Dependency Vulnerability Scanner

Comprehensive dependency vulnerability scanning across 11 package managers and ecosystems, with CVE database integration and automated fix recommendations.

Usage

/analyze:dependencies [PATH] [OPTIONS]

Examples:

/analyze:dependencies                  # Scan current project
/analyze:dependencies backend/         # Scan specific directory
/analyze:dependencies --critical-only  # Show only critical vulnerabilities
/analyze:dependencies --with-fixes     # Include upgrade recommendations

Supported Ecosystems

Python (pip, pipenv, poetry)

Tools: pip-audit, safety Manifests: requirements.txt, Pipfile, pyproject.toml, poetry.lock

JavaScript/Node.js (npm, yarn, pnpm)

Tools: npm audit, yarn audit, pnpm audit Manifests: package.json, package-lock.json, yarn.lock, pnpm-lock.yaml

Ruby (bundler)

Tools: bundle-audit Manifests: Gemfile, Gemfile.lock

PHP (composer)

Tools: local-php-security-checker Manifests: composer.json, composer.lock

Go (go modules)

Tools: govulncheck Manifests: go.mod, go.sum

Rust (cargo)

Tools: cargo-audit Manifests: Cargo.toml, Cargo.lock

Java (maven, gradle)

Tools: dependency-check Manifests: pom.xml, build.gradle, build.gradle.kts

.NET (nuget)

Tools: dotnet list package --vulnerable Manifests: packages.config, *.csproj

How It Works

1. Ecosystem Detection

Automatically detects package managers:

Detecting Ecosystems...
✅ Python (requirements.txt)
✅ JavaScript (package.json, yarn.lock)
✅ Go (go.mod)

2. Vulnerability Scanning

Runs appropriate scanners for each ecosystem:

Scanning Dependencies...
[████████████] Python    (pip-audit)  - 2.3s
[████████████] npm       (npm audit)  - 4.1s
[████████████] Go        (govulncheck) - 1.8s

Results:
✅ Python:     5 vulnerabilities (2 critical)
✅ npm:        12 vulnerabilities (0 critical)
✅ Go:         0 vulnerabilities

3. Result Aggregation

Deduplicates and synthesizes results:

Aggregating Results...
- Total Vulnerabilities: 15 unique
- Duplicates Removed: 2
- Vulnerable Dependencies: 12/187

4. Risk Assessment

Risk Score (0-100) =
    Critical × 25 +
    High × 15 +
    Medium × 8 +
    Low × 3 +
    Info × 1

Example:
- Critical: 2 -> 50 points
- High: 3 -> 45 points
- Medium: 7 -> 56 points
- Low: 3 -> 9 points
---

-----------------------
Total: 160 (capped at 100)
Risk Score: 100/100 (EXTREME)

Risk Levels:

• 70-100: Extreme/High Risk
• 40-69: Medium Risk
• 0-39: Low Risk

Output Format

Terminal Output (Tier 1: Concise Summary)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  DEPENDENCY VULNERABILITY SCAN COMPLETE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

🎯 Risk Score: 78/100 (HIGH RISK)

📊 Overview
   Total Vulnerabilities: 15
   Vulnerable Dependencies: 12/187 (6.4%)
   Ecosystems: Python, npm, Go

🚨 Vulnerabilities by Severity
   🔴 Critical: 2
   🟠 High: 3
   🟡 Medium: 7
   🔵 Low: 3
   ⚪ Info: 0

📦 By Ecosystem
   Python: 5 vulnerabilities
   npm: 10 vulnerabilities
   Go: 0 vulnerabilities

[WARN]️  Top 3 Vulnerable Packages
   1. requests (Python) - 2 vulnerabilities
   2. axios (npm) - 3 vulnerabilities
   3. lodash (npm) - 2 vulnerabilities

🔴 Critical Vulnerabilities (2)
   1. CVE-2023-12345 - requests 2.25.1
      SQL injection vulnerability
      Fix: Upgrade to 2.31.0+

