Finds known vulnerabilities in your dependencies using yavdb as the source agregator of vulnerabilities.
Thanks to the amazing work done by libraries.io all the dependency manifest parsing is handled by bibliothecary and this means we have support for more than 20 package managers. Due to the limited sources of information we only have identified vulnerabilities for the ones listed in yavdb.
This projects aims to provide an OSS alternative to identify known vulnerabilities for your dependencies. Although it makes a good effort in doing this, there is no assurance it is finding all the publicly available vulnerabilities. The maintainers take no responsibility for any harm caused by you relying on it. Use as a complement to other tools at your own risk.
- NPM
- RubyGems
- Maven
- Nuget
- Packagist
- Pypi
- Go
- Ruby 2.3 or newer
- Bundler
gem install bundler
gem install dependency_spy
Check current directory project
depspy
- Version Comparison
- Ignore vulnerabilities
- Improve output formatters
- Add more output options
Commands:
depspy check # Check dependencies for known vulnerabilities
depspy help [COMMAND] # Describe available commands or one specific command
depspy update # Update known vulnerabilities database
Options:
[--verbose], [--no-verbose]
d, [--vuln-db-path=VULN-DB-PATH] # Default: <HOME>/.yavdb/yavdb
After checking out the repo, run bin/setup
to install dependencies.
Then, run bundle exec rake spec
to run the tests.
You can also run bin/console
for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run bundle exec rake install
.
To release a new version, update the version number in version.rb
, and then run bundle exec rake release
,
which will create a git tag for the version,
push git commits and tags, and push the .gem
file to rubygems.org.
Bug reports and pull requests are welcome on GitHub at https://github.com/rtfpessoa/dependency_spy. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.
Copyright (c) 2017-present Rodrigo Fernandes. See LICENSE for details.