function::cve_count_metric - Linux


function::cve_count_metric is a Linux command that calculates the number of vulnerabilities, Common Vulnerabilities and Exposures (CVEs), present in a given dependency tree. It works by analyzing the metadata associated with each dependency, extracting CVE information, and counting the occurrences.


function::cve_count_metric [options] [<target>]


The following options are available:

  • -j: Specify the number of parallel workers to use. Default: 1
  • --scope: Evaluate vulnerabilities for a specific scope: dev, test, or prod. Default: prod
  • --severity: Filter vulnerabilities by their severity level: low, medium, high, or critical. Default: all
  • --format: Output format: json, table, or count. Default: table
  • --ignore-non-critical: Ignore non-critical vulnerabilities. Default: false


# Count all CVEs in a dependency tree

# Count vulnerabilities only for the production scope
function::cve_count_metric --scope prod

# Count high-severity vulnerabilities for the development scope
function::cve_count_metric --scope dev --severity high

Common Issues

  • Ensure that the dependency metadata contains accurate CVE information.
  • Beware that false positives can occur due to vulnerabilities being reported for outdated versions of dependencies.


function::cve_count_metric can be integrated with other tools as follows:

  • functions-framework-nodejs: Use the command as a custom metric provider.
  • cloud-build: Embed the command in CI/CD workflows to monitor the number of vulnerabilities in built artifacts.

Related Commands

  • function::cve_list_metric: Lists CVEs present in a dependency tree.
  • function::dependency_list_metric: Lists dependencies, optionally filtered by their severity.