feat(tools): get_dependency_blast_radius + manus-use blast-radius CLI#63
Merged
Conversation
manus-use
pushed a commit
that referenced
this pull request
Jun 29, 2026
…n PRs roadmap, and changelog section - poc-search subcommand (PR #62): multi-source PoC aggregator (trickest, VulnCheck KEV, Exploit-DB, GitHub, NVD) - changelog subcommand (PR #66): conventional-commit release automation - VulnCheck enrichment section: VULNCHECK_API_KEY optional, vulncheck-kev + nist-nvd2 indexes - Updated 8-step VI pipeline description to include VulnCheck KEV in step 2, patch diff/exploit complexity/version range in step 6 - Coming Soon table: 9 open PRs (#51 silent-patches, #53 cve-timeline, #54 version-range, #58 vendor-response, #60 poc-freshness, #63 blast-radius, #64 sbom-scan, #65 temporal-priority, #67 cluster-variants) - Updated built-in tools list to mention VulnCheck KEV and new VI tools - Added Changelog section linking to CHANGELOG.md - Updated Table of Contents with Changelog entry - Expanded Security examples to include poc-search and changelog
Owner
Author
|
Closing to reopen after repo rename — fixes lint failures |
added 4 commits
June 29, 2026 16:10
…mmand Adds a new tool that estimates how broadly a CVE can propagate by measuring downstream exposure of each affected package. Tool: get_dependency_blast_radius(spec, max_packages=10) - spec can be a CVE ID (e.g. CVE-2021-44228) or package@version (e.g. requests@2.28.0, npm:lodash@4.17.20) - Resolves affected packages from NVD CPE configs, OSV.dev, and GitHub Advisory Database (GHSA) in parallel - Deduplicates packages across sources before enrichment - Enriches each package with ecosystem-specific download/dependent stats: * npm → npm search API (dependent count) + npm downloads API * PyPI → PyPI JSON API + pypistats.org * Maven → Maven Central Solr search - Labels each package CRITICAL / HIGH / MEDIUM / LOW / UNKNOWN based on weekly downloads (≥5M→CRITICAL) or npm dependent count (≥50K→CRITICAL) - Returns human-readable text or structured dict depending on caller CLI: manus-use blast-radius <SPEC> [--output text|json] [--max-packages N] manus-use blast-radius CVE-2021-44228 manus-use blast-radius requests@2.28.0 manus-use blast-radius CVE-2021-44228 --output json | jq .summary Agent: registered in VulnerabilityIntelligenceAgent tool list + Step 6c in the system prompt; agent now annotates reports with blast-radius label and flags CRITICAL exposure prominently. Tests: 74 new tests covering all helper functions and the full pipeline (all external HTTP mocked; zero real network calls) Free APIs used (no key required): NVD CVE API, OSV.dev query, GitHub Advisory REST API, npm registry search + downloads API, PyPI JSON API, pypistats.org, Maven Central Solr
…ssignments in tests
fc09357 to
ab51967
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
get_dependency_blast_radius— a new tool that answers "how many downstream projects are actually exposed to this vulnerability?"Given a CVE or
package@versionspec, it:CLI
Files changed
src/manus_use/tools/get_dependency_blast_radius.pysrc/manus_use/cli.pyblast-radiussubcommand + dispatchsrc/manus_use/agents/vi_agent.pytests/test_dependency_blast_radius.pyREADME.mdAPIs used (all free, no keys required)
services.nvd.nist.gov)api.osv.dev)api.github.com/advisories)search.maven.org)Tests
74 new tests, all passing. Full suite: 845 passed.
Closes #(new)