CVE Lite CLI: A Solution to Vulnerable Dependencies
Including npm packages in software development projects can save time, but it can also introduce unseen vulnerabilities. This is where CVE Lite CLI comes in - a lightweight command-line security scanner that operates on lockfiles during software development.
CVE Lite CLI is an OSV-powered dependency scanner that supports npm, pnpm, and Yarn, focusing on JavaScript and TypeScript projects. It is an open-source tool developed by Sonu Kapoor, now community-supported and recently adopted as an OWASP Incubator Project.
The Problem of Vulnerable Dependencies
Kapoor, a software developer with 25 years of experience, understands the frustrations and delays in the secure software development process. He explains that each project built doesn't simply contain the developer's own code, but also hundreds of open-source packages, each of which might pull in other packages with their own dependencies.
As a result, a typical JavaScript project can involve thousands of dependencies, most of which the developer has never heard of and cannot say how they came to be included. At this stage, the developer is flying blind, unaware of potential security vulnerabilities in these packages.
SBOMs and Scanners
Software Bills of Materials (SBOMs) were introduced to address this problem, especially within open-source software (OSS). However, SBOMs cannot be trusted, especially in OSS, so developers must use scanners to locate vulnerabilities in npm packages that were pulled in automatically and are unknown to them.
Scanners exist, but they can often only be run at an inconvenient point in the workflow and offer limited help with fixing what they find. This is where CVE Lite CLI comes in - a free, open-source command-line tool that scans projects in seconds and tells the developer exactly which included packages contain a vulnerability.
How CVE Lite CLI Works
CVE Lite CLI uses its own internal algorithm to analyze each vulnerable dependency and provide the safest command for switching to a non-vulnerable alternative package that won't break the application. This lets the developer produce secure code as part of the act of coding.
Unlike other scanners that can only be run at an inconvenient point in the workflow, CVE Lite CLI runs on the developer's own device, can be used on demand instantly, completes its scan within seconds, and helps fix any discovered vulnerabilities. It automatically scans the new npm package that its recommended command brings in, ensuring that the proposed fix is a genuine fix.
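As an added illustration of the lockfile-driven, OSV-style workflow the article describes (this is not CVE Lite CLI's own code, which is not shown on this page), the following Node.js script parses a constructed package-lock.json, builds the request body that OSV's batch endpoint (https://api.osv.dev/v1/querybatch) accepts, and then matches the installed versions against a constructed advisory list offline using OSV's SEMVER range semantics. The package names, versions and advisory id are invented for the example; the nested "tiny-parser" copy shows why a scanner must walk the full lockfile rather than only the direct dependencies.

```javascript
// Added example: a minimal lockfile-driven, OSV-style dependency check.
// Not CVE Lite CLI's own code; lockfile, names and advisory are constructed.

// Constructed package-lock.json (lockfileVersion 3). Every installed package,
// direct or transitive, appears under "packages" keyed by its install path.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "left-widget": "^1.2.0" } },
    "node_modules/left-widget": { version: "1.2.3", dependencies: { "tiny-parser": "^0.9.0" } },
    // Nested, older copy pulled in transitively by left-widget.
    "node_modules/left-widget/node_modules/tiny-parser": { version: "0.9.1" },
    // Top-level dev-only copy on a newer version.
    "node_modules/tiny-parser": { version: "1.0.0", dev: true },
  },
});

// Constructed advisory in the shape of an OSV record's "affected" entries
// (SEMVER ranges expressed as introduced/fixed events). Not a real advisory.
const SAMPLE_ADVISORIES = [
  {
    id: "EXAMPLE-2024-0001",
    summary: "constructed: unsafe parsing in tiny-parser before 0.9.2",
    affected: [{
      package: { ecosystem: "npm", name: "tiny-parser" },
      ranges: [{ type: "SEMVER", events: [{ introduced: "0" }, { fixed: "0.9.2" }] }],
    }],
  },
];

// Extract every installed package (name, exact version, path, dev flag) from
// an npm lockfile v2/v3. The name is the path segment after the last
// "node_modules/", which also covers scoped names such as @org/pkg.
function parseNpmLockfile(text) {
  const lock = JSON.parse(text);
  const marker = "node_modules/";
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.version) continue; // skip the root project
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    out.push({ name, version: entry.version, path, dev: Boolean(entry.dev) });
  }
  return out;
}

// Build the body accepted by OSV's batch endpoint
// (POST https://api.osv.dev/v1/querybatch): one query per distinct name@version.
function buildOsvQueries(packages) {
  const seen = new Set();
  const queries = [];
  for (const p of packages) {
    const key = `${p.name}@${p.version}`;
    if (seen.has(key)) continue;
    seen.add(key);
    queries.push({ package: { name: p.name, ecosystem: "npm" }, version: p.version });
  }
  return { queries };
}

// Numeric major.minor.patch comparison; pre-release tags are ignored here.
function compareSemver(a, b) {
  const pa = a.replace(/^v/, "").split("-")[0].split(".").map(Number);
  const pb = b.replace(/^v/, "").split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// OSV SEMVER semantics: affected if version >= an "introduced" event and
// < the next "fixed" (or <= "last_affected"), or unbounded if none follows.
function isAffected(version, ranges) {
  for (const range of ranges) {
    if (range.type !== "SEMVER") continue;
    let introduced = null;
    for (const ev of range.events) {
      if (ev.introduced !== undefined) { introduced = ev.introduced; continue; }
      if (introduced !== null && compareSemver(version, introduced) >= 0) {
        if (ev.fixed !== undefined && compareSemver(version, ev.fixed) < 0) return true;
        if (ev.last_affected !== undefined && compareSemver(version, ev.last_affected) <= 0) return true;
      }
      introduced = null; // closing event consumed; wait for the next introduced
    }
    if (introduced !== null && compareSemver(version, introduced) >= 0) return true;
  }
  return false;
}

// Offline match; a live scanner would POST buildOsvQueries() to OSV instead,
// but the per-package version matching is the same.
function matchAdvisories(packages, advisories) {
  const findings = [];
  for (const p of packages) {
    for (const adv of advisories) {
      for (const a of adv.affected) {
        if (a.package.ecosystem !== "npm" || a.package.name !== p.name) continue;
        if (isAffected(p.version, a.ranges)) {
          findings.push({ id: adv.id, summary: adv.summary, name: p.name,
                          version: p.version, path: p.path, dev: p.dev });
        }
      }
    }
  }
  return findings;
}

function scanLockfile(lockfileText, advisories) {
  return matchAdvisories(parseNpmLockfile(lockfileText), advisories);
}

// Stand-alone run: reports the single constructed finding (the nested copy).
console.log(JSON.stringify(scanLockfile(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES), null, 2));
```

Because the report carries the install path, the developer can see that the affected copy is the one nested under left-widget, not the top-level dev dependency; that is the information a fix command has to act on, and re-running the same scan after applying a fix is the check that the replacement really resolved the finding.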
The Benefits of CVE Lite CLI
CVE Lite CLI prevents frustration and time-wasting by running local scans within seconds, allowing the developer to see the problem, fix the problem, and then move on. It eliminates the need for waiting for hours for a scan to complete, only to find that the fix is not optimal.
Kapoor cites an example from experience where a developer went through more than 25 separate iterations of seeking a safe alternative to a vulnerable npm package. With CVE Lite CLI, this frustration and time-wasting can be avoided, and the developer can focus on producing secure code.
Conclusion
CVE Lite CLI is a game-changer for developers who want to produce secure code without the frustration and time-wasting associated with vulnerable dependencies. By scanning projects in seconds and providing the safest commands to fix vulnerabilities, CVE Lite CLI is an essential tool for any developer who wants to ensure the security of their code.
Source: SecurityWeek