# Directory Structure
```
├── .github
│ ├── ISSUE_TEMPLATE
│ │ ├── bug_report.md
│ │ └── feature_request.md
│ └── workflows
│ └── publish.yml
├── .gitignore
├── .nvmrc
├── CHANGELOG.md
├── CODE_OF_CONDUCT.md
├── Dockerfile
├── images
│ ├── cline-config.png
│ └── cursor-config.png
├── LICENSE
├── package-lock.json
├── package.json
├── Pitfalls.md
├── public
│ ├── no-Severity-response.json
│ └── Severity-response.json
├── README.md
├── smithery.yaml
├── src
│ ├── handlers
│ │ └── security.ts
│ ├── index.ts
│ ├── test
│ │ └── test.ts
│ └── types
│ ├── index.ts
│ └── npm-registry-fetch.d.ts
└── tsconfig.json
```
# Files
--------------------------------------------------------------------------------
/.nvmrc:
--------------------------------------------------------------------------------
```
1 | 22
```
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
```
1 | node_modules/
2 | *.log
3 | .env*
4 | build/
5 | dist/
6 | .vscode
```
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
```markdown
1 |
2 | # Security Audit Tool
3 |
4 | [](https://smithery.ai/server/@qianniuspace/mcp-security-audit)
5 | [](https://www.npmjs.com/package/mcp-security-audit)
6 | [](https://opensource.org/licenses/MIT)
7 |
8 | <a href="https://glama.ai/mcp/servers/jjnmdxzmeu">
9 | <img width="380" height="200" src="https://glama.ai/mcp/servers/jjnmdxzmeu/badge" />
10 | </a>
11 |
12 | A powerful MCP (Model Context Protocol) Server that audits npm package dependencies for security vulnerabilities. Built with remote npm registry integration for real-time security checks.
13 |
14 | ## Features
15 |
16 | - 🔍 Real-time security vulnerability scanning
17 | - 🚀 Remote npm registry integration
18 | - 📊 Detailed vulnerability reports with severity levels
19 | - 🛡️ Support for multiple severity levels (critical, high, moderate, low)
20 | - 📦 Compatible with npm/pnpm/yarn package managers
21 | - 🔄 Automatic fix recommendations
22 | - 📋 CVSS scoring and CVE references
23 |
24 |
25 |
26 | ### Installing via Smithery
27 |
28 | To install Security Audit Tool for Claude Desktop automatically via [Smithery](https://smithery.ai/server/@qianniuspace/mcp-security-audit):
29 |
30 | ```bash
31 | npx -y @smithery/cli install @qianniuspace/mcp-security-audit --client claude
32 | ```
33 |
34 | ### MCP Integration
35 |
36 | #### Option 1: Using NPX (Recommended)
37 |
38 |
39 | 1. Add MCP configuration to Cline /Cursor:
40 | ```json
41 | {
42 | "mcpServers": {
43 | "mcp-security-audit": {
44 | "command": "npx",
45 | "args": ["-y", "mcp-security-audit"]
46 | }
47 | }
48 | }
49 | ```
50 |
51 | #### Option 2: Download Source Code and Configure Manually
52 |
53 | 1. Clone the repository:
54 | ```bash
55 | git clone https://github.com/qianniuspace/mcp-security-audit.git
56 | cd mcp-security-audit
57 | ```
58 |
59 | 2. Install dependencies and build:
60 | ```bash
61 | npm install
62 | npm run build
63 | ```
64 |
65 | 3. Add MCP configuration to Cline /Cursor :
66 | ```json
67 | {
68 | "mcpServers": {
69 | "mcp-security-audit": {
70 | "command": "npx",
71 | "args": ["-y", "/path/to/mcp-security-audit/build/index.js"]
72 | }
73 | }
74 | }
75 | ```
76 |
77 |
78 | ## Configuration Screenshots
79 |
80 | ### Cursor Configuration
81 | 
82 |
83 | ### Cline Configuration
84 | 
85 |
86 |
87 |
88 |
89 |
90 | ## API Response Format
91 |
92 | The tool provides detailed vulnerability information including severity levels, fix recommendations, CVSS scores, and CVE references.
93 |
94 | ### Response Examples
95 |
96 | #### 1. When Vulnerabilities Found (Severity-response.json)
97 | ```json
98 | {
99 | "content": [{
100 | "vulnerability": {
101 | "packageName": "lodash",
102 | "version": "4.17.15",
103 | "severity": "high",
104 | "description": "Prototype Pollution in lodash",
105 | "cve": "CVE-2020-8203",
106 | "githubAdvisoryId": "GHSA-p6mc-m468-83gw",
107 | "recommendation": "Upgrade to version 4.17.19 or later",
108 | "fixAvailable": true,
109 | "fixedVersion": "4.17.19",
110 | "cvss": {
111 | "score": 7.4,
112 | "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
113 | },
114 | "cwe": ["CWE-1321"],
115 | "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw"
116 | },
117 | "metadata": {
118 | "timestamp": "2024-04-23T10:00:00.000Z",
119 | "packageManager": "npm"
120 | }
121 | }]
122 | }
123 | ```
124 |
125 | #### 2. When No Vulnerabilities Found (no-Severity-response.json)
126 | ```json
127 | {
128 | "content": [{
129 | "vulnerability": null,
130 | "metadata": {
131 | "timestamp": "2024-04-23T10:00:00.000Z",
132 | "packageManager": "npm",
133 | "message": "No known vulnerabilities found"
134 | }
135 | }]
136 | }
137 | ```
138 |
139 |
140 | ## Development
141 |
142 | For development reference, check the example response files in the `public` directory:
143 | - [Severity-response.json](public/Severity-response.json) : Example response when vulnerabilities are found (transformed from npm audit API response)
144 | - [no-Severity-response.json](public/no-Severity-response.json) : Example response when no vulnerabilities are found (transformed from npm audit API response)
145 |
146 | Note: The example responses shown above are transformed from the raw npm audit API responses to provide a more structured format. The original npm audit API responses contain additional metadata and may have a different structure.
147 |
148 | ## Contributing
149 |
150 | Contributions are welcome! Please read our [Contributing Guide](CODE_OF_CONDUCT.md) for details on our code of conduct and the process for submitting pull requests.
