
How to Read Verbose Output

This guide explains how to read CVE Lite CLI verbose output quickly and turn it into next actions.

Use this command:

npx cve-lite-cli /path/to/project --verbose --all

The screenshots below use a real OWASP Juice Shop scan.

1) Start with the summary

The top of verbose output tells you how much risk you are dealing with and where it sits.

[Screenshot: Juice Shop verbose summary and top priority fixes]

What to read first:

  • severity totals (critical, high, medium, low)
  • direct vs transitive split in Quick take
  • unique advisories count

What to do next:

  • if critical or high is non-zero, move straight to Copy And Run These Fix Commands

2) Use command groups for first-pass fixes

Verbose mode groups runnable commands by severity and fix type.

[Screenshot: Juice Shop copy-and-run command groups]

How to use this section:

  • run critical/high command groups first
  • run direct fix groups next
  • rescan after each command group

Why this helps:

  • you avoid manual package-by-package trial and error
  • you get package-manager-native commands ready to copy and run

3) Use suggested fix plan as execution order

The suggested fix plan gives a remediation sequence so teams can execute in order instead of jumping between findings.

[Screenshot: Juice Shop suggested fix plan and coverage notes]

How to interpret:

  • Usage: how many source files import the vulnerable dependency (requires --usage flag)
  • Versions scanned: candidate versions checked above current
  • Still known vulnerable: versions rejected because they remained vulnerable
  • Breaking?: flagged when the recommended target is a major version bump and may introduce breaking changes

What this means:

  • higher scanned/excluded counts usually mean the tool saved repeated install-rescan cycles
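
To make the Versions scanned, Still known vulnerable and Breaking? columns concrete, here is an added JavaScript sketch of a candidate search that would produce them; it is not CVE Lite CLI's own code. The selection rule (lowest non-vulnerable version above current), the range shape, the names planFix, cmp and isVulnerable, and the sample data are all assumptions made for illustration.

```javascript
// Added illustration; not CVE Lite CLI source code.
// Versions are plain "major.minor.patch" strings (no pre-release tags).
const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// A range is { introduced, fixed }: vulnerable when introduced <= v < fixed.
// fixed === null means no fixed release is known for that advisory.
const isVulnerable = (v, ranges) =>
  ranges.some((r) => cmp(v, r.introduced) >= 0 &&
                     (r.fixed === null || cmp(v, r.fixed) < 0));

// Assumed rule: walk candidates above `current` in ascending order and
// stop at the first one that no advisory range covers.
function planFix(current, published, ranges) {
  const candidates = published.filter((v) => cmp(v, current) > 0).sort(cmp);
  let scanned = 0;
  const stillVulnerable = [];
  for (const v of candidates) {
    scanned++;
    if (isVulnerable(v, ranges)) { stillVulnerable.push(v); continue; }
    // Major version increase => the "Breaking?" flag.
    return { target: v, scanned, stillVulnerable,
             breaking: parse(v)[0] > parse(current)[0] };
  }
  return { target: null, scanned, stillVulnerable, breaking: false };
}

// Constructed sample data: a hypothetical package with two overlapping advisories.
const published = ["1.2.0", "1.2.1", "1.3.0", "1.10.0", "2.0.0", "2.0.1"];
const advisories = [
  { introduced: "1.0.0", fixed: "1.3.0" },
  { introduced: "1.2.1", fixed: "2.0.1" },
];
console.log(planFix("1.2.0", published, advisories));
```

In this constructed case the first advisory's fixed version (1.3.0) is still covered by the second advisory, which is why a "Still known vulnerable" count above zero means the obvious upgrade target would not have cleared the finding.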

4) Use the findings table for risk inventory

The main findings table is your full inventory of affected packages, severity, relationship type, fixed-version hints, and advisory IDs.

[Screenshot: Juice Shop findings table]

How to use this section:

  • read Package and Current to understand what you control
  • use Usage to quickly identify if the dependency is actually imported or just noise
  • use Fixed to see what the safe target version is

5) Confirm dependency paths and parent upgrades

The dependency-path section is where you verify transitive chains and parent-upgrade direction.

[Screenshot: Juice Shop dependency path hints and remaining risk]

What to use:

  • Top priority fixes: urgency order
  • Suggested fix plan: staged remediation sequence
  • Dependency paths to inspect: parent chain verification

10-minute workflow

  1. Run --verbose --all.
  2. Apply critical/high command groups.
  3. Apply direct command groups with validated targets.
  4. Apply parent-upgrade command groups for transitive paths.
  5. Rescan and repeat until urgent findings are reduced.

This approach keeps remediation practical: start with executable commands, then handle deeper dependency decisions with path context.