Vulnerability Detection

Sttor continuously checks discovered packages against vulnerability intelligence and flags issues with clear context.

Each Vulnerability Finding Typically Includes

Package name + version
Vulnerability identifier(s) (e.g., CVE where applicable)
Severity and impacted version range
Fix availability (patched version / recommended upgrade)
Where it appears (direct vs transitive path)

Noise reduction principles (so SCA stays usable)

Deduping repeated findings across files/paths
Collapsing “same vuln, multiple occurrences” into one issue with references
Prioritizing findings that are reachable (see next section)