CVE Intelligence
CVE Intelligence is HarborGuard's built-in vulnerability database, aggregated from four authoritative sources and cross-referenced against the packages currently deployed across your scanned images.
Sources
| Source | What it provides |
|---|---|
| NVD (NIST National Vulnerability Database) | Authoritative CVE records with CVSS v3.1 / v4 scoring, CPE matches, and CWE mappings. |
| OSV (Open Source Vulnerabilities) | Ecosystem-aware advisories from Google for npm, PyPI, Go, RubyGems, crates.io, and others. |
| GHSA (GitHub Security Advisories) | Curated advisories with proposed fix versions and reviewed exploitability notes. |
| CISA KEV (Known Exploited Vulnerabilities) | The U.S. CISA catalogue of CVEs with confirmed exploitation in the wild. |
Cross-referencing and deduplication
When the same vulnerability appears in multiple sources (NVD assigns a CVE, GHSA publishes an advisory, OSV imports the GHSA), HarborGuard stitches them into a single intelligence record keyed by CVE ID. Source-specific identifiers (GHSA-xxxx, OSV-xxxx) are kept on the record so you can trace any field back to its origin.
For each record, HarborGuard computes:
- The affected packages across all sources, normalised to PURL form.
- The canonical CVSS score — preferring NVD, falling back to GHSA when NVD has not scored the CVE yet.
- The KEV flag — set when CISA has added the CVE to the Known Exploited Vulnerabilities catalogue.
- The org impact — the count of your scanned images currently affected, computed by joining the affected-package set against your dependency inventory.
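
The merge described above, sketched as an added example that is not HarborGuard's own code. The feed entry shape, field names, identifiers and image names are constructed for illustration, and matching is simplified to exact versioned PURLs rather than version ranges.

```python
from collections import defaultdict

# Constructed sample feed entries, already normalised to PURL form (assumed shape).
FEEDS = [
    {"source": "NVD", "id": "CVE-0000-0001", "cve": "CVE-0000-0001",
     "cvss": None, "purls": ["pkg:npm/examplelib@1.2.3"]},  # NVD has not scored yet
    {"source": "GHSA", "id": "GHSA-aaaa-bbbb-cccc", "cve": "CVE-0000-0001",
     "cvss": 8.1, "purls": ["pkg:npm/examplelib@1.2.3", "pkg:npm/examplelib@1.2.4"]},
    {"source": "OSV", "id": "GHSA-aaaa-bbbb-cccc", "cve": "CVE-0000-0001",
     "cvss": None, "purls": ["pkg:npm/examplelib@1.2.4"]},  # OSV import of the GHSA
    {"source": "NVD", "id": "CVE-0000-0002", "cve": "CVE-0000-0002",
     "cvss": 5.3, "purls": ["pkg:pypi/samplepkg@0.9.0"]},
    {"source": "GHSA", "id": "GHSA-dddd-eeee-ffff", "cve": "CVE-0000-0002",
     "cvss": 7.5, "purls": ["pkg:pypi/samplepkg@0.9.0"]},
]
KEV = {"CVE-0000-0001"}  # constructed stand-in for the CISA KEV catalogue
INVENTORY = {  # constructed dependency inventory: image -> installed PURLs
    "registry.example/web:1": {"pkg:npm/examplelib@1.2.4"},
    "registry.example/api:7": {"pkg:pypi/samplepkg@0.9.0", "pkg:npm/examplelib@1.2.3"},
    "registry.example/batch:3": {"pkg:pypi/other@2.0.0"},
}
CVSS_PREFERENCE = ("NVD", "GHSA")  # prefer NVD, fall back to GHSA


def build_records(feeds, kev, inventory):
    """Stitch per-source entries into one record per CVE ID."""
    grouped = defaultdict(list)
    for entry in feeds:
        grouped[entry["cve"]].append(entry)
    records = {}
    for cve, entries in grouped.items():
        # Union of affected packages across every source that reported the CVE.
        affected = {p for e in entries for p in e["purls"]}
        # Only sources that actually published a score take part in the choice.
        scores = {e["source"]: e["cvss"] for e in entries if e["cvss"] is not None}
        cvss_source = next((s for s in CVSS_PREFERENCE if s in scores), None)
        records[cve] = {
            # Source-specific identifiers stay on the record for traceability.
            "source_ids": sorted({(e["source"], e["id"]) for e in entries}),
            "affected": affected,
            "cvss": scores.get(cvss_source),
            "cvss_source": cvss_source,
            "kev": cve in kev,
            # Org impact: images whose inventory intersects the affected set.
            "org_impact": sum(1 for pkgs in inventory.values() if pkgs & affected),
        }
    return records
```

Recording `cvss_source` next to the score makes the fallback visible: a record scored from GHSA can be re-evaluated once NVD publishes its own score.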