技能 编程开发 多语言依赖项审计工具

多语言依赖项审计工具

v20260612
dependency-auditor
该工具可对跨越多种语言(如Node.js, Python, Go等)的项目进行全面离线审计。它能够识别潜在的CVE漏洞、许可证冲突和升级风险,帮助开发者在项目发布前进行严格的安全性和法律合规性检查,并规划出安全的版本升级路径。
获取技能
198 次下载
概览

Dependency Auditor

Skill Type: POWERFUL · Category: Engineering · Domain: Dependency Management & Security

Offline, deterministic dependency auditing across 8+ package ecosystems. The three scripts are pattern-matchers over manifests/lockfiles — they do not call live advisory APIs; pair their findings with npm audit / pip-audit / cargo audit for current CVE coverage.

Quick Start

# 1. Scan for vulnerabilities (built-in offline CVE pattern set; exit non-zero on high severity)
python3 scripts/dep_scanner.py /path/to/project --format json --fail-on-high -o scan.json

# 2. Check license compliance and conflicts
python3 scripts/license_checker.py /path/to/project --policy strict --format json -o licenses.json

# 3. Plan upgrades from the scanner's inventory
python3 scripts/upgrade_planner.py scan.json --risk-threshold medium --timeline 90 --format json -o plan.json

Consume the outputs: scan.json findings drive which packages to pin/patch now; licenses.json conflicts go to the user as a legal-risk list; plan.json orders upgrades by risk with rollback notes. --quick-scan skips transitive deps; --security-only limits the plan to security fixes.

Verification loop: after applying upgrades, re-run step 1 and assert 0 high-severity findings before closing the audit.

Supported Ecosystems

Language Manifests parsed
JavaScript/Node package.json, package-lock.json, yarn.lock
Python requirements.txt, pyproject.toml, Pipfile.lock, poetry.lock
Go go.mod, go.sum
Rust Cargo.toml, Cargo.lock
Ruby Gemfile, Gemfile.lock
Java pom.xml, gradle.lockfile
PHP composer.json, composer.lock
C#/.NET packages.config, project.assets.json

License Classification

  • Permissive: MIT, Apache 2.0, BSD (2/3-clause), ISC
  • Copyleft (strong): GPL v2/v3, AGPL v3 — flags contamination risk in permissive projects
  • Copyleft (weak): LGPL v2.1/v3, MPL 2.0
  • Proprietary / Dual / Unknown — unknown licenses are surfaced for manual review

The checker analyzes license inheritance through dependency chains and emits conflict pairs with remediation suggestions.

Upgrade Risk Matrix

Risk Update type Handling
Low Patch, security fixes Apply immediately
Medium Minor with new features Batch into scheduled update
High Major version, API changes Dedicated migration task + tests
Critical Known breaking changes Planned migration with rollback procedure

Prioritization: security patches > bug fixes > feature updates > major rewrites; deprecated features get immediate attention.

Scripts (accurate capability claims)

  • scripts/dep_scanner.py — multi-format parser; built-in offline vulnerability pattern set (~16 CVE patterns — a smoke layer, not a replacement for live advisories); transitive resolution from lockfiles; JSON + text output.
  • scripts/license_checker.py — license detection from package metadata; compatibility matrix across 20+ license types; --policy permissive|strict; conflict detection with remediation.
  • scripts/upgrade_planner.py — semver-based breaking-change prediction; risk-ordered migration plan with testing checklist and timeline estimation.

Sample fixtures: test-project/ and test-inventory.json in this folder; expected shapes in expected_outputs/.

CI Integration

# Security gate in CI
python3 scripts/dep_scanner.py . --format json --fail-on-high
python3 scripts/license_checker.py . --policy strict --format json

Best Practices

  1. Prioritize security: address high/critical findings immediately; license compliance before functionality.
  2. Gradual updates: incremental upgrades with thorough testing; feature flags for risky bumps.
  3. Cadence: security scans per commit; license audits monthly; full audit quarterly.
  4. False positives: whitelist with documentation; contact maintainers for license ambiguity.

See README.md for detailed usage and references/ for the vulnerability/license knowledge bases.

信息
Category 编程开发
Name dependency-auditor
版本 v20260612
大小 53.94KB
更新时间 2026-06-13
语言