dependency-scan

Dependency Scan

Analyze package dependencies for known vulnerabilities.

Quick Start

/dependency-scan                  # Scan all detected package managers
/dependency-scan --npm            # Node.js packages only
/dependency-scan --pip            # Python packages only
/dependency-scan --fix            # Auto-fix where possible

What This Skill Does

  1. Identifies package managers in your project
  2. Parses dependency manifests (package.json, requirements.txt, etc.)
  3. Checks vulnerability databases for known CVEs
  4. Reports severity and remediation options
  5. Optionally auto-fixes by updating to patched versions
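As an added illustration of steps 2 to 4 (example code written for this page, not the skill's own implementation), the Python script below parses a constructed package.json and requirements.txt, matches the pinned versions against a small embedded advisory list that stands in for the NVD/OSV lookups, and labels each hit with the CVSS-to-severity mapping from the scoring table in the "Vulnerability Sources" section. The manifest contents, helper names, and the CVSS scores for the express and urllib3 entries are constructed; only the CVE ids, package names and patched versions come from the page's sample report.

```python
import json
import re

# Constructed sample manifests (a real run reads these from the project tree).
PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {"lodash": "4.17.19", "express": "^4.18.0"},
  "devDependencies": {"jest": "^29.7.0"}
}"""

REQUIREMENTS_TXT = """\
# pinned Python deps (constructed)
urllib3==1.26.0
requests==2.31.0
flask>=2.0   # unpinned: skipped below, a lock file is needed to resolve it
"""

# Embedded advisories standing in for NVD/OSV/GitHub Advisory lookups:
# (ecosystem, package, first patched version, CVE id, CVSS base score).
# The lodash score (9.8) is from the page; the other two scores are
# constructed placeholders chosen to reproduce the report's severity labels.
ADVISORIES = [
    ("npm", "lodash", "4.17.21", "CVE-2021-23337", 9.8),
    ("npm", "express", "4.19.2", "CVE-2024-29041", 7.5),
    ("pip", "urllib3", "2.0.6", "CVE-2023-43804", 9.1),
]


def parse_version(spec):
    """Dotted numeric core of a version or range: "^4.18.0" -> (4, 18, 0).

    For a range this is its lower bound, which stands in for the resolved
    version when no lock file is available (an assumption of this example).
    """
    m = re.search(r"\d+(?:\.\d+)*", spec)
    if not m:
        raise ValueError(f"unparseable version: {spec!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def parse_package_json(text):
    """Return {name: version tuple} for runtime and dev dependencies."""
    data = json.loads(text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(data.get(section, {}))
    return {name: parse_version(spec) for name, spec in deps.items()}


def parse_requirements(text):
    """Return {name: version tuple} for the '==' pinned lines only."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        name, sep, version = line.partition("==")
        if sep:  # only exact pins can be compared against an advisory
            deps[name.strip().lower()] = parse_version(version)
    return deps


def severity_from_cvss(score):
    """Map a CVSS base score to the label used in the scan report."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score >= 0.1:
        return "LOW"
    return "NONE"


def scan(manifests, advisories=ADVISORIES):
    """Match installed versions against advisories; worst findings first."""
    findings = []
    for ecosystem, package, patched, cve, cvss in advisories:
        installed = manifests.get(ecosystem, {}).get(package)
        if installed is None or installed >= parse_version(patched):
            continue  # package not used, or already at/above the fix
        findings.append({
            "ecosystem": ecosystem, "package": package,
            "installed": ".".join(map(str, installed)), "patched": patched,
            "cve": cve, "cvss": cvss, "severity": severity_from_cvss(cvss),
        })
    findings.sort(key=lambda f: f["cvss"], reverse=True)
    return findings


def summarize(findings):
    """Count findings per severity, in the report's order."""
    counts = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    manifests = {"npm": parse_package_json(PACKAGE_JSON),
                 "pip": parse_requirements(REQUIREMENTS_TXT)}
    results = scan(manifests)
    print("VULNERABILITIES BY SEVERITY", summarize(results))
    for f in results:
        print(f"[{f['severity']}] {f['package']} {f['installed']} < {f['patched']} ({f['cve']})")
```

Two details worth noting: unpinned requirements lines (`flask>=2.0`) are skipped rather than guessed, which is why the skill prefers lock files, and a range specifier such as `^4.18.0` is only a lower bound, so the real installed version must come from package-lock.json in a production scanner.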

Supported Package Managers

Ecosystem   Files                                        Tool Used
---------   -----                                        ---------
Node.js     package.json, package-lock.json              npm audit
Python      requirements.txt, Pipfile, pyproject.toml    pip-audit, safety
Ruby        Gemfile, Gemfile.lock                        bundler-audit
Java        pom.xml, build.gradle                        dependency-check
Go          go.mod, go.sum                               govulncheck
Rust        Cargo.toml, Cargo.lock                       cargo-audit
PHP         composer.json, composer.lock                 composer audit
.NET        *.csproj, packages.config                    dotnet list --vulnerable

Scan Modes

Full Scan

/dependency-scan
Scans all detected package managers, reports all severity levels.

Specific Ecosystem

/dependency-scan --npm
/dependency-scan --pip
/dependency-scan --go

Severity Filter

/dependency-scan --severity critical,high
/dependency-scan --severity medium

Auto-Fix Mode

/dependency-scan --fix
/dependency-scan --fix --dry-run    # Preview changes
Attempts to update vulnerable packages to patched versions.

Output Format

Summary View

DEPENDENCY SCAN RESULTS
=======================

Scanned: package.json, requirements.txt
Packages analyzed: 127 (78 npm, 49 pip)

VULNERABILITIES BY SEVERITY
  Critical: 2
  High: 4
  Medium: 8
  Low: 12

TOP ISSUES

[!] CRITICAL: lodash < 4.17.21
    CVE-2021-23337: Command Injection
    Affected: lodash@4.17.19
    Fix: npm update lodash

[!] CRITICAL: urllib3 < 2.0.6
    CVE-2023-43804: Cookie Leak
    Affected: urllib3@1.26.0
    Fix: pip install urllib3>=2.0.6

[H] HIGH: express < 4.19.2
    CVE-2024-29041: Open Redirect
    Affected: express@4.18.0
    Fix: npm update express

Detailed View

/dependency-scan --details
DETAILED VULNERABILITY REPORT
=============================

CVE-2021-23337
--------------
Package: lodash
Installed: 4.17.19
Patched: 4.17.21
Severity: CRITICAL (CVSS 9.8)

Description:
  Command Injection in lodash template function allows
  arbitrary command execution via crafted template strings.

Attack Vector: Remote, no auth required
Exploitability: Public exploit available

References:
  - https://nvd.nist.gov/vuln/detail/CVE-2021-23337
  - https://github.com/lodash/lodash/issues/5085

Remediation:
  npm update lodash
  # or
  npm install lodash@4.17.21

Vulnerability Sources

Databases Consulted

Database                                Coverage
--------                                --------
NVD (National Vulnerability Database)   All CVEs
GitHub Advisory Database                GitHub-reported
OSV (Open Source Vulnerabilities)       Multi-ecosystem
npm Security Advisories                 Node.js specific
PyPI Advisory Database                  Python specific
RustSec Advisory Database               Rust specific

CVSS Scoring

Score       Severity
-----       --------
9.0-10.0    Critical
7.0-8.9     High
4.0-6.9     Medium
0.1-3.9     Low

Commands Used

Node.js (npm)

bash
npm audit --json
npm audit fix           # Auto-fix
npm audit fix --force   # Breaking changes OK

Python (pip-audit)

bash
pip-audit
pip-audit --fix
pip-audit -r requirements.txt

Python (safety)

bash
safety check
safety check -r requirements.txt

Ruby (bundler-audit)

bash
bundle-audit check
bundle-audit update     # Update advisory DB

Go (govulncheck)

bash
govulncheck ./...

Rust (cargo-audit)

bash
cargo audit
cargo audit fix         # Auto-fix

Auto-Fix Behavior

Safe Fixes

Updates within semver-compatible range:
  • Patch versions (1.2.3 → 1.2.4)
  • Minor versions if locked to major (^1.2.3 → ^1.3.0)

Breaking Fixes

May introduce breaking changes:
  • Major version updates
  • Requires the --force flag
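To make the safe/breaking rule concrete, here is an added Python example (not the skill's own code) that classifies the version jump a fix needs and decides whether --fix may apply it on its own or only with --force. It implements exactly the rule stated above: patch bumps are always safe, minor bumps are safe only when the manifest locks the major (a caret range), and major bumps are breaking. The caret/tilde/exact handling, the sample manifest specs and the "logger" entry are assumptions of the example; the other package names and versions echo the page's fix report.

```python
import re


def parse_version(v):
    """'^1.2.3' -> (1, 2, 3): numeric core only, range prefix dropped."""
    m = re.search(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad to major.minor.patch


def bump_kind(installed, patched):
    """Which semver component moving from installed to patched changes."""
    i, p = parse_version(installed), parse_version(patched)
    if p <= i:
        return "none"
    if p[0] != i[0]:
        return "major"
    if p[1] != i[1]:
        return "minor"
    return "patch"


def range_kind(spec):
    """Manifest range style: caret locks the major, tilde locks the minor,
    anything else is treated as an exact pin. (Assumption of this example;
    the special 0.x caret semantics are deliberately not modelled.)"""
    if spec.startswith("^"):
        return "caret"
    if spec.startswith("~"):
        return "tilde"
    return "exact"


def fix_decision(spec, installed, patched, force=False):
    """Return (verdict, reason) for updating a dependency to `patched`.

    safe     -> inside the semver-compatible range, applied by --fix
    breaking -> outside it, applied only because --force was given
    blocked  -> outside it and no --force
    skip     -> already at or above the patched version
    """
    kind = bump_kind(installed, patched)
    if kind == "none":
        return "skip", f"{installed} is already >= {patched}"
    if kind == "patch":
        return "safe", f"patch bump {installed} -> {patched}"
    if kind == "minor" and range_kind(spec) == "caret":
        return "safe", f"minor bump {installed} -> {patched} within {spec}"
    if force:
        return "breaking", f"{kind} bump {installed} -> {patched} applied with --force"
    return "blocked", f"{kind} bump {installed} -> {patched} is outside {spec}; requires --force"


def updated_spec(spec, patched):
    """Rewrite the manifest range to the patched version, keeping its
    prefix (^1.2.3 -> ^1.3.0, as in the Safe Fixes bullet above)."""
    prefix = spec[:1] if spec[:1] in ("^", "~") else ""
    return prefix + patched


# Constructed sample: (package, manifest spec, installed, first patched version).
SAMPLE = [
    ("lodash", "^4.17.19", "4.17.19", "4.17.21"),   # patch  -> safe
    ("axios", "~0.21.0", "0.21.0", "0.21.1"),       # patch  -> safe
    ("minimist", "1.2.5", "1.2.5", "1.2.6"),        # patch  -> safe
    ("react-scripts", "^4.0.3", "4.0.3", "5.0.0"),  # major  -> needs --force
    ("logger", "~2.1.0", "2.1.0", "2.2.0"),         # minor under tilde -> needs --force
]


def plan_fixes(entries, force=False):
    """Map package -> verdict for a batch of findings."""
    return {pkg: fix_decision(spec, inst, fixed, force)[0]
            for pkg, spec, inst, fixed in entries}


if __name__ == "__main__":
    for pkg, spec, inst, fixed in SAMPLE:
        verdict, why = fix_decision(spec, inst, fixed)
        print(f"{pkg:14} {verdict:9} {why}")
```

The react-scripts line reproduces the "No patch available (major version required)" case from the fix report: the fix exists, but applying it means a major bump, so --fix leaves it for a human and --force is the explicit opt-in.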

Fix Report

AUTO-FIX REPORT
===============

Fixed: 8 vulnerabilities
  lodash: 4.17.19 → 4.17.21
  axios: 0.21.0 → 0.21.1
  minimist: 1.2.5 → 1.2.6

Unable to fix: 2 vulnerabilities
  react-scripts: No patch available (major version required)
  webpack-dev-server: Conflicts with other dependencies

Review package.json changes before committing.

Configuration

Ignore Known Issues

Create .dependency-scan-ignore:

yaml
# Ignore specific CVEs (document reason!)
ignore:
  - id: CVE-2021-23337
    reason: "Not exploitable in our usage, lodash template not used"
    expires: 2024-12-31
  - id: GHSA-xxx-xxx
    reason: "Development dependency only"

# Ignore packages
packages:
  - name: lodash
    versions: ["< 4.17.0"]   # Only old versions

Severity Thresholds

yaml
# .dependency-scan.yaml
thresholds:
  fail_on: critical       # Fail CI on critical
  warn_on: high           # Warn on high
  ignore_below: low       # Don't report low

fix:
  auto_fix: true
  allow_major: false      # No major version bumps
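The two configuration files above only matter through the policy they drive, so here is an added Python example (not the skill's code) of that policy layer: it takes a list of findings, suppresses the ones matched by an ignore rule, refuses to honour an id rule whose expires date has passed, drops findings at or below ignore_below, and turns fail_on/warn_on into a CI verdict. The configs are written as the dict literals a YAML loader such as yaml.safe_load would return for the files above (YAML parses the unquoted 2024-12-31 into a date). The findings list, the dev-tool and tiny-lib packages and the EXAMPLE-LOW-0001 id are constructed; the behaviour after expiry (the finding resurfaces) is this example's choice, since the page shows the field but not what happens afterwards.

```python
from datetime import date
import operator
import re

# Policy inputs as yaml.safe_load would return them for the two files above.
IGNORE_CONFIG = {
    "ignore": [
        {"id": "CVE-2021-23337",
         "reason": "Not exploitable in our usage, lodash template not used",
         "expires": date(2024, 12, 31)},
        {"id": "GHSA-xxx-xxx", "reason": "Development dependency only"},
    ],
    "packages": [
        {"name": "lodash", "versions": ["< 4.17.0"]},
    ],
}
THRESHOLDS = {"fail_on": "critical", "warn_on": "high", "ignore_below": "low"}

# Constructed findings in the shape the scanner hands to the policy layer.
# dev-tool, tiny-lib and EXAMPLE-LOW-0001 are placeholders, not real advisories.
FINDINGS = [
    {"id": "CVE-2021-23337", "package": "lodash", "version": "4.17.19", "severity": "CRITICAL"},
    {"id": "CVE-2021-23337", "package": "lodash", "version": "4.16.6", "severity": "CRITICAL"},
    {"id": "GHSA-xxx-xxx", "package": "dev-tool", "version": "1.0.0", "severity": "HIGH"},
    {"id": "CVE-2024-29041", "package": "express", "version": "4.18.0", "severity": "HIGH"},
    {"id": "EXAMPLE-LOW-0001", "package": "tiny-lib", "version": "0.1.0", "severity": "LOW"},
]

LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq}


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


def version_matches(version, constraint):
    """'4.16.6' against '< 4.17.0' -> True."""
    m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\d.]+)\s*", constraint)
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    return OPS[m.group(1)](parse_version(version), parse_version(m.group(2)))


def ignore_reason(finding, cfg, today):
    """Reason string if a rule suppresses the finding, else None.

    An id rule whose `expires` date has passed is skipped, so the finding
    comes back into the report unless a package rule still covers it.
    """
    for rule in cfg.get("ignore", []):
        if rule["id"] == finding["id"]:
            expires = rule.get("expires")
            if expires is None or today <= expires:
                return rule["reason"]
    for rule in cfg.get("packages", []):
        if rule["name"] == finding["package"] and all(
                version_matches(finding["version"], c) for c in rule["versions"]):
            return f"package rule {rule['name']} {rule['versions']}"
    return None


def evaluate(findings, ignore_cfg, thresholds, today):
    """Apply ignore rules, then thresholds; return the CI verdict."""
    floor = LEVELS[thresholds["ignore_below"].upper()]
    reported, suppressed = [], []
    for f in findings:
        why = ignore_reason(f, ignore_cfg, today)
        if why:
            suppressed.append((f["id"], f["package"], why))
        elif LEVELS[f["severity"]] > floor:  # "ignore_below: low" drops LOW
            reported.append(f)
    worst = max((LEVELS[f["severity"]] for f in reported), default=0)
    if worst >= LEVELS[thresholds["fail_on"].upper()]:
        status = "fail"
    elif worst >= LEVELS[thresholds["warn_on"].upper()]:
        status = "warn"
    else:
        status = "pass"
    return {
        "status": status,
        "exit_code": 1 if status == "fail" else 0,
        "reported": [(f["id"], f["package"], f["version"]) for f in reported],
        "suppressed": suppressed,
    }


if __name__ == "__main__":
    for day in (date(2024, 6, 1), date(2025, 1, 15)):
        verdict = evaluate(FINDINGS, IGNORE_CONFIG, THRESHOLDS, today=day)
        print(day, verdict["status"], verdict["reported"])
```

Run before the expiry date the lodash CVE is suppressed and the build only warns (express is HIGH); run after it, the lodash@4.17.19 finding resurfaces and CI fails, while lodash@4.16.6 stays suppressed because the package rule still matches it. That is the property the `expires` field exists for: an ignore is a dated decision, not a permanent exemption.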

CI/CD Integration

GitHub Actions

yaml
- name: Dependency Scan
  run: |
    /dependency-scan --severity critical,high --fail-on-findings

- name: Auto-fix and PR
  if: failure()
  env:
    GH_TOKEN: ${{ github.token }}   # gh needs a token to open the PR
  run: |
    /dependency-scan --fix
    git checkout -b security/dependency-updates
    git add .
    git commit -m "Security: Update vulnerable dependencies"
    git push -u origin security/dependency-updates
    gh pr create --title "Security: Update vulnerable dependencies" \
      --body "Automated fixes from /dependency-scan --fix; review manifest changes before merging"

Pre-Commit

Pre-Commit

bash
#!/bin/sh
# Run on package.json or requirements.txt changes.
# grep -E is required: in basic regex "|" is a literal character and the
# alternation would never match.
if git diff --cached --name-only | grep -Eq "package\.json|requirements\.txt"; then
  /dependency-scan --severity critical,high
fi

Dependency Health

Beyond CVEs

/dependency-scan --health
Additional checks:
  • Outdated packages: Major versions behind
  • Deprecated packages: No longer maintained
  • License issues: Incompatible licenses
  • Maintenance: Last update, open issues

Health Report

DEPENDENCY HEALTH
=================

Outdated (major behind): 5
  react: 17.0.2 → 18.2.0
  typescript: 4.9.5 → 5.3.3

Deprecated: 1
  request: Use got, axios, or node-fetch

Unmaintained (>2 years): 2
  moment: Consider dayjs or date-fns

License Issues: 0

Related Skills

  • /security-scan
    - Full security analysis
  • /secrets-scan
    - Credential detection
  • /config-scan
    - Configuration security