Vendor Advisory Sync

SentriKat automatically tracks vendor security advisories to determine whether vulnerabilities in your environment have already been patched by your OS or software vendor.

How It Works

SentriKat queries four vendor advisory feeds daily:

Feed                     Coverage                                          Data Source
OSV.dev                  Open-source packages (npm, PyPI, Go, Rust, etc.)  Google's Open Source Vulnerabilities database
Red Hat Security API     RHEL, CentOS, Fedora packages                     Red Hat Product Security
Microsoft MSRC           Windows OS, Office, .NET, etc.                    Microsoft Security Response Center
Debian Security Tracker  Debian, Ubuntu packages                           Debian Security Team

When a vendor publishes a fix for a CVE that affects your inventory, SentriKat detects it automatically and updates the vulnerability's confidence tier.

Three-Tier Confidence System

Every matched vulnerability gets one of three confidence tiers:

AFFECTED (Red)

No vendor fix has been detected for this vulnerability on your systems.

  • Action required: This is a real, unpatched vulnerability
  • Shows in: All alert channels, dashboards, reports
  • Behavior: Standard alert escalation applies

LIKELY RESOLVED (Amber)

A vendor fix has been detected, but SentriKat cannot fully verify it was applied.

  • Why amber? The vendor published a fix, but SentriKat couldn't confirm the installed version matches or exceeds the fix version
  • Shows in: Dashboards and reports (stays visible for compliance)
  • Behavior: No automatic acknowledgment - human review recommended
  • Legal protection: Never silently hides a potential vulnerability

RESOLVED (Green)

The vendor fix has been confirmed via distro-native version comparison.

  • How? SentriKat compared the installed package version against the fixed version using the OS-native versioning scheme
  • Shows in: Resolved section of dashboard
  • Behavior: Auto-acknowledged (no alert noise)
  • Confidence: High - verified using the same logic as your package manager

Distro-Native Version Comparison

Generic string comparison fails on Linux package versions. SentriKat uses the same versioning logic as your package manager:

Debian / Ubuntu (dpkg)

2.31-13+deb11u7  >  2.31-13+deb11u5  (epoch:upstream-debian)

Understands epoch prefixes, upstream versions, and Debian revision suffixes.

RHEL / CentOS / Fedora (RPM)

4.18.0-425.19.2.el8_7  >  4.18.0-425.3.1.el8_7  (N-V-R.dist)

Handles RPM's name-version-release format with distribution tags.

Alpine (APK)

1.36.1-r15  >  1.36.1-r2  (version-rN)

Correctly compares Alpine's revision numbering.
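The following is an added example, not SentriKat's own code, illustrating both the Three-Tier Confidence System and the distro-native comparisons above. dpkg_compare and rpm_compare follow the ordering rules that dpkg and rpm themselves publish (epoch, then upstream/version, then revision/release, with '~' sorting before everything); apk_compare is deliberately simplified to the version-rN shape the page shows; confidence_tier is an assumed model of how a tier could be derived, and the distro keys, function names and sample versions are this example's own.

```python
import re

# Added example, not SentriKat code: dpkg and rpm orderings as the package managers
# define them, a simplified apk ordering, and an illustrative tier model built on them.

def _cmp(x, y):
    return (x > y) - (x < y)

def _split_epoch(v):
    """Validate an agent-reported version string, then split off its [epoch:] prefix."""
    epoch, rest = v.split(":", 1) if v and ":" in v else ("0", v)
    if not (v and v.isascii() and epoch.isdigit()) or any(c.isspace() for c in v):
        raise ValueError(f"non-standard version string: {v!r}")
    return int(epoch), rest

def _dpkg_order(c):
    # dpkg character weight: '~' sorts before everything, even the end of the string
    # (""); digits and "" are 0; letters by code point; other punctuation after letters.
    if c == "" or c.isdigit(): return 0
    if c.isalpha(): return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _dpkg_verrevcmp(a, b):
    """dpkg's comparison of one upstream-version or debian-revision component."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _dpkg_order(a[i:i + 1]), _dpkg_order(b[j:j + 1])   # non-digit run
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        while a[i:i + 1] == "0": i += 1          # digit run: ignore leading zeros,
        while b[j:j + 1] == "0": j += 1          # longer run wins, else first difference
        while a[i:i + 1].isdigit() and b[j:j + 1].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if a[i:i + 1].isdigit(): return 1
        if b[j:j + 1].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def dpkg_compare(v1, v2):
    """Debian/Ubuntu: <0, 0 or >0 like `dpkg --compare-versions`; missing revision == 0."""
    (e1, rest1), (e2, rest2) = _split_epoch(v1), _split_epoch(v2)
    u1, r1 = (rest1.rsplit("-", 1) + [""])[:2]   # upstream-revision, split at the last '-'
    u2, r2 = (rest2.rsplit("-", 1) + [""])[:2]
    return _cmp(e1, e2) or _dpkg_verrevcmp(u1, u2) or _dpkg_verrevcmp(r1, r2)

def _rpm_vercmp(a, b):
    """rpmvercmp: alternate numeric and alphabetic segments; '~' sorts before everything."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"): i += 1   # skip separators
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"): j += 1
        ca, cb = a[i:i + 1], b[j:j + 1]
        if "~" in (ca, cb):                      # pre-release marker ('^' is not modelled here)
            if ca != cb: return 1 if cb == "~" else -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb: break
        pat = r"\d+" if ca.isdigit() else r"[A-Za-z]+"   # one same-typed segment from each
        sa = re.match(pat, a[i:]).group(0)
        mb = re.match(pat, b[j:])
        sb = mb.group(0) if mb else ""
        i, j = i + len(sa), j + len(sb)
        if not sb: return 1 if ca.isdigit() else -1      # types differ: numeric beats alpha
        if ca.isdigit():
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb): return _cmp(len(sa), len(sb))   # more digits = larger
        if sa != sb: return _cmp(sa, sb)
    if not a[i:] and not b[j:]: return 0
    return -1 if not a[i:] else 1                # whichever still has characters left wins

def rpm_compare(v1, v2):
    """RHEL/CentOS/Fedora: <0, 0 or >0 over [epoch:]version-release (N-V-R without the name)."""
    (e1, rest1), (e2, rest2) = _split_epoch(v1), _split_epoch(v2)
    (ver1, _, rel1), (ver2, _, rel2) = rest1.partition("-"), rest2.partition("-")
    return _cmp(e1, e2) or _rpm_vercmp(ver1, ver2) or _rpm_vercmp(rel1, rel2)

def apk_compare(v1, v2):
    """Alpine, simplified: dotted numeric version, then -rN revision (no _alpha/_p suffixes)."""
    def key(v):
        m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", v or "")
        if not m: raise ValueError(f"unsupported Alpine version: {v!r}")
        return [int(x) for x in m.group(1).split(".")], int(m.group(2) or 0)
    return _cmp(key(v1), key(v2))

# Illustrative tier model (an assumption about the product, not its implementation).
COMPARATORS = {"debian": dpkg_compare, "ubuntu": dpkg_compare, "rhel": rpm_compare,
               "centos": rpm_compare, "fedora": rpm_compare, "alpine": apk_compare}

def confidence_tier(distro, installed, fixed):
    """AFFECTED, LIKELY_RESOLVED or RESOLVED for one package on one host."""
    if fixed is None: return "AFFECTED"                  # no vendor fix known for the CVE
    compare = COMPARATORS.get(distro)
    if compare is None or installed is None: return "LIKELY_RESOLVED"   # nothing native to verify
    try:   # fix published but the installed package is still older: unpatched
        return "RESOLVED" if compare(installed, fixed) >= 0 else "AFFECTED"
    except ValueError:                                   # fix exists, version unparseable
        return "LIKELY_RESOLVED"                         # leave it amber for human review
```

With the page's own sample versions, `dpkg_compare("2.31-13+deb11u7", "2.31-13+deb11u5")` and `rpm_compare("4.18.0-425.19.2.el8_7", "4.18.0-425.3.1.el8_7")` are both positive, and `confidence_tier("debian", "2.31-13+deb11u7", "2.31-13+deb11u5")` returns RESOLVED. The cases that matter for the amber tier are the ones a plain string comparison gets wrong or cannot parse: a pre-release such as `1.0~rc1` sorts below `1.0` in both schemes, a `1:` epoch outranks any larger-looking un-epoched version, and a string an agent reports with a space in it (for example `2.31 (glibc)`) is rejected rather than guessed at, so the finding stays visible for review instead of being auto-acknowledged.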

Windows (KB-based)

For Windows agents, SentriKat tracks installed KBs and compares against Microsoft's advisory data to determine if the required update has been applied.

Agent Requirements

To get the most accurate results from vendor advisory sync, ensure your agents report:

  • distro_package_version: The exact package version as reported by the OS package manager
  • installed_kbs (Windows only): List of installed Windows update KB numbers

Agent Protocol v1.3+

Agents running SentriKat v1.3.0 or later automatically report these fields. Older agents should be updated for best results.

Configuration

Vendor advisory sync runs automatically with no configuration required. The sync schedule is:

  • KEV catalog sync: Daily at 02:00 UTC
  • Vendor advisory sync: Daily at 03:00 UTC (after KEV sync)
  • Version comparison: Immediately after each advisory sync

To view sync status: Admin > System > Sync Status

FAQ

Q: Does vendor advisory sync require internet access?
A: Yes. SentriKat needs outbound HTTPS access to the four vendor APIs. If your instance is air-gapped, advisory data can be imported manually via the API.

Q: Can I add custom advisory feeds?
A: Not currently, but this is planned for a future release. You can use the REST API to import custom advisory data.

Q: Why is a vulnerability amber and not green?
A: Amber means the vendor published a fix, but SentriKat couldn't confirm the exact installed version. This can happen when agents report versions in a non-standard format, or when the package name doesn't exactly match the advisory.

Q: Can I override a confidence tier manually?
A: Yes. Navigate to the vulnerability detail page and use the "Override Confidence" action. Manual overrides are logged in the audit trail.