docs: update comparison.md with DependencyCheck and dep-scan analysis…#720
MRX-72 wants to merge 1 commit into
Conversation
sonukapoor
left a comment
The complementary-tools framing in the closing sections is the right call for peer OWASP projects - that tone works well. One factual correction needed in the DependencyCheck mechanism before I can approve.
| ### Why architecture matters for JS/TS scanning | ||
|
|
||
| DependencyCheck relies on separate analyzers for each package ecosystem. For JavaScript, it delegates to the `npm audit`, `pnpm audit`, and `yarn audit` CLI commands — it does not parse lockfiles itself. This means: | ||
|
|
I checked the DependencyCheck source and this isn't quite accurate for npm. The NodeAuditAnalyzer doesn't invoke the npm CLI at all - it parses package-lock.json directly using Jakarta JSON-P and POSTs the constructed payload to the npm audit REST API at registry.npmjs.org. No npm binary is involved. The pnpm and Yarn analyzers do shell out to the CLI via ProcessBuilder, so that part is correct. Worth splitting this into two cases so the description holds up to scrutiny - something like: "The npm analyzer parses package-lock.json directly and calls the npm audit REST API. The pnpm and Yarn analyzers invoke the respective CLI tools and require them to be installed." The internet-required consequence stays the same across all three.
| DependencyCheck relies on separate analyzers for each package ecosystem. For JavaScript, it delegates to the `npm audit`, `pnpm audit`, and `yarn audit` CLI commands — it does not parse lockfiles itself. This means: | ||
|
|
||
| - **Requires the package manager CLI to be installed** on the scan machine. If `pnpm` or `yarn` is not present, the corresponding analyzer fails silently or is skipped. | ||
| - **Requires internet access at scan time** for JS/TS projects. The Node Audit, PNPM Audit, and Yarn Audit analyzers all call `registry.npmjs.org` via the package manager CLI. Even if you mirror the NVD data locally, JS scanning still makes outbound calls. |
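Review bot: the second bullet attributes all three analyzers' calls to `registry.npmjs.org` to "the package manager CLI", which does not hold for npm and contradicts the split the review comment on the paragraph above asks for: the Node Audit analyzer reads `package-lock.json` itself and calls the npm audit REST API directly, with no npm binary involved. Scope the first bullet to pnpm and Yarn only, and rewrite the second along the lines of "The Node Audit analyzer calls `registry.npmjs.org` directly; the PNPM Audit and Yarn Audit analyzers reach it through the respective CLI." The conclusion that JS/TS scanning needs outbound access even with a local NVD mirror stays correct for all three. Separately, "fails silently or is skipped" in the first bullet hedges between two different behaviours; state the one DependencyCheck actually exhibits when `pnpm` or `yarn` is missing, since a reader deciding whether an offline or minimal CI image will work needs to know whether results are silently absent or the scan reports the analyzer as disabled.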
This follows from the above - the CLI requirement is accurate for pnpm and Yarn but not for npm. Once the parent paragraph is split by analyzer, this bullet can be scoped to just pnpm and Yarn.
Closes #295
Summary
This PR expands the tool comparison documentation (`website/docs/comparison.md`) to include comprehensive, research-backed sections for OWASP DependencyCheck and OWASP dep-scan.
Why this change
As noted in #295, both DependencyCheck and dep-scan are OWASP projects sitting in roughly the same niche as CVE Lite CLI. It is important to clearly document the architectural and philosophical differences—specifically highlighting CVE Lite's lockfile-native parsing vs. CPE analysis, and its developer-focused terminal output vs. ASPM/SBOM generation—so developers can choose the right tool for their specific workflow.
What changed
- `Practical comparison` matrix table to include capability columns for both tools.
- `Offline support` matrix table to accurately reflect the offline capabilities/limitations of both tools.
- `## CVE Lite CLI vs OWASP DependencyCheck` section.
- `## CVE Lite CLI vs OWASP dep-scan` section.
Validation
- `npm test` successfully.
- `npm run build` to ensure the documentation site compiles without errors or broken links.
User-facing impact
Does this change:
Notes
Expanding this comparison page helps lay the groundwork for the eventual structural split proposed in #362.