SCA Vulnerability Scan Report

Scan Information

Repository:

Scan ID:

Date:

Scanner: Wraith (OSV-Scanner) + Ghost AI Exploitability Analysis

---

Executive Summary

<2-3 paragraphs summarizing:

Number of lockfiles scanned and total dependencies analyzed

High severity findings that require immediate action

Overall security posture (clean, concerning, critical)

False positive reduction achieved by AI analysis>

---

Statistics

| Metric | Count | |--------|-------| | Lockfiles Scanned | | | Packages Scanned | | | Vulnerabilities Detected | (raw scanner output) | | Candidates Analyzed | | | Confirmed Findings | (exploitable) | | False Positives Filtered | | | False Positive Rate | % |

Findings by Severity

| Severity | Count | Recommended Timeline | |----------|-------|----------------------| | High | | Within 1 week | | Medium | | Within 1 month | | Low | | Plan for next quarter |

Findings by Ecosystem

| Ecosystem | Findings | Total Packages | |-----------|----------|----------------| | Go | | | | npm | | | | PyPI | | | | RubyGems | | | | Cargo | | |

Findings by Lockfile

| Lockfile | Findings | Packages | Status | |----------|----------|----------|--------| | go.mod | | | | | frontend/package-lock.json | | | | | requirements.txt | | | |

---

High Severity Findings

@ -

Location: ``

CVEs:

CVSS Score:

Summary: <1-line vulnerability summary>

Exploitability:

Impact:

Remediation: Upgrade to `@`

Exploit Path: ``` User Input → → → ``` Detailed Analysis: See [/findings/.md](/findings/.md)

---

Medium Severity Findings

@ -

Location: ``

CVEs:

CVSS Score:

Summary: <1-line summary>

Remediation: Upgrade to `@`

Detailed Analysis: See [/findings/.md](/findings/.md)

---

Low Severity Findings

| Package | Version | Vuln ID | CVE | CVSS | Remediation | |---------|---------|---------|-----|------|-------------| | | | | | | Upgrade to | | | | | | | Upgrade to |

---

False Positives Filtered

The AI analysis successfully filtered false positives that were not exploitable:

Not Used in Codebase ()

@ - : Package imported but vulnerable function not called

@ - : Only safe submodules used, vulnerable code not reached

@ - : Transitive dependency never directly imported

Test Dependencies Only ()

@ - : Only used in test files (test/), not in production

@ - : Listed in devDependencies, excluded from production build

@ - : Test-only usage, not deployed

Mitigated ()

@ - : Effective input validation wrapper in place

@ - : WAF rules block exploit attempts

@ - : Custom fork with backported patch

Version Overrides ()

@ - : Actually using patched version via `replace` directive

@ - : Fixed via package.json resolutions

@ - : Internal fork with security patches

---

Remediation Plan

High Priority Actions (High Severity)

#### 1. @ - - Action: Upgrade to `@` - Testing Required: - - - - Estimated Effort: - Command: ```bash # Go go get @ go mod tidy

# npm npm install @ npm audit

# Python (poetry) poetry add @ poetry lock

# Python (pip) pip install == pip freeze > requirements.txt

# Ruby bundle update

# Rust cargo update ```

Medium Priority Actions (Medium Severity)

Low Priority Actions (Low Severity)

@: Upgrade to

Long-Term Security Improvements

1. Automated Dependency Scanning - Integrate wraith into CI/CD pipeline - Fail builds on High severity vulnerabilities - Run weekly scans on main/production branches - Set up automated alerts for new vulnerabilities

2. Dependency Update Policy - Enable automated dependency updates (Dependabot, Renovate Bot) - Establish regular security patch windows (e.g., monthly) - Pin major versions, auto-update patches - Review and approve dependency additions

3. Secure Development Practices - Review security track record before adding new dependencies - Prefer well-maintained packages with active security response - Minimize dependency footprint (fewer dependencies = smaller attack surface) - Use Software Bill of Materials (SBOM) for transparency

4. Runtime Protection - Deploy Web Application Firewall (WAF) for internet-facing services - Implement network segmentation for backend services - Use input validation middleware - Monitor for exploitation attempts in logs

5. Vulnerability Response Process - Establish SLA for patching by severity (High: 7 days, Medium: 30 days, Low: 90 days) - Maintain security contact/team for vulnerability reports - Document incident response procedures - Conduct post-incident reviews

---

Detailed Findings

For comprehensive exploitability analysis of each finding, see individual finding files: ``` /findings/ ├── .md ├── .md └── ... ```

Each finding includes:

Detailed exploitability assessment

Attack vector analysis

Code context and data flow

Specific remediation steps

CVE references and links

---

Methodology

Phase 1: Vulnerability Detection

Tool: Wraith (wrapper around Google's OSV-Scanner)

Database: OSV (Open Source Vulnerabilities) - 500,000+ vulnerabilities

Coverage: All major ecosystems (Go, npm, PyPI, RubyGems, Cargo, Maven, Packagist)

Process: Scans lockfiles against OSV database for known vulnerabilities

Phase 2: Exploitability Analysis

Each detected vulnerability was analyzed by an AI agent evaluating:

1. Usage Analysis: Is the vulnerable package/function actually used in the codebase? 2. Data Flow Analysis: Can user input reach the vulnerable code? 3. Context Analysis: Is this production code or test/dev only? 4. Mitigation Detection: Are there protective measures in place (wrappers, validation, WAF)? 5. Severity Adjustment: Contextual CVSS scoring based on actual exploitability

Decision Criteria: A vulnerability is confirmed as exploitable ONLY if:

The vulnerable function is actually called (not just package imported)

User input can reach the vulnerable code

No effective mitigations are in place

The code is in production (not test-only)

Phase 3: False Positive Filtering

Common false positive patterns automatically filtered:

Not Used: Vulnerable functions not imported or called

Test/Dev Only: Dependencies not included in production builds

Mitigated: Wrappers, validation, or WAF rules that prevent exploitation

Version Overrides: Patched forks or resolutions despite lockfile version

Result: Achieved % false positive reduction, providing high-confidence, actionable findings.

---

Appendix: Raw Scan Data

Raw Wraith Output: `/scan-*.json`

Candidates List: `/candidates.json`

Lockfiles Analyzed: `/lockfiles.json`

---

*Report generated by Ghost Security SCA Scanner* *Powered by Wraith and AI Exploitability Analysis*