Software#
The Software section includes server packages, registered CPEs, and more. All software displayed in FutureVuls is associated with a server. Additionally, information such as OSS licenses, EOL, and malicious packages is detected and displayed in a list.
Behavior When Upgrading Software
When software on a server is upgraded, the old version of the software is deleted, and the new version is created as a new entry with a different ID (serverSoftwareID).
Example: When upgrading openssl 1.1.1 to openssl 1.1.1u
- Old:
serverSoftwareID=10(openssl 1.1.1) → Deleted - New:
serverSoftwareID=99(openssl 1.1.1u) → Newly created
Software List#
On the Software tab, you can search for software within a group and click on each column to view details.
The software list can also be displayed from the second pane of Vulnerabilities, Servers, and Roles.
Vulnerabilities > Vulnerable Software- Only software related to the specified vulnerability will be displayed.
Servers > Software- Only software related to the specified server will be displayed.
Roles > Software- Only software related to servers belonging to the specified role will be displayed.

| Item | Details |
|---|---|
| Patch Availability | Indicates whether a patch is available for the related vulnerable software (only displayed in Vulnerability List > Vulnerable Software). |
| Software | The name of the software or CPE. |
| CPE | Displays the CPE in Formatted String format. |
| Location | The path to the Lockfile or other location containing the library. |
| Software Type | The type of software. |
| CPE Assignment Type | The CPE assignment method (Automatic/Manual/Unassigned) and its verification status. For details, see Automatic CPE Assignment. |
| Updatable | Indicates whether a newer version of the package is available. |
| Version | The version of the software or CPE. |
| Latest Version | When scanning with the Vuls scanner in fast-root scan mode, the latest available version is displayed for all Linux systems.In fast scan mode, some OSes (like AlmaLinux, Rocky Linux) can retrieve the latest version without root privileges, so it will be displayed.This is not displayed for CPEs, or when using Paste Scan, offline scan mode, trivy, or if the scan target is Windows. |
| OSS License | The license type of the software. Displayed for software assigned a PURL. ・-: Awaiting license information or PURL not assigned. ・unknown: Could not retrieve license information. ・License Name Displayed: Successfully retrieved license information. ※ For software of type "library", this may be displayed even if no PURL is assigned. |
| Server Name | The name of the server where the software is registered. |
| Open Tasks | The number of tasks related to the software where the status is NEW and the task is not hidden. |
| Ongoing Tasks | The number of tasks related to the software where the status is INVESTIGATING, ONGOING, or DEFER, and the task is not hidden. |
| Completed Tasks | The number of tasks related to the software where the status is not NEW, INVESTIGATING, ONGOING, or DEFER, or the task is hidden. |
| All Tasks | The total number of tasks related to the software. |
| ID | The ID of the software. |
| Process Restart Required | Indicates whether the software's process needs to be restarted. |
| Repository | The repository that manages the software. |
| Open Ports | Ports that are currently accessible. Port information is obtained using the lsof -i -P -n command. |
| Running Processes | Indicates whether the related process is running on the server and listening on an open port. Process execution status is available when scanning a Linux-based OS with the Vuls scanner for OS-package-related software. ・-: The process execution status is unknown. ・Play Icon: The process is running, but there are no listening ports. ・Signal Icon: The process is running, and there is a listening port. |
| CPE Status | If the registered CPE has been deprecated in the NVD, it will be displayed as Deprecated. |
| Out of Management Scope | Indicates whether the software is unmanaged. If unmanaged, new tasks created during a scan and existing tasks with a NEW status will be created as hidden.Additionally, the Supply Chain Risk status will become RISK_ACCEPTED. |
| Vulnerable Software Tags | Tags set on the vulnerable software. |
| CPE Auto-update | Indicates whether the CPE is automatically updated. |
| Malicious Package | Indicates whether the package contains malicious code created by an attacker. Software with an assigned PURL is subject to detection. |
| CPE Assigned Date | The date and time the CPE was assigned. |
| Supplementary Information | Supplementary information. |
| EOL Expired | Indicates whether the EOL date has passed. ・✓: EOL date has passed. ・✖: EOL date has not passed. ・-: No EOL date information. ※ If extended support is registered, this indicates whether the extended support period has expired. |
| EOL Deadline | Displays the EOL date. ※ If the EOL date is unknown but has passed, it will be displayed as expired. |
| EOL (Extended Support) | Indicates if extended support is registered. If so, EOL is determined based on the extended support expiration date. |
| First Detection Time | The date and time the software was first detected. |
| Latest Detection Time | The date and time the software was last detected. |
| Development Dependency | Indicates whether the software is a development dependency (devDependencies). If so, a [DevDependency] badge is displayed. |
| Relationship | The dependency type of the library. Distinguishes between "direct dependencies (direct)", which are referenced directly by the application, and "indirect dependencies (indirect, transitive dependencies)", which are pulled in via other libraries. You can also filter by dependency type. |
| Dependency Origins | For indirect dependency libraries, shows which direct dependency library needs to be updated to resolve them. This makes it easier to decide how to address vulnerabilities in indirect dependencies. |
About Deriving Dependency Type and Dependency Source
The dependency type and dependency source information are derived from library scan results. For libraries imported from an SBOM, the dependency state is derived based on the dependency relationships described in the SBOM. If dependency relationships are not described in the SBOM, or are described incorrectly, a dependency state that differs from the actual state may be displayed. If necessary, also check the dependency relationships at the source where the SBOM was generated.
Update Related Tasks#
You can select multiple software entries and bulk update tasks related to them. The bulk update options differ depending on whether you are viewing software under a server or a vulnerability.
Task Bulk Update Limit
The limit for bulk updating tasks is 10,000. If you exceed 10,000, please perform the update in multiple batches.
When opening Software from the second pane of the Server List or Role List#
This updates only the tasks related to the specified software on the specified server.

