151 changes: 130 additions & 21 deletions website/docs/comparison.md
@@ -15,29 +15,31 @@ This page compares CVE Lite CLI against the tools developers most commonly consi
- [CVE Lite CLI vs OSV-Scanner](#cve-lite-cli-vs-osv-scanner)
- [CVE Lite CLI vs Snyk CLI](#cve-lite-cli-vs-snyk-cli)
- [CVE Lite CLI vs Socket CLI](#cve-lite-cli-vs-socket-cli)
- [CVE Lite CLI vs OWASP DependencyCheck](#cve-lite-cli-vs-owasp-dependencycheck)
- [CVE Lite CLI vs OWASP dep-scan](#cve-lite-cli-vs-owasp-dep-scan)
- [Best fit](#best-fit)

---

## Practical comparison

| Capability | CVE Lite CLI | Dependabot | npm audit | OSV-Scanner | Snyk CLI | Socket CLI |
|---|:---:|:---:|:---:|:---:|:---:|:---:|
| JS/TS lockfile scanning | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| npm + pnpm + Yarn support | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ |
| Developer-time local scanning | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ |
| No account or GitHub repo required | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ |
| Works in any CI provider | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
| Usage-aware reachability scanning | ✅ | ❌ | ❌ | ❌ | ✅ | ⚠️ |
| Direct vs transitive visibility | ✅ | ⚠️ | ⚠️ | ✅ | ✅ | ✅ |
| Validated copy-and-run fix commands | ✅ | ❌ | ❌ | ❌ | ✅ | ⚠️ |
| Transitive parent update guidance | ✅ | ❌ | ⚠️ | ⚠️ | ⚠️ | ⚠️ |
| Fix version validation before suggesting | ✅ | ❌ | ❌ | ❌ | ⚠️ | ❌ |
| Clear top-priority fix guidance | ✅ | ❌ | ❌ | ❌ | ✅ | ⚠️ |
| Suggested remediation plan | ✅ | ❌ | ❌ | ⚠️ | ✅ | ⚠️ |
| JSON + SARIF output | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
| Offline/local advisory DB workflow | ✅ | ❌ | ❌ | ⚠️ | ❌ | ❌ |
| No automatic PR noise | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
| Capability | CVE Lite CLI | Dependabot | npm audit | OSV-Scanner | Snyk CLI | Socket CLI | DependencyCheck | dep-scan |
|---|:---:|:---:|:---:|:---:|:---:|:---:|:---:|:---:|
| JS/TS lockfile scanning | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| npm + pnpm + Yarn support | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Developer-time local scanning | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ |
| No account or GitHub repo required | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ | ✅ | ⚠️ |
| Works in any CI provider | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Usage-aware reachability scanning | ✅ | ❌ | ❌ | ❌ | ✅ | ⚠️ | ❌ | ✅ |
| Direct vs transitive visibility | ✅ | ⚠️ | ⚠️ | ✅ | ✅ | ✅ | ⚠️ | ✅ |
| Validated copy-and-run fix commands | ✅ | ❌ | ❌ | ❌ | ✅ | ⚠️ | ❌ | ⚠️ |
| Transitive parent update guidance | ✅ | ❌ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ❌ | ❌ |
| Fix version validation before suggesting | ✅ | ❌ | ❌ | ❌ | ⚠️ | ❌ | ❌ | ✅ |
| Clear top-priority fix guidance | ✅ | ❌ | ❌ | ❌ | ✅ | ⚠️ | ⚠️ | ✅ |
| Suggested remediation plan | ✅ | ❌ | ❌ | ⚠️ | ✅ | ⚠️ | ❌ | ⚠️ |
| JSON + SARIF output | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ⚠️ | ⚠️ |
| Offline/local advisory DB workflow | ✅ | ❌ | ❌ | ⚠️ | ❌ | ❌ | ⚠️ | ✅ |
| No automatic PR noise | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |

<sub>✅ = built-in strength · ⚠️ = partial or workflow-dependent · ❌ = not a core strength</sub>

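Review bot: Several of the new ⚠️ cells in the DependencyCheck and dep-scan columns have no supporting sentence in the sections this PR adds, so a reader cannot tell what is partial about them. dep-scan gets ⚠️ for "No account or GitHub repo required" while its section says it runs locally without sending data to a cloud platform, and DependencyCheck gets ⚠️ for "Direct vs transitive visibility" with no mention of that capability in its section. In the other direction, DependencyCheck gets ✅ for "npm + pnpm + Yarn support" even though the same PR says the pnpm and Yarn analyzers fail silently or are skipped when those CLIs are not installed, which is exactly the "workflow-dependent" case the legend defines as ⚠️. Either back each of these cells with a line in the corresponding section or change the cell; a short footnote under the table pointing at the relevant section would also do.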
@@ -47,10 +49,10 @@ Transitive parent update guidance is one of CVE Lite CLI's core differentiators.

## Offline support

| Capability | CVE Lite CLI | Dependabot | npm audit | OSV-Scanner | Snyk CLI | Socket CLI |
|---|:---:|:---:|:---:|:---:|:---:|:---:|
| Local advisory DB workflow | ✅ | ❌ | ❌ | ⚠️ | ❌ | ❌ |
| Zero runtime advisory API calls | ✅ | ❌ | ❌ | ⚠️ | ❌ | ❌ |
| Capability | CVE Lite CLI | Dependabot | npm audit | OSV-Scanner | Snyk CLI | Socket CLI | DependencyCheck | dep-scan |
|---|:---:|:---:|:---:|:---:|:---:|:---:|:---:|:---:|
| Local advisory DB workflow | ✅ | ❌ | ❌ | ⚠️ | ❌ | ❌ | ⚠️ | ✅ |
| Zero runtime advisory API calls | ✅ | ❌ | ❌ | ⚠️ | ❌ | ❌ | ❌ | ✅ |

<sub>✅ = built-in strength · ⚠️ = partial or workflow-dependent · ❌ = not a core strength</sub>

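Review bot: The DependencyCheck column reads ⚠️ for "Local advisory DB workflow" but ❌ for "Zero runtime advisory API calls", and nothing near this table explains the split; the justification (NVD data can be mirrored locally, but the JS analyzers still reach registry.npmjs.org at scan time) only appears much later in the DependencyCheck section. A one-line footnote here, in the same `<sub>` style as the legend, would keep the offline table self-explanatory. The dep-scan ✅ on both rows is consistent with its section's statement that both tools support offline scanning with a local advisory database, so that column is fine as is.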
@@ -407,6 +409,113 @@ vendor-neutral approach to vulnerability remediation.

---

## CVE Lite CLI vs OWASP DependencyCheck

[OWASP DependencyCheck](https://owasp.org/www-project-dependency-check/) is an OWASP Flagship project and one of the earliest SCA tools, started in 2012. It is a general-purpose scanner that supports Java, .NET, Node.js, Python, Ruby, Go, and more through a CPE-based analysis engine with ecosystem-specific analyzers.

CVE Lite CLI and DependencyCheck represent different eras of SCA tool design. DependencyCheck identifies vulnerabilities by matching dependencies to CPE identifiers and cross-referencing them against the NVD database. CVE Lite CLI parses lockfiles directly and queries OSV for advisory data.

### Why architecture matters for JS/TS scanning

DependencyCheck relies on separate analyzers for each package ecosystem. For JavaScript, it delegates to the `npm audit`, `pnpm audit`, and `yarn audit` CLI commands — it does not parse lockfiles itself. This means:

Collaborator
I checked the DependencyCheck source and this isn't quite accurate for npm. The NodeAuditAnalyzer doesn't invoke the npm CLI at all - it parses package-lock.json directly using Jakarta JSON-P and POSTs the constructed payload to the npm audit REST API at registry.npmjs.org. No npm binary is involved. The pnpm and Yarn analyzers do shell out to the CLI via ProcessBuilder, so that part is correct. Worth splitting this into two cases so the description holds up to scrutiny - something like: "The npm analyzer parses package-lock.json directly and calls the npm audit REST API. The pnpm and Yarn analyzers invoke the respective CLI tools and require them to be installed." The internet-required consequence stays the same across all three.

- **Requires the package manager CLI to be installed** on the scan machine. If `pnpm` or `yarn` is not present, the corresponding analyzer fails silently or is skipped.
- **Requires internet access at scan time** for JS/TS projects. The Node Audit, PNPM Audit, and Yarn Audit analyzers all call `registry.npmjs.org` via the package manager CLI. Even if you mirror the NVD data locally, JS scanning still makes outbound calls.

Collaborator
This follows from the above - the CLI requirement is accurate for pnpm and Yarn but not for npm. Once the parent paragraph is split by analyzer, this bullet can be scoped to just pnpm and Yarn.

- **Results depend on npm audit's output model**, which counts every node in a dependency chain as a separate vulnerability — inflating counts on non-trivial projects.

CVE Lite CLI parses the lockfile directly, works without any package manager installed, and never calls `registry.npmjs.org` during a scan.

### No copy-and-run fix commands

DependencyCheck produces reports (HTML, XML, JSON, CSV, JUnit) that list CVEs by dependency. It does not produce scoped install commands. Developers receive a list of vulnerable libraries and must manually determine the correct upgrade path — including which parent package to update for transitive dependencies.

CVE Lite CLI consolidates multiple CVEs per package into a single finding and hands you the exact `npm install package@version` command, validated against OSV.

### Where DependencyCheck has the edge

- **Multi-ecosystem**: Comprehensive support for Java, .NET, Python, Ruby, Go, and more. CVE Lite is focused on JavaScript and TypeScript.
- **OWASP Flagship status**: DependencyCheck is the highest-level OWASP project classification, with a longer track record and broader institutional adoption.
- **Maven/Gradle/Ant integration**: Native plugins for Java build toolchains. CVE Lite is a standalone CLI.
- **CPE-based identification**: Can identify vulnerabilities in compiled JARs and binaries where no lockfile or package manifest exists.
- **NVD data mirroring**: Supports full local mirroring of NVD data for offline use — though JS analyzers still need the npm registry.

### Where CVE Lite CLI goes further

- **Lockfile-native parsing**: Reads `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`, and `bun.lock` directly. No package manager CLI required.
- **Validated copy-and-run fix commands**: One command per finding, validated against OSV before presentation.
- **Transitive parent guidance**: Identifies the parent package that controls the vulnerable transitive dependency and tells you whether to run `npm update <parent>` or `npm install <parent>@<version>`.
- **True offline for JS**: Sync advisory data once, scan offline indefinitely with zero outbound calls — including for JS/TS projects.
- **Usage-aware reachability**: `--usage` tells you which vulnerable packages are actually imported in your source code.
- **Root-cause finding counts**: One vulnerable package = one finding, not one per CVE per dependency tree node.

### Recommended approach

If your stack is primarily Java or .NET with some JavaScript, DependencyCheck is a proven choice that covers all ecosystems in one tool. If you are JavaScript or TypeScript-first and want actionable fix commands, clear transitive guidance, and genuine offline scanning, CVE Lite CLI is purpose-built for that workflow. The two tools can be run side by side — they use different data sources (NVD vs OSV) and different identification methods (CPE vs lockfile graph), so each may surface findings the other misses.

---

## CVE Lite CLI vs OWASP dep-scan

[OWASP dep-scan](https://owasp.org/www-project-dep-scan/) is a next-generation security and risk audit tool donated to OWASP by AppThreat Ltd in 2023. It scans local repositories, container images, and Kubernetes manifests, generating CycloneDX SBOMs via cdxgen and checking packages against a local vulnerability database (VDB).

Dep-scan and CVE Lite CLI share several design principles: both run locally without sending data to a cloud platform, both support offline scanning with a local advisory database, and both are fully open source under the MIT license. But they differ meaningfully in output model and scope.

### Different output models

Dep-scan produces CycloneDX Vulnerability Disclosure Report (VDR) JSON and optional CSAF 2.0 VEX documents. Its output is oriented toward ASPM and VM platform ingestion — structured SBOM data that feeds into broader security toolchains.

CVE Lite CLI produces terminal output designed for a developer sitting at a command line: severity, direct vs transitive classification, the specific parent package to upgrade, and a copy-and-run install command.

**dep-scan output — transitive finding:**
```json
"recommendation": "upgrade to 4.12.18"
```

**CVE Lite CLI output — same project:**
```
MEDIUM hono@4.12.9
Transitive dependency
Fix: upgrade to 4.12.18

> npm install hono@4.12.18
```

### Fix suggestion approach

Dep-scan's suggest mode (enabled by default) finds the optimal fix version by cross-referencing the advisory database. If version `4.12.18` fixes a CVE but version `4.12.16` has a different known vulnerability, suggest mode will skip `4.12.16` and recommend `4.12.18`. CVE Lite CLI performs the same kind of validation against OSV — but presents the result as a package-manager-specific command rather than a version number in a JSON report.

### Where dep-scan has the edge

- **Reachability analysis**: Dep-scan has advanced reachability analysis (FrameworkReachability and SemanticReachability) that computes data-flow call graphs for Java, JavaScript, TypeScript, and Python. CVE Lite's `--usage` is import-level only.
- **Multi-ecosystem and container scanning**: Dep-scan scans container images, Kubernetes manifests, and OS packages alongside application dependencies.
- **SBOM generation**: Generates CycloneDX SBOMs, VDR, and CSAF VEX documents as first-class output — useful for toolchain integration.
- **Package risk audit**: Detects dependency confusion attacks, typosquatting risks, and maintenance risks via `--risk-audit`.
- **License scanning**: Reports license compliance issues alongside vulnerability findings.
- **Server mode**: Can run as a persistent server for integration with ASPM platforms.
- **Custom vulnerability data**: Supports loading private CVEs and overriding false positives via local CVE 5.2 JSON/YAML files.

### Where CVE Lite CLI goes further

- **Transitive parent update guidance**: Dep-scan reports the vulnerable package and suggests a fix version; it does not identify the parent package that controls the transitive dependency or tell you what command to run.
- **Copy-and-run fix commands**: CVE Lite outputs scoped `npm install`, `npm update`, or package-manager-specific commands. Dep-scan outputs a version recommendation in VDR JSON that requires interpretation.
- **Package-manager-native commands**: For npm lockfiles, CVE Lite distinguishes between `npm update <parent>` (when the current range can absorb a safe version) and `npm install <parent>@<version>` (when the range must change).
- **Zero-config for JS/TS**: Install via npm, point at a lockfile, get results. Dep-scan requires Python, cdxgen, and VDB setup.
- **SARIF output**: CVE Lite supports SARIF for GitHub Code Scanning integration.

### Why finding counts may differ

Dep-scan checks packages against its VDB (which aggregates NVD, OSV, GitHub, and NPM advisories). CVE Lite checks against OSV. This means:

- A vulnerability indexed in NVD but not yet in OSV will appear in dep-scan but not in CVE Lite.
- OSV-specific advisories (e.g., from OSS-Fuzz) will appear in CVE Lite but may not be in dep-scan's VDB until its next sync.
- Dep-scan groups findings by CVE within each package; CVE Lite groups all CVEs for a package into one finding.

### Recommended approach

Use dep-scan when you need broad multi-ecosystem coverage with advanced reachability analysis, SBOM generation, and ASPM platform integration. Use CVE Lite CLI when you want fast, actionable terminal output for JavaScript and TypeScript dependency scanning with clear fix commands and parent-aware transitive guidance. The two tools share an offline-first philosophy and complement each other well in a layered security workflow.

---

## Best fit

CVE Lite CLI is the only free, OWASP-recognized vulnerability scanner for JavaScript and TypeScript that delivers validated fix commands and parent-aware transitive remediation — without requiring an account, a cloud platform, or internet access at scan time.
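Review bot: The closing "Best fit" sentence claims CVE Lite CLI is "the only free, OWASP-recognized vulnerability scanner for JavaScript and TypeScript", directly after two new sections describing OWASP projects that scan JavaScript and TypeScript (one a Flagship project, the other described as fully open source under the MIT license); as written the uniqueness claim rests on "OWASP-recognized", which the page itself contradicts. Move the qualifier so the claim rests on the differentiators the rest of the page argues for, for example "the only free JavaScript and TypeScript scanner that delivers validated fix commands and parent-aware transitive remediation, and it needs no account, cloud platform, or internet access at scan time", or drop "only". Two smaller points in the same hunk: the DependencyCheck overview says it identifies vulnerabilities by matching dependencies to CPE identifiers against NVD, but the next subsection says JS/TS projects are handled by the npm, pnpm and Yarn audit analyzers rather than that engine, so the overview should scope the CPE/NVD description to the non-JS analyzers (and the collaborator's correction that the npm analyzer parses `package-lock.json` itself and calls the audit REST API, while only pnpm and Yarn shell out to the CLI, still needs to land in the two bullets). And the dep-scan excerpt `"recommendation": "upgrade to 4.12.18"` is a single key lifted from a larger VDR object; show enough of the surrounding object (at least the affected package and version) so the side-by-side with the CVE Lite output actually supports the claim that dep-scan does not name the parent package or the command to run.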