@vyuhlabs/dxkit 0.9.0 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -138,15 +138,16 @@ These agents auto-trigger when Claude detects a matching question:
138
138
  - **quality-reviewer** — "Review my changes" "Check quality before I commit"
139
139
  - **doc-writer** — "What needs documentation?" "Help me write docs"
140
140
 
141
- ### Dormant (9) — activate with `/enable-agent`
141
+ ### Dormant (10) — activate with `/enable-agent`
142
142
  - **codebase-explorer** — Deep architecture analysis, generates documentation
143
143
  - **code-reviewer** — PR review and security audit (read-only)
144
144
  - **test-writer** — Writes tests for existing code
145
145
  - **test-gap-finder** — Identifies critical untested code paths, prioritized by risk
146
146
  - **dependency-mapper** — Maps import chains and blast radius of changes
147
147
  - **health-auditor** — Comprehensive codebase health audit (scores 6 dimensions)
148
- - **vulnerability-scanner** — Dependency + code vulnerability analysis
148
+ - **vulnerability-scanner** — CWE-classified security scan (Snyk-comparable depth)
149
149
  - **dev-report** — Developer activity, quality patterns, security attribution
150
+ - **dashboard-builder** — Generates HTML dashboard from all reports
150
151
  - **debugger** — Systematic root cause analysis
151
152
 
152
153
  ## Reports
@@ -163,7 +164,9 @@ All analysis commands save timestamped reports to `.ai/reports/`:
163
164
  dependency-map-2026-03-30.md # Import chains, most-depended-on files
164
165
  ```
165
166
 
166
- Convert to PDF: `/export-pdf all` or `/export-pdf .ai/reports/health-audit-2026-03-30.md`
167
+ Export options:
168
+ - **HTML dashboard**: `/dashboard` — beautiful dark-themed dashboard with sidebar navigation
169
+ - **PDF**: `/export-pdf all` — converts all reports to PDF
167
170
 
168
171
  ## Learning System
169
172
 
@@ -186,6 +189,24 @@ DXKit generates a GitHub Action that automatically reviews PRs using Claude Code
186
189
 
187
190
  Reviews appear as PR comments with issues rated as critical/warning/suggestion.
188
191
 
192
+ ## Vulnerability Scanner (Snyk-Comparable)
193
+
194
+ The `/vulnerabilities` command runs a comprehensive security scan with CWE classification:
195
+
196
+ | Category | CWE | What It Checks |
197
+ |---|---|---|
198
+ | Command Injection | CWE-78 | `exec()`, `child_process`, unsanitized input |
199
+ | Decompression Bomb | CWE-409 | zlib/tar/decompress without size limits |
200
+ | Uncontrolled Recursion | CWE-674 | JSON/XML/YAML parsers without depth limits |
201
+ | Arbitrary File Upload | CWE-434 | multer/formidable/busboy without validation |
202
+ | Buffer Overflow | CWE-120 | Native modules (binding.gyp, .node files) |
203
+ | Resource Exhaustion | CWE-770 | Missing rate limits, body size limits, WebSocket payload |
204
+ | Hardcoded Secrets | CWE-798 | Passwords, API keys, tokens in source |
205
+ | Prototype Pollution | CWE-1321 | Via dependency audit CWE extraction |
206
+ | + 15 more CWE categories | | Parsed from `npm audit --json` CWE fields |
207
+
208
+ Reports include a **Findings by CWE Category** table for direct comparison with Snyk/Sonar output.
