CVE Sync
Monozu Cloud automatically synchronizes vulnerability data from public sources and matches CVEs to tenant assets using CPE (Common Platform Enumeration) identifiers.
Data sources
| Source | Data | URL |
|---|---|---|
| NVD CVE API | CVE records, CVSS scores, CPE applicability | https://services.nvd.nist.gov/rest/json/cves/2.0 |
| CISA KEV | Known Exploited Vulnerabilities list | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json |
| MITRE ATT&CK | Threat technique taxonomy | MITRE STIX JSON |
| ExploitDB | Exploit catalog (optional) | Backend/internal/domain/cvefeed/ |
Sync flow
```mermaid
flowchart TD
A[Scheduled NVD job] --> B[Fetch NVD CVE API - paginated]
B --> C[Parse CVE records - id / cvss / cpe]
C --> D[Upsert cve_catalog - global table]
E[Scheduled CISA job] --> F[Fetch CISA KEV JSON]
F --> G[Mark KEV CVEs in cve_catalog]
D --> H[Trigger vulnerability matching - per tenant]
G --> H
H --> I[Select assets with CPE identifiers]
I --> J[Match CPE against cve_catalog]
J --> K{Match found?}
K -->|Yes| L[INSERT/UPDATE vulnerabilities - tenant-scoped]
K -->|No| M[Skip]
L --> N{CVSS above threshold or KEV?}
N -->|Yes| O[Generate security_alert]
N -->|No| P[Store as vulnerability only]
```
Database tables
| Table | Tenant-scoped | Description |
|---|---|---|
| cve_catalog | No (global) | Deduplicated CVE records from NVD/CISA |
| cve_scores_cache | No (global) | Cached CVSS scores (V19 migration) |
| vulnerabilities | Yes | Per-tenant CVE matches tied to assets |
| security_alerts | Yes | High-severity auto-generated alerts |
CPE matching
Assets in CMDB can have CPE identifiers assigned (e.g. cpe:2.3:o:siemens:scalance:*:*). The matching job queries the cve_catalog for CVEs whose applicability statement covers the asset’s CPE.
CPE data is set by operators in the asset details form (/assets/:id/edit).
Manual scan trigger
Users can trigger on-demand vulnerability scans per asset or for all assets:
```text
POST /api/v1/vulnerabilities/scan            # All assets
POST /api/v1/vulnerabilities/scan/:asset_id  # Single asset
```
CVSS threshold and KEV prioritization
The vulnerability matching job respects per-tenant configuration:
- CVSS score threshold — only create alerts for CVEs above a configured CVSS score
- KEV auto-alert — any CVE on CISA KEV automatically generates a high-priority alert
These settings are configured in Settings → Vulnerability Scanner in the Cloud SPA.
Key files
| Component | Location |
|---|---|
| CVE feed sync job | Backend/internal/domain/cvefeed/ |
| Vulnerability matching | Backend/internal/domain/vulnerabilities/service.go |
| Scanner settings | Backend/internal/domain/settings/ |
| Frontend (vuln list) | Frontend/src/routes/vulnerabilities/ |