   2. CVE-2023-67890 - axios 0.21.1
      Server-side request forgery
      Fix: Upgrade to 1.6.0+

📄 Detailed Report: .data/reports/dependency-scan-2025-01-15.md

⏱️  Scan completed in 8.2s
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

File Report (Tier 2: Comprehensive)

Saved to .data/reports/dependency-scan-{DATE}.md:

# Dependency Vulnerability Scan Report
**Generated**: 2025-01-15 16:45:23
**Project**: /project
**Risk Score**: 78/100 (HIGH RISK)

---

## Executive Summary

**Total Vulnerabilities**: 15 unique
**Vulnerable Dependencies**: 12 out of 187 total (6.4%)
**Ecosystems Scanned**: Python, npm, Go
**Scan Duration**: 8.2s

**Risk Assessment**: HIGH RISK
- Immediate action required for 2 critical vulnerabilities
- 3 high-severity issues should be addressed soon
- 7 medium-severity issues for next sprint
- 3 low-severity issues can be deferred

---

## Vulnerabilities by Severity

| Severity | Count | Percentage |
|----------|-------|-----------|
| 🔴 Critical | 2 | 13.3% |
| 🟠 High | 3 | 20.0% |
| 🟡 Medium | 7 | 46.7% |
| 🔵 Low | 3 | 20.0% |
| ⚪ Info | 0 | 0.0% |

---

## Vulnerabilities by Ecosystem

### Python (5 vulnerabilities)
- **Critical**: 1
- **High**: 1
- **Medium**: 2
- **Low**: 1

### npm (10 vulnerabilities)
- **Critical**: 1
- **High**: 2
- **Medium**: 5
- **Low**: 2

### Go (0 vulnerabilities)
- No vulnerabilities detected

---

## Top 10 Vulnerable Packages

| Package | Ecosystem | Vulnerabilities | Severity |
|---------|-----------|----------------|----------|
| axios | npm | 3 | 1 Critical, 2 Medium |
| requests | Python | 2 | 1 Critical, 1 High |
| lodash | npm | 2 | 2 Medium |
| urllib3 | Python | 2 | 1 High, 1 Low |
| ws | npm | 1 | 1 High |
| express | npm | 1 | 1 Medium |
| jinja2 | Python | 1 | 1 Medium |
| moment | npm | 1 | 1 Low |
| pyyaml | Python | 1 | 1 Low |
| react-dom | npm | 1 | 1 Medium |

---

## Critical Vulnerabilities (IMMEDIATE ACTION REQUIRED)

### CVE-2023-12345: SQL Injection in requests
**Package**: requests (Python)
**Installed Version**: 2.25.1
**Severity**: 🔴 CRITICAL
**CVSS Score**: 9.8

**Description**:
SQL injection vulnerability in the `requests` library allows remote attackers to execute arbitrary SQL commands via crafted HTTP requests.

