InstallHub
Dependency Vulnerability Scan
Packages that declare dependencies on other marketplace packages inherit any vulnerabilities in those dependencies. The dependency vulnerability scanner checks every declared dependency against the NVD and OSV vulnerability databases and against the BizFirstAI internal advisory feed.
What Is Scanned
The packageDependencies array in manifest.json declares other marketplace packages that this package requires. Each dependency is resolved to a specific version and checked for known CVEs.
manifest.json excerpt:

```json
{
  "packageDependencies": [
    { "packageId": "acme-corp/form-utils", "versionRange": "^1.0.0" },
    { "packageId": "biz-corp/approval-commons", "versionRange": ">=2.0.0 <3.0.0" }
  ]
}
```
Vulnerability Databases
| Database | URL | Update Frequency | Coverage |
|---|---|---|---|
| NVD (National Vulnerability Database) | nvd.nist.gov | Hourly sync | CVSS scores, CVE descriptions, affected version ranges |
| OSV (Open Source Vulnerabilities) | osv.dev | Hourly sync | Open source package vulnerabilities across ecosystems |
| BizFirstAI Internal Advisory | Internal | Real-time | InstallHub-specific package advisories issued by BizFirstGO security team |
DependencyVulnerabilityChecker — How It Works
```csharp
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;

public class DependencyVulnerabilityChecker : ISecurityCheck
{
    // Collaborator interface names are assumed here; the page does not define them.
    private readonly IVersionResolver _versionResolver;
    private readonly IVulnerabilityClient _nvdClient;
    private readonly IVulnerabilityClient _osvClient;
    private readonly IVulnerabilityClient _internalAdvisory;

    public DependencyVulnerabilityChecker(
        IVersionResolver versionResolver,
        IVulnerabilityClient nvdClient,
        IVulnerabilityClient osvClient,
        IVulnerabilityClient internalAdvisory)
    {
        _versionResolver = versionResolver;
        _nvdClient = nvdClient;
        _osvClient = osvClient;
        _internalAdvisory = internalAdvisory;
    }

    public async Task<IReadOnlyList<ScanFinding>> CheckAsync(
        PackageBundle bundle, ScanContext context, CancellationToken ct)
    {
        var findings = new List<ScanFinding>();
        foreach (var dep in bundle.Manifest.PackageDependencies)
        {
            // Resolve the specific version that satisfies the range
            var resolvedVersion = await _versionResolver.ResolveAsync(dep.PackageId, dep.VersionRange, ct);

            // Query all three databases in parallel. C# cannot await a tuple of tasks
            // directly, so start the three queries and wait for all of them with Task.WhenAll.
            var nvdTask = _nvdClient.QueryAsync(dep.PackageId, resolvedVersion, ct);
            var osvTask = _osvClient.QueryAsync(dep.PackageId, resolvedVersion, ct);
            var internalTask = _internalAdvisory.QueryAsync(dep.PackageId, resolvedVersion, ct);
            await Task.WhenAll(nvdTask, osvTask, internalTask);

            // NVD and OSV often list the same CVE; report each CVE once per dependency
            var vulns = (await nvdTask).Concat(await osvTask).Concat(await internalTask)
                .GroupBy(v => v.CveId)
                .Select(g => g.First());

            foreach (var vuln in vulns)
            {
                var severity = MapCvssToSeverity(vuln.CvssScore);
                findings.Add(new ScanFinding
                {
                    Check = "DependencyVulnerability",
                    Severity = severity,
                    ArtifactType = "PackageDependency",
                    ArtifactName = dep.PackageId,
                    Field = "packageDependencies",
                    Value = $"{dep.PackageId}@{resolvedVersion}",
                    Rule = vuln.CveId,
                    Message = $"Dependency '{dep.PackageId}' version '{resolvedVersion}' has {severity} severity vulnerability {vuln.CveId}: {vuln.Description}"
                });
            }
        }
        return findings;
    }

    // Thresholds match the Severity Mapping table below
    private static Severity MapCvssToSeverity(double cvss) => cvss switch
    {
        >= 9.0 => Severity.Critical,
        >= 7.0 => Severity.High,
        >= 4.0 => Severity.Medium,
        _ => Severity.Low
    };
}
```
Severity Mapping
| CVSS Score | Scanner Severity | Scan Result | Action |
|---|---|---|---|
| 9.0–10.0 (Critical) | Critical | FAIL | Import blocked; listing rejected |
| 7.0–8.9 (High) | High | FAIL | Import blocked; listing rejected |
| 4.0–6.9 (Medium) | Medium | WARN | Import proceeds with warning; badge shown |
| 0.1–3.9 (Low) | Low | WARN | Import proceeds with warning; badge shown |
Scan Finding Example
```json
{
  "check": "DependencyVulnerability",
  "result": "WARN",
  "severity": "Medium",
  "findings": [
    {
      "artifactType": "PackageDependency",
      "artifactName": "acme-corp/form-utils",
      "field": "packageDependencies",
      "value": "acme-corp/form-utils@1.0.0",
      "rule": "CVE-2026-12345",
      "message": "Dependency 'acme-corp/form-utils' version '1.0.0' has a Medium severity XSS vulnerability (CVE-2026-12345, CVSS 5.4). Update to version 1.0.1 or later to resolve. See: https://nvd.nist.gov/vuln/detail/CVE-2026-12345"
    }
  ]
}
```
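To show the checker's pipeline end to end (resolve the version range, match advisories, map CVSS to severity exactly as the Severity Mapping table does, collapse a CVE that several databases report into one finding, and roll the findings up into the WARN/FAIL scan result), here is an added Python model of that logic; it is not InstallHub's code. The registry, the advisory records and the CVE-EXAMPLE-0001 id are constructed, the resolver is assumed to pick the highest published version inside the range, and a scan with no findings is assumed to report PASS.

```python
import re
# Constructed data, not a real registry or advisory feed: published versions per package and
# advisory records as the databases would return them. CVE-EXAMPLE-0001 is a placeholder id.
REGISTRY = {
    "acme-corp/form-utils": ["0.9.0", "1.0.0"],
    "biz-corp/approval-commons": ["1.8.0", "2.3.0", "3.0.0"],
}
ADVISORIES = [  # the page's CVE-2026-12345 appears twice, as NVD and OSV would both report it
    {"package": "acme-corp/form-utils", "version": "1.0.0", "cve": "CVE-2026-12345", "cvss": 5.4},
    {"package": "acme-corp/form-utils", "version": "1.0.0", "cve": "CVE-2026-12345", "cvss": 5.4},
    {"package": "biz-corp/approval-commons", "version": "2.3.0", "cve": "CVE-EXAMPLE-0001", "cvss": 9.1},
]
SEVERITIES = ["Low", "Medium", "High", "Critical"]

def parse(v):
    return tuple(int(p) for p in v.split("."))

def satisfies(version, version_range):
    """The two range forms in the manifest excerpt: ^X.Y.Z (for major >= 1) and comparator lists."""
    v = parse(version)
    if version_range.startswith("^"):
        base = parse(version_range[1:])
        return v >= base and v[0] == base[0]
    for op, bound in re.findall(r"(>=|<=|>|<)\s*([\d.]+)", version_range):
        b = parse(bound)
        if not {">=": v >= b, "<=": v <= b, ">": v > b, "<": v < b}[op]:
            return False
    return True

def resolve(package_id, version_range):
    """Assumption: the resolver picks the highest published version inside the range."""
    hits = [v for v in REGISTRY.get(package_id, []) if satisfies(v, version_range)]
    return max(hits, key=parse) if hits else None

def map_cvss(cvss):  # same thresholds as MapCvssToSeverity in the checker
    return "Critical" if cvss >= 9.0 else "High" if cvss >= 7.0 else "Medium" if cvss >= 4.0 else "Low"

def scan(manifest):
    findings = {}
    for dep in manifest["packageDependencies"]:
        resolved = resolve(dep["packageId"], dep["versionRange"])
        for adv in ADVISORIES:
            if adv["package"] != dep["packageId"] or adv["version"] != resolved:
                continue
            # Key on (package, CVE) so a CVE reported by several databases yields one finding
            findings.setdefault((dep["packageId"], adv["cve"]), {
                "artifactName": dep["packageId"], "value": f"{dep['packageId']}@{resolved}",
                "rule": adv["cve"], "severity": map_cvss(adv["cvss"])})
    found = list(findings.values())
    worst = max((f["severity"] for f in found), key=SEVERITIES.index, default=None)
    result = "PASS" if worst is None else "FAIL" if worst in ("High", "Critical") else "WARN"
    return {"check": "DependencyVulnerability", "result": result, "severity": worst, "findings": found}
```

Running `scan` over the manifest excerpt above yields one Medium finding for form-utils and one Critical finding for approval-commons, so the overall result is FAIL; with only the form-utils dependency declared, the result is WARN, matching the scan finding example.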
Re-scanning Listed Packages
The marketplace performs a nightly re-scan of all listed packages using the latest vulnerability database snapshots. If a newly discovered CVE affects a listed package's dependencies:
- The package's scan badge is updated to WARN or FAIL
- The publisher receives an email notification with the CVE details and remediation guidance
- A FAIL re-scan suspends new installs of the package — existing installs continue working
- The publisher has 30 days to publish a new version with the vulnerability resolved before the package is unlisted