Dependency Scan

Overview

This skill focuses on identifying security vulnerabilities, outdated packages, and license compliance issues in project dependencies. It covers multiple package ecosystems (JavaScript/Node.js, Python, Rust, Go, Ruby, Java, .NET, PHP) and provides remediation guidance, SBOM generation, and supply chain security analysis.

When to Use

Scanning dependencies for CVEs and security advisories
Checking for outdated or unmaintained packages
Generating Software Bill of Materials (SBOM)
Verifying license compliance and compatibility
Analyzing supply chain risks and transitive dependencies
Setting up automated dependency updates (Dependabot, Renovate, Snyk)
Investigating security alerts from GitHub/GitLab
Auditing dependencies before production deployment

Instructions

1. Identify Dependencies

Parse manifest files (package.json, requirements.txt, etc.)
Build complete dependency tree
Identify direct vs transitive dependencies
Check for phantom dependencies

2. Vulnerability Scanning

Check against CVE databases
Identify severity levels
Find affected versions
Check for available patches

3. Assess Risks

Evaluate exploitability
Check for active exploitation
Assess impact on application
Prioritize remediations

4. Report and Remediate

Document all findings
Provide upgrade paths
Suggest alternatives
Create remediation plan

5. Language-Specific Scanning

JavaScript/Node.js:

Use
```
npm audit
```
or
```
yarn audit
```
for vulnerability scanning
Check
```
package-lock.json
```
or
```
yarn.lock
```
for reproducibility
Consider
```
npm-check-updates
```
for upgrade analysis
Use
```
license-checker
```
for license compliance

Python:

Use
```
pip-audit
```
or
```
safety
```
for CVE scanning
Check
```
requirements.txt
```
and
```
Pipfile.lock
```
Use
```
pip-compile
```
with
```
--generate-hashes
```
for integrity
Consider
```
pipdeptree
```
for dependency visualization

Rust:

Use
```
cargo audit
```
for RustSec advisories
Check
```
Cargo.lock
```
for reproducible builds
Use
```
cargo outdated
```
for version analysis
Consider
```
cargo deny
```
for policy enforcement

Go:

Use
```
govulncheck
```
for vulnerability scanning
Check
```
go.sum
```
for module integrity
Use
```
go list -m all
```
to enumerate dependencies
Consider
```
nancy
```
for OSS Index checking

6. SBOM Generation

Generate Software Bill of Materials for supply chain transparency:

CycloneDX:

npm install -g @cyclonedx/cyclonedx-npm && cyclonedx-npm --output-file sbom.json

cargo install cargo-cyclonedx && cargo cyclonedx

pip install cyclonedx-bom && cyclonedx-py

SPDX:

Use

syft

(universal tool):

syft . -o spdx-json > sbom.spdx.json

Use

trivy

for container images:

trivy image --format spdx-json myimage:tag

Purpose: Track all components for vulnerability management, license compliance, and incident response.

7. License Compliance Checking

Ensure all dependencies have compatible licenses:

Automated Tools:

Node.js:

npx license-checker --onlyAllow 'MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC'

Rust:
```
cargo deny check licenses
```
Python:
```
pip-licenses
```
Universal:
```
fossology
```
,
```
scancode-toolkit
```

License Categories:

Permissive: MIT, Apache-2.0, BSD (generally safe)
Weak Copyleft: MPL, LGPL (check linking requirements)
Strong Copyleft: GPL, AGPL (may require source disclosure)
Unknown/Missing: Investigate before use

Best Practices

Regular Scanning: Automate daily/weekly scans
Lock Files: Use lockfiles for reproducibility
Minimal Dependencies: Only include what's needed
Verify Sources: Use trusted registries
Review Updates: Don't blindly update
License Compliance: Ensure compatible licenses
SBOM: Maintain software bill of materials

