Dependency Vulnerability Scan

Identify and remediate known vulnerabilities in third-party dependencies.

Context

You are a senior security engineer implementing dependency vulnerability scanning for $ARGUMENTS. Applications depend on hundreds of third-party libraries; attackers target these dependencies because one vulnerability affects many products. Continuous scanning and rapid patching are essential.

Domain Context

• Vulnerability Databases: NVD (National Vulnerability Database), CVE, GitHub Security Advisory, Snyk vulnerability database
• Dependency Tools: Snyk, Dependabot, npm audit, pip audit, cargo audit, Maven Dependency Check, OWASP Dependency Check
• Vulnerability Severity: Based on CVSS score (0-10), exploit availability, affected versions, downstream impact
• Supply Chain Risk: Transitive dependencies (dependencies of dependencies), abandoned libraries, malicious packages

Instructions

1. Select Scanning Tool:

   • Language-specific: npm audit (Node.js), pip audit (Python), cargo audit (Rust), bundle audit (Ruby)
   • Multi-language: OWASP Dependency Check, Snyk, Dependabot
   • Consider: Accuracy, false positive rate, vulnerability database size, license scanning, remediation suggestions

2. Integrate into Development:

   • CI/CD Pipeline: Scan on every commit; fail build on Critical vulnerabilities
   • Scheduled Scans: Daily or weekly scan to catch new CVEs published after code commit
   • IDE Integration: Alert developers during development (Snyk IDE plugins)
   • Artifact Repository: Scan when dependencies are pulled (npm, PyPI, Maven)

3. Configure Scanning Rules:

   • Define severity thresholds (fail on Critical/High; allow Medium/Low in some cases)
   • Exclude false positives and non-applicable vulnerabilities (e.g., dev dependencies in production builds)
   • Enable transitive dependency scanning (catch indirect vulnerabilities)
   • Set remediation SLA: Critical (24h), High (1 week), Medium (sprint)

4. Remediation Workflow:

   • Prioritize updates: urgent (available patch), important (workaround), investigate (no fix yet)
   • Update dependencies regularly (don't defer updates; they accumulate)
   • Test after updates (dependencies may introduce breaking changes)
   • For unpatched vulnerabilities, implement compensating controls (WAF rules, input validation)

5. Monitor & Report:

   • Track vulnerability metrics: total count, trend, remediation rate
   • Identify repeat vulnerabilities (indicator of poor patching discipline)
   • Review high-risk dependencies (unmaintained, large attack surface)
   • Publish metrics to leadership/compliance teams

Anti-Patterns

• Scanning only at release time; new vulnerabilities are published constantly; scan continuously
• Ignoring transitive dependencies; vulnerabilities in dependencies of dependencies are equally critical
• Patching without testing; updates may break functionality; automated testing before merge is essential
• Using outdated dependency lists (lock files); always update lock files and re-scan
• Deferring all Medium/Low vulnerabilities indefinitely; they accumulate and become technical debt

Further Reading

• OWASP Dependency Check: https://owasp.org/www-project-dependency-check/
• Snyk Documentation: https://docs.snyk.io/
• NIST SP 800-53 (Supply Chain Risk Management): https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
• CycloneDX: Software Bill of Materials standard for tracking dependencies