Matching every installed software package on a device against vulnerability databases (CVE, GHSA, OSV) to identify known security advisories that apply to the installed version, and surfacing whether a patched version is available upstream.
Network vulnerability scanners probe a target from outside, identifying reachable services and their versions, then look up CVEs. On a laptop, most installed software does not expose a network service — your text editor, your PDF reader, your video conferencing client — and yet they are exactly the surface most exploited by client-side attacks. Package-level scanning reads the package-manager database directly, so it knows exact versions of every installed package regardless of whether it listens on a port.
dpkg / apt (Debian, Ubuntu), rpm / dnf (RHEL, Fedora, Rocky), apk (Alpine), pacman (Arch). Lorika reads the package database directly, so versions are exact — not best-guess from binary inspection.
Homebrew packages, system app bundles via CFBundleIdentifier + CFBundleShortVersionString, Apple-signed apps from the App Store with their bundled framework versions.
MSI installer database, winget package list, Microsoft Store apps. Includes both per-user and system-wide installs.
OSV.dev — aggregator of GHSA, NVD/CVE, Debian / Alpine / Ubuntu advisories, plus ecosystem-specific feeds for npm, PyPI, RubyGems, crates.io, Go, NuGet, Packagist, and others.
An honest CVE dashboard has five severity buckets, not four. Some advisories ship without a CVSS or GHSA rating; silently dropping them ("we only count rated CVEs") under-reports the problem and produces a total that doesn't add up to the per-severity sum. Lorika exposes the Unknown bucket explicitly so the totals reconcile and the operator can decide what to do with unrated items, rather than the tool deciding for them.
Free for up to 10 devices. OSV.dev matching, every ecosystem, severity-weighted into the Security Score.
Get started free →