README.md: 17 additions & 0 deletions
@@ -174,6 +174,21 @@ Support for stricter network-controlled environments is planned on the roadmap,
174
174
- custom advisory endpoint support for internal mirrors or proxies
175
175
- local advisory database input for controlled or air-gapped workflows
176
176
177
+
## Detecting malicious package incidents
178
+
179
+
CVE Lite CLI can help detect malicious package incidents and supply-chain compromises **once the affected versions are represented in OSV or equivalent advisory data available through the configured advisory endpoint**.
180
+
181
+
In practice, that means the tool can catch incidents such as a compromised npm package **when the exact malicious version appears in your lockfile** and the advisory data has already been published and indexed. This makes the tool useful for real-world release checks after a malicious package disclosure becomes known.
182
+
183
+
It is important to be precise about the current scope:
184
+
185
+
- CVE Lite CLI is **advisory-driven**, not a behavioral malware detector
186
+
- it does **not** perform static malware analysis on package contents
187
+
- it does **not** detect a package compromise before advisory intelligence exists for it
188
+
- it works best with lockfiles because they capture the exact resolved version that was actually installed
189
+
190
+
So the practical model is: **local lockfile scan + advisory matching**. When malicious versions are published to OSV or mirrored through a compatible internal endpoint, CVE Lite CLI can flag those exact versions during a scan.
191
+
177
192
## How it works
178
193
179
194
### Architectural Philosophy
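Review bot: the new "Detecting malicious package incidents" section should state that detection depends on the advisory data the scanner actually uses being current, not only on the advisory having been published. The section says the tool flags a malicious version once it "has already been published and indexed" and, in the context lines just above, the README lists a "local advisory database input for controlled or air-gapped workflows" and "custom advisory endpoint support for internal mirrors or proxies"; a reader using either path can scan a compromised lockfile and get a clean result because the mirror or local database has not yet picked up the new entry. Suggest adding one sentence after the bullet list, for example "When scanning through an internal mirror or a local advisory database, refresh that data before the release check; a stale copy will not contain the newly published malicious version." It would also help to say explicitly what the manifest-only case looks like, since "works best with lockfiles because they capture the exact resolved version" implies that a manifest with a version range may not match the exact malicious version at all.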
@@ -422,6 +437,8 @@ If your goal is a practical developer-first CVE scan right before release, CVE L
422
437
423
438
To keep the project honest, here is what it does **not** do in the current version:
424
439
440
+
- it does not detect malicious packages before they are represented in advisory data
441
+
- it does not perform behavioral malware detection or package content analysis
425
442
- it does not prove exploitability
426
443
- it does not verify runtime reachability
427
444
- it does not scan container images, binaries, secrets, or IaC
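Review bot: the two new limitation bullets use different wording for the same capability than the section added in the first hunk. Here the list says "behavioral malware detection or package content analysis", while the earlier section says the tool is "not a behavioral malware detector" and "does not perform static malware analysis on package contents". Suggest aligning the phrasing so readers do not wonder whether "package content analysis" and "static malware analysis" describe different things, for example "- it does not perform behavioral malware detection or static analysis of package contents". The first new bullet, "it does not detect malicious packages before they are represented in advisory data", repeats the earlier section's bullet almost verbatim, which is fine for a limitations list, but a short cross-reference to the "Detecting malicious package incidents" section would save the reader from reading the same caveat twice without context.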