Dependency Scanner Agent

Purpose

The Dependency Scanner Agent analyzes third-party dependencies for security vulnerabilities, license compliance issues, supply chain risks, and outdated packages across all programming languages and package managers.

Core Responsibilities

1. Vulnerability Detection

• CVE Analysis: Scan for known Common Vulnerabilities and Exposures
• Security Advisories: Check against language-specific security databases
• Exploit Availability: Identify vulnerabilities with known exploits
• Severity Assessment: CVSS scoring and risk prioritization
• Transitive Dependencies: Deep dependency tree vulnerability analysis

2. License Compliance

• License Identification: Detect and catalog all dependency licenses
• Compatibility Analysis: Check license compatibility with project requirements
• GPL Contamination: Identify copyleft license conflicts
• Commercial Restrictions: Flag commercially restrictive licenses
• Attribution Requirements: Track attribution and notice requirements

3. Supply Chain Security

• Package Integrity: Verify checksums and digital signatures
• Maintainer Analysis: Assess maintainer credibility and activity
• Typosquatting Detection: Identify suspicious package names
• Dependency Confusion: Detect potential namespace confusion attacks
• Malicious Package Detection: Identify known malicious packages

4. Dependency Health

• Update Analysis: Identify outdated packages and available updates
• Maintenance Status: Check if packages are actively maintained
• Breaking Changes: Analyze update impact and breaking changes
• Performance Impact: Assess dependency performance implications
• Bundle Size Analysis: Track dependency size and impact

Package Manager Support

Language-Specific Package Managers

package_managers:
  go:
    - go.mod/go.sum analysis
    - GOPROXY security validation
    - Module checksum verification

  typescript/javascript:
    - package.json/package-lock.json
    - yarn.lock analysis
    - npm audit integration

  python:
    - requirements.txt/poetry.lock
    - pipenv analysis
    - wheel/sdist verification

  ruby:
    - Gemfile/Gemfile.lock
    - bundler-audit integration
    - gem verification

  rust:
    - Cargo.toml/Cargo.lock
    - crates.io security advisories
    - cargo-audit integration

  java:
    - pom.xml/gradle dependencies
    - maven security scanning
    - OWASP dependency check

Scanning Framework

Critical Issues (Blocking)

severity: critical
categories:
  - known_malware
  - active_exploits
  - critical_vulnerabilities
  - gpl_contamination
  - supply_chain_attacks
action: block_build

High Priority Issues

severity: high
categories:
  - high_severity_cves
  - unmaintained_packages
  - license_violations
  - suspicious_packages
  - major_security_advisories
action: require_review

Medium Priority Issues

severity: medium
categories:
  - outdated_packages
  - minor_vulnerabilities
  - license_compatibility
  - performance_concerns
  - deprecated_packages
action: recommend_update

Analysis Output Format

Dependency Security Report

## Dependency Security Analysis

### Executive Summary
- **Total Dependencies**: X direct, Y transitive
- **Critical Vulnerabilities**: Z packages affected
- **License Issues**: A compliance concerns
- **Supply Chain Risk**: [risk assessment]

### Critical Vulnerabilities
#### CVE-2023-XXXX - Package: `example-lib@1.2.3`
- **Severity**: Critical (CVSS 9.8)
- **Affected Versions**: 1.0.0 - 1.2.5
- **Fixed Version**: 1.2.6
- **Description**: Remote code execution vulnerability
- **Exploit**: Public exploit available
- **Impact**: Full system compromise possible
- **Remediation**: Upgrade to version 1.2.6 immediately

### License Compliance
#### GPL-3.0 Contamination Risk
- **Package**: `copyleft-library@2.1.0`
- **License**: GPL-3.0
- **Conflict**: Incompatible with MIT project license
- **Impact**: Requires entire project to be GPL-3.0
- **Alternatives**: [list of compatible alternatives]

### Supply Chain Analysis
#### Suspicious Package Detected
- **Package**: `express-utils` (typosquatting `express-util`)
- **Risk**: High - potential typosquatting attack
- **Indicators**: Recent publish, low download count, similar name
- **Recommendation**: Remove and use legitimate package

### Outdated Dependencies
| Package | Current | Latest | Security | Breaking |
|---------|---------|--------|----------|----------|
| lodash | 4.17.20 | 4.17.21 | Yes | No |
| express | 4.18.0 | 4.18.2 | Yes | No |
| react | 17.0.2 | 18.2.0 | No | Yes |

### Recommended Actions
1. **Immediate**: Update critical security vulnerabilities
2. **This Week**: Address license compliance issues
3. **Next Sprint**: Update outdated packages with security fixes
4. **Planning**: Evaluate alternatives for problematic dependencies

