cve-audit

📁 mearman/marketplace 📅 2 days ago
Total installs: 1
Weekly installs: 1
Site rank: #46297

Install command
npx skills add https://github.com/mearman/marketplace --skill cve-audit

Agent install distribution

amp 1
opencode 1
kimi-cli 1
codex 1
claude-code 1

Skill documentation

CVE Dependency Audit

Automatically scan your project’s dependencies and identify known Common Vulnerabilities and Exposures (CVEs). Supports Node.js, Python, Ruby, Go, and Maven projects.

Quick Start

# Scan current directory
npx tsx scripts/audit.ts

# Scan specific directory
npx tsx scripts/audit.ts /path/to/project

# Only show critical vulnerabilities
npx tsx scripts/audit.ts --severity critical

# Get fresh data (bypass cache)
npx tsx scripts/audit.ts --no-cache

# Output as JSON
npx tsx scripts/audit.ts --json

Run from the cve-search plugin directory: ~/.claude/plugins/cache/cve-search/

Usage

npx tsx scripts/audit.ts [directory] [options]

Options

Option | Description
[directory] | Directory to scan (default: current directory)
--severity <level> | Filter by severity: critical, high, medium, low
--no-cache | Bypass cache and fetch fresh data
--json | Output results as JSON
--help | Show help message

Supported Package Managers

The skill automatically detects and parses dependency files from multiple ecosystems:

Node.js / npm

  • File: package.json
  • Detects: dependencies, devDependencies, peerDependencies
  • Example: "express": "^4.18.0"

Python / pip

  • File: requirements.txt
  • Detects: Pinned versions and ranges
  • Example: django==3.2.10 or requests>=2.25.0

Ruby / Bundler

  • File: Gemfile
  • Detects: Gem dependencies with versions
  • Example: gem 'rails', '~> 6.1.0'

Go / Go Modules

  • File: go.mod
  • Detects: Direct and indirect dependencies
  • Example: require github.com/user/repo v1.2.3

Java / Maven

  • File: pom.xml
  • Detects: Project and transitive dependencies
  • Example: <artifactId>log4j-core</artifactId>

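The parsing step for two of the file types above, as an added example that is not the skill's own code: it turns package.json and requirements.txt into the {name, version, source} shape of the JSON output, reducing every range to its lower bound, which is the same simple version matching the Limitations section warns about (the lock file, not the range, says what is actually installed). The sample inputs are constructed.

```typescript
// Added example, not the skill's own code. Ranges are reduced to their lower
// bound ("^4.18.0" -> "4.18.0"); "spec" keeps the original specifier for the report.
export interface Dependency { name: string; version: string; source: "npm" | "pip"; spec: string }

// Keep the concrete version a range specifier is anchored on ("" if it has none).
export function lowerBound(spec: string): string {
  const m = spec.trim().match(/^(?:\^|~=|~|>=|===|==|>)?\s*v?(\d+(?:\.\d+)*(?:[-+][0-9A-Za-z.]+)?)/);
  return m ? m[1] : "";   // "*", "latest", "<2", git URLs: no usable lower bound
}

export function parsePackageJson(text: string): Dependency[] {
  const pkg = JSON.parse(text) as Record<string, Record<string, string> | undefined>;
  const out: Dependency[] = [];
  for (const section of ["dependencies", "devDependencies", "peerDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] ?? ({} as Record<string, string>))) {
      out.push({ name, version: lowerBound(spec), source: "npm", spec });
    }
  }
  return out;
}

export function parseRequirements(text: string): Dependency[] {
  const out: Dependency[] = [];
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*/, "").trim();     // strip comments
    if (!line || line.startsWith("-")) continue;     // skip blanks, "-r other.txt", "-e ."
    // name[extras] operator version; anything after "," or ";" (extra constraints, markers) is ignored
    const m = line.match(/^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==|>=|~=|>|!=|<=|<)?\s*([^,;\s]*)/);
    if (!m) continue;
    const spec = m[2] ? `${m[2]}${m[3]}` : "";
    out.push({ name: m[1].toLowerCase(), version: lowerBound(spec), source: "pip", spec });
  }
  return out;
}

// Constructed sample inputs, modelled on the examples in the sections above.
export const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { express: "^4.18.0" },
  devDependencies: { typescript: "~5.4.0" },
  peerDependencies: { react: ">=18" },
});
export const SAMPLE_REQUIREMENTS = `# constructed
django==3.2.10
requests>=2.25.0  # comment
-r base.txt
Flask-Login[extra] ~= 0.6.0
`;
```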
How It Works

  1. Discovery: Scans for supported dependency files in the directory
  2. Parsing: Extracts package names and versions from each file
  3. Searching: Queries CVE database for each dependency
  4. Filtering: Identifies which vulnerabilities affect installed versions
  5. Reporting: Displays results sorted by severity

Output Format

Standard Output

🔍 Scanning for dependencies in /home/user/myproject...

Found dependency files: package.json, requirements.txt

Scanning 45 dependencies for CVEs...

📊 Audit Results

Total vulnerabilities found: 8
  🔴 Critical: 1 | 🟠 High: 2 | 🟡 Medium: 4 | 🔵 Low: 1

Showing 3 critical/high vulnerabilities:

📦 express@4.18.0 - 2 vulnerability(ies)

  🔴 CVE-2024-1234
     Score: 9.2 | Buffer overflow in request parsing

  🟠 CVE-2024-5678
     Score: 7.1 | Path traversal in static file handling

─────────────────────────────────────────────────────────────

🐍 django@3.2.10 - 1 vulnerability(ies)

  🟠 CVE-2024-9999
     Score: 7.5 | SQL injection in ORM query handling

─────────────────────────────────────────────────────────────

⚠️  Recommendations:
  1. Update dependencies to patched versions
  2. Review CVE details at https://cve.mitre.org/
  3. Use --no-cache for latest vulnerability data

JSON Output

npx tsx scripts/audit.ts --json

Returns structured data:

{
  "dependencies": [
    {
      "name": "express",
      "version": "4.18.0",
      "source": "npm",
      "file": "/path/to/package.json"
    }
  ],
  "vulnerabilities": [
    {
      "cveId": "CVE-2024-1234",
      "dependency": { "name": "express", "version": "4.18.0", ... },
      "severity": "CRITICAL",
      "score": 9.2,
      "summary": "Buffer overflow in request parsing",
      "affectsVersion": true
    }
  ],
  "summary": {
    "total": 8,
    "critical": 1,
    "high": 2,
    "medium": 4,
    "low": 1
  }
}

Use Cases

Security Audit Before Deployment

Verify your production dependencies are safe:

npx tsx scripts/audit.ts /app/backend --severity critical

Dependency Health Check

Regular checks to catch newly discovered vulnerabilities:

npx tsx scripts/audit.ts . --no-cache

Generate Compliance Reports

Export vulnerability data for security reviews:

npx tsx scripts/audit.ts . --json > vulnerability-report.json

Focus on Critical Issues

Alert on only the most severe vulnerabilities:

npx tsx scripts/audit.ts . --severity critical --json

Multi-Project Assessment

Audit multiple projects in a monorepo:

npx tsx scripts/audit.ts services/auth
npx tsx scripts/audit.ts services/api
npx tsx scripts/audit.ts services/web

Severity Levels

Level | CVSS Range | Icon | Meaning
CRITICAL | 9.0-10.0 | 🔴 | Immediate patching required
HIGH | 7.0-8.9 | 🟠 | Schedule patching soon
MEDIUM | 4.0-6.9 | 🟡 | Monitor and plan updates
LOW | 0.1-3.9 | 🔵 | Low risk, update when convenient
UNKNOWN | N/A | ⚪ | Unable to determine severity

Caching

Results are cached for 24 hours by default. CVE information doesn’t change frequently, so caching improves performance.

Use --no-cache when:

  • Running scheduled security audits
  • Vulnerabilities disclosed since the last scan might otherwise be missed because the cache still holds the earlier result
  • Doing a fresh security assessment
  • Setting up CI/CD pipelines

Exit Codes

Code | Meaning
0 | Success (no vulnerabilities found, or none remaining after --severity filtering)
1 | Vulnerabilities found, or an error occurred (the exit code alone does not distinguish the two, so CI jobs should also check the output)
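The filtering and reporting steps from How It Works, the Severity Levels table, the "summary" block of the JSON output and the Exit Codes table, carried through as one added example (not the skill's own code). It assumes, as the Python example below shows, that --severity <level> keeps that level and everything above it; the findings and CVE ids are constructed placeholders.

```typescript
// Added example, not the skill's own code.
export type Severity = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "UNKNOWN";
const ORDER: Severity[] = ["LOW", "MEDIUM", "HIGH", "CRITICAL"];   // ascending

export interface Vulnerability { cveId: string; score?: number; severity: Severity; affectsVersion: boolean }

// CVSS score -> level, per the Severity Levels table; a missing or out-of-range score is UNKNOWN.
export function severityFromScore(score?: number): Severity {
  if (score === undefined || Number.isNaN(score) || score < 0.1 || score > 10) return "UNKNOWN";
  if (score >= 9.0) return "CRITICAL";
  if (score >= 7.0) return "HIGH";
  if (score >= 4.0) return "MEDIUM";
  return "LOW";
}

// Keep findings at or above the requested level that actually hit the installed version.
// UNKNOWN is kept only when no filter is given, so an unscored CVE is never silently hidden.
export function filterBySeverity(vulns: Vulnerability[], min?: string): Vulnerability[] {
  const floor = min ? ORDER.indexOf(min.toUpperCase() as Severity) : -1;
  if (min && floor < 0) throw new Error(`unknown severity level: ${min}`);
  return vulns.filter(v => v.affectsVersion && (floor < 0 || ORDER.indexOf(v.severity) >= floor));
}

// The "summary" block of the JSON output, plus an "unknown" bucket so nothing is dropped.
export function summarize(vulns: Vulnerability[]) {
  const s = { total: vulns.length, critical: 0, high: 0, medium: 0, low: 0, unknown: 0 };
  for (const v of vulns) s[v.severity.toLowerCase() as keyof typeof s]++;
  return s;
}

// 0 when nothing remains after filtering, 1 otherwise (the Exit Codes table).
export function exitCode(filtered: Vulnerability[]): number { return filtered.length === 0 ? 0 : 1; }

// Constructed findings; the CVE ids are placeholders, not real advisories.
export const SAMPLE: Vulnerability[] = [
  { cveId: "CVE-0000-0001", score: 9.2, severity: severityFromScore(9.2), affectsVersion: true },
  { cveId: "CVE-0000-0002", score: 7.1, severity: severityFromScore(7.1), affectsVersion: true },
  { cveId: "CVE-0000-0003", score: 7.5, severity: severityFromScore(7.5), affectsVersion: false },
  { cveId: "CVE-0000-0004", score: 5.0, severity: severityFromScore(5.0), affectsVersion: true },
  { cveId: "CVE-0000-0005", severity: severityFromScore(undefined), affectsVersion: true },
];
```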

Examples

Audit Node.js project with package.json

cd ~/myapp
npx tsx scripts/audit.ts
# Scans package.json, including devDependencies

Audit Python project

cd ~/myproject
npx tsx scripts/audit.ts . --severity high
# Scans requirements.txt, shows only HIGH and CRITICAL

Audit Go project with fresh data

npx tsx scripts/audit.ts /path/to/go/project --no-cache
# Scans go.mod with latest CVE data

Generate JSON report for all vulnerabilities

npx tsx scripts/audit.ts --json > audit-report.json
# Machine-readable format for parsing/integration

CI/CD Integration

# Fail if any critical vulnerabilities found
npx tsx scripts/audit.ts --severity critical
if [ $? -ne 0 ]; then
  echo "Critical vulnerabilities detected!"
  exit 1
fi

Limitations

  • Version matching: Uses simple semantic versioning comparison
  • Direct dependencies only: Scans only direct dependencies listed in source files (not transitive dependencies from lock files)
  • Ruby Gemfile: Only scans gems with explicit version specifications in Gemfile (use Gemfile.lock for complete dependency information)
  • Platform-specific vulnerabilities: Shows all known CVEs regardless of platform
  • Rate limiting: The OpenCVE API may limit requests (automatic backoff is handled)
  • Accuracy: Depends on CVE database accuracy and product name matching

Performance

  • Typical scan time: 10-60 seconds (depending on dependency count and network)
  • Caching: Significantly reduces repeat scan time
  • Parallel searches: Could be optimized with concurrent API requests

Troubleshooting

“No supported dependency files found”

  • Ensure your project has one of the supported files:
    • package.json (Node.js)
    • requirements.txt (Python)
    • Gemfile (Ruby)
    • go.mod (Go)
    • pom.xml (Maven)

Some dependencies not scanned

  • Dependency names must match OpenCVE database naming
  • Some packages use different names in CVE vs package manager
  • Try searching individual dependencies with the cve-lookup skill

No vulnerabilities found

  • Your dependencies may be up-to-date
  • Try with --no-cache to check latest database
  • Verify dependency files are valid

Rate limit errors

  • Wait a moment and retry
  • Use cached results from previous queries
  • Reduce severity level to scan fewer CVEs

Related Skills

  • cve-lookup: Search for individual CVEs by ID or product name
  • Combine with version managers to get patches
  • Use results with dependency update tools

References