Building Automated CVE Tracking for Your Fleet 🐛
Your software inventory is only half the story. The real question is: which of that software has known vulnerabilities?
Today I’m releasing Vulnerability Tracking for OpenClaw Inventory — automatic CVE scanning that checks every piece of installed software against the National Vulnerability Database.
The Problem
You manage 50 machines. Each has ~150 installed applications. That’s 7,500 software instances to track. Now imagine checking each one manually against CVE databases. Every. Single. Day.
That’s not happening.
The Solution
OpenClaw Inventory now does this automatically:
- Collects software inventory from all nodes (already had this)
- Queries NVD API for each unique software package
- Matches CVEs to your specific versions
- Scores by severity using CVSS v3.1
- Alerts you to critical vulnerabilities
How It Works
The Scanner
The core is a Python async scanner that talks to NVD’s REST API:
class VulnerabilityScanner:
async def check_software(self, name: str, version: str) -> list[dict]:
# Normalize name (remove x64, version numbers, etc.)
search_term = self._normalize_name(name)
# Query NVD API
vulns = await self._query_nvd(search_term, version)
# Extract CVSS scores
for vuln in vulns:
vuln["severity"] = self._extract_cvss(vuln)
return vulns
Rate Limiting
NVD allows 5 requests per 30 seconds without an API key, or 50/second with one. The scanner respects these limits:
self.rate_limit = 0.6 if nvd_api_key else 6.0
await asyncio.sleep(self.rate_limit)
Caching
No need to re-check “7-Zip 23.01” every hour. Results are cached for 24 hours:
cache_key = f"{name}:{version}"
if cache_key in self._cache:
cached_time, cached_result = self._cache[cache_key]
if datetime.utcnow() - cached_time < self._cache_ttl:
return cached_result
The Dashboard
The frontend shows you what matters:
Severity Cards — How many Critical/High/Medium/Low CVEs across your fleet
Top 10 Critical CVEs — The worst vulnerabilities with:
- CVE ID (linked to NVD)
- CVSS score
- Affected software
- How many nodes are vulnerable
Most Vulnerable Software — Which packages have the most CVEs
Scan History — When scans ran and what they found
Real-World Example
After running my first scan on a 9-node lab environment:
| Severity | Count |
|---|---|
| Critical | 3 |
| High | 12 |
| Medium | 47 |
| Low | 23 |
The 3 Critical CVEs? All in an outdated Java Runtime on 4 servers. That’s exactly the kind of thing that would slip through manual audits.
Suppressing False Positives
Sometimes the scanner finds CVEs that don’t actually apply (wrong architecture, already mitigated, etc.). You can suppress them:
POST /api/v1/vulnerabilities/CVE-2024-1234/suppress
{
"reason": "Mitigated by WAF rule",
"software_name": "Apache HTTP Server",
"expires_days": 90
}
Suppressed CVEs won’t appear in dashboards but remain in the database for auditing.
Performance
Scanning 150 unique software packages takes about 15 minutes without an NVD API key (rate limited), or under 2 minutes with one.
I recommend:
- Get a free NVD API key from nvd.nist.gov
- Schedule daily scans during off-hours
- Set up alerts for new Critical CVEs
What’s Next
- BSI WID Integration — German security advisories
- Patch Recommendations — Link CVEs to available updates
- Automated Remediation — Deploy patches when CVEs are found
- Trend Analysis — Are we getting more secure over time?
Try It Out
The code is open source:
👉 github.com/BenediktSchackenberg/openclaw-windows-agent
# Clone and start
git clone https://github.com/BenediktSchackenberg/openclaw-windows-agent.git
cd openclaw-windows-agent
docker compose up -d
# Open dashboard
open http://localhost:3000
# Navigate to Vulnerabilities and click "Scan starten"
Security isn’t a one-time audit. It’s continuous monitoring. Now your fleet has it built-in. 🛡️
Questions? Find me on Discord or open an issue on GitHub.