cve-audit

Automatically scan your project's dependencies and identify known Common Vulnerabilities and Exposures (CVEs). Supports Node.js, Python, Ruby, Go, and Maven projects.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "cve-audit" with this command: npx skills add mearman/marketplace/mearman-marketplace-cve-audit

CVE Dependency Audit

Automatically scan your project's dependencies and identify known Common Vulnerabilities and Exposures (CVEs). Supports Node.js, Python, Ruby, Go, and Maven projects.

Quick Start

Scan current directory

npx tsx scripts/audit.ts

Scan specific directory

npx tsx scripts/audit.ts /path/to/project

Only show critical vulnerabilities

npx tsx scripts/audit.ts --severity critical

Get fresh data (bypass cache)

npx tsx scripts/audit.ts --no-cache

Output as JSON

npx tsx scripts/audit.ts --json

Run from the cve-search plugin directory: ~/.claude/plugins/cache/cve-search/

Usage

npx tsx scripts/audit.ts [directory] [options]

Options

Option              Description
[directory]         Directory to scan (default: current directory)
--severity <level>  Filter by severity: critical, high, medium, low
--no-cache          Bypass cache and fetch fresh data
--json              Output results as JSON
--help              Show help message

Supported Package Managers

The skill automatically detects and parses dependency files from multiple ecosystems:

Node.js / npm

  • File: package.json

  • Detects: dependencies, devDependencies, peerDependencies

  • Example: "express": "^4.18.0"

Python / pip

  • File: requirements.txt

  • Detects: Pinned versions and ranges

  • Example: django==3.2.10 or requests>=2.25.0

Ruby / Bundler

  • File: Gemfile

  • Detects: Gem dependencies with versions

  • Example: gem 'rails', '~> 6.1.0'

Go / Go Modules

  • File: go.mod

  • Detects: Direct and indirect dependencies

  • Example: require github.com/user/repo v1.2.3

Java / Maven

  • File: pom.xml

  • Detects: Project and transitive dependencies

  • Example: <artifactId>log4j-core</artifactId>

How It Works

  • Discovery: Scans for supported dependency files in the directory

  • Parsing: Extracts package names and versions from each file

  • Searching: Queries CVE database for each dependency

  • Filtering: Identifies which vulnerabilities affect installed versions

  • Reporting: Displays results sorted by severity
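As an added example (not the cve-audit skill's own code), here are the Discovery and Parsing steps above written out in TypeScript for three of the supported formats: package.json, requirements.txt and go.mod. The Dependency record shape, the function names and the sample files are all constructed for this illustration; the Gemfile and pom.xml parsers are left out.

```typescript
// Added example, not the cve-audit skill's own code: the discovery and
// parsing steps for package.json, requirements.txt and go.mod. The record
// shape, function names and sample files below are all constructed here.

export interface Dependency {
  name: string;
  version: string; // pin or range exactly as written in the file
  source: "npm" | "pip" | "go";
}

// package.json: the three sections the skill lists.
export function parsePackageJson(text: string): Dependency[] {
  const pkg = JSON.parse(text) as Record<string, Record<string, string> | undefined>;
  const out: Dependency[] = [];
  for (const section of ["dependencies", "devDependencies", "peerDependencies"]) {
    for (const [depName, version] of Object.entries(pkg[section] ?? {})) {
      out.push({ name: depName, version, source: "npm" });
    }
  }
  return out;
}

// requirements.txt: one requirement per line (PEP 508 style). Comments, blank
// lines, pip options such as -r/--index-url, extras and environment markers
// are skipped; an unversioned name gets "*".
export function parseRequirements(text: string): Dependency[] {
  const out: Dependency[] = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, "").split(";")[0].trim();
    if (line === "" || line.startsWith("-")) continue;
    const m = /^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$/.exec(line);
    if (!m) continue;
    out.push({ name: m[1], version: m[2].trim() || "*", source: "pip" });
  }
  return out;
}

// go.mod: both "require path vX.Y.Z" and the parenthesised block. Modules
// marked "// indirect" are kept too, matching the "direct and indirect" note.
export function parseGoMod(text: string): Dependency[] {
  const out: Dependency[] = [];
  let inBlock = false;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/\/\/.*$/, "").trim();
    if (line === "") continue;
    if (line === "require (") { inBlock = true; continue; }
    if (inBlock && line === ")") { inBlock = false; continue; }
    const m = inBlock ? /^(\S+)\s+(v\S+)$/.exec(line) : /^require\s+(\S+)\s+(v\S+)$/.exec(line);
    if (m) out.push({ name: m[1], version: m[2], source: "go" });
  }
  return out;
}

// Discovery step: route each file by its base name to the matching parser and
// concatenate the results. Directory walking is assumed to have happened already.
export function parseDependencyFiles(files: Record<string, string>): Dependency[] {
  const parsers: Record<string, (text: string) => Dependency[]> = {
    "package.json": parsePackageJson,
    "requirements.txt": parseRequirements,
    "go.mod": parseGoMod,
  };
  const out: Dependency[] = [];
  for (const [path, text] of Object.entries(files)) {
    const parser = parsers[path.split("/").pop() ?? path];
    if (parser) out.push(...parser(text));
  }
  return out;
}

// Constructed sample files, one per parser.
export const SAMPLE_FILES: Record<string, string> = {
  "package.json": `{
  "name": "constructed-sample",
  "dependencies": { "express": "^4.18.0" },
  "devDependencies": { "tsx": "^4.0.0" }
}`,
  "requirements.txt": `# constructed sample
django==3.2.10
requests[security]>=2.25.0 ; python_version >= "3.8"
-r extra.txt
`,
  "go.mod": `module example.com/constructed

go 1.21

require github.com/user/repo v1.2.3

require (
\tgolang.org/x/text v0.14.0 // indirect
)
`,
};
```

The version field is kept exactly as written, range or pin, because the Filtering step, not the parser, decides whether a CVE's affected range overlaps it. A range such as ^4.18.0 does not identify the version actually installed, which is why the Limitations section points to lock files for accurate results.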

Output Format

Standard Output

🔍 Scanning for dependencies in /home/user/myproject...

Found dependency files: package.json, requirements.txt

Scanning 45 dependencies for CVEs...

📊 Audit Results

Total vulnerabilities found: 8
🔴 Critical: 1 | 🟠 High: 2 | 🟡 Medium: 4 | 🔵 Low: 1

Showing 3 critical/high vulnerabilities:

📦 express@4.18.0 - 2 vulnerability(ies)

🔴 CVE-2024-1234 Score: 9.2 | Buffer overflow in request parsing

🟠 CVE-2024-5678 Score: 7.1 | Path traversal in static file handling

─────────────────────────────────────────────────────────────

🐍 django@3.2.10 - 1 vulnerability(ies)

🟠 CVE-2024-9999 Score: 7.5 | SQL injection in ORM query handling

─────────────────────────────────────────────────────────────

⚠️ Recommendations:

  1. Update dependencies to patched versions
  2. Review CVE details at https://cve.mitre.org/
  3. Use --no-cache for latest vulnerability data

JSON Output

npx tsx scripts/audit.ts --json

Returns structured data:

{
  "dependencies": [
    {
      "name": "express",
      "version": "4.18.0",
      "source": "npm",
      "file": "/path/to/package.json"
    }
  ],
  "vulnerabilities": [
    {
      "cveId": "CVE-2024-1234",
      "dependency": { "name": "express", "version": "4.18.0", ... },
      "severity": "CRITICAL",
      "score": 9.2,
      "summary": "Buffer overflow in request parsing",
      "affectsVersion": true
    }
  ],
  "summary": { "total": 8, "critical": 1, "high": 2, "medium": 4, "low": 1 }
}

Use Cases

Security Audit Before Deployment

Verify your production dependencies are safe:

npx tsx scripts/audit.ts /app/backend --severity critical

Dependency Health Check

Regular checks to catch newly discovered vulnerabilities:

npx tsx scripts/audit.ts . --no-cache

Generate Compliance Reports

Export vulnerability data for security reviews:

npx tsx scripts/audit.ts . --json > vulnerability-report.json

Focus on Critical Issues

Alert on only the most severe vulnerabilities:

npx tsx scripts/audit.ts . --severity critical --json

Multi-Project Assessment

Audit multiple projects in a monorepo:

npx tsx scripts/audit.ts services/auth
npx tsx scripts/audit.ts services/api
npx tsx scripts/audit.ts services/web

Severity Levels

Level     CVSS Range  Icon  Meaning
CRITICAL  9.0-10.0    🔴    Immediate patching required
HIGH      7.0-8.9     🟠    Schedule patching soon
MEDIUM    4.0-6.9     🟡    Monitor and plan updates
LOW       0.1-3.9     🔵    Low risk, update when convenient
UNKNOWN   N/A         ⚪    Unable to determine severity

Caching

Results are cached for 24 hours by default. CVE information doesn't change frequently, so caching improves performance.

Use --no-cache when:

  • Running scheduled security audits

  • Recently disclosed vulnerabilities may not be in the cache yet

  • Doing a fresh security assessment

  • Setting up CI/CD pipelines

Exit Codes

Code  Meaning
0     Success (no vulnerabilities found, or none left after severity filtering)
1     Vulnerabilities found (or an error occurred)
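The Severity Levels table, the --severity filter and the exit-code rule fit together as follows; this is an added example rather than the skill's own code. The Finding shape, the RANK ordering and the constructed findings (which reuse the CVE ids and scores from the sample report above, plus placeholder CVE-0000-* entries) are assumptions made for the illustration.

```typescript
// Added example, not the cve-audit skill's own code: the CVSS-to-severity
// mapping from the Severity Levels table, the --severity threshold filter,
// the summary block the JSON output carries, and the 0/1 exit code.

export type Severity = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "UNKNOWN";

export interface Finding {
  cveId: string;
  dependency: string; // "name@version"
  score: number | null; // CVSS base score, or null when the feed has none
  summary: string;
}

// Ranges as listed in the Severity Levels table; anything outside 0.1-10.0,
// including a missing score, is UNKNOWN.
export function severityOf(score: number | null): Severity {
  if (score === null || Number.isNaN(score) || score < 0.1 || score > 10.0) return "UNKNOWN";
  if (score >= 9.0) return "CRITICAL";
  if (score >= 7.0) return "HIGH";
  if (score >= 4.0) return "MEDIUM";
  return "LOW";
}

// Ordering for the threshold filter and the report sort. UNKNOWN ranks lowest,
// so any explicit --severity threshold excludes it (an assumption; the page
// does not say how the skill treats unscored CVEs).
const RANK: Record<Severity, number> = { CRITICAL: 4, HIGH: 3, MEDIUM: 2, LOW: 1, UNKNOWN: 0 };

// --severity <level> keeps findings at that level or above, so "high" shows
// HIGH and CRITICAL, as the Examples section describes.
export function filterBySeverity(findings: Finding[], level?: string): Finding[] {
  if (level === undefined) return findings;
  const threshold = RANK[level.toUpperCase() as Severity];
  if (threshold === undefined || threshold === 0) {
    throw new Error(`invalid --severity value: ${level} (use critical, high, medium or low)`);
  }
  return findings.filter((f) => RANK[severityOf(f.score)] >= threshold);
}

// Highest severity first, then higher score first, as in the standard output.
export function sortBySeverity(findings: Finding[]): Finding[] {
  return [...findings].sort(
    (a, b) => RANK[severityOf(b.score)] - RANK[severityOf(a.score)] || (b.score ?? 0) - (a.score ?? 0),
  );
}

export interface Summary {
  total: number;
  critical: number;
  high: number;
  medium: number;
  low: number;
  unknown: number;
}

// The "summary" object of the JSON output, with an extra "unknown" bucket.
export function summarize(findings: Finding[]): Summary {
  const s: Summary = { total: findings.length, critical: 0, high: 0, medium: 0, low: 0, unknown: 0 };
  for (const f of findings) {
    s[severityOf(f.score).toLowerCase() as Exclude<keyof Summary, "total">] += 1;
  }
  return s;
}

// Exit Codes table: 1 when any finding survives the filter, otherwise 0.
export function exitCode(findings: Finding[]): 0 | 1 {
  return findings.length > 0 ? 1 : 0;
}

// Constructed findings echoing the page's sample report (its ids and scores),
// plus a medium, a low and an unscored entry with placeholder ids.
export const SAMPLE_FINDINGS: Finding[] = [
  { cveId: "CVE-2024-5678", dependency: "express@4.18.0", score: 7.1, summary: "Path traversal in static file handling" },
  { cveId: "CVE-2024-1234", dependency: "express@4.18.0", score: 9.2, summary: "Buffer overflow in request parsing" },
  { cveId: "CVE-2024-9999", dependency: "django@3.2.10", score: 7.5, summary: "SQL injection in ORM query handling" },
  { cveId: "CVE-0000-0002", dependency: "requests@2.25.0", score: 5.3, summary: "constructed medium finding" },
  { cveId: "CVE-0000-0003", dependency: "requests@2.25.0", score: 2.1, summary: "constructed low finding" },
  { cveId: "CVE-0000-0004", dependency: "tsx@4.0.0", score: null, summary: "constructed unscored finding" },
];
```

In a CI gate the exit code is computed on the filtered list, so --severity critical returns 0 even when high or medium findings exist; pick the threshold deliberately, and remember from the Exit Codes table that a 1 can also mean the scan itself failed.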

Examples

Audit Node.js project with package.json

cd ~/myapp
npx tsx scripts/audit.ts

Scans package.json, including its devDependencies

Audit Python project

cd ~/myproject
npx tsx scripts/audit.ts . --severity high

Scans requirements.txt, shows only HIGH and CRITICAL

Audit Go project with fresh data

npx tsx scripts/audit.ts /path/to/go/project --no-cache

Scans go.mod with latest CVE data

Generate JSON report for all vulnerabilities

npx tsx scripts/audit.ts --json > audit-report.json

Machine-readable format for parsing/integration

CI/CD Integration

Fail if any critical vulnerabilities found

npx tsx scripts/audit.ts --severity critical
# Exit status 1 also covers a failed scan (see Exit Codes), so the job stops in either case.
if [ $? -ne 0 ]; then
  echo "Critical vulnerabilities detected!"
  exit 1
fi

Limitations

  • Version matching: Uses simple semantic versioning comparison

  • Direct dependencies only: Scans only direct dependencies listed in source files (not transitive dependencies from lock files)

  • Ruby Gemfile: Only scans gems with explicit version specifications in Gemfile (use Gemfile.lock for complete dependency information)

  • Platform-specific vulnerabilities: Shows all known CVEs regardless of platform

  • Rate limiting: OpenCVE API may limit requests (automatic backoff handled)

  • Accuracy: Depends on CVE database accuracy and product name matching

Performance

  • Typical scan time: 10-60 seconds (depending on dependency count and network)

  • Caching: Significantly reduces repeat scan time

  • Parallel searches: Could be optimized with concurrent API requests

Troubleshooting

"No supported dependency files found"

  • Ensure your project has one of the supported files:

      • package.json (Node.js)

      • requirements.txt (Python)

      • Gemfile (Ruby)

      • go.mod (Go)

      • pom.xml (Maven)

Some dependencies not scanned

  • Dependency names must match OpenCVE database naming

  • Some packages use different names in CVE vs package manager

  • Try searching individual dependencies with cve-lookup skill

No vulnerabilities found

  • Your dependencies may be up-to-date

  • Try with --no-cache to check latest database

  • Verify dependency files are valid

Rate limit errors

  • Wait a moment and retry

  • Use cached results from previous queries

  • Reduce severity level to scan fewer CVEs

Related Skills

  • cve-lookup: Search for individual CVEs by ID or product name

  • Combine with version managers to get patches

  • Use results with dependency update tools

References

  • OpenCVE Documentation

  • Official CVE Database

  • CVSS Scoring Guide

  • OWASP Dependency Check - Similar tool for comparison

  • npm Audit Documentation

  • Python PEP 508 - Dependency specification

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
