依赖漏洞扫描器 - 一键安全审计 npm/pip/Cargo 项目依赖，修复 CVE 漏洞

dependency-vulnerability-scanner by dexploarer/claudius-skills

1 周安装量

4 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/dexploarer/claudius-skills --skill dependency-vulnerability-scanner

自动化开发运维安全

🇨🇳中文介绍

依赖漏洞扫描器

扫描项目依赖项中的已知安全漏洞并提供修复指导。

使用时机

"检查易受攻击的依赖项"
"对我的依赖项进行安全审计"
"扫描 CVE"
"检查 npm/pip 漏洞"
"更新易受攻击的包"

使用说明

1. 检测包管理器

# Node.js
[ -f "package.json" ] && echo "npm/yarn"

# Python
[ -f "requirements.txt" ] && echo "pip"

# Ruby
[ -f "Gemfile" ] && echo "bundler"

# Go
[ -f "go.mod" ] && echo "go modules"

# Rust
[ -f "Cargo.toml" ] && echo "cargo"

2. 运行安全审计

npm (Node.js)

基础审计：

npm audit

# 输出：
# 发现 3 个漏洞 (2 个中等，1 个高危)
# 运行 `npm audit fix` 来修复它们

详细报告：

npm audit --json > audit-report.json
npm audit --production  # 仅生产环境依赖项

自动修复：

npm audit fix            # 安全修复
npm audit fix --force    # 可能引入破坏性变更

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

Safety (Python 替代方案)

pip install safety

# 检查已安装的包
safety check

# 检查 requirements
safety check --file requirements.txt

# 完整报告
safety check --full-report

gem install bundler-audit

# 更新漏洞数据库
bundle audit update

# 运行审计
bundle audit check

# 自动更新
bundle audit check --update

# 安装
npm install -g snyk

# 认证
snyk auth

# 测试项目
snyk test

# 持续监控
snyk monitor

# 修复漏洞
snyk fix

OWASP Dependency-Check

# 下载
wget https://github.com/jeremylong/DependencyCheck/releases/download/v8.0.0/dependency-check-8.0.0-release.zip
unzip dependency-check-8.0.0-release.zip

# 运行扫描
./dependency-check/bin/dependency-check.sh \
  --project "My Project" \
  --scan ./

# 生成 HTML 报告
--format HTML --out ./reports

3. 解析和分类结果

严重 : 需要立即采取行动
高危 : 尽快修复
中等 : 计划修复
低危 : 监控和评估

输出分析示例：

{
  "vulnerabilities": [
    {
      "name": "lodash",
      "severity": "high",
      "via": ["prototype-pollution"],
      "fixAvailable": {
        "name": "lodash",
        "version": "4.17.21"
      }
    }
  ]
}