When opening Software from the second pane of the Vulnerability List#
The following options can be selected:
- Update only the tasks related to the selected vulnerability among the tasks for the specified software.
- Update all tasks related to the specified software.

Software Types#
All detected software (OS Package, Library Package, AWS Lambda Package, GitHub Package, WordPress Package, Private Package) can be viewed in FutureVuls, regardless of whether they have vulnerabilities.
Additionally, when scanning in fast-root scan mode (default), you can also check the latest version of the software.
For more information on scan modes, please see here.
CPEs can be managed by manually registering them on the FutureVuls screen. They are registered with the software type "Private Package". FutureVuls generally displays CPEs in Formatted String format (though registration in URI format is also possible).
Software Information#
In the software details, you can view and update the details of the software. The items displayed vary depending on the type of software.

The following items are displayed in the software details:
| Item | Details |
|---|---|
| Management Setting | Displays the management status of the software. |
| OSS License | Displays the OSS license information for the software. |
| EOL | Displays the EOL (End of Life) information for the software. |
| Software Health | Displays health information for dependent OSS, such as maintenance status, security posture, and recommended actions. For details, see Software Details > Software Health. |
| Malicious Package Source URL | If a malicious package is detected, the source URL is displayed. |
| CPE Assignment | Displays the configuration status of CPE/PURL Assignment. CPE and PURL can be assigned simultaneously. |
| PURL Assignment | Displays the configuration status of CPE/PURL Assignment. CPE and PURL can be assigned simultaneously. |
| CPE Auto-Assignment Status | Displays whether the CPE is auto-assigned. A [Verified] badge indicates it was auto-assigned based on the Windows application name and CPE assignment dictionary prepared by FutureVuls. If a manually assigned CPE differs from the recommended CPE in the assignment dictionary, a conflict warning icon is displayed, and the recommended CPE can be viewed in a tooltip. |
| Vulnerabilities and Tasks Related to This Software | Displays CVE-IDs and tasks related to the software. |
Scan Methods that Automatically Assign PURL to Software
To detect OSS licenses, EOL, and malicious packages, the software must have a PURL assigned. (Some EOL detection methods do not require PURL assignment.)
PURL is automatically assigned to software detected by the following seven scan methods:
- Scan specifying a Lockfile with Vuls Scanner
- Scan specifying a file system path with Trivy
- Lockfile Paste Scan
- Scan dependent libraries installed in a container image with Trivy
- Import Application SBOM
- Import Amazon Inspector SBOM
- GitHub Security Alerts Integration
For software detected by the following scan methods, PURL must be assigned manually:
- CPE Scan ※ If only EOL detection is needed, manual PURL assignment is not required.
Management Settings#
You can configure management settings for software.
With "Configure managed software", you can set specific software as unmanaged. You can also disable automatic CPE assignment for specific software. For details, refer to Disable Automatic CPE Assignment for Specific Software.
When vulnerabilities or supply chain risks are detected for software set as unmanaged, the following actions are performed automatically:
Vulnerability Detection#
Tasks for newly detected vulnerabilities during a scan and existing tasks with a NEW status are created as hidden (Always hidden).
This does not affect already created tasks with a status other than NEW. Hidden tasks can be unhidden from the task details screen.
For software you do not intend to patch or uninstall, setting it to unmanaged will automatically hide related tasks.
Supply Chain Risk Detection#
Supply chain risks with a status other than CLOSED will automatically transition to RISK_ACCEPTED.
Software Details > Software Health#
As a countermeasure against software supply chain attacks, understanding the health of dependent OSS is becoming increasingly important. In the software details, information to help you decide whether to continue using an OSS is consolidated and displayed in the "Software Health" section.
The following information is displayed to support your decision.
Note that Summary, Health, Security, Operations, Development, and Recommendations are summaries generated by an LLM based on collected data. The display is not a fixed set of items; the content varies for each package.
| Item | Details |
|---|---|
| Status | Displays the maintenance status as a badge such as Active, along with a short status description like Actively maintained with recent releases. |
| Summary | A description of the software's overview, use cases, position in the ecosystem, the release status of the latest stable version, and more. |
| Advisory | The number of known advisories and the maximum CVSS score. |
| Health | An overview of the overall health of the software. An overall health level (High / Medium / Low) that integrates maintenance status, community size, Scorecard, and EOL signals. |
| Security | An assessment for security personnel. Summarizes the interpretation of the Scorecard, known vulnerabilities (count, Critical/High count, maximum CVSS), EOL risk, the presence of a security policy, and more. |
| Operations | An assessment for operators. Summarizes the ongoing maintenance burden, the scale of dependencies, hosting and deployment considerations, and more. |
| Development | An assessment for developers. Summarizes the complexity of integration (the footprint of direct and transitive dependencies), the need for documentation and version tracking, and more. |
| Recommendations | Recommended actions for the software. Multiple recommendations are displayed with severity badges (CRITICAL / HIGH / MEDIUM / LOW / INFO). |
| Repository | Basic information such as the repository URL, the Stable / Latest versions and their release dates, the License, and the number of Stars. |
| Related Links | Links to various external pages that serve as the basis for decisions, such as REPOSITORY / REGISTRY / DEPS.DEV / HOMEPAGE / SCORECARD. |
About the Evaluated Version
The Software Health analysis evaluates the latest stable version of the package. Please note that it is not an evaluation of the specific version detected on the server (e.g., express@4.17.1).
Software Details > EOL#
You can check EOL information in the software details. For details on EOL detection targets and methods, please refer to here.
※ For OS Packages other than RHEL Application Streams, please check EOL information from the server details screen.

