This scanner compares the dependencies and devDependencies listed in a package.json file against a registry of known issues associated with specific versions. If a listed version matches a known issue, a markdown report is generated automatically, detailing each identified issue. The report also highlights significant changes in dependencies by giving a concise summary of the version changes.
NOTE:
- Currently, the scanner covers Chainlink and OpenZeppelin dependencies, with plans to include more in the near future.
- Additionally, work is underway to extend the scanner's functionality to support projects using Foundry.
Requirements:
- Node.js
- The `semver` npm package
Usage:
- Place the scanner folder at the same level as your package.json file.
- Install the required npm packages:

```shell
npm install semver
```

- Run the scanner:

```shell
node DependencyCheck/scan_project.js
```

- If any vulnerable dependencies are found, a markdown report named dependency_report.md is generated in the scanner directory.
How it works:
- The scanner reads the package.json file to get the list of dependencies and devDependencies.
- It then checks each dependency against the known vulnerabilities in vulnerabilities.json.
- If a vulnerable dependency is found, it is added to the report.
- The report provides details about the vulnerability, including a description, patched versions, and a link to more details.
- Additionally, significant changes in dependencies are listed along with a brief summary of the changes in versions.
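The following is an added, self-contained illustration of the scan loop described above. It is not the project's own scan_project.js, and the registry layout it uses (one entry per package naming the lowest patched version, with everything below it treated as affected) is an assumption made for this example rather than the format of the project's vulnerabilities.json. Both the package.json contents and the advisory entries are constructed sample data. Instead of the `semver` package it uses a small fixed-version parser, and it deliberately surfaces version specs it cannot evaluate (such as `latest` or `*`) in the report rather than silently passing them.

```javascript
// Constructed sample package.json contents (not from any real project).
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    "@openzeppelin/contracts": "^4.7.0",
    "@chainlink/contracts": "0.6.1",
  },
  devDependencies: {
    hardhat: "^2.12.0",
    ethers: "latest",
  },
};

// Constructed sample registry. The ids, descriptions and links are
// placeholders invented for this example; they are not real advisories.
// Every version strictly below `patched` is treated as affected.
const SAMPLE_REGISTRY = {
  "@openzeppelin/contracts": [
    { id: "CONSTRUCTED-EXAMPLE-1", patched: "4.9.3",
      description: "Constructed example advisory", link: "https://example.invalid/1" },
  ],
  hardhat: [
    { id: "CONSTRUCTED-EXAMPLE-2", patched: "2.10.0",
      description: "Constructed example advisory", link: "https://example.invalid/2" },
  ],
  ethers: [
    { id: "CONSTRUCTED-EXAMPLE-3", patched: "6.0.0",
      description: "Constructed example advisory", link: "https://example.invalid/3" },
  ],
};

// Extract the lowest version a spec like "^4.7.0", "~1.2.3" or ">=2.0.0" can
// resolve to. Returns null for specs with no fixed floor ("*", "latest",
// git URLs). Note: package.json gives a range, so the floor is the most
// pessimistic view; the lockfile holds the version actually installed.
function parseVersion(spec) {
  const m = String(spec).trim().match(/^[\s^~>=v]*(\d+)\.(\d+)\.(\d+)/);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric major.minor.patch comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Walk dependencies and devDependencies, collecting findings for every
// registry entry whose patched version is above the declared floor.
function scanDependencies(pkg, registry) {
  const findings = [];
  const unparseable = [];
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const advisories = registry[name];
      if (!advisories) continue; // nothing known about this package
      const floor = parseVersion(spec);
      if (!floor) {
        unparseable.push({ name, spec, section });
        continue;
      }
      for (const adv of advisories) {
        if (compareVersions(floor, parseVersion(adv.patched)) < 0) {
          findings.push({ name, spec, section, ...adv });
        }
      }
    }
  }
  return { findings, unparseable };
}

// Render the scan result as markdown, one section per finding.
function renderReport({ findings, unparseable }) {
  const lines = ["# Dependency report", ""];
  if (findings.length === 0) lines.push("No known issues found.", "");
  for (const f of findings) {
    lines.push(`## ${f.name} (${f.section}: ${f.spec})`);
    lines.push(`- Issue: ${f.id}`);
    lines.push(`- Description: ${f.description}`);
    lines.push(`- Patched in: ${f.patched}`);
    lines.push(`- Details: ${f.link}`);
    lines.push("");
  }
  if (unparseable.length > 0) {
    lines.push("## Could not evaluate");
    for (const u of unparseable) {
      lines.push(`- ${u.name} (${u.section}): "${u.spec}" has no fixed version floor; check the lockfile`);
    }
  }
  return lines.join("\n");
}

console.log(renderReport(scanDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_REGISTRY)));
```

With the sample data above, `@openzeppelin/contracts` is reported because its floor 4.7.0 is below the constructed patched version 4.9.3, `hardhat` is not (2.12.0 is above 2.10.0), and `ethers` lands in the "Could not evaluate" section because `latest` carries no version to compare.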
Examples:
Here are some examples from previous audits where the scanner was used:
Contributions to improve the scanner are welcome! Please open an issue or contact [email protected].