Vectra Guard integrates with the OSV (Open Source Vulnerabilities) database to detect known CVEs in your project dependencies before installation.
CVE Sync Command
Sync vulnerability data to a local cache:
vg cve sync --path .
What it does:
Discovers all manifests and lockfiles in the target directory
Extracts package names and versions
Queries OSV database for known vulnerabilities
Caches results locally for fast access
Example output:
✓ Discovered 15 packages from package.json
✓ Discovered 128 packages from package-lock.json
CVE sync complete: 143 fetched, 0 skipped, 0 errors
Sync updates your local CVE cache. Run this periodically to get the latest vulnerability data.
Force Refresh
Force re-fetch all vulnerabilities, ignoring cache age:
vg cve sync --path . --force
Supported Ecosystems
Vectra Guard automatically detects packages from:
Ecosystem   Files detected
npm         package.json, package-lock.json, npm-shrinkwrap.json
pip         requirements.txt, Pipfile, Pipfile.lock, pyproject.toml
Go          go.mod, go.sum
Cargo       Cargo.toml, Cargo.lock
Maven       pom.xml
Gradle      build.gradle, build.gradle.kts
Manifests such as package.json and requirements.txt usually carry version ranges rather than exact versions; the lockfile is what pins what actually gets installed, so commit lockfiles and scan the directory that contains them.
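The discovery and query steps described above (walk the tree, parse each supported manifest, extract name and version, build one OSV query per package) in working form. This is an added example written for this page, not Vectra Guard's own code: the three parsers, the rule of only querying exact pins, the sample project contents and the function names are assumptions of the example; the ecosystem strings are the ones the OSV API expects (`npm`, `PyPI`), which differ from the `pip` label in the table.

```python
"""Discover dependency manifests and build OSV /v1/query bodies.
Added example, not Vectra Guard's own code."""
import json
import re
import tempfile
from pathlib import Path


def parse_package_lock(text):
    """Exact versions from package-lock.json (lockfileVersion 2/3 'packages' map)."""
    found = set()
    for path, info in json.loads(text).get("packages", {}).items():
        if not path:                      # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # handles nested node_modules
        if info.get("version"):
            found.add(("npm", name, info["version"]))
    return found


def parse_package_json(text):
    """package.json holds ranges like ^4.17.20; only exact pins are queryable."""
    found = set()
    data = json.loads(text)
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            if re.fullmatch(r"\d+\.\d+\.\d+", spec):
                found.add(("npm", name, spec))
    return found


def parse_requirements(text):
    """requirements.txt: keep 'name==version' pins, skip ranges and comments."""
    found = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9_.\-]+)\s*==\s*([^\s;,]+)", line)
        if m:                             # OSV's ecosystem name is "PyPI", not "pip"
            found.add(("PyPI", m.group(1).lower(), m.group(2)))
    return found


PARSERS = {
    "package-lock.json": parse_package_lock,
    "package.json": parse_package_json,
    "requirements.txt": parse_requirements,
}


def discover(root):
    """Walk the tree, parse every supported manifest, de-duplicate packages."""
    packages = set()
    for path in Path(root).rglob("*"):
        parser = PARSERS.get(path.name)
        if parser and "node_modules" not in path.parts:
            packages |= parser(path.read_text())
    return sorted(packages)


def osv_query(ecosystem, name, version):
    """Request body for POST https://api.osv.dev/v1/query (one package per call)."""
    return {"version": version, "package": {"name": name, "ecosystem": ecosystem}}


# Constructed sample project: the file contents below are made up for this example.
SAMPLE_FILES = {
    "package.json": json.dumps({"dependencies": {"lodash": "^4.17.20", "left-pad": "1.3.0"}}),
    "package-lock.json": json.dumps({"lockfileVersion": 3, "packages": {
        "": {"dependencies": {"lodash": "^4.17.20"}},
        "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/express": {"version": "4.18.0"},
        "node_modules/express/node_modules/debug": {"version": "2.6.9"},
    }}),
    "api/requirements.txt": "requests==2.31.0  # pinned\nflask>=2.0\n# comment\nDjango==4.2.7\n",
}


def demo():
    """Write the sample project to a temp dir, discover packages, build queries."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        packages = discover(tmp)
    return packages, [osv_query(*p) for p in packages]


if __name__ == "__main__":
    for pkg, body in zip(*demo()):
        print(pkg, json.dumps(body))
```

Note that `lodash` is reported once even though it appears in both package.json (as a range, skipped) and package-lock.json (pinned), which is the de-duplication the sync summary counts.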
Scanning Manifests
Scan your project dependencies for vulnerabilities:
vg cve scan --path .
Example output:
✓ Discovered 15 packages from package.json
📋 CVE report (15 packages, 2 advisories)
⚠ lodash@4.17.20 (npm)
  - CVE-2020-28500 (CVSS 5.3, moderate): Regular Expression Denial of Service (ReDoS)
  - CVE-2021-23337 (CVSS 7.4, high): Command Injection in lodash
✓ No other vulnerabilities found.
Packages with known CVEs should be updated immediately or reviewed carefully before installation.
Refresh During Scan
Scan and refresh CVE data in one command:
vg cve scan --path . --refresh
Use --refresh to ensure you have the latest vulnerability data during scanning.
Explaining Vulnerabilities
Get detailed information about vulnerabilities for a specific package:
vg cve explain lodash@4.17.20 --ecosystem npm
Example output:
📋 CVE report (1 packages, 2 advisories)
⚠ lodash@4.17.20 (npm)
  - CVE-2020-28500 (CVSS 5.3, moderate): Regular Expression Denial of Service (ReDoS)
    Summary:
    Lodash versions prior to 4.17.21 are vulnerable to Regular Expression
    Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
  - CVE-2021-23337 (CVSS 7.4, high): Command Injection in lodash
    Summary:
    Lodash versions prior to 4.17.21 are vulnerable to Command Injection via
    the template function.
Explain All Versions
Explain all cached versions of a package:
vg cve explain lodash --ecosystem npm
This shows vulnerabilities across all versions you've previously synced.
Force Refresh Single Package
vg cve explain express@4.18.0 --ecosystem npm --refresh
Integration with OSV Database
Vectra Guard uses the OSV API to fetch vulnerability data.
How OSV Integration Works
Package Discovery - Vectra Guard parses manifest/lockfiles
API Query - For each package, queries https://api.osv.dev/v1/query
Response Parsing - Extracts CVE IDs, CVSS scores, severity, and summaries
Local Cache - Stores results in ~/.vectra-guard/cve/cache.json
Cache Refresh - Respects cve.update_interval_hours config
Example OSV Response
{
  "vulns": [
    {
      "id": "GHSA-abc123",
      "aliases": ["CVE-2020-28500"],
      "summary": "Regular Expression Denial of Service (ReDoS)",
      "database_specific": {
        "severity": "MODERATE",
        "cvss_score": 5.3
      },
      "affected": [
        {
          "package": {
            "ecosystem": "npm",
            "name": "lodash"
          },
          "ranges": [
            {
              "type": "SEMVER",
              "events": [
                { "introduced": "0" },
                { "fixed": "4.17.21" }
              ]
            }
          ]
        }
      ]
    }
  ]
}
Cache Location
CVE data is cached at:
Default: ~/.vectra-guard/cve/cache.json
Custom: Set cve.cache_dir in config
Cache Refresh Policy
Cached entries are considered fresh for:
Default: 24 hours
Custom: Set cve.update_interval_hours in config
Cached data speeds up repeated scans. Use --force or --refresh to update.
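The response-parsing, cache and refresh steps of the OSV integration above, carried out on the page's example JSON, as an added Python example. It is not Vectra Guard's code: the second advisory in the sample response, the function names and the cache bookkeeping are made up for illustration. Re-evaluating the SEMVER ranges locally is what lets one cached per-package response answer `vg cve explain lodash` for every previously synced version, and the CVSS-to-severity fallback covers the case noted under Limitations where OSV returns no score.

```python
"""Parse an OSV /v1/query response, decide which advisories affect a pinned
version, and apply the cache-freshness rule. Added example, not Vectra Guard code."""
import json
import re
import time

# Constructed response modelled on the page's example OSV JSON. The second
# advisory is hypothetical: no CVE alias, no CVSS score and no fixed version.
SAMPLE_RESPONSE = json.dumps({"vulns": [
    {"id": "GHSA-abc123", "aliases": ["CVE-2020-28500"],
     "summary": "Regular Expression Denial of Service (ReDoS)",
     "database_specific": {"severity": "MODERATE", "cvss_score": 5.3},
     "affected": [{"package": {"ecosystem": "npm", "name": "lodash"},
                   "ranges": [{"type": "SEMVER", "events": [
                       {"introduced": "0"}, {"fixed": "4.17.21"}]}]}]},
    {"id": "GHSA-def456", "aliases": [],
     "summary": "Hypothetical advisory with no fix released",
     "affected": [{"package": {"ecosystem": "npm", "name": "lodash"},
                   "ranges": [{"type": "SEMVER", "events": [
                       {"introduced": "4.17.0"}]}]}]},
]})


def parse_version(v):
    """Numeric dotted prefix as a 3-tuple; '0' means 'every version' in OSV.
    Pre-release tags and build metadata are ignored here for brevity."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    nums = [int(x) for x in m.group(0).split(".")]
    return tuple(nums + [0] * (3 - len(nums)))


def in_semver_range(version, events):
    """OSV semantics: events are sorted ascending; a version is affected when
    the latest 'introduced' at or below it is not closed by 'fixed'/'last_affected'."""
    v, affected = parse_version(version), False
    for ev in events:
        if "introduced" in ev:
            if parse_version(ev["introduced"]) > v:
                break                    # later ranges start above our version
            affected = True
        elif "fixed" in ev and parse_version(ev["fixed"]) <= v:
            affected = False
        elif "last_affected" in ev and parse_version(ev["last_affected"]) < v:
            affected = False
    return affected


def is_affected(vuln, ecosystem, name, version):
    """Match the package, then test explicit version lists and SEMVER ranges.
    ECOSYSTEM/GIT ranges need ecosystem-specific comparison and are skipped."""
    for entry in vuln.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in entry.get("versions", []):
            return True
        for rng in entry.get("ranges", []):
            if rng.get("type") == "SEMVER" and in_semver_range(version, rng["events"]):
                return True
    return False


def severity_from_cvss(score):
    """Bands from the page's severity table; 'unknown' when OSV gives no score."""
    if score is None:
        return "unknown"
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "moderate"
    return "low"


def advisories_for(response_text, ecosystem, name, version):
    """Flatten the advisories that hit one pinned version into report rows."""
    rows = []
    for vuln in json.loads(response_text).get("vulns", []):
        if not is_affected(vuln, ecosystem, name, version):
            continue
        extra = vuln.get("database_specific", {})
        cvss = extra.get("cvss_score")
        cve = next((a for a in vuln.get("aliases", []) if a.startswith("CVE-")), None)
        rows.append({"id": cve or vuln["id"],          # report prefers the CVE alias
                     "cvss": cvss,
                     "severity": (extra.get("severity") or severity_from_cvss(cvss)).lower(),
                     "summary": vuln.get("summary", "")})
    return rows


def is_fresh(fetched_at, now=None, update_interval_hours=24, force=False):
    """A cached entry is reused unless older than the interval or forced (--force/--refresh)."""
    now = time.time() if now is None else now
    return not force and (now - fetched_at) < update_interval_hours * 3600


if __name__ == "__main__":
    for ver in ("4.16.0", "4.17.20", "4.17.21"):
        rows = advisories_for(SAMPLE_RESPONSE, "npm", "lodash", ver)
        print(f"lodash@{ver}: {len(rows)} advisories")
        for r in rows:
            print(f"  - {r['id']} (CVSS {r['cvss']}, {r['severity']}): {r['summary']}")
```

Running it shows why the range check matters: lodash@4.17.21 is clear of CVE-2020-28500 but still matched by the unfixed hypothetical advisory, and an advisory without `cvss_score` lands in the "unknown" band that the severity table tells you to review by package reputation rather than ignore.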
Configuration
Enable and configure CVE scanning:
cve:
  enabled: true                    # Enable CVE scanning
  sources: ["osv"]                 # Data sources (only OSV supported)
  cache_dir: ~/.vectra-guard/cve   # Cache directory
  update_interval_hours: 24        # Cache refresh interval
CVE scanning requires cve.enabled: true in your config. If disabled, all CVE commands will error.
Workflow Examples
Example 1: Pre-Install Check
# Before installing dependencies
vg cve sync --path .
vg cve scan --path .
# If no critical CVEs found, proceed
vg exec -- npm install
Example 2: Continuous Monitoring
# Daily refresh and scan of every project. --refresh re-fetches advisories
# for each project's own packages instead of relying on a cache that was
# only synced from one directory.
for dir in ~/projects/*; do
  echo "Scanning $dir"
  vg cve scan --path "$dir" --refresh
done
Example 3: CI/CD Integration
# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]
jobs:
  cve-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install Vectra Guard
        run: |
          curl -fsSL https://raw.githubusercontent.com/xadnavyaai/vectra-guard/main/install.sh | bash
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
      - name: CVE Scan
        run: |
          vg cve sync --path .
          vg cve scan --path .
The install step pipes a script fetched from the main branch straight into bash, so every run trusts whatever that URL serves at that moment. For a pipeline that gates deployments, download the installer to a file, compare it against a checksum you recorded, and pin both the action and the installer to a fixed revision rather than main.
Example 4: Agent Integration
# Agent workflow
SESSION=$(vg session start --agent "cursor-ai")
export VECTRAGUARD_SESSION_ID=$SESSION
# Check for CVEs before install
vg cve sync --path .
# Match advisory lines such as "- CVE-2020-28500 (CVSS 5.3, moderate): ..."
# rather than a terminal glyph, so the check does not depend on the output encoding
if vg cve scan --path . | grep -qE '^[[:space:]]*- [A-Z]+-[[:alnum:].-]+ \('; then
  echo "Vulnerabilities found - review before proceeding"
  vg session end "$SESSION"
  exit 1
fi
# Safe to install
vg exec -- npm install
vg session end "$SESSION"
Real CVE Examples
Example: lodash ReDoS
$ vg cve explain lodash@4.17.20 --ecosystem npm
📋 CVE report (1 packages, 1 advisories)
⚠ lodash@4.17.20 (npm)
  - CVE-2020-28500 (CVSS 5.3, moderate): Regular Expression Denial of Service (ReDoS)
    Impact: Application can be made unresponsive with crafted input
    Fix: Upgrade to lodash@4.17.21 or later
Example: express-validator (illustrative output)
$ vg cve explain express-validator@6.15.0 --ecosystem npm
📋 CVE report (1 packages, 1 advisories)
⚠ express-validator@6.15.0 (npm)
  - CVE-2023-XXXXX (CVSS 8.2, high): Prototype Pollution
    Impact: Attacker may execute arbitrary code
    Fix: Upgrade to latest version
The advisory ID and score in this second example are placeholders rather than a published advisory; check the actual OSV result for the version you use before acting on it.
Terminal Output
Human-readable output with color coding:
📋 CVE report (12 packages, 2 advisories)
⚠ package-name@version (ecosystem)
  - CVE-ID (CVSS X.X, severity): Short summary
  - CVE-ID (severity): Short summary (if no CVSS)
✓ No known vulnerabilities found.
CVE Severity Levels
CVSS score   Severity   Action
9.0-10.0     Critical   Update immediately
7.0-8.9      High       Update as soon as possible
4.0-6.9      Moderate   Review and plan update
0.1-3.9      Low        Review when convenient
unknown      Unknown    Review package reputation
Best Practices
Run CVE sync before new installs: vg cve sync --path . && vg cve scan --path .
Refresh weekly to catch new CVEs by adding a cron entry:
# Add to cron (Mondays at 09:00)
0 9 * * 1 cd /path/to/project && vg cve sync --path . --force
Check specific packages before adding: vg cve explain new-package@1.0.0 --ecosystem npm --refresh
Integrate with CI/CD pipelines to catch vulnerabilities before deployment.
Always verify CVE fixes by checking package changelogs and testing thoroughly.
Troubleshooting
CVE Awareness Disabled
Error: cve awareness disabled (set cve.enabled=true)
Fix:
# vectra-guard.yaml
cve:
  enabled: true
No Manifests Found
No supported manifests/lockfiles found.
Fix:
Ensure youβre in the project directory
Check that manifest files exist (package.json, requirements.txt, etc.)
Verify file permissions
OSV Lookup Failed
✗ osv lookup failed for package@version (ecosystem): network error
Possible causes:
Network connectivity issues
OSV API temporarily unavailable
Rate limiting (rare)
Fix:
Check internet connection
Retry after a few minutes
Use cached data if available
Cache Directory Not Found
Fix:
# Create cache directory
mkdir -p ~/.vectra-guard/cve
# Or set custom location
cve:
  cache_dir: /path/to/cache
Limitations
Current limitations:
Only OSV database supported (covers most ecosystems)
Network required for initial sync
Some private/internal packages may not be in OSV
CVSS scores may be missing for some vulnerabilities
Future Enhancements
Planned improvements:
Next Steps
Command Protection: validate and protect risky commands
Sessions & Audit: track CVE scans in audit logs