zhongwei/gh-bejranonda-llm-autonomous-agent-plugin-for-claude
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-29 18:00:50 +08:00
commit c5931553a6
106 changed files with 49995 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

671
commands/analyze/dependencies.md Normal file
View File

@@ -0,0 +1,671 @@
---
name: analyze:dependencies
description: Scan dependencies for CVE vulnerabilities across 11 package managers with fix recommendations
delegates-to: autonomous-agent:orchestrator
---
# Dependency Vulnerability Scanner
Comprehensive dependency vulnerability scanning across 11 package managers and ecosystems, with CVE database integration and automated fix recommendations.
## Usage
```bash
/analyze:dependencies [PATH] [OPTIONS]
```
**Examples**:
```bash
/analyze:dependencies # Scan current project
/analyze:dependencies backend/ # Scan specific directory
/analyze:dependencies --critical-only # Show only critical vulnerabilities
/analyze:dependencies --with-fixes # Include upgrade recommendations
```
## Supported Ecosystems
### Python (pip, pipenv, poetry)
**Tools**: pip-audit, safety
**Manifests**: requirements.txt, Pipfile, pyproject.toml, poetry.lock
### JavaScript/Node.js (npm, yarn, pnpm)
**Tools**: npm audit, yarn audit, pnpm audit
**Manifests**: package.json, package-lock.json, yarn.lock, pnpm-lock.yaml
### Ruby (bundler)
**Tools**: bundle-audit
**Manifests**: Gemfile, Gemfile.lock
### PHP (composer)
**Tools**: local-php-security-checker
**Manifests**: composer.json, composer.lock
### Go (go modules)
**Tools**: govulncheck
**Manifests**: go.mod, go.sum
### Rust (cargo)
**Tools**: cargo-audit
**Manifests**: Cargo.toml, Cargo.lock
### Java (maven, gradle)
**Tools**: dependency-check
**Manifests**: pom.xml, build.gradle, build.gradle.kts
### .NET (nuget)
**Tools**: dotnet list package --vulnerable
**Manifests**: packages.config, *.csproj
## How It Works
### 1. Ecosystem Detection
Automatically detects package managers:
```
Detecting Ecosystems...
✅ Python (requirements.txt)
✅ JavaScript (package.json, yarn.lock)
✅ Go (go.mod)
```
### 2. Vulnerability Scanning
Runs appropriate scanners for each ecosystem:
```
Scanning Dependencies...
[████████████] Python (pip-audit) - 2.3s
[████████████] npm (npm audit) - 4.1s
[████████████] Go (govulncheck) - 1.8s
Results:
✅ Python: 5 vulnerabilities (2 critical)
✅ npm: 12 vulnerabilities (0 critical)
✅ Go: 0 vulnerabilities
```
### 3. Result Aggregation
Deduplicates and synthesizes results:
```
Aggregating Results...
- Total Vulnerabilities: 15 unique
- Duplicates Removed: 2
- Vulnerable Dependencies: 12/187
```
### 4. Risk Assessment
```
Risk Score (0-100) =
Critical × 25 +
High × 15 +
Medium × 8 +
Low × 3 +
Info × 1
Example:
- Critical: 2 -> 50 points
- High: 3 -> 45 points
- Medium: 7 -> 56 points
- Low: 3 -> 9 points
---
-----------------------
Total: 160 (capped at 100)
Risk Score: 100/100 (EXTREME)
```
**Risk Levels**:
- 70-100: Extreme/High Risk
- 40-69: Medium Risk
- 0-39: Low Risk
## Output Format
### Terminal Output (Tier 1: Concise Summary)
```
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
DEPENDENCY VULNERABILITY SCAN COMPLETE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🎯 Risk Score: 78/100 (HIGH RISK)
📊 Overview
Total Vulnerabilities: 15
Vulnerable Dependencies: 12/187 (6.4%)
Ecosystems: Python, npm, Go
