_findings": 42,
    "critical": 2, "high": 8, "medium": 20, "low": 12,
    "confirmed_critical": 2, "confirmed_high": 6, ...
  }
}
```
SBOM Export
Export the package inventory.
ScanRook can generate SBOMs in CycloneDX and SPDX formats via the CLI:
```shell
scanrook sbom import --file report.json --format json
```
Use `sbom diff` to compare two SBOM snapshots and track package changes over time.
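Putting the report layout and the filtering guidance above into a small triage script, as an added example that is not ScanRook's own code: the top-level fields follow the documented layout, while the per-finding keys (cve_id, package, severity, cvss, epss, kev, confidence, fix), the sample values and the function names are assumptions that mirror the findings-table columns.

```python
import json

# Keys inside each findings[] entry are assumed for this example; the page
# documents the table columns, not the per-finding JSON keys.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Constructed sample report in the documented top-level layout. "confirmed_critical"
# is deliberately inconsistent with the findings so check_summary() has something to flag.
SAMPLE_REPORT = json.loads("""{
  "scanner": {"name": "scanrook", "version": "0.0-example"},
  "target": {"type": "container", "source": "example.local/app:1.0"},
  "scan_status": "complete", "inventory_status": "partial",
  "findings": [
    {"cve_id": "CVE-0000-0001", "package": {"name": "libfoo", "ecosystem": "deb", "version": "1.2.3"},
     "severity": "HIGH", "cvss": 8.1, "epss": 0.02, "kev": false, "confidence": "ConfirmedInstalled", "fix": "1.2.4"},
    {"cve_id": "CVE-0000-0002", "package": {"name": "bar", "ecosystem": "npm", "version": "4.0.0"},
     "severity": "CRITICAL", "cvss": 9.8, "epss": 0.10, "kev": false, "confidence": "HeuristicUnverified", "fix": null},
    {"cve_id": "CVE-0000-0003", "package": {"name": "baz", "ecosystem": "PyPI", "version": "2.1"},
     "severity": "MEDIUM", "cvss": 6.5, "epss": 0.71, "kev": true, "confidence": "ConfirmedInstalled", "fix": "2.2"}
  ],
  "files": [],
  "summary": {"total_findings": 3, "critical": 1, "high": 1, "medium": 1, "low": 0,
              "confirmed_critical": 1, "confirmed_high": 1}
}""")

def prioritize(report, confirmed_only=False, kev_only=False, min_severity="LOW"):
    """Apply the page's filters, then order: KEV first, then severity, then EPSS descending."""
    kept = [f for f in report["findings"]
            if SEVERITY_RANK[f["severity"]] <= SEVERITY_RANK[min_severity]
            and (not confirmed_only or f["confidence"] == "ConfirmedInstalled")
            and (not kev_only or f["kev"])]
    return sorted(kept, key=lambda f: (not f["kev"], SEVERITY_RANK[f["severity"]], -f["epss"]))

def check_summary(report):
    """Recompute the summary from findings; return the summary keys that disagree."""
    fs, expected = report["findings"], {"total_findings": len(report["findings"])}
    for sev in SEVERITY_RANK:
        expected[sev.lower()] = sum(f["severity"] == sev for f in fs)
    for sev in ("CRITICAL", "HIGH"):  # only these two confirmed_* keys are documented
        expected["confirmed_" + sev.lower()] = sum(
            f["severity"] == sev and f["confidence"] == "ConfirmedInstalled" for f in fs)
    return sorted(k for k, v in expected.items() if report["summary"].get(k) != v)

def coverage_warnings(report):
    """A non-complete scan or inventory means 'no finding' is not 'no vulnerability'."""
    return [f"{k}={report[k]}" for k in ("scan_status", "inventory_status") if report[k] != "complete"]

if __name__ == "__main__":
    print([f["cve_id"] for f in prioritize(SAMPLE_REPORT, min_severity="MEDIUM")])
    print(check_summary(SAMPLE_REPORT), coverage_warnings(SAMPLE_REPORT))
```

Running it against a real report only needs `SAMPLE_REPORT` swapped for `json.load(open("report.json"))`, provided the per-finding keys match what the scanner actually emits.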