Check a project for known vulnerabilities in its dependencies. Supported package managers:
- npm
- pnpm
- Yarn
- Composer
- Gradle
In the background this script calls:
npm audit / pnpm audit / yarn audit
for nodejs reposlocal-php-security-checker
(https://github.com/fabpot/local-php-security-checker) for PHP reposorg.owasp:dependency-check-gradle
for Gradle repos
The output is a json file with info about the vulnerable packages.
Note: there's no guarantee that the script or tools called by this script will not modify the target repo (eg. gradle init file needs to be created/modified for gradle dependency check). Recommended to operate on copies of repos.
usage: dep-vuln-checker.py [-h] [-g GH_APIKEY_FILE] [-n NVD_APIKEY_FILE]
[-a APPLOG] [-l VULNLOG] [-i INVPATH]
[-c REQCACHETYPE] [-cp REQCACHEPATH]
[-rh REDISHOST] [-rp REDISPORT] [-r GHSAREPOPATH]
[-s] [-t NVD_DOWNLOAD_TMPDIR] [-I]
dirlist [dirlist ...]
positional arguments:
dirlist location of newline separated file which contains the project dir paths to check
OR a single directory path
OR multiple directory paths
optional arguments:
-h, --help show this help message and exit
-g GH_APIKEY_FILE GitHub apikey location (default: /etc/dep-vuln-checker/gh-apikey)
-n NVD_APIKEY_FILE NVD apikey location (default: /etc/dep-vuln-checker/nvd-apikey)
-a APPLOG app log location or "none" (default: /var/log/dep-vuln-checker/app.log)
-l VULNLOG vulnerability log location (default: /dep-vuln-checker/vulns.log)
-i INVPATH Inventory database location or "none" (default: /var/lib/dep-vuln-checker/inventory.db)
-c REQCACHETYPE request cache type. Allowed values: redis, sqlite (no request cache used if omitted)
-cp REQCACHEPATH reqest cache database path when using sqlite cache type (default: /var/lib/dep-vuln-checker/reqcache.db
-rh REDISHOST redis host for request cache and/or severity cache (default: 127.0.0.1)
-rp REDISPORT redis port for request cache and/or severity cache (default: 6379)
-rP REDISPASS redis password for request cache and/or severity cache (no password used if omitted)
-r GHSAREPOPATH directory to clone GitHub Advisory Database to
-s silent mode - no output
-t NVD_DOWNLOAD_TMPDIR temp directory to download NVD JSON files (default: /tmp)
-I initialize local NVD + GHSA cache and exit
Some options can also be passed as environment variables:
REDIS_HOST
REDIS_PORT
REDIS_PASS
NVD_APIKEY
GH_APIKEY
- npm >= 6
- pnpm
- yarn
- local-php-security-checker