Install: claude install-skill Habitat-Thinking/ai-literacy-superpowers
# Dependency Vulnerability Audit
## Overview
Dependencies are the largest attack surface in most projects. This skill provides a structured audit process for Go and Maven/JVM projects, combining static manifest review with tool-driven vulnerability scanning.
**Critical rule: Never judge a dependency as safe or unsafe based on your knowledge of its version number. Version numbers in your training data are stale. Always run the tools.**
---
## Audit Checklist
### For every project
- [ ] Automated vulnerability scanner is run in CI (not just locally)
- [ ] Direct dependencies are intentional and documented
- [ ] No `replace` directives in `go.mod` pointing to local paths or forks
- [ ] Dependency manifest is committed (not generated at build time)
### Go-specific
- [ ] `go.sum` is committed alongside `go.mod`
- [ ] `govulncheck` runs in CI and fails the build on known CVEs
- [ ] No `replace` directives substituting public modules with local or private alternatives
- [ ] `go mod verify` passes (confirms module content matches go.sum hashes)
### Maven/JVM-specific
- [ ] Dependency versions are pinned (no version ranges such as `[1.0,2.0)`)
- [ ] OWASP Dependency-Check (or equivalent) runs in CI
- [ ] Any dependency with a legacy or low-trust group ID has had its provenance verified
- [ ] Transitive dependency tree has been reviewed (`mvn dependency:tree`)
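The manifest-level items in the two checklists above (a committed `go.sum`, no `replace` directives pointing at local paths, Maven versions pinned rather than ranged) can be checked mechanically before the scanners run. The POSIX shell script below is an added example, not tooling from this skill or from the Go or Maven projects; it writes constructed sample `go.mod` and `pom.xml` files into a temporary directory so it runs offline, and every module name, path and version in those samples is made up.

```shell
#!/bin/sh
# Static manifest checks for the checklist items above.
# Added example; not part of this skill, Go or Maven. Reads manifests only
# (no network), so it complements govulncheck and Dependency-Check rather
# than replacing them.

# --- constructed sample manifests so the script runs offline ----------------
WORK="${TMPDIR:-/tmp}/dep-audit-example.$$"
mkdir -p "$WORK/goproj" "$WORK/mvnproj"
trap 'rm -rf "$WORK"' EXIT

# Constructed go.mod: one public module replaced with a local fork, and
# go.sum deliberately not created, so both Go checks fail.
cat > "$WORK/goproj/go.mod" <<'EOF'
module example.com/app

go 1.22

require (
	github.com/example/lib v1.4.0
	golang.org/x/text v0.14.0
)

replace github.com/example/lib => ../lib-fork
EOF

# Constructed pom.xml: one version range, one pinned version.
cat > "$WORK/mvnproj/pom.xml" <<'EOF'
<project>
  <dependencies>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>widget</artifactId>
      <version>[1.0,2.0)</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>gadget</artifactId>
      <version>3.2.1</version>
    </dependency>
  </dependencies>
</project>
EOF

# --- Go checks ---------------------------------------------------------------

# Print every replace directive in a go.mod (single-line and block form),
# normalised to "old => new".
go_replace_directives() {
  awk '
    /^replace[ \t]*\(/ { inblock = 1; next }
    inblock && /^\)/   { inblock = 0; next }
    inblock            { sub(/^[ \t]+/, ""); print; next }
    /^replace[ \t]/    { sub(/^replace[ \t]+/, ""); print }
  ' "$1"
}

# Of those, print the ones whose target is a filesystem path (relative or
# absolute), i.e. a local checkout rather than a published module.
go_local_replaces() {
  go_replace_directives "$1" | awk -F'=>' '{
    t = $2; sub(/^[ \t]+/, "", t)
    if (t ~ /^(\.|\/)/) print
  }'
}

# Succeeds only if go.sum sits next to go.mod in the given directory.
go_sum_present() { [ -f "$1/go.sum" ]; }

# Count non-empty lines on stdin; prints 0 instead of failing when empty.
count_lines() { grep -c . || true; }

# --- Maven checks ------------------------------------------------------------

# Print <version> elements that are ranges ("[" or "(") rather than pinned.
maven_version_ranges() {
  grep -E '<version> *(\[|\()' "$1" || true
}

# --- Runner: one line per check, returns the number of failed checks --------
audit_manifests() {
  godir="$1"; mvndir="$2"; failures=0

  if go_sum_present "$godir"; then echo "PASS go.sum committed"
  else echo "FAIL go.sum missing"; failures=$((failures + 1)); fi

  n=$(go_replace_directives "$godir/go.mod" | count_lines)
  if [ "$n" -eq 0 ]; then echo "PASS no replace directives"
  else
    echo "FAIL $n replace directive(s):"
    go_replace_directives "$godir/go.mod" | sed 's/^/  /'
    failures=$((failures + 1))
  fi

  n=$(maven_version_ranges "$mvndir/pom.xml" | count_lines)
  if [ "$n" -eq 0 ]; then echo "PASS all Maven versions pinned"
  else
    echo "FAIL $n version range(s):"
    maven_version_ranges "$mvndir/pom.xml" | sed 's/^/  /'
    failures=$((failures + 1))
  fi
  return "$failures"
}

audit_manifests "$WORK/goproj" "$WORK/mvnproj" || echo "audit failed with $? problem(s)"
```

On a real repository, drop the sample-generation section and call `audit_manifests` with the project directories; a non-zero return is what a CI step would fail on. The checks are purely textual, so they cover only the manifest-level items and still need `go mod verify`, `govulncheck` and Dependency-Check for the hash and CVE checks.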
---
## Go: Running the Audit
### Check for known CVEs
```bash
# Install once:
go install golang.org/x/vuln/cmd/govulnch