OWASP Adopts CVE Lite CLI to Boost Dependency Scanning
Source: DevOps.com
Dependency scanning with CVE Lite CLI
Checking for dependency vulnerabilities in freshly developed software is usually done near the end of the build process. Remediation at that point can be tricky.
Now, JavaScript and TypeScript developers can check for vulnerabilities themselves as they – or their agents – write their source code, using an open‑source project called CVE Lite CLI.
Last month, the Open Worldwide Application Security Project (OWASP) accepted CVE Lite CLI as an incubating project. Sonu Kapoor specifically created CVE Lite CLI to check vulnerabilities earlier in the development cycle.
Kapoor’s approach can be seen as a form of “shift‑left,” where the developer assumes more responsibility for the security of their code. It differs from the typical production‑workflow scanning, where security is a separate test that runs at the end of the development cycle.
Once installed, the app can scan your lockfiles (the dependency‑tree configuration) and check the installed dependencies for any vulnerabilities by referencing the Open Source Vulnerabilities (OSV) database. If a vulnerability is found, it generates a set of ready‑to‑copy commands that can be pasted into the command line to update the affected package using your package manager (npm, pnpm, Yarn, and Bun are currently supported).
CVE Lite CLI can also work offline, caching all CVEs in a local database.
Parent‑Aware Guidance
Other interface‑based vulnerability‑remediation tools include:
- GitHub’s Dependabot
- npm’s npm audit
- Google’s OSV‑Scanner
- Snyk CLI
- Socket CLI
CVE Lite is smart about transitive dependencies, pinpointing the exact root level of an errant package.
“Transitive parent update guidance is one of CVE Lite CLI’s core differentiators,” the documentation claims. “Instead of telling users to install a vulnerable transitive package directly, the CLI points at the parent package that controls the dependency path.”
A direct dependency is easy to replace. Transitive dependencies—dependencies embedded within other dependencies—are trickier to sort out.
CVE Lite knows when a package is transitive. Many package managers, if they can’t find the embedded package or if the parent package prevents updating the problematic dependency, will simply place the new version of the embedded dependency in the root directory, which is effectively useless.
CVE Lite takes a different approach: instead of updating the vulnerable package itself, it updates the parent package.
CVE Lite CLI can even work with the Node.js hoist model, where all packages reside in the node_modules folder, reducing the problem of recursive nesting (though this can obscure the dependency tree for most scanners).
Limitations
There are a few immediate limits with this developer‑first approach that must be considered in an overall security‑defense strategy:
- CVE Lite provides no runtime protection, so organizations will need separate tooling for that function.
- It relies on a single CVE database and may miss vulnerabilities not reported there.
- The offline cache must be refreshed regularly when the software is online.
The Problem of Vendoring
Hidden dependencies remain a quagmire for the open‑source community, especially as unpatched vulnerabilities are the major source of supply‑chain attacks – see the Mini Shai‑Hulud attack earlier this month, in which 170 npm and PyPI packages were poisoned.
A user may install an app that comes with its own set of dependencies. Unless the app itself is updated (if it is updated at all), it may contain libraries or other code with known vulnerabilities. This is sometimes called vendoring, where a software provider introduces hidden vulnerabilities through third‑party software.
Mitchell Hashimoto, creator of the popular Ghostty terminal, recommends forking any dependencies you use, trimming them to just what you need, and then embedding them in your code and never updating them—at least until something breaks.
“I’ve always said that updating is way riskier than latent bugs (which can be tracked and CVEs monitored),” he wrote on X. “If you are updating a dependency, it’s on you to analyze every single commit in the full transitive set of dependencies.”