151 |
152 | ## License
153 |
154 | This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
155 |
156 | ## Author
157 |
158 | ESX ([email protected])
159 |
160 | ## Links
161 |
162 | - [GitHub Repository](https://github.com/qianniuspace/mcp-security-audit)
163 | - [Issue Tracker](https://github.com/qianniuspace/mcp-security-audit/issues)
164 | - [Changelog](CHANGELOG.md)
165 | ```
166 |
```
--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
```markdown
1 | # Contributor Covenant Code of Conduct
2 |
3 | ## Our Pledge
4 |
5 | In the interest of fostering an open and welcoming environment, we as
6 | contributors and maintainers pledge to making participation in our project and
7 | our community a harassment-free experience for everyone, regardless of age, body
8 | size, disability, ethnicity, sex characteristics, gender identity and expression,
9 | level of experience, education, socio-economic status, nationality, personal
10 | appearance, race, religion, or sexual identity and orientation.
11 |
12 | ## Our Standards
13 |
14 | Examples of behaviour that contributes to creating a positive environment
15 | include:
16 |
17 | - Using welcoming and inclusive language
18 | - Being respectful of differing viewpoints and experiences
19 | - Gracefully accepting constructive criticism
20 | - Focusing on what is best for the community
21 | - Showing empathy towards other community members
22 |
23 | Examples of unacceptable behaviours by participants include:
24 |
25 | - The use of sexualized language or imagery and unwelcome sexual attention or
26 | advances
27 | - Trolling, insulting/derogatory comments, and personal or political attacks
28 | - Public or private harassment
29 | - Publishing others' private information, such as a physical or electronic
30 | address, without explicit permission
31 | - Other conduct which could reasonably be considered inappropriate in a
32 | professional setting
33 |
34 | ## Our Responsibilities
35 |
36 | Project maintainers are responsible for clarifying the standards of acceptable
37 | behaviour and are expected to take appropriate and fair corrective action in
38 | response to any instances of unacceptable behaviour.
39 |
40 | Project maintainers have the right and responsibility to remove, edit, or
41 | reject comments, commits, code, wiki edits, issues, and other contributions
42 | that are not aligned to this Code of Conduct, or to ban temporarily or
43 | permanently any contributor for other behaviours that they deem inappropriate,
44 | threatening, offensive, or harmful.
45 |
46 | ## Scope
47 |
48 | This Code of Conduct applies both within project spaces and in public spaces
49 | when an individual is representing the project or its community. Examples of
50 | representing a project or community include using an official project e-mail
51 | address, posting via an official social media account, or acting as an appointed
52 | representative at an online or offline event. Representation of a project may be
53 | further defined and clarified by project maintainers.
54 |
55 | ## Enforcement
56 |
57 | Instances of abusive, harassing, or otherwise unacceptable behaviour may be
58 | reported by contacting the project team at [email protected]. All
59 | complaints will be reviewed and investigated and will result in a response that
60 | is deemed necessary and appropriate to the circumstances. The project team is
61 | obligated to maintain confidentiality with regard to the reporter of an incident.
62 | Further details of specific enforcement policies may be posted separately.
63 |
64 | Project maintainers who do not follow or enforce the Code of Conduct in good
65 | faith may face temporary or permanent repercussions as determined by other
66 | members of the project's leadership.
67 |
68 | ## Attribution
69 |
70 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
71 | available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
72 |
73 | [homepage]: https://www.contributor-covenant.org
74 |
75 | For answers to common questions about this code of conduct, see
76 | https://www.contributor-covenant.org/faq
77 |
```
--------------------------------------------------------------------------------
/public/no-Severity-response.json:
--------------------------------------------------------------------------------
```json
1 | {
2 | "actions": [],
3 | "advisories": {},
4 | "muted": [],
5 | "metadata": {
6 | "vulnerabilities": {
7 | "info": 0,
8 | "low": 0,
9 | "moderate": 0,
10 | "high": 0,
11 | "critical": 0
12 | },
13 | "dependencies": 1,
14 | "devDependencies": 0,
15 | "optionalDependencies": 0,
16 | "totalDependencies": 1
17 | }
18 | }
```
--------------------------------------------------------------------------------
/src/types/npm-registry-fetch.d.ts:
--------------------------------------------------------------------------------
```typescript
1 | declare module 'npm-registry-fetch' {
2 | interface FetchOptions {
3 | method?: string;
4 | body?: any;
5 | gzip?: boolean;
6 | [key: string]: any;
7 | }
8 |
9 | interface NpmFetch {
10 | json(url: string, options?: FetchOptions): Promise<any>;
11 | }
12 |
13 | const npmFetch: NpmFetch;
14 | export default npmFetch;
15 | }
```
--------------------------------------------------------------------------------
/tsconfig.json:
--------------------------------------------------------------------------------
```json
1 | {
2 | "compilerOptions": {
3 | "target": "ES2022",
4 | "module": "Node16",
5 | "moduleResolution": "Node16",
6 | "outDir": "./build",
7 | "rootDir": "./src",
8 | "strict": true,
9 | "esModuleInterop": true,
10 | "skipLibCheck": true,
11 | "forceConsistentCasingInFileNames": true
12 | },
13 | "include": ["src/**/*"],
14 | "exclude": ["node_modules"]
15 | }
16 |
```
--------------------------------------------------------------------------------
/smithery.yaml:
--------------------------------------------------------------------------------
```yaml
1 | # Smithery configuration file: https://smithery.ai/docs/config#smitheryyaml
2 |
3 | startCommand:
4 | type: stdio
5 | configSchema:
6 | # JSON Schema defining the configuration options for the MCP.
7 | type: object
8 | required: []
9 | properties: {}
10 | commandFunction:
11 | # A function that produces the CLI command to start the MCP on stdio.
12 | |-
13 | (config) => ({ command: 'node', args: ['build/index.js'], env: {} })
14 |
```
--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
```markdown
1 | # Changelog
2 |
3 | All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
4 |
5 | ### [1.0.4](https://github.com/qianniuspace/mcp-security-audit/compare/v1.0.3...v1.0.4) (2025-02-21)
6 |
7 | ### [1.0.3](https://github.com/qianniuspace/mcp-security-audit/compare/v1.0.1...v1.0.3) (2025-02-21)
8 |
9 | ### 1.0.2 (2025-02-20)
10 |
11 | ### 1.0.1 (2025-02-20)
12 |
```
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
```markdown
1 | ---
2 | name: Feature request
3 | about: Suggest an idea for this project
4 | title: "[FEATURE]"
5 | labels: enhancement
6 | assignees: StevenStavrakis
7 |
8 | ---
9 |
10 | **Is your feature request related to a problem? Please describe.**
11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
12 |
13 | **Describe the solution you'd like**
14 | A clear and concise description of what you want to happen.
