Automated CVE Matching

How CVEium CIS matches your SBOM components to known CVEs using the Disclosure Intelligence Service.

Match job lifecycle

When an SBOM is uploaded, a match job is created with the following lifecycle:

  1. Pending: The job is queued for processing
  2. Processing: Components are being matched against the CVE database
  3. Completed: All matches have been found and stored
  4. Failed: An error occurred (the job will be retried automatically)

You can see the match job status on the SBOM page. Most jobs complete within a few seconds.

Retry mechanism

If a match job fails, it is automatically retried with exponential backoff:

  • 1st retry: after 1 minute
  • 2nd retry: after 5 minutes
  • 3rd retry: after 15 minutes
  • 4th retry: after 1 hour

After five failed attempts (the initial run plus the four retries above), the job is moved to the dead letter queue and is not retried again. Contact support if you encounter persistent failures.
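The lifecycle and backoff schedule above, as an added worked example (not CVEium's own code): a small job state machine that applies the documented delays, counts the initial run toward the five-attempt limit, and parks the job in a dead letter queue once that limit is hit. The job fields, the status names beyond the four listed on the page, and the virtual clock used to simulate a worker are assumptions made for the illustration.

```python
"""Match-job retry scheduler following the documented backoff schedule.

Added illustration, not CVEium's own code. The delays (1 min, 5 min, 15 min,
1 h) and the five-attempt limit come from the page; the MatchJob fields, the
DEAD_LETTER status name and the virtual clock are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional

# Delay applied before the Nth retry, indexed by how many attempts have failed.
RETRY_DELAYS_SECONDS = [60, 300, 900, 3600]
# The initial run counts as an attempt, so the limit is 1 + four retries.
MAX_ATTEMPTS = 1 + len(RETRY_DELAYS_SECONDS)


class Status(str, Enum):
    PENDING = "pending"
    PROCESSING = "processing"
    COMPLETED = "completed"
    FAILED = "failed"
    DEAD_LETTER = "dead_letter"   # assumed name for "moved to the dead letter queue"


@dataclass
class MatchJob:
    sbom_id: str
    status: Status = Status.PENDING
    attempts: int = 0             # attempts started so far (including the first run)
    next_run_at: float = 0.0      # epoch seconds at which the job becomes eligible
    last_error: Optional[str] = None


def schedule_after_failure(job: MatchJob, failed_at: float, error: str) -> MatchJob:
    """Apply the backoff schedule after a failed attempt.

    While retries remain the job goes back to FAILED with a future next_run_at;
    once MAX_ATTEMPTS have been consumed it is moved to the dead letter queue.
    """
    job.last_error = error
    if job.attempts >= MAX_ATTEMPTS:
        job.status = Status.DEAD_LETTER
        return job
    job.status = Status.FAILED
    job.next_run_at = failed_at + RETRY_DELAYS_SECONDS[job.attempts - 1]
    return job


def attempt(job: MatchJob, matcher: Callable[[MatchJob], None], now: float) -> bool:
    """Run one attempt if the job is due. Returns True when an attempt was started."""
    if job.status not in (Status.PENDING, Status.FAILED) or now < job.next_run_at:
        return False
    job.status = Status.PROCESSING
    job.attempts += 1
    try:
        matcher(job)               # raises on failure
    except Exception as exc:       # any error: apply backoff or dead-letter
        schedule_after_failure(job, now, str(exc))
    else:
        job.status = Status.COMPLETED
    return True


def drive_to_completion(job: MatchJob, matcher: Callable[[MatchJob], None],
                        start: float = 0.0) -> List[float]:
    """Simulate a worker with a virtual clock; return the timestamps of each attempt."""
    now, timestamps = start, []
    while job.status in (Status.PENDING, Status.FAILED):
        now = max(now, job.next_run_at)    # sleep until the job is due
        if attempt(job, matcher, now):
            timestamps.append(now)
    return timestamps


if __name__ == "__main__":
    def always_fails(job: MatchJob) -> None:
        raise RuntimeError("CVE database unavailable")   # constructed failure

    job = MatchJob(sbom_id="sbom-example")
    print(drive_to_completion(job, always_fails))        # attempt times in seconds
    print(job.status, job.attempts, job.last_error)
```

With a matcher that never succeeds the attempts land at 0 s, 60 s, 360 s, 1260 s and 4860 s, after which the job is in the dead letter queue with five attempts recorded; a matcher that fails twice and then succeeds ends in Completed after the third attempt.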

Matching strategies

CVEium uses two matching strategies in order of priority:

PURL-based matching (high confidence)

When a component has a Package URL (PURL), CVEium:

  1. Parses the PURL into ecosystem type and package name
  2. Maps the PURL type to a vulnerability ecosystem (e.g., npm maps to NPM, maven maps to MAVEN)
  3. Queries the CVE database for vulnerabilities affecting that package in that ecosystem

PURL matches have a confidence score of 0.85 and are labeled with the purl_namespace match type.

Name-based fallback (lower confidence)

When no PURL is available, or PURL matching finds no results, CVEium falls back to:

  1. Comparing the component name, case-insensitively, against the affected package names in the CVE database
  2. Doing so without ecosystem context, so the same name in any ecosystem counts as a match

Name-based matches have a confidence score of 0.60 and are labeled with the name_version match type. Because the comparison is not scoped to an ecosystem, a name-based match can pair a component with a CVE for an unrelated package that happens to share its name in another ecosystem; treat these matches as candidates to triage rather than confirmed findings. Note that the fallback also runs for components that do have a PURL but no ecosystem-scoped hits, so lower-confidence matches can appear on fully identified components.
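Both strategies above, as an added worked example that is not CVEium's own code: a minimal PURL parser, the type-to-ecosystem mapping, an ecosystem-scoped lookup, and the unscoped name fallback, run against a constructed in-memory database. The page gives only the npm and maven mappings and the two confidence values; the additional ecosystem entries, the OSV-style package naming (maven as `group:artifact`, npm scoped packages as `@scope/name`), the fictional package names and the placeholder `CVE-0000-000x` identifiers are assumptions made for the illustration.

```python
"""Two-strategy CVE matching: ecosystem-scoped PURL lookup, then name fallback.

Added illustration, not CVEium's code. Assumed: the PURL type -> ecosystem map
beyond npm/maven, OSV-style package naming, and the sample database below,
which uses fictional packages and placeholder CVE identifiers.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Only npm -> NPM and maven -> MAVEN are given on the page; the rest are assumed.
PURL_TYPE_TO_ECOSYSTEM = {
    "npm": "NPM", "maven": "MAVEN", "pypi": "PYPI",
    "cargo": "crates.io", "golang": "GO", "gem": "RUBYGEMS",
}
PURL_CONFIDENCE, NAME_CONFIDENCE = 0.85, 0.60


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    ecosystem: str
    package: str


@dataclass(frozen=True)
class Match:
    component: str
    cve_id: str
    confidence: float
    match_type: str


# Constructed sample database: fictional packages, placeholder CVE IDs.
SAMPLE_CVE_DB = [
    CveRecord("CVE-0000-0001", "NPM", "@acme/parser"),
    CveRecord("CVE-0000-0002", "PYPI", "acme-parser"),
    CveRecord("CVE-0000-0003", "MAVEN", "com.acme:parser"),
    CveRecord("CVE-0000-0004", "crates.io", "acme-parser"),
]


def parse_purl(purl: str) -> Purl:
    """Minimal parser for pkg:type/namespace/name@version?qualifiers#subpath."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a PURL: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest = rest.split("#", 1)[0].split("?", 1)[0]   # drop subpath and qualifiers
    version = None
    at = rest.rfind("@")
    if at > rest.rfind("/"):                         # an '@' after the last '/' is the version
        version, rest = unquote(rest[at + 1:]), rest[:at]
    parts = [p for p in rest.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"PURL needs a type and a name: {purl!r}")
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    return Purl(parts[0].lower(), namespace, unquote(parts[-1]), version)


def ecosystem_package_name(p: Purl) -> str:
    """Join namespace and name the way the vulnerability ecosystem names packages (assumed OSV style)."""
    if p.namespace is None:
        return p.name
    sep = ":" if p.type == "maven" else "/"
    return f"{p.namespace}{sep}{p.name}"


def match_component(component: dict, db: Optional[List[CveRecord]] = None) -> List[Match]:
    """PURL-scoped lookup first; name-only fallback when that yields nothing."""
    db = SAMPLE_CVE_DB if db is None else db
    label = component["name"]
    purl = component.get("purl")
    if purl:
        p = parse_purl(purl)
        ecosystem = PURL_TYPE_TO_ECOSYSTEM.get(p.type)   # unknown type -> fallback
        if ecosystem is not None:
            wanted = ecosystem_package_name(p).lower()
            hits = [r for r in db if r.ecosystem == ecosystem and r.package.lower() == wanted]
            if hits:
                return [Match(label, r.cve_id, PURL_CONFIDENCE, "purl_namespace") for r in hits]
    # Fallback: case-insensitive name comparison with no ecosystem scoping, so a
    # component can be paired with CVEs for same-named packages in other ecosystems.
    wanted = label.lower()
    return [Match(label, r.cve_id, NAME_CONFIDENCE, "name_version")
            for r in db if r.package.lower() == wanted]


if __name__ == "__main__":
    for comp in ({"name": "@acme/parser", "purl": "pkg:npm/%40acme/parser@1.2.3"},
                 {"name": "acme-parser", "purl": "pkg:pypi/acme-parser@0.1.0"},
                 {"name": "Acme-Parser"}):
        print(comp["name"], [(m.cve_id, m.confidence, m.match_type) for m in match_component(comp)])
```

The contrast worth noticing is the last two cases: the PyPI PURL returns only the PyPI record at 0.85, while the same package name without a PURL (or with an npm PURL that has no NPM hits) also pulls in the crates.io record at 0.60, which is exactly the cross-ecosystem ambiguity the fallback's lower confidence is meant to flag.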

Email notifications

When new CVE matches are found (from either the initial scan or a periodic re-scan), CVEium sends email notifications to team owners and admins. The email includes:

  • The product name and release version
  • Total number of new matches
  • Severity breakdown (critical, high, medium, low)
  • KEV count (if any matches are known exploited vulnerabilities)
  • A direct link to the triage page

Periodic CVE sync

CVEium runs a background process that checks for newly published CVEs and re-evaluates existing SBOMs. This keeps your vulnerability data current after the initial scan: a CVE published after an SBOM was uploaded can appear as a new match on that SBOM later, and it triggers the same notification as matches from the initial scan.