vulnera-vs
v2.0.0
Published
extension that helps you know vulnerabilities of your dependencies
Vulnera - Dependency Vulnerability Scanner for VS Code
Vulnera is a VS Code extension that scans your project dependencies across multiple ecosystems for known vulnerabilities. It analyzes manifest files, provides real-time diagnostics with severity levels, and offers quick-fix recommendations to upgrade vulnerable packages.
✨ Features
🔍 Multi-Ecosystem Support
Scan dependencies across 8+ ecosystems:
| Ecosystem | Manifest Files |
|-----------|---|
| Node.js (npm) | package.json, package-lock.json, yarn.lock |
| Python (pip) | requirements.txt, Pipfile, pyproject.toml |
| Rust (cargo) | Cargo.toml, Cargo.lock |
| Go | go.mod, go.sum |
| Java (Maven) | pom.xml, build.gradle |
| PHP (Composer) | composer.json, composer.lock |
| Ruby | Gemfile, Gemfile.lock |
| .NET | packages.config, .csproj, .fsproj, .vbproj |
📊 Real-Time Analysis
- Auto-scan on file open/save - Automatically analyze manifests as you work
- Inline diagnostics - See vulnerabilities directly in your code with color-coded severity
- Live progress tracking - Monitor scan progress with percentage indicators and detailed status
- Severity filtering - Configure minimum severity level (Low/Medium/High/Critical)
⚡ Quick-Fix Recommendations
- One-click upgrades - Apply recommended version upgrades directly from diagnostics
- Smart versioning - Get both minimal safe upgrades and latest safe versions
- Impact analysis - See upgrade impact (patch, minor, major) before applying
📋 Scan History
- Track all scans - View complete history of vulnerability scans with timestamps
- Detailed results - Click on any scan to see full vulnerability details
- Export-ready - Store results locally for compliance and auditing
🎨 UI/UX
- Detailed webview panels - Expandable vulnerability details with descriptions
- Progress bar visualization - See scan progress with percentage and visual indicators
- Color-coded severity - Critical (red), High (orange), Medium (yellow), Low (green)
- Activity bar sidebar - Integrated Vulnera Lens with scan progress tree view
🚀 Quick Start
Installation
From VS Code Marketplace
- Open VS Code
- Go to Extensions (Ctrl+Shift+X / Cmd+Shift+X)
- Search for "Vulnera"
- Click Install
From Command Line
```bash
code --install-extension vulnera-vs
```
First Scan
- Open a workspace with dependency manifest files
- Run a scan via the Command Palette: Ctrl+Shift+P (Cmd+Shift+P on Mac) → "Vulnera: Scan Workspace"
- View results in the Vulnerability Analysis panel
- Apply fixes using the quick-fix recommendations
Test Without Backend
Run the mock test to see the extension in action without a live API:
Ctrl+Shift+P → "Vulnera: Test Progress"

⚙️ Configuration
Configure Vulnera via VS Code settings (settings.json):
```json
{
  "vulnera.apiBaseUrl": "https://api.vulnera.studio",
  "vulnera.apiKey": "your-api-key-here",
  "vulnera.analyzeOnOpen": true,
  "vulnera.analyzeOnSave": false,
  "vulnera.detailLevel": "standard",
  "vulnera.severityMin": "High",
  "vulnera.batchDebounceMs": 500,
  "vulnera.requestTimeoutMs": 30000,
  "vulnera.retryOnFailure": true,
  "vulnera.maxRetries": 3
}
```

| Setting | Type | Default | Description |
|---------|------|---------|-------------|
| apiBaseUrl | string | https://api.vulnera.studio | Vulnera API endpoint |
| apiKey | string | (optional) | API authentication key |
| analyzeOnOpen | boolean | true | Auto-scan manifest files on open |
| analyzeOnSave | boolean | false | Auto-scan manifest files on save |
| detailLevel | enum | standard | Response detail: minimal, standard, full |
| severityMin | enum | High | Minimum severity to show: Low, Medium, High, Critical |
| batchDebounceMs | number | 500 | Delay before batching file scans (ms) |
| requestTimeoutMs | number | 30000 | API request timeout (ms) |
| retryOnFailure | boolean | true | Retry failed requests with backoff |
| maxRetries | number | 3 | Maximum retry attempts |
Environment Variables
Override settings via the environment. Supplying the API key this way also keeps it out of a settings.json that may be shared or committed:

```bash
export VULNERA_API_BASE_URL="https://your-api.com"
export VULNERA_API_KEY="your-key"
export VULNERA_LOG_LEVEL="debug"
```

🏗️ Architecture
```text
VS Code Extension (TypeScript)
├─ extension.ts
│  ├─ Status Bar: Progress + Results Summary
│  ├─ Activity Bar: Vulnera Lens
│  ├─ Webviews: History + Vulnerability Details
│  └─ Commands: Scan, Refresh, Test
└─ Providers
   ├─ HistoryWebviewProvider: Scan history UI
   ├─ VulnWebviewProvider: Vulnerability details
   ├─ HistoryManager: Scan persistence
   └─ Settings Manager: Configuration
                ↓ (stdio)
Language Server (packages/vulnera-language-server)
├─ server.ts
│  ├─ LSP Initialize & Lifecycle
│  ├─ Document Open/Change/Save Handlers
│  └─ Settings/Configuration Management
├─ analysis/
│  ├─ batchManager.ts: Queue & debounce files
│  ├─ diagnosticBuilder.ts: Response → LSP Diagnostic
│  └─ codeActionBuilder.ts: Quick-fix generation
├─ api/
│  ├─ client.ts: HTTP POST with retry logic
│  └─ types.ts: API contract types
└─ utils/
   ├─ ecosystem.ts: Manifest detection
   └─ retry.ts: Exponential backoff strategy
                ↓ (HTTPS)
Vulnera API Backend
POST https://api.vulnera.studio/api/v1/dependencies
• Batch analysis (1-16 files per request)
• Caching layer
• Security advisories aggregation
• Version recommendation engine
```

📡 API Integration
Batch Processing
Vulnera batches multiple manifest files into a single API request for efficiency:
Request:
```json
{
  "files": [
    {
      "file_content": "lodash==4.17.15\nrequests==2.25.1",
      "ecosystem": "pypi",
      "filename": "requirements.txt",
      "workspace_path": "/frontend"
    }
  ],
  "detail_level": "standard",
  "enable_cache": true
}
```

Response:
```json
{
  "metadata": {
    "total_vulnerabilities": 7,
    "critical_count": 1,
    "duration_ms": 3200
  },
  "results": [
    {
      "filename": "requirements.txt",
      "vulnerabilities": [
        {
          "id": "CVE-2024-12345",
          "severity": "High",
          "summary": "ReDoS in lodash",
          "description": "...",
          "affected_packages": [...],
          "references": [...]
        }
      ],
      "version_recommendations": [
        {
          "package": "lodash",
          "current_version": "4.17.15",
          "nearest_safe_above_current": "4.17.21",
          "most_up_to_date_safe": "4.18.0"
        }
      ]
    }
  ]
}
```

Rate Limits
- Unauthenticated: 10 files/batch
- Authenticated (with API key): 16 files/batch
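The following is an added example, not code from the extension or the language server: it models the batching and rate-limit rule described under API Integration and the severity filter and upgrade-impact classification described under Features. Field names follow the Request/Response examples above; the sample recommendation is constructed, and the helper names are assumptions.

```typescript
type Severity = "Low" | "Medium" | "High" | "Critical";
const RANK: Record<Severity, number> = { Low: 0, Medium: 1, High: 2, Critical: 3 };

interface ManifestFile { file_content: string; ecosystem: string; filename: string; workspace_path: string; }
interface Vulnerability { id: string; severity: Severity; summary: string; }
interface Recommendation {
  package: string; current_version: string;
  nearest_safe_above_current: string; most_up_to_date_safe: string;
}
interface BatchRequest { files: ManifestFile[]; detail_level: string; enable_cache: boolean; }

// Files per request as documented under Rate Limits: 10 unauthenticated, 16 with an API key.
function maxBatchSize(hasApiKey: boolean): number {
  return hasApiKey ? 16 : 10;
}

// Split the queued manifests into request bodies shaped like the Request example above.
function buildRequests(files: ManifestFile[], hasApiKey: boolean, detailLevel = "standard"): BatchRequest[] {
  const size = maxBatchSize(hasApiKey);
  const requests: BatchRequest[] = [];
  for (let i = 0; i < files.length; i += size) {
    requests.push({ files: files.slice(i, i + size), detail_level: detailLevel, enable_cache: true });
  }
  return requests;
}

// Drop findings below the configured vulnera.severityMin (the README default is "High").
function filterBySeverity(vulns: Vulnerability[], severityMin: Severity): Vulnerability[] {
  return vulns.filter(v => RANK[v.severity] >= RANK[severityMin]);
}

// Classify a semver upgrade as patch, minor or major, the impact the quick-fix UI reports.
function upgradeImpact(current: string, target: string): "none" | "patch" | "minor" | "major" {
  const [cMaj, cMin] = current.split(".").map(Number);
  const [tMaj, tMin] = target.split(".").map(Number);
  if (tMaj !== cMaj) return "major";
  if (tMin !== cMin) return "minor";
  return current === target ? "none" : "patch";
}

// Expand one version_recommendations entry into the minimal and latest safe upgrade options.
function quickFixes(rec: Recommendation) {
  const fix = (version: string) => ({ version, impact: upgradeImpact(rec.current_version, version) });
  return { package: rec.package, minimal: fix(rec.nearest_safe_above_current), latest: fix(rec.most_up_to_date_safe) };
}

// Constructed sample mirroring the Response example above (not real API output).
const lodashFix = quickFixes({ package: "lodash", current_version: "4.17.15",
  nearest_safe_above_current: "4.17.21", most_up_to_date_safe: "4.18.0" });
console.log(lodashFix.minimal.impact, lodashFix.latest.impact); // patch minor
```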
🧪 Development
Prerequisites
- Node.js 18+
- npm 9+
- VS Code 1.103+
Setup
```bash
# Clone repository
git clone https://github.com/yourusername/Vulnera-VS-Code-Extension.git
cd Vulnera-VS-Code-Extension

# Install dependencies
npm install

# Build extension & language server
npm run build

# Run tests
npm test

# Run linter
npm run lint
```

Development Commands
```bash
# Watch & compile TypeScript
npm --prefix packages/vulnera-language-server run dev

# Build only the language server
npm run build:server

# Launch debug instance (F5 in VS Code)
# Press F5 to open the extension in a debug window

# Test progress bar with mock data
# In the debug window: Ctrl+Shift+P → "Vulnera: Test Progress"
```

Project Structure
```text
.
├── extension.ts                  # Main extension entry point
├── historyManager.ts             # Scan history persistence
├── historyWebviewProvider.ts     # History UI webview
├── vulnWebviewProvider.ts        # Vulnerability details webview
│
├── packages/vulnera-language-server/
│   ├── src/
│   │   ├── server.ts             # LSP server implementation
│   │   ├── analysis/
│   │   │   ├── batchManager.ts   # File batching & debouncing
│   │   │   ├── diagnosticBuilder.ts
│   │   │   └── codeActionBuilder.ts
│   │   ├── api/
│   │   │   ├── client.ts         # HTTP client
│   │   │   └── types.ts          # TypeScript interfaces
│   │   ├── settings/
│   │   │   └── settingsManager.ts
│   │   └── utils/
│   │       ├── ecosystem.ts      # Manifest detection
│   │       └── retry.ts          # Retry logic
│   │
│   └── test/                     # Server tests
│
├── test/
│   └── mockData.js               # Mock data for testing
│
└── assets/
    └── icon/                     # Extension icons
```

🧑‍💻 Contributing
Contributions are welcome! Please follow these guidelines:
- Fork the repository
- Create a feature branch: `git checkout -b feature/amazing-feature`
- Make your changes with clear commit messages
- Add tests if adding new functionality
- Run the linter: `npm run lint`
- Submit a pull request
Code Style
- Use TypeScript for type safety
- Follow the ESLint configuration (run `npm run lint`)
- Add JSDoc comments for public APIs
- Write descriptive commit messages
🐛 Bug Reports & Feature Requests
Found a bug or have a feature idea?
- Check existing issues to avoid duplicates
- Open a new issue with:
- Clear description
- Steps to reproduce (for bugs)
- VS Code version
- Extension version
- Example project/files if possible
📝 License
This project is licensed under the MIT License - see LICENSE file for details.
🙏 Acknowledgments
- Vulnera API - Vulnerability data aggregation service
- VS Code LSP - Language Server Protocol for enhanced integration
- Security Community - NVD, GitHub Security, GHSA advisories
📚 Additional Resources
- VS Code Extension Development Guide
- Language Server Protocol Documentation
- Vulnera API Documentation
- OWASP Dependency Check
💬 Support
- Documentation: See TECHNICAL_REFERENCE.md
- Quick Start: See QUICKSTART.md
- Testing Guide: See TEST_GUIDE.md
- Issues: GitHub Issues
Made with ❤️ for the security-conscious developer
⭐ If you find Vulnera useful, please give us a star on GitHub!
