function::cve_count_metric - Linux
Overview
function::cve_count_metric
is a Linux command that counts the Common Vulnerabilities and Exposures (CVEs) affecting the packages in a given dependency tree. It works by analyzing the metadata associated with each dependency, extracting the CVE entries recorded there, and counting them, optionally restricted to a dependency scope or a severity level.
Syntax
function::cve_count_metric [options] [<target>]
Options/Flags
The following options are available:
-j
: Specify the number of parallel workers to use. Default: 1
--scope
: Evaluate vulnerabilities for a specific scope: dev, test, or prod. Default: prod
--severity
: Filter vulnerabilities by their severity level: low, medium, high, or critical. Default: all
--format
: Output format: json, table, or count. Default: table
--ignore-non-critical
: Ignore non-critical vulnerabilities, so that only critical ones are counted. Default: false
Examples
# Count CVEs in the dependency tree with the defaults (prod scope, all severities, table output)
function::cve_count_metric
# Count vulnerabilities only for the production scope
function::cve_count_metric --scope prod
# Count high-severity vulnerabilities for the development scope
function::cve_count_metric --scope dev --severity high
Common Issues
- Ensure that the dependency metadata contains accurate, up-to-date CVE information; the metric is only as reliable as the metadata it reads.
- Beware that false positives can occur when a CVE is reported for an outdated version of a dependency but the version actually resolved in the tree is already fixed; check the affected version range before acting on the count.
Integration
function::cve_count_metric
can be integrated with other tools as follows:
functions-framework-nodejs
: Use the command as a custom metric provider.
cloud-build
: Embed the command in CI/CD workflows to monitor the number of vulnerabilities in built artifacts.
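The following is an added example, not code from the tool or project described on this page. It implements the metric the Options and Integration sections describe over an in-memory dependency tree: a deduplicating walk of the tree, the scope and severity filters, the three output formats, and an exit-status gate of the kind a CI/CD step would use. The tree layout, the per-node scope, and the "introduced"/"fixed" version bounds on each CVE entry are assumed metadata shapes, and the package names and advisory IDs are constructed placeholders. The version-range check is what keeps a CVE reported for an older, already-fixed version out of the count (the false positive noted under Common Issues).

```python
"""Added example (not the page's tool): a minimal CVE-count metric over a
dependency tree. Metadata layout, package names and advisory IDs are
constructed placeholders."""
import json
from dataclasses import dataclass, field

SEVERITIES = ("low", "medium", "high", "critical")


def parse_version(v):
    # Numeric dotted versions only; real tools need ecosystem-specific rules.
    return tuple(int(p) for p in v.split("."))


def version_affected(version, affected):
    """True if version lies in [introduced, fixed). A CVE reported against
    an older version that is already fixed in the resolved one is skipped."""
    v = parse_version(version)
    lo, hi = affected.get("introduced"), affected.get("fixed")
    if lo is not None and v < parse_version(lo):
        return False
    if hi is not None and v >= parse_version(hi):
        return False
    return True


@dataclass
class Dep:
    name: str
    version: str
    scope: str                      # dev, test or prod (assumed per-node)
    cves: list = field(default_factory=list)
    deps: list = field(default_factory=list)


def walk(deps, seen=None):
    """Yield each (name, version) once even when several dependencies pull in
    the same transitive package; counting it per path inflates the metric."""
    seen = set() if seen is None else seen
    for dep in deps:
        key = (dep.name, dep.version)
        if key in seen:
            continue
        seen.add(key)
        yield dep
        yield from walk(dep.deps, seen)


def cve_count_metric(tree, scope="prod", severity=None, ignore_non_critical=False):
    """Return findings as (package, version, cve_id, severity) tuples."""
    if severity is not None and severity not in SEVERITIES:
        raise ValueError("unknown severity: %s" % severity)
    findings = []
    for dep in walk(tree):
        if dep.scope != scope:
            continue
        for cve in dep.cves:
            sev = cve["severity"]
            if not version_affected(dep.version, cve.get("affected", {})):
                continue  # reported for another version of this package
            if severity is not None and sev != severity:
                continue
            if ignore_non_critical and sev != "critical":
                continue
            findings.append((dep.name, dep.version, cve["id"], sev))
    return findings


def render(findings, fmt="table"):
    """The count, json and table formats the --format option lists."""
    if fmt == "count":
        return str(len(findings))
    if fmt == "json":
        keys = ("package", "version", "cve", "severity")
        return json.dumps([dict(zip(keys, f)) for f in findings])
    rows = [("package", "version", "cve", "severity")] + findings
    return "\n".join("%-14s %-8s %-10s %s" % r for r in rows)


def ci_exit_code(findings, max_allowed=0):
    """Non-zero when the count exceeds the budget, so a pipeline step fails."""
    return 0 if len(findings) <= max_allowed else 1


# Constructed sample tree; http_parser is shared by two direct dependencies.
http_parser = Dep("http-parser", "1.3.0", "prod", cves=[
    {"id": "EXAMPLE-2", "severity": "critical",
     "affected": {"introduced": "1.0.0", "fixed": "1.3.0"}},  # fixed: skipped
    {"id": "EXAMPLE-5", "severity": "low",
     "affected": {"introduced": "1.2.0"}},                     # still open
])
SAMPLE_TREE = [
    Dep("webframework", "2.4.1", "prod", deps=[http_parser], cves=[
        {"id": "EXAMPLE-1", "severity": "high",
         "affected": {"introduced": "2.0.0", "fixed": "2.5.0"}}]),
    Dep("db-client", "5.0.2", "prod", deps=[http_parser], cves=[
        {"id": "EXAMPLE-3", "severity": "medium",
         "affected": {"introduced": "4.0.0"}}]),
    Dep("test-runner", "9.1.0", "dev", cves=[
        {"id": "EXAMPLE-4", "severity": "high",
         "affected": {"fixed": "9.2.0"}}]),
]

if __name__ == "__main__":
    prod = cve_count_metric(SAMPLE_TREE)  # prod scope, all severities
    print(render(prod))
    print(render(cve_count_metric(SAMPLE_TREE, scope="dev", severity="high"), "count"))
    raise SystemExit(ci_exit_code(prod, max_allowed=0))
```

On the sample tree the prod count is 3, not 4: the shared http-parser node is visited once, and its critical CVE is excluded because the resolved 1.3.0 is the fixed version. Run as a script it exits non-zero, which is the behaviour a CI step wants when the budget is zero.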
Related Commands
function::cve_list_metric
: Lists the CVEs present in a dependency tree.
function::dependency_list_metric
: Lists dependencies, optionally filtered by the severity of the vulnerabilities affecting them.