diff --git a/.github/skills/dependency-inventory/SKILL.md b/.github/skills/dependency-inventory/SKILL.md new file mode 100644 index 0000000..bcec305 --- /dev/null +++ b/.github/skills/dependency-inventory/SKILL.md @@ -0,0 +1,63 @@ +--- +name: Dependency Inventory +description: Detect and export Maven and Gradle dependencies into normalized JSON +--- + +# Dependency Inventory Skill + +This skill detects Maven and Gradle projects and exports +their resolved dependencies into a normalized JSON format. + +## Supported Build Tools + +- Maven +- Gradle + +## Workflow + +1. Detect build tool +2. Execute dependency export +3. Normalize dependency output +4. Generate dependency-inventory.json + +## Maven + +Preferred command: + +```bash +./mvnw dependency:tree \ + -DoutputType=json \ + -DoutputFile=dependency-tree.json +```` + +Fallback: + +```bash +mvn dependency:tree \ + -DoutputType=json \ + -DoutputFile=dependency-tree.json +``` + +## Gradle + +Preferred command: + +```bash +./gradlew exportDependencies +``` + +Fallback: + +```bash +gradle exportDependencies +``` + +## Final Output + +Generate: + +```txt +dependency-inventory.json +``` + +The output must follow the shared dependency schema. \ No newline at end of file diff --git a/.github/skills/dependency-inventory/scripts/collect-dependencies.sh b/.github/skills/dependency-inventory/scripts/collect-dependencies.sh new file mode 100644 index 0000000..2b6158d --- /dev/null +++ b/.github/skills/dependency-inventory/scripts/collect-dependencies.sh @@ -0,0 +1,53 @@ +#!/usr/bin/env bash + +set -e + +OUTPUT_DIR=".dependency-output" + +mkdir -p "$OUTPUT_DIR" + +echo "Detecting project type..." + +# ========================= +# Maven +# ========================= +if [ -f "pom.xml" ]; then + echo "Maven project detected" + + if [ -f "./mvnw" ]; then + ./mvnw dependency:tree \ + -DoutputType=json \ + -DoutputFile="$OUTPUT_DIR/maven-dependencies.json" + else + mvn dependency:tree \ + -DoutputType=json \ + -DoutputFile="$OUTPUT_DIR/maven-dependencies.json" + fi + + python3 .github/skills/dependency-inventory/scripts/normalize-maven.py \ + "$OUTPUT_DIR/maven-dependencies.json" \ + "$OUTPUT_DIR/dependency-inventory.json" + +# ========================= +# Gradle +# ========================= +elif [ -f "build.gradle" ] || [ -f "build.gradle.kts" ]; then + echo "Gradle project detected" + + if [ -f "./gradlew" ]; then + ./gradlew exportDependencies + else + gradle exportDependencies + fi + + python3 .github/skills/dependency-inventory/scripts/normalize-gradle.py \ + "$OUTPUT_DIR/gradle-dependencies.json" \ + "$OUTPUT_DIR/dependency-inventory.json" + +else + echo "Unsupported build tool" + exit 1 +fi + +echo "Dependency inventory generated:" +echo "$OUTPUT_DIR/dependency-inventory.json" \ No newline at end of file diff --git a/.github/skills/dependency-inventory/scripts/normalize-gradle.py b/.github/skills/dependency-inventory/scripts/normalize-gradle.py new file mode 100644 index 0000000..016c14c --- /dev/null +++ b/.github/skills/dependency-inventory/scripts/normalize-gradle.py @@ -0,0 +1,25 @@ +import json +import sys + +input_file = sys.argv[1] +output_file = sys.argv[2] + +with open(input_file) as f: + data = json.load(f) + +normalized = { + "buildTool": "gradle", + "dependencies": [] +} + +for dep in data.get("dependencies", []): + normalized["dependencies"].append({ + "group": dep.get("group"), + "artifact": dep.get("artifact"), + "version": dep.get("version"), + "scope": "runtime", + "transitive": dep.get("transitive", True) + }) + +with open(output_file, "w") as f: + json.dump(normalized, f, indent=2) \ No newline at end of file diff --git a/.github/skills/dependency-inventory/scripts/normalize-maven.py b/.github/skills/dependency-inventory/scripts/normalize-maven.py new file mode 100644 index 0000000..12a04dd --- /dev/null +++ b/.github/skills/dependency-inventory/scripts/normalize-maven.py @@ -0,0 +1,32 @@ +import json +import sys + +input_file = sys.argv[1] +output_file = sys.argv[2] + +with open(input_file) as f: + data = json.load(f) + +dependencies = [] + +def walk(dep, transitive=False): + dependencies.append({ + "group": dep.get("groupId"), + "artifact": dep.get("artifactId"), + "version": dep.get("version"), + "scope": dep.get("scope"), + "transitive": transitive + }) + + for child in dep.get("children", []): + walk(child, True) + +walk(data) + +output = { + "buildTool": "maven", + "dependencies": dependencies +} + +with open(output_file, "w") as f: + json.dump(output, f, indent=2) \ No newline at end of file diff --git a/8 11 17 21 all in one.pdf b/8 11 17 21 all in one.pdf new file mode 100644 index 0000000..d3f37f4 Binary files /dev/null and b/8 11 17 21 all in one.pdf differ diff --git a/DBMS_PostgreSQL_65_Interview_Questions.docx - Google Docs.pdf b/DBMS_PostgreSQL_65_Interview_Questions.docx - Google Docs.pdf new file mode 100644 index 0000000..9f358cf Binary files /dev/null and b/DBMS_PostgreSQL_65_Interview_Questions.docx - Google Docs.pdf differ diff --git a/Java_11_Interview_Preparation_Guide.pdf b/Java_11_Interview_Preparation_Guide.pdf new file mode 100644 index 0000000..0b7b009 Binary files /dev/null and b/Java_11_Interview_Preparation_Guide.pdf differ diff --git a/Java_17_Interview_Preparation_Guide.docx - Google Docs.pdf b/Java_17_Interview_Preparation_Guide.docx - Google Docs.pdf new file mode 100644 index 0000000..847377e Binary files /dev/null and b/Java_17_Interview_Preparation_Guide.docx - Google Docs.pdf differ diff --git a/Java_21_Interview_Preparation_Guide.docx - Google Docs.pdf b/Java_21_Interview_Preparation_Guide.docx - Google Docs.pdf new file mode 100644 index 0000000..3be5c0d Binary files /dev/null and b/Java_21_Interview_Preparation_Guide.docx - Google Docs.pdf differ diff --git a/Java_8_Interview_Preparation_Guide.docx - Google Docs.pdf b/Java_8_Interview_Preparation_Guide.docx - Google Docs.pdf new file mode 100644 index 0000000..84856b8 Binary files /dev/null and b/Java_8_Interview_Preparation_Guide.docx - Google Docs.pdf differ diff --git a/NoSQL_Elasticsearch_Solr_40_Interview_Questions.docx - Google Docs.pdf b/NoSQL_Elasticsearch_Solr_40_Interview_Questions.docx - Google Docs.pdf new file mode 100644 index 0000000..b38807f Binary files /dev/null and b/NoSQL_Elasticsearch_Solr_40_Interview_Questions.docx - Google Docs.pdf differ diff --git a/Oracle_DBA_Advanced_Interview_Guide.docx - Google Docs.pdf b/Oracle_DBA_Advanced_Interview_Guide.docx - Google Docs.pdf new file mode 100644 index 0000000..2d10a09 Binary files /dev/null and b/Oracle_DBA_Advanced_Interview_Guide.docx - Google Docs.pdf differ diff --git a/Oracle_DBA_HandsOn_Practical_Guide.docx - Google Docs.pdf b/Oracle_DBA_HandsOn_Practical_Guide.docx - Google Docs.pdf new file mode 100644 index 0000000..3f0ee6f Binary files /dev/null and b/Oracle_DBA_HandsOn_Practical_Guide.docx - Google Docs.pdf differ diff --git a/Oracle_SQLServer_DBA_Interview_Prep-v2.pdf b/Oracle_SQLServer_DBA_Interview_Prep-v2.pdf new file mode 100644 index 0000000..370365c Binary files /dev/null and b/Oracle_SQLServer_DBA_Interview_Prep-v2.pdf differ diff --git a/Oracle_SQLServer_DBA_Interview_Prep.docx - Google Docs.pdf b/Oracle_SQLServer_DBA_Interview_Prep.docx - Google Docs.pdf new file mode 100644 index 0000000..08ae5c9 Binary files /dev/null and b/Oracle_SQLServer_DBA_Interview_Prep.docx - Google Docs.pdf differ diff --git a/SpringBoot_100_Interview_Questions.docx - Google Docs.pdf b/SpringBoot_100_Interview_Questions.docx - Google Docs.pdf new file mode 100644 index 0000000..d7aba16 Binary files /dev/null and b/SpringBoot_100_Interview_Questions.docx - Google Docs.pdf differ diff --git a/Top 100 Power BI Interview Questions and Answers for 2026.pdf b/Top 100 Power BI Interview Questions and Answers for 2026.pdf new file mode 100644 index 0000000..68a8124 Binary files /dev/null and b/Top 100 Power BI Interview Questions and Answers for 2026.pdf differ diff --git a/instruction.md b/instruction.md new file mode 100644 index 0000000..6ac2eab --- /dev/null +++ b/instruction.md @@ -0,0 +1,114 @@ +# Vulnerability Scanner Agent + +## Role +You are a Dependency Vulnerability