15 |
16 | **Describe alternatives you've considered**
17 | A clear and concise description of any alternative solutions or features you've considered.
18 |
19 | **Additional context**
20 | Add any other context or screenshots about the feature request here.
21 |
```
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
```dockerfile
1 | # Generated by https://smithery.ai. See: https://smithery.ai/docs/config#dockerfile
2 | # Use the official Node.js 18 image as the base image
3 | FROM node:18-alpine AS builder
4 |
5 | # Set the working directory inside the container
6 | WORKDIR /app
7 |
8 | # Copy package.json and package-lock.json to the working directory
9 | COPY package.json package-lock.json ./
10 |
11 | # Install dependencies (ignoring scripts to prevent premature build)
12 | RUN npm install --ignore-scripts
13 |
14 | # Copy the rest of the application code to the container
15 | COPY . .
16 |
17 | # Build the TypeScript files
18 | RUN npm run build
19 |
20 | # Final stage: Use a smaller Node.js image to run the application
21 | FROM node:18-alpine
22 |
23 | # Set the working directory inside the container
24 | WORKDIR /app
25 |
26 | # Copy built files from the builder stage
27 | COPY --from=builder /app/build /app/build
28 | COPY --from=builder /app/package.json /app/package.json
29 | COPY --from=builder /app/package-lock.json /app/package-lock.json
30 |
31 | # Install production dependencies only
32 | RUN npm install --omit=dev --ignore-scripts
33 |
34 | # Command to run the application
35 | ENTRYPOINT ["node", "build/index.js"]
36 |
```
--------------------------------------------------------------------------------
/src/types/index.ts:
--------------------------------------------------------------------------------
```typescript
1 | /**
2 | * Type definitions for the security audit system
3 | */
4 |
5 | /**
6 | * Represents a single security vulnerability
7 | */
8 | export interface Vulnerability {
9 | name: string; // Package name
10 | version: string; // Affected version range
11 | severity: string; // Severity level (critical, high, moderate, low)
12 | description: string; // Detailed description of the vulnerability
13 | recommendation: string; // Recommended action to fix the vulnerability
14 | fixAvailable: boolean; // Whether a fix is available
15 | fixedVersion?: string; // Version that fixes the vulnerability
16 | // references: string[];
17 | githubAdvisoryId?: string; // GitHub Security Advisory ID
18 | updatedAt?: string; // Last update timestamp
19 | cvss?: { // Common Vulnerability Scoring System
20 | score: number;
21 | vector: string;
22 | };
23 | cwe?: string[]; // Common Weakness Enumeration identifiers
24 | url?: string; // URL for more information
25 | }
26 |
27 |
28 | /**
29 | * Represents a map of package names to their versions
30 | */
31 | export interface NpmDependencies {
32 | [key: string]: string; // Package name -> version mapping
33 | }
34 |
35 |
```
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
```markdown
1 | ---
2 | name: Bug report
3 | about: Report an issue with the mcp-security-audit tool
4 | title: "[BUG]"
5 | labels: bug
6 | assignees: qianniuspace
7 |
8 | ---
9 |
10 | **Describe the bug**
11 | A clear and concise description of what the bug is.
12 |
13 | **To Reproduce**
14 | Steps to reproduce the behavior:
15 | 1. Command or configuration used
16 | 2. Package.json content or dependencies being audited
17 | 3. Environment details (Node.js version, npm version)
18 | 4. Error message or unexpected output
19 |
20 | **Expected behavior**
21 | A clear and concise description of what you expected to happen.
22 |
23 | **Actual behavior**
24 | What actually happened, including any error messages, logs, or unexpected output.
25 |
26 | **Screenshots**
27 | If applicable, add screenshots to help explain your problem.
28 |
29 | **Environment information:**
30 | - OS: [e.g. macOS, Windows, Linux]
31 | - Node.js version: [e.g. 18.15.0]
32 | - npm version: [e.g. 9.5.0]
33 | - mcp-security-audit version: [e.g. 1.0.4]
34 | - Integration method: [e.g. npx, local installation, Smithery]
35 | - Client used: [e.g. Claude Desktop, Cursor, Cline]
36 |
37 | **Additional context**
38 | Add any other context about the problem here, such as:
39 | - Were you auditing a specific package?
40 | - Did the issue occur with specific dependency versions?
41 | - Any recent changes to your environment?
