npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

bob-mcp-vuln-analysis

v0.0.4

Published

MCP server for vulnerability analysis - resolves component mappings, inspects codebases, and classifies remediation paths

Downloads

37

Readme

bob-mcp-vuln-analysis

MCP server for vulnerability analysis - resolves component mappings, inspects codebases, and classifies remediation paths.

Quick Start

npx -y bob-mcp-vuln-analysis

Prerequisites

  • Node.js 18+
  • GitHub Enterprise token (for GitHub API access)
  • Write access to mapping file path

Environment Variables

| Variable | Required | Description | |----------|----------|-------------| | GITHUB_BASE_URL | Yes | GitHub Enterprise API base URL (e.g., https://github.ibm.com/api/v3) | | GITHUB_TOKEN | Yes | GitHub Enterprise personal access token | | MAPPING_FILE_PATH | No | Path to mapping registry (default: ~/.mcp-vuln-remediator/mappings.yaml) | | LOG_LEVEL | No | Logging level (info, warn, error, debug) | | REQUEST_TIMEOUT_MS | No | Request timeout in milliseconds |

Global MCP Configuration

Add to your VS Code User Settings (Cmd+Shift+P → "Open User Settings (JSON)"):

{
  "mcpServers": {
    "bob-mcp-vuln-analysis": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "bob-mcp-vuln-analysis"],
      "env": {
        "GITHUB_BASE_URL": "https://github.ibm.com/api/v3",
        "GITHUB_TOKEN": "your-token-here",
        "MAPPING_FILE_PATH": "~/.mcp-vuln-remediator/mappings.yaml"
      }
    }
  }
}

How This Server Fits Into the Vuln Workflow

This MCP server is one of four related bob-mcp-vuln-* servers:

  • bob-mcp-vuln-intake: Fetch and normalize Jira/GitHub vulnerability issues, then prioritize them for review.
  • bob-mcp-vuln-analysis: Resolve Jira component → repo/local-path mapping, inspect the codebase, and classify whether a vulnerability is locally fixable, needs more input, or is likely vendor/deviation-bound.
  • bob-mcp-vuln-remediation: From an approved plan, create a branch, apply code/Dockerfile/dependency changes, optionally run basic build/test, and open a pull request.
  • bob-mcp-vuln-workflow: Write structured comments back to Jira or GitHub and transition Jira status once remediation reaches specific milestones.

Each server is designed to be useful on its own and can be wired together by your MCP client or agentic IDE mode to form an end-to-end vulnerability remediation flow.

Common Orchestration Command

A global command exists that orchestrates all four bob-mcp-vuln-* servers together in a single guided session. This is useful when you want an end-to-end flow without manually chaining servers.

Setup

The orchestration command file is included in this repository at bob-isv-vuln-helper.md. To use it, copy it to your Bob commands directory:

mkdir -p ~/.bob/commands
cp <path-to-repo>/bob-mcp-vuln-analysis/bob-isv-vuln-helper.md ~/.bob/commands/bob-isv-vuln-helper.md

Usage

Invoke the orchestration command with /bob-isv-vuln-remediate (or alias /vuln-remediate). It will:

  1. Ask whether you're working with Jira or GitHub
  2. Collect a JQL query or GitHub issue URL
  3. Use intake server to fetch and prioritize issues (Critical → Minor)
  4. Use analysis server to resolve component mapping and classify remediation path
  5. Ask for your approval before applying fixes
  6. Use remediation server to create branch, apply fix, and open PR
  7. Use workflow server to post comment and transition Jira status
  8. Ask if you want to continue with the next issue

When to Use This vs Individual Servers

  • Use this command: For guided end-to-end remediation, especially if you're new to the workflow
  • Use individual servers: When you need to focus on a specific part of the workflow (e.g., only analyze issues, or only create PRs)

Tools

  • check_setup: Validate server configuration, mapping file accessibility, and GitHub connectivity
  • load_component_mapping: Resolve Jira component to repository/local-path configuration
  • save_component_mapping: Create or update persistent mapping entries
  • inspect_codebase_context: Identify relevant files (Dockerfile, package manifests, etc.)
  • infer_build_commands: Propose likely build/test commands from repository contents
  • classify_issue_remediation: Determine remediation path (fixable, vendor dependency, needs input, etc.)
  • generate_analysis_report: Produce detailed human-readable analysis summary

Prompts

  • analyze-vulnerability-issue: Interactively analyze a vulnerability issue
  • map-component-to-repo: Interactively create/update component-to-repo mappings
  • inspect-local-code-for-vuln-fix: Interactively inspect local checkout for remediation points

Mapping Registry

The mapping file stores component-to-repository mappings in YAML format at ~/.mcp-vuln-remediator/mappings.yaml:

mappings:
  - component: my-service
    jira_project: SEC
    repo:
      provider: github
      url: https://github.ibm.com/my-org/my-service
      default_branch: main
    local_path: /Users/me/repos/my-service
    build:
      command: npm run build
      test_command: npm test
    image_patterns:
      - my-service
    notes: Main frontend service

IBM Bob Limitations

This server has the following limitations specific to IBM Bob integration:

  • Runs as stdio transport only (no HTTP server)
  • Requires GITHUB_TOKEN for GitHub Enterprise API access
  • Mapping file must be accessible and writable
  • Does not create branches, commits, or PRs directly (delegates to remediation server)