vulnmatter-extension

v1.1.8

VS Code extension for CVE vulnerability analysis using the VulnMatter API with X-API-Key. See CHANGELOG.md for release notes.

VulnMatter VS Code Extension

Visual Studio Code extension integrating CVE vulnerability analysis and automatic configuration of MCP (Model Context Protocol) servers for VulnMatter and Filesystem.

NOTE: CVE analysis, report generation and products UI sections are currently hidden (temporarily disabled) while focusing on configuration features. They can be re-enabled later without code loss.

🚀 Key Features

  • Management and persistence of VulnMatter X-API-Key
  • Batch CVE scoring (temporarily hidden)
  • Aggregated report generation (temporarily hidden)
  • Local history (products) (temporarily hidden)
  • Automatic configuration of:
    • VulnMatter MCP server (supergateway over SSE)
    • Filesystem MCP server (@modelcontextprotocol/server-filesystem)
    • Synchronization for both VS Code MCP and Claude Desktop
  • Diagnostic button (🔧) to view current configuration status

1. Development Installation

npm install
npm run compile

Then press F5 in VS Code to open the "Extension Development Host" window.


2. Requirements

| Resource | Minimum Version | Notes |
|---------|----------------|-------|
| Node.js | 18.x | Recommend 18 LTS or later |
| VS Code | 1.85+ | Needed for modern webview |
| (Optional) Claude Desktop | Latest | For external MCP integration |


3. VulnMatter API Configuration

  1. Open the extension side view.
  2. Go to the "API Configuration" section.
  3. Enter your X-API-Key and optionally a different API URL if you use a custom environment.
  4. Click "Save Configuration".

3.1 How to Obtain a VulnMatter API Key

If you do not yet have an API Key (official site: https://vulnmatter.com/):

  1. Navigate to the VulnMatter portal (internal/company URL or https://app.vulnmatter.com as applicable).
  2. Sign in (create an account if needed) with your corporate SSO or email/password (depending on deployment).
  3. Open your user/profile menu and locate the section named "API Keys" or "Developer / API Access".
  4. Click "Create New Key" (or "Generate Token").
  5. Provide an optional label (e.g. "VS Code Extension").
  6. Copy the generated key immediately – many portals only show it once.
  7. Paste it into the extension UI field X-API-Key and press "Save Configuration".
  8. (Optional) If you are using a self‑hosted VulnMatter instance set the custom base URL before saving.

IMPORTANT: The value must be placed specifically in the form field labeled X-API-Key inside the extension panel (it is a password-style input). Do not place it in the API URL field.

Security / storage notes:

  • The key is written in plain text to ~/.vulnmatter/config.json (no encryption) and, when MCP integration is enabled, into env.X-API-Key of the MCP config files (see 6.4). Protect filesystem access.
  • You can revoke the key at any time in the portal; then generate a new one and update the extension.
  • Avoid committing the key to source control. The extension never auto-uploads it.
  • If multiple keys are supported later you can rotate without downtime.

For assistance you can email: [email protected]

Troubleshooting key issues:

  • 401 / unauthorized responses → key revoked, expired, or pasted with whitespace.
  • Empty results or timeouts → verify base URL or network proxy settings.
  • After changing the key, use the UI Save again to force regeneration of external MCP configs.

Generated configuration file:

~/.vulnmatter/config.json

Example:

{
  "apiKey": "TU_API_KEY",
  "apiUrl": "https://api.vulnmatter.com",
  "timestamp": "2025-09-20T12:34:56.123Z",
  "paths": {
    "vulnmatterConfig": "C:/Users/usuario/.vulnmatter/config.json",
    "claudeDesktopConfig": "C:/Users/usuario/AppData/Roaming/Claude/claude_desktop_config.json",
    "vsCodeMcpConfig": "C:/Users/usuario/AppData/Roaming/Code/User/mcp.json",
    "effectiveRoot": "C:/ruta/proyecto",
    "serverNodeName": "filesystem_miproyecto"
  }
}

4. CVE Analysis (Temporarily Hidden)

When re-enabled:

  1. Enter CVEs one per line, format: CVE-YYYY-NNNN.
  2. Click "Analyze CVEs".
  3. Scores appear (simulated values are generated if the API is unreachable).

Color legend:

  • High (>=7.0): Red
  • Medium (4.0–6.9): Orange
  • Low (<4.0): Green

5. Report Generation (Temporarily Hidden)

When re-enabled:

  1. Make sure you have entered CVEs.
  2. (Optional) Add additional query parameters: format=pdf&detailed=true.
  3. Click "Generate Report".
  4. A record is stored in ~/.vulnmatter/products.json.

6. MCP Integration

The extension configures MCP nodes for both VS Code and Claude Desktop.

6.1 Configuration Paths

| OS | VS Code MCP | Claude Desktop |
|---------|-------------|----------------|
| Windows | %APPDATA%/Code/User/mcp.json | %APPDATA%/Claude/claude_desktop_config.json |
| macOS | ~/Library/Application Support/Code/User/mcp.json | ~/Library/Application Support/Claude/claude_desktop_config.json |
| Linux | ~/.config/Code/User/mcp.json | ~/.config/Claude/claude_desktop_config.json |

6.2 VulnMatter MCP Server

Generated node:

{
  "servers": {
    "VulnMatter": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "supergateway", "--sse", "https://mcp.singularity-matter.com/sse"],
      "env": {
        "NODE_TLS_REJECT_UNAUTHORIZED": "0",
        "X-API-Key": "TU_API_KEY"
      }
    }
  }
}

6.3 Filesystem MCP Server

Dynamic name: filesystem_<project_basename>

{
  "servers": {
    "filesystem_miproyecto": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem"],
      "env": { "ROOT": "C:/ruta/proyecto" }
    }
  }
}

6.4 Activation from the UI

Available checkboxes:

  • MCP VS Code → creates/updates VulnMatter node in mcp.json.
  • MCP Claude → creates/updates node in claude_desktop_config.json.
  • Filesystem MCP → creates local filesystem server.

The API Key is automatically injected into env.X-API-Key each time you reconfigure.

6.5 Diagnostic Button (🔧)

Shows a modal summary with:

  • Status of each server

  • Presence of API Key

  • Active file paths

7. Automatic Migrations

If a legacy Assents node existed, it is renamed to VulnMatter in all configs (internal + Claude + VS Code MCP). Existing customizations are preserved.

8. Security

| Aspect | Detail |
|---------|---------|
| API Key storage | Plain text in ~/.vulnmatter/config.json |
| UI exposure | Never shown fully after saving |
| In transit | Sent in X-API-Key header over HTTPS |
| Best practices | Protect home folder via OS encryption (BitLocker, FileVault, LUKS) |

To improve security you could:

  • Integrate with a Secret Manager (Azure Key Vault, AWS Secrets Manager)
  • Encrypt the local file (add AES layer + user passphrase)
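
An added example, not part of the extension's code: a Node.js check over a parsed MCP config that flags three properties of the generated nodes in 6.2 and 6.3, namely NODE_TLS_REJECT_UNAUTHORIZED set to 0 (certificate verification is off for that process), the API key in clear text in env, and npx -y running a package with no version pin. The function names and finding ids are illustrative, and the sample object is constructed from the README's placeholders.

```javascript
// Added example; function names and finding ids are illustrative, not the extension's.
// "pkg" or "@scope/pkg" with no "@version" suffix resolves to whatever is latest.
function isUnpinned(spec) {
  const name = spec.startsWith('@') ? spec.slice(1) : spec;
  return !name.includes('@');
}

function auditMcpConfig(config) {
  // VS Code's mcp.json uses "servers"; Claude Desktop's file uses "mcpServers".
  const servers = config.servers || config.mcpServers || {};
  const findings = [];
  for (const [name, srv] of Object.entries(servers)) {
    const env = srv.env || {};
    // Node.js skips certificate verification when this variable is "0".
    if (String(env.NODE_TLS_REJECT_UNAUTHORIZED) === '0') {
      findings.push({ server: name, id: 'tls-verification-disabled' });
    }
    // The key sits in clear text in the file and in the child's environment.
    if (typeof env['X-API-Key'] === 'string' && env['X-API-Key'] !== '') {
      findings.push({ server: name, id: 'plaintext-api-key' });
    }
    if (srv.command === 'npx') {
      // First non-flag argument is the package npx downloads and runs.
      const pkg = (srv.args || []).find((a) => !a.startsWith('-'));
      if (pkg && isUnpinned(pkg)) {
        findings.push({ server: name, id: 'unpinned-npx-package', detail: pkg });
      }
    }
  }
  return findings;
}

// Constructed sample mirroring the nodes in 6.2 and 6.3 (placeholder key).
const sampleConfig = {
  servers: {
    VulnMatter: {
      type: 'stdio', command: 'npx',
      args: ['-y', 'supergateway', '--sse', 'https://mcp.singularity-matter.com/sse'],
      env: { NODE_TLS_REJECT_UNAUTHORIZED: '0', 'X-API-Key': 'TU_API_KEY' },
    },
    filesystem_miproyecto: {
      type: 'stdio', command: 'npx',
      args: ['-y', '@modelcontextprotocol/server-filesystem'],
      env: { ROOT: 'C:/ruta/proyecto' },
    },
  },
};
function auditSample() { return auditMcpConfig(sampleConfig).map((f) => `${f.server}:${f.id}`); }
console.log(auditSample().join('\n'));
```

To check real files, pass the parsed contents of each path listed in 6.1 to auditMcpConfig.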

9. Troubleshooting

| Issue | Possible Cause | Solution |
|----------|---------------|----------|
| Empty scores | Invalid API Key | Regenerate or verify the key |
| MCP node not visible | Corrupted mcp.json | Delete file and reconfigure from the extension |
| Claude doesn’t detect server | Path/root format mismatch | Restart Claude after configuring |
| Changed API Key not reflected | MCP not reconfigured | Check the corresponding checkbox again |
| Permission error | Protected directory | Run VS Code with proper permissions |
| Report very slow | Real API call latency | Check connectivity / rely on temporary fallback |

View current configuration

Click the 🔧 button (MCP status) or inspect:

~/.vulnmatter/config.json
%APPDATA%/Code/User/mcp.json
%APPDATA%/Claude/claude_desktop_config.json

Full reset

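# Close VS Code and Claude Desktop first (PowerShell, Windows paths)
# The last two files hold every MCP server configured for that client, not only VulnMatter's
Remove-Item "$env:USERPROFILE\.vulnmatter\config.json"
Remove-Item "$env:APPDATA\Code\User\mcp.json"
Remove-Item "$env:APPDATA\Claude\claude_desktop_config.json"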

(Adjust paths per OS). Then reopen and reconfigure.

10. Development Scripts

npm run compile   # Compile
npm run watch     # Watch / incremental rebuild
npm run package   # Webpack production build

Package:

npm install -g @vscode/vsce
vsce package

11. Extend

| Goal | How |
|----------|--------------|
| New VulnMatter endpoint | Clone pattern from getCVEScores() / getCVEReport() |
| Add another MCP server | Create method similar to createOrUpdateVulnMatterServer() |
| Additional UI | Add sections to vulnmatter.html and handle messages in onDidReceiveMessage |
| Support multiple API Keys | Change apiKey → array and add selection UI |

12. Changelog

| Version | Changes |
|---------|---------|
| 1.1.0 | VS Code + Claude MCP, diagnostic button, Assents→VulnMatter migration, automatic X-API-Key update |
| 1.0.0 | CVE analysis, reports, API Key save |

13. License

(Define here: MIT / Apache-2.0 / Proprietary)

14. Support

  • Internal contact / Slack channel

  • Repository issues (if applicable)

Need screenshots or want the hidden features back? Open an issue or request it.

npm install --save-dev @vscode/vsce
npx vsce package
npx vsce publish