42 |
```
--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
```json
1 | {
2 | "name": "mcp-security-audit",
3 | "version": "1.0.4",
4 | "description": "Audit your package.json dependencies",
5 | "author": {
6 | "name": "esx",
7 | "email": "[email protected]",
8 | "url": "https://cloudesx.com/"
9 | },
10 | "license": "MIT",
11 | "keywords": [
12 | "mcp",
13 | "modelcontextprotocol",
14 | "package",
15 | "audit",
16 | "dependencies",
17 | "package.json"
18 | ],
19 | "bugs": {
20 | "url": "https://github.com/qianniuspace/mcp-security-audit/issues"
21 | },
22 | "homepage": "https://github.com/qianniuspace/mcp-security-audit#readme",
23 | "repository": {
24 | "type": "git",
25 | "url": "git+https://github.com/qianniuspace/mcp-security-audit.git"
26 | },
27 | "type": "module",
28 | "bin": {
29 | "mcp-security-audit": "./build/index.js"
30 | },
31 | "files": [
32 | "build"
33 | ],
34 | "main": "index.js",
35 | "scripts": {
36 | "build": "tsc && node -e \"require('fs').chmodSync('build/index.js', '755')\"",
37 | "prepare": "npm run build",
38 | "watch": "tsc --watch",
39 | "inspector": "npx @modelcontextprotocol/inspector build/index.js",
40 | "bump": "npx -y standard-version --skip.tag && git add . ; git commit -m 'chore: bump version' ; git push"
41 | },
42 | "dependencies": {
43 | "@modelcontextprotocol/sdk": "^1.5.0",
44 | "chalk": "^5.4.1",
45 | "npm-audit-report": "^6.0.0",
46 | "npm-registry-fetch": "^18.0.2",
47 | "zod": "^3.24.2"
48 | },
49 | "devDependencies": {
50 | "@types/node": "^22.13.4",
51 | "typescript": "^5.7.3"
52 | }
53 | }
54 |
```
--------------------------------------------------------------------------------
/.github/workflows/publish.yml:
--------------------------------------------------------------------------------
```yaml
1 | name: Publish Package to npmjs
2 |
3 | on:
4 | workflow_dispatch:
5 | release:
6 | types: [published]
7 | push:
8 | branches:
9 | - main
10 |
11 | # cancel previous runs if a new one is triggered
12 | concurrency:
13 | group: ${{ github.workflow }}-${{ github.ref }}
14 |
15 | jobs:
16 | build:
17 | runs-on: ubuntu-latest
18 | permissions:
19 | contents: write
20 | id-token: write
21 | steps:
22 | - uses: actions/checkout@v4
23 | # Setup .npmrc file to publish to npm
24 | - uses: actions/setup-node@v4
25 | with:
26 | node-version: "22.x"
27 | registry-url: "https://registry.npmjs.org"
28 | - run: npm install
29 |
30 | - name: Get version from package.json
31 | id: version
32 | run: echo "version=$(node -p "require('./package.json').version")" >> $GITHUB_OUTPUT
33 |
34 | - name: Create Git tag
35 | if: ${{ !contains(github.event.head_commit.message, 'chore(release)') && github.event_name != 'workflow_dispatch' }}
36 | run: |
37 | git config --local user.email "[email protected]"
38 | git config --local user.name "GitHub Action"
39 | git tag -a "v${{ steps.version.outputs.version }}" -m "Release v${{ steps.version.outputs.version }}"
40 | git push origin "v${{ steps.version.outputs.version }}"
41 |
42 | - name: Create GitHub Release
43 | if: ${{ !contains(github.event.head_commit.message, 'chore(release)') && github.event_name != 'workflow_dispatch' }}
44 | uses: softprops/action-gh-release@v1
45 | with:
46 | tag_name: v${{ steps.version.outputs.version }}
47 | name: Release v${{ steps.version.outputs.version }}
48 | generate_release_notes: true
49 |
50 | - run: npm publish --provenance --access public
51 | # only if the commit message contains chore(release), or if manually triggered with workflow_dispatch
52 | if: ${{ contains(github.event.head_commit.message, 'chore(release)') || github.event_name == 'workflow_dispatch' }}
53 | env:
54 | NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
55 |
```
--------------------------------------------------------------------------------
/src/index.ts:
--------------------------------------------------------------------------------
```typescript
1 | #!/usr/bin/env node
2 |
3 | /**
4 | * Main server file for the Security Audit MCP Server
5 | * Handles tool registration and request processing for security audits
6 | */
7 |
8 | import { Server } from '@modelcontextprotocol/sdk/server/index.js'
9 | import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js'
10 | import {
11 | CallToolRequestSchema,
12 | ErrorCode,
13 | ListToolsRequestSchema,
14 | McpError,
15 | } from '@modelcontextprotocol/sdk/types.js'
16 | import { SecurityAuditHandler } from './handlers/security.js'
17 | import { NpmDependencies } from './types/index.js'
18 |
19 | /**
20 | * Server class that handles security audit requests
21 | * Implements the Model Context Protocol for tool integration
22 | */
23 | class SecurityAuditServer {
24 | private server: Server
25 | private securityHandler: SecurityAuditHandler
26 |
27 | constructor() {
28 | // Initialize MCP server with basic configuration
29 | this.server = new Server(
30 | {
31 | name: 'mcp-security-audit-server',
32 | version: '0.1.0',
33 | },
34 | {
35 | capabilities: {
36 | tools: {},
37 | },
38 | }
39 | )
40 |
41 | // Create security audit handler instance
42 | this.securityHandler = new SecurityAuditHandler()
43 | this.setupToolHandlers()
44 |
45 | // Setup error handling
46 | this.server.onerror = (error) => console.error('[MCP Error]', error)
47 |
48 | // Handle graceful shutdown
49 | process.on('SIGINT', async () => {
50 | await this.server.close()
51 | process.exit(0)
52 | })
53 | }
54 |
55 | /**
56 | * Setup handlers for tool-related requests
57 | * Registers available tools and their handlers
58 | */
59 | private setupToolHandlers() {
60 | // Register available tools
61 | this.server.setRequestHandler(ListToolsRequestSchema, async () => ({
62 | tools: [
63 | {
64 | name: 'audit_nodejs_dependencies',
65 | description: 'Audit specific dependencies for vulnerabilities',
66 | inputSchema: {
67 | type: 'object',
68 | properties: {
69 | dependencies: {
70 | type: 'object',
71 | additionalProperties: {
