dependency-scanner

# Dependency Scanner Skill

Performs comprehensive dependency scanning and inventory generation for codebases, supporting migration planning and security assessments through SBOM (Software Bill of Materials) generation.

## Purpose

Enable comprehensive dependency management for:
- Direct and transitive dependency extraction
- Dependency tree visualization
- Version conflict detection
- Circular dependency identification
- License extraction and compliance
- SBOM generation (CycloneDX, SPDX formats)

## Capabilities

### 1. Direct/Transitive Dependency Extraction
- Parse package manifests (package.json, pom.xml, requirements.txt, etc.)
- Resolve full dependency trees including transitive dependencies
- Identify version constraints and resolution results
- Track dependency sources and registries

### 2. Dependency Tree Visualization
- Generate hierarchical dependency graphs
- Export to DOT, JSON, or Mermaid formats
- Highlight problematic paths
- Calculate tree depth and breadth metrics

### 3. Version Conflict Detection
- Identify version conflicts in dependency trees
- Detect peer dependency violations
- Find incompatible version ranges
- Suggest resolution strategies

### 4. Circular Dependency Identification
- Detect circular dependency chains
- Map dependency cycles
- Assess impact of circular dependencies
- Recommend breaking strategies

### 5. License Extraction
- Extract license information from dependencies
- Identify license types (MIT, Apache, GPL, etc.)
- Flag copyleft licenses
- Track dual-licensed packages

### 6. SBOM Generation
- Generate CycloneDX format SBOMs
- Generate SPDX format SBOMs
- Include vulnerability references
- Support machine-readable and human-readable outputs

## Tool Integrations

This skill can leverage the following external tools when available:

| Tool | Purpose | Integration Method |
|------|---------|-------------------|
| npm/yarn/pnpm | Node.js dependencies | CLI |
| Maven | Java dependencies | CLI |
| Gradle | Java/Kotlin dependencies | CLI |
| pip/pipenv/poetry | Python dependencies | CLI |
| Bundler | Ruby dependencies | CLI |
| Cargo | Rust dependencies | CLI |
| Go Modules | Go dependencies | CLI |
| Snyk | Security scanning | CLI / API |
| OWASP Dependency-Check | Vulnerability scanning | CLI |
| Trivy | SBOM generation | MCP Server / CLI |
| Syft | SBOM generation | CLI |

## Usage

### Basic Scanning

```bash
# Invoke skill for dependency scanning
# The skill will auto-detect package managers and scan accordingly

# Expected inputs:
# - targetPath: Path to project root
# - scanDepth: 'direct' | 'transitive' | 'full'
# - outputFormat: 'json' | 'tree' | 'sbom-cyclonedx' | 'sbom-spdx'
# - includeLicenses: boolean
```

### Scanning Workflow

1. **Detection Phase**
   - Identify package managers in use
   - Locate manifest files
   - Check for lock files

2. **Extraction Phase**
   - Parse manifest files
   - Resolve dependency trees
   - Extract version information

3. **Analysis Phase**
   - Detect conflicts
   - Identify circular dependencies
   - Extract licenses

4. **Output Generation**
   - Generate inventory reports
   - Create SBOMs if requested
   - Produce visualization artifacts

## Output Schema

```json
{
  "scanId": "string",
  "timestamp": "ISO8601",
  "target": {
    "path": "string",
    "packageManagers": ["string"],
    "manifestFiles": ["string"]
  },
  "summary": {
    "totalDependencies": "number",
    "directDependencies": "number",
    "transitiveDependencies": "number",
    "uniquePackages": "number",
    "treeDepth": "number"
  },
  "dependencies": [
    {
      "name": "string",
      "version": "string",
      "type": "direct|transitive",
      "parent": "string|null",
      "license": "string",
      "repository": "string",
      "depth": "number"
    }
  ],
  "conflicts": [
    {
      "package": "string",
      "versions": ["string"],
      "sources": ["string"],
      "recommendation": "string"
    }
  ],
  "circularDependencies": [
    {
      "chain": ["string"],
      "severity": "high|medium|low"
    }
  ],
  "licenses": {
    "summary": {
      "MIT": "number",
      "Apache-2.0": "number",
      "GPL-3.0": "number"
    },
    "copyleft": ["string"],
    "unknown": ["string"]
  },
  "sbom": {
    "format": "cyclonedx|spdx",
    "version": "string",
    "path": "string"
  }
}
```