Scanner Agent. +When the user says "start", execute ALL steps below +automatically without asking any questions. + +--- + +## On "start" — run these 5 steps: + +### Step 1 — Discover dependency files +Scan the repo for: +- build.gradle, build.gradle.kts +- pom.xml +- gradle.lockfile, *.lock +- package.json, package-lock.json, yarn.lock +- requirements.txt, Pipfile.lock + +Print: "Found X dependency file(s): [list]" + +### Step 2 — Resolve full dependency tree + +For Gradle projects, run: + ./gradlew dependencies --configuration compileClasspath > dep-tree.txt + ./gradlew dependencies --configuration runtimeClasspath >> dep-tree.txt + ./gradlew dependencies --configuration testCompileClasspath >> dep-tree.txt + +For Maven projects, run: + mvn dependency:tree -Doutput=mvn-dep-tree.txt -DoutputType=text + +Parse the output to extract for each package: +- group:artifact name +- declared version (what's in the file) +- resolved version (what Gradle/Maven actually uses) +- scope: compile / runtime / test / provided +- type: DIRECT or TRANSITIVE +- introduced via: the direct dependency that pulled it in + +### Step 3 — Check vulnerabilities via OSV API + +For each unique package@version, POST to: + https://api.osv.dev/v1/querybatch + +Request body: +{ + "queries": [ + {"package": {"name": "group:artifact", "ecosystem": "Maven"}, "version": "x.y.z"}, + {"package": {"name": "group:artifact", "ecosystem": "Maven"}, "version": "x.y.z"} + ] +} + +Ecosystem values: Maven, npm, PyPI + +From each response extract: +- id → CVE ID or GHSA ID +- severity score → CVSS v3 score (0.0 to 10.0) +- fix version → first "fixed" event in affected.ranges +- cwe_ids → from database_specific +- summary → max 150 characters +- published → date string + +Severity rules: +- CVSS >= 9.0 → Critical +- CVSS 7.0-8.9 → High +- CVSS 4.0-6.9 → Medium +- CVSS < 4.0 → Low +- No CVE found → Safe + +### Step 4 — Write CSV report + +Create reports/ directory. +File: reports/vulnerability-report-YYYY-MM-DD.csv + +Columns (exact order): +Package Name,Group ID,Artifact ID,Type,Scope, +Declared Version,Resolved Version,Introduced Via, +CVE ID,CVSS Score,Severity,CWE,Description, +Fix Version,Published Date,Source File + +Rules: +- One row per CVE per package +- Package with no CVE: CVE ID=NONE, CVSS=0.0, Severity=SAFE +- Sort by CVSS score descending (Critical rows first) +- Wrap comma-containing fields in double quotes +- API failure row: CVE ID=API_ERROR + +### Step 5 — Print this exact summary block + +======================================== + VULNERABILITY SCAN COMPLETE +======================================== + Scan date : YYYY-MM-DD HH:MM + Files scanned : [list] + Total packages : N + ---------------------------------------- + Critical (>=9.0): N + High (7-8.9): N + Medium (4-6.9): N + Low (<4.0) : N + Safe (no CVE) : N + ---------------------------------------- + Report saved to : reports/vulnerability-report-YYYY-MM-DD.csv +======================================== + +--- + +## Hard rules +- NEVER skip transitive dependencies +- NEVER guess or invent CVE IDs — only report what OSV returns +- Do NOT ask the user anything — run all 5 steps on "start" +- If no dep files found, say exactly: + "No dependency files found. Supported: build.gradle, + pom.xml, package.json, requirements.txt" diff --git a/jvm-dependency-audit.md b/jvm-dependency-audit.md new file mode 100644 index 0000000..ed3d388 --- /dev/null +++ b/jvm-dependency-audit.md @@ -0,0 +1,298 @@ +--- +name: jvm-dependency-audit +description: "Combined JVM dependency audit skill for Maven and Gradle projects. Use when the user asks to check, audit, or review dependencies; says 'outdated deps', 'check my pom', 'check my build.gradle', or 'is this version safe'; pastes a groupId:artifactId coordinate; or wants a dependency health report before a release or during maintenance. Supports single-module and multi-module repos. Uses Maven Tools MCP for live Maven Central data and writes a two-table Markdown report (dependency-audit-report.md) to the repo root." +allowed-tools: mcp__maven-tools__* mcp__context7__* WebSearch WebFetch +--- + +# JVM Dependency Audit — Combined Skill + +Unified audit skill for **Maven** (`pom.xml`) and **Gradle** (`build.gradle` / `build.gradle.kts`) projects, single-module and multi-module. + +Uses Maven Tools MCP for live Maven Central data (versions, CVEs, licenses, freshness). +Outputs exactly **two Markdown tables** written to `dependency-audit-report.md` at the repository root. + +--- + +## When to Use + +- "Check my dependencies" / "audit dependencies" / "outdated deps" +- Before a release or during regular maintenance +- After a security advisory +- User pastes a `pom.xml`, `build.gradle`, or `groupId:artifactId` coordinate +- Multi-module repo where submodules may diverge in dependency versions + +--- + +## Phase 0 — Detect Build System & Discover All Modules + +Run this before any other step. Never stop at the root. + +### Maven + +```bash +find . -name "pom.xml" | sort +``` + +A root `pom.xml` with a `` block is multi-module. +Each `` entry is a subdirectory with its own `pom.xml`. + +### Gradle + +```bash +find . \( -name "settings.gradle" -o -name "settings.gradle.kts" \) | sort +find . \( -name "build.gradle" -o -name "build.gradle.kts" \) | sort +``` + +Read `settings.gradle(.kts)` for the canonical module list: + +```groovy +// Groovy DSL +include 'module-a', 'module-b', 'module-c' +``` +```kotlin +// Kotlin DSL +include("module-a", "module-b", "module-c") +``` + +Check for a version catalog: +```bash +cat gradle/libs.versions.toml # resolve all version.ref entries before extraction +``` + +**Single-module projects:** treat the root as the only module. The `Module` column in both report tables will show the project name or `root`. + +--- + +## Phase 1 — Extract Dependencies per Module + +### Maven — from each `pom.xml` + +Extract every `` under ``. +Resolve overrides from ``. +Record BOM imports (`import`) as the effective version source for child dependencies. + +Normalize to: `groupId | artifactId | version | scope` + +**Direct vs transitive:** +- Declared in the module's own `` block → **Direct** +- Pulled in by another dependency → **Transitive** + +```bash +# Get the full resolved tree (shows transitive deps) +mvn dependency:tree -DoutputType=text + +# Per module +mvn dependency:tree -pl module-a -DoutputType=text +``` + +### Gradle — from each `build.gradle` / `build.gradle.kts` + +**Groovy DSL:** +```groovy +dependencies { + implementation 'com.google.guava:guava:32.1.3-jre' + testImplementation 'org.junit.jupiter:junit-jupiter:5.10.1' + compileOnly 'org.projectlombok:lombok:1.18.30' + runtimeOnly 'org.postgresql:postgresql:42.6.0' +} +``` + +**Kotlin DSL:** +```kotlin +dependencies { + implementation("com.google.guava:guava:32.1.3-jre") + testImplementation("org.junit.jupiter:junit-jupiter:5.10.1") +} +``` + +**Version catalog** (`gradle/libs.versions.toml`): +```toml +[versions] +guava = "32.1.3-jre" + +[libraries] +guava = { module = "com.google.guava:guava", version.ref = "guava" } +``` +Resolve all `version.ref` entries to concrete versions before building the list. + +**BOM / platform imports:** +```groovy +implementation platform('org.springframework.boot:spring-boot-dependencies:3.2.0') +``` +Record the BOM coordinate and version. Use BOM-managed versions as the effective version for child dependencies unless overridden. + +**Direct vs transitive:** +- Declared in the module's own `dependencies { }` block → **Direct** +- Resolved transitively at runtime → **Transitive** + +```bash +# Full resolved tree per module and configuration +./gradlew :module-a:dependencies --configuration compileClasspath +./gradlew :module-a:dependencies --configuration testCompileClasspath + +# Why is a specific library included? +./gradlew :module-a:dependencyInsight --dependency slf4j-api --configuration compileClasspath +``` + +--- + +## Phase 2 — Run Maven Tools MCP + +Choose the narrowest tool that matches the request: + +| Intent | Tool | Default Parameters | +|--------|------|--------------------| +| Full project audit | `analyze_project_health` | `includeSecurityScan: true`, `includeLicenseScan: true`, `stabilityFilter: PREFER_STABLE` | +| Upgrade analysis (current versions known) | `compare_dependency_versions` | `includeSecurityScan: true`, `stabilityFilter: STABLE_ONLY` | +| Bulk latest-version check (no current versions) | `check_multiple_dependencies` | `stabilityFilter: PREFER_STABLE` | +| Latest version lookup | `get_latest_version` | `stabilityFilter: PREFER_STABLE` | +| Age / freshness | `analyze_dependency_age` | project-appropriate threshold | +| Maintenance signal | `analyze_release_patterns` | `monthsToAnalyze: 24` | + +- Default to `analyze_project_health` for a broad audit of each module. +- Run per module, then aggregate results across all modules. +- Deduplicate the same `groupId:artifactId` that appears in multiple modules — keep the per-module row in the tables; do not collapse across modules. + +**Interpret conservatively:** +- Patch and minor updates → safe now. +- Major updates → manual review unless the user explicitly wants breaking upgrades. +- When `compare_dependency_versions` returns `same_major_stable_fallback`: surface both the major upgrade path and the fallback; recommend the fallback first. + +--- + +## Phase 3 — Write `dependency-audit-report.md` + +Save the file to the **repository root**. +The report contains exactly **two tables** and a short header. Nothing else. + +--- + +### Report Template + +````markdown +# Dependency Audit Report + +**Project:** {project-name} +**Build System:** Maven | Gradle (Groovy DSL) | Gradle (Kotlin DSL) +**Modules Scanned:** {N} — {module-a, module-b, module-c, ...} +**Date:** {YYYY-MM-DD} +**Total Dependencies:** {total rows in Table 1} +**Vulnerable Dependencies:** {total rows in Table 2} + +--- + +## Table 1 — All Dependencies + +> Lists every resolved dependency across all modules. +> For single-module projects the Module column shows the project name or `root`. +> Direct = declared in the module's own build file. Transitive = pulled in by another dependency. + +| Module | Group ID | Artifact ID | Version | Direct / Transitive | +|--------|----------|-------------|---------|---------------------| +| root | org.springframework.boot | spring-boot-starter-web | 3.2.0 | Direct | +| root | org.springframework | spring-core | 6.1.2 | Transitive | +| root | com.fasterxml.jackson.core | jackson-databind | 2.13.0 | Transitive | +| module-a | com.google.guava | guava | 32.0.1-jre | Direct | +| module-a | org.slf4j | slf4j-api | 1.7.36 | Transitive | +| module-b | org.junit.jupiter | junit-jupiter | 5.9.0 | Direct | +| module-b | org.apache.logging.log4j | log4j-core | 2.14.0 | Direct | + +_Sort order: Module → Direct before Transitive → Group ID alphabetically._ + +--- + +## Table 2 — Vulnerable Dependencies (Upgrade Required) + +> Lists only dependencies with known CVEs or available upgrades that fix security issues. +> Severity follows CVSS: 🔴 Critical (9–10) | 🟠 High (7–8.9) | 🟡 Medium (4–6.9) | 🟢 Low (0.1–3.9). +> CVE Count = total known CVEs affecting the current version. +> Upgrade To = lowest version that resolves all listed CVEs. + +| Module | Group ID | Artifact ID | Current Version | Direct / Transitive | Severity | CVE Count | Upgrade To | +|--------|----------|-------------|----------------|---------------------|----------|-----------|------------| +| module-b | org.apache.logging.log4j | log4j-core | 2.14.0 | Direct | 🔴 Critical | 3 | 2.17.1 | +| root | com.fasterxml.jackson.core | jackson-databind | 2.13.0 | Transitive | 🟠 High | 2 | 2.14.0 | +| module-a | org.slf4j | slf4j-api | 1.7.36 | Transitive | 🟡 Medium | 1 | 2.0.9 | + +_If no vulnerabilities are found, write:_ `_No vulnerable dependencies detected._` +```` + +--- + +### Column rules + +**Table 1 — All Dependencies** + +| Column | Value | +|--------|-------| +| Module | Module name from `settings.gradle` or `` tag. Use project name / `root` for single-module. | +| Group ID | Maven `groupId` exactly as declared or resolved. | +| Artifact ID | Maven `artifactId` exactly as declared or