OWASP Adopts CVE Lite CLI to Boost Dependency Scanning - DevOps.com
Briefly

CVE Lite CLI is designed to check dependency vulnerabilities earlier in the development cycle, reducing the difficulty of late-stage remediation. It supports an offline workflow by caching CVEs in a local database. For transitive dependencies it gives parent-aware guidance, identifying the root-level package that introduces the errant dependency: instead of updating the embedded dependency directly, it updates that parent package, avoiding the ineffective fix some package managers apply when an embedded package cannot be updated in place (dropping a new copy of it into the root directory). It also works with the Node.js hoist model, in which packages are placed in the top-level node_modules folder; hoisting reduces recursive nesting but makes the dependency tree harder for other scanners to read. The approach has limits: it provides no runtime protection, so separate tooling is needed for that.
"Checking for dependency vulnerabilities in freshly developed software is usually done near the end of the build process. Remediation at that point can be tricky. Last month, the Open Worldwide Application Security Project (OWASP) accepted CVE Lite CLI as an incubating project. Sonu Kapoor specifically created CVE Lite CLI to check vulnerabilities earlier in the development cycle."
"Kapoor's approach can be seen as a form of "shift left," where the developer assumes more responsibility in ensuring the security of their code. It differs from how vulnerability scanning is typically done within production workflows, where security is a separate test that happens at the end of the development cycle. CVE Lite CLI can also work offline, caching all the CVEs on a local database."
"CVE Lite is smart with the transitive dependencies, pinpointing the exact root level of an errant package. A direct dependency is easy to replace. Transitive dependencies, or dependencies embedded within other dependencies, are trickier to sort out. But CVE Lite is smart enough to know when the package is transitive. A lot of package managers, if they can't find the embedded package, or if the parent package prevents it from updating the problematic dependency, will just put the new version of the embedded dependency in the root directory, which is effectively useless."
"CVE Lite takes a different approach: Instead of updating the package itself, it updates the parent package. CVE Lite CLI can even work with the Node.js Hoist model, where all the packages reside in the node_modules folder, reducing the problem of recursive nesting, though obscuring the dependency tree for most scanners. There are a few immediate limits with this developer-first approach which must be considered in an overall security defense strategy. CVE Lite doesn't provide any runtime protection, so an organization will need separate tooling for that function."
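The parent-aware guidance described above can be illustrated with a small script. The following is an added example written for this summary; it is not CVE Lite CLI's code and makes no claim about how that tool is implemented. It assumes input shaped like the `packages` map of an npm `package-lock.json` (v2/v3), where keys are install paths such as `node_modules/a/node_modules/b` and the project root is the empty key. It resolves each declared dependency the way Node does (nearest `node_modules`, then walking up, which is what makes hoisted copies shared), builds the reverse edges, and for every installed copy matching a locally cached advisory walks up to the root-level packages that pull it in, so the advice targets the parent rather than the nested copy. The package names, versions and advisory id are all constructed placeholders.

```javascript
// Added example, not CVE Lite CLI's code: parent-aware guidance for a vulnerable
// transitive dependency in a hoisted npm tree. Input mirrors the "packages" map
// of package-lock.json v2/v3 (install path -> metadata); all data is constructed.

// Node-style resolution: from `fromPath`, look in ./node_modules/<name>, then
// walk up through ancestor node_modules directories to the project root ("").
function resolveDep(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = dir === '' ? `node_modules/${name}` : `${dir}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (dir === '') return null;
    const idx = dir.lastIndexOf('/node_modules/');
    dir = idx === -1 ? '' : dir.slice(0, idx);
  }
}

// Reverse edges: installed path -> set of installed paths that depend on it.
function buildDependents(packages) {
  const dependents = new Map();
  for (const [pkgPath, meta] of Object.entries(packages)) {
    const deps = { ...(meta.dependencies || {}), ...(meta.optionalDependencies || {}) };
    for (const name of Object.keys(deps)) {
      const target = resolveDep(packages, pkgPath, name);
      if (target === null) continue; // unmet optional dependency
      if (!dependents.has(target)) dependents.set(target, new Set());
      dependents.get(target).add(pkgPath);
    }
  }
  return dependents;
}

// Walk the dependents upward until reaching packages declared by the root ("").
// Returns the root-level install paths that (transitively) pull in `installPath`.
function findRootParents(packages, installPath) {
  const dependents = buildDependents(packages);
  const roots = new Set();
  const seen = new Set([installPath]);
  const queue = [installPath];
  while (queue.length > 0) {
    const cur = queue.shift();
    for (const parent of dependents.get(cur) || []) {
      if (parent === '') roots.add(cur); // cur is a direct dependency of the project
      else if (!seen.has(parent)) { seen.add(parent); queue.push(parent); }
    }
  }
  return [...roots].sort();
}

// Minimal numeric x.y.z comparison; a real scanner uses full semver range matching.
function versionLessThan(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Match every installed copy against the (locally cached) advisories and attach
// remediation advice aimed at the root-level parent, not the embedded copy.
function report(packages, advisories) {
  const findings = [];
  for (const [pkgPath, meta] of Object.entries(packages)) {
    if (pkgPath === '') continue;
    const name = pkgPath.slice(pkgPath.lastIndexOf('node_modules/') + 'node_modules/'.length);
    for (const adv of advisories) {
      if (adv.name !== name || !versionLessThan(meta.version, adv.fixedIn)) continue;
      const rootParents = findRootParents(packages, pkgPath);
      const direct = rootParents.includes(pkgPath);
      findings.push({
        path: pkgPath, name, version: meta.version, advisory: adv.id, rootParents, direct,
        advice: direct
          ? `update ${name} to >= ${adv.fixedIn} directly`
          : `update ${rootParents.join(', ')} to a release that requires ${name} >= ${adv.fixedIn}`,
      });
    }
  }
  return findings;
}

// Constructed lock data: vuln-lib is hoisted to the top level (shared by
// web-framework and arg-parser) and also nested under cli-helper at an older version.
const SAMPLE_PACKAGES = {
  '': { dependencies: { 'web-framework': '^2.0.0', 'cli-helper': '^1.0.0' } },
  'node_modules/web-framework': { version: '2.1.0', dependencies: { 'vuln-lib': '^1.0.0' } },
  'node_modules/cli-helper': { version: '1.0.0', dependencies: { 'arg-parser': '^3.0.0', 'vuln-lib': '^0.9.0' } },
  'node_modules/cli-helper/node_modules/vuln-lib': { version: '0.9.0' },
  'node_modules/arg-parser': { version: '3.2.0', dependencies: { 'vuln-lib': '^1.0.0' } },
  'node_modules/vuln-lib': { version: '1.0.4' },
};
// Constructed advisory with a placeholder id (not a real CVE).
const SAMPLE_ADVISORIES = [{ id: 'EXAMPLE-ADVISORY-0001', name: 'vuln-lib', fixedIn: '1.1.0' }];

for (const f of report(SAMPLE_PACKAGES, SAMPLE_ADVISORIES)) {
  console.log(`${f.path}@${f.version} (${f.advisory}): ${f.advice}`);
}
```

In the constructed tree the hoisted `vuln-lib` copy is reached from two root-level packages, so the advice names both parents; the nested copy under `cli-helper` is traced to that single parent. Simply writing a patched `vuln-lib` into the top-level `node_modules` would leave the nested copy untouched and would be overwritten the next time the parents are reinstalled, which is the ineffective fix the article describes.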
Read at DevOps.com