## Integration with Migration Processes

This skill integrates with the following Code Migration/Modernization processes:

- **dependency-analysis-updates**: Primary tool for dependency assessment
- **legacy-codebase-assessment**: Dependency inventory for legacy systems
- **framework-upgrade**: Compatibility analysis for upgrades
- **cloud-migration**: Dependency portability assessment

## Configuration

### Skill Configuration File

Create `.dependency-scanner.json` in the project root:

```json
{
  "packageManagers": ["auto"],
  "excludePaths": ["node_modules", ".git"],
  "scanDepth": "full",
  "includeDev": true,
  "includeOptional": false,
  "licensePolicy": {
    "allowed": ["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"],
    "flagged": ["GPL-3.0", "AGPL-3.0"],
    "blocked": []
  },
  "sbomConfig": {
    "format": "cyclonedx",
    "version": "1.5",
    "includeVulnerabilities": true
  }
}
```

## MCP Server Integration

When Trivy SBOM Generator MCP Server is available:

```javascript
// Example MCP tool invocation
{
  "tool": "trivy_generate_sbom",
  "arguments": {
    "target": "./",
    "format": "cyclonedx",
    "output": "./sbom.json"
  }
}
```

When GitHub Dependabot MCP Server is available:

```javascript
// Example dependency update check
{
  "tool": "dependabot_check_updates",
  "arguments": {
    "repo": "owner/repo",
    "ecosystem": "npm"
  }
}
```

## Package Manager Support

### Node.js (npm/yarn/pnpm)

```bash
# Auto-detected files:
# - package.json
# - package-lock.json
# - yarn.lock
# - pnpm-lock.yaml
```

### Java (Maven/Gradle)

```bash
# Auto-detected files:
# - pom.xml
# - build.gradle
# - build.gradle.kts
```

### Python (pip/pipenv/poetry)

```bash
# Auto-detected files:
# - requirements.txt
# - Pipfile
# - pyproject.toml
# - setup.py
```

### Ruby (Bundler)

```bash
# Auto-detected files:
# - Gemfile
# - Gemfile.lock
```

### Go (Modules)

```bash
# Auto-detected files:
# - go.mod
# - go.sum
```

### Rust (Cargo)

```bash
# Auto-detected files:
# - Cargo.toml
# - Cargo.lock
```

## Best Practices

1. **Lock File Usage**: Always include lock files for reproducible scans
2. **Regular Scanning**: Integrate into CI/CD for continuous monitoring
3. **SBOM Storage**: Store SBOMs alongside releases for compliance
4. **License Reviews**: Review license changes in dependency updates
5. **Conflict Resolution**: Address version conflicts before migration

## Related Skills

- `vulnerability-scanner`: Security scanning of dependencies
- `license-compliance-checker`: Detailed license analysis
- `dependency-updater`: Automated dependency updates

## Related Agents

- `dependency-modernization-agent`: Uses this skill for dependency management
- `migration-readiness-assessor`: Uses this skill for readiness evaluation
- `security-vulnerability-assessor`: Uses this skill for dependency security

## References

- [SBOM Generator MCP Server (Trivy)](https://playbooks.com/mcp/trivy-sbom-generator)
- [GitHub Dependabot MCP Server](https://mcp.so/server/github-dependabot-mcp-server)
- [Renovate](https://github.com/renovatebot/renovate)
- [OWASP Dependency-Check](https://github.com/jeremylong/DependencyCheck)
- [CycloneDX Specification](https://cyclonedx.org/)
- [SPDX Specification](https://spdx.dev/)