|
17 | 17 |
|
18 | 18 | --- |
19 | 19 |
|
20 | | -<p align="center"> |
21 | | - <img src="./assets/diagram.png" alt="CVE Lite CLI workflow" width="700"/> |
22 | | -</p> |
23 | | - |
24 | | ---- |
25 | | - |
26 | 20 | ## What is CVE Lite CLI |
27 | 21 |
|
28 | 22 | **CVE Lite CLI** helps developers scan their projects for known package vulnerabilities without signing up for an expensive platform. It is built for the moment right before release, when you want a clear answer, a practical fix plan, and a tool you can actually afford to use. |
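Review bot: the diagram removed here is re-added further down under "How it works", but the two copies do not match: the alt text changes from "CVE Lite CLI workflow" to "CVE Lite CLI Workflow" and the width from 700 to 800. Pick one alt text and width so the move is a pure relocation, and note that readers landing on the README no longer see the workflow above the fold; a one-line pointer to the "How it works" section near the top would keep that orientation.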
@@ -162,16 +156,19 @@ This section is here to make the scope clear. CVE Lite CLI aims to complement th |
162 | 156 |
|
163 | 157 | ## How it works |
164 | 158 |
|
165 | | -CVE Lite CLI follows a simple workflow: |
| 159 | +### Architectural Philosophy |
| 160 | +CVE Lite CLI is designed as a **local-first, metadata-only** scanner. Unlike traditional SaaS security platforms that require code uploads or heavy agent installations, this tool operates directly within the developer's environment. It focuses on the "moment of release"—providing a high-speed, low-noise assessment of the dependency tree by analyzing resolved versions in project lockfiles. |
166 | 161 |
|
167 | | -1. Read a supported lockfile from your project. |
168 | | -2. Resolve package names and versions locally. |
169 | | -3. Match those packages against OSV advisory data. |
170 | | -4. Classify findings as direct or transitive where possible. |
171 | | -5. Highlight the most important fixes first. |
172 | | -6. Produce terminal, JSON, or SARIF output. |
| 162 | +<p align="center"> |
| 163 | + <img src="./assets/diagram.png" alt="CVE Lite CLI Workflow" width="800"/> |
| 164 | +</p> |
173 | 165 |
|
174 | | -The goal is to keep vulnerability scanning practical, understandable, and easy to act on. |
| 166 | +### Workflow Specifications |
| 167 | +* **Trust Boundary & Privacy:** The scan is non-intrusive. Only package names and exact versions are extracted. No source code, environment variables, or proprietary logic is ever transmitted to the external OSV (Open Source Vulnerability) API. |
| 168 | +* **Lockfile-Driven Accuracy:** By parsing `package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`, the tool avoids the "it works on my machine" discrepancy. It scans the *exact* dependency tree that will be deployed. |
| 169 | +* **Intelligent Triage:** The Analysis engine utilizes the lockfile's graph structure to distinguish between dependencies you manage directly and those brought in by third-party packages (transitive). This allows for a "Fix the Root" strategy rather than chasing individual nested vulnerabilities. |
| 170 | +* **Performance Optimization:** A local TTL (Time-To-Live) cache stores advisory results. This ensures that subsequent scans—common in iterative development or CI/CD retry loops—are near-instant and respect external API rate limits. |
| 171 | +* **Standards-Based Output:** Results are available in **SARIF (Static Analysis Results Interchange Format)**, ensuring compatibility with modern DevSecOps dashboards and IDE integrations. |
175 | 172 |
|
176 | 173 | ## What makes it stand out |
177 | 174 |
|
|
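Review bot: the rewrite drops information that the removed numbered list carried. Step 6 listed "terminal, JSON, or SARIF output", whereas the new "Standards-Based Output" bullet mentions only SARIF; step 4 classified findings as direct or transitive "where possible", whereas "Intelligent Triage" now states this unconditionally for all three lockfile formats. Keep the terminal and JSON formats in the output bullet and restore the "where possible" qualifier unless every supported lockfile really carries the graph information needed. Two smaller points: "The Analysis engine" should be "The analysis engine", and the "Trust Boundary & Privacy" bullet makes a strong "never transmitted" claim that is worth backing with a short statement of exactly what the OSV request contains (the names and versions, as the bullet says), so users can verify it.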