resolved. | +| Version | Effective resolved version (after BOM / conflict resolution). | +| Direct / Transitive | `Direct` if declared in this module's own build file; `Transitive` otherwise. | + +**Table 2 — Vulnerable Dependencies** + +| Column | Value | +|--------|-------| +| Module | Same as Table 1. | +| Group ID | Same as Table 1. | +| Artifact ID | Same as Table 1. | +| Current Version | Effective resolved version currently in use. | +| Direct / Transitive | Same as Table 1. | +| Severity | Highest CVSS severity across all CVEs for this version. Use emoji + label. | +| CVE Count | Total number of known CVEs affecting the current version. | +| Upgrade To | Lowest available stable version that resolves all CVEs. If no fix exists, write `No fix available`. | + +**Sort order for both tables:** Module name → Direct before Transitive → Group ID alphabetically. + +--- + +## Phase 4 — Documentation Handoff (for upgrade questions) + +When the report surfaces major upgrades or migration-heavy changes, add documentation context before recommending action. + +Order of preference: +1. Maven Tools MCP for dependency facts (already done in Phase 2) +2. Raw Context7 tools if available +3. Standalone Context7 tools if available +4. `WebSearch` + `WebFetch` for official docs, release notes, migration guides +5. If no documentation path is available, state that dependency facts are ready but deeper docs are unavailable in this environment + +Use especially for: major version upgrades, BOM migrations, framework platform changes. + +--- + +## Quick Commands Reference + +| Task | Maven | Gradle | +|------|-------|--------| +| Find all build files | `find . -name "pom.xml"` | `find . -name "build.gradle*"` | +| Full dependency tree | `mvn dependency:tree` | `./gradlew :module:dependencies` | +| Resolved tree (specific config) | `mvn dependency:tree -pl module-a` | `./gradlew :module-a:dependencies --configuration compileClasspath` | +| Why is X included? | `mvn dependency:tree -Dincludes=groupId` | `./gradlew :module:dependencyInsight --dependency X` | +| Outdated versions | `mvn versions:display-dependency-updates` | `./gradlew dependencyUpdates` | +| Security scan | `mvn dependency-check:check` | `./gradlew dependencyCheckAnalyze` | +| Unused / undeclared | `mvn dependency:analyze` | (use OWASP or Snyk) | + +--- + +## Recovery + +| Issue | Action | +|-------|--------| +| MCP tools unavailable | Tell the user Maven Tools MCP is not configured; point to . Use `:latest` for bundled Context7, `:latest-noc7` otherwise. | +| Gradle version catalog not resolved | Parse `gradle/libs.versions.toml`; resolve all `version.ref` entries before proceeding. | +| BOM-managed version missing | Record the BOM coordinate; use its managed version as the effective version. | +| Dependency not found on Maven Central | Verify `groupId:artifactId` format; note if the artifact appears to be internal/private. | +| Security scan incomplete or slow | Use partial results; note CVE data may be incomplete; continue with version guidance. | +| Version type unclear | Treat as unstable; prefer the nearest known stable release. | +| Module has no dependencies | Include it in Table 1 with a single row: all dependency columns empty, a note `No dependencies declared`. Omit from Table 2. | +| Same dependency in multiple modules | Keep a separate row per module in both tables. Do not collapse across modules. | +| Context7 / docs tools unavailable | State dependency facts are ready but migration docs are unavailable; fall back to `WebSearch` / `WebFetch`. | + +--- + +> **License:** MIT +> **Requires:** [Maven Tools MCP server](https://github.com/arvindand/maven-tools-mcp) +> **Pairs with:** Context7 or WebSearch/WebFetch for migration documentation diff --git a/maven-dependency-audit.md b/maven-dependency-audit.md new file mode 100644 index 0000000..26511d3 --- /dev/null +++ b/maven-dependency-audit.md @@ -0,0 +1,511 @@ +--- +name: maven-dependency-audit +description: "Audit Maven or Gradle JVM dependencies for outdated versions, security vulnerabilities, and