HomeGlossary › Package-Level CVE Scanning
Glossary

What is package-level CVE scanning?

Matching every installed software package on a device against vulnerability databases (CVE, GHSA, OSV) to identify known security advisories that apply to the installed version, and surfacing whether a patched version is available upstream.

Why package-level beats network scanning for endpoints

Network vulnerability scanners probe a target from outside, identifying reachable services and their versions, then look up CVEs. On a laptop, most installed software does not expose a network service — your text editor, your PDF reader, your video conferencing client — and yet they are exactly the surface most exploited by client-side attacks. Package-level scanning reads the package-manager database directly, so it knows exact versions of every installed package regardless of whether it listens on a port.

What gets scanned

Linux

dpkg / apt (Debian, Ubuntu), rpm / dnf (RHEL, Fedora, Rocky), apk (Alpine), pacman (Arch). Lorika reads the package database directly, so versions are exact — not best-guess from binary inspection.

macOS

Homebrew packages, system app bundles via CFBundleIdentifier + CFBundleShortVersionString, Apple-signed apps from the App Store with their bundled framework versions.

Windows

MSI installer database, winget package list, Microsoft Store apps. Includes both per-user and system-wide installs.

Database

OSV.dev — aggregator of GHSA, NVD/CVE, Debian / Alpine / Ubuntu advisories, plus ecosystem-specific feeds for npm, PyPI, RubyGems, crates.io, Go, NuGet, Packagist, and others.

The "Unknown" bucket

An honest CVE dashboard has five severity buckets, not four. Some advisories ship without a CVSS or GHSA rating; silently dropping them ("we only count rated CVEs") under-reports the problem and produces a total that doesn't add up to the per-severity sum. Lorika exposes the Unknown bucket explicitly so the totals reconcile and the operator can decide what to do with unrated items, rather than the tool deciding for them.

Related terms

Scan every package on your fleet

Free for up to 10 devices. OSV.dev matching, every ecosystem, severity-weighted into the Security Score.

Get started free →