**Impact**:
- Database compromise
- Data exfiltration
- Unauthorized access

**CWE**: CWE-89 (SQL Injection)

**Fixed Versions**: 2.31.0, 2.32.0+

**Remediation**:
```bash
# Python (pip)
pip install --upgrade requests>=2.31.0

# Python (poetry)
poetry update requests

References:

• https://nvd.nist.gov/vuln/detail/CVE-2023-12345
• https://github.com/psf/requests/security/advisories/GHSA-xxxx

---

CVE-2023-67890: SSRF in axios

Package: axios (npm) Installed Version: 0.21.1 Severity: 🔴 CRITICAL CVSS Score: 9.1

Description: Server-side request forgery (SSRF) vulnerability allows attackers to make the server perform requests to arbitrary destinations.

Impact:

• Internal network scanning
• Access to internal services
• Data exfiltration from internal endpoints

CWE: CWE-918 (SSRF)

Fixed Versions: 1.6.0+

Remediation:

# npm
npm install axios@latest

# yarn
yarn upgrade axios@latest

References:

• https://nvd.nist.gov/vuln/detail/CVE-2023-67890
• https://github.com/axios/axios/security/advisories/GHSA-yyyy

---

High Severity Vulnerabilities

CVE-2023-11111: XSS in urllib3

Package: urllib3 (Python) Installed Version: 1.26.5 Severity: 🟠 HIGH CVSS Score: 7.5

Description: Cross-site scripting vulnerability in URL parsing logic.

Fixed Versions: 1.26.18+, 2.0.7+

Remediation:

pip install --upgrade urllib3>=1.26.18

---

CVE-2023-22222: DoS in ws

Package: ws (npm) Installed Version: 7.4.5 Severity: 🟠 HIGH CVSS Score: 7.5

Description: Denial of service vulnerability via regular expression DoS in WebSocket implementation.

Fixed Versions: 7.5.10+, 8.17.1+

Remediation:

npm install ws@latest

---

CVE-2023-33333: Path Traversal in express

Package: express (npm) Installed Version: 4.17.1 Severity: 🟠 HIGH CVSS Score: 7.3

Description: Path traversal vulnerability allows access to files outside webroot.

Fixed Versions: 4.19.2+

Remediation:

npm install express@latest

---

Medium Severity Vulnerabilities

[... 7 medium-severity vulnerabilities with similar detail ...]

---

Low Severity Vulnerabilities

[... 3 low-severity vulnerabilities with similar detail ...]

---

Upgrade Recommendations

Python

# Upgrade all vulnerable packages
pip install --upgrade \
  requests>=2.31.0 \
  urllib3>=1.26.18 \
  jinja2>=3.1.3 \
  pyyaml>=6.0.1

# Or use requirements file
pip install -r requirements-secure.txt

requirements-secure.txt (generated):

requests>=2.31.0
urllib3>=1.26.18
jinja2>=3.1.3
pyyaml>=6.0.1

---

npm

# Upgrade all vulnerable packages
npm install \
  axios@latest \
  lodash@latest \
  ws@latest \
  express@latest \
  moment@latest \
  react-dom@latest

# Or auto-fix with npm audit
npm audit fix --force

---

Automated Fix Options

Safe Auto-Upgrades (Recommended)

These upgrades are backward-compatible (semver minor/patch):

# Python
pip install --upgrade requests urllib3 pyyaml

# npm
npm audit fix

Manual Review Required

These upgrades may have breaking changes (semver major):

• axios: 0.21.1 -> 1.6.0 (major version bump)

  • Review: Breaking changes in request config
  • Test: All HTTP client code

• express: 4.17.1 -> 4.19.2 (minor bump, but middleware changes)

  • Review: Middleware compatibility
  • Test: All routes and error handlers

---

Dependency Health Summary

Total Dependencies: 187

By Ecosystem:

• Python: 45 packages
• npm: 142 packages
• Go: 0 packages

Security Status:

• ✅ Secure: 175 packages (93.6%)
• [WARN]️ Vulnerable: 12 packages (6.4%)

Freshness:

• Up-to-date: 120 packages (64.2%)
• Minor updates available: 45 packages (24.1%)
• Major updates available: 22 packages (11.8%)

---

License Compliance

Detected Licenses:

• MIT: 95 packages
• Apache-2.0: 32 packages
• BSD-3-Clause: 18 packages
• ISC: 25 packages
• GPL-3.0: 2 packages [WARN]️ (Review required)
• Unknown: 15 packages [WARN]️ (Investigate)

---

Risk Score Breakdown

Component Scores:
- Critical Vulnerabilities (2 × 25): 50 points
- High Vulnerabilities (3 × 15): 45 points
- Medium Vulnerabilities (7 × 8): 56 points
- Low Vulnerabilities (3 × 3): 9 points
--------------------------------------------
Total: 160 points (capped at 100)

Final Risk Score: 100/100 -> Normalized: 78/100

Risk Level: 🔴 HIGH RISK

Mitigation:

1. Fix 2 critical vulnerabilities immediately
2. Fix 3 high vulnerabilities within 48 hours
3. Schedule medium vulnerabilities for next sprint
4. Low vulnerabilities can be deferred

Estimated Time to Secure:

• Critical fixes: 2-4 hours
• High fixes: 4-6 hours
• Testing: 8-12 hours
• Total: 1-2 days

---

Action Plan

Phase 1: Emergency Fixes (Today)

1. Upgrade requests to 2.31.0+ (30 min)
2. Upgrade axios to 1.6.0+ (45 min + testing)
3. Run test suite (30 min)
4. Deploy hotfix (30 min)

Total: 2-3 hours

Phase 2: High Priority (This Week)

1. Upgrade urllib3, ws, express (2 hours)
2. Run comprehensive tests (4 hours)
3. QA validation (2 hours)
4. Deploy to production (1 hour)

Total: 9 hours

Phase 3: Medium Priority (Next Sprint)

1. Upgrade remaining 7 packages (3 hours)
2. Testing (4 hours)
3. Documentation updates (1 hour)

Total: 8 hours

---

Continuous Monitoring

Recommendations:

1. CI/CD Integration: Add dependency scanning to pipeline
2. Weekly Scans: Schedule automated vulnerability scans
3. Dependency Updates: Review updates monthly
4. Security Alerts: Subscribe to security advisories

GitHub Actions Example:

name: Dependency Scan
on:
  schedule:
    - cron: '0 0 * * 0'  # Weekly
  pull_request:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Scan Dependencies
        run: /analyze:dependencies --format=sarif --output=results.sarif
      - name: Upload Results
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif

---

Next Steps

1. ✅ Review this report with development team
2. [WARN]️ Create tickets for each critical/high vulnerability
3. [WARN]️ Schedule fixes according to action plan
4. [WARN]️ Set up CI/CD scanning for future PRs
5. [WARN]️ Subscribe to security advisories for critical packages

---

End of Report

## Advanced Features

### Critical-Only Mode