72 | type: 'string',
73 | },
74 | description: 'Dependencies object from package.json',
75 | }
76 | },
77 | required: ['dependencies'],
78 | },
79 | },
80 | ],
81 | }))
82 |
83 | // Handle tool execution requests
84 | this.server.setRequestHandler(CallToolRequestSchema, async (request) => {
85 | // Validate request parameters
86 | if (!request.params.arguments) {
87 | throw new McpError(
88 | ErrorCode.InvalidParams,
89 | 'Missing arguments'
90 | )
91 | }
92 |
93 | // Route request to appropriate handler
94 | switch (request.params.name) {
95 | case 'audit_nodejs_dependencies':
96 | return this.securityHandler.auditNodejsDependencies(
97 | request.params.arguments as { dependencies: NpmDependencies }
98 | );
99 | default:
100 | throw new McpError(ErrorCode.MethodNotFound, `Unknown tool: ${request.params.name}`);
101 | }
102 | })
103 | }
104 |
105 | /**
106 | * Start the server using stdio transport
107 | */
108 | async run() {
109 | const transport = new StdioServerTransport()
110 | await this.server.connect(transport)
111 | console.error('Security Audit MCP server running on stdio')
112 | }
113 | }
114 |
115 | // Create and start server instance
116 | const server = new SecurityAuditServer()
117 | server.run().catch(console.error)
118 |
```
--------------------------------------------------------------------------------
/src/test/test.ts:
--------------------------------------------------------------------------------
```typescript
1 | import npmFetch from 'npm-registry-fetch';
2 | import { SecurityAuditHandler } from '../handlers/security.js';
3 | import * as path from 'path';
4 | import * as fs from 'fs';
5 |
6 | async function testNpmRegistry() {
7 | try {
8 | // 测试 1: Registry 连接和完整响应
9 | // console.log('Test 1: Testing npm registry connection and full response...');
10 | // const pingResponse = await npmFetch.json('/-/ping');
11 | // console.log('Registry connection:', pingResponse ? 'OK' : 'Failed');
12 | // console.log('Full ping response:', JSON.stringify(pingResponse, null, 2));
13 |
14 | // 测试 2: 单个依赖审计(已知漏洞版本)- 完整响应
15 | console.log('\nTest 2: Testing single dependency audit with full response...');
16 | const handler = new SecurityAuditHandler();
17 | const singleDep = {
18 | // 'lodash': '4.17.1', // 多个已知漏洞
19 | // '@modelcontextprotocol/sdk': '1.5.0',
20 | "next": "14.2.17"
21 | };
22 |
23 | console.log('\nSending audit requests for single dependencies:');
24 | for (const [name, version] of Object.entries(singleDep)) {
25 | console.log(`\nAuditing ${name}@${version}`);
26 | const auditData = {
27 | name: "single-dependency-audit",
28 | version: "1.0.0",
29 | requires: { [name]: version },
30 | dependencies: {
31 | [name]: { version: version.replace('^', '') }
32 | }
33 | };
34 | console.log('Request data:', JSON.stringify(auditData, null, 2));
35 |
36 | try {
37 | const response = await npmFetch.json('/-/npm/v1/security/audits', {
38 | method: 'POST',
39 | body: auditData,
40 | gzip: true
41 | });
42 | console.log('Full API Response:', JSON.stringify(response, null, 2));
43 | } catch (error) {
44 | console.error(`Error auditing ${name}:`, error);
45 | }
46 | }
47 |
48 | // const singleAuditResult = await handler.auditDependencies({
49 | // dependencies: singleDep,
50 | // level: 'low'
51 | // });
52 |
53 | // console.log('\nProcessed Single Dependency Results:');
54 | // console.log(JSON.stringify(singleAuditResult, null, 2));
55 |
56 | // // 测试 3: 多个依赖审计 - 完整响应
57 | // console.log('\nTest 3: Testing multiple dependencies audit with full response...');
58 | // const multipleDeps = {
59 | // 'lodash': '4.17.1',
60 | // 'express': '4.0.0',
61 | // 'moment': '2.0.0'
62 | // };
63 |
64 | // console.log('\nSending audit requests for multiple dependencies:');
65 | // for (const [name, version] of Object.entries(multipleDeps)) {
66 | // console.log(`\nAuditing ${name}@${version}`);
67 | // const auditData = {
68 | // name: "multiple-dependencies-audit",
69 | // version: "1.0.0",
70 | // requires: { [name]: version },
71 | // dependencies: {
72 | // [name]: { version: version.replace('^', '') }
73 | // }
74 | // };
75 | // console.log('Request data:', JSON.stringify(auditData, null, 2));
76 |
77 | // try {
78 | // const response = await npmFetch.json('/-/npm/v1/security/audits', {
79 | // method: 'POST',
80 | // body: auditData,
81 | // gzip: true
82 | // });
83 | // console.log('Full API Response:', JSON.stringify(response, null, 2));
84 | // } catch (error) {
85 | // console.error(`Error auditing ${name}:`, error);
86 | // }
87 | // }
88 |
89 | // const multipleAuditResult = await handler.auditDependencies({
90 | // dependencies: multipleDeps,
91 | // level: 'low'
92 | // });
93 |
94 | // console.log('\nProcessed Multiple Dependencies Results:');
95 | // console.log(JSON.stringify(multipleAuditResult, null, 2));
96 |
97 |
98 | // 测试 lodash 4.17.1 的漏洞
99 | // console.log('\nTesting [email protected] vulnerabilities...');
100 | // const handler = new SecurityAuditHandler();
101 | // const dependencies = {
102 | // "@ai-sdk/deepseek": "^0.1.0" // 已知有漏洞的版本
103 | // };
104 |
105 | // try {
106 | // const result = await handler.auditDependencies({ dependencies });
107 |
108 | // console.log('\nAudit Summary:');
109 | // console.log(JSON.stringify(result, null, 2));
110 |
111 |
112 |
113 | // } catch (error) {
114 | // console.error('Error during audit:', error);
115 | // }
116 |
117 | } catch (error) {
118 | console.error('Test failed:', error instanceof Error ? error.message : 'Unknown error');
119 | console.error('Full error:', error);
120 | process.exit(1);
121 | }
122 | }
123 |
124 | // 运行测试
125 | console.log('Starting tests...\n');
126 | testNpmRegistry().catch(error => {
127 | console.error('Test execution failed:', error);
128 | console.error('Full error details:', error);
129 | process.exit(1);
130 | });
```
--------------------------------------------------------------------------------
/src/handlers/security.ts:
