gh-bejranonda-llm-autonomou…/commands/analyze/dependencies.md
2025-11-29 18:00:50 +08:00

---
name: analyze:dependencies
description: Scan dependencies for CVE vulnerabilities across 11 package managers with fix recommendations
delegates-to: autonomous-agent:orchestrator
---
# Dependency Vulnerability Scanner
Comprehensive dependency vulnerability scanning across 11 package managers and ecosystems, with CVE database integration and automated fix recommendations.
## Usage
```bash
/analyze:dependencies [PATH] [OPTIONS]
```
**Examples**:
```bash
/analyze:dependencies # Scan current project
/analyze:dependencies backend/ # Scan specific directory
/analyze:dependencies --critical-only # Show only critical vulnerabilities
/analyze:dependencies --with-fixes # Include upgrade recommendations
```
## Supported Ecosystems
### Python (pip, pipenv, poetry)
**Tools**: pip-audit, safety
**Manifests**: requirements.txt, Pipfile, pyproject.toml, poetry.lock
### JavaScript/Node.js (npm, yarn, pnpm)
**Tools**: npm audit, yarn audit, pnpm audit
**Manifests**: package.json, package-lock.json, yarn.lock, pnpm-lock.yaml
### Ruby (bundler)
**Tools**: bundle-audit
**Manifests**: Gemfile, Gemfile.lock
### PHP (composer)
**Tools**: local-php-security-checker
**Manifests**: composer.json, composer.lock
### Go (go modules)
**Tools**: govulncheck
**Manifests**: go.mod, go.sum
### Rust (cargo)
**Tools**: cargo-audit
**Manifests**: Cargo.toml, Cargo.lock
### Java (maven, gradle)
**Tools**: dependency-check
**Manifests**: pom.xml, build.gradle, build.gradle.kts
### .NET (nuget)
**Tools**: dotnet list package --vulnerable
**Manifests**: packages.config, *.csproj
## How It Works
### 1. Ecosystem Detection
Automatically detects package managers:
```
Detecting Ecosystems...
✅ Python (requirements.txt)
✅ JavaScript (package.json, yarn.lock)
✅ Go (go.mod)
```
### 2. Vulnerability Scanning
Runs appropriate scanners for each ecosystem:
```
Scanning Dependencies...
[████████████] Python (pip-audit) - 2.3s
[████████████] npm (npm audit) - 4.1s
[████████████] Go (govulncheck) - 1.8s
Results:
✅ Python: 5 vulnerabilities (2 critical)
✅ npm: 12 vulnerabilities (0 critical)
✅ Go: 0 vulnerabilities
```
### 3. Result Aggregation
Deduplicates and synthesizes results:
```
Aggregating Results...
- Total Vulnerabilities: 15 unique
- Duplicates Removed: 2
- Vulnerable Dependencies: 12/187
```
### 4. Risk Assessment
```
Risk Score (0-100) =
Critical × 25 +
High × 15 +
Medium × 8 +
Low × 3 +
Info × 1
Example:
- Critical: 2 -> 50 points
- High: 3 -> 45 points
- Medium: 7 -> 56 points
- Low: 3 -> 9 points
-----------------------
Total: 160 (capped at 100)
Risk Score: 100/100 (EXTREME)
```
**Risk Levels**:
- 70-100: Extreme/High Risk
- 40-69: Medium Risk
- 0-39: Low Risk
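Steps 3 and 4 above (deduplication, then weighted scoring capped at 100) as an added Python example; it is not the plugin's own code. The finding fields, the dedup key and the highest-severity-wins rule are assumptions, and the advisory ids are constructed placeholders.

```python
from collections import Counter

# Weights and level thresholds as given in the Risk Assessment section.
WEIGHTS = {"critical": 25, "high": 15, "medium": 8, "low": 3, "info": 1}
RANK = {s: i for i, s in enumerate(["info", "low", "medium", "high", "critical"])}

def aggregate(findings):
    """Collapse findings that several scanners report for the same issue.
    Assumed dedup key: (ecosystem, package, advisory id). When scanners
    disagree on severity the higher rating wins, so merging never hides risk.
    """
    unique = {}
    for f in findings:
        sev = f["severity"].lower()
        if sev not in WEIGHTS:
            raise ValueError(f"unknown severity {f['severity']!r}")
        key = (f["ecosystem"], f["package"].lower(), f["id"].upper())
        kept = unique.get(key)
        if kept is None or RANK[sev] > RANK[kept["severity"]]:
            unique[key] = {**f, "severity": sev}
    return list(unique.values())

def risk_score(findings):
    """Return (capped score, raw weighted sum, per-severity counts)."""
    counts = Counter(f["severity"].lower() for f in findings)
    raw = sum(WEIGHTS[sev] * n for sev, n in counts.items())
    return min(raw, 100), raw, counts

def risk_level(score):
    if score >= 70:
        return "extreme/high"
    return "medium" if score >= 40 else "low"

# Constructed scanner output (placeholder advisory ids, not real CVEs).
SAMPLE = [
    {"scanner": "pip-audit", "ecosystem": "python", "package": "requests",
     "id": "EXAMPLE-0001", "severity": "high"},
    {"scanner": "safety", "ecosystem": "python", "package": "Requests",
     "id": "example-0001", "severity": "CRITICAL"},   # same issue, rated higher
    {"scanner": "npm audit", "ecosystem": "npm", "package": "lodash",
     "id": "EXAMPLE-0002", "severity": "medium"},
    {"scanner": "npm audit", "ecosystem": "npm", "package": "moment",
     "id": "EXAMPLE-0003", "severity": "low"},
]

if __name__ == "__main__":
    merged = aggregate(SAMPLE)
    score, raw, counts = risk_score(merged)
    print(f"{len(SAMPLE) - len(merged)} duplicate removed, raw={raw}, "
          f"score={score}/100, level={risk_level(score)}, counts={dict(counts)}")
```

With the counts from the worked example in section 4 (2 critical, 3 high, 7 medium, 3 low) the raw sum is 160 and the capped score is 100. The "Normalized: 78/100" step that appears in the sample report further down is not defined on the page and is not modelled here.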
## Output Format
### Terminal Output (Tier 1: Concise Summary)
```
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
DEPENDENCY VULNERABILITY SCAN COMPLETE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🎯 Risk Score: 78/100 (HIGH RISK)
📊 Overview
Total Vulnerabilities: 15
Vulnerable Dependencies: 12/187 (6.4%)
Ecosystems: Python, npm, Go
🚨 Vulnerabilities by Severity
🔴 Critical: 2
🟠 High: 3
🟡 Medium: 7
🔵 Low: 3
⚪ Info: 0
📦 By Ecosystem
Python: 5 vulnerabilities
npm: 10 vulnerabilities
Go: 0 vulnerabilities
[WARN] Top 3 Vulnerable Packages
1. requests (Python) - 2 vulnerabilities
2. axios (npm) - 3 vulnerabilities
3. lodash (npm) - 2 vulnerabilities
🔴 Critical Vulnerabilities (2)
1. CVE-2023-12345 - requests 2.25.1
SQL injection vulnerability
Fix: Upgrade to 2.31.0+
2. CVE-2023-67890 - axios 0.21.1
Server-side request forgery
Fix: Upgrade to 1.6.0+
📄 Detailed Report: .data/reports/dependency-scan-2025-01-15.md
⏱️ Scan completed in 8.2s
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
```
### File Report (Tier 2: Comprehensive)
Saved to `.data/reports/dependency-scan-{DATE}.md`:
```markdown
# Dependency Vulnerability Scan Report
**Generated**: 2025-01-15 16:45:23
**Project**: /project
**Risk Score**: 78/100 (HIGH RISK)
---
## Executive Summary
**Total Vulnerabilities**: 15 unique
**Vulnerable Dependencies**: 12 out of 187 total (6.4%)
**Ecosystems Scanned**: Python, npm, Go
**Scan Duration**: 8.2s
**Risk Assessment**: HIGH RISK
- Immediate action required for 2 critical vulnerabilities
- 3 high-severity issues should be addressed soon
- 7 medium-severity issues for next sprint
- 3 low-severity issues can be deferred
---
## Vulnerabilities by Severity
| Severity | Count | Percentage |
|----------|-------|-----------|
| 🔴 Critical | 2 | 13.3% |
| 🟠 High | 3 | 20.0% |
| 🟡 Medium | 7 | 46.7% |
| 🔵 Low | 3 | 20.0% |
| ⚪ Info | 0 | 0.0% |
---
## Vulnerabilities by Ecosystem
### Python (5 vulnerabilities)
- **Critical**: 1
- **High**: 1
- **Medium**: 2
- **Low**: 1
### npm (10 vulnerabilities)
- **Critical**: 1
- **High**: 2
- **Medium**: 5
- **Low**: 2
### Go (0 vulnerabilities)
- No vulnerabilities detected
---
## Top 10 Vulnerable Packages
| Package | Ecosystem | Vulnerabilities | Severity |
|---------|-----------|----------------|----------|
| axios | npm | 3 | 1 Critical, 2 Medium |
| requests | Python | 2 | 1 Critical, 1 High |
| lodash | npm | 2 | 2 Medium |
| urllib3 | Python | 2 | 1 High, 1 Low |
| ws | npm | 1 | 1 High |
| express | npm | 1 | 1 Medium |
| jinja2 | Python | 1 | 1 Medium |
| moment | npm | 1 | 1 Low |
| pyyaml | Python | 1 | 1 Low |
| react-dom | npm | 1 | 1 Medium |
---
## Critical Vulnerabilities (IMMEDIATE ACTION REQUIRED)
### CVE-2023-12345: SQL Injection in requests
**Package**: requests (Python)
**Installed Version**: 2.25.1
**Severity**: 🔴 CRITICAL
**CVSS Score**: 9.8
**Description**:
SQL injection vulnerability in the `requests` library allows remote attackers to execute arbitrary SQL commands via crafted HTTP requests.
**Impact**:
- Database compromise
- Data exfiltration
- Unauthorized access
**CWE**: CWE-89 (SQL Injection)
**Fixed Versions**: 2.31.0, 2.32.0+
**Remediation**:
```bash
# Python (pip); quote the specifier so the shell does not treat ">" as a redirect
pip install --upgrade "requests>=2.31.0"
# Python (poetry)
poetry update requests
```
**References**:
- https://nvd.nist.gov/vuln/detail/CVE-2023-12345
- https://github.com/psf/requests/security/advisories/GHSA-xxxx
---
### CVE-2023-67890: SSRF in axios
**Package**: axios (npm)
**Installed Version**: 0.21.1
**Severity**: 🔴 CRITICAL
**CVSS Score**: 9.1
**Description**:
Server-side request forgery (SSRF) vulnerability allows attackers to make the server perform requests to arbitrary destinations.
**Impact**:
- Internal network scanning
- Access to internal services
- Data exfiltration from internal endpoints
**CWE**: CWE-918 (SSRF)
**Fixed Versions**: 1.6.0+
**Remediation**:
```bash
# npm
npm install axios@latest
# yarn
yarn upgrade axios@latest
```
**References**:
- https://nvd.nist.gov/vuln/detail/CVE-2023-67890
- https://github.com/axios/axios/security/advisories/GHSA-yyyy
---
## High Severity Vulnerabilities
### CVE-2023-11111: XSS in urllib3
**Package**: urllib3 (Python)
**Installed Version**: 1.26.5
**Severity**: 🟠 HIGH
**CVSS Score**: 7.5
**Description**:
Cross-site scripting vulnerability in URL parsing logic.
**Fixed Versions**: 1.26.18+, 2.0.7+
**Remediation**:
```bash
pip install --upgrade "urllib3>=1.26.18"
```
---
### CVE-2023-22222: DoS in ws
**Package**: ws (npm)
**Installed Version**: 7.4.5
**Severity**: 🟠 HIGH
**CVSS Score**: 7.5
**Description**:
Denial of service vulnerability via regular expression DoS in WebSocket implementation.
**Fixed Versions**: 7.5.10+, 8.17.1+
**Remediation**:
```bash
npm install ws@latest
```
---
### CVE-2023-33333: Path Traversal in express
**Package**: express (npm)
**Installed Version**: 4.17.1
**Severity**: 🟠 HIGH
**CVSS Score**: 7.3
**Description**:
Path traversal vulnerability allows access to files outside webroot.
**Fixed Versions**: 4.19.2+
**Remediation**:
```bash
npm install express@latest
```
---
## Medium Severity Vulnerabilities
[... 7 medium-severity vulnerabilities with similar detail ...]
---
## Low Severity Vulnerabilities
[... 3 low-severity vulnerabilities with similar detail ...]
---
## Upgrade Recommendations
### Python
```bash
# Upgrade all vulnerable packages (specifiers quoted so ">" is not a shell redirect)
pip install --upgrade \
  "requests>=2.31.0" \
  "urllib3>=1.26.18" \
  "jinja2>=3.1.3" \
  "pyyaml>=6.0.1"
# Or use requirements file
pip install -r requirements-secure.txt
```
**requirements-secure.txt** (generated):
```
requests>=2.31.0
urllib3>=1.26.18
jinja2>=3.1.3
pyyaml>=6.0.1
```
---
### npm
```bash
# Upgrade all vulnerable packages
npm install \
  axios@latest \
  lodash@latest \
  ws@latest \
  express@latest \
  moment@latest \
  react-dom@latest
# Or auto-fix with npm audit (--force also applies semver-major upgrades, so review the resulting changes)
npm audit fix --force
```
---
## Automated Fix Options
### Safe Auto-Upgrades (Recommended)
These upgrades are backward-compatible (semver minor/patch):
```bash
# Python
pip install --upgrade requests urllib3 pyyaml
# npm
npm audit fix
```
### Manual Review Required
These upgrades may have breaking changes (semver major):
- **axios**: 0.21.1 -> 1.6.0 (major version bump)
  - Review: Breaking changes in request config
  - Test: All HTTP client code
- **express**: 4.17.1 -> 4.19.2 (minor bump, but middleware changes)
  - Review: Middleware compatibility
  - Test: All routes and error handlers
---
## Dependency Health Summary
### Total Dependencies: 187
**By Ecosystem**:
- Python: 45 packages
- npm: 142 packages
- Go: 0 packages
**Security Status**:
- ✅ Secure: 175 packages (93.6%)
- [WARN] Vulnerable: 12 packages (6.4%)
**Freshness**:
- Up-to-date: 120 packages (64.2%)
- Minor updates available: 45 packages (24.1%)
- Major updates available: 22 packages (11.8%)
---
## License Compliance
**Detected Licenses**:
- MIT: 95 packages
- Apache-2.0: 32 packages
- BSD-3-Clause: 18 packages
- ISC: 25 packages
- GPL-3.0: 2 packages [WARN] (Review required)
- Unknown: 15 packages [WARN] (Investigate)
---
## Risk Score Breakdown
```
Component Scores:
- Critical Vulnerabilities (2 × 25): 50 points
- High Vulnerabilities (3 × 15): 45 points
- Medium Vulnerabilities (7 × 8): 56 points
- Low Vulnerabilities (3 × 3): 9 points
--------------------------------------------
Total: 160 points (capped at 100)
Final Risk Score: 100/100 -> Normalized: 78/100
```
**Risk Level**: 🔴 HIGH RISK
**Mitigation**:
1. Fix 2 critical vulnerabilities immediately
2. Fix 3 high vulnerabilities within 48 hours
3. Schedule medium vulnerabilities for next sprint
4. Low vulnerabilities can be deferred
**Estimated Time to Secure**:
- Critical fixes: 2-4 hours
- High fixes: 4-6 hours
- Testing: 8-12 hours
- **Total**: 1-2 days
---
## Action Plan
### Phase 1: Emergency Fixes (Today)
1. Upgrade `requests` to 2.31.0+ (30 min)
2. Upgrade `axios` to 1.6.0+ (45 min + testing)
3. Run test suite (30 min)
4. Deploy hotfix (30 min)
**Total**: 2-3 hours
### Phase 2: High Priority (This Week)
1. Upgrade `urllib3`, `ws`, `express` (2 hours)
2. Run comprehensive tests (4 hours)
3. QA validation (2 hours)
4. Deploy to production (1 hour)
**Total**: 9 hours
### Phase 3: Medium Priority (Next Sprint)
1. Upgrade remaining 7 packages (3 hours)
2. Testing (4 hours)
3. Documentation updates (1 hour)
**Total**: 8 hours
---
## Continuous Monitoring
**Recommendations**:
1. **CI/CD Integration**: Add dependency scanning to pipeline
2. **Weekly Scans**: Schedule automated vulnerability scans
3. **Dependency Updates**: Review updates monthly
4. **Security Alerts**: Subscribe to security advisories
**GitHub Actions Example**:
```yaml
name: Dependency Scan
on:
  schedule:
    - cron: '0 0 * * 0' # Weekly
  pull_request:
    branches: [main]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Scan Dependencies
        run: /analyze:dependencies --format=sarif --output=results.sarif
      - name: Upload Results
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
```
---
## Next Steps
1. **Review this report** with development team
2. [WARN] **Create tickets** for each critical/high vulnerability
3. [WARN] **Schedule fixes** according to action plan
4. [WARN] **Set up CI/CD** scanning for future PRs
5. [WARN] **Subscribe** to security advisories for critical packages
---
**End of Report**
```
## Advanced Features
### Critical-Only Mode
```bash
/analyze:dependencies --critical-only
```
Shows only critical vulnerabilities for rapid triage.
### With Fix Recommendations
```bash
/analyze:dependencies --with-fixes
```
Includes detailed upgrade commands and compatibility notes.
### JSON Output for CI/CD
```bash
/analyze:dependencies --format=json --output=scan-results.json
```
Machine-readable format for automation.
### SARIF Output
```bash
/analyze:dependencies --format=sarif
```
Standard format for security tools integration.
## Integration with Learning System
The dependency scanner integrates with pattern learning:
```python
# After each scan
learning_engine.store_pattern({
    "task_type": "dependency_scan",
    "context": {
        "ecosystems": ["python", "npm"],
        "total_dependencies": 187,
        "vulnerable_count": 12
    },
    "outcome": {
        "risk_score": 78,
        "critical_count": 2,
        "high_count": 3
    },
    "trends": {
        "risk_score_delta": -5,  # Improved from last scan
        "new_vulnerabilities": 3,
        "fixed_vulnerabilities": 8
    }
})
```
## Performance Expectations
| Ecosystem | Dependencies | Scan Time |
|-----------|-------------|-----------|
| Python | <50 | 5-15s |
| Python | 50-200 | 15-45s |
| npm | <100 | 10-30s |
| npm | 100-500 | 30-90s |
| Go | <50 | 5-10s |
| Rust | <50 | 10-20s |
| Multi | Mixed | 30-120s |
## Best Practices
1. **Scan Before Deploy**: Always scan before production deployment
2. **Fix Critical First**: Prioritize by severity and exploitability
3. **Test After Upgrade**: Run full test suite after security updates
4. **Monitor Trends**: Track risk score over time
5. **Automate Scanning**: Integrate into CI/CD pipeline
6. **Stay Updated**: Review security advisories weekly
7. **Document Decisions**: Record why certain vulnerabilities are accepted
---
This command provides comprehensive dependency vulnerability scanning with minimal setup and maximum actionable insight.