NSAuditor AI EE 0.9.2 — CVE Evidence Gaps Now Surface as Actionable Diagnostics
EE 0.9.2 closes 4 silent-zero CVE coverage gap classes: ambiguous zero-finding scans now surface actionable [COVERAGE GAP] diagnostics, and CRITICAL/HIGH CVEs always emit regardless of per-service volume caps.
Nsasoft has released NSAuditor AI Enterprise Edition 0.9.2, an EE-only patch that closes a subtle but significant evidence integrity gap in the scanner’s CVE-lookup pipeline. Prior to this release, four code paths in the intelligence engine returned empty CVE results silently — making a scan result of “0 CVE findings” ambiguous for auditors performing SOC 2 CC7.1 monitoring or HIPAA §164.308(a)(8) evaluation.
The Problem: Silent Zeros in the CVE Pipeline
For institutional audit evidence, an empty result and a gap in coverage are not the same thing. Pre-0.9.2, NSAuditor AI EE had four paths that would return [] without any indication to the operator or auditor that coverage was incomplete:
- No version detected: When a service banner lacks a version string, CPE wildcard matching produces unacceptable false-positive density, so the scanner intentionally skips it — but previously did so silently.
- CPE alias drift: Apache HTTP Server is indexed in the NVD as apache_http_server, not apache or httpd. Alias mismatches caused silent lookup failures.
- NVD lookup failure: Under load without an NVD API key, the public rate limit (5 requests per 30 seconds) caused services to be silently dropped from CVE results.
- Malformed NVD response: When the NVD returned a non-array response, the pipeline silently returned empty results rather than surfacing the error.
The Fix: [COVERAGE GAP] Diagnostics
EE 0.9.2 converts every silent zero into an explicit [COVERAGE GAP] INFO finding. Each finding carries evidence.raw.gapClass with one of four actionable diagnosis values:
- no_version_detected: service banner present, version absent; known CPE wildcard limitation
- cpe_map_miss: names the program string that needs alias-table augmentation
- nvd_lookup_failure: surfaces errorName + errorMessage for triage; console.warn preserved on stderr
- nvd_response_not_array: malformed NVD response class, now surfaced and closeable
Downstream SOC 2 and HIPAA evidence harvesters can filter on the [COVERAGE GAP] title prefix to programmatically distinguish coverage gaps from clean verdicts.
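To make the four gap classes concrete, here is an added illustration that is not NSAuditor AI's own code: a lookup wrapper that turns each silent-zero path into a [COVERAGE GAP] INFO finding carrying evidence.raw.gapClass, alongside the title-prefix filter an evidence harvester would apply. The alias table, the pluggable lookup function, the service records, the host addresses and the EXAMPLE-CVE identifier are all constructed for this example; only the four gapClass values come from the release notes.

```javascript
// Added example, not NSAuditor AI code. The alias table, lookup signature and
// sample services are assumptions made for illustration.
const CPE_ALIASES = {
  // NVD indexes Apache HTTP Server as apache_http_server; banner names are aliases.
  apache: 'apache_http_server',
  httpd: 'apache_http_server',
  apache_http_server: 'apache_http_server',
};

// Build an INFO finding that records why coverage is incomplete for this service.
function coverageGap(service, gapClass, extra = {}) {
  return {
    severity: 'INFO',
    title: `[COVERAGE GAP] ${gapClass}: ${service.host}:${service.port}`,
    evidence: { raw: { gapClass, program: service.program, ...extra } },
  };
}

// lookupFn(product, version) stands in for the NVD query so the example runs
// offline. It may throw (lookup failure) or return a non-array (malformed body).
function lookupServiceCves(service, lookupFn) {
  // Path 1: banner present, version absent. Wildcard CPE matching is skipped on
  // purpose, but the skip is now recorded instead of yielding a silent [].
  if (!service.version) {
    return [coverageGap(service, 'no_version_detected')];
  }
  // Path 2: banner name not in the alias table; name the string that needs adding.
  const product = CPE_ALIASES[service.program.toLowerCase()];
  if (!product) {
    return [coverageGap(service, 'cpe_map_miss')];
  }
  // Path 3: the lookup itself failed (e.g. rate limiting); keep the stderr warning
  // and surface errorName/errorMessage in the finding for triage.
  let response;
  try {
    response = lookupFn(product, service.version);
  } catch (err) {
    console.warn(`NVD lookup failed for ${product} ${service.version}: ${err.message}`);
    return [coverageGap(service, 'nvd_lookup_failure',
      { errorName: err.name, errorMessage: err.message })];
  }
  // Path 4: the response is not the array the pipeline expects.
  if (!Array.isArray(response)) {
    return [coverageGap(service, 'nvd_response_not_array', { responseType: typeof response })];
  }
  return response.map((cve) => ({
    severity: cve.severity,
    title: `${cve.id} on ${product} ${service.version}`,
    evidence: { raw: cve },
  }));
}

// Harvester-side filter: a gap is identified by its title prefix, not by an empty list.
function isCoverageGap(finding) {
  return finding.title.startsWith('[COVERAGE GAP]');
}

// Constructed stand-in for the NVD client covering the happy path and both failure modes.
function fakeNvdLookup(product, version) {
  if (product === 'apache_http_server' && version === '2.4.0') {
    return [{ id: 'EXAMPLE-CVE-1', severity: 'HIGH' }]; // constructed, not a real CVE
  }
  if (version === 'rate-limited') {
    const e = new Error('429 Too Many Requests');
    e.name = 'RateLimitError';
    throw e;
  }
  return { message: 'unexpected object body' }; // malformed: not an array
}

// Constructed services, one per outcome.
const sampleServices = [
  { host: '10.0.0.1', port: 80, program: 'httpd', version: '2.4.0' },       // clean lookup
  { host: '10.0.0.2', port: 80, program: 'httpd', version: null },          // no_version_detected
  { host: '10.0.0.3', port: 8080, program: 'unknown-daemon', version: '1.0' }, // cpe_map_miss
  { host: '10.0.0.4', port: 443, program: 'apache', version: 'rate-limited' }, // nvd_lookup_failure
  { host: '10.0.0.5', port: 80, program: 'apache', version: '9.9' },        // nvd_response_not_array
];

function scanAll(services, lookupFn = fakeNvdLookup) {
  return services.flatMap((s) => lookupServiceCves(s, lookupFn));
}

for (const f of scanAll(sampleServices)) {
  console.log(isCoverageGap(f) ? 'GAP   ' : 'CVE   ', f.title);
}
```

The point of the wrapper is that every branch returns at least one finding: an auditor reading the output can tell a clean service (CVE findings present) from a skipped one (a gap finding present), and the gap finding names exactly what would have to change for coverage to be complete.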
Severity Ordering Before the Volume Cap
EE 0.9.2 also closes an inverse-severity selection class. Pre-0.9.2, when a service had more CVEs than the per-service cap, the cap was applied in NVD response order. This meant a service with 80+ CVEs could silently truncate a CVSS 9.8 RCE if the NVD returned it at position 26 in the response.
Post-0.9.2, the pipeline sorts CVEs by CVSS score (descending) before applying any cap, and a NEVER_CAP_SEVERITIES bypass guarantees that CRITICAL and HIGH CVEs always emit. When truncation does occur — MEDIUM, LOW, and unscored CVEs only — a new [COVERAGE NOTE] INFO finding surfaces the truncatedCount and cap for operator visibility.
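The following is an added illustration of the before/after capping behaviour, not NSAuditor AI's own code. It puts the pre-0.9.2 response-order slice beside a severity-first cap that sorts by CVSS descending, exempts CRITICAL and HIGH, and reports any truncation of the remainder as a [COVERAGE NOTE] INFO finding with truncatedCount and cap. The cap value of 25, the assumption that the cap counts all emitted CVEs for the service, the CVSS v3 severity bands and the constructed 30-entry response (with a 9.8 at position 26) are this example's own.

```javascript
// Added example, not NSAuditor AI code. PER_SERVICE_CAP, the cap semantics and the
// sample response are assumptions for illustration; NEVER_CAP_SEVERITIES mirrors the
// release's description of the bypass.
const NEVER_CAP_SEVERITIES = new Set(['CRITICAL', 'HIGH']);
const PER_SERVICE_CAP = 25; // assumed cap value

// CVSS v3 qualitative bands; a missing or non-numeric score is UNSCORED.
function severityOf(score) {
  if (typeof score !== 'number' || Number.isNaN(score)) return 'UNSCORED';
  if (score >= 9.0) return 'CRITICAL';
  if (score >= 7.0) return 'HIGH';
  if (score >= 4.0) return 'MEDIUM';
  return 'LOW';
}

// Pre-0.9.2 behaviour: slice in NVD response order, blind to severity.
function legacyCap(cves, cap = PER_SERVICE_CAP) {
  return cves.slice(0, cap);
}

// 0.9.2 behaviour: sort by CVSS descending (unscored last), emit every
// CRITICAL/HIGH regardless of cap, fill remaining slots from the rest, and
// surface the count of dropped MEDIUM/LOW/unscored entries.
function applySeverityCap(cves, cap = PER_SERVICE_CAP) {
  const scoreOf = (c) => (typeof c.cvss === 'number' ? c.cvss : -1);
  const sorted = [...cves].sort((a, b) => scoreOf(b) - scoreOf(a));
  const uncapped = sorted.filter((c) => NEVER_CAP_SEVERITIES.has(severityOf(c.cvss)));
  const cappable = sorted.filter((c) => !NEVER_CAP_SEVERITIES.has(severityOf(c.cvss)));
  const slots = Math.max(0, cap - uncapped.length); // assumption: cap is a per-service total
  const kept = cappable.slice(0, slots);
  const truncatedCount = cappable.length - kept.length;
  const note = truncatedCount === 0 ? null : {
    severity: 'INFO',
    title: '[COVERAGE NOTE] per-service CVE cap truncated lower-severity findings',
    evidence: { raw: { truncatedCount, cap } },
  };
  return { emitted: uncapped.concat(kept), note };
}

// Constructed NVD response: 30 entries in response order, all MEDIUM except a
// CVSS 9.8 at position 26 (index 25), just past a cap of 25.
const sampleResponse = Array.from({ length: 30 }, (_, i) => ({
  id: `EXAMPLE-CVE-${i + 1}`, // constructed identifiers, not real CVEs
  cvss: i === 25 ? 9.8 : 5.0,
}));

const before = legacyCap(sampleResponse);
const after = applySeverityCap(sampleResponse);
console.log('legacy kept 9.8:', before.some((c) => c.cvss === 9.8));   // false
console.log('0.9.2 first entry:', after.emitted[0].id, after.emitted[0].cvss); // EXAMPLE-CVE-26 9.8
console.log('0.9.2 note:', after.note && after.note.evidence.raw);     // { truncatedCount: 5, cap: 25 }
```

Because the sort runs before the slice, the bypass set only matters when a service carries more CRITICAL/HIGH entries than the cap itself; in that case the function still emits all of them and truncates nothing but the lower-severity tail, which is the invariant the release describes.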
EE-Only Scope and Coverage Matrix
EE 0.9.2 is a standalone EE publish — CE 0.1.70 and agent-skill 0.1.37 are unchanged. This is the first non-trio publish since EE 0.4.5, reflecting deliberate scope discipline: a quality uplift on covered ground does not require paired downstream releases.
The coverage matrix is UNCHANGED: 10 controls / 4 partial / 33 OOS for SOC 2, and 7 covered / 3 partial / 45 OOS for HIPAA §164.312. Plugin count remains at 24. The 5,988/5,988 test suite passes, extending the 71-session 100% green streak.
Installation
npm install -g nsauditor-ai@0.1.70 @nsasoft/nsauditor-ai-ee@0.9.2
Full documentation: nsauditor.com/ai/enterprise/