--------------------------------------------------------------------------------
```typescript
1 | /**
2 | * Security audit handler for npm dependencies
3 | * Provides functionality to check for vulnerabilities in npm packages
4 | */
5 |
6 | import { Vulnerability, NpmDependencies } from '../types/index.js';
7 | import { McpError, ErrorCode } from '@modelcontextprotocol/sdk/types.js';
8 | import npmFetch from 'npm-registry-fetch';
9 |
10 |
11 | export class SecurityAuditHandler {
12 | /**
13 | * Audits a single dependency for security vulnerabilities
14 | * @param name - The name of the package to audit
15 | * @param version - The version of the package to audit
16 | * @returns Promise containing the audit results
17 | */
18 | private async auditSingleDependency(name: string, version: string): Promise<any> {
19 | try {
20 | // Validate input parameters
21 | if (!name || !version) {
22 | throw new Error(`Invalid package name or version: ${name}@${version}`);
23 | }
24 |
25 | // Clean version string by removing prefix characters (^ or ~)
26 | const cleanVersion = version.trim().replace(/^[\^~]/, '');
27 |
28 | // Prepare audit data structure
29 | const auditData = {
30 | name: "single-dependency-audit",
31 | version: "1.0.0",
32 | requires: { [name]: cleanVersion },
33 | dependencies: {
34 | [name]: { version: cleanVersion }
35 | }
36 | };
37 |
38 | // Send audit request to npm registry
39 | const result = await npmFetch.json('/-/npm/v1/security/audits', {
40 | method: 'POST',
41 | body: auditData,
42 | gzip: true
43 | });
44 |
45 | if (!result) {
46 | throw new Error(`No response received for ${name}@${cleanVersion}`);
47 | }
48 |
49 | return result;
50 | } catch (error) {
51 | console.error(`[ERROR] Error auditing ${name}@${version}:`, error);
52 | throw new McpError(
53 | ErrorCode.InternalError,
54 | `Failed to audit ${name}@${version}: ${error instanceof Error ? error.message : 'Unknown error'}`
55 | );
56 | }
57 | }
58 |
59 | /**
60 | * Main method to audit multiple dependencies
61 | * @param dependencies - Object containing package names and versions to audit
62 | * @returns Promise containing consolidated audit results
63 | */
64 | async auditNodejsDependencies(args: { dependencies: NpmDependencies }) {
65 | try {
66 | // Validate dependencies object
67 | if (!args || typeof args.dependencies !== 'object') {
68 | throw new McpError(
69 | ErrorCode.InvalidParams,
70 | 'Invalid dependencies object'
71 | );
72 | }
73 |
74 | // Handle potentially nested dependencies object
75 | const actualDeps = args.dependencies.dependencies || args.dependencies;
76 |
77 | const auditResults = [];
78 | for (const [name, version] of Object.entries(actualDeps)) {
79 | if (typeof version !== 'string') continue
80 | try {
81 | const result = await this.auditSingleDependency(name, version);
82 | auditResults.push(result);
83 | } catch (error) {
84 | console.error(`[ERROR] Failed to audit ${name}@${version}:`, error);
85 | // Continue processing other dependencies
86 | }
87 | }
88 |
89 | // Merge and process all vulnerability results
90 | const mergedVulnerabilities = auditResults.flatMap(result =>
91 | this.processVulnerabilities(result)
92 | );
93 |
94 | // Return consolidated results
95 | return {
96 | content: [
97 | {
98 | type: 'text',
99 | text: JSON.stringify(mergedVulnerabilities, null, 2),
100 | },
101 | ]
102 | };
103 | } catch (error) {
104 | console.error('[ERROR] Audit failed:', error);
105 | if (error instanceof McpError) {
106 | throw error;
107 | }
108 | throw new McpError(
109 | ErrorCode.InternalError,
110 | `Audit failed: ${error instanceof Error ? error.message : 'Unknown error'}`
111 | );
112 | }
113 | }
114 |
115 | /**
116 | * Process raw vulnerability data into standardized format
117 | * @param auditData - Raw audit data from npm registry
118 | * @returns Array of processed vulnerabilities
119 | */
120 | private processVulnerabilities(auditData: any): Vulnerability[] {
121 | if (!auditData.advisories || Object.keys(auditData.advisories).length === 0) {
122 | return [];
123 | }
124 |
125 | const advisories = auditData.advisories;
126 | return Object.values(advisories).map((advisory: any) => ({
127 | name: advisory.module_name,
128 | version: advisory.vulnerable_versions,
129 | severity: advisory.severity,
130 | description: advisory.overview,
131 | recommendation: advisory.recommendation,
132 | fixAvailable: !!advisory.patched_versions,
133 | fixedVersion: advisory.patched_versions,
134 | githubAdvisoryId: advisory.github_advisory_id,
135 | updatedAt: advisory.updated,
136 | moreInfo: advisory.url
137 | }));
138 | }
139 |
140 | /**
141 | * Generate summary statistics for vulnerabilities
142 | * @param vulnerabilities - Array of processed vulnerabilities
143 | * @returns Summary object with counts by severity
144 | */
145 | private generateSummary(vulnerabilities: Vulnerability[]) {
146 | return {
147 | total: vulnerabilities.length,
148 | critical: vulnerabilities.filter(v => v.severity === 'critical').length,
149 | high: vulnerabilities.filter(v => v.severity === 'high').length,
150 | moderate: vulnerabilities.filter(v => v.severity === 'moderate').length,
151 | low: vulnerabilities.filter(v => v.severity === 'low').length
152 | };
153 | }
154 | }
155 |
```
--------------------------------------------------------------------------------
/public/Severity-response.json:
--------------------------------------------------------------------------------
```json
1 | {
2 | "actions": [
3 | {
4 | "isMajor": false,
5 | "action": "install",
6 | "resolves": [
7 | {
8 | "id": 1085674,
9 | "path": "lodash",
10 | "dev": false,
11 | "optional": false,
12 | "bundled": false
13 | },
14 | {
15 | "id": 1094499,
16 | "path": "lodash",
17 | "dev": false,
18 | "optional": false,
19 | "bundled": false
20 | },
21 | {
22 | "id": 1094500,
23 | "path": "lodash",
24 | "dev": false,
25 | "optional": false,
26 | "bundled": false
27 | },
28 | {
29 | "id": 1096305,