4. 生成安全报告

# 依赖漏洞报告

**日期：** 2024-01-15
**项目：** my-app
**总依赖项：** 250
**发现漏洞：** 12

## 摘要

- 严重：1
- 高危：3
- 中等：5
- 低危：3

## 严重漏洞

### 1. lodash 中的原型污染 (CVE-2020-8203)

**严重性：** 严重
**包：** lodash@4.17.15
**修复版本：** lodash@4.17.21
**CVSS 评分：** 9.8

**描述：**
原型污染漏洞允许攻击者修改对象原型。

**影响：**
如果攻击者控制了易受攻击函数的输入，则可能实现远程代码执行。

**修复方法：**
```bash
npm install lodash@4.17.21

优先级： 立即（24 小时内部署）

2. trim 中的正则表达式拒绝服务 (CVE-2020-7753)

严重性： 高危包： trim@0.0.1 修复版本： trim@1.0.1 CVSS 评分： 7.5

描述： 输入解析中的 ReDoS 漏洞。

npm install trim@1.0.1

优先级： 高（本周内修复）

[... 更多漏洞 ...]

立即行动 (严重)
- 将 lodash 更新至 4.17.21
- 彻底测试
- 部署到生产环境
短期行动 (高危)
- 更新 trim、axios、express
- 审查间接依赖项
- 运行集成测试
长期行动 (中等/低危)
- 为中等问题安排更新计划
- 监控低严重性问题
- 考虑替代包

启用 Dependabot/Renovate
在 CI/CD 中运行审计
添加依赖项前进行审查

保持依赖项最新

5. CI/CD 中的自动化扫描

GitHub Actions：

name: Security Audit

on:
  schedule:
    - cron: '0 0 * * 1'  # 每周
  pull_request:
  push:
    branches: [main]

jobs:
  audit:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v3

      - name: Setup Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '20'

      - name: Run npm audit
        run: |
          npm audit --audit-level=moderate
          npm audit --json > audit-report.json

      - name: Upload audit report
        uses: actions/upload-artifact@v3
        with:
          name: audit-report
          path: audit-report.json

      - name: Fail on high vulnerabilities
        run: npm audit --audit-level=high

- name: Run Snyk
  uses: snyk/actions/node@master
  env:
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  with:
    args: --severity-threshold=high

6. Dependabot 配置

.github/dependabot.yml:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    reviewers:
      - "security-team"
    labels:
      - "dependencies"
      - "security"
    commit-message:
      prefix: "chore"
      include: "scope"

  # 仅安全更新
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5
    allow:
      - dependency-type: "direct"
    versioning-strategy: increase-if-necessary

7. 许可证合规性

检查许可证：

# 安装 license-checker
npm install -g license-checker

# 检查所有许可证
license-checker

# 生成报告
license-checker --json > licenses.json

# 检查有问题的许可证
license-checker --onlyAllow 'MIT;Apache-2.0;BSD-3-Clause'

pip install pip-licenses

pip-licenses

# 格式化为表格
pip-licenses --format=markdown

# 检查兼容性
pip-licenses --fail-on 'GPL'

验证包完整性：

# npm
npm audit signatures

# 检查可疑包
npx socket npm i lodash

监控域名抢注：

# 安装 confused
npm install -g confused

# 检查依赖混淆
confused -l package.json

// 在 package.json 中
{
  "scripts": {
    "audit": "npm audit",
    "audit:fix": "npm audit fix",
    "audit:report": "npm audit --json > reports/audit-$(date +%Y%m%d).json",
    "precommit": "npm audit --audit-level=high"
  }
}

{
  "husky": {
    "hooks": {
      "pre-commit": "npm audit --audit-level=high"
    }
  }
}

定期运行审计（至少每周）
立即修复严重/高危漏洞
发布前审查审计报告
使用自动化工具 (Dependabot, Renovate)
监控安全公告
记录例外情况/已接受的风险
先在预发布环境中测试修复

忽略审计警告
在不了解影响的情况下使用 --force
跳过安全更新
未经审查添加包
禁用审计检查
不必要地使用过时的依赖项

// 易受攻击的代码
function merge(target, source) {
  for (let key in source) {
    target[key] = source[key]
  }
}

// 攻击
merge({}, JSON.parse('{"__proto__":{"isAdmin":true}}'))

// 修复：使用 Object.create(null) 或 hasOwnProperty

2. 正则表达式拒绝服务 (ReDoS)

// 易受攻击的正则表达式
/^(a+)+$/

// 攻击：长字符串 'a' 会导致灾难性回溯

// 修复：避免嵌套量词，使用原子组

// 易受攻击
db.query(`SELECT * FROM users WHERE id = ${userId}`)

// 修复：使用参数化查询
db.query('SELECT * FROM users WHERE id = ?', [userId])

4. 跨站脚本攻击 (XSS)

// 易受攻击
element.innerHTML = userInput

// 修复：使用 textContent 或进行清理
element.textContent = userInput
// 或
element.innerHTML = DOMPurify.sanitize(userInput)

