""" 📦 Dependency Analyzer Check for outdated packages, CVEs, and unused dependencies """ from typing import Dict, List, Any, Optional import re import json import subprocess import logging from pathlib import Path logger = logging.getLogger(__name__) class DependencyAnalyzer: """Analyze project dependencies for security and optimization""" @staticmethod def parse_package_json(file_path: str) -> Optional[Dict[str, Any]]: """Parse package.json file""" try: with open(file_path, 'r', encoding='utf-8') as f: return json.load(f) except Exception as e: logger.error(f"Failed to parse package.json: {e}") return None @staticmethod def parse_requirements_txt(file_path: str) -> List[Dict[str, str]]: """Parse requirements.txt file""" dependencies = [] try: with open(file_path, 'r', encoding='utf-8') as f: for line in f: line = line.strip() if line and not line.startswith('#'): # Parse package==version or package>=version match = re.match(r'([a-zA-Z0-9_-]+)([>=<]+)?([\d.]+)?', line) if match: dependencies.append({ "name": match.group(1), "version": match.group(3) or "latest", "operator": match.group(2) or "==" }) except Exception as e: logger.error(f"Failed to parse requirements.txt: {e}") return dependencies @staticmethod def check_known_vulnerabilities(package_name: str, version: str) -> List[Dict[str, Any]]: """Check for known CVEs (simplified - would integrate with OSV/Snyk API)""" # Simplified vulnerability database known_issues = { "lodash": { "versions": ["<4.17.21"], "cves": ["CVE-2021-23337", "CVE-2020-28500"], "severity": "high", "description": "Prototype pollution vulnerability" }, "axios": { "versions": ["<0.21.1"], "cves": ["CVE-2020-28168"], "severity": "medium", "description": "SSRF vulnerability" }, "requests": { "versions": ["<2.31.0"], "cves": ["CVE-2023-32681"], "severity": "medium", "description": "Proxy-Authorization header leak" } } issues = [] if package_name in known_issues: vuln = known_issues[package_name] issues.append({ "package": package_name, "current_version": version, "vulnerable_versions": vuln["versions"], "cves": vuln["cves"], "severity": vuln["severity"], "description": vuln["description"], "recommendation": "Update to latest version" }) return issues @staticmethod def check_outdated_packages(dependencies: List[Dict[str, str]], ecosystem: str = "npm") -> List[Dict[str, Any]]: """Check which packages are outdated""" outdated = [] # Simplified version checking (would integrate with npm/PyPI API) for dep in dependencies: name = dep.get("name") version = dep.get("version", "0.0.0") # Mock outdated check if version.startswith("0.") or version.startswith("1."): outdated.append({ "package": name, "current": version, "latest": "2.0.0", # Mock latest version "age": "Very old", "recommendation": f"Update to 2.0.0" }) return outdated @classmethod def analyze_dependencies(cls, project_path: str) -> Dict[str, Any]: """Full dependency analysis""" project_path = Path(project_path) results = { "dependencies": [], "vulnerabilities": [], "outdated": [], "unused": [], "stats": {} } # Check for package.json (Node.js) package_json_path = project_path / "package.json" if package_json_path.exists(): pkg_data = cls.parse_package_json(str(package_json_path)) if pkg_data: deps = pkg_data.get("dependencies", {}) dev_deps = pkg_data.get("devDependencies", {}) all_deps = [] for name, version in {**deps, **dev_deps}.items(): all_deps.append({"name": name, "version": version.lstrip("^~")}) results["dependencies"] = all_deps # Check vulnerabilities for dep in all_deps: vulns = cls.check_known_vulnerabilities(dep["name"], dep["version"]) results["vulnerabilities"].extend(vulns) # Check outdated results["outdated"] = cls.check_outdated_packages(all_deps, "npm") # Check for requirements.txt (Python) requirements_path = project_path / "requirements.txt" if requirements_path.exists(): deps = cls.parse_requirements_txt(str(requirements_path)) results["dependencies"].extend(deps) # Check vulnerabilities for dep in deps: vulns = cls.check_known_vulnerabilities(dep["name"], dep["version"]) results["vulnerabilities"].extend(vulns) # Check outdated outdated = cls.check_outdated_packages(deps, "pip") results["outdated"].extend(outdated) # Generate stats results["stats"] = { "total_dependencies": len(results["dependencies"]), "vulnerabilities_found": len(results["vulnerabilities"]), "outdated_count": len(results["outdated"]), "critical_vulns": sum(1 for v in results["vulnerabilities"] if v.get("severity") == "critical"), "high_vulns": sum(1 for v in results["vulnerabilities"] if v.get("severity") == "high") } return results def format_dependency_report(analysis: Dict[str, Any]) -> str: """Format dependency analysis into readable report""" stats = analysis.get("stats", {}) vulns = analysis.get("vulnerabilities", []) outdated = analysis.get("outdated", []) report = f""" # 📦 Dependency Analysis Report ## 📊 Summary - **Total Dependencies**: {stats.get('total_dependencies', 0)} - **Vulnerabilities**: {stats.get('vulnerabilities_found', 0)} - 🔴 Critical: {stats.get('critical_vulns', 0)} - 🟠 High: {stats.get('high_vulns', 0)} - **Outdated Packages**: {stats.get('outdated_count', 0)} """ if vulns: report += "## 🛡️ Security Vulnerabilities\n\n" for vuln in vulns: severity = vuln.get("severity", "unknown").upper() emoji = "🔴" if severity == "CRITICAL" else "🟠" if severity == "HIGH" else "🟡" report += f"### {emoji} {vuln.get('package')} {vuln.get('current_version')}\n" report += f"**CVEs**: {', '.join(vuln.get('cves', []))}\n" report += f"**Description**: {vuln.get('description')}\n" report += f"**Fix**: {vuln.get('recommendation')}\n\n" if outdated: report += "## 📅 Outdated Packages\n\n" for pkg in outdated[:10]: # Show top 10 report += f"- **{pkg.get('package')}**: {pkg.get('current')} → {pkg.get('latest')}\n" if not vulns and not outdated: report += "✅ **All dependencies are up-to-date and secure!**\n" return report