30 | "path": "lodash",
31 | "dev": false,
32 | "optional": false,
33 | "bundled": false
34 | },
35 | {
36 | "id": 1096996,
37 | "path": "lodash",
38 | "dev": false,
39 | "optional": false,
40 | "bundled": false
41 | },
42 | {
43 | "id": 1097130,
44 | "path": "lodash",
45 | "dev": false,
46 | "optional": false,
47 | "bundled": false
48 | },
49 | {
50 | "id": 1097140,
51 | "path": "lodash",
52 | "dev": false,
53 | "optional": false,
54 | "bundled": false
55 | }
56 | ],
57 | "module": "lodash",
58 | "target": "4.17.21"
59 | }
60 | ],
61 | "advisories": {
62 | "1085674": {
63 | "findings": [
64 | {
65 | "version": "4.17.1",
66 | "paths": [
67 | "lodash"
68 | ]
69 | }
70 | ],
71 | "found_by": null,
72 | "deleted": null,
73 | "references": "- https://nvd.nist.gov/vuln/detail/CVE-2019-1010266\n- https://github.com/lodash/lodash/issues/3359\n- https://snyk.io/vuln/SNYK-JS-LODASH-73639\n- https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347\n- https://github.com/lodash/lodash/wiki/Changelog\n- https://security.netapp.com/advisory/ntap-20190919-0004/\n- https://github.com/advisories/GHSA-x5rq-j2xg-h7qm",
74 | "created": "2019-07-19T16:13:07.000Z",
75 | "id": 1085674,
76 | "npm_advisory_id": null,
77 | "overview": "lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.",
78 | "reported_by": null,
79 | "title": "Regular Expression Denial of Service (ReDoS) in lodash",
80 | "metadata": null,
81 | "cves": [
82 | "CVE-2019-1010266"
83 | ],
84 | "access": "public",
85 | "severity": "moderate",
86 | "module_name": "lodash",
87 | "vulnerable_versions": "<4.17.11",
88 | "github_advisory_id": "GHSA-x5rq-j2xg-h7qm",
89 | "recommendation": "Upgrade to version 4.17.11 or later",
90 | "patched_versions": ">=4.17.11",
91 | "updated": "2023-01-09T05:01:38.000Z",
92 | "cvss": {
93 | "score": 0,
94 | "vectorString": null
95 | },
96 | "cwe": [
97 | "CWE-400"
98 | ],
99 | "url": "https://github.com/advisories/GHSA-x5rq-j2xg-h7qm"
100 | },
101 | "1094499": {
102 | "findings": [
103 | {
104 | "version": "4.17.1",
105 | "paths": [
106 | "lodash"
107 | ]
108 | }
109 | ],
110 | "found_by": null,
111 | "deleted": null,
112 | "references": "- https://nvd.nist.gov/vuln/detail/CVE-2018-16487\n- https://hackerone.com/reports/380873\n- https://github.com/advisories/GHSA-4xc9-xhrj-v574\n- https://www.npmjs.com/advisories/782\n- https://security.netapp.com/advisory/ntap-20190919-0004/\n- https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad",
113 | "created": "2019-02-07T18:16:48.000Z",
114 | "id": 1094499,
115 | "npm_advisory_id": null,
116 | "overview": "Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.11 or later.",
117 | "reported_by": null,
118 | "title": "Prototype Pollution in lodash",
119 | "metadata": null,
120 | "cves": [
121 | "CVE-2018-16487"
122 | ],
123 | "access": "public",
124 | "severity": "high",
125 | "module_name": "lodash",
126 | "vulnerable_versions": "<4.17.11",
127 | "github_advisory_id": "GHSA-4xc9-xhrj-v574",
128 | "recommendation": "Upgrade to version 4.17.11 or later",
129 | "patched_versions": ">=4.17.11",
130 | "updated": "2023-11-01T23:00:56.000Z",
131 | "cvss": {
132 | "score": 0,
133 | "vectorString": null
134 | },
135 | "cwe": [
136 | "CWE-400"
137 | ],
138 | "url": "https://github.com/advisories/GHSA-4xc9-xhrj-v574"
139 | },
140 | "1094500": {
141 | "findings": [
142 | {
143 | "version": "4.17.1",
144 | "paths": [
145 | "lodash"
146 | ]
147 | }
148 | ],
149 | "found_by": null,
150 | "deleted": null,
151 | "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28500\n- https://github.com/lodash/lodash/pull/5065\n- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7\n- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1018905\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a\n- https://github.com/advisories/GHSA-29mw-wpgm-hmr9",
152 | "created": "2022-01-06T20:30:46.000Z",
153 | "id": 1094500,
154 | "npm_advisory_id": null,
155 | "overview": "All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. \n\nSteps to reproduce (provided by reporter Liyuan Chen):\n```js\nvar lo = require('lodash');\n\nfunction build_blank(n) {\n var ret = \"1\"\n for (var i = 0; i < n; i++) {\n ret += \" \"\n }\n return ret + \"1\";\n}\nvar s = build_blank(50000) var time0 = Date.now();\nlo.trim(s) \nvar time_cost0 = Date.now() - time0;\nconsole.log(\"time_cost0: \" + time_cost0);\nvar time1 = Date.now();\nlo.toNumber(s) var time_cost1 = Date.now() - time1;\nconsole.log(\"time_cost1: \" + time_cost1);\nvar time2 = Date.now();\nlo.trimEnd(s);\nvar time_cost2 = Date.now() - time2;\nconsole.log(\"time_cost2: \" + time_cost2);\n```",
156 | "reported_by": null,
157 | "title": "Regular Expression Denial of Service (ReDoS) in lodash",
158 | "metadata": null,
159 | "cves": [
160 | "CVE-2020-28500"
161 | ],
162 | "access": "public",
163 | "severity": "moderate",
164 | "module_name": "lodash",
165 | "vulnerable_versions": "<4.17.21",
166 | "github_advisory_id": "GHSA-29mw-wpgm-hmr9",
167 | "recommendation": "Upgrade to version 4.17.21 or later",
168 | "patched_versions": ">=4.17.21",
169 | "updated": "2023-11-01T23:21:12.000Z",
170 | "cvss": {
171 | "score": 5.3,
172 | "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
173 | },
174 | "cwe": [
175 | "CWE-400",
176 | "CWE-1333"
177 | ],
178 | "url": "https://github.com/advisories/GHSA-29mw-wpgm-hmr9"
179 | },
180 | "1096305": {
181 | "findings": [
182 | {
183 | "version": "4.17.1",
184 | "paths": [
185 | "lodash"
186 | ]
187 | }
188 | ],
189 | "found_by": null,
190 | "deleted": null,
191 | "references": "- https://github.com/lodash/lodash/issues/4744\n- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8203\n- https://hackerone.com/reports/712065\n- https://github.com/lodash/lodash/issues/4874\n- https://github.com/github/advisory-database/pull/2884\n- https://hackerone.com/reports/864701\n- https://github.com/lodash/lodash/wiki/Changelog#v41719\n- https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744\n- https://security.netapp.com/advisory/ntap-20200724-0006/\n- https://github.com/advisories/GHSA-p6mc-m468-83gw",
