function::cve_count_metric - Linux


Overview

function::cve_count_metric is a Linux command that counts the vulnerabilities (Common Vulnerabilities and Exposures, CVEs) present in a given dependency tree. It works by reading the metadata attached to each dependency, extracting the CVE identifiers it carries, and counting the occurrences.

Syntax

function::cve_count_metric [options] [<target>]

Options/Flags

The following options are available:

  • -j: Specify the number of parallel workers to use. Default: 1
  • --scope: Evaluate vulnerabilities for a specific scope: dev, test, or prod. Default: prod
  • --severity: Filter vulnerabilities by their severity level: low, medium, high, or critical. Default: all
  • --format: Output format: json, table, or count. Default: table
  • --ignore-non-critical: Ignore non-critical vulnerabilities. Default: false
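As an added illustration (not the command's own source), the following Python mirrors the scope and severity filtering described by the options above over a constructed dependency tree. The metadata layout and the rule that a transitive dependency inherits its parent's scope are assumptions; since the page does not say whether one CVE shared by several dependencies counts once or per dependency, both counts are offered.

```python
# Added illustration of the counting logic described above, not the command's
# own source. Assumed metadata layout: each dependency is a dict with "name",
# optional "scope" (dev/test/prod, inherited from its parent when absent),
# "cves" (a list of {"id", "severity"}) and nested "dependencies".
from collections import Counter

SCOPES = ("dev", "test", "prod")
SEVERITIES = ("low", "medium", "high", "critical")

def walk(dep, inherited_scope="prod"):
    """Yield (dependency, effective scope) depth first; a transitive
    dependency of a dev dependency is itself dev unless it says otherwise."""
    scope = dep.get("scope", inherited_scope)
    yield dep, scope
    for child in dep.get("dependencies", []):
        yield from walk(child, scope)

def collect_cves(tree, scope="prod", severity="all", ignore_non_critical=False):
    """Counter of CVE id -> number of dependencies carrying it, filtered the
    way --scope, --severity and --ignore-non-critical are described."""
    if scope not in SCOPES or (severity != "all" and severity not in SEVERITIES):
        raise ValueError(f"bad filter: scope={scope!r} severity={severity!r}")
    hits = Counter()
    for dep, dep_scope in walk(tree):
        if dep_scope != scope:
            continue
        for cve in dep.get("cves", []):
            sev = cve["severity"]
            if ignore_non_critical and sev != "critical":
                continue
            if severity != "all" and sev != severity:
                continue
            hits[cve["id"]] += 1
    return hits

def cve_count_metric(tree, unique=True, **filters):
    """Reported number: distinct CVE ids (unique=True) or occurrences."""
    hits = collect_cves(tree, **filters)
    return len(hits) if unique else sum(hits.values())

# Constructed sample tree with placeholder CVE ids (not real advisories).
SAMPLE_TREE = {"name": "app", "scope": "prod", "dependencies": [
    {"name": "libparse", "cves": [{"id": "CVE-0000-0001", "severity": "high"},
                                  {"id": "CVE-0000-0002", "severity": "low"}],
     "dependencies": [{"name": "libcore",
                       "cves": [{"id": "CVE-0000-0001", "severity": "high"}]}]},
    {"name": "testkit", "scope": "dev",
     "cves": [{"id": "CVE-0000-0003", "severity": "critical"}],
     "dependencies": [{"name": "mockhttp",
                       "cves": [{"id": "CVE-0000-0004", "severity": "medium"}]}]},
]}
```

With the sample tree, the default call (prod scope, all severities) reports 2 distinct CVEs, while `unique=False` reports 3 because CVE-0000-0001 is carried by two dependencies.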

Examples

# Count all CVEs in a dependency tree
function::cve_count_metric

# Count vulnerabilities only for the production scope
function::cve_count_metric --scope prod

# Count high-severity vulnerabilities for the development scope
function::cve_count_metric --scope dev --severity high

Common Issues

  • Ensure that the dependency metadata contains accurate CVE information.
  • Beware that false positives can occur when a vulnerability is reported against an outdated version of a dependency.

Integration

function::cve_count_metric can be integrated with other tools as follows:

  • functions-framework-nodejs: Use the command as a custom metric provider.
  • cloud-build: Embed the command in CI/CD workflows to monitor the number of vulnerabilities in built artifacts.

Related Commands

  • function::cve_list_metric: Lists CVEs present in a dependency tree.
  • function::dependency_list_metric: Lists dependencies, optionally filtered by their severity.