| 1 | +# How to Read Verbose Output |
| 2 | + |
| 3 | +This guide explains how to read CVE Lite CLI verbose output quickly and turn it into next actions. |
| 4 | + |
| 5 | +Use this command: |
| 6 | + |
| 7 | +```bash |
| 8 | +npx cve-lite-cli /path/to/project --verbose --all |
| 9 | +``` |
| 10 | + |
| 11 | +The screenshots below use a real OWASP Juice Shop scan. |
| 12 | + |
| 13 | +## 1) Start with the summary |
| 14 | + |
| 15 | +The top of verbose output tells you how much risk you are dealing with and where it sits. |
| 16 | + |
| 17 | + |
| 18 | + |
| 19 | +What to read first: |
| 20 | + |
| 21 | +- severity totals (`critical`, `high`, `medium`, `low`) |
| 22 | +- direct vs transitive split in `Quick take` |
| 23 | +- unique advisories count |
| 24 | + |
| 25 | +What to do next: |
| 26 | + |
| 27 | +- if `critical` or `high` is non-zero, move straight to `Copy And Run These Fix Commands` |
| 28 | + |
| 29 | +## 2) Use command groups for first-pass fixes |
| 30 | + |
| 31 | +Verbose mode groups runnable commands by severity and fix type. |
| 32 | + |
| 33 | + |
| 34 | + |
| 35 | +How to use this section: |
| 36 | + |
| 37 | +- run critical/high command groups first |
| 38 | +- run direct fix groups next |
| 39 | +- rescan after each command group |
| 40 | + |
| 41 | +Why this helps: |
| 42 | + |
| 43 | +- you avoid manual package-by-package trial and error |
| 44 | +- you get package-manager-native commands ready to copy and run |
| 45 | + |
| 46 | +## 3) Read validation tables for confidence |
| 47 | + |
| 48 | +Direct fix tables include scanned/excluded counts when target validation was possible. |
| 49 | + |
| 50 | + |
| 51 | + |
| 52 | +How to interpret: |
| 53 | + |
| 54 | +- `Versions scanned`: candidate versions checked above current |
| 55 | +- `Still known vulnerable`: versions rejected because they remained vulnerable |
| 56 | +- `Recommended target`: selected upgrade target from the evaluated set |
| 57 | + |
| 58 | +What this means: |
| 59 | + |
| 60 | +- higher scanned/excluded counts usually mean the tool saved repeated install-rescan cycles |
| 61 | + |
| 62 | +## 4) Use parent-upgrade tables for transitive issues |
| 63 | + |
| 64 | +Transitive issues often require upgrading parent packages, not the vulnerable nested package directly. |
| 65 | + |
| 66 | + |
| 67 | + |
| 68 | +How to use this section: |
| 69 | + |
| 70 | +- read `Package` and `Current` to understand what you control |
| 71 | +- use `Recommended target` as the next parent upgrade candidate |
| 72 | +- use `Context` to see which vulnerable dependency that upgrade addresses |
| 73 | + |
| 74 | +## 5) Confirm with priority list and paths |
| 75 | + |
| 76 | +The bottom sections explain remaining risk and exact dependency chains. |
| 77 | + |
| 78 | + |
| 79 | + |
| 80 | +What to use: |
| 81 | + |
| 82 | +- `Top priority fixes`: urgency order |
| 83 | +- `Suggested fix plan`: staged remediation sequence |
| 84 | +- `Dependency paths to inspect`: parent chain verification |
| 85 | + |
| 86 | +## 10-minute workflow |
| 87 | + |
| 88 | +1. Run `--verbose --all`. |
| 89 | +2. Apply critical/high command groups. |
| 90 | +3. Apply direct command groups with validated targets. |
| 91 | +4. Apply parent-upgrade command groups for transitive paths. |
| 92 | +5. Rescan and repeat until urgent findings are reduced. |
| 93 | + |
| 94 | +This approach keeps remediation practical: start with executable commands, then handle deeper dependency decisions with path context. |
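Review bot: the guide promises screenshots ("The screenshots below use a real OWASP Juice Shop scan", line 11) but the added file contains no image references; each section just has two empty lines where a capture would go (lines 17-18, 33-34, 50-51, 66-67, 78-79). Either add the `![...](...)` image lines in this commit or drop the sentence so readers are not left looking for figures that do not exist. Two smaller points: section 3 talks about "scanned/excluded counts" but the table columns it then explains are `Versions scanned`, `Still known vulnerable` and `Recommended target`, so "excluded" should be aligned with the actual column name (`Still known vulnerable`) to avoid a mismatch between the prose and the output; and step 5 of the 10-minute workflow ("repeat until urgent findings are reduced") would be a clearer stopping condition if it matched the severity terms used in section 1, e.g. "until `critical` and `high` are zero, then work down the remaining list".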