CVE Scanning Overview
Learn how CXRay identifies and reports Common Vulnerabilities and Exposures in your software dependencies and components.
What is CVE Scanning?
CVE (Common Vulnerabilities and Exposures) scanning is the process of identifying known security vulnerabilities in software components, libraries, and dependencies. CXRay maintains an up-to-date database of CVEs and matches them against your project's dependencies.
How CXRay CVE Scanning Works
- Dependency Detection: Identifies all dependencies in your project
- Database Matching: Compares against the CVE database
- Vulnerability Assessment: Evaluates severity and impact
- Reporting: Provides detailed reports with remediation guidance
Supported Package Managers
CXRay supports CVE scanning for the following package managers:
- JavaScript/Node.js: npm, yarn, pnpm
- Python: pip, poetry, pipenv
- Java: Maven, Gradle
- Ruby: Bundler, gem
- Go: go modules
- Rust: Cargo
- PHP: Composer
- .NET: NuGet
- C/C++: Conan, vcpkg
CVE Data Sources
CXRay aggregates vulnerability data from multiple authoritative sources:
- NVD (National Vulnerability Database)
- GitHub Advisory Database
- OSV (Open Source Vulnerabilities)
- Vendor-specific databases
Quick Example
# Scan for CVEs in current project
cxray scan --type cve .
# Scan with specific severity threshold
cxray scan --type cve --severity high,critical .
# Export CVE results as JSON
cxray scan --type cve --output json > cve-results.json
Understanding CVE Reports
A typical CVE report includes:
- CVE ID: Unique identifier (e.g., CVE-2023-12345)
- Severity: Critical, High, Medium, Low
- CVSS Score: Numerical score (0-10)
- Affected Component: Package name and version
- Description: Details about the vulnerability
- Remediation: Recommended fixes or patches