{"id":4144,"date":"2026-05-26T14:45:48","date_gmt":"2026-05-26T14:45:48","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/05\/26\/owasp-adopts-cve-lite-cli-to-boost-dependency-scanning\/"},"modified":"2026-05-26T14:45:48","modified_gmt":"2026-05-26T14:45:48","slug":"owasp-adopts-cve-lite-cli-to-boost-dependency-scanning","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/05\/26\/owasp-adopts-cve-lite-cli-to-boost-dependency-scanning\/","title":{"rendered":"OWASP Adopts CVE Lite CLI to Boost Dependency Scanning"},"content":{"rendered":"<p><span>Checking for dependency vulnerabilities in freshly developed software is usually done near the end of the build process. Remediation at that point can be tricky.<\/span><\/p>\n<p><span>Now, JavaScript and TypeScript developers can check for vulnerabilities themselves as they \u2013 or their agents \u2013 write their source code, using an open source project called <\/span><a href=\"https:\/\/owasp.org\/cve-lite-cli\/\"><span>CVE Lite CLI<\/span><\/a><span>.<\/span><\/p>\n<p><span>Last month, the <\/span><a href=\"https:\/\/owasp.org\/\"><span>Open Worldwide Application Security Project <\/span><\/a><span>(OWASP) accepted CVE Lite CLI as an incubating project. 
<\/span><a href=\"https:\/\/sonukapoor.com\/\"><span>Sonu Kapoor <\/span><\/a><span>specifically created CVE Lite CLI to check vulnerabilities earlier in the development cycle.<\/span><\/p>\n<p><span>Kapoor\u2019s approach can be seen as a form of \u201cshift left,\u201d where the developer assumes more responsibility in ensuring the security of their code. It differs from how vulnerability scanning is typically done within production workflows, where security is a separate test that happens at the end of the development cycle.<\/span><\/p>\n<p><span>Once installed, the app can scan your lockfiles \u2013 the dependency tree configuration \u2013 and check the installed dependencies for any vulnerabilities they may have, by referencing the <\/span><a href=\"https:\/\/osv.dev\/\"><span>Open Source Vulnerabilities<\/span><\/a><span> database. If a vulnerability is found, it then generates a set of ready-to-copy commands that can be pasted into the command line to update from your given package manager (npm, pnpm, Yarn and Bun are currently supported).<\/span><\/p>\n<p><span>CVE Lite CLI can also work offline, caching all the CVEs on a local database.<\/span><\/p>\n<h3><b>Parent-Aware Guidance<\/b><\/h3>\n<p><span>Other interface-based vulnerability remediation tools include GitHub\u2019s <\/span><a href=\"https:\/\/docs.github.com\/en\/code-security\/tutorials\/secure-your-dependencies\/dependabot-quickstart-guide\"><span>Dependabot<\/span><\/a><span>, the Node Package Manager\u2019s <\/span><a href=\"https:\/\/docs.npmjs.com\/cli\/v10\/commands\/npm-audit?\"><span>npm audit<\/span><\/a><span>, Google\u2019s <\/span><a href=\"https:\/\/github.com\/google\/osv-scanner\"><span>OSV-Scanner<\/span><\/a><span>, <\/span><a href=\"https:\/\/github.com\/snyk\/cli\"><span>Snyk CLI<\/span><\/a><span> and the <\/span><a href=\"https:\/\/socket.dev\/features\/cli\"><span>Socket CLI<\/span><\/a><span>.<\/span><\/p>\n<p><span>CVE Lite is smart with the 
transitive dependencies, pinpointing the exact root-level parent of an errant package.<\/span><\/p>\n<p><span>\u201cTransitive parent update guidance is one of CVE Lite CLI\u2019s core differentiators,\u201d the <\/span><a href=\"https:\/\/owasp.org\/cve-lite-cli\/docs\/comparison\"><span>documentation claims<\/span><\/a><span>. \u201cInstead of telling users to install a vulnerable transitive package directly, the CLI points at the parent package that controls the dependency path.\u201d<\/span><\/p>\n<p><span>A direct dependency is easy to replace. Transitive dependencies, or dependencies embedded within other dependencies, are trickier to sort out.<\/span><\/p>\n<p><span>But CVE Lite is smart enough to know when the package is transitive. A lot of package managers, if they can\u2019t find the embedded package, or if the parent package prevents it from updating the problematic dependency, will just put the new version of the embedded dependency in the root directory, which is effectively useless.<\/span><\/p>\n<p><span>CVE Lite takes a different approach: instead of updating the package itself, it updates the parent package.<\/span><\/p>\n<p><span>CVE Lite CLI can even work with the Node.js hoist model, where all the packages reside in the node_modules folder, reducing the problem of recursive nesting, though obscuring the dependency tree for most scanners.<\/span><\/p>\n<p><span>There are a few immediate limits with this developer-first approach that must be considered in an overall security defense strategy.<\/span><\/p>\n<p><span>CVE Lite doesn\u2019t provide any runtime protection, so an organization will need separate tooling for that function. It is wholly dependent on a single CVE database, and thus may miss some vulnerabilities that don\u2019t get reported there. 
The offline cache will continually need to be updated when the software is online.<\/span><\/p>\n<h3><b>The Problem of Vendoring<\/b><\/h3>\n<p><span>Hidden dependencies remain a quagmire for the open source community in general, especially as unpatched vulnerabilities are the major source of supply chain attacks \u2013 witness the <\/span><a href=\"https:\/\/www.securityweek.com\/tanstack-mistral-ai-uipath-hit-in-fresh-supply-chain-attack\/\"><span>Mini Shai-Hulud attack<\/span><\/a><span> earlier this month in which 170 npm and PyPI packages were poisoned.<\/span><\/p>\n<p><span>A user may install an app that comes with its own set of dependencies. Unless the app itself is updated (if it is updated at all), it may contain libraries or other code that will have known vulnerabilities. This is sometimes called \u201c<\/span><a href=\"https:\/\/stackoverflow.com\/questions\/26217488\/what-is-vendoring\"><span>vendoring<\/span><\/a><span>,\u201d where a software provider introduces hidden vulnerabilities through third-party software.<\/span><\/p>\n<p><span>Mitchell Hashimoto, creator of the popular Ghostty terminal, recommends forking any dependencies you use, trimming them to just what you need, embedding them in your code, and never updating them, at least until something breaks.<\/span><\/p>\n<p><span>\u201cI\u2019ve always said that updating is way riskier than latent bugs (which can be tracked and CVEs monitored),\u201d he <\/span><a href=\"https:\/\/x.com\/mitchellh\/status\/2057171518027887035\"><span>wrote on X<\/span><\/a><span>. 
\u201cIf you are updating a dependency, it\u2019s on you to analyze every single commit in the full transitive set of dependencies.\u201d<\/span><\/p>\n<p><a href=\"https:\/\/devops.com\/owasp-adopts-cve-lite-cli-to-boost-dependency-scanning\/\" target=\"_blank\" class=\"feedzy-rss-link-icon\">Read More<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>Checking for dependency vulnerabilities in freshly developed software is usually done near the end of the build process. Remediation at [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4145,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[5],"tags":[],"class_list":["post-4144","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4144","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=4144"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4144\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/4145"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=4144"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=4144"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=4144"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}