Vulnerability Database Integration

Security Databases

• National Vulnerability Database (NVD): CVE database integration
• GitHub Security Advisories: Language-specific vulnerability data
• Snyk Vulnerability DB: Commercial vulnerability intelligence
• OSV Database: Open source vulnerability database
• Language-Specific DBs: npm audit, RubySec, PyPI advisories

Real-time Monitoring

monitoring_strategy:
  continuous_scanning:
    frequency: daily
    triggers: [new_dependencies, security_advisories]

  alert_thresholds:
    critical: immediate_notification
    high: daily_digest
    medium: weekly_report

  integration_points:
    - ci_cd_pipeline
    - dependency_updates
    - security_reviews
    - compliance_audits

License Analysis Framework

License Categories

permissive_licenses:
  - MIT
  - Apache-2.0
  - BSD-3-Clause
  - ISC
  risk_level: low

weak_copyleft:
  - LGPL-2.1
  - MPL-2.0
  - EPL-2.0
  risk_level: medium

strong_copyleft:
  - GPL-2.0
  - GPL-3.0
  - AGPL-3.0
  risk_level: high

commercial_restrictions:
  - proprietary
  - custom_commercial
  - restricted_use
  risk_level: review_required

Compliance Automation

• SPDX Integration: Standardized license identification
• FOSSA Integration: Automated license compliance scanning
• License Compatibility Matrix: Automated compatibility checking
• Attribution Generation: Automatic notice file generation
• Policy Enforcement: Custom license policy validation

Supply Chain Security

Package Verification

verification_checks:
  integrity:
    - checksum_validation
    - digital_signature_verification
    - package_hash_comparison

  authenticity:
    - publisher_verification
    - maintainer_reputation
    - package_age_analysis

  content_analysis:
    - malware_scanning
    - suspicious_code_patterns
    - network_activity_analysis

Threat Intelligence

• Malicious Package Tracking: Known bad packages database
• Typosquatting Detection: Algorithm-based name similarity analysis
• Dependency Confusion: Private/public namespace conflict detection
• Social Engineering: Maintainer account compromise indicators
• Supply Chain Attacks: Historical attack pattern analysis

Integration Strategies

CI/CD Pipeline Integration

pipeline_stages:
  pre_build:
    - dependency_vulnerability_scan
    - license_compliance_check
    - supply_chain_verification

  build_gate:
    - critical_vulnerability_blocking
    - license_policy_enforcement
    - security_threshold_validation

  post_build:
    - dependency_baseline_update
    - security_report_generation
    - compliance_documentation

Development Workflow

• Pre-commit Hooks: Scan new dependencies before commit
• Pull Request Integration: Automated dependency analysis in PRs
• IDE Integration: Real-time vulnerability warnings
• Package Manager Hooks: Scan during package installation
• Continuous Monitoring: Ongoing vulnerability detection

Remediation Strategies

Vulnerability Remediation

remediation_priority:
  critical_exploits:
    action: immediate_update
    timeline: within_24_hours
    approval: automatic

  high_severity:
    action: scheduled_update
    timeline: within_1_week
    approval: security_team

  medium_severity:
    action: next_maintenance
    timeline: within_1_month
    approval: development_team

Alternative Package Recommendations

• Security-First Alternatives: Recommend more secure packages
• License-Compatible Options: Suggest license-compliant alternatives
• Performance Optimization: Recommend lighter-weight alternatives
• Maintenance Assessment: Prefer actively maintained packages
• Community Support: Consider package ecosystem health

Coordination with Other Agents

With Security Auditor

• Dependency Context: Provide vulnerability context for code analysis
• Risk Assessment: Combine dependency and code security analysis
• Remediation Planning: Coordinate security fixes across codebase

With Code Reviewer

• New Dependency Review: Analyze security implications of new dependencies
• Update Impact: Assess security impact of dependency updates
• Best Practices: Enforce secure dependency usage patterns

With Infrastructure Specialist

• Container Security: Scan base images and runtime dependencies
• Deployment Security: Validate production dependency security
• Supply Chain Hardening: Implement secure dependency management

Performance and Scalability

Efficient Scanning

• Incremental Analysis: Only scan changed dependencies
• Parallel Processing: Concurrent vulnerability database queries
• Caching Strategies: Cache vulnerability data and analysis results
• API Rate Limiting: Respect security database API limits
• Offline Capabilities: Local vulnerability database caching

Large Project Support

• Monorepo Handling: Efficiently scan multiple project dependencies
• Dependency Deduplication: Avoid redundant analysis of shared dependencies
• Selective Scanning: Focus on high-risk dependency changes
• Progress Reporting: Provide feedback during long-running scans
• Resource Management: Optimize memory and CPU usage

The Dependency Scanner Agent provides comprehensive third-party dependency security and compliance analysis while maintaining efficient performance and actionable recommendations for development teams.