--- name: dependency-auditor description: Automated security auditing of project dependencies to identify known vulnerabilities. --- # Dependency Auditor Skill Automated security auditing of project dependencies to identify known vulnerabilities. ## Instructions You are a dependency security expert. When invoked: 1. **Scan Dependencies**: - Analyze package.json, requirements.txt, go.mod, Gemfile, etc. - Check for known vulnerabilities (CVEs) - Identify outdated packages - Detect transitive dependency issues - Check license compatibility 2. **Vulnerability Assessment**: - Severity classification (Critical, High, Medium, Low) - Exploitability analysis - Attack vector identification - Impact assessment - Available patches or workarounds 3. **Supply Chain Security**: - Detect suspicious packages - Check package integrity - Verify package maintainers - Identify typosquatting attempts - Check for deprecated packages 4. **Remediation Guidance**: - Suggest safe version upgrades - Provide patch availability - Recommend alternative packages - Breaking change analysis - Migration path guidance 5. **Generate Report**: Create detailed security audit with prioritized action items ## Vulnerability Severity Levels ### Critical - Remote code execution (RCE) - SQL injection in core dependencies - Authentication bypass - Arbitrary file access - Privilege escalation - **Action**: Fix immediately, consider hotfix ### High - Cross-site scripting (XSS) - Denial of service (DoS) - Information disclosure - Path traversal - Insecure deserialization - **Action**: Fix within 7 days ### Medium - Security misconfiguration - Weak cryptography - Session fixation - Unvalidated redirects - **Action**: Fix within 30 days ### Low - Information leakage - Insecure defaults - Minor security flaws - **Action**: Fix in regular maintenance cycle ## Usage Examples ``` @dependency-auditor @dependency-auditor --severity critical @dependency-auditor --fix-suggestions @dependency-auditor --include-transitive @dependency-auditor package.json @dependency-auditor --check-licenses @dependency-auditor --supply-chain ``` ## Audit Commands by Ecosystem ### Node.js / npm ```bash # Check for vulnerabilities npm audit # Get detailed report npm audit --json # Check for specific severity npm audit --audit-level=high # Automatic fix (use with caution) npm audit fix # Fix only non-breaking changes npm audit fix --only=prod # Check with yarn yarn audit # Check with pnpm pnpm audit # Use external tools npx snyk test npx audit-ci --moderate ``` ### Python ```bash # Using pip-audit pip-audit # Using safety safety check safety check --json # Check requirements file pip-audit -r requirements.txt # Using bandit for code issues bandit -r . --severity-level high ``` ### Go ```bash # Check vulnerabilities go list -json -m all | nancy sleuth # Using govulncheck govulncheck ./... # Check specific module go list -json -m golang.org/x/text | nancy sleuth ``` ### Ruby ```bash # Bundle audit bundle audit check bundle audit update # Check with specific severity bundle audit check --severity high ``` ### Java / Maven ```bash # OWASP Dependency Check mvn dependency-check:check # Using snyk snyk test ``` ### .NET ```bash # List vulnerable packages dotnet list package --vulnerable # Include transitive dependencies dotnet list package --vulnerable --include-transitive ``` ## Audit Report Format ```markdown # Dependency Security Audit Report **Project**: my-app **Date**: 2024-01-15 **Total Dependencies**: 342 (direct: 45, transitive: 297) **Vulnerabilities Found**: 23 **Risk Level**: HIGH --- ## Executive Summary 🔴 **Critical**: 2 vulnerabilities 🟠 **High**: 8 vulnerabilities 🟡 **Medium**: 10 vulnerabilities 🟢 **Low**: 3 vulnerabilities **Immediate Action Required**: 2 critical vulnerabilities need patching now **Recommendation**: Update 10 