Skip to content

feat(tools): get_dependency_blast_radius + manus-use blast-radius CLI#63

Merged
manus-use merged 4 commits into
mainfrom
feat/dependency-blast-radius
Jun 29, 2026
Merged

feat(tools): get_dependency_blast_radius + manus-use blast-radius CLI#63
manus-use merged 4 commits into
mainfrom
feat/dependency-blast-radius

Conversation

@manus-use

Copy link
Copy Markdown
Owner

Summary

Adds get_dependency_blast_radius — a new tool that answers "how many downstream projects are actually exposed to this vulnerability?"

Given a CVE or package@version spec, it:

  1. Resolves affected packages from three public sources in parallel:
    • NVD CPE configurations
    • OSV.dev query + full vulnerability fetch
    • GitHub Advisory Database (GHSA)
  2. Deduplicates across sources by (name, ecosystem)
  3. Enriches each package with real download/dependent stats:
    • npm → npm registry search API (dependent count) + npm downloads API (weekly/monthly)
    • PyPI → PyPI JSON API (metadata) + pypistats.org (weekly/monthly downloads)
    • Maven → Maven Central Solr search (artifact metadata, version count)
  4. Labels blast radius per package:
    Label Weekly downloads or npm dependents
    CRITICAL ≥ 5 M downloads or ≥ 50 K dependents
    HIGH ≥ 500 K downloads or ≥ 5 K dependents
    MEDIUM ≥ 50 K downloads or ≥ 500 dependents
    LOW any measurable signal
    UNKNOWN no data available

CLI

manus-use blast-radius CVE-2021-44228
manus-use blast-radius requests@2.28.0
manus-use blast-radius npm:lodash@4.17.20
manus-use blast-radius CVE-2021-44228 --output json | jq .summary
manus-use blast-radius CVE-2021-44228 --output json | jq '.packages[0].blast_radius'

Files changed

File Change
src/manus_use/tools/get_dependency_blast_radius.py ✨ new tool (22 KB)
src/manus_use/cli.py blast-radius subcommand + dispatch
src/manus_use/agents/vi_agent.py ✨ import + tool list + Step 6c in system prompt
tests/test_dependency_blast_radius.py ✨ 74 new tests (all HTTP mocked)
README.md 📝 full subcommand docs + examples

APIs used (all free, no keys required)

  • NVD CVE API (services.nvd.nist.gov)
  • OSV.dev query API (api.osv.dev)
  • GitHub Advisory REST API (api.github.com/advisories)
  • npm registry search + downloads API
  • PyPI JSON API + pypistats.org
  • Maven Central Solr search (search.maven.org)

Tests

74 new tests, all passing. Full suite: 845 passed.

tests/test_dependency_blast_radius.py  74 passed in 1.39s
full suite                            845 passed, 3 deselected, 2 warnings

Closes #(new)

manus-use pushed a commit that referenced this pull request Jun 29, 2026
…n PRs roadmap, and changelog section

- poc-search subcommand (PR #62): multi-source PoC aggregator (trickest, VulnCheck KEV, Exploit-DB, GitHub, NVD)
- changelog subcommand (PR #66): conventional-commit release automation
- VulnCheck enrichment section: VULNCHECK_API_KEY optional, vulncheck-kev + nist-nvd2 indexes
- Updated 8-step VI pipeline description to include VulnCheck KEV in step 2, patch diff/exploit complexity/version range in step 6
- Coming Soon table: 9 open PRs (#51 silent-patches, #53 cve-timeline, #54 version-range, #58 vendor-response, #60 poc-freshness, #63 blast-radius, #64 sbom-scan, #65 temporal-priority, #67 cluster-variants)
- Updated built-in tools list to mention VulnCheck KEV and new VI tools
- Added Changelog section linking to CHANGELOG.md
- Updated Table of Contents with Changelog entry
- Expanded Security examples to include poc-search and changelog
@manus-use

Copy link
Copy Markdown
Owner Author

Closing to reopen after repo rename — fixes lint failures

@manus-use manus-use closed this Jun 29, 2026
@manus-use manus-use reopened this Jun 29, 2026
Patch 🩹 added 4 commits June 29, 2026 16:10
…mmand

Adds a new tool that estimates how broadly a CVE can propagate by
measuring downstream exposure of each affected package.

Tool: get_dependency_blast_radius(spec, max_packages=10)
  - spec can be a CVE ID (e.g. CVE-2021-44228) or package@version
    (e.g. requests@2.28.0, npm:lodash@4.17.20)
  - Resolves affected packages from NVD CPE configs, OSV.dev, and
    GitHub Advisory Database (GHSA) in parallel
  - Deduplicates packages across sources before enrichment
  - Enriches each package with ecosystem-specific download/dependent stats:
    * npm  → npm search API (dependent count) + npm downloads API
    * PyPI → PyPI JSON API + pypistats.org
    * Maven → Maven Central Solr search
  - Labels each package CRITICAL / HIGH / MEDIUM / LOW / UNKNOWN based
    on weekly downloads (≥5M→CRITICAL) or npm dependent count (≥50K→CRITICAL)
  - Returns human-readable text or structured dict depending on caller

CLI: manus-use blast-radius <SPEC> [--output text|json] [--max-packages N]
  manus-use blast-radius CVE-2021-44228
  manus-use blast-radius requests@2.28.0
  manus-use blast-radius CVE-2021-44228 --output json | jq .summary

Agent: registered in VulnerabilityIntelligenceAgent tool list + Step 6c
  in the system prompt; agent now annotates reports with blast-radius
  label and flags CRITICAL exposure prominently.

Tests: 74 new tests covering all helper functions and the full pipeline
  (all external HTTP mocked; zero real network calls)

Free APIs used (no key required):
  NVD CVE API, OSV.dev query, GitHub Advisory REST API,
  npm registry search + downloads API, PyPI JSON API,
  pypistats.org, Maven Central Solr
@manus-use manus-use force-pushed the feat/dependency-blast-radius branch from fc09357 to ab51967 Compare June 29, 2026 16:10
@manus-use manus-use merged commit b45de00 into main Jun 29, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant