av exposure
Blast-radius lookup: when a CVE hits the news, see at a glance which of your organisation’s projects are exposed to it - and through which packages.
Synopsis
    av exposure <cveId> [flags]
The binary ships as alertavuln; av is the common alias - they are
interchangeable in every example.
Description
av exposure lists every project in your organisation that already has an
alert for the given CVE. For each exposed project it shows the project name
and ID, the number of alerts for that CVE, and the packages that matched. You
must be logged in (av login) first.
The lookup reads the alerts AlertaVuln’s event-driven pipeline has already raised - it does not trigger a new scan. A project appears in the result only if it currently holds at least one alert for the CVE.
With --json the command prints the raw result - cveId plus a projects
array of projectId, projectName, packages, and alertCount - instead
of a table.
Options
| Flag | Default | Description |
|---|---|---|
| --json | false | Output raw JSON instead of a table |
Examples
Check the organisation-wide blast radius of a CVE the moment it makes headlines:
    av exposure CVE-2021-44228
Get the exposed project names as raw data for a runbook or chat notification:
    av exposure CVE-2021-44228 --json | jq -r '.projects[].projectName'
Use it as an incident-response gate - jq -e exits non-zero when any project
is exposed:
    av exposure CVE-2021-44228 --json | jq -e '.projects | length == 0'
Exit codes
| Code | Meaning |
|---|---|
| 0 | Lookup completed - including when exposed projects were found |
| 1 | Command failed: not logged in, bad arguments, or an API error |
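Because exit code 0 also covers the case where exposed projects were found, a gate has to read the JSON rather than the exit status. The script below is an added example, not part of AlertaVuln or its documentation: it triages the --json output, groups exposed projects by package, and keeps "lookup failed" distinct from "not exposed". The sample data, the script's own exit codes (0/1/2) and packages being a list of strings are assumptions.

```python
"""Triage `av exposure <cveId> --json` output read from stdin."""
import json
import sys
from collections import defaultdict

# Constructed sample in the shape the page describes; all values are made up,
# and "packages" being a list of strings is an assumption.
SAMPLE = json.dumps({
    "cveId": "CVE-2021-44228",
    "projects": [
        {"projectId": "p-1", "projectName": "billing-api",
         "packages": ["log4j-core"], "alertCount": 2},
        {"projectId": "p-2", "projectName": "search-indexer",
         "packages": ["log4j-core", "log4j-api"], "alertCount": 3},
    ],
})


def triage(raw):
    """Return (exit_code, report): 0 = no exposure, 1 = exposed, 2 = lookup unusable."""
    try:
        doc = json.loads(raw)
        projects = doc["projects"]
        if not isinstance(projects, list):
            raise TypeError("projects is not an array")
        by_package = defaultdict(list)  # package -> projects it was matched in
        for proj in projects:
            for pkg in proj["packages"]:
                by_package[pkg].append(proj["projectName"])
        total = sum(p["alertCount"] for p in projects)
    except (ValueError, KeyError, TypeError) as exc:
        # Empty or malformed output (e.g. the command failed) must not read as "clean".
        return 2, f"lookup unusable: {exc!r}"
    cve = doc.get("cveId", "?")
    if not projects:
        return 0, f"{cve}: no project holds an alert"
    lines = [f"{cve}: {len(projects)} project(s), {total} alert(s)"]
    # Most widely shared package first: that is where a fix removes the most exposure.
    for pkg in sorted(by_package, key=lambda k: (-len(by_package[k]), k)):
        lines.append(f"  {pkg}: {', '.join(sorted(by_package[pkg]))}")
    return 1, "\n".join(lines)


if __name__ == "__main__":
    # Usage: av exposure CVE-2021-44228 --json | python3 triage.py
    code, report = triage(sys.stdin.read())
    print(report)
    sys.exit(code)
```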
See also
av check - pre-flight a package for known CVEs before you add it