feat(security): dependency vulnerability scanner #562

Merged
jmiller merged 1 commit from feat/dependency-scanner into dev 2026-06-07 16:12:32 +00:00
Owner

Summary

  • Add dependency vulnerability scanner module that checks project dependencies against known CVEs via the OSV.dev API
  • Parses go.mod, package.json, composer.json, and requirements.txt
  • Wire into existing scanner orchestrator for automatic push-time scanning

Closes #551

Details

  • Implements the existing Scanner interface (Type, ScanCommit, ScanTree)
  • Batch queries OSV.dev (up to 1000 deps per request, 30s timeout)
  • CVSS v3 vector string parsing for severity mapping (Critical/High/Medium/Low)
  • Defaults to Medium severity when no CVSS data is available
  • Fingerprint dedup via sha256(vuln_id + package + version)
  • Skips vendor/, node_modules/, testdata/ directories
  • Reuses existing security_alert table (no migration needed)

Test plan

  • Verify build compiles on server
  • Push to a repo with a go.mod containing a known vulnerable dependency
  • Confirm alerts appear in the Security tab with correct CVE IDs and severity
  • Test with package.json, composer.json, requirements.txt repos
  • Verify dedup - re-push should update existing alerts, not create duplicates
  • Test with DependScanner disabled in repo settings - should skip scanning
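The Details section above describes three mechanisms without showing them: CVSS v3 vector parsing for the Critical/High/Medium/Low mapping (with Medium as the fallback when no CVSS data exists), the sha256(vuln_id + package + version) dedup fingerprint, and batching OSV.dev queries at 1000 dependencies per request. The following is an added example in Go written for this page; it is not code from the PR or from the project. It assumes the CVSS v3.1 base-score formula and Roundup function as published in the specification, the request shape of the public OSV.dev querybatch endpoint, a NUL separator inside the fingerprint (the PR does not state its join format), and that an unparsable vector is treated like missing data (Medium). The function names, the `OSVQuery` type and the sample IDs are hypothetical.

```go
// Added example (not the PR's code): CVSS v3 vector -> severity with a Medium
// default, sha256 dedup fingerprint, and OSV querybatch chunking at 1000 entries.
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
	"strings"
)

// Base-metric weights from the CVSS v3.1 specification (PR depends on scope).
var cvssWeights = map[string]map[string]float64{
	"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
	"AC": {"L": 0.77, "H": 0.44},
	"UI": {"N": 0.85, "R": 0.62},
	"C":  {"H": 0.56, "L": 0.22, "N": 0},
	"I":  {"H": 0.56, "L": 0.22, "N": 0},
	"A":  {"H": 0.56, "L": 0.22, "N": 0},
}

// roundUp is the CVSS v3.1 Roundup: round up to one decimal, computed on
// integer hundred-thousandths so floating-point noise cannot flip a score.
func roundUp(x float64) float64 {
	n := int(math.Round(x * 100000))
	if n%10000 == 0 {
		return float64(n) / 100000
	}
	return (math.Floor(float64(n)/10000) + 1) / 10
}

// CVSS3BaseScore parses "CVSS:3.x/AV:../AC:../PR:../UI:../S:../C:../I:../A:.."
// and returns the base score; malformed or incomplete vectors yield an error.
func CVSS3BaseScore(vector string) (float64, error) {
	parts := strings.Split(vector, "/")
	if len(parts) < 9 || !strings.HasPrefix(parts[0], "CVSS:3.") {
		return 0, fmt.Errorf("not a CVSS v3 vector: %q", vector)
	}
	m := map[string]string{}
	for _, p := range parts[1:] {
		kv := strings.SplitN(p, ":", 2)
		if len(kv) != 2 {
			return 0, fmt.Errorf("malformed metric %q", p)
		}
		m[kv[0]] = kv[1]
	}
	scope := m["S"]
	if scope != "U" && scope != "C" {
		return 0, fmt.Errorf("missing or invalid metric S")
	}
	prWeights := map[string]float64{"N": 0.85, "L": 0.62, "H": 0.27} // scope unchanged
	if scope == "C" {
		prWeights = map[string]float64{"N": 0.85, "L": 0.68, "H": 0.50} // scope changed
	}
	pr, ok := prWeights[m["PR"]]
	if !ok {
		return 0, fmt.Errorf("missing or invalid metric PR")
	}
	var vals [6]float64
	for idx, name := range []string{"AV", "AC", "UI", "C", "I", "A"} {
		v, found := cvssWeights[name][m[name]]
		if !found {
			return 0, fmt.Errorf("missing or invalid metric %s", name)
		}
		vals[idx] = v
	}
	av, ac, ui, conf, integ, avail := vals[0], vals[1], vals[2], vals[3], vals[4], vals[5]
	iss := 1 - (1-conf)*(1-integ)*(1-avail)
	impact := 6.42 * iss
	if scope == "C" {
		impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
	}
	exploitability := 8.22 * av * ac * pr * ui
	if impact <= 0 {
		return 0, nil
	}
	if scope == "U" {
		return roundUp(math.Min(impact+exploitability, 10)), nil
	}
	return roundUp(math.Min(1.08*(impact+exploitability), 10)), nil
}

// Severity maps a base score onto the buckets the scanner stores.
func Severity(score float64) string {
	switch {
	case score >= 9.0:
		return "Critical"
	case score >= 7.0:
		return "High"
	case score >= 4.0:
		return "Medium"
	case score > 0:
		return "Low"
	}
	return "None"
}

// SeverityForVector applies the PR's rule: no CVSS data -> Medium. Treating an
// unparsable vector the same way is this example's assumption.
func SeverityForVector(vector string) string {
	if vector == "" {
		return "Medium"
	}
	score, err := CVSS3BaseScore(vector)
	if err != nil {
		return "Medium"
	}
	return Severity(score)
}

// Fingerprint is the dedup key sha256(vuln_id + package + version); the NUL
// separator keeps "ab"+"c" and "a"+"bc" from colliding (example's choice).
func Fingerprint(vulnID, pkg, version string) string {
	sum := sha256.Sum256([]byte(vulnID + "\x00" + pkg + "\x00" + version))
	return hex.EncodeToString(sum[:])
}

// OSVQuery mirrors one entry of an OSV.dev /v1/querybatch request body.
type OSVQuery struct {
	Package struct {
		Name      string `json:"name"`
		Ecosystem string `json:"ecosystem"`
	} `json:"package"`
	Version string `json:"version"`
}

const maxBatch = 1000 // OSV.dev batch size used by the PR

// Batches splits the dependency list into request-sized chunks.
func Batches(queries []OSVQuery) [][]OSVQuery {
	var out [][]OSVQuery
	for len(queries) > 0 {
		n := maxBatch
		if len(queries) < n {
			n = len(queries)
		}
		out = append(out, queries[:n])
		queries = queries[n:]
	}
	return out
}

func main() {
	for _, v := range []string{"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", ""} {
		fmt.Printf("%q -> %s\n", v, SeverityForVector(v))
	}
	// Constructed sample IDs, not real advisory or package names.
	fmt.Println(Fingerprint("OSV-EXAMPLE-0001", "example.com/pkg", "v1.2.3"))
}
```

Scores and buckets follow the spec, so the same vector always lands in the same severity; the fingerprint changes whenever the version changes, which is what makes a re-push update an existing alert rather than create a duplicate.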
jmiller added 1 commit 2026-06-07 15:33:06 +00:00
feat(security): add dependency vulnerability scanner (#551)
Generic: Repo Health / Scripts governance (push) Blocked by required conditions
Generic: Repo Health / Repository health (push) Blocked by required conditions
Generic: Repo Health / Report Issues (push) Blocked by required conditions
Generic: Repo Health / Site Health (push) Has been skipped
Generic: Repo Health / Access control (push) Successful in 1s
Universal: PR Check / Build RC Package (pull_request) Blocked by required conditions
Universal: PR Check / Report Issues (pull_request) Blocked by required conditions
Generic: Repo Health / Scripts governance (pull_request) Blocked by required conditions
Generic: Repo Health / Repository health (pull_request) Blocked by required conditions
Generic: Repo Health / Report Issues (pull_request) Blocked by required conditions
Branch Policy Check / Verify merge target (pull_request) Successful in 1s
Generic: Repo Health / Site Health (pull_request) Has been skipped
Universal: PR Check / Branch Policy (pull_request) Successful in 1s
Generic: Repo Health / Access control (pull_request) Successful in 1s
PR RC Release / Build RC Release (pull_request) Successful in 3s
Universal: PR Check / Validate PR (pull_request) Failing after 6s
Branch Cleanup / Delete merged branch (pull_request) Successful in 2s
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || 'development' }}) (pull_request) Successful in 1m22s
18fc79fa0a
Add dependency scanner module that parses manifest files (go.mod,
package.json, composer.json, requirements.txt) and checks dependencies
against the OSV.dev API for known CVEs. Implements the existing Scanner
interface and wires into the orchestrator for push-time scanning.
jmiller merged commit 75316bf80a into dev 2026-06-07 16:12:32 +00:00
jmiller deleted branch feat/dependency-scanner 2026-06-07 16:12:33 +00:00