Overview
boring.tools continuously matches your SBOMs against multiple vulnerability databases and surfaces CVEs that affect your dependencies. Every time a new SBOM is generated or uploaded, it is automatically queued for scanning — no manual action required.
Scanning runs in real time. You can watch progress directly on the SBOM detail page as each package is checked.
Vulnerability data sources
| Source | Description |
|---|---|
| OSV.dev | Open, community-driven database covering npm, Go, PyPI, Cargo, Maven, and more |
| NVD / NIST | National Vulnerability Database |
| GitHub Security Advisories | GitHub’s curated advisory feed |
boring.tools maintains a local mirror of OSV.dev that is synced continuously (every 10 minutes). This means matching is fast and works even without outbound internet access at scan time.
Severity levels
Vulnerabilities are scored using CVSS and classified into four severity levels:
| Severity | CVSS range | What to do |
|---|---|---|
| Critical | 9.0–10.0 | Immediate action required |
| High | 7.0–8.9 | Address as soon as possible |
| Medium | 4.0–6.9 | Plan to remediate |
| Low | 0.1–3.9 | Monitor and assess |
CVSS v3.x scores are used by default; CVSS v4.0 is used as a fallback where available. Vulnerabilities without a CVSS score are shown as Unknown severity.
CVE database search
The CVE Database section in the sidebar gives you full-text search across the local OSV mirror. This is independent of your projects — you can look up any CVE or package vulnerability directly.
Search filters
| Filter | Description |
|---|---|
| Search | Full-text search by CVE ID (e.g. CVE-2024-1234), GHSA ID, or package name (e.g. lodash) |
| Ecosystem | Filter by package ecosystem (npm, Go, PyPI, Cargo, Maven, etc.) |
| Severity | Filter by severity level (Critical, High, Medium, Low) |
| Min CVSS | Only show CVEs with a CVSS score at or above this value (0–10) |
Results appear as you type (300ms debounce). Use Reset to clear all filters.
Search results table
| Column | Description |
|---|---|
| Severity | Color-coded badge |
| ID | CVE or GHSA identifier, links to the detail page |
| CVSS | Numeric score |
| Summary | Short description of the vulnerability |
| Ecosystems | Which package ecosystems are affected |
| Modified | When the vulnerability record was last updated |
Results are paginated (25 per page). Click Load more to fetch the next page.
CVE detail page
Click any CVE ID — from the database search, from an SBOM’s vulnerability table, or from a project dashboard — to open the full detail page.
The detail page shows:
- CVE ID and all aliases (GHSA IDs, OSV IDs)
- Severity badge and CVSS score
- Full description
- Affected package versions and the version that contains a fix (if available)
- Latest available version with a link to the package registry
- Which of your projects and SBOMs are affected — direct links back into your projects
- Links to OSV.dev and NVD/NIST for the original advisory
Viewing vulnerabilities per project
Dashboard level
The main Dashboard shows a global summary across all your projects — total CVE counts broken down by severity, with a trend chart.
Project level
Open any project to see its vulnerability summary and trend chart. The summary reflects the latest scanned SBOM for the project.
SBOM level
Open an individual SBOM to see the full vulnerability table for that specific snapshot. You can sort by severity, CVSS score, or published date, and search/filter across all columns.
Vulnerability delta
When boring.tools generates a new SBOM via Git integration, the scan result includes a delta compared to the previous scan:
- New — CVEs that appear in this scan but not the previous one (shown in red as +N)
- Resolved — CVEs from the previous scan that no longer appear (shown in green as -N)
This is visible in the Scan runs table in both the SBOM detail view and the Git integration repository view. It makes it easy to see whether a deployment introduced new risk or resolved existing vulnerabilities.
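The severity classification described under Severity levels (CVSS v3.x first, v4.0 as fallback, Unknown when neither is present) and the New/Resolved delta described above, worked through in one added example. This is illustrative code written for this page, not boring.tools' own implementation; the scan results, CVE identifiers (CVE-EXAMPLE-*, GHSA-EXAMPLE-*) and the choice to report scores below 0.1 as Unknown are constructed assumptions.

```python
# Severity bands from the Severity levels table, checked from highest floor down.
SEVERITY_BANDS = [("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.1)]


def severity_for(cvss_v3=None, cvss_v4=None):
    """Classify a vulnerability: v3.x score is used by default, v4.0 only as a fallback.
    No score at all yields "Unknown"; a score below 0.1 is also treated as Unknown here
    (assumption: the page's table starts at 0.1)."""
    score = cvss_v3 if cvss_v3 is not None else cvss_v4
    if score is None:
        return "Unknown"
    for label, floor in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "Unknown"


def scan_delta(previous, current):
    """Return (new, resolved) sets of vulnerability ids between two scans.
    Each scan maps id -> (cvss_v3, cvss_v4); either score may be None."""
    new = set(current) - set(previous)
    resolved = set(previous) - set(current)
    return new, resolved


def delta_by_severity(previous, current):
    """Count New and Resolved findings per severity, the way the Scan runs table
    reports +N / -N. New findings are scored from the current scan, resolved
    ones from the previous scan (the record they were last seen in)."""
    new, resolved = scan_delta(previous, current)
    counts = {}
    for vuln_id in new:
        sev = severity_for(*current[vuln_id])
        counts.setdefault(sev, {"new": 0, "resolved": 0})["new"] += 1
    for vuln_id in resolved:
        sev = severity_for(*previous[vuln_id])
        counts.setdefault(sev, {"new": 0, "resolved": 0})["resolved"] += 1
    return counts


# Constructed sample scans (placeholder ids, not real advisories).
PREVIOUS_SCAN = {
    "CVE-EXAMPLE-1": (9.8, None),    # Critical via v3
    "CVE-EXAMPLE-2": (5.3, None),    # Medium, still present in the next scan
    "GHSA-EXAMPLE-1": (None, None),  # no score -> Unknown
}
CURRENT_SCAN = {
    "CVE-EXAMPLE-2": (5.3, None),
    "CVE-EXAMPLE-3": (None, 7.5),    # only a v4 score -> fallback -> High
    "CVE-EXAMPLE-4": (None, None),   # newly disclosed, not yet scored
}
```

Run against the sample scans, `delta_by_severity` reports one new High, one new Unknown, one resolved Critical and one resolved Unknown, while CVE-EXAMPLE-2 contributes nothing because it is unchanged.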
Re-scanning an SBOM
You can re-run the vulnerability scan for any SBOM at any time. Open the SBOM detail page and click Re-scan in the top right. This is useful after the OSV mirror has been updated and you want to check for newly disclosed CVEs against an older SBOM.
If a scan is already running, the button shows Scanning… and is disabled until it completes.