🚨 Vulnerabilities by Severity
🔴 Critical: 2
🟠 High: 3
🟡 Medium: 7
🔵 Low: 3
⚪ Info: 0
📦 By Ecosystem
Python: 5 vulnerabilities
npm: 10 vulnerabilities
Go: 0 vulnerabilities
[WARN] Top 3 Vulnerable Packages
1. requests (Python) - 2 vulnerabilities
2. axios (npm) - 3 vulnerabilities
3. lodash (npm) - 2 vulnerabilities
🔴 Critical Vulnerabilities (2)
1. CVE-2023-12345 - requests 2.25.1
SQL injection vulnerability
Fix: Upgrade to 2.31.0+
2. CVE-2023-67890 - axios 0.21.1
Server-side request forgery
Fix: Upgrade to 1.6.0+
📄 Detailed Report: .data/reports/dependency-scan-2025-01-15.md
⏱️ Scan completed in 8.2s
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
```
### File Report (Tier 2: Comprehensive)
Saved to `.data/reports/dependency-scan-{DATE}.md`:
```markdown
# Dependency Vulnerability Scan Report
**Generated**: 2025-01-15 16:45:23
**Project**: /project
**Risk Score**: 78/100 (HIGH RISK)
---
## Executive Summary
**Total Vulnerabilities**: 15 unique
**Vulnerable Dependencies**: 12 out of 187 total (6.4%)
**Ecosystems Scanned**: Python, npm, Go
**Scan Duration**: 8.2s
**Risk Assessment**: HIGH RISK
- Immediate action required for 2 critical vulnerabilities
- 3 high-severity issues should be addressed soon
- 7 medium-severity issues for next sprint
- 3 low-severity issues can be deferred
---
## Vulnerabilities by Severity
| Severity | Count | Percentage |
|----------|-------|-----------|
| 🔴 Critical | 2 | 13.3% |
| 🟠 High | 3 | 20.0% |
| 🟡 Medium | 7 | 46.7% |
| 🔵 Low | 3 | 20.0% |
| ⚪ Info | 0 | 0.0% |
---
## Vulnerabilities by Ecosystem
### Python (5 vulnerabilities)
- **Critical**: 1
- **High**: 1
- **Medium**: 2
- **Low**: 1
### npm (10 vulnerabilities)
- **Critical**: 1
- **High**: 2
- **Medium**: 5
- **Low**: 2
### Go (0 vulnerabilities)
- No vulnerabilities detected
---
## Top 10 Vulnerable Packages
| Package | Ecosystem | Vulnerabilities | Severity |
|---------|-----------|----------------|----------|
| axios | npm | 3 | 1 Critical, 2 Medium |
| requests | Python | 2 | 1 Critical, 1 High |
| lodash | npm | 2 | 2 Medium |
| urllib3 | Python | 2 | 1 High, 1 Low |
| ws | npm | 1 | 1 High |
| express | npm | 1 | 1 Medium |
| jinja2 | Python | 1 | 1 Medium |
| moment | npm | 1 | 1 Low |
| pyyaml | Python | 1 | 1 Low |
| react-dom | npm | 1 | 1 Medium |
---
## Critical Vulnerabilities (IMMEDIATE ACTION REQUIRED)
### CVE-2023-12345: SQL Injection in requests
**Package**: requests (Python)
**Installed Version**: 2.25.1
**Severity**: 🔴 CRITICAL
**CVSS Score**: 9.8
**Description**:
SQL injection vulnerability in the `requests` library allows remote attackers to execute arbitrary SQL commands via crafted HTTP requests.
**Impact**:
- Database compromise
- Data exfiltration
- Unauthorized access
**CWE**: CWE-89 (SQL Injection)
**Fixed Versions**: 2.31.0, 2.32.0+
**Remediation**:
```bash
# Python (pip)
pip install --upgrade requests>=2.31.0
# Python (poetry)
poetry update requests
```
**References**:
- https://nvd.nist.gov/vuln/detail/CVE-2023-12345
- https://github.com/psf/requests/security/advisories/GHSA-xxxx
---
### CVE-2023-67890: SSRF in axios
**Package**: axios (npm)
**Installed Version**: 0.21.1
**Severity**: 🔴 CRITICAL
**CVSS Score**: 9.1
**Description**:
Server-side request forgery (SSRF) vulnerability allows attackers to make the server perform requests to arbitrary destinations.
