# Glossary / واژه‌نامه / المعجم / Глоссарий / 术语表 / Glossaire
Central definitions for CVE Intelligence Panel. Chapters link here with anchors such as [Full scan](#full-scan).
## Core terms
| English | فارسی | العربية | Русский | 中文 | Français |
|---|---|---|---|---|---|
| CVE | شناسه CVE | CVE | CVE | CVE | CVE |
| Stack | پشته ابزار | المكدس | Стек | 技术栈 | Stack |
| Full scan | اسکن کامل | فحص كامل | Полное сканирование | 完整扫描 | Scan complet |
| Watch | نظارت سریع | مراقبة | Быстрый мониторинг | 快速监控 | Veille |
| Setup wizard | ویزارد راه‌اندازی | معالج الإعداد | Мастер настройки | 首次设置向导 | Assistant de configuration |
| Scan cache | کش اسکن | ذاكرة الفحص | Кэш сканирования | 扫描缓存 | Cache de scan |
| Server rate limit | محدودیت نرخ سرور | حد معدل الخادم | Лимит запросов сервера | 服务端速率限制 | Limite de débit serveur |
| Severity | شدت | الخطورة | Уровень | 严重程度 | Sévérité |
| KEV | فهرست KEV | KEV | KEV | KEV | KEV |
| CVSS | امتیاز CVSS | CVSS | CVSS | CVSS 评分 | CVSS |
| EPSS | EPSS | EPSS | EPSS | EPSS | EPSS |
| CWE | CWE | CWE | CWE | CWE | CWE |
| Compliance mapping | نگاشت انطباق | تعيين الامتثال | Соответствие | 合规映射 | Cartographie conformité |
| RBAC | RBAC | RBAC | RBAC | RBAC | RBAC |
| Airgap | airgap | airgap | Airgap | 离线隔离 | Airgap |
| Multi-tenant | چندمستاجری | تعدد المستأجرين | Мультитенантность | 多租户 | Multi-tenant |
| NotificationService | سرویس اعلان | خدمة الإشعارات | NotificationService | 通知服务 | NotificationService |
| Drizzle ORM | Drizzle ORM | Drizzle ORM | Drizzle ORM | Drizzle ORM | Drizzle ORM |
| Playwright E2E | E2E Playwright | E2E Playwright | E2E Playwright | Playwright E2E | E2E Playwright |
| Test coverage | پوشش تست | تغطية الاختبار | Покрытие тестами | 测试覆盖率 | Couverture de tests |
| GitLab Advisories | توصیه‌های GitLab | GitLab Advisories | GitLab Advisories | GitLab 公告 | GitLab Advisories |
| Distro feed | فید توزیع | فيد التوزيع | Фид дистрибутива | 发行版源 | Flux distro |
## CVE
CVE (Common Vulnerabilities and Exposures) is a public identifier for a known vulnerability, usually in the form CVE-YYYY-NNNNN. The panel aggregates records from several feeds and may show the same CVE once per matched stack tool when multiple products are affected.
## Stack
The stack is the list of infrastructure or software names you monitor (for example Redis, HAProxy, OpenSSL, Kubernetes). Matching against feeds is heuristic (tool name and text overlap), not a formal SBOM link.
## Full scan
A full scan queries all configured sources, including NVD, for each stack tool. It is slower because of NVD rate limits but provides the broadest baseline inventory.
## Watch
Watch (live watch) polls OSV, GitHub Advisories, and RSS on a short interval (2 / 5 / 15 minutes). NVD is skipped so new issues surface quickly without API throttling during polling.
## Setup wizard
The setup wizard is a first-run, four-step modal (stack → settings → sources → finish) shown after the legal disclaimer. Completing it sets cve-radar:setup-complete in the browser. Existing users with a saved stack are migrated without repeating the wizard.
## Scan cache
The scan cache stores the last successful scan in cve-radar:last-scan, keyed by normalized stack tool names via src/lib/scanCache.ts. On reload, matching stacks restore dashboard data without an immediate full scan.
## Server rate limit
The Express middleware limits POST /scan and POST /watch separately per client IP per minute (RATE_LIMIT_SCAN_PER_MIN, RATE_LIMIT_WATCH_PER_MIN). Exceeding the quota returns HTTP 429 with code: "RATE_LIMITED". POST /scan/validate is exempt.
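The per-route, per-IP, per-minute behaviour described above, as an added example (not the panel's own Express middleware): a fixed-window limiter with separate quotas for POST /scan and POST /watch, an exemption for POST /scan/validate, and a 429-style decision carrying code "RATE_LIMITED". The window algorithm, the createLimiter/check names and the retryAfterSec field are assumptions; the two quota values stand in for RATE_LIMIT_SCAN_PER_MIN and RATE_LIMIT_WATCH_PER_MIN.

```typescript
// Added example: a per-client-IP, per-route fixed-window limiter modelled on
// the behaviour described in this glossary entry. It is not the panel's
// Express middleware; the algorithm, names and response shape are assumptions.

type Decision =
  | { allowed: true }
  | { allowed: false; status: 429; body: { code: "RATE_LIMITED" }; retryAfterSec: number };

interface Quotas { scanPerMin: number; watchPerMin: number }

const WINDOW_MS = 60_000; // each quota resets every minute

export function createLimiter(quotas: Quotas) {
  // Separate quotas per route (one env value would feed each entry).
  const limits = new Map<string, number>([
    ["POST /scan", quotas.scanPerMin],
    ["POST /watch", quotas.watchPerMin],
  ]);
  // Routes never counted against a quota.
  const exempt = new Set(["POST /scan/validate"]);
  // One counter per (route, client IP) pair.
  const windows = new Map<string, { start: number; count: number }>();

  // `now` is injected (ms since epoch) so the behaviour is deterministic.
  function check(method: string, path: string, ip: string, now: number): Decision {
    const route = `${method.toUpperCase()} ${path}`;
    const limit = limits.get(route);
    if (exempt.has(route) || limit === undefined) return { allowed: true };

    const key = `${route}|${ip}`;
    let w = windows.get(key);
    if (!w || now - w.start >= WINDOW_MS) {
      // First request from this IP on this route, or the old window expired.
      w = { start: now, count: 0 };
      windows.set(key, w);
    }
    if (w.count >= limit) {
      return {
        allowed: false,
        status: 429,
        body: { code: "RATE_LIMITED" },
        retryAfterSec: Math.ceil((w.start + WINDOW_MS - now) / 1000),
      };
    }
    w.count += 1;
    return { allowed: true };
  }
  return { check };
}
```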
## Severity
| Level | Meaning |
|---|---|
| CRITICAL | Highest priority; may overlap with KEV |
| HIGH | Urgent patching |
| MEDIUM | Schedule remediation |
| LOW | Track and batch |
## KEV
CISA KEV (Known Exploited Vulnerabilities catalog) flags CVEs with confirmed exploitation. When an ID appears in KEV, the panel sets exploited_in_wild on the finding.
## CVSS
CVSS is a numeric severity score when provided by the upstream source. The panel uses source severity labels when CVSS is missing.
## EPSS
EPSS (Exploit Prediction Scoring System) is a probability score (0–1) from FIRST.org estimating likelihood of exploitation in the wild. Enabled by default (EPSS_ENABLED=true; set false only for airgap or ops). When on, the server adds epss and a combined riskScore (CVSS + EPSS + KEV boost) on each CVE.
## CWE
CWE (Common Weakness Enumeration) classifies vulnerability types (for example CWE-89 SQL injection). NVD exposes CWE in weakness metadata; OSV may include cwe_ids. The panel stores cwe[] on each finding when upstream data is available.
## Compliance mapping
Compliance mapping is enabled by default (COMPLIANCE_ENABLED=true; set false only for airgap or ops). When on, the server maps known CWE IDs (and select CVE families) to audit-oriented control references such as NIST SP 800-53 controls and PCI-DSS requirements. Results appear as compliance_controls[] for dashboard filters and CSV export. The static seed map lives in shared/compliance/.
## RBAC
RBAC (role-based access control) applies when API_SECRET is set. The server reads API_ROLE (admin, scanner, viewer, auditor) and blocks routes that role may not call (for example viewer cannot POST /api/scan). See Self-hosted operations.
## Airgap
Airgap mode (AIRGAPPED=true) disables public NVD/OSV/KEV/GitHub/RSS upstreams and requires local NVD/KEV mirror URLs plus either an OSV mirror or OSV_BULK_PATH (offline JSON tree from scripts/sync-osv-bulk.sh). Scans fail closed if required mirrors are missing. See Self-hosted operations.
## Multi-tenant
With DATABASE_URL, CVE Radar stores per-tenant stacks and scan history in PostgreSQL. Clients send X-Tenant-Id on v1 API routes. Without Postgres, state stays in browser localStorage only.
## NotificationService
NotificationService (server/services/notifications/NotificationService.ts) dispatches outbound alerts when watch mode returns non-empty newVulns. Channel adapters cover Slack, Discord, Telegram, SMTP email, and a generic JSON webhook. Legacy ALERT_WEBHOOK_URL still works via server/services/alerts.ts. Configure via NOTIFICATION_* env vars (see Configuration and Alerts).
## Drizzle ORM
Drizzle ORM provides type-safe PostgreSQL schema definitions in server/db/schema.ts and getDb() in server/db/drizzle.ts. Runtime CRUD for tenants and scan history uses Drizzle query builders on the shared pg pool; SQL migrations live in server/db/migrations/*.sql and are tracked in _schema_migrations so each file runs once per database.
## Playwright E2E
Playwright E2E tests in tests/e2e/ run against the Vite dev server (CSV export flow). Install browsers once with npm run test:e2e:install, then run npm run test:e2e. CI coverage uses npm run test:ci (~257 specs, ~94% lines / ~82% branches); unit and API tests use make test. See Operations — test coverage.
## Test coverage
Test coverage is measured with Node’s built-in V8 collector (npm run test:ci → coverage/lcov.info → Codecov/SonarCloud). The suite spans tests/server/, tests/client/, tests/integration/, and optional tests/e2e/. When adding specs, update chapter 10 (×6) and tests/README.md per agent rule code-to-docs-sync.
## Data source IDs
| ID | Provider |
|---|---|
| NVD | National Vulnerability Database (NIST) |
| OSV | Open Source Vulnerabilities |
| GitHub | GitHub Security Advisories |
| CISA_KEV | CISA catalog JSON |
| TheHackerNews | RSS — The Hacker News |
| TuxCare | RSS — TuxCare CVE tracker |
## UI &amp; settings
| Term | Description |
|---|---|
| Locale | UI language: fa, en, ar, ru, zh, fr |
| Auto-translate | Server + client translation of CVE title/description to active locale |
| Font scale | Browser text zoom 85%–140% (cve-radar:font-scale) |
| SubNav | Unified right sidebar: navigation, tools, filters, sources |
| sources_updated_at | Per-source ISO timestamp after successful fetch |
## API paths
| Method | Path | Purpose |
|---|---|---|
| GET | /api/health | Liveness, version, env flags |
| GET | /api/capabilities | Limits, features, translate locales |
| GET | /api/sources | Built-in source catalog |
| GET | /api/openapi.json | OpenAPI 3.1 specification |
| POST | /api/scan/validate | Validate stack without scanning |
| POST | /api/scan | Full scan |
| POST | /api/watch | Watch poll + newVulns |
| POST | /api/translate | Batch CVE text translation |
The same routes are available under /api/v1/…. See the API chapter.
## GitLab Advisories
GitLab Advisories queries the public GitLab Advisory Database (GraphQL) for package identifiers derived from the stack tool list. Enabled by default; set GITLAB_ADVISORY_ENABLED=false to disable. In air-gap mode, provide GITLAB_ADVISORY_MIRROR_URL or the source is skipped.
## Distro feed
A distro feed is a built-in Linux distribution security source (Alpine, Ubuntu_USN, RedHat, Debian, AmazonLinux) that matches OS package names from shared/distroPackages.ts against the monitored stack. Red Hat and MITRE CVE run as enrichment passes (metadata on existing CVE rows) rather than standalone vulnerability rows.
## OpenAPI
Machine-readable contract served from server/openapi/spec.json at GET /api/openapi.json. Use it for codegen, contract tests, and the docs site API Explorer mock.