```bash
/analyze:dependencies --critical-only

Shows only critical vulnerabilities for rapid triage.

With Fix Recommendations

/analyze:dependencies --with-fixes

Includes detailed upgrade commands and compatibility notes.

JSON Output for CI/CD

/analyze:dependencies --format=json --output=scan-results.json

Machine-readable format for automation.

SARIF Output

/analyze:dependencies --format=sarif

Standard format for security tools integration.

Integration with Learning System

The dependency scanner integrates with pattern learning:

# After each scan
learning_engine.store_pattern({
    "task_type": "dependency_scan",
    "context": {
        "ecosystems": ["python", "npm"],
        "total_dependencies": 187,
        "vulnerable_count": 12
    },
    "outcome": {
        "risk_score": 78,
        "critical_count": 2,
        "high_count": 3
    },
    "trends": {
        "risk_score_delta": -5,  # Improved from last scan
        "new_vulnerabilities": 3,
        "fixed_vulnerabilities": 8
    }
})

Performance Expectations

Ecosystem	Dependencies	Scan Time
Python	<50	5-15s
Python	50-200	15-45s
npm	<100	10-30s
npm	100-500	30-90s
Go	<50	5-10s
Rust	<50	10-20s
Multi	Mixed	30-120s

Best Practices

1. Scan Before Deploy: Always scan before production deployment
2. Fix Critical First: Prioritize by severity and exploitability
3. Test After Upgrade: Run full test suite after security updates
4. Monitor Trends: Track risk score over time
5. Automate Scanning: Integrate into CI/CD pipeline
6. Stay Updated: Review security advisories weekly
7. Document Decisions: Record why certain vulnerabilities are accepted

---

This command provides comprehensive dependency vulnerability scanning with minimal setup and maximum actionable insight.