192 | "created": "2020-07-15T19:15:48.000Z",
193 | "id": 1096305,
194 | "npm_advisory_id": null,
195 | "overview": "Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions `pick`, `set`, `setWith`, `update`, `updateWith`, and `zipObjectDeep` allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.",
196 | "reported_by": null,
197 | "title": "Prototype Pollution in lodash",
198 | "metadata": null,
199 | "cves": [
200 | "CVE-2020-8203"
201 | ],
202 | "access": "public",
203 | "severity": "high",
204 | "module_name": "lodash",
205 | "vulnerable_versions": ">=3.7.0 <4.17.19",
206 | "github_advisory_id": "GHSA-p6mc-m468-83gw",
207 | "recommendation": "Upgrade to version 4.17.19 or later",
208 | "patched_versions": ">=4.17.19",
209 | "updated": "2024-01-26T15:32:50.000Z",
210 | "cvss": {
211 | "score": 7.4,
212 | "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"
213 | },
214 | "cwe": [
215 | "CWE-770",
216 | "CWE-1321"
217 | ],
218 | "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw"
219 | },
220 | "1096996": {
221 | "findings": [
222 | {
223 | "version": "4.17.1",
224 | "paths": [
225 | "lodash"
226 | ]
227 | }
228 | ],
229 | "found_by": null,
230 | "deleted": null,
231 | "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\n- https://snyk.io/vuln/SNYK-JS-LODASH-1040724\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://security.netapp.com/advisory/ntap-20210312-0006\n- https://github.com/advisories/GHSA-35jh-r3h4-6jhm",
232 | "created": "2021-05-06T16:05:51.000Z",
233 | "id": 1096996,
234 | "npm_advisory_id": null,
235 | "overview": "`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.",
236 | "reported_by": null,
237 | "title": "Command Injection in lodash",
238 | "metadata": null,
239 | "cves": [
240 | "CVE-2021-23337"
241 | ],
242 | "access": "public",
243 | "severity": "high",
244 | "module_name": "lodash",
245 | "vulnerable_versions": "<4.17.21",
246 | "github_advisory_id": "GHSA-35jh-r3h4-6jhm",
247 | "recommendation": "Upgrade to version 4.17.21 or later",
248 | "patched_versions": ">=4.17.21",
249 | "updated": "2024-04-17T18:39:19.000Z",
250 | "cvss": {
251 | "score": 7.2,
252 | "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
253 | },
254 | "cwe": [
255 | "CWE-77",
256 | "CWE-94"
257 | ],
258 | "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm"
259 | },
260 | "1097130": {
261 | "findings": [
262 | {
263 | "version": "4.17.1",
264 | "paths": [
265 | "lodash"
266 | ]
267 | }
268 | ],
269 | "found_by": null,
270 | "deleted": null,
271 | "references": "- https://nvd.nist.gov/vuln/detail/CVE-2018-3721\n- https://hackerone.com/reports/310443\n- https://github.com/advisories/GHSA-fvqr-27wr-82fm\n- https://www.npmjs.com/advisories/577\n- https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a\n- https://security.netapp.com/advisory/ntap-20190919-0004",
272 | "created": "2018-07-26T15:14:52.000Z",
273 | "id": 1097130,
274 | "npm_advisory_id": null,
275 | "overview": "Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.5 or later.",
276 | "reported_by": null,
277 | "title": "Prototype Pollution in lodash",
278 | "metadata": null,
279 | "cves": [
280 | "CVE-2018-3721"
281 | ],
282 | "access": "public",
283 | "severity": "moderate",
284 | "module_name": "lodash",
285 | "vulnerable_versions": "<4.17.5",
286 | "github_advisory_id": "GHSA-fvqr-27wr-82fm",
287 | "recommendation": "Upgrade to version 4.17.5 or later",
288 | "patched_versions": ">=4.17.5",
289 | "updated": "2024-04-22T19:49:54.000Z",
290 | "cvss": {
291 | "score": 6.5,
292 | "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
293 | },
294 | "cwe": [
295 | "CWE-471",
296 | "CWE-1321"
297 | ],
298 | "url": "https://github.com/advisories/GHSA-fvqr-27wr-82fm"
299 | },
300 | "1097140": {
301 | "findings": [
302 | {
303 | "version": "4.17.1",
304 | "paths": [
305 | "lodash"
306 | ]
307 | }
308 | ],
309 | "found_by": null,
310 | "deleted": null,
311 | "references": "- https://github.com/lodash/lodash/pull/4336\n- https://nvd.nist.gov/vuln/detail/CVE-2019-10744\n- https://snyk.io/vuln/SNYK-JS-LODASH-450202\n- https://www.npmjs.com/advisories/1065\n- https://access.redhat.com/errata/RHSA-2019:3024\n- https://security.netapp.com/advisory/ntap-20191004-0005/\n- https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS\n- https://www.oracle.com/security-alerts/cpujan2021.html\n- https://www.oracle.com/security-alerts/cpuoct2020.html\n- https://support.f5.com/csp/article/K47105354?utm_source=f5support&%3Butm_medium=RSS\n- https://github.com/advisories/GHSA-jf85-cpcp-j695",
312 | "created": "2019-07-10T19:45:23.000Z",
313 | "id": 1097140,
314 | "npm_advisory_id": null,
315 | "overview": "Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n## Recommendation\n\nUpdate to version 4.17.12 or later.",
316 | "reported_by": null,
317 | "title": "Prototype Pollution in lodash",
318 | "metadata": null,
319 | "cves": [
320 | "CVE-2019-10744"
321 | ],
322 | "access": "public",
323 | "severity": "critical",
324 | "module_name": "lodash",
325 | "vulnerable_versions": "<4.17.12",
326 | "github_advisory_id": "GHSA-jf85-cpcp-j695",
327 | "recommendation": "Upgrade to version 4.17.12 or later",
328 | "patched_versions": ">=4.17.12",
329 | "updated": "2024-04-22T19:49:44.000Z",
330 | "cvss": {
331 | "score": 9.1,
332 | "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
333 | },
334 | "cwe": [
335 | "CWE-20",
336 | "CWE-1321"
337 | ],
338 | "url": "https://github.com/advisories/GHSA-jf85-cpcp-j695"
339 | }
340 | },
341 | "muted": [],
342 | "metadata": {
343 | "vulnerabilities": {
344 | "info": 0,
345 | "low": 0,
346 | "moderate": 3,
347 | "high": 3,
348 | "critical": 1
349 | },
350 | "dependencies": 1,
351 | "devDependencies": 0,
352 | "optionalDependencies": 0,
353 | "totalDependencies": 1
354 | }
355 | }
```