Dependency Auditor Skill

Automated security auditing of project dependencies to identify known vulnerabilities.

Instructions

You are a dependency security expert. When invoked:

1. Scan Dependencies:

   • Analyze package.json, requirements.txt, go.mod, Gemfile, etc.
   • Check for known vulnerabilities (CVEs)
   • Identify outdated packages
   • Detect transitive dependency issues
   • Check license compatibility

2. Vulnerability Assessment:

   • Severity classification (Critical, High, Medium, Low)
   • Exploitability analysis
   • Attack vector identification
   • Impact assessment
   • Available patches or workarounds

3. Supply Chain Security:

   • Detect suspicious packages
   • Check package integrity
   • Verify package maintainers
   • Identify typosquatting attempts
   • Check for deprecated packages

4. Remediation Guidance:

   • Suggest safe version upgrades
   • Provide patch availability
   • Recommend alternative packages
   • Breaking change analysis
   • Migration path guidance

5. Generate Report: Create detailed security audit with prioritized action items

Vulnerability Severity Levels

Critical

• Remote code execution (RCE)
• SQL injection in core dependencies
• Authentication bypass
• Arbitrary file access
• Privilege escalation
• Action: Fix immediately, consider hotfix

High

• Cross-site scripting (XSS)
• Denial of service (DoS)
• Information disclosure
• Path traversal
• Insecure deserialization
• Action: Fix within 7 days

Medium

• Security misconfiguration
• Weak cryptography
• Session fixation
• Unvalidated redirects
• Action: Fix within 30 days

Low

• Information leakage
• Insecure defaults
• Minor security flaws
• Action: Fix in regular maintenance cycle

Usage Examples

@dependency-auditor
@dependency-auditor --severity critical
@dependency-auditor --fix-suggestions
@dependency-auditor --include-transitive
@dependency-auditor package.json
@dependency-auditor --check-licenses
@dependency-auditor --supply-chain

Audit Commands by Ecosystem

Node.js / npm

# Check for vulnerabilities
npm audit

# Get detailed report
npm audit --json

# Check for specific severity
npm audit --audit-level=high

# Automatic fix (use with caution)
npm audit fix

# Fix only non-breaking changes
npm audit fix --only=prod

# Check with yarn
yarn audit

# Check with pnpm
pnpm audit

# Use external tools
npx snyk test
npx audit-ci --moderate

Python

# Using pip-audit
pip-audit

# Using safety
safety check
safety check --json

# Check requirements file
pip-audit -r requirements.txt

# Using bandit for code issues
bandit -r . --severity-level high

Go

# Check vulnerabilities
go list -json -m all | nancy sleuth

# Using govulncheck
govulncheck ./...

# Check specific module
go list -json -m golang.org/x/text | nancy sleuth

Ruby

# Bundle audit
bundle audit check
bundle audit update

# Check with specific severity
bundle audit check --severity high

Java / Maven

# OWASP Dependency Check
mvn dependency-check:check

# Using snyk
snyk test

.NET

# List vulnerable packages
dotnet list package --vulnerable

# Include transitive dependencies
dotnet list package --vulnerable --include-transitive

Audit Report Format

# Dependency Security Audit Report

**Project**: my-app
**Date**: 2024-01-15
**Total Dependencies**: 342 (direct: 45, transitive: 297)
**Vulnerabilities Found**: 23
**Risk Level**: HIGH

---

## Executive Summary

🔴 **Critical**: 2 vulnerabilities
🟠 **High**: 8 vulnerabilities
🟡 **Medium**: 10 vulnerabilities
🟢 **Low**: 3 vulnerabilities

**Immediate Action Required**: 2 critical vulnerabilities need patching now
**Recommendation**: Update 10 packages, replace 2 deprecated packages

---

## Critical Vulnerabilities (2)

### 🔴 CVE-2024-1234: Remote Code Execution in lodash
**Package**: lodash@4.17.15
**Severity**: Critical (CVSS 9.8)
**CWE**: CWE-94 (Code Injection)

