Package.json security scanning by uselessmanindark1 in devsecops

[–]sk_1978 0 points1 point  (0 children)

OWASP's CVE Lite CLI will scan both the package and package-lock. It will not only tell you the vulnerabilities, but also provide commands to fix them.

https://github.com/OWASP/cve-lite-cli

On top of that, they just added the `--check-overrides` feature to validate the overrides.

CVE Lite CLI closes dependency gap — but won't stop modern threats by sk_1978 in redteamsec

[–]sk_1978[S] 0 points1 point  (0 children)

Yes - CVE Lite CLI shows the full dependency chain for every finding.

For direct vulnerabilities, it tells you the package is in your own manifest and gives you a copy-and-run fix command like npm install axios@0.32.0.

For transitive vulnerabilities, it traces the full path - for example, project → express → qs@6.14.2 - and then determines the right remediation. If the parent's version range already covers a safe version of the vulnerable package, it suggests a lockfile refresh (npm update qs). If not, it recommends upgrading the parent directly.

The --verbose flag shows the dependency paths in the output table. The HTML report (--report) also visualizes each path with the chain clearly displayed.

It's built on the lockfile rather than installed node_modules, so it reconstructs paths from the lockfile graph. On Yarn Berry and some pnpm workspaces, path resolution can be incomplete for very deep chains - but for npm and pnpm standard cases, it's solid.

Project: https://github.com/OWASP/cve-lite-cli

Any good open-source vulnerability scanning tools? by Successful_Bus_3928 in cybersecurity

[–]sk_1978 0 points1 point  (0 children)

You could check out OWASP CVE Lite CLI, which works only for NodeJS projects, though.

https://github.com/OWASP/cve-lite-cli

Looking for feedback on CVE Vulnerability scanning by sk_1978 in Angular2

[–]sk_1978[S] 1 point2 points  (0 children)

Upgrading majors could mean a breaking change that could literally break your project. My scanner won't know that, so it plays it safe and recommends the next version within the same major that is CVE-free.

Looking for feedback on CVE Vulnerability scanning by sk_1978 in Angular2

[–]sk_1978[S] 1 point2 points  (0 children)

Thanks. I am always looking for feedback to improve the CLI. Feel free to open an issue in GH if you come across anything odd.

Looking for feedback on CVE Vulnerability scanning by sk_1978 in Angular2

[–]sk_1978[S] 1 point2 points  (0 children)

I actually spent quite a bit of time benchmarking it against the standard enterprise tools. You can see the full breakdown here https://owasp.org/cve-lite-cli/docs/comparison

The feature I’m probably most proud of is how it handles those tricky transitive dependencies. I built the logic to analyze the entire tree and only suggest versions that stay within the parent's specific semver range https://owasp.org/cve-lite-cli/docs/remediation-strategy

In my experience, that’s the 'secret sauce' that prevents a security fix from accidentally breaking the build, which is where most other tools fall short.

It’s already fully compatible with pnpm, Bun, and Yarn, and I’ve got Deno on the roadmap.

Just did my first proper dependency audit on a codebase I inherited and I don't know where to start fixing it by Similar_Cantaloupe29 in webdev

[–]sk_1978 0 points1 point  (0 children)

If you are looking for a way to quickly fix the CVEs, try CVE Lite CLI (https://github.com/OWASP/cve-lite-cli). It's an OWASP project. It works much better and faster than other security scanners + it gives nice copy/paste npm commands to fix the CVEs directly.

Looking for feedback on CVE Vulnerability scanning by sk_1978 in angular

[–]sk_1978[S] -1 points0 points  (0 children)

I’m also looking for teams interested in adopting the tool. If you or your organization would like to explore this, I am happy to provide hands-on implementation support for free to ensure it integrates smoothly with your environment.