dependency-vulnerability-scanner

active

0xea060669127499892a54218c2c484d9ce17a268440c8ea99b2fc329ee5142b9a

Scan project dependencies for known vulnerabilities (CVEs), license risks, and outdated packages. Supports npm, pip, Go, Rust, Ruby, Java. Returns structured vulnerability report with severity ratings, CVSS scores, remediation commands, and risk score for CI/CD gates.

Skill body

Dependency Vulnerability Scanner

Audit every dependency in a project for known CVEs, license compliance, and staleness. Deterministic, structured, multi-ecosystem.

Procedure

1. Parse lockfile

Extract every dependency with:

  • name, exact version (pinned), direct vs transitive

  • npm/yarn/pnpm: parse package-lock.json, yarn.lock or pnpm-lock.yaml, or use npm audit --json
  • pip: parse requirements.txt (a constraints file, not a true lockfile), or use pip-audit -r requirements.txt -f json
  • go: parse go.mod for declared modules and go list -m all for resolved versions (go.sum also lists versions that are not in the build), or use govulncheck ./...
  • cargo: parse Cargo.lock or use cargo audit --json
  • ruby: parse Gemfile.lock or use bundle-audit check --format json
  • maven/gradle: parse pom.xml or build.gradle.kts

2. Query vulnerability databases

For each dependency+version, query in preference order:

  1. OSV.dev API (covers all ecosystems):
    curl -s -X POST https://api.osv.dev/v1/query \
      -d '{"package":{"name":"NAME","ecosystem":"ECOSYSTEM"},"version":"VERSION"}'
    For a whole lockfile, POST the same objects as a "queries" array to /v1/querybatch; it returns only vulnerability IDs per query, in order, and the full record comes from GET /v1/vulns/ID.
  2. GitHub Advisory Database via GraphQL (if gh available)
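The two steps above for npm, as an added example written for this page rather than the skill's own code. It reads a lockfileVersion 3 package-lock.json (a constructed sample is embedded, not taken from any real project), resolves each package's dependencies the way Node does so that a nested copy such as node_modules/a/node_modules/b is attributed to the right parent, records direct/transitive and dev flags plus one dependency chain per installed copy, and builds the /v1/querybatch request body. The request is built but not sent, so it runs offline; the function and field names are the example's own.

```python
"""Steps 1 and 2 for npm: inventory a package-lock.json and build the OSV batch query."""
import json
from collections import deque

# Constructed package-lock.json (lockfileVersion 3) used as sample input; it is
# not taken from any real project. Keys of "packages" are install paths.
SAMPLE_LOCK = json.loads(r'''
{
  "name": "app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "app",
         "dependencies": {"lib": "^1.0.0"},
         "devDependencies": {"tester": "^2.0.0"}},
    "node_modules/lib": {"version": "1.4.0", "dependencies": {"example": "^1.0.0"}},
    "node_modules/example": {"version": "1.0.0"},
    "node_modules/tester": {"version": "2.3.1", "dev": true,
                            "dependencies": {"example": "^2.0.0"}},
    "node_modules/tester/node_modules/example": {"version": "2.0.5", "dev": true}
  }
}
''')


def resolve(packages, from_path, dep_name):
    """Node-style resolution: look for node_modules/<dep_name> under from_path,
    then under each ancestor, then at the top level. Returns the lock key or None."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep_name}" if base else f"node_modules/{dep_name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx >= 0 else ""


def inventory(lock):
    """Every installed package with exact version, direct/transitive and dev flags,
    and one dependency chain from the root in the report's "a > b > c" format."""
    packages = lock["packages"]
    root = packages[""]
    root_name = root.get("name", "app")
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))

    # Breadth-first walk from the root so the recorded chain is a shortest one.
    chains, queue = {}, deque()
    for name in sorted(direct):
        path = resolve(packages, "", name)
        if path is not None:
            chains[path] = [root_name, name]
            queue.append(path)
    while queue:
        path = queue.popleft()
        for dep in packages[path].get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target is not None and target not in chains:
                chains[target] = chains[path] + [dep]
                queue.append(target)

    deps = []
    for path, meta in packages.items():
        if path == "" or meta.get("link"):          # skip the root and workspace links
            continue
        name = path.rsplit("node_modules/", 1)[1]   # keeps @scope/name intact
        deps.append({
            "name": name,
            "version": meta.get("version"),
            "is_direct": path == f"node_modules/{name}" and name in direct,
            "is_dev": bool(meta.get("dev") or meta.get("devOptional")),
            "dependency_chain": " > ".join(chains.get(path, [root_name, name])),
        })
    return deps


def osv_batch_query(deps, ecosystem="npm"):
    """Request body for POST https://api.osv.dev/v1/querybatch. The response lists
    vulnerability IDs per query in the same order; details come from /v1/vulns/{id}.
    Nothing is sent here, so the example runs offline."""
    return {"queries": [
        {"package": {"name": d["name"], "ecosystem": ecosystem}, "version": d["version"]}
        for d in deps
    ]}


if __name__ == "__main__":
    deps = inventory(SAMPLE_LOCK)
    print(json.dumps(deps, indent=2))
    print(json.dumps(osv_batch_query(deps), indent=2))
```

Note that the two copies of "example" come out as separate entries with different chains and dev flags; that is what lets the report say "app > lib > example" for the production copy and keep the dev-only copy out of the merge gate.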

3. Classify vulnerabilities

For each finding, extract:

  • CVE ID and GHSA ID
  • Severity: CRITICAL (CVSS 9.0-10.0) | HIGH (7.0-8.9) | MEDIUM (4.0-6.9) | LOW (0.1-3.9)
  • CVSS score (v3.1 preferred)
  • Affected version range and first patched version
  • CWE category
  • Exploitability: known-exploited (the CVE is in the CISA KEV catalog) | PoC-available | theoretical
  • Description (one sentence)
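Step 3 as an added example, not the skill's own code: an OSV record is turned into one report entry. OSV records carry the CVSS v3.1 vector string rather than the number, so the block computes the base score from the vector with the FIRST v3.1 formula and buckets it on the scale above, picks CVE/GHSA IDs out of the aliases, reads the CWE from GHSA's database_specific block, and finds the first patched version from the range that contains the installed version. The record is a constructed sample using the same placeholder IDs as the output schema below; the `kev` parameter is an assumption standing in for a CISA KEV catalog the caller would load, and the version ordering is a simplified one that ignores pre-release tags.

```python
"""Step 3: classify an OSV record, computing the CVSS v3.1 base score from its vector."""
import math

# CVSS v3.1 base-metric weights from the FIRST specification.
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
_PR = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.5)}   # (scope unchanged, changed)


def _roundup(x):
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, done in integer
    arithmetic as the spec prescribes so float drift cannot change the result."""
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10


def cvss31_base_score(vector):
    """Base score for a 'CVSS:3.1/...' vector string; 0.0 when there is no impact."""
    if not vector.startswith("CVSS:3.1/"):
        raise ValueError("only CVSS v3.1 vectors are handled here")
    m = dict(part.split(":") for part in vector.split("/")[1:])
    changed = m["S"] == "C"
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * _PR[m["PR"]][changed] * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    return _roundup(min((1.08 if changed else 1.0) * (impact + exploitability), 10))


def severity(score):
    """Qualitative rating on the report's scale (CVSS calls 0.0 NONE, not LOW)."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "NONE"


def _version_key(v):
    # Simplified ordering for numeric dotted versions; pre-release tags are dropped.
    return tuple(int(x) for x in v.split("-")[0].split("."))


def first_patched(vuln, installed):
    """The 'fixed' event of the SEMVER/ECOSYSTEM range containing the installed version."""
    inst = _version_key(installed)
    for affected in vuln.get("affected", []):
        for rng in affected.get("ranges", []):
            if rng.get("type") not in ("SEMVER", "ECOSYSTEM"):   # GIT ranges hold commit hashes
                continue
            introduced = "0"
            for event in rng.get("events", []):
                introduced = event.get("introduced", introduced)
                fixed = event.get("fixed")
                if fixed and _version_key(introduced) <= inst < _version_key(fixed):
                    return fixed
    return None


def classify(vuln, package, installed, kev=frozenset()):
    """One report entry. `kev` is the set of CVE IDs from the CISA KEV catalog, loaded
    by the caller (assumption); "PoC-available" needs another source and is not set here."""
    ids = [vuln["id"], *vuln.get("aliases", [])]
    cve = next((i for i in ids if i.startswith("CVE-")), None)
    ghsa = next((i for i in ids if i.startswith("GHSA-")), None)
    vector = next((s["score"] for s in vuln.get("severity", [])
                   if s.get("type") == "CVSS_V3" and s["score"].startswith("CVSS:3.1/")), None)
    score = cvss31_base_score(vector) if vector else None
    db = vuln.get("database_specific", {})
    cwes = db.get("cwe_ids", [])
    return {
        "package": package,
        "installed_version": installed,
        "cve": cve,
        "ghsa": ghsa,
        "cvss_score": score,
        "severity": severity(score) if score is not None else db.get("severity", "UNKNOWN"),
        "cwe": cwes[0] if cwes else None,
        "title": vuln.get("summary"),
        "exploitability": "known-exploited" if cve in kev else "theoretical",
        "patched_version": first_patched(vuln, installed),
    }


# Constructed OSV record with placeholder IDs; not a real advisory.
SAMPLE_VULN = {
    "id": "GHSA-xxxx-yyyy-zzzz",
    "aliases": ["CVE-YYYY-NNNNN"],
    "summary": "Constructed example: code injection in example",
    "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],
    "database_specific": {"cwe_ids": ["CWE-94"], "severity": "CRITICAL"},
    "affected": [{"package": {"ecosystem": "npm", "name": "example"},
                  "ranges": [{"type": "SEMVER",
                              "events": [{"introduced": "0"}, {"fixed": "1.2.3"}]}]}],
}

if __name__ == "__main__":
    print(classify(SAMPLE_VULN, "example", "1.0.0"))
```

The vector-to-score step is where NVD and GHSA numbers diverge in practice: both publish a vector, and recomputing from the vector you actually stored keeps the report reproducible.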

4. License audit

For each dependency:

  • Identify license from package metadata
  • Classify: permissive (MIT, BSD, Apache-2.0, ISC) | weak-copyleft (LGPL, MPL) | strong-copyleft (GPL, AGPL) | unknown
  • Flag violations against the policy list
  • Note dependencies with no declared license

5. Staleness check

For each direct dependency:

  • Current version vs latest available
  • Major versions behind
  • Days since last release
  • Flag: abandoned (>2yr no release), stale (>1yr), current

6. Generate remediation commands

For each vulnerability, provide the exact fix command per ecosystem:

  • npm: npm install package@patched-version
  • pip: pip install 'package>=patched-version' (quote it, or the shell treats > as a redirect)
  • go: go get package@patched-version
  • cargo: cargo update -p package --precise patched-version (plain cargo update -p only moves within the range in Cargo.toml)
  • ruby: bundle update package
  • maven: update the version in pom.xml
  • For a transitive dependency the commands above only change the top-level copy; bump the direct dependency that pulls it in, or pin it with npm overrides, yarn resolutions or pnpm.overrides and re-run the scan to confirm the nested copy moved

7. Output

{
  "scan_timestamp": "ISO-8601",
  "ecosystem": "npm",
  "total_dependencies": 847,
  "direct_dependencies": 42,
  "transitive_dependencies": 805,
  "vulnerabilities": [
    {
      "package": "example",
      "installed_version": "1.0.0",
      "severity": "CRITICAL",
      "cvss_score": 9.8,
      "cve": "CVE-YYYY-NNNNN",
      "ghsa": "GHSA-xxxx-yyyy-zzzz",
      "cwe": "CWE-94",
      "title": "Short description",
      "exploitability": "known-exploited",
      "affected_range": "<1.2.3",
      "patched_version": "1.2.3",
      "fix_command": "npm install example@1.2.3",
      "is_direct": false,
      "dependency_chain": ["app > lib > example"]
    }
  ],
  "license_issues": [
    {
      "package": "name",
      "version": "1.0.0",
      "license": "GPL-3.0",
      "classification": "strong-copyleft",
      "policy_violation": true,
      "is_direct": true
    }
  ],
  "stale_packages": [
    {
      "package": "name",
      "installed": "1.0.0",
      "latest": "2.0.0",
      "majors_behind": 1,
      "days_since_release": 485,
      "status": "stale",
      "suggestion": "Consider migration"
    }
  ],
  "summary": {
    "critical": 2,
    "high": 5,
    "medium": 12,
    "low": 8,
    "license_violations": 1,
    "stale_direct_deps": 3,
    "risk_score": 100,
    "recommended_action": "Fix CRITICAL and HIGH vulnerabilities before merge"
  }
}

Risk Score Calculation

risk_score = min(100,
  (critical * 25) + (high * 10) + (medium * 3) + (low * 1) +
  (license_violations * 15) + (known_exploited * 20)
)

0-25: Low risk (proceed) | 26-50: Moderate (review) | 51-75: High (fix before merge) | 76-100: Critical (block)
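The summary object and the gate, as an added example and not the skill's own code. It takes classified findings (a constructed list is embedded), counts them by severity and known-exploited status, applies the formula above and maps the score to the band and recommended action. Two additions beyond the schema above are the example's own: findings carry an `is_dev` flag so the gate is computed over production-path findings only unless asked otherwise, and `ci_exit_code` turns the score into an exit status for the CI step.

```python
"""Step 7 summary plus the risk score and merge gate."""

WEIGHTS = {"critical": 25, "high": 10, "medium": 3, "low": 1}
LICENSE_WEIGHT, KEV_WEIGHT = 15, 20

# Gate bands: (upper bound inclusive, label, recommended action).
BANDS = [
    (25, "low", "Proceed"),
    (50, "moderate", "Review findings before merge"),
    (75, "high", "Fix CRITICAL and HIGH vulnerabilities before merge"),
    (100, "critical", "Block merge until CRITICAL findings are fixed"),
]

# Constructed findings as step 3 would emit them; the is_dev flag is this example's addition.
SAMPLE_FINDINGS = [
    {"package": "example", "severity": "CRITICAL", "exploitability": "known-exploited", "is_dev": False},
    {"package": "lib", "severity": "HIGH", "exploitability": "theoretical", "is_dev": False},
    {"package": "tester", "severity": "HIGH", "exploitability": "theoretical", "is_dev": True},
    {"package": "util", "severity": "MEDIUM", "exploitability": "theoretical", "is_dev": False},
]


def risk_score(counts, license_violations, known_exploited):
    """The page's formula, capped at 100."""
    weighted = sum(WEIGHTS[k] * counts.get(k, 0) for k in WEIGHTS)
    return min(100, weighted + LICENSE_WEIGHT * license_violations + KEV_WEIGHT * known_exploited)


def gate(score):
    """(band label, recommended action) for a 0..100 score."""
    for upper, label, action in BANDS:
        if score <= upper:
            return label, action
    raise ValueError(f"score out of range: {score}")


def summarize(findings, license_violations, stale_direct_deps, include_dev=False):
    """Build the summary object. By default dev-only findings are excluded from the
    score and reported as a separate count, so a test-only package cannot block a merge."""
    scored = [f for f in findings if include_dev or not f.get("is_dev", False)]
    counts = {k: 0 for k in WEIGHTS}
    known_exploited = 0
    for f in scored:
        key = f["severity"].lower()
        if key in counts:                      # NONE/UNKNOWN carry no weight
            counts[key] += 1
        if f.get("exploitability") == "known-exploited":
            known_exploited += 1
    score = risk_score(counts, license_violations, known_exploited)
    label, action = gate(score)
    return {
        **counts,
        "license_violations": license_violations,
        "stale_direct_deps": stale_direct_deps,
        "known_exploited": known_exploited,
        "dev_only_findings": len(findings) - len(scored),
        "risk_score": score,
        "risk_band": label,
        "recommended_action": action,
    }


def ci_exit_code(summary, max_allowed=50):
    """0 passes the gate, 1 fails it; return this from the CI step."""
    return 0 if summary["risk_score"] <= max_allowed else 1


if __name__ == "__main__":
    s = summarize(SAMPLE_FINDINGS, license_violations=1, stale_direct_deps=3)
    print(s)
    raise SystemExit(ci_exit_code(s))
```

With the sample findings the production-only score is 73 (fix before merge) and the score with dev findings included is 83 (block); the difference is the point of separating the two sets before gating.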

Pitfalls

  • Transitive deps account for most vulnerabilities; always scan the full tree, never just the direct list
  • npm audit reports dev-only findings with the same weight as production ones; separate dev from prod (npm audit --omit=dev) and gate on the production set
  • License detection is imperfect: some packages declare MIT in package.json but ship a GPL LICENSE file, so check both
  • govulncheck reports only vulnerabilities whose affected symbols are reachable from the scanned code; use -scan module when you need the full module-level inventory
  • Private registries may lack advisory data; report those packages as "unscanned" rather than as clean
  • CVSS scores differ between NVD and GHSA; prefer GHSA for ecosystem-specific severity and record which source each score came from
  • Some "critical" CVEs are only exploitable in specific configurations; note the conditions in the finding

Atrium — Skill marketplace for AI agents