BMAD-METHOD/core/tools/dependency-check.xml


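<?xml version="1.0" encoding="UTF-8"?>
<!--
  Tool definition for the BMAD dependency checker.
  Step 1 detects the project's package manager from the marker files listed under
  detection, steps 2 and 3 run that manager's audit and outdated commands, and
  step 4 renders the result. Values in {braces} are placeholders the executor
  fills in at run time.
-->
<tool id="dependency-check" name="Dependency Checker" standalone="true">
<description>Scan project dependencies for outdated packages and known vulnerabilities</description>
<!-- Caller supplied parameters; all three are optional and have defaults. -->
<parameters>
<!-- {path} is interpolated into step 1. NOTE(review): the executor should hand it to
     the scan as a filesystem path argument, not splice it into a shell command string;
     confirm how placeholders are expanded. -->
<param name="path" required="false" default="." description="Path to project root"/>
<!-- Only the "summary" format has a template in this file; "detailed" and "json"
     are accepted here but not defined below. -->
<param name="output_format" required="false" default="summary" description="Output format: summary, detailed, json"/>
<!-- This scale (low to critical) is for vulnerabilities. Outdated packages are classified
     major/minor/patch in step 3, a different scale; how the threshold applies to them,
     if at all, is not defined in this file. -->
<param name="severity_threshold" required="false" default="low" description="Minimum severity to report: low, medium, high, critical"/>
</parameters>
<!--
  One entry per supported package manager.
  files: a list literal carried inside a single attribute value; the executor has to parse it.
  command: the vulnerability audit command run in step 2.
  outdated_command: the version check command run in step 3.
  Several entries share marker files (package.json for npm, yarn and pnpm; pyproject.toml
  for pip and poetry), so step 1 needs a precedence rule to pick the "primary" manager,
  for example prefer the entry whose lockfile is present; none is defined here.
  Not every command ships with its package manager: pip-audit, govulncheck, cargo audit
  and cargo outdated are separately installed tools, and poetry audit appears to need a
  plugin (verify). A tool that is not installed must surface as such, never as a clean run.
-->
<detection>
<package_manager name="npm" files="['package.json', 'package-lock.json']" command="npm audit" outdated_command="npm outdated --json"/>
<package_manager name="yarn" files="['package.json', 'yarn.lock']" command="yarn audit" outdated_command="yarn outdated --json"/>
<package_manager name="pnpm" files="['package.json', 'pnpm-lock.yaml']" command="pnpm audit" outdated_command="pnpm outdated --format json"/>
<package_manager name="pip" files="['requirements.txt', 'Pipfile', 'pyproject.toml']" command="pip-audit" outdated_command="pip list --outdated --format json"/>
<package_manager name="poetry" files="['pyproject.toml', 'poetry.lock']" command="poetry audit" outdated_command="poetry show --outdated"/>
<package_manager name="go" files="['go.mod', 'go.sum']" command="govulncheck ./..." outdated_command="go list -u -m -json all"/>
<package_manager name="cargo" files="['Cargo.toml', 'Cargo.lock']" command="cargo audit" outdated_command="cargo outdated --format json"/>
<package_manager name="composer" files="['composer.json', 'composer.lock']" command="composer audit" outdated_command="composer outdated --format json"/>
</detection>
<!-- Steps run in order. Steps 2 to 4 require the package manager chosen in step 1. -->
<execution>
<step n="1" goal="Detect package manager">
<action>Scan {path} for package manager files</action>
<action>Identify primary package manager from detected files</action>
<!-- Nothing detected means there is no command to run; end here instead of falling through. -->
<action if="no package manager found">Report: "No supported package manager detected" and stop; do not run steps 2 to 4</action>
</step>
<step n="2" goal="Run dependency audit">
<action>Execute audit command for detected package manager</action>
<action>Capture stdout and stderr</action>
<!-- Audit tools commonly exit non-zero precisely when they find vulnerabilities, so the exit
     status alone does not say whether the tool failed; a missing tool, a crash and an empty
     result must not all collapse into "0 vulnerabilities". -->
<action>Distinguish an audit tool that is not installed or failed to run from a run that found no vulnerabilities; report the former explicitly, never as zero findings</action>
<action>Parse output for vulnerabilities</action>
</step>
<step n="3" goal="Check for outdated packages">
<action>Look up outdated_command for detected package manager from detection config</action>
<action if="outdated_command is present">
Execute {outdated_command} for the detected package manager
</action>
<!-- Every detection entry above defines outdated_command today, so this branch only applies to
     entries added later without one. {command} is the audit command and does not list
     outdated packages, so re-running it here would be pointless. -->
<action if="outdated_command is absent">
Skip the outdated check for this package manager and mark it as skipped in the report; do not fall back to {command}
</action>
<action>Capture stdout and stderr from outdated command</action>
<!-- Field names follow the npm outdated output; other managers name them differently. -->
<action>Parse output for package versions:
- current: currently installed version
- wanted: latest version satisfying semver range
- latest: latest available version
</action>
<!-- This is a staleness scale, not the vulnerability severity scale used by severity_threshold. -->
<action>Classify outdated packages by severity:
- major: major version behind (breaking changes likely)
- minor: minor version behind (new features)
- patch: patch version behind (bug fixes)
</action>
</step>
<step n="4" goal="Generate report">
<!-- The filter is defined for vulnerability severities; whether outdated packages are filtered is not specified. -->
<action>Filter by severity_threshold</action>
<action>Format output according to output_format</action>
</step>
</execution>
<!--
  Template for output_format "summary"; the text between the fences is emitted verbatim
  with placeholders substituted. The four count placeholders are vulnerability counts from
  step 2 and outdated_count comes from step 3. {top_issue_1} to {top_issue_3} are not
  produced by any step above; presumably the highest severity findings, confirm with the executor.
-->
<output_format name="summary">
```
Dependency Check Report
=======================
Project: {project_name}
Package Manager: {package_manager}
Date: {date}
Vulnerabilities:
- Critical: {critical_count}
- High: {high_count}
- Medium: {medium_count}
- Low: {low_count}
Outdated Packages: {outdated_count}
Top Issues:
1. {top_issue_1}
2. {top_issue_2}
3. {top_issue_3}
```
</output_format>
</tool>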