CVE Findings Help
Library vulnerability detection, OSV.dev enrichment, and manual scan triggers.
Enable Scanning
CVE scanning is off by default. Go to Enrichment Settings to enable it and set a scan interval.
Trigger a Scan
Click Scan now to run an on-demand vulnerability scan against all libraries detected in recent OTEL attributes.
Review Findings
Expand a CVE finding to see the affected library, CVE ID, severity, and a direct link to the OSV.dev advisory.
SOBS extracts library names and versions from OTEL span and log attributes (e.g. telemetry.sdk.name, process.runtime.version, and custom attributes set by instrumentation libraries).
- Detected libraries are listed in the Detected Libraries accordion on this page.
- Each library is checked against the OSV.dev open-source vulnerability database.
- Results are cached in the sobs_cve_findings table and updated on each scan.
| Severity | Meaning |
|---|---|
| CRITICAL | CVSS score ≥ 9.0. Immediate remediation recommended. |
| HIGH | CVSS score 7.0–8.9. Remediate as soon as possible. |
| MEDIUM | CVSS score 4.0–6.9. Plan remediation within your next release cycle. |
| LOW | CVSS score < 4.0. Monitor and remediate opportunistically. |
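The following Python is an added illustration of the pipeline described above, not SOBS's own code: it pairs `<prefix>.name` / `<prefix>.version` OTEL attributes into library records, builds the request body for OSV.dev's POST /v1/query endpoint, computes a CVSS v3.1 base score from the vector string OSV returns, and maps that score onto the severity levels in the table. The span attributes, the `app.dependency.*` custom attribute, the language-to-ecosystem mapping, the OSV response and its advisory IDs are all constructed placeholders; the OSV lookup is injected as a function so the script runs offline.

```python
"""Added example (not SOBS code): OTEL attributes -> OSV.dev query -> CVSS score -> severity."""
import math

# telemetry.sdk.language -> OSV.dev ecosystem (assumed mapping; the ecosystem names are OSV's real ones)
LANGUAGE_TO_ECOSYSTEM = {"python": "PyPI", "nodejs": "npm", "go": "Go", "java": "Maven",
                         "ruby": "RubyGems", "rust": "crates.io", "dotnet": "NuGet"}

# Constructed span attributes; app.dependency.* is a hypothetical custom attribute.
SAMPLE_ATTRS = {
    "telemetry.sdk.name": "opentelemetry", "telemetry.sdk.language": "python",
    "telemetry.sdk.version": "1.20.0", "process.runtime.name": "cpython",
    "process.runtime.version": "3.11.4", "app.dependency.name": "example-lib",
    "app.dependency.version": "2.4.1",
}
# Constructed OSV response; the advisory ids are placeholders, not real advisories.
SAMPLE_OSV_RESPONSE = {"vulns": [{
    "id": "GHSA-xxxx-xxxx-xxxx", "aliases": ["CVE-0000-00000"],
    "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],
}]}

def extract_libraries(attrs: dict) -> list:
    """Pair each '<prefix>.name' attribute with its '<prefix>.version' sibling."""
    ecosystem = LANGUAGE_TO_ECOSYSTEM.get(attrs.get("telemetry.sdk.language", ""))
    libs = []
    for key, name in attrs.items():
        if not key.endswith(".name"):
            continue
        prefix = key[:-len(".name")]
        version = attrs.get(prefix + ".version")
        if version:
            # A runtime (cpython, node, ...) is not a package in any OSV ecosystem: keep it in the
            # detected list but leave ecosystem None so it is never queried as a package.
            eco = None if prefix == "process.runtime" else ecosystem
            libs.append({"name": name, "version": version, "ecosystem": eco})
    return libs

def osv_query(lib: dict) -> dict:
    """Request body for POST https://api.osv.dev/v1/query (real endpoint and body shape)."""
    return {"version": lib["version"], "package": {"name": lib["name"], "ecosystem": lib["ecosystem"]}}

# CVSS v3.1 base-metric weights from the specification.
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

def _roundup(x: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, done on integers to avoid float drift."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def cvss31_base_score(vector: str) -> float:
    """Base score of a 'CVSS:3.1/AV:../AC:../...' vector, using the v3.1 formula and rounding
    (a CVSS 3.0 vector can differ by 0.1 in rare rounding edge cases)."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    changed = m["S"] == "C"
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * _PR[m["S"]][m["PR"]] * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    return _roundup(min((1.08 if changed else 1.0) * (impact + exploitability), 10.0))

# Lower bounds of the severity levels in the table above.
SEVERITY_LEVELS = [(9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (0.0, "LOW")]

def severity_bucket(score: float) -> str:
    return next(label for floor, label in SEVERITY_LEVELS if score >= floor)

def findings_from_osv(lib: dict, response: dict) -> list:
    """One OSV /v1/query response -> finding rows: library, CVE id, severity, advisory link."""
    rows = []
    for vuln in response.get("vulns", []):
        vector = next((s["score"] for s in vuln.get("severity", []) if s.get("type") == "CVSS_V3"), None)
        score = cvss31_base_score(vector) if vector else None
        cve = next((a for a in vuln.get("aliases", []) if a.startswith("CVE-")), vuln["id"])
        rows.append({"library": lib["name"], "version": lib["version"], "cve": cve, "score": score,
                     "severity": severity_bucket(score) if score is not None else "UNKNOWN",
                     "advisory": f"https://osv.dev/vulnerability/{vuln['id']}"})
    return rows

def scan(attrs: dict, lookup) -> list:
    """Full scan. lookup(query) -> decoded OSV JSON is injected so this runs offline;
    in production it would POST the query body to api.osv.dev."""
    rows = []
    for lib in extract_libraries(attrs):
        if lib["ecosystem"] is not None:
            rows.extend(findings_from_osv(lib, lookup(osv_query(lib))))
    return rows

def sample_lookup(query: dict) -> dict:
    """Offline stand-in for OSV: only the constructed example-lib record has a finding."""
    return SAMPLE_OSV_RESPONSE if query["package"]["name"] == "example-lib" else {}

if __name__ == "__main__":
    for row in scan(SAMPLE_ATTRS, sample_lookup):
        print(row)
```

Two practical points the sample makes visible: the SDK name reported in telemetry.sdk.name is not necessarily the package name an ecosystem knows (on PyPI the SDK ships as opentelemetry-api, for instance), so a real scanner needs a normalisation step before querying; and OSV returns a CVSS vector rather than a number, so the score in the severity table has to be computed from it, which is why the calculator is included.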
- No libraries detected: ensure your services are sending OTEL data with library/SDK attributes. Check the Logs and Traces pages for ingested data.
- Scan returns no findings: this may mean your libraries have no known CVEs. Verify that the library list in the Detected Libraries panel is accurate.
- CVE scanning is disabled: enable it from Enrichment Settings.