Examples

Example 1: Scanning Commands by Ecosystem

bash

# JavaScript/Node.js
npm audit
npm audit --json > audit-report.json
npm outdated
npx npm-check-updates

# Python
pip-audit
safety check
pip list --outdated
pip-compile --generate-hashes

# Rust
cargo audit
cargo outdated
cargo deny check

# Go
go list -m all | nancy sleuth
govulncheck ./...

# Ruby
bundle audit
bundle outdated

# Java/Maven
mvn dependency-check:check
mvn versions:display-dependency-updates

# .NET
dotnet list package --vulnerable
dotnet list package --outdated

# PHP
composer audit
composer outdated

Example 2: GitHub Actions Dependency Scanning

yaml

name: Dependency Scanning

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 6 * * *" # Daily at 6 AM

jobs:
  dependency-scan:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: "fs"
          scan-ref: "."
          format: "sarif"
          output: "trivy-results.sarif"
          severity: "CRITICAL,HIGH"

      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: "trivy-results.sarif"

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"

      - name: Run npm audit
        run: |
          npm ci
          npm audit --audit-level=high

      - name: Check for outdated packages
        run: npm outdated || true

      - name: License check
        run: npx license-checker --onlyAllow 'MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC'

  snyk-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

Example 3: Dependency Analysis Report Template

markdown

# Dependency Security Report

**Generated:** 2024-01-15
**Project:** my-application
**Total Dependencies:** 245 (42 direct, 203 transitive)

## Summary

| Severity | Count | Status             |
| -------- | ----- | ------------------ |
| Critical | 2     | Action Required    |
| High     | 5     | Action Required    |
| Medium   | 12    | Review Recommended |
| Low      | 8     | Monitor            |

## Critical Vulnerabilities

### CVE-2024-1234 - Remote Code Execution in lodash

- **Package:** lodash@4.17.20
- **Severity:** Critical (CVSS 9.8)
- **Affected Versions:** < 4.17.21
- **Fixed Version:** 4.17.21
- **Path:** my-app > express > lodash
- **Description:** Prototype pollution vulnerability allowing RCE
- **Remediation:** `npm update lodash`

### CVE-2024-5678 - SQL Injection in sequelize

- **Package:** sequelize@6.28.0
- **Severity:** Critical (CVSS 9.1)
- **Affected Versions:** < 6.29.0
- **Fixed Version:** 6.29.0
- **Path:** my-app > sequelize
- **Description:** SQL injection via raw query methods
- **Remediation:** `npm update sequelize`

## License Compliance

| License      | Count | Compliance           |
| ------------ | ----- | -------------------- |
| MIT          | 180   | Approved             |
| Apache-2.0   | 45    | Approved             |
| BSD-3-Clause | 15    | Approved             |
| GPL-3.0      | 3     | Review Required      |
| Unknown      | 2     | Investigation Needed |

## Recommendations

1. **Immediate:** Update lodash and sequelize to fix critical vulnerabilities
2. **Short-term:** Review GPL-licensed dependencies for compatibility
3. **Ongoing:** Enable Dependabot/Renovate for automated updates

Example 4: Renovate Configuration

json

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base", ":semanticCommits", ":preserveSemverRanges"],
  "schedule": ["before 6am on Monday"],
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security"]
  },
  "packageRules": [
    {
      "matchUpdateTypes": ["major"],
      "labels": ["major-update"],
      "automerge": false
    },
    {
      "matchUpdateTypes": ["minor", "patch"],
      "matchCurrentVersion": "!/^0/",
      "automerge": true,
      "automergeType": "pr",
      "platformAutomerge": true
    },
    {
      "matchPackagePatterns": ["^@types/"],
      "automerge": true,
      "groupName": "type definitions"
    },
    {
      "matchDepTypes": ["devDependencies"],
      "automerge": true,
      "groupName": "dev dependencies"
    }
  ],
  "prConcurrentLimit": 5,
  "prHourlyLimit": 2
}

loom-dependency-scan

NPX Install

Tags

SKILL.md Content