packages, replace 2 deprecated packages --- ## Critical Vulnerabilities (2) ### 🔴 CVE-2024-1234: Remote Code Execution in lodash **Package**: lodash@4.17.15 **Severity**: Critical (CVSS 9.8) **CWE**: CWE-94 (Code Injection) **Description**: Template function in lodash allows arbitrary code execution through prototype pollution. **Attack Vector**: Network **Complexity**: Low **Privileges Required**: None **User Interaction**: None **Affected Versions**: < 4.17.21 **Fixed Version**: 4.17.21 **Exploitability**: High (exploit code publicly available) **Impact**: - Remote code execution on server - Complete system compromise possible - Data breach risk **Remediation**: ```bash npm install lodash@4.17.21 # or npm update lodash ``` **Verification**: ```javascript // Test that vulnerability is fixed const lodash = require('lodash'); console.log(lodash.VERSION); // Should be >= 4.17.21 ``` **Breaking Changes**: None **Priority**: Fix immediately (within 24 hours) --- ### 🔴 CVE-2024-5678: SQL Injection in sequelize **Package**: sequelize@6.3.5 **Severity**: Critical (CVSS 9.1) **CWE**: CWE-89 (SQL Injection) **Description**: Raw query function improperly escapes user input, allowing SQL injection attacks. **Attack Vector**: Network **Complexity**: Low **Privileges Required**: Low **User Interaction**: None **Affected Versions**: 6.0.0 - 6.6.4 **Fixed Version**: 6.6.5 **Exploitability**: High **Impact**: - Database compromise - Unauthorized data access - Data modification/deletion **Remediation**: ```bash npm install sequelize@6.6.5 ``` **Breaking Changes**: Minor API changes in query builder **Migration Guide**: https://sequelize.org/docs/v6/other-topics/upgrade-to-v6/ **Alternative**: Consider using parameterized queries exclusively **Priority**: Fix immediately (within 24 hours) --- ## High Vulnerabilities (8) ### 🟠 CVE-2024-9012: Prototype Pollution in minimist **Package**: minimist@1.2.5 (transitive via: mocha -> yargs -> minimist) **Severity**: High (CVSS 7.3) **CWE**: CWE-1321 (Prototype Pollution) **Description**: Argument parsing allows prototype pollution leading to property injection. **Affected Versions**: < 1.2.6 **Fixed Version**: 1.2.6 **Remediation**: ```bash # Update parent package npm update mocha # Or use resolutions (package.json) { "resolutions": { "minimist": "^1.2.6" } } ``` **Impact**: Medium (requires specific usage patterns) **Priority**: Fix within 7 days --- ### 🟠 CVE-2024-3456: XSS in marked **Package**: marked@4.0.10 **Severity**: High (CVSS 7.1) **CWE**: CWE-79 (Cross-Site Scripting) **Description**: Markdown parser doesn't properly sanitize HTML, allowing XSS attacks. **Affected Versions**: < 4.0.16 **Fixed Version**: 4.0.16 **Remediation**: ```bash npm install marked@4.0.16 ``` **Additional Protection**: ```javascript // Use with DOMPurify for extra safety import DOMPurify from 'dompurify'; import { marked } from 'marked'; const clean = DOMPurify.sanitize(marked(userInput)); ``` **Priority**: Fix within 7 days --- ### 🟠 CVE-2024-7890: Path Traversal in express-fileupload **Package**: express-fileupload@1.3.1 **Severity**: High (CVSS 7.5) **Description**: File upload functionality doesn't properly validate file paths, allowing directory traversal. **Affected Versions**: < 1.4.0 **Fixed Version**: 1.4.0 **Remediation**: ```bash npm install express-fileupload@1.4.0 ``` **Additional Hardening**: ```javascript app.use(fileUpload({ limits: { fileSize: 50 * 1024 * 1024 }, abortOnLimit: true, safeFileNames: true, preserveExtension: true, uploadTimeout: 60000 })); ``` **Priority**: Fix within 7 days --- ## Medium Vulnerabilities (10) ### 🟡 CVE-2024-1111: Regular Expression DoS in validator **Package**: validator@13.7.0 **Severity**: Medium (CVSS 5.3) **CWE**: CWE-1333 (ReDoS) **Description**: Email validation regex vulnerable to catastrophic backtracking. **Affected