[REVIEW] dependency-scanning: add override and replacement governance gates

[yanziwei]

Skill Being Reviewed

Skill name: dependency-scanning
Skill path: skills/appsec/dependency-scanning/

False Positive Analysis

Benign override that should not be flagged as a supply-chain bypass:

{
  "dependencies": {
    "webpack": "5.91.0"
  },
  "overrides": {
    "braces": "3.0.3"
  }
}

Why this is not a finding: The override pins a transitive package to a fixed patched version from the same public registry and should be credited when it is documented, represented in the lockfile, and tied to a vulnerability or compatibility issue. The current skill mentions overrides/resolutions as a mitigation, but it does not distinguish governed overrides from risky dependency graph rewrites.

Coverage Gaps

Missed variant 1: npm override redirects a dependency to an unreviewed fork

{
  "overrides": {
    "lodash": "github:unknown-user/lodash#main"
  }
}

Why it should be caught: This bypasses normal registry provenance and lockfile expectations. A scanner may still see a package named lodash, but the artifact source, maintainer, and review path changed.

Missed variant 2: Yarn resolutions downgrade a transitive package below the fixed version

{
  "resolutions": {
    "**/minimist": "0.0.8"
  }
}

Why it should be caught: Resolution blocks can force every transitive copy to a vulnerable version even when direct dependencies would otherwise resolve to a patched version.

Missed variant 3: Go replace points a module to a local path or mutable branch

replace github.com/acme/auth => ../auth
replace github.com/acme/payments => github.com/fork/payments v0.0.0-20260601000000-deadbeef

Why it should be caught: replace is legitimate during development, but production builds need evidence that replacements are intentional, reviewed, immutable, and not local developer paths.

Missed variant 4: Cargo patch shadows crates.io with a git dependency

[patch.crates-io]
ring = { git = "https://github.com/example/ring", branch = "main" }

Why it should be caught: Patch sections can redirect a trusted registry package to mutable source code. The review should require commit pinning, owner approval, and lockfile provenance.

Edge Cases

• Overrides are often the fastest safe fix for transitive CVEs, so the skill should not forbid them categorically.
• Monorepos may use local path replacements for workspace packages in development; production artifact reviews should verify that local paths do not leak into released builds.
• Package-manager lockfiles may record the final resolved artifact but hide the business reason for the override. The review needs both lockfile evidence and human approval evidence.
• Some ecosystems use different names for the same control: npm overrides, Yarn resolutions, pnpm overrides, Go replace, Cargo [patch], Maven dependency management, Gradle constraints, and pip constraints.

Remediation Quality

• Fix resolves the vulnerability
• Fix doesn't introduce new security issues
• Fix doesn't break functionality
• Issues found: Add dependency override and replacement evidence gates requiring source provenance, fixed versions or immutable commits, lockfile reflection, owner approval, expiry/review reason, and validation that overrides do not downgrade below fixed versions.

Comparison to Other Tools

Tool	Catches this?	Notes
npm audit	Partial	Audits the resolved tree but does not explain whether overrides are governed or risky.
osv-scanner	Partial	Can flag vulnerable resolved versions, but does not fully assess override governance.
govulncheck	Partial	Reviews reachable Go vulnerabilities, but replace governance is still a policy review.
cargo audit	Partial	Audits resolved crates, but [patch] source trust and mutable git references need review.
Dependabot	Partial	Can update dependencies, but override/resolution drift can mask or fight updates.

Overall Assessment

Strengths: The skill covers SBOM generation, CVE triage, license risk, transitive dependencies, and typosquatting. It correctly recommends overrides/resolutions as a way to pin critical transitive dependencies.

Needs improvement: The same override mechanisms can also hide vulnerable downgrades, route dependencies to unreviewed forks, or leave local-path replacements in production. The current output has no place to list override source, reason, approver, lockfile evidence, or downgrade impact.

Priority recommendations:

1. Add a dependency override/replacement review section covering npm, Yarn, pnpm, Go, Cargo, Maven/Gradle, and pip constraints.
2. Add DEP-OVERRIDE-* findings for unpinned git/path replacements, vulnerable downgrades, missing approval, and lockfile mismatch.
3. Extend the output template with an override table that records package, mechanism, replacement source, reason, approver, lockfile evidence, and risk.
4. Treat governed fixed-version overrides as acceptable mitigations, not findings.

Sources Checked

• npm package overrides: https://docs.npmjs.com/cli/v11/configuring-npm/package-json#overrides
• Yarn selective dependency resolutions: https://yarnpkg.com/features/resolutions
• pnpm overrides: https://pnpm.io/package_json#pnpmoverrides
• Go modules replace directive: https://go.dev/ref/mod#go-mod-file-replace
• Cargo patch section: https://doc.rust-lang.org/cargo/reference/overriding-dependencies.html
• Current skill reviewed: https://github.com/UnitOneAI/SecuritySkills/blob/main/skills/appsec/dependency-scanning/SKILL.md

Duplicate check performed: searched existing issues and PRs for dependency-scanning overrides resolutions replace directive, npm overrides, pnpm overrides, go.mod replace, cargo patch, and constraint file override; I did not find an existing implementation focused on override/replacement governance.

Bounty Info

• I have read and agree to the CONTRIBUTING.md bounty terms
• Preferred payment method: Payment details can be provided privately after maintainer acceptance.

[Dolpme]

Implemented in PR #1684: #1684