# fleet

Mathias Palmersheim

02/26/2023, 12:45 AM
Question about how vulnerabilities are listed in Fleet. I have noticed I am getting vulnerabilities listed in Fleet, but the box has updated OS packages and nothing installed via a language package manager like npm or pip. My best guess is that it is matching a version of a package and accounting for vendor patches. I just wanted to confirm this was the case, or if I am missing something.

Kathy Satterlee

02/27/2023, 7:49 PM
Hey @Mathias Palmersheim! Yes, Fleet gathers software inventory, then looks for CVEs that match the version of that software installed on the host.