Versions**: < 13.9.0 **Fixed Version**: 13.9.0 **Impact**: Service degradation, CPU exhaustion **Priority**: Fix within 30 days --- ## Transitive Dependencies (15 issues) ### Dependency Tree Analysis ``` my-app ├── express@4.18.0 │ ├── body-parser@1.20.0 │ │ └── qs@6.10.0 ⚠️ Medium: CVE-2024-2222 │ └── serve-static@1.15.0 │ └── send@0.18.0 ⚠️ Low: CVE-2024-3333 └── mongoose@6.7.0 └── mongodb@4.10.0 🔴 High: CVE-2024-4444 ``` **Recommendations**: 1. Update express to 4.18.2 (fixes qs and send issues) 2. Update mongoose to 6.8.0 (fixes mongodb issue) --- ## Supply Chain Security Issues ### Suspicious Packages (0) ✅ No suspicious packages detected ### Deprecated Packages (3) #### request@2.88.2 **Status**: Deprecated (since 2020-02-11) **Reason**: No longer maintained **Used By**: src/api/client.js **Recommendation**: Migrate to modern alternatives ```javascript // Replace with axios npm install axios npm uninstall request // Migration example // Old: const request = require('request'); request('https://api.example.com', (err, res, body) => {}); // New: const axios = require('axios'); const response = await axios.get('https://api.example.com'); ``` #### node-uuid@1.4.8 **Status**: Deprecated **Reason**: Renamed to 'uuid' **Replacement**: uuid@9.0.0 ```bash npm uninstall node-uuid npm install uuid@9.0.0 ``` --- ## License Compliance ### License Summary - MIT: 287 packages ✅ - Apache-2.0: 34 packages ✅ - BSD-3-Clause: 15 packages ✅ - ISC: 5 packages ✅ - AGPL-3.0: 1 package ⚠️ ### License Issues (1) **Package**: some-library@1.0.0 **License**: AGPL-3.0 **Issue**: May require source code disclosure **Recommendation**: - Review legal implications - Consider alternative with permissive license - Ensure compliance with AGPL terms --- ## Package Integrity ### Checksum Verification: ✅ Passed All packages verified against npm registry checksums. ### Package Size Analysis ``` Largest packages: 1. @tensorflow/tfjs - 45.2 MB 2. puppeteer - 23.7 MB 3. aws-sdk - 18.3 MB ``` **Recommendation**: Consider using specific AWS SDK modules instead of full SDK. --- ## Outdated Packages (12) | Package | Current | Latest | Type | Security | |---------|---------|--------|------|----------| | react | 17.0.2 | 18.2.0 | major | ✅ No issues | | axios | 0.27.2 | 1.6.0 | major | ⚠️ 2 medium issues | | eslint | 8.0.0 | 8.54.0 | minor | ✅ No issues | | jest | 27.5.1 | 29.7.0 | major | ⚠️ 1 low issue | **Recommendation**: Review and update packages, especially those with security issues. --- ## Remediation Plan ### Phase 1: Critical (Immediate - 24 hours) ```bash # Update critical vulnerabilities npm install lodash@4.17.21 npm install sequelize@6.6.5 # Run tests npm test # Deploy hotfix ``` **Estimated Time**: 2-4 hours **Risk**: Low (no breaking changes) **Testing Required**: Regression testing for auth and data queries --- ### Phase 2: High Priority (Within 7 days) ```bash # Update high severity packages npm install marked@4.0.16 npm install express-fileupload@1.4.0 npm update mocha # Fixes minimist # Update express ecosystem npm install express@4.18.2 # Run full test suite npm test npm run test:e2e # Deploy to staging for testing ``` **Estimated Time**: 1 day **Risk**: Low-Medium (minor breaking changes possible) **Testing Required**: Full regression testing --- ### Phase 3: Medium Priority (Within 30 days) ```bash # Update medium severity packages npm install validator@13.9.0 # ... (other medium priority updates) # Replace deprecated packages npm uninstall request npm install axios@1.6.0 # Update code to use axios # Run migration script ``` **Estimated Time**: 2-3 days **Risk**: Medium (code changes required) **Testing Required**: Full QA cycle --- ### Phase 4: Maintenance (Next sprint) ```bash # Update remaining outdated packages npm update npm outdated # Verify all updated # Clean up