loom-dependency-scan


Dependency Scan


Overview


This skill focuses on identifying security vulnerabilities, outdated packages, and license compliance issues in project dependencies. It covers multiple package ecosystems (JavaScript/Node.js, Python, Rust, Go, Ruby, Java, .NET, PHP) and provides remediation guidance, SBOM generation, and supply chain security analysis.

When to Use


  • Scanning dependencies for CVEs and security advisories
  • Checking for outdated or unmaintained packages
  • Generating Software Bill of Materials (SBOM)
  • Verifying license compliance and compatibility
  • Analyzing supply chain risks and transitive dependencies
  • Setting up automated dependency updates (Dependabot, Renovate, Snyk)
  • Investigating security alerts from GitHub/GitLab
  • Auditing dependencies before production deployment

Instructions


1. Identify Dependencies


  • Parse manifest files (package.json, requirements.txt, etc.)
  • Build complete dependency tree
  • Identify direct vs transitive dependencies
  • Check for phantom dependencies

2. Vulnerability Scanning


  • Check against CVE databases
  • Identify severity levels
  • Find affected versions
  • Check for available patches

3. Assess Risks


  • Evaluate exploitability
  • Check for active exploitation
  • Assess impact on application
  • Prioritize remediations

4. Report and Remediate


  • Document all findings
  • Provide upgrade paths
  • Suggest alternatives
  • Create remediation plan
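Steps 1 to 4 above, carried through end to end as an added Python example (this is not the skill's own code). It parses a constructed package-lock.json in the lockfileVersion 3 layout, resolves each dependency the way Node does so that a hoisted copy and a nested copy of the same package are tracked separately, flags phantom dependencies (imported but never declared), matches every installed copy against a constructed advisory list that reuses the two illustrative CVE ids from the report template in Example 3, and orders findings for remediation. The lockfile, the advisory entries and the `exploited` field (standing in for a known-exploited-vulnerabilities lookup) are all assumptions made for the example.

```python
"""Steps 1-4 over an npm lockfile: build the tree, flag phantom dependencies,
match advisories, and prioritize remediation. Added example; not the skill's code."""
import json

# Constructed package-lock.json (lockfileVersion 3 layout: "packages" keyed by install path).
# express resolves the hoisted lodash@4.17.20; sequelize carries its own nested lodash@4.17.21.
LOCKFILE = json.loads("""
{
  "name": "my-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "my-app", "dependencies": {"express": "^4.18.0", "sequelize": "^6.28.0"}},
    "node_modules/express": {"version": "4.18.2", "dependencies": {"lodash": "^4.17.0"}},
    "node_modules/lodash": {"version": "4.17.20"},
    "node_modules/sequelize": {"version": "6.28.0", "dependencies": {"lodash": "^4.17.21"}},
    "node_modules/sequelize/node_modules/lodash": {"version": "4.17.21"}
  }
}
""")

# Constructed advisory feed reusing the two illustrative CVE entries from the report template.
# "exploited" is a placeholder for a known-exploited-vulnerabilities lookup (assumed field).
ADVISORIES = [
    {"id": "CVE-2024-1234", "package": "lodash", "fixed": "4.17.21", "cvss": 9.8, "exploited": True},
    {"id": "CVE-2024-5678", "package": "sequelize", "fixed": "6.29.0", "cvss": 9.1, "exploited": False},
]


def version_key(version):
    """Numeric tuple for comparison; pre-release suffixes (e.g. -beta.1) are ignored."""
    return tuple(int(p) for p in version.split("-")[0].split("."))


def resolve(packages, from_path, name):
    """Mimic Node's lookup: nearest node_modules/<name>, walking up from from_path."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def build_tree(lockfile):
    """Step 1: map each installed path to name, version, dependency chain and direct/transitive flag."""
    packages = lockfile["packages"]
    tree = {}
    stack = [("", [lockfile["name"]])]
    while stack:
        path, chain = stack.pop()
        for dep in packages[path].get("dependencies", {}):
            dep_path = resolve(packages, path, dep)
            if dep_path is None or dep_path in tree:
                continue  # not installed (lockfile drift) or already recorded via an earlier chain
            tree[dep_path] = {"name": dep, "version": packages[dep_path]["version"],
                              "chain": chain + [dep], "direct": path == ""}
            stack.append((dep_path, chain + [dep]))
    return tree


def phantom_dependencies(imported, lockfile):
    """Step 1: modules the application imports but never declares as direct dependencies.
    They only work while some other package happens to hoist them."""
    declared = set(lockfile["packages"][""].get("dependencies", {}))
    return sorted(n for n in imported if n not in declared)


def find_vulnerabilities(tree, advisories):
    """Step 2: each installed copy is checked on its own, so a fixed nested copy
    does not mask a vulnerable hoisted one (or the other way round)."""
    findings = []
    for path, info in tree.items():
        for adv in advisories:
            if adv["package"] == info["name"] and version_key(info["version"]) < version_key(adv["fixed"]):
                findings.append({**adv, "path": path, "version": info["version"],
                                 "chain": " > ".join(info["chain"]), "direct": info["direct"]})
    return findings


def prioritize(findings):
    """Step 3: actively exploited first, then by CVSS, then direct deps (cheapest to fix)."""
    return sorted(findings, key=lambda f: (not f["exploited"], -f["cvss"], not f["direct"]))


def remediation(finding):
    """Step 4: direct deps get a pinned bump; transitive ones need the parent updated or an override."""
    if finding["direct"]:
        return f"npm install {finding['package']}@{finding['fixed']}"
    parent = finding["chain"].split(" > ")[-2]
    return f"update {parent}, or add an npm 'overrides' entry pinning {finding['package']}>={finding['fixed']}"


if __name__ == "__main__":
    tree = build_tree(LOCKFILE)
    print("phantom:", phantom_dependencies({"express", "sequelize", "lodash"}, LOCKFILE))
    for f in prioritize(find_vulnerabilities(tree, ADVISORIES)):
        print(f["id"], f["chain"], f["version"], "->", remediation(f))
```

Two things the example shows that the step list does not spell out: the same package can be installed more than once at different paths, so a scanner that keys findings by package name alone under-reports; and a transitive finding usually cannot be fixed by bumping the vulnerable package directly, which is why the remediation text names the parent or an override.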

5. Language-Specific Scanning


JavaScript/Node.js:
  • Use npm audit or yarn audit for vulnerability scanning
  • Check package-lock.json or yarn.lock for reproducibility
  • Consider npm-check-updates for upgrade analysis
  • Use license-checker for license compliance
Python:
  • Use pip-audit or safety for CVE scanning
  • Check requirements.txt and Pipfile.lock
  • Use pip-compile with --generate-hashes for integrity
  • Consider pipdeptree for dependency visualization
Rust:
  • Use cargo audit for RustSec advisories
  • Check Cargo.lock for reproducible builds
  • Use cargo outdated for version analysis
  • Consider cargo deny for policy enforcement
Go:
  • Use govulncheck for vulnerability scanning
  • Check go.sum for module integrity
  • Use go list -m all to enumerate dependencies
  • Consider nancy for OSS Index checking

6. SBOM Generation


Generate a Software Bill of Materials for supply chain transparency:
CycloneDX:
  • npm install -g @cyclonedx/cyclonedx-npm && cyclonedx-npm --output-file sbom.json
  • cargo install cargo-cyclonedx && cargo cyclonedx
  • pip install cyclonedx-bom && cyclonedx-py
SPDX:
  • Use syft (universal tool): syft . -o spdx-json > sbom.spdx.json
  • Use trivy for container images: trivy image --format spdx-json myimage:tag
Purpose: Track all components for vulnerability management, license compliance, and incident response.

7. License Compliance Checking


Ensure all dependencies have compatible licenses:
Automated Tools:
  • Node.js: npx license-checker --onlyAllow 'MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC'
  • Rust: cargo deny check licenses
  • Python: pip-licenses
  • Universal: fossology, scancode-toolkit
License Categories:
  • Permissive: MIT, Apache-2.0, BSD (generally safe)
  • Weak Copyleft: MPL, LGPL (check linking requirements)
  • Strong Copyleft: GPL, AGPL (may require source disclosure)
  • Unknown/Missing: Investigate before use
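Sections 6 and 7 together: once an SBOM exists, license compliance can be checked from it rather than from each ecosystem's tool. The following added Python example (not the skill's code and not the output of any of the tools named above) reads a constructed CycloneDX JSON fragment, applies the same allowlist as the license-checker command in section 7, sorts everything else into the weak/strong copyleft and unknown categories, and produces rows in the shape of the License Compliance table in Example 3. Assumptions: CycloneDX 1.4+ component layout (each `licenses` entry is either `{"license": {"id"|"name"}}` or `{"expression"}`), flat SPDX expressions (OR of AND terms, no nested parentheses), and the category sets, which are illustrative rather than a complete SPDX mapping.

```python
"""License audit over a CycloneDX SBOM, producing the compliance table used in Example 3.
Added example; not the skill's code. Assumes CycloneDX 1.4+ JSON and flat SPDX expressions."""
import json
from collections import Counter

# Mirrors the license-checker allowlist in section 7.
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
# Illustrative category sets (assumption: not a full SPDX mapping).
CATEGORIES = {
    "permissive": ALLOWED,
    "weak-copyleft": {"MPL-2.0", "LGPL-2.1", "LGPL-3.0"},
    "strong-copyleft": {"GPL-2.0", "GPL-3.0", "AGPL-3.0"},
}

# Constructed SBOM fragment (not any real project's output).
SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "lodash", "version": "4.17.21", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "express", "version": "4.18.2", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "sequelize", "version": "6.29.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "some-gpl-lib", "version": "1.0.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "lgpl-lib", "version": "3.2.0", "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
    {"name": "dual-lib", "version": "2.0.0", "licenses": [{"expression": "(MIT OR GPL-3.0-only)"}]},
    {"name": "odd-lib", "version": "0.9.0", "licenses": [{"license": {"name": "Custom EULA"}}]},
    {"name": "mystery-lib", "version": "0.1.0"}
  ]
}
""")


def normalize(spdx_id):
    """Drop SPDX -only/-or-later qualifiers so GPL-3.0-only and GPL-3.0 share a category."""
    for suffix in ("-only", "-or-later"):
        if spdx_id.endswith(suffix):
            return spdx_id[: -len(suffix)]
    return spdx_id


def category(spdx_id):
    lic = normalize(spdx_id)
    return next((cat for cat, ids in CATEGORIES.items() if lic in ids), "unknown")


def terms(expression):
    """Split a flat SPDX expression into OR-alternatives, each a list of AND-ed license ids."""
    return [[p.strip("() ") for p in alt.split(" AND ")] for alt in expression.split(" OR ")]


def expression_allowed(expression):
    """Allowed if at least one alternative consists only of allowlisted licenses."""
    return any(all(normalize(p) in ALLOWED for p in alt) for alt in terms(expression))


def component_expressions(component):
    exprs = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            exprs.append(entry["expression"])
        elif "license" in entry:  # a bare name with no SPDX id has no category and must be investigated
            exprs.append(entry["license"].get("id") or entry["license"].get("name", "NOASSERTION"))
    return exprs


def component_status(component):
    """Approved / Review Required / Investigation Needed, using the report template's wording.
    Several license entries on one component are treated as all applying (conservative)."""
    exprs = component_expressions(component)
    if not exprs:
        return "Investigation Needed"
    status = "Approved"
    for expr in exprs:
        if expression_allowed(expr):
            continue
        if any(category(p) == "unknown" for alt in terms(expr) for p in alt):
            return "Investigation Needed"
        status = "Review Required"  # weak or strong copyleft: a human checks linking/disclosure terms
    return status


def audit(sbom):
    """Component name -> compliance status."""
    return {c["name"]: component_status(c) for c in sbom["components"]}


def license_table(sbom):
    """Rows of (license, count, compliance), most common first, like the table in Example 3."""
    rows = Counter()
    for c in sbom["components"]:
        label = " AND ".join(component_expressions(c)) or "Unknown"
        rows[(label, component_status(c))] += 1
    return sorted(((lic, n, st) for (lic, st), n in rows.items()), key=lambda r: -r[1])


if __name__ == "__main__":
    for lic, n, status in license_table(SBOM):
        print(f"| {lic} | {n} | {status} |")
```

The dual-licensed component is the case worth noticing: an OR expression is compliant as long as one alternative is on the allowlist, whereas a tool that only looks at the first license id would flag it. Conversely, a component with no license data at all is never silently approved.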

Best Practices


  1. Regular Scanning: Automate daily/weekly scans
  2. Lock Files: Use lockfiles for reproducibility
  3. Minimal Dependencies: Only include what's needed
  4. Verify Sources: Use trusted registries
  5. Review Updates: Don't blindly update
  6. License Compliance: Ensure compatible licenses
  7. SBOM: Maintain software bill of materials

Examples


Example 1: Scanning Commands by Ecosystem


bash
# JavaScript/Node.js
npm audit
npm audit --json > audit-report.json
npm outdated
npx npm-check-updates

# Python
pip-audit
safety check
pip list --outdated
pip-compile --generate-hashes

# Rust
cargo audit
cargo outdated
cargo deny check

# Go
go list -m all | nancy sleuth
govulncheck ./...

# Ruby
bundle audit
bundle outdated

# Java/Maven
mvn dependency-check:check
mvn versions:display-dependency-updates

# .NET
dotnet list package --vulnerable
dotnet list package --outdated

# PHP
composer audit
composer outdated

Example 2: GitHub Actions Dependency Scanning


yaml
name: Dependency Scanning

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 6 * * *" # Daily at 6 AM

# upload-sarif writes to the code scanning API, which the default GITHUB_TOKEN
# may not be allowed to do; grant only what the jobs need.
permissions:
  contents: read
  security-events: write

jobs:
  dependency-scan:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: "fs"
          scan-ref: "."
          format: "sarif"
          output: "trivy-results.sarif"
          severity: "CRITICAL,HIGH"

      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: "trivy-results.sarif"

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"

      - name: Run npm audit
        run: |
          npm ci
          npm audit --audit-level=high

      - name: Check for outdated packages
        run: npm outdated || true # informational only; never fails the build

      - name: License check
        run: npx license-checker --onlyAllow 'MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC'

  snyk-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

Example 3: Dependency Analysis Report Template


markdown
# Dependency Security Report

Generated: 2024-01-15
Project: my-application
Total Dependencies: 245 (42 direct, 203 transitive)

## Summary

| Severity | Count | Status             |
|----------|-------|--------------------|
| Critical | 2     | Action Required    |
| High     | 5     | Action Required    |
| Medium   | 12    | Review Recommended |
| Low      | 8     | Monitor            |

## Critical Vulnerabilities

### CVE-2024-1234 - Remote Code Execution in lodash

- Package: lodash@4.17.20
- Severity: Critical (CVSS 9.8)
- Affected Versions: < 4.17.21
- Fixed Version: 4.17.21
- Path: my-app > express > lodash
- Description: Prototype pollution vulnerability allowing RCE
- Remediation: `npm update lodash`

### CVE-2024-5678 - SQL Injection in sequelize

- Package: sequelize@6.28.0
- Severity: Critical (CVSS 9.1)
- Affected Versions: < 6.29.0
- Fixed Version: 6.29.0
- Path: my-app > sequelize
- Description: SQL injection via raw query methods
- Remediation: `npm update sequelize`

## License Compliance

| License      | Count | Compliance           |
|--------------|-------|----------------------|
| MIT          | 180   | Approved             |
| Apache-2.0   | 45    | Approved             |
| BSD-3-Clause | 15    | Approved             |
| GPL-3.0      | 3     | Review Required      |
| Unknown      | 2     | Investigation Needed |

## Recommendations

1. Immediate: Update lodash and sequelize to fix critical vulnerabilities
2. Short-term: Review GPL-licensed dependencies for compatibility
3. Ongoing: Enable Dependabot/Renovate for automated updates

Example 4: Renovate Configuration


json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base", ":semanticCommits", ":preserveSemverRanges"],
  "schedule": ["before 6am on Monday"],
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security"]
  },
  "packageRules": [
    {
      "matchUpdateTypes": ["major"],
      "labels": ["major-update"],
      "automerge": false
    },
    {
      "matchUpdateTypes": ["minor", "patch"],
      "matchCurrentVersion": "!/^0/",
      "automerge": true,
      "automergeType": "pr",
      "platformAutomerge": true
    },
    {
      "matchPackagePatterns": ["^@types/"],
      "automerge": true,
      "groupName": "type definitions"
    },
    {
      "matchDepTypes": ["devDependencies"],
      "automerge": true,
      "groupName": "dev dependencies"
    }
  ],
  "prConcurrentLimit": 5,
  "prHourlyLimit": 2
}