修复优先级矩阵

严重性	可利用性	优先级	时间线
严重	高	P0	24 小时
严重	中	P1	1 周
高危	高	P1	1 周
高危	中	P2	2 周
中等	高	P2	2 周
中等	中	P3	1 个月
低危	任何	P4	下一个周期

定期漏洞扫描
记录在案的修复流程
及时修复的证据

每月漏洞扫描
30 天内修复严重漏洞
补丁管理流程

定期安全评估
记录风险分析
及时修复漏洞

工具	语言	成本	功能
npm audit	Node.js	免费	基础，快速
Snyk	多语言	免费版	高级，自动修复
Dependabot	多语言	免费	自动 PR
WhiteSource	多语言	付费	企业级功能
Sonatype	多语言	付费	策略强制执行

🇺🇸English

Dependency Vulnerability Scanner

Scans project dependencies for known security vulnerabilities and provides remediation guidance.

When to Use

"Check for vulnerable dependencies"
"Security audit my dependencies"
"Scan for CVEs"
"Check npm/pip vulnerabilities"
"Update vulnerable packages"

Instructions

1. Detect Package Manager

# Node.js
[ -f "package.json" ] && echo "npm/yarn"

# Python
[ -f "requirements.txt" ] && echo "pip"

# Ruby
[ -f "Gemfile" ] && echo "bundler"

# Go
[ -f "go.mod" ] && echo "go modules"

# Rust
[ -f "Cargo.toml" ] && echo "cargo"

2. Run Security Audit

npm (Node.js)

Basic audit:

npm audit

# Output:
# found 3 vulnerabilities (2 moderate, 1 high)
# run `npm audit fix` to fix them

Detailed report:

npm audit --json > audit-report.json
npm audit --production  # Only production dependencies

Auto-fix:

npm audit fix            # Safe fixes
npm audit fix --force    # May introduce breaking changes

Yarn

yarn audit

# Fix vulnerabilities
yarn upgrade-interactive

# Generate report
yarn audit --json > audit-report.json

pip (Python)

# Install pip-audit
pip install pip-audit

# Run audit
pip-audit

# With fix suggestions
pip-audit --fix

# Check requirements file
pip-audit --requirement requirements.txt

# Output JSON
pip-audit --format json > audit-report.json

Safety (Python alternative)

pip install safety

# Check installed packages
safety check

# Check requirements
safety check --file requirements.txt

# Full report
safety check --full-report

Bundle Audit (Ruby)

gem install bundler-audit

# Update vulnerability database
bundle audit update

# Run audit
bundle audit check

# Auto-update
bundle audit check --update

Snyk (Multi-language)

# Install
npm install -g snyk

# Authenticate
snyk auth

# Test project
snyk test

# Monitor continuously
snyk monitor

# Fix vulnerabilities
snyk fix

OWASP Dependency-Check

# Download
wget https://github.com/jeremylong/DependencyCheck/releases/download/v8.0.0/dependency-check-8.0.0-release.zip
unzip dependency-check-8.0.0-release.zip

# Run scan
./dependency-check/bin/dependency-check.sh \
  --project "My Project" \
  --scan ./

# Generate HTML report
--format HTML --out ./reports

3. Parse and Categorize Results

Severity levels:

Critical : Immediate action required
High : Fix ASAP
Moderate : Plan to fix
Low : Monitor and assess

Example output analysis:

{
  "vulnerabilities": [
    {
      "name": "lodash",
      "severity": "high",
      "via": ["prototype-pollution"],
      "fixAvailable": {
        "name": "lodash",
        "version": "4.17.21"
      }
    }
  ]
}

4. Generate Security Report

# Dependency Vulnerability Report

**Date:** 2024-01-15
**Project:** my-app
**Total Dependencies:** 250
**Vulnerabilities Found:** 12

## Summary

- Critical: 1
- High: 3
- Moderate: 5
- Low: 3

## Critical Vulnerabilities

### 1. Prototype Pollution in lodash (CVE-2020-8203)

**Severity:** Critical
**Package:** lodash@4.17.15
**Fixed in:** lodash@4.17.21
**CVSS Score:** 9.8

**Description:**
Prototype pollution vulnerability allows attackers to modify object prototypes.

**Impact:**
Remote code execution possible if attacker controls input to vulnerable functions.

**Remediation:**
```bash
npm install lodash@4.17.21