209
+
189
210
  ## Smart Detection
190
211
 
191
212
  - **Test runner** — Detects Jest, Mocha, Vitest, Ava, Tap, pytest, go test from scripts and dependencies
@@ -1,5 +1,5 @@
1
1
  import { ResolvedConfig } from './types';
2
- export declare const VERSION = "0.9.0";
2
+ export declare const VERSION = "0.10.0";
3
3
  export declare const DEFAULT_VERSIONS: {
4
4
  python: string;
5
5
  go: string;
@@ -1 +1 @@
1
- {"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAEzC,eAAO,MAAM,OAAO,UAAU,CAAC;AAE/B,eAAO,MAAM,gBAAgB;;;;;;;;CAQ5B,CAAC;AAEF,eAAO,MAAM,gBAAgB,OAAO,CAAC;AAErC,yEAAyE;AACzE,eAAO,MAAM,cAAc,UAU1B,CAAC;AAEF,wBAAgB,cAAc,CAAC,MAAM,EAAE,cAAc,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAgC7E;AAED,wBAAgB,eAAe,CAAC,MAAM,EAAE,cAAc,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAuB/E"}
1
+ {"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAEzC,eAAO,MAAM,OAAO,WAAW,CAAC;AAEhC,eAAO,MAAM,gBAAgB;;;;;;;;CAQ5B,CAAC;AAEF,eAAO,MAAM,gBAAgB,OAAO,CAAC;AAErC,yEAAyE;AACzE,eAAO,MAAM,cAAc,UAU1B,CAAC;AAEF,wBAAgB,cAAc,CAAC,MAAM,EAAE,cAAc,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAgC7E;AAED,wBAAgB,eAAe,CAAC,MAAM,EAAE,cAAc,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAuB/E"}
package/dist/constants.js CHANGED
@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
3
3
  exports.EVOLVING_FILES = exports.DEFAULT_COVERAGE = exports.DEFAULT_VERSIONS = exports.VERSION = void 0;
4
4
  exports.buildVariables = buildVariables;
5
5
  exports.buildConditions = buildConditions;
6
- exports.VERSION = '0.9.0';
6
+ exports.VERSION = '0.10.0';
7
7
  exports.DEFAULT_VERSIONS = {
8
8
  python: '3.12',
9
9
  go: '1.24.0',
@@ -1 +1 @@
1
- {"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";;;AA6BA,wCAgCC;AAED,0CAuBC;AApFY,QAAA,OAAO,GAAG,OAAO,CAAC;AAElB,QAAA,gBAAgB,GAAG;IAC9B,MAAM,EAAE,MAAM;IACd,EAAE,EAAE,QAAQ;IACZ,IAAI,EAAE,IAAI;IACV,IAAI,EAAE,QAAQ;IACd,MAAM,EAAE,KAAK;IACb,QAAQ,EAAE,IAAI;IACd,KAAK,EAAE,GAAG;CACX,CAAC;AAEW,QAAA,gBAAgB,GAAG,IAAI,CAAC;AAErC,yEAAyE;AAC5D,QAAA,cAAc,GAAG;IAC5B,8CAA8C;IAC9C,kDAAkD;IAClD,2DAA2D;IAC3D,8CAA8C;IAC9C,2CAA2C;IAC3C,6CAA6C;IAC7C,6CAA6C;IAC7C,kCAAkC;IAClC,oDAAoD;CACrD,CAAC;AAEF,SAAgB,cAAc,CAAC,MAAsB;IACnD,MAAM,CAAC,GAA2B;QAChC,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,kBAAkB,EAAE,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;QACzD,kBAAkB,EAAE,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;QACzD,mBAAmB,EAAE,MAAM,CAAC,kBAAkB,IAAI,WAAW;QAC7D,UAAU,EAAE,OAAO;QACnB,cAAc,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,IAAI,wBAAgB,CAAC,MAAM;QACjE,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,EAAE,IAAI,wBAAgB,CAAC,EAAE;QACrD,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC,IAAI,IAAI,wBAAgB,CAAC,IAAI;QAC3D,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC,IAAI,IAAI,wBAAgB,CAAC,IAAI;QAC3D,cAAc,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,IAAI,wBAAgB,CAAC,MAAM;QACjE,gBAAgB,EAAE,wBAAgB,CAAC,QAAQ;QAC3C,aAAa,EAAE,wBAAgB,CAAC,KAAK;QACrC,OAAO,EAAE,SAAS;QAClB,OAAO,EAAE,UAAU;QACnB,WAAW,EAAE,cAAc;QAC3B,kBAAkB,EAAE,MAAM,CAAC,iBAAiB,IAAI,wBAAgB;QAChE,YAAY,EAAE,MAAM,CAAC,UAAU,EAAE,OAAO,IAAI,UAAU;QACtD,cAAc,EAAE,MAAM,CAAC,UAAU,EAAE,SAAS,IAAI,SAAS;QACzD,qBAAqB,EAAE,MAAM,CAAC,UAAU,EAAE,eAAe,IAAI,EAAE;QAC/D,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,EAAE;KAClC,CAAC;IAEF,oBAAoB;IACpB,CAAC,CAAC,oBAAoB,GAAG,CAAC,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IAC3D,MAAM,OAAO,GAAG,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACxC,CAAC,CAAC,gBAAgB,GAAG,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;IACxF,CAAC,CAAC,SAAS,GAAG,CAAC,QAAQ,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC;IAC/F,CAAC,CAAC,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC,cAAc,CAAC;IAExC,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAgB,eAAe,CAAC,MAAsB;IACpD,OAAO;QACL,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,MAAM;QAClC,KAAK,EAAE,MAAM,CAAC,SAAS,CAAC,EAAE;QAC1B,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,IAAI,IAAI,MAAM,CAAC,SAAS,CAAC,MAAM;QACzD,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,IAAI;QAC9B,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,MAAM;QAClC,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,MAAM;QAClC,WAAW,EAAE,MAAM,CAAC,cAAc,CAAC,QAAQ;QAC3C,QAAQ,EAAE,MAAM,CAAC,cAAc,CAAC,KAAK;QACrC,eAAe,EAAE,MAAM,CAAC,cAAc,CAAC,QAAQ,IAAI,MAAM,CAAC,cAAc,CAAC,KAAK;QAC9E,SAAS,EAAE,MAAM,CAAC,cAAc,CAAC,MAAM;QACvC,SAAS,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM;QAC9B,SAAS,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM;QAC9B,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC,SAAS;QACpC,SAAS,EAAE,MAAM,CAAC,KAAK,CAAC,KAAK;QAC7B,cAAc,EAAE,MAAM,CAAC,UAAU;QACjC,iBAAiB,EAAE,MAAM,CAAC,aAAa;QACvC,mBAAmB,EAAE,QAAQ,CAAC,MAAM,CAAC,iBAAiB,IAAI,wBAAgB,CAAC,GAAG,CAAC;QAC/E,YAAY,EAAE,MAAM,CAAC,SAAS;QAC9B,cAAc,EAAE,MAAM,CAAC,UAAU;QACjC,aAAa,EAAE,MAAM,CAAC,SAAS;KAChC,CAAC;AACJ,CAAC"}
1
+ {"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";;;AA6BA,wCAgCC;AAED,0CAuBC;AApFY,QAAA,OAAO,GAAG,QAAQ,CAAC;AAEnB,QAAA,gBAAgB,GAAG;IAC9B,MAAM,EAAE,MAAM;IACd,EAAE,EAAE,QAAQ;IACZ,IAAI,EAAE,IAAI;IACV,IAAI,EAAE,QAAQ;IACd,MAAM,EAAE,KAAK;IACb,QAAQ,EAAE,IAAI;IACd,KAAK,EAAE,GAAG;CACX,CAAC;AAEW,QAAA,gBAAgB,GAAG,IAAI,CAAC;AAErC,yEAAyE;AAC5D,QAAA,cAAc,GAAG;IAC5B,8CAA8C;IAC9C,kDAAkD;IAClD,2DAA2D;IAC3D,8CAA8C;IAC9C,2CAA2C;IAC3C,6CAA6C;IAC7C,6CAA6C;IAC7C,kCAAkC;IAClC,oDAAoD;CACrD,CAAC;AAEF,SAAgB,cAAc,CAAC,MAAsB;IACnD,MAAM,CAAC,GAA2B;QAChC,YAAY,EAAE,MAAM,CAAC,WAAW;QAChC,kBAAkB,EAAE,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;QACzD,kBAAkB,EAAE,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;QACzD,mBAAmB,EAAE,MAAM,CAAC,kBAAkB,IAAI,WAAW;QAC7D,UAAU,EAAE,OAAO;QACnB,cAAc,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,IAAI,wBAAgB,CAAC,MAAM;QACjE,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,EAAE,IAAI,wBAAgB,CAAC,EAAE;QACrD,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC,IAAI,IAAI,wBAAgB,CAAC,IAAI;QAC3D,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC,IAAI,IAAI,wBAAgB,CAAC,IAAI;QAC3D,cAAc,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,IAAI,wBAAgB,CAAC,MAAM;QACjE,gBAAgB,EAAE,wBAAgB,CAAC,QAAQ;QAC3C,aAAa,EAAE,wBAAgB,CAAC,KAAK;QACrC,OAAO,EAAE,SAAS;QAClB,OAAO,EAAE,UAAU;QACnB,WAAW,EAAE,cAAc;QAC3B,kBAAkB,EAAE,MAAM,CAAC,iBAAiB,IAAI,wBAAgB;QAChE,YAAY,EAAE,MAAM,CAAC,UAAU,EAAE,OAAO,IAAI,UAAU;QACtD,cAAc,EAAE,MAAM,CAAC,UAAU,EAAE,SAAS,IAAI,SAAS;QACzD,qBAAqB,EAAE,MAAM,CAAC,UAAU,EAAE,eAAe,IAAI,EAAE;QAC/D,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,EAAE;KAClC,CAAC;IAEF,oBAAoB;IACpB,CAAC,CAAC,oBAAoB,GAAG,CAAC,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IAC3D,MAAM,OAAO,GAAG,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACxC,CAAC,CAAC,gBAAgB,GAAG,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;IACxF,CAAC,CAAC,SAAS,GAAG,CAAC,QAAQ,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC;IAC/F,CAAC,CAAC,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC,cAAc,CAAC;IAExC,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAgB,eAAe,CAAC,MAAsB;IACpD,OAAO;QACL,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,MAAM;QAClC,KAAK,EAAE,MAAM,CAAC,SAAS,CAAC,EAAE;QAC1B,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,IAAI,IAAI,MAAM,CAAC,SAAS,CAAC,MAAM;QACzD,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,IAAI;QAC9B,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,MAAM;QAClC,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,MAAM;QAClC,WAAW,EAAE,MAAM,CAAC,cAAc,CAAC,QAAQ;QAC3C,QAAQ,EAAE,MAAM,CAAC,cAAc,CAAC,KAAK;QACrC,eAAe,EAAE,MAAM,CAAC,cAAc,CAAC,QAAQ,IAAI,MAAM,CAAC,cAAc,CAAC,KAAK;QAC9E,SAAS,EAAE,MAAM,CAAC,cAAc,CAAC,MAAM;QACvC,SAAS,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM;QAC9B,SAAS,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM;QAC9B,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC,SAAS;QACpC,SAAS,EAAE,MAAM,CAAC,KAAK,CAAC,KAAK;QAC7B,cAAc,EAAE,MAAM,CAAC,UAAU;QACjC,iBAAiB,EAAE,MAAM,CAAC,aAAa;QACvC,mBAAmB,EAAE,QAAQ,CAAC,MAAM,CAAC,iBAAiB,IAAI,wBAAgB,CAAC,GAAG,CAAC;QAC/E,YAAY,EAAE,MAAM,CAAC,SAAS;QAC9B,cAAc,EAAE,MAAM,CAAC,UAAU;QACjC,aAAa,EAAE,MAAM,CAAC,SAAS;KAChC,CAAC;AACJ,CAAC"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@vyuhlabs/dxkit",
3
- "version": "0.9.0",
3
+ "version": "0.10.0",
4
4
  "description": "AI-native developer experience toolkit for any repository",
5
5
  "license": "MIT",
6
6
  "bin": {
@@ -1,74 +1,112 @@
1
1
  ---
2
2
  name: vulnerability-scanner
3
- description: Scans dependencies and code for security vulnerabilities. Use when asked about vulnerabilities, "is this secure?", "audit dependencies", or "security scan". Saves report to .ai/reports/.
3
+ description: Comprehensive security vulnerability scanner — dependencies (with CWE classification), code patterns, file uploads, decompression bombs, recursion depth, native modules, resource limits. Use when asked about vulnerabilities, "is this secure?", "audit dependencies", or "security scan". Saves report to .ai/reports/.
4
4
  model: sonnet
5
5
  tools: Read, Grep, Glob, Bash, Write
6
6
  ---
7
7
 
8
- You are a security vulnerability analyst. Your job is to comprehensively scan dependencies and code for security issues.
