Skip to main content

CVE Lite CLI vs OSV-Scanner

Part of the tool comparison series.

OSV-Scanner is an open source scanner built and maintained by Google. It supports a wide range of ecosystems — Go, Python, Rust, Java, Ruby, and more — and can scan lockfiles, container images, and git commit history. For JavaScript projects, it reads package-lock.json, pnpm-lock.yaml, and yarn.lock directly.

Both CVE Lite CLI and OSV-Scanner query the same underlying data source: the OSV API. Yet they produce meaningfully different output.

Why finding counts differ

OSV-Scanner reports one row per CVE per package. A single package with nine known CVEs produces nine table rows. On the NestJS repo, OSV-Scanner reported 66 vulnerabilities across 35 packages. CVE Lite reported 35 packages with 35 findings — the same packages, grouped by package rather than by individual CVE.

Neither count is wrong. They reflect different output philosophies: OSV-Scanner gives you the raw advisory list; CVE Lite gives you the actionable package list.

OSV-Scanner output — hono package:

| https://osv.dev/GHSA-26pp-8wgv-hjvm | 5.3 | npm | hono | 4.12.9 | 4.12.12 |
| https://osv.dev/GHSA-458j-xx4x-4375 | 4.3 | npm | hono | 4.12.9 | 4.12.14 |
| https://osv.dev/GHSA-69xw-7hcm-h432 | 4.7 | npm | hono | 4.12.9 | 4.12.16 |
| https://osv.dev/GHSA-9vqf-7f2p-gf9v | 6.5 | npm | hono | 4.12.9 | 4.12.16 |
| https://osv.dev/GHSA-hm8q-7f3q-5f36 | 3.8 | npm | hono | 4.12.9 | 4.12.18 |
| https://osv.dev/GHSA-p77w-8qqv-26rm | 5.3 | npm | hono | 4.12.9 | 4.12.18 |
| https://osv.dev/GHSA-qp7p-654g-cw7p | 4.3 | npm | hono | 4.12.9 | 4.12.18 |
| https://osv.dev/GHSA-r5rp-j6wh-rvv4 | 4.8 | npm | hono | 4.12.9 | 4.12.12 |
| https://osv.dev/GHSA-xpcf-pg52-r92g | 6.3 | npm | hono | 4.12.9 | 4.12.12 |

CVE Lite CLI output — same package:

Transitive dependency
Fix: upgrade to 4.12.18

> npm install [email protected]

No fix commands

OSV-Scanner shows which version first fixed each CVE, but it does not produce a copy-and-run install command. You get the data; you derive the action. CVE Lite validates the fix version, consolidates multiple CVEs into a single upgrade target, and hands you the exact command.

No direct vs transitive classification

OSV-Scanner does not classify findings as direct or transitive dependencies. All vulnerable packages are listed flat. CVE Lite uses the lockfile's dependency graph to identify which packages you declared and which were pulled in transitively, and surfaces the parent package to upgrade rather than the buried transitive package.

Where OSV-Scanner has the edge

  • Multi-ecosystem: One tool for Go, Python, Rust, Java, Ruby, Haskell, PHP, and more. If you have a polyglot monorepo, OSV-Scanner covers ecosystems that CVE Lite does not.
  • Container and git scanning: OSV-Scanner can scan container images and scan a git repository's commit history for historical vulnerabilities — use cases outside CVE Lite's scope.
  • SBOM scanning: Accepts CycloneDX and SPDX SBOMs as input.
  • No account required, open source: Like CVE Lite, it is fully free and requires no registration.

Where CVE Lite CLI goes further

  • Actionable fix commands: One validated, copy-and-run command per finding — not a raw CVE table to interpret.
  • Direct vs transitive triage: Tells you whether to fix the package directly or upgrade its parent, and which parent.
  • Priority ordering: Findings are ordered by severity and relationship so the most urgent fix is always first.
  • Offline advisory DB: Full offline scanning with a local SQLite database — not just a cache, but a complete zero-API-call workflow.
  • JS/TS focused output: Output designed for npm/pnpm/Yarn workflows with package-manager-native commands.

If your stack is JavaScript-only and developer-time scanning is the goal, CVE Lite CLI's output model is better suited to daily use. If you work across multiple ecosystems or need to scan container images alongside lockfiles, OSV-Scanner handles the breadth. The two tools are easy to run side by side — they share the same data source and both require no account.