Production dependencies are pinned to exact versions (no ^/~ ranges) and audited.
npm run audit # npm audit --omit=dev
npm audit --omit=optional # production surface onlyCurrent production surface: 0 critical, 0 high.
| Advisory | Severity | Status |
|---|---|---|
uuid — missing buffer bounds check in v3/v5/v6 when buf is provided |
moderate | Not applicable. This tool only calls uuidv4() with no buf argument. The only fix is uuid@14 (ESM-only), which would break the CommonJS runtime; the risk does not apply to our code path. |
The interactive terminal UI (blessed, blessed-contrib) is declared under
optionalDependencies. Those packages pull transitive advisories (lodash,
xml2js) that are not present in a production/CI install:
npm install --omit=optional # engine only — no TUI, no TUI-transitive advisoriesThe CLI loads the TUI lazily and falls back to scrolling output when it is absent,
so all scan / netscan / image functionality works without it (this is also the
recommended posture for CI and air-gapped environments, combined with --no-tui).
A CycloneDX 1.6 SBOM of the tool's own dependency tree is generated with:
npm run sbom # → sbom.json (schema-validated)Generated CBOM and QBOM documents are validated against the official CycloneDX
1.6 JSON schema (bundled under schemas/), not a hand-rolled check:
cbom validate cbom-report.json
cbom validate cbom-report.qbom.jsonReport vulnerabilities in the tool to the maintainers privately before public disclosure.