
feat: dependency risk scanner (nightshift deps)#120

Open
boldfield wants to merge 1 commit into marcus:main from boldfield:nightshift/dependency-risk-scanner

Conversation


boldfield commented Apr 14, 2026

Summary

Add nightshift deps subcommand that scans Go module dependencies for security, maintenance, and license risks.

  • Vulnerability scanning: Queries OSV.dev API with proper CVSS 3.1 vector parsing (computes base scores from vector strings per spec, not raw numeric scores)
  • Maintenance health: Checks GitHub repos for archive status and commit recency
  • License detection: Fetches LICENSE files from GitHub, classifies via SPDX keyword matching
  • Error handling: API errors are surfaced to callers (not silently swallowed), partial results returned alongside errors
  • Persistence: Results stored in dep_scans/dep_findings SQLite tables (migration v6)
  • CLI output: Colored terminal output with lipgloss, JSON via --json flag, exit code 1 on critical findings

Iteration 3 fixes

  • Fixed CVSS vector parsing: properly implements CVSS 3.1 spec formula using math.Pow for the impact sub-score exponent (was pow5, should be power of 13 for scope-changed)
  • All three checkers (vulns, maintenance, license) now return errors to callers instead of silently succeeding
  • Scanner returns partial results alongside errors for resilience

Test plan

  • 17 unit tests pass across gomod, vulns, risk, scanner, and store packages
  • Full project test suite passes (go test ./... — 22 packages)
  • CVSS vector parsing verified against known vectors (9.8 critical, 8.8 high, 4.2 medium, 1.8 low)
  • httptest-based tests for OSV.dev API interaction
  • Store round-trip tests verify SQLite persistence
  • Build succeeds cleanly

Add 'nightshift deps' subcommand that scans Go module dependencies for
security vulnerabilities (OSV.dev API), maintenance risks (GitHub API),
and license concerns (GitHub raw content + SPDX matching).

Key implementation details:
- CVSS 3.1 vector parsing computes base scores from vector strings
  (not raw numeric scores) per the CVSS specification
- API errors are surfaced to callers rather than silently swallowed
- Partial results returned alongside errors for resilience
- Concurrent scanning with semaphores (10 for OSV, 5 for GitHub)
- Results persisted to dep_scans/dep_findings SQLite tables
- Colored CLI output with lipgloss, JSON output via --json flag
- Exit code 1 when critical findings detected

Nightshift-Task: dependency-risk
Nightshift-Ref: https://github.com/marcus/nightshift
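The scoring step the summary and the commit message describe, computing the CVSS 3.1 base score from the vector string rather than trusting a pre-computed number, is worth seeing in full, because OSV.dev's severity entries carry the vector string itself in the `score` field, so a scanner that wants a number has to derive it. The Go below is an added example written for this page; it is not code from the boldfield branch or from the marcus/nightshift project, and the names `BaseScore`, `Severity`, `parseVector` and `roundUp` are assumptions. It follows the CVSS v3.1 specification directly: the metric weights from section 7.4, the Roundup function from Appendix A, and the base-score formula from section 7.1. Note that in the spec's base-score formula the scope-changed impact term is raised to the 15th power; the 13th power appears only in the 3.1 environmental (modified impact) formula. Absent or unknown metric values are returned as errors instead of being weighted as zero, which is the same "surface errors, don't swallow them" stance the PR takes for API failures.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Metric weights from the CVSS v3.1 spec (section 7.4); PR depends on Scope.
var (
	wAV  = map[string]float64{"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
	wAC  = map[string]float64{"L": 0.77, "H": 0.44}
	wUI  = map[string]float64{"N": 0.85, "R": 0.62}
	wCIA = map[string]float64{"H": 0.56, "L": 0.22, "N": 0.0}
	wPR  = map[bool]map[string]float64{ // keyed by "scope changed"
		false: {"N": 0.85, "L": 0.62, "H": 0.27},
		true:  {"N": 0.85, "L": 0.68, "H": 0.50},
	}
)

// parseVector splits "CVSS:3.1/AV:N/AC:L/..." into a metric map; absent or unknown values are caught by BaseScore.
func parseVector(vector string) (map[string]string, error) {
	parts := strings.Split(vector, "/")
	if parts[0] != "CVSS:3.1" {
		return nil, fmt.Errorf("unsupported vector prefix in %q", vector)
	}
	m := make(map[string]string, len(parts)-1)
	for _, p := range parts[1:] {
		kv := strings.SplitN(p, ":", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("malformed metric %q in %q", p, vector)
		}
		m[kv[0]] = kv[1]
	}
	return m, nil
}

// roundUp is the spec's Roundup (Appendix A): one decimal place, always upward, via integers to avoid float drift.
func roundUp(x float64) float64 {
	i := int64(math.Round(x * 100000))
	if i%10000 == 0 {
		return float64(i) / 100000.0
	}
	return (math.Floor(float64(i)/10000) + 1) / 10.0
}

// BaseScore computes the CVSS v3.1 base score (spec section 7.1) from a vector string; temporal/environmental metrics are ignored.
func BaseScore(vector string) (float64, error) {
	m, err := parseVector(vector)
	if err != nil {
		return 0, err
	}
	changed := m["S"] == "C"
	if !changed && m["S"] != "U" {
		return 0, fmt.Errorf("missing or invalid value %q for metric S", m["S"])
	}
	// get records the first absent or unknown metric value instead of silently weighting it 0.
	get := func(table map[string]float64, name string) float64 {
		w, ok := table[m[name]]
		if !ok && err == nil {
			err = fmt.Errorf("missing or invalid value %q for metric %s", m[name], name)
		}
		return w
	}
	av, ac, pr, ui := get(wAV, "AV"), get(wAC, "AC"), get(wPR[changed], "PR"), get(wUI, "UI")
	c, i, a := get(wCIA, "C"), get(wCIA, "I"), get(wCIA, "A")
	if err != nil {
		return 0, err
	}
	exploitability := 8.22 * av * ac * pr * ui
	iss := 1 - (1-c)*(1-i)*(1-a)
	impact := 6.42 * iss
	if changed { // base-score formula: the scope-changed term is raised to the 15th power
		impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
	}
	if impact <= 0 {
		return 0, nil
	}
	if changed {
		return roundUp(math.Min(1.08*(impact+exploitability), 10)), nil
	}
	return roundUp(math.Min(impact+exploitability, 10)), nil
}

// Severity maps a score to the spec's rating scale (section 5): None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0.
func Severity(score float64) string {
	names := []string{"NONE", "LOW", "MEDIUM", "HIGH"}
	for i, ceiling := range []float64{0, 3.9, 6.9, 8.9} {
		if score <= ceiling {
			return names[i]
		}
	}
	return "CRITICAL"
}

func main() {
	// Constructed sample vector, in the form OSV.dev returns in severity[].score.
	s, err := BaseScore("CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H")
	fmt.Println(s, Severity(s), err) // 9.9 CRITICAL <nil>
}
```

The integer-based Roundup matters more than it looks: a naive `math.Ceil(x*10)/10` can turn a sum that is mathematically exactly 9.9 into 10.0 because of binary representation error, which in a scanner that exits 1 on critical findings is the difference between a clean and a failed run. Wiring `Severity` to the `--json` output and the exit-code decision keeps the threshold in one place.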
boldfield force-pushed the nightshift/dependency-risk-scanner branch from 8381d7c to edd79cb on April 14, 2026 10:08
