OWASP/cve-lite-cli

v1.16.0 Feature

This release adds 3 notable features for engineering teams evaluating rollout.


✓ No known CVEs patched in this version

Topics

security cve javascript nodejs owasp security-tools

Summary

AI summary

Added CycloneDX SBOM support and SARIF upload to GitHub Code Scanning.

Full changelog

Added

  • --cdx writes a CycloneDX 1.4 JSON SBOM (cve-lite-scan-<timestamp>.cdx.json) to the current directory. The SBOM includes all lockfile packages as components — not just vulnerable ones — making it suitable as a compliance artifact even on a clean scan. Vulnerability data is attached for any CVE findings, deduplicated by CVE ID with multiple affects references when the same CVE affects more than one package. Runnable fix commands are included as recommendations when available.
  • GitHub Action gains a cdx input (default "false") to enable CycloneDX SBOM output from the Action.
  • Self-scan CI workflow now generates a SARIF file and uploads findings to GitHub Code Scanning via github/codeql-action/upload-sarif.
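An added example, not cve-lite-cli's own code, of the SBOM assembly the --cdx bullet describes, written in the project's language: each lockfile package becomes a component, findings collapse to one vulnerability entry per CVE ID with an affects reference per affected package, and a fix command is attached as the recommendation when known. The npm purl scheme, the package names and the CVE ID are constructed placeholders.

```typescript
// Added example, not cve-lite-cli's own code: build a minimal CycloneDX 1.4 JSON
// SBOM as the --cdx bullet describes it. Every lockfile package becomes a
// component, findings are deduplicated by CVE ID with one "affects" entry per
// affected package, and a fix command becomes a "recommendation" when known.
type Pkg = { name: string; version: string };
type Finding = { cve: string; pkg: Pkg; fixCommand?: string };
type Vuln = { affects: string[]; recommendation?: string };
// Package URL used as the component's bom-ref (npm ecosystem assumed).
function purl(p: Pkg): string {
  return "pkg:npm/" + p.name + "@" + p.version;
}
function buildCycloneDx(packages: Pkg[], findings: Finding[]) {
  const components = packages.map((p) => ({
    type: "library", "bom-ref": purl(p), name: p.name, version: p.version, purl: purl(p),
  }));
  // Group by CVE so one CVE hitting two packages yields one entry with two refs.
  const byCve: Record<string, Vuln> = {};
  for (const f of findings) {
    const entry = byCve[f.cve] || (byCve[f.cve] = { affects: [] });
    const ref = purl(f.pkg);
    if (entry.affects.indexOf(ref) < 0) entry.affects.push(ref);
    if (f.fixCommand && !entry.recommendation) entry.recommendation = f.fixCommand;
  }
  const vulnerabilities = Object.keys(byCve).map((id) => {
    const v = byCve[id];
    return {
      id,
      affects: v.affects.map((ref) => ({ ref })),
      ...(v.recommendation ? { recommendation: v.recommendation } : {}),
    };
  });
  return {
    bomFormat: "CycloneDX",
    specVersion: "1.4",
    version: 1,
    components,
    // On a clean scan the key is omitted and the SBOM is a plain inventory.
    ...(vulnerabilities.length ? { vulnerabilities } : {}),
  };
}
// Constructed sample: three packages, two findings sharing one placeholder CVE
// ID (not a real identifier), only one of them with a known fix command.
function sampleSbom() {
  const pkgs: Pkg[] = [
    { name: "alpha", version: "1.0.0" }, { name: "beta", version: "2.3.0" }, { name: "gamma", version: "0.9.1" },
  ];
  const findings: Finding[] = [
    { cve: "CVE-0000-0001", pkg: { name: "alpha", version: "1.0.0" }, fixCommand: "npm install alpha@1.0.1" },
    { cve: "CVE-0000-0001", pkg: { name: "beta", version: "2.3.0" } },
  ];
  return buildCycloneDx(pkgs, findings);
}
```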

Fixed

  • --sarif and --cdx now suppress terminal table output, matching the behaviour of --json. Running any export flag shows only the spinner progress and the saved file path. Use --verbose alongside an export flag to restore full terminal output.

Changed

  • Output file writing (JSON, SARIF, CycloneDX) extracted from index.ts into a dedicated write-outputs.ts dispatcher module, keeping index.ts lean as new export formats are added.

Validation

  • npm test
  • npm run build