**Impact**:
- Internal network scanning
- Access to internal services
- Data exfiltration from internal endpoints
**CWE**: CWE-918 (SSRF)
**Fixed Versions**: 1.6.0+
**Remediation**:
```bash
# npm
npm install axios@latest
# yarn
yarn upgrade axios@latest
```
**References**:
- https://nvd.nist.gov/vuln/detail/CVE-2023-67890
- https://github.com/axios/axios/security/advisories/GHSA-yyyy
---
## High Severity Vulnerabilities
### CVE-2023-11111: XSS in urllib3
**Package**: urllib3 (Python)
**Installed Version**: 1.26.5
**Severity**: 🟠 HIGH
**CVSS Score**: 7.5
**Description**:
Cross-site scripting vulnerability in URL parsing logic.
**Fixed Versions**: 1.26.18+, 2.0.7+
**Remediation**:
```bash
pip install --upgrade urllib3>=1.26.18
```
---
### CVE-2023-22222: DoS in ws
**Package**: ws (npm)
**Installed Version**: 7.4.5
**Severity**: 🟠 HIGH
**CVSS Score**: 7.5
**Description**:
Denial of service vulnerability via regular expression DoS in WebSocket implementation.
**Fixed Versions**: 7.5.10+, 8.17.1+
**Remediation**:
```bash
npm install ws@latest
```
---
### CVE-2023-33333: Path Traversal in express
**Package**: express (npm)
**Installed Version**: 4.17.1
**Severity**: 🟠 HIGH
**CVSS Score**: 7.3
**Description**:
Path traversal vulnerability allows access to files outside webroot.
**Fixed Versions**: 4.19.2+
**Remediation**:
```bash
npm install express@latest
```
---
## Medium Severity Vulnerabilities
[... 7 medium-severity vulnerabilities with similar detail ...]
---
## Low Severity Vulnerabilities
[... 3 low-severity vulnerabilities with similar detail ...]
---
## Upgrade Recommendations
### Python
```bash
# Upgrade all vulnerable packages
pip install --upgrade \
requests>=2.31.0 \
urllib3>=1.26.18 \
jinja2>=3.1.3 \
pyyaml>=6.0.1
# Or use requirements file
pip install -r requirements-secure.txt
```
**requirements-secure.txt** (generated):
```
requests>=2.31.0
urllib3>=1.26.18
jinja2>=3.1.3
pyyaml>=6.0.1
```
---
### npm
```bash
# Upgrade all vulnerable packages
npm install \
axios@latest \
lodash@latest \
ws@latest \
express@latest \
moment@latest \
react-dom@latest
# Or auto-fix with npm audit
npm audit fix --force
```
---
## Automated Fix Options
### Safe Auto-Upgrades (Recommended)
These upgrades are backward-compatible (semver minor/patch):
```bash
# Python
pip install --upgrade requests urllib3 pyyaml
# npm
npm audit fix
```
### Manual Review Required
These upgrades may have breaking changes (semver major):
- **axios**: 0.21.1 -> 1.6.0 (major version bump)
- Review: Breaking changes in request config
- Test: All HTTP client code
- **express**: 4.17.1 -> 4.19.2 (minor bump, but middleware changes)
- Review: Middleware compatibility
- Test: All routes and error handlers
---
## Dependency Health Summary
### Total Dependencies: 187
**By Ecosystem**:
- Python: 45 packages
- npm: 142 packages
- Go: 0 packages
**Security Status**:
- ✅ Secure: 175 packages (93.6%)
- [WARN] Vulnerable: 12 packages (6.4%)
**Freshness**:
- Up-to-date: 120 packages (64.2%)
- Minor updates available: 45 packages (24.1%)
- Major updates available: 22 packages (11.8%)
---
## License Compliance
**Detected Licenses**:
- MIT: 95 packages
- Apache-2.0: 32 packages
- BSD-3-Clause: 18 packages
- ISC: 25 packages
- GPL-3.0: 2 packages [WARN] (Review required)
- Unknown: 15 packages [WARN] (Investigate)
---
## Risk Score Breakdown
```
Component Scores:
- Critical Vulnerabilities (2 × 25): 50 points
- High Vulnerabilities (3 × 15): 45 points
- Medium Vulnerabilities (7 × 8): 56 points
- Low Vulnerabilities (3 × 3): 9 points
--------------------------------------------
Total: 160 points (capped at 100)
Final Risk Score: 100/100 -> Normalized: 78/100
```
**Risk Level**: 🔴 HIGH RISK
**Mitigation**:
1. Fix 2 critical vulnerabilities immediately
