RFC: AI-powered vulnerability explanations via --explain flag

[sonukapoor]

What we're considering

We're exploring an opt-in --explain flag that calls an LLM (Claude via the Anthropic API, with more providers possible) to generate a short plain-English explanation for your vulnerability findings — directly in the terminal or in the HTML report.

No source code is sent. The prompt contains only the package name, version, severity, CVE ID, OSV summary, and fix version. It's entirely opt-in and requires you to supply your own API key in a local .cve-lite.json config file.

What it would look like in the terminal:

cve-lite . --explain

[1] CRITICAL  lodash@4.17.20
            Direct dependency
            Fix: upgrade to 4.17.21

    [1] 🤖 This vulnerability allows an attacker to modify the prototype of
       a base object via the set() function, potentially leading to denial
       of service or code execution when untrusted user input is passed
       to lodash utilities like _.set() or _.merge().

Or target a specific finding:

cve-lite . --explain 2
cve-lite . --explain CVE-2021-23337

In the HTML report (--report --explain): all findings include a full-width AI explanation section when the expanded row is opened.

---

We'd love your feedback

Would you use this feature? A quick 👍 or 👎 on this post helps.

More specifically:

1. Is having a quick plain-English explanation of a CVE useful, or do you find CVE summaries sufficient?
2. Would you prefer the LLM call happen locally (e.g. Ollama) rather than through a cloud API?
3. Is the "bring your own API key" model acceptable, or would you rather this be opt-in at the project/org level?
4. Any concerns about sending package metadata (no source code) to a third-party API?

---

Pros

• Developer-friendly triage: plain-English explanations reduce the time spent reading NVD/OSV advisory pages for unfamiliar CVEs
• Targeted use: works per-finding so you can ask about the one CVE you don't recognise without explaining all 30
• No source code leaves the machine: only package name, version, severity, and CVE summary are sent
• Zero new runtime dependencies: uses Node's built-in fetch
• Works offline for the scan itself: --explain is layered on top after the local scan completes
• HTML report integration: bulk explanations are most useful in a shareable report rather than flooding the terminal

Cons

• Requires a cloud API key: not usable in air-gapped environments or without an Anthropic account (Ollama support could address this)
• Adds latency: each LLM call takes 1–3 seconds; terminal output is capped at 3 findings to keep this acceptable
• Cost: API calls are not free; for teams running many scans this adds up
• LLM explanations can be wrong: the model may mischaracterise a CVE; explanations should be treated as a starting point, not authoritative
• Config management: API keys in .cve-lite.json need to stay out of source control (the tool warns you if .gitignore is missing the entry)

---

The implementation is complete on a branch and working end-to-end. We're holding off on merging until we hear from the community whether this is a direction worth pursuing.