Dependency Scanning
Scan your project dependencies for known CVE vulnerabilities. Scanning uses a local database, so no external API calls are required.
How It Works
Dependency scanning:
- Parses `.csproj` files for `PackageReference` items
- Matches packages against the local CVE database
- Reports vulnerabilities with severity and remediation
```csharp
builder.Services.AddPrimusSecurity(opts =>
{
    opts.EnableDependencyScanning = true;
    opts.CveDatabasePath = "data/cve-database.db";
});
```
Setting Up the CVE Database
Because Primus Security is offline-first, you must provide the CVE database.
Option 1: Use Pre-built Database
Download from your internal package repository or build from source.
Option 2: Build from GitHub Advisory Database
```bash
# Clone the advisory database
git clone https://github.com/github/advisory-database.git

# Run the aggregator tool
dotnet run --project tools/PrimusSaaS.Security.DataAggregator -- \
  "path/to/advisory-database" \
  "data/cve-database.db"
```
Option 3: Update Regularly
Set up a scheduled job to refresh the database weekly:
```yaml
# .github/workflows/update-cve.yml
name: Update CVE Database
on:
  schedule:
    - cron: '0 0 * * 0' # Weekly
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Update CVE Database
        run: ./scripts/update-cve-database.sh
```
API Usage
Scan Dependencies
```csharp
[HttpPost("scan-dependencies")]
public async Task<IActionResult> ScanDependencies([FromBody] ScanRequest request)
{
    var result = await _scanner.ScanAsync(request.Path);
    var depFindings = result.Findings
        .Where(f => f.Category == "Dependency")
        .ToList();
    return Ok(new
    {
        VulnerablePackages = depFindings.Count,
        Findings = depFindings
    });
}
```
Response
```json
{
  "vulnerablePackages": 2,
  "findings": [
    {
      "ruleId": "CVE-2024-21907",
      "severity": "High",
      "title": "Newtonsoft.Json < 13.0.3",
      "description": "Improper handling of exceptional conditions",
      "remediation": "Upgrade to Newtonsoft.Json 13.0.3 or later"
    }
  ]
}
```
Supported Package Managers
| Ecosystem | File | Status |
|---|---|---|
| .NET (NuGet) | .csproj | Supported |
| Node.js (npm) | package.json | Planned |
| Python (pip) | requirements.txt | Planned |
| Java (Maven) | pom.xml | Planned |
Configuration Options
```json
{
  "PrimusSecurity": {
    "EnableDependencyScanning": true,
    "CveDatabasePath": "data/cve-database.db",
    "IgnoredCves": ["CVE-2021-12345"],
    "MinimumSeverity": "Medium"
  }
}
```
| Option | Description |
|---|---|
| CveDatabasePath | Path to the SQLite CVE database |
| IgnoredCves | CVEs to ignore (accepted risk) |
| MinimumSeverity | Only report findings of this severity and above |
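The example below is an added illustration, not Primus Security's own code, of the three steps listed under How It Works combined with the `IgnoredCves` and `MinimumSeverity` options above. It assumes a constructed project file, an in-memory advisory list standing in for the SQLite database (the real schema is not documented on this page), a made-up package `Contoso.Example`, and the placeholder identifier `CVE-0000-00001`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

// Constructed sample project file; the versions and Contoso.Example are made up for the demo.
const string csproj = @"<Project Sdk=""Microsoft.NET.Sdk""><ItemGroup>
  <PackageReference Include=""Newtonsoft.Json"" Version=""13.0.1"" />
  <PackageReference Include=""Contoso.Example"" Version=""1.0.0"" />
</ItemGroup></Project>";
// Constructed stand-in for the SQLite database; the first row mirrors the sample response, CVE-0000-00001 is a placeholder.
var db = new[]
{
    new Advisory("Newtonsoft.Json", new Version("13.0.3"), "CVE-2024-21907", "High"),
    new Advisory("Contoso.Example", new Version("1.2.0"), "CVE-0000-00001", "Low"),
};
// Same settings as the appsettings.json fragment: MinimumSeverity "Medium" suppresses the Low finding.
foreach (var line in CsprojScanner.Scan(csproj, db, new HashSet<string> { "CVE-2021-12345" }, "Medium"))
    Console.WriteLine(line);

record Advisory(string Package, Version FixedIn, string CveId, string Severity);

static class CsprojScanner
{
    static readonly string[] SeverityOrder = { "Low", "Medium", "High", "Critical" };
    // Parse <PackageReference Include=".." Version=".."/> items; Version may also be a child element.
    public static IEnumerable<(string Name, Version Version)> ParsePackageReferences(string xml)
    {
        foreach (var e in XDocument.Parse(xml).Descendants().Where(x => x.Name.LocalName == "PackageReference"))
        {
            var name = (string?)e.Attribute("Include");
            var ver = (string?)e.Attribute("Version") ?? e.Elements().FirstOrDefault(c => c.Name.LocalName == "Version")?.Value;
            // System.Version rejects SemVer pre-release tags (e.g. 1.0.0-beta); real code should use NuGet.Versioning.
            if (name != null && Version.TryParse(ver, out var parsed))
                yield return (name, parsed);
        }
    }
    // Flag references below the fixed version, skipping accepted-risk CVEs and severities under the threshold.
    public static List<string> Scan(string xml, IEnumerable<Advisory> db, ISet<string> ignored, string minSeverity)
    {
        int minRank = Array.IndexOf(SeverityOrder, minSeverity); // unknown severity strings rank as -1
        var findings = new List<string>();
        foreach (var (name, version) in ParsePackageReferences(xml))
            foreach (var a in db.Where(adv => string.Equals(adv.Package, name, StringComparison.OrdinalIgnoreCase)))
            {
                if (version >= a.FixedIn || ignored.Contains(a.CveId)) continue;
                if (Array.IndexOf(SeverityOrder, a.Severity) < minRank) continue;
                findings.Add($"{a.CveId} [{a.Severity}] {name} {version}: upgrade to {a.FixedIn} or later");
            }
        return findings;
    }
}
```

Running it prints only the Newtonsoft.Json line; the Contoso.Example finding is dropped by the Medium threshold, and any CVE listed in `IgnoredCves` would be dropped regardless of severity.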
Next Steps
| Want to... | See Guide |
|---|---|
| Detect hardcoded secrets | Secret Detection |
| Block builds on vulnerabilities | Policy Engine |
| Add to CI/CD pipeline | CI/CD Integration |