Nsasoft has shipped NSAuditor AI Enterprise Edition 0.9.2, a targeted intelligence engine patch that fixes a subtle evidence integrity issue: security scans that returned “0 CVE findings” were previously ambiguous — the result could mean a service was genuinely patched, or it could mean the scanner hit a coverage limitation and silently returned nothing.
Why This Matters for Security Audits
For organizations running SOC 2 or HIPAA compliance audits, scan evidence quality is as important as scan breadth. Under SOC 2 CC7.1 (Monitoring) and HIPAA §164.308(a)(8) (Evaluation), an auditor reviewing scan evidence needs to distinguish “no vulnerabilities found” from “scanner could not produce vulnerability evidence for this service.” Pre-0.9.2, those two outcomes were indistinguishable.
Four Gap Classes Now Made Visible
EE 0.9.2 converts four previously silent code paths into explicit [COVERAGE GAP] INFO findings, each carrying an actionable gapClass value:
- no_version_detected — the service responded but didn’t expose a version string. The scanner intentionally avoids wildcard CPE matches (too many false positives), but now flags the limitation explicitly.
- cpe_map_miss — a known NVD alias issue (e.g. “Apache” vs “apache_http_server”) caused the CVE lookup to find nothing. The gap class names the string that needs alias mapping.
- nvd_lookup_failure — rate limits or network errors during NVD API calls previously caused services to be silently dropped from results. Now surfaced with full error context for triage.
- nvd_response_not_array — a malformed or unexpected NVD response now surfaces as a diagnosable gap rather than disappearing.
CRITICAL and HIGH CVEs Now Always Surface
The update also closes a severity-ordering flaw. Previously, the per-service CVE volume cap was applied in the order NVD returned results — meaning a service with many CVEs could have its most severe findings truncated if they happened to appear later in the NVD response. Post-0.9.2, the pipeline sorts by CVSS score before applying any cap, and a hardcoded bypass ensures CRITICAL and HIGH severity CVEs always emit. If lower-severity results are truncated, a [COVERAGE NOTE] finding surfaces the count.
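The ordering change described above, sketched in JavaScript as an added illustration (not Nsasoft's code). The field names id, cvss and severity, the cap value, the note wording and the sample records are assumptions, and the cap is assumed to count every emitted finding.

```javascript
// Added illustration; field names, cap semantics and note wording are assumptions.
const ALWAYS_EMIT = new Set(["CRITICAL", "HIGH"]);

// Pre-fix behaviour as the text describes it: cap applied in NVD response order.
function capInResponseOrder(cves, cap) {
  return cves.slice(0, cap);
}

// Post-fix behaviour as the text describes it: sort by CVSS first, never drop
// CRITICAL/HIGH, and report how many lower-severity results were truncated.
function capBySeverity(cves, cap) {
  const sorted = [...cves].sort((a, b) => (b.cvss ?? 0) - (a.cvss ?? 0));
  const findings = [];
  let truncated = 0;
  for (const cve of sorted) {
    if (ALWAYS_EMIT.has(cve.severity) || findings.length < cap) {
      findings.push(cve);
    } else {
      truncated += 1;
    }
  }
  if (truncated > 0) {
    findings.push({
      severity: "INFO",
      title: `[COVERAGE NOTE] ${truncated} lower-severity CVE(s) truncated by per-service cap`,
      truncated,
    });
  }
  return findings;
}

// Constructed sample: placeholder IDs, with the most severe entries last in "NVD order".
const SAMPLE = [
  { id: "CVE-EXAMPLE-1", cvss: 4.3, severity: "MEDIUM" },
  { id: "CVE-EXAMPLE-2", cvss: 3.1, severity: "LOW" },
  { id: "CVE-EXAMPLE-3", cvss: 5.0, severity: "MEDIUM" },
  { id: "CVE-EXAMPLE-4", cvss: 9.8, severity: "CRITICAL" },
  { id: "CVE-EXAMPLE-5", cvss: 7.5, severity: "HIGH" },
  { id: "CVE-EXAMPLE-6", cvss: 8.1, severity: "HIGH" },
];

// Helper: IDs of real CVE findings, skipping the synthetic coverage note.
const ids = (list) => list.filter((f) => f.id).map((f) => f.id);

console.log("response-order cap:", ids(capInResponseOrder(SAMPLE, 2)));
console.log("severity-aware cap:", capBySeverity(SAMPLE, 2));
```

With a cap of 2, the response-order version returns only the MEDIUM and LOW entries, while the severity-aware version returns all three CRITICAL/HIGH entries plus a note counting the three truncated results.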
Scope and Availability
EE 0.9.2 is an EE-only release — CE and agent-skill packages are unchanged at their current versions. The SOC 2 and HIPAA coverage matrices remain unchanged at 10/4/33 and 7/3/45 respectively, with all 24 plugins intact. This is a pure evidence quality improvement on existing covered controls.
npm install -g nsauditor-ai@0.1.70 @nsasoft/nsauditor-ai-ee@0.9.2
More at nsauditor.com/ai/enterprise/




