CVE Dependency Audit
Automatically scan your project's dependencies and identify known Common Vulnerabilities and Exposures (CVEs). Supports Node.js, Python, Ruby, Go, and Maven projects.
Quick Start
```bash
# Scan current directory
npx tsx scripts/audit.ts

# Scan specific directory
npx tsx scripts/audit.ts /path/to/project

# Only show critical vulnerabilities
npx tsx scripts/audit.ts --severity critical

# Get fresh data (bypass cache)
npx tsx scripts/audit.ts --no-cache

# Output as JSON
npx tsx scripts/audit.ts --json
```
Run from the cve-search plugin directory: ~/.claude/plugins/cache/cve-search/
Usage
```bash
npx tsx scripts/audit.ts [directory] [options]
```
Options
| Option | Description |
|---|---|
| [directory] | Directory to scan (default: current directory) |
| --severity <level> | Filter by severity: critical, high, medium, low |
| --no-cache | Bypass cache and fetch fresh data |
| --json | Output results as JSON |
| --help | Show help message |
Supported Package Managers
The skill automatically detects and parses dependency files from multiple ecosystems:
Node.js / npm
- File: package.json
- Detects: dependencies, devDependencies, peerDependencies
- Example: "express": "^4.18.0"
Python / pip
- File: requirements.txt
- Detects: Pinned versions and ranges
- Example: django==3.2.10 or requests>=2.25.0
Ruby / Bundler
- File: Gemfile
- Detects: Gem dependencies with versions
- Example: gem 'rails', '~> 6.1.0'
Go / Go Modules
- File: go.mod
- Detects: Direct and indirect dependencies
- Example: require github.com/user/repo v1.2.3
Java / Maven
- File: pom.xml
- Detects: Project and transitive dependencies
- Example: <artifactId>log4j-core</artifactId>
How It Works
- Discovery: Scans for supported dependency files in the directory
- Parsing: Extracts package names and versions from each file
- Searching: Queries the CVE database for each dependency
- Filtering: Identifies which vulnerabilities affect the installed versions
- Reporting: Displays results sorted by severity
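The parsing step, as an added example in the audit script's language (not the skill's own code): each text-based format from the Supported Package Managers section is reduced to the {name, version, source} records the JSON report uses. pom.xml is left out, and the sample inputs at the bottom are constructed for the example.

```typescript
// Added example, not the skill's own code: normalise the text-based dependency
// formats listed above into the {name, version, source} records the JSON report
// uses. pom.xml is left out; the sample inputs at the bottom are constructed.
interface Dependency { name: string; version: string; source: string; }

// Reduce a spec such as "^4.18.0", ">=2.25.0" or "~> 6.1.0" to its bare version.
function bareVersion(spec: string): string {
  const m = spec.match(/\d+(?:\.\d+)*/);
  return m ? m[0] : spec.trim();
}

// Apply a per-line regex to a file and build one record per matching line.
function scanLines(text: string, re: RegExp, build: (m: RegExpMatchArray) => Dependency): Dependency[] {
  const out: Dependency[] = [];
  for (const raw of text.split("\n")) { const m = raw.trim().match(re); if (m) out.push(build(m)); }
  return out;
}

// package.json: dependencies, devDependencies and peerDependencies sections.
function parsePackageJson(text: string): Dependency[] {
  const pkg = JSON.parse(text), out: Dependency[] = [];
  for (const section of ["dependencies", "devDependencies", "peerDependencies"]) {
    const deps = pkg[section] ?? {};
    for (const name of Object.keys(deps)) out.push({ name, version: bareVersion(String(deps[name])), source: "npm" });
  }
  return out;
}

// requirements.txt: pinned (==) and ranged (>=, <=, ~=, >, <) lines; comments and bare names are skipped.
const parseRequirements = (t: string) => scanLines(t, /^([A-Za-z0-9_.-]+)\s*(?:==|>=|<=|~=|>|<)\s*([^,;\s#]+)/,
  m => ({ name: m[1].toLowerCase(), version: bareVersion(m[2]), source: "pip" }));

// go.mod: single "require path vX.Y.Z" lines and the entries inside a require ( ... ) block.
const parseGoMod = (t: string) => scanLines(t, /^(?:require\s+)?([\w./-]+)\s+v(\d+\.\d+\.\d+)/,
  m => ({ name: m[1], version: m[2], source: "go" }));

// Gemfile: only gem lines that carry an explicit version string (the limitation noted later on this page).
const parseGemfile = (t: string) => scanLines(t, /^gem\s+['"]([^'"]+)['"]\s*,\s*['"]([^'"]+)['"]/,
  m => ({ name: m[1], version: bareVersion(m[2]), source: "gem" }));

// Constructed sample inputs, mirroring the examples in the sections above.
const SAMPLE_PACKAGE_JSON = '{"dependencies": {"express": "^4.18.0"}, "devDependencies": {"jest": "~29.7.0"}}';
const SAMPLE_REQUIREMENTS = "# pinned and ranged\ndjango==3.2.10\nrequests>=2.25.0\npytest\n";
const SAMPLE_GO_MOD = "module example.com/app\n\ngo 1.21\n\nrequire (\n\tgithub.com/user/repo v1.2.3 // indirect\n)\n";
const SAMPLE_GEMFILE = "source 'https://rubygems.org'\ngem 'rails', '~> 6.1.0'\ngem 'rspec'\n";
```

Note that a bare requirement such as pytest and an unversioned gem are skipped, which is why such entries show up under "Some dependencies not scanned".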
Output Format
Standard Output
```text
🔍 Scanning for dependencies in /home/user/myproject...
Found dependency files: package.json, requirements.txt
Scanning 45 dependencies for CVEs...

📊 Audit Results

Total vulnerabilities found: 8
🔴 Critical: 1 | 🟠 High: 2 | 🟡 Medium: 4 | 🔵 Low: 1

Showing 3 critical/high vulnerabilities:

📦 express@4.18.0 - 2 vulnerability(ies)
  🔴 CVE-2024-1234
     Score: 9.2 | Buffer overflow in request parsing
  🟠 CVE-2024-5678
     Score: 7.1 | Path traversal in static file handling
─────────────────────────────────────────────────────────────
🐍 django@3.2.10 - 1 vulnerability(ies)
  🟠 CVE-2024-9999
     Score: 7.5 | SQL injection in ORM query handling
─────────────────────────────────────────────────────────────

⚠️ Recommendations:
1. Update dependencies to patched versions
2. Review CVE details at https://cve.mitre.org/
3. Use --no-cache for latest vulnerability data
```
JSON Output
```bash
npx tsx scripts/audit.ts --json
```
Returns structured data:
```json
{
  "dependencies": [
    {
      "name": "express",
      "version": "4.18.0",
      "source": "npm",
      "file": "/path/to/package.json"
    }
  ],
  "vulnerabilities": [
    {
      "cveId": "CVE-2024-1234",
      "dependency": { "name": "express", "version": "4.18.0", ... },
      "severity": "CRITICAL",
      "score": 9.2,
      "summary": "Buffer overflow in request parsing",
      "affectsVersion": true
    }
  ],
  "summary": {
    "total": 8,
    "critical": 1,
    "high": 2,
    "medium": 4,
    "low": 1
  }
}
```
Use Cases
Security Audit Before Deployment
Verify your production dependencies are safe:
```bash
npx tsx scripts/audit.ts /app/backend --severity critical
```
Dependency Health Check
Regular checks to catch newly discovered vulnerabilities:
```bash
npx tsx scripts/audit.ts . --no-cache
```
Generate Compliance Reports
Export vulnerability data for security reviews:
```bash
npx tsx scripts/audit.ts . --json > vulnerability-report.json
```
Focus on Critical Issues
Alert on only the most severe vulnerabilities:
```bash
npx tsx scripts/audit.ts . --severity critical --json
```
Multi-Project Assessment
Audit multiple projects in a monorepo:
```bash
npx tsx scripts/audit.ts services/auth
npx tsx scripts/audit.ts services/api
npx tsx scripts/audit.ts services/web
```
Severity Levels
| Level | CVSS Range | Icon | Meaning |
|---|---|---|---|
| CRITICAL | 9.0-10.0 | 🔴 | Immediate patching required |
| HIGH | 7.0-8.9 | 🟠 | Schedule patching soon |
| MEDIUM | 4.0-6.9 | 🟡 | Monitor and plan updates |
| LOW | 0.1-3.9 | 🔵 | Low risk, update when convenient |
| UNKNOWN | N/A | ⚪ | Unable to determine severity |
Caching
Results are cached for 24 hours by default. CVE information doesn't change frequently, so caching improves performance.
Use --no-cache when:
- Running scheduled security audits
- Checking for recently disclosed vulnerabilities, which may not be in the cache yet
- Doing a fresh security assessment
- Setting up CI/CD pipelines
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success (no vulnerabilities found, or none remaining after the severity filter) |
| 1 | Vulnerabilities found (or an error occurred) |
Examples
Audit Node.js project with package.json
```bash
cd ~/myapp
npx tsx scripts/audit.ts
# Scans package.json, including devDependencies
```
Audit Python project
```bash
cd ~/myproject
npx tsx scripts/audit.ts . --severity high
# Scans requirements.txt, shows only HIGH and CRITICAL
```
Audit Go project with fresh data
```bash
npx tsx scripts/audit.ts /path/to/go/project --no-cache
# Scans go.mod with latest CVE data
```
Generate JSON report for all vulnerabilities
```bash
npx tsx scripts/audit.ts --json > audit-report.json
# Machine-readable format for parsing/integration
```
CI/CD Integration
```bash
# Fail if any critical vulnerabilities found
npx tsx scripts/audit.ts --severity critical
if [ $? -ne 0 ]; then
  echo "Critical vulnerabilities detected!"
  exit 1
fi
```
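The filtering, severity bucketing and exit-code logic behind the CI step, as an added example in the audit script's language (not the skill's own code). It maps CVSS scores to the levels in the Severity Levels table, uses a plain numeric semver comparison (the "simple semantic versioning comparison" noted under Limitations), and returns the exit code from the Exit Codes table. The fixedIn field and the sample findings are constructed; the real JSON report does not carry a fix version.

```typescript
// Added example, not the skill's own code: severity from CVSS, affected-version
// check by simple semver comparison, and the exit code used by the CI step.
// The "fixedIn" field and the sample findings below are constructed.
type Severity = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "UNKNOWN";
const ORDER: Severity[] = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"];

// CVSS ranges from the Severity Levels table; a missing or zero score is UNKNOWN.
function severityFromScore(score: number | null): Severity {
  if (score === null || isNaN(score) || score <= 0) return "UNKNOWN";
  if (score >= 9.0) return "CRITICAL";
  if (score >= 7.0) return "HIGH";
  if (score >= 4.0) return "MEDIUM";
  return "LOW";
}

// Numeric semver comparison (-1, 0, 1); pre-release tags and build metadata are ignored.
function compareSemver(a: string, b: string): number {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

interface Finding { cveId: string; score: number | null; installed: string; fixedIn?: string; }
// Affected when the installed version is older than the fix, or when no fix version is known.
function affectsVersion(f: Finding): boolean {
  return f.fixedIn === undefined || compareSemver(f.installed, f.fixedIn) < 0;
}

// Count affected findings at or above the --severity threshold; exit code 1 if any remain, else 0.
function summarize(findings: Finding[], minSeverity: Severity = "UNKNOWN") {
  const counts: Record<Severity, number> = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0, UNKNOWN: 0 };
  let total = 0;
  for (const f of findings) {
    if (!affectsVersion(f)) continue;
    const sev = severityFromScore(f.score);
    if (ORDER.indexOf(sev) > ORDER.indexOf(minSeverity)) continue; // below threshold (UNKNOWN only passes unfiltered)
    counts[sev]++; total++;
  }
  return { total, counts, exitCode: total > 0 ? 1 : 0 };
}
// Constructed sample findings; the first three ids are the placeholder CVEs from the report above.
const SAMPLE_FINDINGS: Finding[] = [
  { cveId: "CVE-2024-1234", score: 9.2, installed: "4.18.0", fixedIn: "4.19.2" },
  { cveId: "CVE-2024-5678", score: 7.1, installed: "4.18.0", fixedIn: "4.18.0" }, // already at the fixed version
  { cveId: "CVE-2024-9999", score: 7.5, installed: "3.2.10", fixedIn: "3.2.12" },
  { cveId: "CVE-PLACEHOLDER-0001", score: null, installed: "3.2.10" },           // no score, no known fix
];
```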
Limitations
- Version matching: Uses simple semantic versioning comparison
- Direct dependencies only: Scans only direct dependencies listed in source files (not transitive dependencies from lock files)
- Ruby Gemfile: Only scans gems with explicit version specifications in Gemfile (use Gemfile.lock for complete dependency information)
- Platform-specific vulnerabilities: Shows all known CVEs regardless of platform
- Rate limiting: OpenCVE API may limit requests (automatic backoff handled)
- Accuracy: Depends on CVE database accuracy and product name matching
Performance
- Typical scan time: 10-60 seconds (depending on dependency count and network)
- Caching: Significantly reduces repeat scan time
- Parallel searches: Could be optimized with concurrent API requests
Troubleshooting
"No supported dependency files found"
- Ensure your project has one of the supported files:
  - package.json (Node.js)
  - requirements.txt (Python)
  - Gemfile (Ruby)
  - go.mod (Go)
  - pom.xml (Maven)
Some dependencies not scanned
- Dependency names must match OpenCVE database naming
- Some packages use different names in CVE vs package manager
- Try searching individual dependencies with the cve-lookup skill
No vulnerabilities found
- Your dependencies may be up-to-date
- Try with --no-cache to check the latest database
- Verify dependency files are valid
Rate limit errors
- Wait a moment and retry
- Use cached results from previous queries
- Reduce severity level to scan fewer CVEs
Related Skills
- cve-lookup: Search for individual CVEs by ID or product name
- Combine with version managers to get patches
- Use results with dependency update tools
References
- OpenCVE Documentation
- Official CVE Database
- CVSS Scoring Guide
- OWASP Dependency Check - Similar tool for comparison
- npm Audit Documentation
- Python PEP 508 - Dependency specification