From 3bc832a4cfaab810f8ab4447c8e436f7c6cfbc41 Mon Sep 17 00:00:00 2001
From: Zhongwei Li
Date: Sun, 30 Nov 2025 08:22:07 +0800
Subject: [PATCH] Initial commit
---
 .claude-plugin/plugin.json | 15 ++
 README.md | 3 +
 commands/check-deps.md | 51 +++++++
 plugin.lock.json | 65 +++++++++
 skills/dependency-checker/SKILL.md | 54 +++++++
 skills/dependency-checker/assets/README.md | 7 +
 .../assets/report_template.md | 137 ++++++++++++++++++
 .../dependency-checker/references/README.md | 8 +
 skills/dependency-checker/scripts/README.md | 7 +
 9 files changed, 347 insertions(+)
 create mode 100644 .claude-plugin/plugin.json
 create mode 100644 README.md
 create mode 100644 commands/check-deps.md
 create mode 100644 plugin.lock.json
 create mode 100644 skills/dependency-checker/SKILL.md
 create mode 100644 skills/dependency-checker/assets/README.md
 create mode 100644 skills/dependency-checker/assets/report_template.md
 create mode 100644 skills/dependency-checker/references/README.md
 create mode 100644 skills/dependency-checker/scripts/README.md
diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json
new file mode 100644
index 0000000..b3361e2
--- /dev/null
+++ b/.claude-plugin/plugin.json
@@ -0,0 +1,15 @@
+{
+ "name": "dependency-checker",
+ "description": "Check dependencies for known vulnerabilities, outdated packages, and license compliance",
+ "version": "1.0.0",
+ "author": {
+ "name": "Jeremy Longshore",
+ "email": "[email protected]"
+ },
+ "skills": [
+ "./skills"
+ ],
+ "commands": [
+ "./commands"
+ ]
+}
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..30040cc
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# dependency-checker
+
+Check dependencies for known vulnerabilities, outdated packages, and license compliance
diff --git a/commands/check-deps.md b/commands/check-deps.md
new file mode 100644
index 0000000..145c7df
--- /dev/null
+++ b/commands/check-deps.md
@@ -0,0 +1,51 @@
+---
+description: Check dependencies for vulnerabilities and outdated packages
+shortcut: depcheck
+---
+
+# Dependency Checker
+
+Analyze project dependencies for known vulnerabilities, outdated packages, and license compliance issues.
+
+## Analysis Process
+
+1. **Detect Package Manager**
+ - Identify package.json (npm/yarn/pnpm)
+ - Identify requirements.txt/Pipfile (pip)
+ - Identify composer.json (PHP)
+ - Identify Gemfile (Ruby)
+ - Identify go.mod (Go)
+
+2. **Vulnerability Scanning**
+ - Check against CVE databases
+ - Identify known security advisories
+ - Report CVSS scores
+ - Check transitive dependencies
+
+3. **Version Analysis**
+ - Identify outdated packages
+ - Check for available security patches
+ - Report breaking vs. non-breaking updates
+ - Suggest safe upgrade paths
+
+4. **License Compliance**
+ - Scan dependency licenses
+ - Flag incompatible licenses
+ - Report license obligations
+
+## Report Output
+
+Generate comprehensive dependency report with:
+- Vulnerable packages with CVE details
+- Outdated packages with available versions
+- License compliance issues
+- Recommended updates with impact analysis
+- Upgrade commands for each package manager
+
+## Best Practices
+
+- Run before every deployment
+- Update dependencies regularly
+- Review transitive dependencies
+- Use lock files (package-lock.json, Pipfile.lock)
+- Test after updating dependencies
diff --git a/plugin.lock.json b/plugin.lock.json
new file mode 100644
index 0000000..6e0bb55
--- /dev/null
+++ b/plugin.lock.json
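Review bot: The Vulnerability Scanning step (`- Check against CVE databases`, `- Report CVSS scores`) names no tool or data source, and this commit ships no script behind it (the diffstat lists only README placeholders under scripts/), so the assistant is left either to run whatever command it picks or to produce CVE IDs and CVSS values from memory, which is how fabricated advisories end up in reports. I would pin the step to the ecosystem auditors and require provenance, e.g. `- Run the ecosystem auditor (npm audit, pip-audit, govulncheck ./..., bundler-audit, composer audit) against the lock file, preferring no-install modes such as npm audit --package-lock-only; never run install steps as part of a scan` and `- Report only CVE/GHSA IDs and CVSS values taken from tool output or an advisory lookup; label anything else as unverified`. Since Best Practices already says to use lock files, the Detect step should also prefer the lock file over the manifest so transitive dependencies are the ones actually deployed rather than a fresh resolution.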
@@ -0,0 +1,65 @@ +{ + "$schema": "internal://schemas/plugin.lock.v1.json", + "pluginId": "gh:jeremylongshore/claude-code-plugins-plus:plugins/security/dependency-checker", + "normalized": { + "repo": null, + "ref": "refs/tags/v20251128.0", + "commit": "bdb4e78aa805b3b297f11674eeec08b30ed02aea", + "treeHash": "63934f5758b783780427fc2b6c732685e79b50a88755c8a3d95cb19fa34624ba", + "generatedAt": "2025-11-28T10:18:23.114639Z", + "toolVersion": "publish_plugins.py@0.2.0" + }, + "origin": { + "remote": "git@github.com:zhongweili/42plugin-data.git", + "branch": "master", + "commit": "aa1497ed0949fd50e99e70d6324a29c5b34f9390", + "repoRoot": "/Users/zhongweili/projects/openmind/42plugin-data" + }, + "manifest": { + "name": "dependency-checker", + "description": "Check dependencies for known vulnerabilities, outdated packages, and license compliance", + "version": "1.0.0" + }, + "content": { + "files": [ + { + "path": "README.md", + "sha256": "cd8c6ada5787013aaa3c91f7a8a607d5b9b373d4b78862b818d43c5b5af424eb" + }, + { + "path": ".claude-plugin/plugin.json", + "sha256": "50363b20ea7da1faef7a0e3cfe3c46a0af396804780d1d6eb94d41431c71d13b" + }, + { + "path": "commands/check-deps.md", + "sha256": "a81df86ff295a5293e0e7eb44c8be1a1228eaf1704793fab7e499084813754d2" + }, + { + "path": "skills/dependency-checker/SKILL.md", + "sha256": "6afe10ee2439ac426fd9ad529ccf804cf74bf85c3c2ab255f117b886f2320b18" + }, + { + "path": "skills/dependency-checker/references/README.md", + "sha256": "0921ee1a1d7f2c519d1b947e6ab4c87b95da9b3ee728f0c213d05f7a1a63a09c" + }, + { + "path": "skills/dependency-checker/scripts/README.md", + "sha256": "b44bdaa79ba29a77ce6f83863efe108a34be7a9ee5ed6bd7ba8d3d83313f77ad" + }, + { + "path": "skills/dependency-checker/assets/report_template.md", + "sha256": "bd3b022e69952a5eb648d6da96851fc164b77d8f583d21cd04038a9e741833d1" + }, + { + "path": "skills/dependency-checker/assets/README.md", + "sha256": "5b084b6ad8496e67826e7c2fbfef85904272b4236e0a8b8642faea4e5712e501" + } + ], 
+ "dirSha256": "63934f5758b783780427fc2b6c732685e79b50a88755c8a3d95cb19fa34624ba" + }, + "security": { + "scannedAt": null, + "scannerVersion": null, + "flags": [] + } +} \ No newline at end of file diff --git a/skills/dependency-checker/SKILL.md b/skills/dependency-checker/SKILL.md new file mode 100644 index 0000000..11d49b3 --- /dev/null +++ b/skills/dependency-checker/SKILL.md 
@@ -0,0 +1,54 @@
+---
+name: analyzing-dependencies
+description: |
+ This skill analyzes project dependencies for security vulnerabilities, outdated packages, and license compliance issues. It helps identify potential risks in your project's dependencies using the dependency-checker plugin. Use this skill when you need to check dependencies for vulnerabilities, identify outdated packages that need updates, or ensure license compatibility. Trigger phrases include "check dependencies", "dependency check", "find vulnerabilities", "scan for outdated packages", "/depcheck", and "license compliance". This skill supports npm, pip, composer, gem, and go modules projects.
+allowed-tools: Read, Write, Edit, Grep, Glob, Bash
+version: 1.0.0
+---
+
+## Overview
+
+This skill empowers Claude to automatically analyze your project's dependencies for security vulnerabilities, outdated packages, and license compliance issues. It uses the dependency-checker plugin to identify potential risks and provides insights for remediation.
+
+## How It Works
+
+1. **Detecting Package Manager**: The skill identifies the relevant package manager (npm, pip, composer, gem, go modules) based on the presence of manifest files (e.g., package.json, requirements.txt, composer.json).
+2. **Scanning Dependencies**: The skill utilizes the dependency-checker plugin to scan the identified dependencies against known vulnerability databases (CVEs), outdated package lists, and license information.
+3. **Generating Report**: The skill presents a comprehensive report summarizing the findings, including vulnerability summaries, detailed vulnerability information, outdated packages with recommended updates, and license compliance issues.
+
+## When to Use This Skill
+
+This skill activates when you need to:
+- Check a project for known security vulnerabilities in its dependencies.
+- Identify outdated packages that may contain security flaws or performance issues.
+- Ensure that the project's dependencies comply with licensing requirements.
+
+## Examples
+
+### Example 1: Identifying Vulnerabilities Before Deployment
+
+User request: "Check dependencies for vulnerabilities before deploying to production."
+
+The skill will:
+1. Detect the relevant package manager (e.g., npm).
+2. Scan the project's dependencies for known vulnerabilities using the dependency-checker plugin.
+3. Generate a report highlighting any identified vulnerabilities, their severity, and recommended fixes.
+
+### Example 2: Updating Outdated Packages
+
+User request: "Scan for outdated packages and suggest updates."
+
+The skill will:
+1. Detect the relevant package manager (e.g., pip).
+2. Scan the project's dependencies for outdated packages.
+3. Generate a report listing the outdated packages and their available updates, including major, minor, and patch releases.
+
+## Best Practices
+
+- **Regular Scanning**: Schedule dependency checks regularly (e.g., weekly or monthly) to stay informed about new vulnerabilities and updates.
+- **Pre-Deployment Checks**: Always run a dependency check before deploying any code to production to prevent introducing vulnerable dependencies.
+- **Review and Remediation**: Carefully review the generated reports and take appropriate action to remediate identified vulnerabilities and update outdated packages.
+
+## Integration
+
+This skill seamlessly integrates with other Claude Code tools, allowing you to use the identified vulnerabilities to guide further actions, such as automatically creating pull requests to update dependencies or generating security reports for compliance purposes.
\ No newline at end of file
diff --git a/skills/dependency-checker/assets/README.md b/skills/dependency-checker/assets/README.md
new file mode 100644
index 0000000..c03c36a
--- /dev/null
+++ b/skills/dependency-checker/assets/README.md
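Review bot: The frontmatter `allowed-tools: Read, Write, Edit, Grep, Glob, Bash` grants write and shell access for what the rest of SKILL.md describes as read-only analysis, and the `## Integration` paragraph widens it further by suggesting the skill may automatically create pull requests that update dependencies. For least privilege I would drop the write tools (`allowed-tools: Read, Grep, Glob, Bash`), state in `## How It Works` that the skill does not modify manifests or lock files, and leave upgrades to an explicit user step. Bash is still required to run the auditors, so step 2 (`**Scanning Dependencies**`) should name the commands and say they must not install or execute code from the repository under review, since that repository is untrusted input and `scripts/` currently contains only a README placeholder rather than the `dependency_check.sh` it promises. The `name: analyzing-dependencies` field also does not match the `dependency-checker` plugin name in plugin.json; aligning them keeps `/depcheck`, the skill and the plugin referring to one thing.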
@@ -0,0 +1,7 @@
+# Assets
+
+Bundled resources for dependency-checker skill
+
+- [ ] report_template.md: A template for generating dependency check reports.
+- [ ] example_npm_audit_report.json: An example npm audit report for demonstration purposes.
+- [ ] example_pip_audit_report.json: An example pip audit report for demonstration purposes.
diff --git a/skills/dependency-checker/assets/report_template.md b/skills/dependency-checker/assets/report_template.md
new file mode 100644
index 0000000..e61e310
--- /dev/null
+++ b/skills/dependency-checker/assets/report_template.md
@@ -0,0 +1,137 @@
+# Dependency Check Report
+
+**Project Name:** [Enter Project Name Here]
+
+**Report Date:** [Enter Date Here - e.g., 2024-01-27]
+
+**Report Version:** [Enter Report Version, if applicable - e.g., 1.0]
+
+**Prepared By:** [Enter Your Name/Team Here]
+
+## 1. Executive Summary
+
+[Provide a brief overview of the dependency check results. Highlight key findings, such as the number of vulnerabilities found, outdated packages, and license compliance issues. For example: "This report summarizes the results of a dependency check performed on the 'Project Name' project. We identified X high-severity vulnerabilities, Y outdated packages, and Z potential license compliance issues. Immediate action is recommended to address the identified vulnerabilities."]
+
+## 2. Project Details
+
+* **Project Repository:** [Enter Project Repository URL Here - e.g., `https://github.com/example/project`]
+* **Package Manager(s) Used:** [List Package Managers - e.g., npm, pip, composer]
+* **Scan Target(s):** [Specify which files/directories were scanned - e.g., `package.json`, `requirements.txt`, entire project directory]
+* **Dependency Checker Tool Used:** [Specify the tool used to perform the dependency check - e.g., `npm audit`, `pip-audit`, `dependency-check`]
+* **Tool Version:** [Enter the version of the dependency checker tool used - e.g., 8.19.3]
+
+## 3. Vulnerability Analysis
+
+### 3.1. Vulnerability Summary
+
+| Severity | Number of Vulnerabilities | Description
+| Critical | [Enter Number] | [Provide a brief description of the general impact of critical vulnerabilities. For example: "Critical vulnerabilities can potentially lead to remote code execution and complete system compromise."]
+
+### 3.2. Detailed Vulnerability Reports
+
+[For each vulnerability found, provide the following details in a table or list format:]
+
+* **Vulnerability ID (e.g., CVE-2023-1234):** [Enter CVE or other vulnerability identifier]
+* **Package Name:** [Enter the name of the vulnerable package]
+* **Vulnerable Version(s):** [Specify the version(s) of the package affected]
+* **Severity:** [Critical, High, Medium, Low]
+* **Description:** [Provide a brief description of the vulnerability]
+* **CVSS Score:** [Enter the CVSS score if available]
+* **CVSS Vector:** [Enter the CVSS vector string if available]
+* **Affected Component:** [Specify the affected component or function]
+* **Remediation:** [Provide specific instructions on how to fix the vulnerability. This might include upgrading to a specific version, applying a patch, or removing the dependency. Example: "Upgrade to version 2.0.1 or later. This version contains a fix for the reported vulnerability."]
+* **References:** [Include links to relevant resources, such as the CVE entry, security advisories, or blog posts. e.g., `https://nvd.nist.gov/vuln/detail/CVE-2023-1234`]
+
+**Example:**
+
+| Vulnerability ID | Package Name | Vulnerable Version(s) | Severity | Description | CVSS Score | Remediation | References |
+|------------------|--------------|-------------------------|----------|-------------------------------------------------------------------|------------|----------------------------------------------------------------------|-------------------------------------------------------------------------------|
+| CVE-2023-5678 | lodash | < 4.17.21 | High | Prototype pollution vulnerability in `_.set` function. | 7.5 | Upgrade to lodash version 4.17.21 or later. | [https://nvd.nist.gov/vuln/detail/CVE-2023-5678](https://nvd.nist.gov/vuln/detail/CVE-2023-5678) |
+| CVE-2023-9012 | requests | 2.20.0 - 2.28.1 | Medium | Potential denial of service due to header parsing. | 5.3 | Upgrade to requests version 2.28.2 or later. | [https://nvd.nist.gov/vuln/detail/CVE-2023-9012](https://nvd.nist.gov/vuln/detail/CVE-2023-9012) |
+
+[Add more vulnerability details as needed, following the above format.]
+
+## 4. Outdated Package Analysis
+
+### 4.1. Outdated Package Summary
+
+[Provide a summary of the number of outdated packages found.]
+
+* **Total Number of Outdated Packages:** [Enter Number]
+* **Packages with Major Version Updates:** [Enter Number]
+* **Packages with Minor Version Updates:** [Enter Number]
+* **Packages with Patch Version Updates:** [Enter Number]
+
+### 4.2. Detailed Outdated Package Reports
+
+[For each outdated package, provide the following details in a table or list format:]
+
+* **Package Name:** [Enter the name of the outdated package]
+* **Current Version:** [Enter the currently installed version]
+* **Latest Version:** [Enter the latest available version]
+* **Update Type:** [Major, Minor, Patch]
+* **Reason for Update:** [Provide a brief explanation of why the package should be updated. This might include bug fixes, performance improvements, or new features. Example: "Security fixes, performance improvements, and new features."]
+* **Potential Impact:** [Describe the potential impact of not updating the package. Example: "Missing out on security fixes, potential performance bottlenecks, and lack of access to new features."]
+
+**Example:**
+
+| Package Name | Current Version | Latest Version | Update Type | Reason for Update | Potential Impact |
+|--------------|-----------------|----------------|-------------|-------------------------------------------------|-----------------------------------------------------------------------------|
+| axios | 0.27.2 | 1.6.0 | Major | New features, performance improvements, bug fixes | Missing out on significant performance improvements and new API features. |
+| moment | 2.29.3 | 2.29.4 | Patch | Security fixes and bug fixes | Potential security vulnerabilities and minor bugs. |
+
+[Add more outdated package details as needed, following the above format.]
+
+## 5. License Compliance Analysis
+
+### 5.1. License Summary
+
+[Provide a summary of the licenses used by the project's dependencies. Mention any potentially problematic licenses.]
+
+* **Total Number of Unique Licenses Found:** [Enter Number]
+* **List of Licenses Used:** [List the licenses, e.g., MIT, Apache-2.0, GPL-3.0]
+* **Potentially Problematic Licenses:** [List any licenses that might require special attention, such as GPL or AGPL. Explain why they are potentially problematic. Example: "GPL-3.0 - This license requires that any derivative works also be licensed under GPL-3.0, which may not be compatible with the project's licensing goals."]
+
+### 5.2. Detailed License Reports
+
+[For each dependency, provide the following details in a table or list format:]
+
+* **Package Name:** [Enter the name of the package]
+* **License:** [Enter the license used by the package]
+* **License URL:** [Provide a link to the license text or SPDX identifier. e.g., `https://opensource.org/licenses/MIT`]
+* **License Risk:** [Assess the risk associated with the license. This might include compatibility issues, restrictions on commercial use, or requirements for attribution. Example: "Low - MIT is a permissive license with minimal restrictions."]
+* **Notes:** [Add any relevant notes about the license or its usage. Example: "Ensure proper attribution is provided as required by the MIT license."]
+
+**Example:**
+
+| Package Name | License | License URL | License Risk | Notes |
+|--------------|-------------|-------------------------------------------|--------------|------------------------------------------------------------------------------------------------------|
+| lodash | MIT | https://opensource.org/licenses/MIT | Low | Ensure proper attribution is provided as required by the MIT license. |
+| react | MIT | https://opensource.org/licenses/MIT | Low | Ensure proper attribution is provided as required by the MIT license. |
+| express | MIT | https://opensource.org/licenses/MIT | Low | Ensure proper attribution is provided as required by the MIT license. |
+| marked | MIT | https://opensource.org/licenses/MIT | Low | Ensure proper attribution is provided as required by the MIT license. |
+| moment | MIT | https://opensource.org/licenses/MIT | Low | Ensure proper attribution is provided as required by the MIT license. |
+
+[Add more license details as needed, following the above format.]
+
+## 6. Recommendations
+
+[Provide specific recommendations based on the findings of the dependency check. This might include:]
+
+* **Prioritized Action Items:** [List the most critical issues that need to be addressed first, such as high-severity vulnerabilities.]
+* **Upgrade Strategies:** [Suggest upgrade strategies for outdated packages, such as upgrading to the latest stable version or using a dependency management tool to automate updates.]
+* **License Compliance Best Practices:** [Provide recommendations for ensuring license compliance, such as reviewing license agreements and providing proper attribution.]
+* **Continuous Monitoring:** [Emphasize the importance of continuous dependency monitoring to detect and address new vulnerabilities and license compliance issues.]
+* **Further Investigation:** [Highlight areas that require further investigation, such as dependencies with unknown licenses or vulnerabilities with unclear remediation steps.]
+
+**Example:**
+
+* Address the high-severity vulnerabilities identified in the Vulnerability Analysis section immediately.
+* Upgrade all outdated packages to the latest stable versions to benefit from bug fixes, performance improvements, and new features.
+* Review the license agreements for all dependencies, especially those with potentially problematic licenses, to ensure compliance.
+* Implement a continuous dependency monitoring system to automatically detect and alert on new vulnerabilities and license compliance issues.
+* Investigate dependencies with unknown licenses to determine their licensing terms and ensure compliance.
+
+## 7. Conclusion
+
+[Summarize the key findings and recommendations of the report. Reiterate the importance of addressing the identified issues to improve the security and maintainability of the project. For example: "This report highlights several important issues related to the security, maintainability, and license compliance of the 'Project Name' project. By addressing the identified vulnerabilities, outdated packages, and license compliance issues, the project team can significantly improve the overall quality and security of the project. Continuous monitoring and proactive dependency management are essential for maintaining a healthy and secure codebase."]
\ No newline at end of file
diff --git a/skills/dependency-checker/references/README.md b/skills/dependency-checker/references/README.md
new file mode 100644
index 0000000..c05ec89
--- /dev/null
+++ b/skills/dependency-checker/references/README.md
@@ -0,0 +1,8 @@
+# References
+
+Bundled resources for dependency-checker skill
+
+- [ ] npm_audit_format.md: Documentation on the format of npm audit reports.
+- [ ] pip_audit_format.md: Documentation on the format of pip audit reports.
+- [ ] license_compatibility_matrix.md: A matrix detailing license compatibility between common open-source licenses.
+- [ ] dependency_checker_best_practices.md: A guide to best practices for dependency management and security.
diff --git a/skills/dependency-checker/scripts/README.md b/skills/dependency-checker/scripts/README.md
new file mode 100644
index 0000000..6ddfe2e
--- /dev/null
+++ b/skills/dependency-checker/scripts/README.md
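Review bot: The example rows under section 3.2 present `CVE-2023-5678` and `CVE-2023-9012` as the lodash and requests advisories, but those IDs do not appear to correspond to the issues described (CVE-2023-5678 is, as far as I can tell, assigned to an unrelated OpenSSL entry), and a template example that looks real is the kind that gets copied into a real report unchanged. Use obviously synthetic placeholders such as `CVE-YYYY-NNNNN` / `GHSA-xxxx-xxxx-xxxx` and add a bracketed note that every ID, version range and CVSS value must be taken from scanner output or NVD, consistent with the `[Enter CVE or other vulnerability identifier]` bullet above the table. Separately, the 3.1 summary table as written has no header separator row (`|----------|---------------------------|-------------|`) and only a `Critical` row, although the Severity field in 3.2 is `[Critical, High, Medium, Low]`, so it will not render as a table and under-reports by construction; add the separator and one row per severity.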
@@ -0,0 +1,7 @@
+# Scripts
+
+Bundled resources for dependency-checker skill
+
+- [ ] dependency_check.sh: A shell script to execute dependency checks using various package managers.
+- [ ] vulnerability_report_parser.py: A Python script to parse vulnerability reports and format them for Claude.
+- [ ] license_compliance_checker.py: A Python script to check license compatibility of dependencies.