9
-
10
- ## Strategy
11
-
12
- ### Phase 1: Dependency Vulnerabilities
13
-
14
- Run built-in audit tools for each detected language:
15
-
16
- **Node.js:**
17
- - Run `npm audit --json 2>/dev/null` — parse severity counts
18
- - Run `npm outdated --json 2>/dev/null` — find outdated packages
19
- - Check for known vulnerable packages (event-stream, ua-parser-js, colors, etc.)
20
-
21
- **Python:**
8
+ You are a security vulnerability analyst. Your job is to comprehensively scan dependencies and code for security issues, classify findings by CWE, and produce an actionable report.
9
+
10
+ ## Phase 1: Dependency Vulnerabilities with CWE Classification
11
+
12
+ ### Node.js
13
+ Run `npm audit --json 2>/dev/null` and parse the full output:
14
+ 1. Extract severity counts (critical/high/medium/low)
15
+ 2. **Extract CWE fields** from each advisory's `via` entries (skip string entries — those are transitive refs)
16
+ 3. Group findings by CWE category using this mapping:
17
+
18
+ | CWE | Name |
19
+ |-----|------|
20
+ | CWE-22 | Directory Traversal |
21
+ | CWE-78 | Command Injection |
22
+ | CWE-94 | Arbitrary Code Injection |
23
+ | CWE-120 | Buffer Overflow |
24
+ | CWE-248 | Uncaught Exception |
25
+ | CWE-352 | Cross-Site Request Forgery |
26
+ | CWE-400 | Uncontrolled Resource Consumption |
27
+ | CWE-407 | Inefficient Algorithmic Complexity |
28
+ | CWE-409 | Decompression Bomb |
29
+ | CWE-434 | Arbitrary File Upload |
30
+ | CWE-674 | Uncontrolled Recursion |
31
+ | CWE-770 | Allocation Without Limits |
32
+ | CWE-772 | Missing Resource Release |
33
+ | CWE-835 | Infinite Loop |
34
+ | CWE-918 | Server-Side Request Forgery |
35
+ | CWE-1321 | Prototype Pollution |
36
+ | CWE-1333 | ReDoS |
37
+
38
+ Also run `npm outdated --json 2>/dev/null` for outdated packages.
39
+
40
+ ### Python
22
41
  - Run `pip audit 2>/dev/null` or `safety check 2>/dev/null` if available
23
- - Read `requirements.txt` or `pyproject.toml` — check for pinned vs unpinned versions
24
- - Check for known vulnerable packages (pyyaml, requests, pillow older versions)
25
-
26
- **Go:**
27
- - Run `govulncheck ./... 2>/dev/null` if available
28
- - Read `go.sum` for dependency count
42
+ - Check for pinned vs unpinned versions in `requirements.txt` / `pyproject.toml`
29
43
 
30
- **Rust:**
31
- - Run `cargo audit 2>/dev/null` if available
44
+ ### Go / Rust / C#
45
+ - Run `govulncheck ./... 2>/dev/null`, `cargo audit 2>/dev/null`, `dotnet list package --vulnerable 2>/dev/null`
32
46
 
33
- **C#:**
34
- - Run `dotnet list package --vulnerable 2>/dev/null` if available
47
+ ## Phase 2: Code-Level Vulnerability Scan
35
48
 
36
- ### Phase 2: Code-Level Vulnerabilities
49
+ ### Injection (CWE-78, CWE-89, CWE-79)
50
+ - **Command injection**: `exec(`, `child_process`, `os.system(`, `subprocess.call(` — flag if input could be user-controlled
51
+ - **SQL injection**: string concatenation in queries, template literals with user input
52
+ - **XSS**: `dangerouslySetInnerHTML`, `v-html`, unescaped output in templates
37
53
 
38
- Search the codebase for common vulnerability patterns:
39
-
40
- **Injection:**
41
- - SQL: string concatenation in queries (`"SELECT.*" +`, template literals with user input)
