cve-audit

by Mearman

2🍴 0📅 Jan 23, 2026

SKILL.md

name: cve-audit
description: Scan project dependencies for known vulnerabilities. Automatically detect and parse package files (package.json, requirements.txt, Gemfile, go.mod, pom.xml) and check all dependencies against the CVE database. Use when you want to audit a project for security vulnerabilities, check if dependencies have known CVEs, or generate a vulnerability report for compliance.

CVE Dependency Audit

Automatically scan your project's dependencies and identify known Common Vulnerabilities and Exposures (CVEs). Supports Node.js, Python, Ruby, Go, and Maven projects.

Quick Start

# Scan current directory
npx tsx scripts/audit.ts

# Scan specific directory
npx tsx scripts/audit.ts /path/to/project

# Only show critical vulnerabilities
npx tsx scripts/audit.ts --severity critical

# Get fresh data (bypass cache)
npx tsx scripts/audit.ts --no-cache

# Output as JSON
npx tsx scripts/audit.ts --json

Run from the cve-search plugin directory: ~/.claude/plugins/cache/cve-search/

Usage

npx tsx scripts/audit.ts [directory] [options]

Options

Option              Description
[directory]         Directory to scan (default: current directory)
--severity <level>  Filter by severity: critical, high, medium, low
--no-cache          Bypass cache and fetch fresh data
--json              Output results as JSON
--help              Show help message

Supported Package Managers

The skill automatically detects and parses dependency files from multiple ecosystems:

Node.js / npm

  • File: package.json
  • Detects: dependencies, devDependencies, peerDependencies
  • Example: "express": "^4.18.0"

Python / pip

  • File: requirements.txt
  • Detects: Pinned versions and ranges
  • Example: django==3.2.10 or requests>=2.25.0

Ruby / Bundler

  • File: Gemfile
  • Detects: Gem dependencies with versions
  • Example: gem 'rails', '~> 6.1.0'

Go / Go Modules

  • File: go.mod
  • Detects: Direct and indirect dependencies
  • Example: require github.com/user/repo v1.2.3

Java / Maven

  • File: pom.xml
  • Detects: Project and transitive dependencies
  • Example: <artifactId>log4j-core</artifactId>

How It Works

  1. Discovery: Scans for supported dependency files in the directory
  2. Parsing: Extracts package names and versions from each file
  3. Searching: Queries CVE database for each dependency
  4. Filtering: Identifies which vulnerabilities affect installed versions
  5. Reporting: Displays results sorted by severity
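The discovery and parsing steps (1 and 2) for three of the file formats listed above, as an added example that is not the plugin's own scripts/audit.ts. It emits the {name, version, source} records the JSON output uses; reducing a range such as ^4.18.0 to its lowest allowed version and keeping unpinned pip requirements with the version "unknown" are choices of this example, not documented behaviour of the skill.

```typescript
// Added example of the discovery/parsing steps; not code from the cve-audit plugin.
// Range specs are reduced to their lowest allowed version (an assumption of this example).
type Dependency = { name: string; version: string; source: "npm" | "pip" | "go" };

// "^4.18.0", "~> 6.1.0", ">=2.25.0" become "4.18.0", "6.1.0", "2.25.0"
function baseVersion(spec: string): string {
  const m = spec.trim().match(/(\d+(?:\.\d+)*)/);
  return m ? m[1] : spec.trim();
}

// package.json: dependencies, devDependencies and peerDependencies
function parsePackageJson(text: string): Dependency[] {
  const pkg = JSON.parse(text) as Record<string, Record<string, string> | undefined>;
  const out: Dependency[] = [];
  for (const key of ["dependencies", "devDependencies", "peerDependencies"]) {
    const section: Record<string, string> = pkg[key] ?? {};
    for (const name of Object.keys(section)) {
      out.push({ name, version: baseVersion(section[name]), source: "npm" });
    }
  }
  return out;
}

// requirements.txt: pinned (==) and range (>=, ~=, ...) specifiers. Comments and
// option lines (-r, --index-url) are skipped; unpinned names are kept as "unknown".
function parseRequirementsTxt(text: string): Dependency[] {
  const out: Dependency[] = [];
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*$/, "").trim();
    if (!line || line[0] === "-") continue;
    const m = line.match(/^([A-Za-z0-9_.\-]+)(?:\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)\s*([^,;\s]+)/);
    if (m) out.push({ name: m[1].toLowerCase(), version: m[3], source: "pip" });
    else out.push({ name: line.toLowerCase(), version: "unknown", source: "pip" });
  }
  return out;
}

// go.mod: "require path vX.Y.Z" lines and entries inside a require ( ... ) block;
// "// indirect" markers are stripped first, so indirect dependencies are kept too
function parseGoMod(text: string): Dependency[] {
  const out: Dependency[] = [];
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\/\/.*$/, "").trim();
    const m = line.match(/^(?:require\s+)?(\S+\/\S+)\s+v(\d+(?:\.\d+)*\S*)$/);
    if (m) out.push({ name: m[1], version: m[2], source: "go" });
  }
  return out;
}
```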

Output Format

Standard Output

🔍 Scanning for dependencies in /home/user/myproject...

Found dependency files: package.json, requirements.txt

Scanning 45 dependencies for CVEs...

📊 Audit Results

Total vulnerabilities found: 8
  🔴 Critical: 1 | 🟠 High: 2 | 🟡 Medium: 4 | 🔵 Low: 1

Showing 3 critical/high vulnerabilities:

📦 express@4.18.0 - 2 vulnerability(ies)

  🔴 CVE-2024-1234
     Score: 9.2 | Buffer overflow in request parsing

  🟠 CVE-2024-5678
     Score: 7.1 | Path traversal in static file handling

─────────────────────────────────────────────────────────────

🐍 django@3.2.10 - 1 vulnerability(ies)

  🟠 CVE-2024-9999
     Score: 7.5 | SQL injection in ORM query handling

─────────────────────────────────────────────────────────────

⚠️  Recommendations:
  1. Update dependencies to patched versions
  2. Review CVE details at https://cve.mitre.org/
  3. Use --no-cache for latest vulnerability data

JSON Output

npx tsx scripts/audit.ts --json

Returns structured data:

{
  "dependencies": [
    {
      "name": "express",
      "version": "4.18.0",
      "source": "npm",
      "file": "/path/to/package.json"
    }
  ],
  "vulnerabilities": [
    {
      "cveId": "CVE-2024-1234",
      "dependency": { "name": "express", "version": "4.18.0", ... },
      "severity": "CRITICAL",
      "score": 9.2,
      "summary": "Buffer overflow in request parsing",
      "affectsVersion": true
    }
  ],
  "summary": {
    "total": 8,
    "critical": 1,
    "high": 2,
    "medium": 4,
    "low": 1
  }
}

Use Cases

Security Audit Before Deployment

Verify your production dependencies are safe:

npx tsx scripts/audit.ts /app/backend --severity critical

Dependency Health Check

Regular checks to catch newly discovered vulnerabilities:

npx tsx scripts/audit.ts . --no-cache

Generate Compliance Reports

Export vulnerability data for security reviews:

npx tsx scripts/audit.ts . --json > vulnerability-report.json

Focus on Critical Issues

Alert on only the most severe vulnerabilities:

npx tsx scripts/audit.ts . --severity critical --json

Multi-Project Assessment

Audit multiple projects in a monorepo:

npx tsx scripts/audit.ts services/auth
npx tsx scripts/audit.ts services/api
npx tsx scripts/audit.ts services/web

Severity Levels

Level     CVSS Range  Icon  Meaning
CRITICAL  9.0-10.0    🔴    Immediate patching required
HIGH      7.0-8.9     🟠    Schedule patching soon
MEDIUM    4.0-6.9     🟡    Monitor and plan updates
LOW       0.1-3.9     🔵    Low risk, update when convenient
UNKNOWN   N/A               Unable to determine severity

Caching

Results are cached for 24 hours by default. CVE information for a given package changes infrequently, so caching makes repeat scans much faster.

Use --no-cache when:

  • Running scheduled security audits
  • Checking for recently disclosed vulnerabilities that a cached result would miss
  • Doing a fresh security assessment
  • Setting up CI/CD pipelines

Exit Codes

Code  Meaning
0     Success (no vulnerabilities found or filtered)
1     Vulnerabilities found (or error occurred)

Examples

Audit Node.js project with package.json

cd ~/myapp
npx tsx scripts/audit.ts
# Scans package.json and devDependencies

Audit Python project

cd ~/myproject
npx tsx scripts/audit.ts . --severity high
# Scans requirements.txt, shows only HIGH and CRITICAL

Audit Go project with fresh data

npx tsx scripts/audit.ts /path/to/go/project --no-cache
# Scans go.mod with latest CVE data

Generate JSON report for all vulnerabilities

npx tsx scripts/audit.ts --json > audit-report.json
# Machine-readable format for parsing/integration

CI/CD Integration

# Fail if any critical vulnerabilities found
npx tsx scripts/audit.ts --severity critical
if [ $? -ne 0 ]; then
  echo "Critical vulnerabilities detected!"
  exit 1
fi
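The exit-code gate above cannot tell a finding from a scan error, because both return code 1. As an added example that is not part of the plugin, here is a gate written against the fields of the --json report instead; the threshold and failOnUnknown parameters, the affectsVersion filter and the blocking-line format are choices of this example.

```typescript
// Added example, not code from the cve-audit plugin: decide a CI outcome from the
// --json report rather than from the exit code, which is 1 for findings and errors alike.
type Severity = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "UNKNOWN";

// Shape of the report's "vulnerabilities" entries and "summary" as shown in JSON Output
interface Finding {
  cveId: string; severity: Severity; score: number | null; summary: string;
  dependency: { name: string; version: string }; affectsVersion: boolean;
}
interface Report { vulnerabilities: Finding[]; summary: { total: number } }
interface GateResult { status: "pass" | "fail" | "error"; blocking: string[]; reason?: string }

const RANK: Record<string, number> = { CRITICAL: 4, HIGH: 3, MEDIUM: 2, LOW: 1, UNKNOWN: 0 };

// threshold: lowest severity that blocks the build. failOnUnknown: UNKNOWN (or unrecognised)
// severities cannot be triaged automatically, so by default they block instead of being
// dropped silently.
function gateReport(reportJson: string, threshold: Severity, failOnUnknown = true): GateResult {
  let report: Report | undefined;
  try {
    report = JSON.parse(reportJson);
  } catch (_e) {
    return { status: "error", blocking: [], reason: "report is not valid JSON; the scan probably failed" };
  }
  if (!report || !Array.isArray(report.vulnerabilities) || !report.summary) {
    return { status: "error", blocking: [], reason: "report lacks vulnerabilities/summary fields" };
  }
  const blocking = report.vulnerabilities
    // assumption: only findings flagged as affecting the installed version count
    .filter(v => v.affectsVersion)
    .filter(v => (v.severity in RANK && RANK[v.severity] > 0)
      ? RANK[v.severity] >= RANK[threshold]
      : failOnUnknown)
    .map(v => v.cveId + " " + v.severity + " in " + v.dependency.name + "@" + v.dependency.version);
  return { status: blocking.length > 0 ? "fail" : "pass", blocking };
}
```

Feed it the file written by `npx tsx scripts/audit.ts --json > report.json` and map pass/fail/error to the pipeline's own exit codes, so a broken scan is not mistaken for a clean one.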

Limitations

  • Version matching: Uses simple semantic versioning comparison
  • Direct dependencies only: Scans only direct dependencies listed in source files (not transitive dependencies from lock files)
  • Ruby Gemfile: Only scans gems with explicit version specifications in Gemfile (use Gemfile.lock for complete dependency information)
  • Platform-specific vulnerabilities: Shows all known CVEs regardless of platform
  • Rate limiting: OpenCVE API may limit requests (automatic backoff handled)
  • Accuracy: Depends on CVE database accuracy and product name matching

Performance

  • Typical scan time: 10-60 seconds (depending on dependency count and network)
  • Caching: Significantly reduces repeat scan time
  • Parallel searches: Could be optimized with concurrent API requests

Troubleshooting

"No supported dependency files found"

  • Ensure your project has one of the supported files:
    • package.json (Node.js)
    • requirements.txt (Python)
    • Gemfile (Ruby)
    • go.mod (Go)
    • pom.xml (Maven)

Some dependencies not scanned

  • Dependency names must match OpenCVE database naming
  • Some packages are named differently in the CVE database than in the package manager
  • Try searching individual dependencies with the cve-lookup skill

No vulnerabilities found

  • Your dependencies may be up-to-date
  • Re-run with --no-cache to query the latest database
  • Verify that the dependency files are valid

Rate limit errors

  • Wait a moment and retry
  • Use cached results from previous queries
  • Reduce severity level to scan fewer CVEs

  • cve-lookup: Search for individual CVEs by ID or product name
  • Combine with version managers to get patches
  • Use results with dependency update tools