Priority: Immediate (deploy within 24 hours)

High Vulnerabilities

2. Regular Expression Denial of Service in trim (CVE-2020-7753)

Severity: High Package: trim@0.0.1 Fixed in: trim@1.0.1 CVSS Score: 7.5

Description: ReDoS vulnerability in input parsing.

Remediation:

npm install trim@1.0.1

Priority: High (fix this week)

[... more vulnerabilities ...]

Recommendations

Immediate Actions (Critical)
- Update lodash to 4.17.21
- Test thoroughly
- Deploy to production
Short-term (High)
- Update trim, axios, express
- Review indirect dependencies
- Run integration tests
Long-term (Moderate/Low)
- Schedule updates for moderate issues
- Monitor low severity issues
- Consider alternative packages

Prevention

Enable Dependabot/Renovate
Run audits in CI/CD
Review dependencies before adding

Keep dependencies up to date

5. Automated Scanning in CI/CD

GitHub Actions:

name: Security Audit

on:
  schedule:
    - cron: '0 0 * * 1'  # Weekly
  pull_request:
  push:
    branches: [main]

jobs:
  audit:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v3

      - name: Setup Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '20'

      - name: Run npm audit
        run: |
          npm audit --audit-level=moderate
          npm audit --json > audit-report.json

      - name: Upload audit report
        uses: actions/upload-artifact@v3
        with:
          name: audit-report
          path: audit-report.json

      - name: Fail on high vulnerabilities
        run: npm audit --audit-level=high

With Snyk:

- name: Run Snyk
  uses: snyk/actions/node@master
  env:
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  with:
    args: --severity-threshold=high

6. Dependabot Configuration

.github/dependabot.yml:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    reviewers:
      - "security-team"
    labels:
      - "dependencies"
      - "security"
    commit-message:
      prefix: "chore"
      include: "scope"

  # Security updates only
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5
    allow:
      - dependency-type: "direct"
    versioning-strategy: increase-if-necessary

7. License Compliance

Check licenses:

# Install license-checker
npm install -g license-checker

# Check all licenses
license-checker

# Generate report
license-checker --json > licenses.json

# Check for problematic licenses
license-checker --onlyAllow 'MIT;Apache-2.0;BSD-3-Clause'

Python:

pip install pip-licenses

pip-licenses

# Format as table
pip-licenses --format=markdown

# Check compatibility
pip-licenses --fail-on 'GPL'

8. Supply Chain Security

Verify package integrity:

# npm
npm audit signatures

# Check for suspicious packages
npx socket npm i lodash

Monitor for typosquatting:

# Install confused
npm install -g confused

# Check for dependency confusion
confused -l package.json

9. Continuous Monitoring

Setup alerts:

// In package.json
{
  "scripts": {
    "audit": "npm audit",
    "audit:fix": "npm audit fix",
    "audit:report": "npm audit --json > reports/audit-$(date +%Y%m%d).json",
    "precommit": "npm audit --audit-level=high"
  }
}

Husky hook:

{
  "husky": {
    "hooks": {
      "pre-commit": "npm audit --audit-level=high"
    }
  }
}

10. Best Practices

DO:

Run audits regularly (weekly minimum)
Fix critical/high vulnerabilities immediately
Review audit reports before releases
Use automated tools (Dependabot, Renovate)
Monitor security advisories
Document exceptions/accepted risks
Test fixes in staging first

DON'T:

Ignore audit warnings
Use --force without understanding impact
Skip security updates
Add packages without review
Disable audit checks
Use outdated dependencies unnecessarily

Common Vulnerability Types

1. Prototype Pollution

// Vulnerable code
function merge(target, source) {
  for (let key in source) {
    target[key] = source[key]
  }
}

