Can someone explain me how osquery detects if software is vulnerable or not? like are you checking with some open source database or something else?

Osquery itself is a tool to gather device information. Osquery can for example pull a list of software and it’s version then tools such as #fleet can cross reference this against the https://nvd.nist.gov/ for known CVE’s