rotem94/VulnerabilityScanner

🔍 Vulnerability Scanner for package.json

A lightweight and fast Java-based tool that scans Node.js project dependencies for known vulnerabilities using GitHub’s Security Advisory GraphQL API.

Built with Spring Boot, multithreading, and clean architecture principles.


🚀 Features

  • ✅ Upload a package.json and scan for vulnerable dependencies
  • ✅ Integration with GitHub GraphQL Security Advisory API
  • ✅ Intelligent version resolution using semantic versioning
  • ✅ Parallelized query processing for performance
  • ✅ Clean separation between web, logic, and config layers
  • ✅ Centralized exception handling with meaningful error responses
  • ✅ Swagger UI for interactive API testing

🛠️ Tech Stack

  • Java 17
  • Spring Boot
  • GitHub GraphQL API
  • Swagger (SpringDoc OpenAPI)

🧱 Project Structure

src/main/java/rotem/com/vulnscan/
├── config/            → Configuration classes (Gson, RestTemplate, Swagger, etc.)
├── controllers/       → REST controllers and error handlers
├── exceptions/        → Custom exceptions for various failure modes
├── interfaces/        → Interfaces for abstraction (e.g., GitHub API)
├── logic/             → Business logic, query building, vulnerability filtering
└── Application.java   → Entry point

⚙️ Setup Instructions

1. Clone the Repository

git clone https://github.com/rotem94/VulnerabilityScanner.git

2. Set Your GitHub Token

Required to authenticate with the GitHub GraphQL API.

Add your personal access token in application.properties:

GITHUB-TOKEN-ACCESS=your_personal_access_token

3. Build & Run the App

./mvnw spring-boot:run

The app will start at:
📍 http://localhost:8080

Swagger UI:
📍 http://localhost:8080/swagger-ui/index.html


📂 Using the API

🔍 Scan Vulnerabilities

Endpoint:
POST /api/v1/scan
Content-Type: application/json

Request Example:

{
  "ecosystem": "npm",
  "fileContent": "{ \"dependencies\": { \"lodash\": \"4.17.10\" } }"
}

Response Example:

{
  "results": [
    {
      "package": "lodash",
      "version": "4.17.10",
      "vulnerabilities": [
        {
          "cve": "CVE-2020-8203",
          "severity": "HIGH",
          "summary": "Prototype pollution",
          "fixedIn": [">=4.17.19"]
        }
      ]
    }
  ]
}
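
The request body above embeds the whole package.json as a single JSON string value, so every quote and newline inside it has to be escaped before it is sent. The client below is added here as an example and is not code from the VulnerabilityScanner project: it reads a local package.json, escapes it into the documented request shape and posts it to the running scanner with the JDK's built-in HTTP client. The file path, the localhost:8080 address and the 30-second timeout are assumptions.

```java
// Added example (not part of rotem94/VulnerabilityScanner): submits a local
// package.json to the scanner's POST /api/v1/scan endpoint.
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.time.Duration;

public class ScanClientExample {

    /** Escape a string for embedding as a JSON string value (RFC 8259 rules). */
    static String jsonEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '"' -> sb.append("\\\"");
                case '\\' -> sb.append("\\\\");
                case '\n' -> sb.append("\\n");
                case '\r' -> sb.append("\\r");
                case '\t' -> sb.append("\\t");
                default -> {
                    if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
                    else sb.append(c);
                }
            }
        }
        return sb.toString();
    }

    /** Build the request body in the shape the README documents: ecosystem + fileContent. */
    static String buildRequest(String ecosystem, String packageJson) {
        return "{\"ecosystem\":\"" + jsonEscape(ecosystem)
                + "\",\"fileContent\":\"" + jsonEscape(packageJson) + "\"}";
    }

    public static void main(String[] args) throws Exception {
        // Assumed: the package.json to scan is given as the first argument, else taken from the working directory.
        Path file = Path.of(args.length > 0 ? args[0] : "package.json");
        String body = buildRequest("npm", Files.readString(file));

        HttpRequest request = HttpRequest.newBuilder(URI.create("http://localhost:8080/api/v1/scan"))
                .timeout(Duration.ofSeconds(30))
                .header("Content-Type", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();

        HttpResponse<String> response = HttpClient.newHttpClient()
                .send(request, HttpResponse.BodyHandlers.ofString());

        // A non-2xx status carries the scanner's centralized error response; print it as-is rather than parsing it.
        System.out.println("HTTP " + response.statusCode());
        System.out.println(response.body());
    }
}
```

Compile and run it with "javac ScanClientExample.java && java ScanClientExample path/to/package.json" while the scanner is listening; the escaping step is what turns a raw package.json into the fileContent value shown in the request example.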

🔐 Authentication

This project uses a GitHub Personal Access Token (PAT) to authenticate with the GitHub GraphQL Security Advisory API.


📌 Assumptions & Design Decisions

  • Parallelization was used instead of caching to reduce scan latency.
  • Thread-safe use of Java streams keeps the parallel queries performant.
  • Only the npm (Node.js) ecosystem is currently supported, but the design allows other ecosystems to be added easily.
  • Error handling is centralized via @RestControllerAdvice.
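
The semantic version resolution listed under Features and the parallelization described above can be illustrated with the self-contained Java below. It is added here as an example and is not code from the project: it resolves a package.json spec to the lowest version the spec admits (an assumed policy, the conservative choice when no lockfile is available), evaluates comma-separated version ranges such as "< 4.17.19" against that version, and runs the per-dependency lookups on a thread pool. The advisory index is constructed from the README's response example, with the vulnerable range derived from its fixedIn value.

```java
// Added example (not part of rotem94/VulnerabilityScanner): resolves package.json
// version specs, matches them against advisory version ranges and runs the
// per-dependency lookups in parallel. All advisory data below is constructed.
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class SemverScanExample {

    /** Minimal semantic version (major.minor.patch); pre-release and build metadata are ignored. */
    record Version(int major, int minor, int patch) implements Comparable<Version> {
        static Version parse(String s) {
            // Drop pre-release/build suffixes ("4.17.10-beta.1+build") and split the numeric core.
            String[] parts = s.trim().split("[-+]")[0].split("\\.");
            int[] n = new int[3];
            for (int i = 0; i < 3; i++) {
                // Missing or wildcard components ("4", "4.x") resolve to 0, the lowest version they admit.
                n[i] = (i < parts.length && parts[i].matches("\\d+")) ? Integer.parseInt(parts[i]) : 0;
            }
            return new Version(n[0], n[1], n[2]);
        }

        @Override
        public int compareTo(Version o) {
            int c = Integer.compare(major, o.major);
            if (c == 0) c = Integer.compare(minor, o.minor);
            if (c == 0) c = Integer.compare(patch, o.patch);
            return c;
        }
    }

    /** Constructed advisory record in the shape of the README's response example. */
    record Advisory(String cve, String severity, String summary, String vulnerableRange, String fixedIn) {}

    /** Assumed policy: "4.17.10", "^4.17.10" and "~4.17.10" all resolve to 4.17.10; "*" or "latest" are unresolvable. */
    static Optional<Version> resolve(String spec) {
        String s = spec.trim().replaceAll("^[\\^~=v]+", "");
        if (s.isEmpty() || !Character.isDigit(s.charAt(0))) return Optional.empty();
        return Optional.of(Version.parse(s));
    }

    /** Evaluate a comma-separated range such as ">= 4.0.0, < 4.17.19" against a version (all clauses must hold). */
    static boolean inRange(Version v, String range) {
        for (String clause : range.split(",")) {
            String c = clause.trim();
            String op = c.replaceAll("[^<>=].*$", "");   // keep only the leading operator characters
            int cmp = v.compareTo(Version.parse(c.substring(op.length())));
            boolean ok = switch (op) {
                case "<" -> cmp < 0;
                case "<=" -> cmp <= 0;
                case ">" -> cmp > 0;
                case ">=" -> cmp >= 0;
                case "=", "" -> cmp == 0;
                default -> throw new IllegalArgumentException("unsupported operator: " + op);
            };
            if (!ok) return false;
        }
        return true;
    }

    /** Look up each dependency concurrently; keep only advisories whose range covers the resolved version. */
    static Map<String, List<Advisory>> scan(Map<String, String> dependencies,
                                            Map<String, List<Advisory>> advisoryIndex) {
        ExecutorService pool = Executors.newFixedThreadPool(Math.max(1, Math.min(8, dependencies.size())));
        try {
            Map<String, Future<List<Advisory>>> pending = new LinkedHashMap<>();
            for (Map.Entry<String, String> dep : dependencies.entrySet()) {
                pending.put(dep.getKey(), pool.submit(() -> {
                    Optional<Version> v = resolve(dep.getValue());
                    if (v.isEmpty()) return List.<Advisory>of();   // unresolvable spec: nothing to compare
                    return advisoryIndex.getOrDefault(dep.getKey(), List.of()).stream()
                            .filter(a -> inRange(v.get(), a.vulnerableRange()))
                            .toList();
                }));
            }
            Map<String, List<Advisory>> results = new LinkedHashMap<>();
            for (Map.Entry<String, Future<List<Advisory>>> f : pending.entrySet()) {
                List<Advisory> hits = f.getValue().get();   // a failed lookup propagates instead of being hidden
                if (!hits.isEmpty()) results.put(f.getKey(), hits);
            }
            return results;
        } catch (InterruptedException | ExecutionException e) {
            throw new IllegalStateException("scan failed", e);
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) {
        // Constructed input mirroring the README's request example, plus one caret range.
        Map<String, String> deps = new LinkedHashMap<>();
        deps.put("lodash", "4.17.10");
        deps.put("express", "^4.18.0");
        // Constructed index: the lodash entry reuses the README's response example.
        Map<String, List<Advisory>> index = Map.of("lodash", List.of(
                new Advisory("CVE-2020-8203", "HIGH", "Prototype pollution", "< 4.17.19", ">=4.17.19")));

        scan(deps, index).forEach((pkg, hits) -> hits.forEach(a ->
                System.out.println(pkg + "@" + deps.get(pkg) + " -> " + a.cve() + " [" + a.severity()
                        + "] " + a.summary() + ", fixed in " + a.fixedIn())));
    }
}
```

Resolving a caret or tilde spec to its lowest admitted version deliberately errs toward reporting: a range like "^4.17.10" may already have been installed as a patched release, so a scanner that wants fewer false positives should read the installed version from the lockfile instead of the spec.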

About

Lightweight Java scanner for npm vulnerabilities — clean, fast, real-world