// Attack
merge({}, JSON.parse('{"__proto__":{"isAdmin":true}}'))

// Fix: Use Object.create(null) or hasOwnProperty

2. Regular Expression DoS (ReDoS)

// Vulnerable regex
/^(a+)+$/

// Attack: Long string of 'a's causes catastrophic backtracking

// Fix: Avoid nested quantifiers, use atomic groups

3. SQL Injection

// Vulnerable
db.query(`SELECT * FROM users WHERE id = ${userId}`)

// Fix: Use parameterized queries
db.query('SELECT * FROM users WHERE id = ?', [userId])

4. Cross-Site Scripting (XSS)

// Vulnerable
element.innerHTML = userInput

// Fix: Use textContent or sanitize
element.textContent = userInput
// or
element.innerHTML = DOMPurify.sanitize(userInput)

Remediation Priority Matrix

Severity	Exploitability	Priority	Timeline
Critical	High	P0	24 hours
Critical	Medium	P1	1 week
High	High	P1	1 week
High	Medium	P2	2 weeks
Moderate	High	P2	2 weeks
Moderate	Medium	P3	1 month
Low	Any	P4	Next cycle

Compliance Requirements

SOC 2:

Regular vulnerability scanning
Documented remediation process
Evidence of timely fixes

PCI DSS:

Monthly vulnerability scans
Fix critical vulnerabilities within 30 days
Patch management process

HIPAA:

Regular security assessments
Document risk analysis
Timely vulnerability remediation

Tools Comparison

Tool	Languages	Cost	Features
npm audit	Node.js	Free	Basic, fast
Snyk	Multi	Free tier	Advanced, auto-fix
Dependabot	Multi	Free	Auto PRs
WhiteSource	Multi	Paid	Enterprise features
Sonatype	Multi	Paid	Policy enforcement

Weekly Installs

Repository

dexploarer/clau…s-skills

GitHub Stars

First Seen

1 day ago

Security Audits

Gen Agent Trust HubPass SocketPass SnykWarn

Installed on

zencoder1

amp1

cline1

openclaw1

opencode1

cursor1

Azure Data Explorer (Kusto) 查询技能：KQL数据分析、日志遥测与时间序列处理

114,200 周安装

依赖漏洞扫描器 - 一键安全审计 npm/pip/Cargo 项目依赖，修复 CVE 漏洞

🇨🇳中文介绍

依赖漏洞扫描器

使用时机

使用说明

1. 检测包管理器

2. 运行安全审计

npm (Node.js)

相关 Skills

Yarn

pip (Python)

Safety (Python 替代方案)

Bundle Audit (Ruby)

Snyk (多语言)

OWASP Dependency-Check

3. 解析和分类结果

4. 生成安全报告

高危漏洞

2. trim 中的正则表达式拒绝服务 (CVE-2020-7753)

建议

预防措施

5. CI/CD 中的自动化扫描

6. Dependabot 配置

7. 许可证合规性

8. 供应链安全

9. 持续监控

10. 最佳实践

常见漏洞类型

修复优先级矩阵

合规性要求

工具对比

🇺🇸English

Dependency Vulnerability Scanner

When to Use

Instructions

1. Detect Package Manager

2. Run Security Audit

npm (Node.js)

Yarn

pip (Python)

Safety (Python alternative)

Bundle Audit (Ruby)

Snyk (Multi-language)

OWASP Dependency-Check

3. Parse and Categorize Results

4. Generate Security Report

High Vulnerabilities

2. Regular Expression Denial of Service in trim (CVE-2020-7753)

Recommendations

Prevention

5. Automated Scanning in CI/CD

6. Dependabot Configuration

7. License Compliance

8. Supply Chain Security

9. Continuous Monitoring

10. Best Practices

Common Vulnerability Types

Remediation Priority Matrix

Compliance Requirements

Tools Comparison

最新 Skills