2. Fix 3 high vulnerabilities within 48 hours
3. Schedule medium vulnerabilities for next sprint
4. Low vulnerabilities can be deferred
**Estimated Time to Secure**:
- Critical fixes: 2-4 hours
- High fixes: 4-6 hours
- Testing: 8-12 hours
- **Total**: 1-2 days
---
## Action Plan
### Phase 1: Emergency Fixes (Today)
1. Upgrade `requests` to 2.31.0+ (30 min)
2. Upgrade `axios` to 1.6.0+ (45 min + testing)
3. Run test suite (30 min)
4. Deploy hotfix (30 min)
**Total**: 2-3 hours
### Phase 2: High Priority (This Week)
1. Upgrade `urllib3`, `ws`, `express` (2 hours)
2. Run comprehensive tests (4 hours)
3. QA validation (2 hours)
4. Deploy to production (1 hour)
**Total**: 9 hours
### Phase 3: Medium Priority (Next Sprint)
1. Upgrade remaining 7 packages (3 hours)
2. Testing (4 hours)
3. Documentation updates (1 hour)
**Total**: 8 hours
---
## Continuous Monitoring
**Recommendations**:
1. **CI/CD Integration**: Add dependency scanning to pipeline
2. **Weekly Scans**: Schedule automated vulnerability scans
3. **Dependency Updates**: Review updates monthly
4. **Security Alerts**: Subscribe to security advisories
**GitHub Actions Example**:
```yaml
name: Dependency Scan
on:
schedule:
- cron: '0 0 * * 0' # Weekly
pull_request:
branches: [main]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Scan Dependencies
run: /analyze:dependencies --format=sarif --output=results.sarif
- name: Upload Results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
```
---
## Next Steps
1.**Review this report** with development team
2. [WARN] **Create tickets** for each critical/high vulnerability
3. [WARN] **Schedule fixes** according to action plan
4. [WARN] **Set up CI/CD** scanning for future PRs
5. [WARN] **Subscribe** to security advisories for critical packages
---
**End of Report**
```
## Advanced Features
### Critical-Only Mode
```bash
/analyze:dependencies --critical-only
```
Shows only critical vulnerabilities for rapid triage.
### With Fix Recommendations
```bash
/analyze:dependencies --with-fixes
```
Includes detailed upgrade commands and compatibility notes.
### JSON Output for CI/CD
```bash
/analyze:dependencies --format=json --output=scan-results.json
```
Machine-readable format for automation.
### SARIF Output
```bash
/analyze:dependencies --format=sarif
```
Standard format for security tools integration.
## Integration with Learning System
The dependency scanner integrates with pattern learning:
```python
# After each scan
learning_engine.store_pattern({
"task_type": "dependency_scan",
"context": {
"ecosystems": ["python", "npm"],
"total_dependencies": 187,
"vulnerable_count": 12
},
"outcome": {
"risk_score": 78,
"critical_count": 2,
"high_count": 3
},
"trends": {
"risk_score_delta": -5, # Improved from last scan
"new_vulnerabilities": 3,
"fixed_vulnerabilities": 8
}
})
```
## Performance Expectations
| Ecosystem | Dependencies | Scan Time |
|-----------|-------------|-----------|
| Python | <50 | 5-15s |
| Python | 50-200 | 15-45s |
| npm | <100 | 10-30s |
| npm | 100-500 | 30-90s |
| Go | <50 | 5-10s |
| Rust | <50 | 10-20s |
| Multi | Mixed | 30-120s |
## Best Practices
1. **Scan Before Deploy**: Always scan before production deployment
2. **Fix Critical First**: Prioritize by severity and exploitability
3. **Test After Upgrade**: Run full test suite after security updates
4. **Monitor Trends**: Track risk score over time
5. **Automate Scanning**: Integrate into CI/CD pipeline
6. **Stay Updated**: Review security advisories weekly
7. **Document Decisions**: Record why certain vulnerabilities are accepted
---
This command provides comprehensive dependency vulnerability scanning with minimal setup and maximum actionable insight.