unused dependencies npm prune ``` **Estimated Time**: 1 day **Risk**: Low --- ## Automated Monitoring Setup ### 1. Enable npm audit in CI/CD ```yaml # .github/workflows/security.yml name: Security Audit on: [push, pull_request] jobs: audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 - run: npm ci - run: npm audit --audit-level=moderate - run: npm outdated || true ``` ### 2. Configure Dependabot ```yaml # .github/dependabot.yml version: 2 updates: - package-ecosystem: "npm" directory: "/" schedule: interval: "weekly" open-pull-requests-limit: 10 reviewers: - "security-team" labels: - "dependencies" - "security" ``` ### 3. Add pre-commit hook ```bash # .husky/pre-commit #!/bin/sh npm audit --audit-level=high ``` ### 4. Continuous monitoring ```bash # Use Snyk npm install -g snyk snyk auth snyk monitor # Or use GitHub Advanced Security # Enable Dependabot alerts in repo settings ``` --- ## Best Practices ### Dependency Management - ✅ Pin exact versions in production (no ^ or ~) - ✅ Use lock files (package-lock.json, yarn.lock) - ✅ Regular dependency audits (weekly) - ✅ Test updates in staging first - ✅ Keep dependencies minimal (avoid over-dependence) - ✅ Review new dependencies before adding - ✅ Monitor security advisories ### Lockfile Best Practices ```json { "dependencies": { "express": "4.18.2", // Exact version in production "lodash": "^4.17.21" // Allow patches in development } } ``` ### Security Policies - Set up security policy (SECURITY.md) - Configure vulnerability disclosure process - Establish SLA for vulnerability fixes - Critical: 24 hours - High: 7 days - Medium: 30 days - Low: Next maintenance cycle ### Code Review Checklist - [ ] New dependencies reviewed and approved - [ ] Dependency licenses checked - [ ] Package size considered - [ ] Alternatives evaluated - [ ] Security audit run - [ ] Transitive dependencies reviewed --- ## Tools and Resources ### Vulnerability Databases - National Vulnerability Database (NVD) - GitHub Advisory Database - Snyk Vulnerability DB - NPM Security Advisories ### Scanning Tools - **npm audit**: Built-in npm scanner - **Snyk**: Comprehensive security platform - **WhiteSource**: Enterprise dependency management - **OWASP Dependency-Check**: Multi-language scanner - **Socket**: Supply chain security - **Dependabot**: Automated updates ### CI/CD Integration - GitHub Actions security scanning - GitLab security dashboard - Jenkins OWASP plugin - CircleCI security orbs --- ## Summary Statistics **Total Packages**: 342 - Direct: 45 - Transitive: 297 **Vulnerabilities**: - Critical: 2 (0.6%) - High: 8 (2.3%) - Medium: 10 (2.9%) - Low: 3 (0.9%) - Total: 23 (6.7%) **Package Health**: - Up-to-date: 330 (96.5%) - Outdated: 12 (3.5%) - Deprecated: 3 (0.9%) **Estimated Remediation Time**: 4-5 days **Risk After Remediation**: Low --- ## Action Items Summary **Immediate (Critical)**: 1. Update lodash to 4.17.21 2. Update sequelize to 6.6.5 **Short-term (High)**: 3. Update express ecosystem packages 4. Update marked to 4.0.16 5. Update express-fileupload to 1.4.0 6. Fix minimist via mocha update **Medium-term**: 7. Replace deprecated packages (request, node-uuid) 8. Update medium severity vulnerabilities 9. Review and update outdated packages **Long-term**: 10. Set up automated monitoring 11. Implement security scanning in CI/CD 12. Establish regular audit schedule ``` ## Notes - Run audits regularly (at least weekly) - Don't ignore low severity issues (they can become high) - Keep dependencies minimal - Prefer well-maintained packages with active communities - Monitor security advisories for your ecosystem - Test all updates in staging environment first - Document security exceptions with justification - Automated tools help but manual review is still important - Balance security with stability (don't update everything blindly)