Skip to content

Security: PrecogsAI/precogs-ai-cbom

Security

SECURITY.md

Security & Supply-Chain Posture

Dependency audit

Production dependencies are pinned to exact versions (no ^/~ ranges) and audited.

npm run audit          # npm audit --omit=dev
npm audit --omit=optional   # production surface only

Current production surface: 0 critical, 0 high.

Documented exception

Advisory Severity Status
uuid — missing buffer bounds check in v3/v5/v6 when buf is provided moderate Not applicable. This tool only calls uuidv4() with no buf argument. The only fix is uuid@14 (ESM-only), which would break the CommonJS runtime; the risk does not apply to our code path.

Optional TUI isolation

The interactive terminal UI (blessed, blessed-contrib) is declared under optionalDependencies. Those packages pull transitive advisories (lodash, xml2js) that are not present in a production/CI install:

npm install --omit=optional   # engine only — no TUI, no TUI-transitive advisories

The CLI loads the TUI lazily and falls back to scrolling output when it is absent, so all scan / netscan / image functionality works without it (this is also the recommended posture for CI and air-gapped environments, combined with --no-tui).

Self-SBOM

A CycloneDX 1.6 SBOM of the tool's own dependency tree is generated with:

npm run sbom          # → sbom.json (schema-validated)

Standards conformance

Generated CBOM and QBOM documents are validated against the official CycloneDX 1.6 JSON schema (bundled under schemas/), not a hand-rolled check:

cbom validate cbom-report.json
cbom validate cbom-report.qbom.json

Reporting

Report vulnerabilities in the tool to the maintainers privately before public disclosure.

There aren't any published security advisories