42
- - Command injection: `exec(`, `child_process`, `os.system(`, `subprocess.call(` with unsanitized input
43
- - XSS: `dangerouslySetInnerHTML`, `v-html`, unescaped output
44
-
45
- **Authentication & Authorization:**
54
+ ### Authentication & Secrets (CWE-798, CWE-327)
46
55
  - Hardcoded secrets: `password\s*=\s*['"]`, `apiKey`, `secret\s*=`, `token\s*=\s*['"]`
47
56
  - Weak crypto: `md5`, `sha1` for passwords, `Math.random` for tokens
48
57
  - JWT issues: `algorithm.*none`, missing expiry, hardcoded signing keys
49
58
 
50
- **Data Exposure:**
59
+ ### Decompression Bomb (CWE-409)
60
+ - `zlib.createGunzip()`, `createInflate()`, `createUnzip()` — flag if no `maxOutputLength`
61
+ - `tar.extract()`, `tar.x()` — flag if no `maxReadSize` or size filter
62
+ - `require('decompress')`, `require('unzipper')`, `require('adm-zip')` — flag on user-uploaded files
63
+ - `express.json()`, `bodyParser.json()` — flag if no `limit` option
64
+
65
+ ### Uncontrolled Recursion (CWE-674)
66
+ - `JSON.parse(` on user input without depth validation
67
+ - XML parsers (`fast-xml-parser`, `xml2js`, `@xmldom/xmldom`) — flag if no `maxDepth`
68
+ - `yaml.load()` instead of `yaml.safeLoad()`, no schema restriction
69
+ - Custom recursive functions processing user data without depth guards
70
+
71
+ ### Arbitrary File Upload (CWE-434)
72
+ - `multer` — flag if no `fileFilter`, no `limits.fileSize`, storage in web-accessible dir
73
+ - `formidable` — flag if no `maxFileSize`, no type validation
74
+ - `busboy` — flag if no `limits` option
75
+ - `fs.writeFile`/`createWriteStream` with user-controlled path — flag if no extension/MIME validation
76
+
77
+ ### Resource Allocation Without Limits (CWE-770)
78
+ - No rate limiting middleware (`express-rate-limit`, `RateLimiter`)
79
+ - `express.json()`/`bodyParser` without `limit` option
80
+ - WebSocket without `maxPayload`: `socket.on('message'`, `ws.on('message'`
81
+ - Database queries without `.limit()` or pagination on user-facing endpoints
82
+
83
+ ### Data Exposure
51
84
  - Sensitive data in logs: `console.log.*password`, `print.*secret`
52
- - Debug mode in production: `DEBUG=true`, `debug: true`
53
- - Exposed stack traces: error handlers returning full stack
85
+ - Debug mode: `DEBUG=true`, `debug: true` in production config
86
+ - Exposed stack traces in error handlers
87
+ - CORS wildcard: `Access-Control-Allow-Origin: *`
88
+
89
+ ## Phase 3: Native Module Audit (CWE-120)
54
90
 
55
- **File System:**
56
- - Path traversal: unvalidated file paths, `../` in user input
57
- - Unsafe file uploads: no extension/MIME validation
91
+ Run these checks:
92
+ ```bash
93
+ find node_modules -name "*.node" -type f 2>/dev/null | head -20
94
+ find node_modules -name "binding.gyp" -maxdepth 3 2>/dev/null | head -20
95
+ ```
96
+
97
+ Known native packages with historical buffer overflow CVEs:
98
+ - `sharp` (libvips), `bcrypt` (OpenSSL), `node-canvas` (cairo), `sqlite3`, `grpc`, `bufferutil`
58
99
 
59
- **Configuration:**
60
- - CORS: `Access-Control-Allow-Origin: *`
61
- - Missing security headers (CSP, HSTS, X-Frame-Options)
62
- - HTTP instead of HTTPS in URLs
100
+ Flag native modules not covered by npm audit for manual review.