**Description**:
Template function in lodash allows arbitrary code execution through prototype pollution.

**Attack Vector**: Network
**Complexity**: Low
**Privileges Required**: None
**User Interaction**: None

**Affected Versions**: < 4.17.21
**Fixed Version**: 4.17.21
**Exploitability**: High (exploit code publicly available)

**Impact**:
- Remote code execution on server
- Complete system compromise possible
- Data breach risk

**Remediation**:
```bash
npm install lodash@4.17.21
# or
npm update lodash

Verification:

// Test that vulnerability is fixed
const lodash = require('lodash');
console.log(lodash.VERSION); // Should be >= 4.17.21

Breaking Changes: None Priority: Fix immediately (within 24 hours)

🔴 CVE-2024-5678: SQL Injection in sequelize

Package: sequelize@6.3.5 Severity: Critical (CVSS 9.1) CWE: CWE-89 (SQL Injection)

Description: Raw query function improperly escapes user input, allowing SQL injection attacks.

Attack Vector: Network Complexity: Low Privileges Required: Low User Interaction: None

Affected Versions: 6.0.0 - 6.6.4 Fixed Version: 6.6.5 Exploitability: High

Impact:

• Database compromise
• Unauthorized data access
• Data modification/deletion

Remediation:

npm install sequelize@6.6.5

Breaking Changes: Minor API changes in query builder Migration Guide: https://sequelize.org/docs/v6/other-topics/upgrade-to-v6/

Alternative: Consider using parameterized queries exclusively

Priority: Fix immediately (within 24 hours)

High Vulnerabilities (8)

🟠 CVE-2024-9012: Prototype Pollution in minimist

Package: minimist@1.2.5 (transitive via: mocha -> yargs -> minimist) Severity: High (CVSS 7.3) CWE: CWE-1321 (Prototype Pollution)

Description: Argument parsing allows prototype pollution leading to property injection.

Affected Versions: < 1.2.6 Fixed Version: 1.2.6

Remediation:

# Update parent package
npm update mocha

# Or use resolutions (package.json)
{
  "resolutions": {
    "minimist": "^1.2.6"
  }
}

Impact: Medium (requires specific usage patterns) Priority: Fix within 7 days

🟠 CVE-2024-3456: XSS in marked

Package: marked@4.0.10 Severity: High (CVSS 7.1) CWE: CWE-79 (Cross-Site Scripting)

Description: Markdown parser doesn't properly sanitize HTML, allowing XSS attacks.

Affected Versions: < 4.0.16 Fixed Version: 4.0.16

Remediation:

npm install marked@4.0.16

Additional Protection:

// Use with DOMPurify for extra safety
import DOMPurify from 'dompurify';
import { marked } from 'marked';

const clean = DOMPurify.sanitize(marked(userInput));

Priority: Fix within 7 days

🟠 CVE-2024-7890: Path Traversal in express-fileupload

Package: express-fileupload@1.3.1 Severity: High (CVSS 7.5)

Description: File upload functionality doesn't properly validate file paths, allowing directory traversal.

Affected Versions: < 1.4.0 Fixed Version: 1.4.0

Remediation:

npm install express-fileupload@1.4.0

Additional Hardening:

app.use(fileUpload({
  limits: { fileSize: 50 * 1024 * 1024 },
  abortOnLimit: true,
  safeFileNames: true,
  preserveExtension: true,
  uploadTimeout: 60000
}));

Priority: Fix within 7 days

Medium Vulnerabilities (10)

🟡 CVE-2024-1111: Regular Expression DoS in validator

Package: validator@13.7.0 Severity: Medium (CVSS 5.3) CWE: CWE-1333 (ReDoS)

Description: Email validation regex vulnerable to catastrophic backtracking.

Affected Versions: < 13.9.0 Fixed Version: 13.9.0

Impact: Service degradation, CPU exhaustion Priority: Fix within 30 days

Transitive Dependencies (15 issues)

Dependency Tree Analysis

my-app
├── express@4.18.0
│   ├── body-parser@1.20.0
│   │   └──