EOL information is updated periodically. If you want to reflect the latest information, please perform a manual scan.
If you have an extended support contract, EOL detection will be based on the extended support expiration date.
Software Details > OSS License#
You can check OSS license information in the software details.

For software with an assigned PURL, FutureVuls collects OSS license information using its own logic.
OSS license information is updated periodically. It may take up to 2 hours for license information to be displayed after a server scan.
Whether license information is available does not affect vulnerability detection.
AGPL, GPL Licenses#
- If the license information is classified as AGPL or GPL, a link to a help page is displayed.
- Exercise caution when using libraries with these licenses in services or applications where disclosing source code is impractical.

- Licenses classified as AGPL and GPL have a copyleft nature, which requires that derivative works using the library also be under the same license.
- The license terms also permit the following:
- To study how the program works, modify it, and access the source code.
- To redistribute copies.
- To improve the program and release improvements to the public.
- The main difference between AGPL and GPL is the conditions under which copyleft and its restrictions apply.
- AGPL series: Requires the application of license terms even when providing software services over a network.
- GPL series: Requires the application of license terms when distributing the software.
- Details of each license and their legal texts are available at www.gnu.org.
Software Details > Malicious Package#
In "Malicious Package", you can check information on malicious packages provided by OSV (Open Source Vulnerability) via a URL.


You can check for malicious package information for software with an assigned PURL.
If a malicious package is detected, it can also be centrally managed in the Supply Chain Risk tab. You can handle it with a unified workflow alongside EOL, including assigning responsible persons, setting deadlines, and sharing response policies through comments. An instant notification is also sent upon detection.
Malicious package checks are performed periodically. Therefore, it may take up to 2 hours after a server scan to determine if a package is malicious.
About cases where MAL-xx (MAL-ID) is displayed as a CVE-ID in the Vulnerability Tab
An ID like MAL-xx (e.g., MAL-2025-47141) may appear in the "CVE ID" column of the Vulnerability Tab.
This is a vulnerability ID detected as a malicious package by services like Amazon Inspector, which is imported and displayed as is in FutureVuls.
This MAL-xx is not detected by the FutureVuls malicious package detection feature (which cross-references with OSV information) described on this page.
Malicious Package Information Sources#
The information sources are the OpenSSF's (Open Source Security Foundation) "ossf / malicious-packages" repository, which manages malicious package information, and the "API" provided by OSV.