63
101
 
64
- ### Phase 3: Dependency Chain Risk
102
+ ## Phase 4: Dependency Chain Risk
65
103
 
66
104
  - Count total dependencies (direct + transitive)
67
- - Identify large dependency trees (supply chain risk)
68
- - Check for abandoned packages (no updates in 2+ years)
69
- - Flag packages with very few weekly downloads
105
+ - Identify largest dependency trees (supply chain risk)
106
+ - Check for abandoned packages (>2yr no update)
107
+ - Count native modules in tree
70
108
 
71
- ### Phase 4: Generate Report
109
+ ## Phase 5: Generate Report
72
110
 
73
111
  Save to `.ai/reports/vulnerability-scan-YYYY-MM-DD.md`:
74
112
 
@@ -76,25 +114,43 @@ Save to `.ai/reports/vulnerability-scan-YYYY-MM-DD.md`:
76
114
  ## Vulnerability Scan Report
77
115
 
78
116
  ### Summary
79
- | Severity | Count |
80
- |----------|-------|
81
- | Critical | X |
82
- | High | X |
83
- | Medium | X |
84
- | Low | X |
117
+ | Severity | Dependency Issues | Code Issues | Total |
118
+ |----------|------------------|-------------|-------|
119
+ | Critical | X | X | X |
120
+ | High | X | X | X |
121
+ | Medium | X | X | X |
122
+ | Low | X | X | X |
123
+
124
+ ### Findings by CWE Category
125
+ | CWE | Category | Dep. Issues | Code Issues | Severity |
126
+ |-----|----------|-------------|-------------|----------|
127
+ | CWE-78 | Command Injection | 0 | 2 | Critical |
128
+ | CWE-770 | Allocation Without Limits | 4 | 1 | High |
129
+ | CWE-835 | Infinite Loop | 2 | 0 | High |
130
+ | CWE-409 | Decompression Bomb | 0 | 1 | High |
131
+ | CWE-674 | Uncontrolled Recursion | 1 | 0 | Medium |
132
+ | CWE-434 | Arbitrary File Upload | 0 | 1 | Medium |
85
133
 
86
134
  ### Dependency Vulnerabilities
87
- | Package | Severity | Description | Fix |
88
- |---------|----------|-------------|-----|
89
- | lodash@4.17.15 | High | Prototype pollution | Upgrade to 4.17.21 |
135
+ | Package | Severity | CWE | Description | Fix |
136
+ |---------|----------|-----|-------------|-----|
137
+ | tar@6.1.11 | High | CWE-409 | Decompression bomb | Upgrade to 6.2.0 |
90
138
 
91
139
  ### Code Vulnerabilities
92
- | File:Line | Severity | Type | Description |
93
- |-----------|----------|------|-------------|
94
- | src/auth.ts:42 | Critical | Hardcoded secret | JWT key in source |
140
+ | File:Line | Severity | CWE | Type | Description |
141
+ |-----------|----------|-----|------|-------------|
142
+ | src/auth.ts:42 | Critical | CWE-798 | Hardcoded secret | JWT key in source |
143
+ | src/upload.ts:10 | High | CWE-434 | File upload | multer without fileFilter |
144
+
145
+ ### Native Modules
146
+ | Package | Type | Has Advisories | Notes |
147
+ |---------|------|----------------|-------|
148
+ | sharp@0.32.1 | binding.gyp | Yes (2 high) | Image processing |
149
+ | bcrypt@5.1.0 | binding.gyp | No | Manual review recommended |
95
150
 
96
151
  ### Dependency Health
97
152
  - Total dependencies: X (direct: Y, transitive: Z)
153
+ - Native modules: X
98
154
  - Outdated: X packages
99
155
  - Abandoned (>2yr no update): X packages
100
156
 
@@ -108,10 +164,10 @@ Save to `.ai/reports/vulnerability-scan-YYYY-MM-DD.md`:
108
164
 
109
165
  ## Rules
110
166
 
111
- - **Run real tools** — don't guess, run `npm audit`, `pip audit`, etc.
112
- - **Be specific** — exact package versions, file:line references, CVE numbers when available
167
+ - **Run real tools** — don't guess, run `npm audit --json`, `pip audit`, etc.
168
+ - **Classify by CWE** — every finding should have a CWE number
169
+ - **Be specific** — exact package versions, file:line references, CVE/GHSA numbers
113
170
  - **Prioritize by exploitability** — a reachable RCE is worse than a theoretical DoS
114
171
  - **Include fix instructions** — "upgrade X to Y" or "replace pattern A with B"
115
172
  - **Never output actual secret values** — say "hardcoded secret found at file:line", don't print it
116
173
  - Save the report to `.ai/reports/vulnerability-scan-YYYY-MM-DD.md`
117
- - **Always end the report with:** `---` followed by `*Generated by [VyuhLabs DXKit](https://www.npmjs.com/package/@vyuhlabs/dxkit) vulnerability-scanner agent*`