conflicts. Supports single-module and multi-module projects. Use when user says 'check dependencies', 'audit dependencies', 'outdated deps', before releases, or during regular maintenance. Scans every module's pom.xml / build.gradle(.kts) and writes a Markdown table report to the repo." +--- + +# Maven / Gradle Dependency Audit Skill (Enhanced) + +Audit JVM dependencies across **Maven** and **Gradle** projects — single-module and **multi-module** — for outdated versions, security vulnerabilities, conflicts, and unused declarations. +Outputs a **Markdown table report** (`dependency-audit-report.md`) saved to the repository root. + +--- + +## When to Use + +- User says "check dependencies" / "audit dependencies" / "outdated dependencies" +- Before a release +- Regular maintenance (monthly recommended) +- After a security advisory +- Multi-module repo where each submodule may diverge in dependency versions + +--- + +## Phase 0 — Detect Build System & Module Layout + +Before running any commands, identify the build system and all modules. + +### Maven + +```bash +# Find all pom.xml files in the repo +find . -name "pom.xml" | sort +``` + +A root `pom.xml` that contains `` is a multi-module project. +Each `` entry maps to a subdirectory with its own `pom.xml`. + +### Gradle + +```bash +# Find root settings file and all build files +find . -name "settings.gradle" -o -name "settings.gradle.kts" | sort +find . -name "build.gradle" -o -name "build.gradle.kts" | sort +``` + +Read `settings.gradle(.kts)` to get the canonical module list: + +```groovy +// Groovy DSL +include 'module-a', 'module-b', 'module-c' + +// Kotlin DSL +include("module-a", "module-b", "module-c") +``` + +Check for a version catalog: +```bash +cat gradle/libs.versions.toml # if present, resolve version.ref entries before extraction +``` + +**Rule:** Always scan every module. Never stop at the root. + +--- + +## Phase 1 — Extract Dependencies per Module + +### Maven + +```bash +# From repo root — lists effective dependencies for every module +mvn dependency:tree -DoutputType=text +``` + +To target a specific module: +```bash +mvn dependency:tree -pl module-a -DoutputType=text +``` + +Extract `` blocks from each `pom.xml`. Resolve any `` overrides. +Normalize each to: `groupId:artifactId:version:scope` + +### Gradle (Groovy DSL) + +```groovy +// build.gradle +dependencies { + implementation 'com.google.guava:guava:32.1.3-jre' + testImplementation 'org.junit.jupiter:junit-jupiter:5.10.1' + compileOnly 'org.projectlombok:lombok:1.18.30' + runtimeOnly 'org.postgresql:postgresql:42.6.0' +} +``` + +```bash +# Print resolved dependency tree per module +./gradlew :module-a:dependencies --configuration compileClasspath +./gradlew :module-a:dependencies --configuration testCompileClasspath +``` + +### Gradle (Kotlin DSL) + +```kotlin +// build.gradle.kts +dependencies { + implementation("com.google.guava:guava:32.1.3-jre") + testImplementation("org.junit.jupiter:junit-jupiter:5.10.1") +} +``` + +Same Gradle commands apply — replace module name as needed. + +### Version Catalog (`gradle/libs.versions.toml`) + +```toml +[versions] +guava = "32.1.3-jre" +junit = "5.10.1" + +[libraries] +guava = { module = "com.google.guava:guava", version.ref = "guava" } +junit = { module = "org.junit.jupiter:junit-jupiter", version.ref = "junit" } +``` + +Resolve all `version.ref` entries before building the dependency list. Record the catalog file as the authoritative version source for those libraries. + +### BOM / Platform Imports + +**Maven:** +```xml + + org.springframework.boot + spring-boot-dependencies + 3.2.0 + pom + import + +``` + +**Gradle:** +```groovy +implementation platform('org.springframework.boot:spring-boot-dependencies:3.2.0') +``` + +Record each BOM coordinate and version. Treat BOM-managed versions as the effective version for child dependencies unless a module overrides them explicitly. + +--- + +## Phase 2 — Check for Outdated Dependencies + +### Maven + +```bash +# All modules from root +mvn versions:display-dependency-updates + +# Quiet output (less verbose) +mvn versions:display-dependency-updates -q + +# Single module +mvn versions:display-dependency-updates -pl module-a + +# Plugin updates too +mvn versions:display-plugin-updates +``` + +### Gradle + +```bash +# Using gradle-versions-plugin (add if not present — see below) +./gradlew dependencyUpdates + +# Per module +./gradlew :module-a:dependencyUpdates +``` + +**Add the plugin** if not present (`build.gradle`): +```groovy +plugins { + id 'com.github.ben-manes.versions' version '0.51.0' +} +``` + +Or Kotlin DSL (`build.gradle.kts`): +```kotlin +plugins { + id("com.github.ben-manes.versions") version "0.51.0" +} +``` + +### Categorize Updates + +| Category | Criteria | Action | +|----------|----------|--------| +| 🔴 Security | CVE fix in newer version | Update immediately | +| 🔴 Major | `x.0.0` change | Review changelog, test thoroughly | +| 🟡 Minor | `x.y.0` change | Usually safe, test | +| 🟢 Patch | `x.y.z` change | Safe, minimal testing | + +--- + +## Phase 3 — Analyze Dependency Tree (Conflicts) + +### Maven + +```bash +# Full tree from root (all modules) +mvn dependency:tree + +# Filter for a specific library +mvn dependency:tree -Dincludes=org.slf4j + +# Analyze unused / undeclared +mvn dependency:analyze +``` + +**Conflict signals in Maven tree output:** + +``` +[INFO] +- com.example:module-a:jar:1.0:compile +[INFO] | \- org.slf4j:slf4j-api:jar:1.7.36:compile +[INFO] +- com.example:module-b:jar:1.0:compile +[INFO] | \- org.slf4j:slf4j-api:jar:2.0.9:compile (omitted for conflict) +``` + +- `(omitted for conflict)` — version conflict; Maven resolved it, but verify the winner is correct. +- `(omitted for duplicate)` — same version, no issue. + +### Gradle + +```bash +# Dependency tree per module +./gradlew :module-a:dependencies + +# Filter for a specific configuration +./gradlew :module-a:dependencies --configuration compileClasspath + +# Check for dependency insight (why is X included?) +./gradlew :module-a:dependencyInsight --dependency slf4j-api --configuration compileClasspath +``` + +**Cross-module version conflict detection (multi-module):** +Compare the resolved versions of the same `groupId:artifactId` across all modules. +Flag any case where the same library resolves to different versions in different modules. + +--- + +## Phase 4 — Security Vulnerability Scan + +### Option A: OWASP Dependency-Check (Recommended for both Maven and Gradle) + +**Maven** — add plugin to root `pom.xml`: +```xml + + org.owasp + dependency-check-maven + 9.0.7 + +``` + +```bash +mvn dependency-check:check +# Report: target/dependency-check-report.html +``` + +**Gradle** — add to root `build.gradle`: +```groovy +plugins { + id 'org.owasp.dependencycheck' version '9.0.7' +} +``` + +```bash +./gradlew dependencyCheckAnalyze +# Report: build/reports/dependency-check-report.html +``` + +### Option B: GitHub Dependabot +Enable in repository Settings → Security → Dependabot alerts. +Works for both Maven (`pom.xml`) and Gradle (`build.gradle`, `build.gradle.kts`, `gradle/libs.versions.toml`). + +### Option C: Snyk CLI + +```bash +snyk test --all-projects # scans all modules (Maven + Gradle) +``` + +### Severity Reference + +| CVSS Score | Severity | Action | +|------------|----------|--------| +| 9.0 – 10.0 | 🔴 Critical | Update immediately | +| 7.0 – 8.9 | 🟠 High | Update within days | +| 4.0 – 6.9 | 🟡 Medium | Update within weeks | +| 0.1 – 3.9 | 🟢 Low | Update at convenience | + +--- + +## Phase 5 — Resolve Conflicts + +### Maven — Pin via `dependencyManagement` + +```xml + + + + org.slf4j + slf4j-api + 2.0.9 + + + +``` + +### Gradle — Force a version + +```groovy +// Groovy DSL +configurations.all { + resolutionStrategy { + force 'org.slf4j:slf4j-api:2.0.9' + } +} +``` + +```kotlin +// Kotlin DSL +configurations.all { + resolutionStrategy { + force("org.slf4j:slf4j-api:2.0.9") + } +} +``` + +### Exclude Transitive Dependency + +**Maven:** +```xml + + com.example + some-library + 1.0 + + + commons-logging + commons-logging + + + +``` + +**Gradle:** +```groovy +implementation('com.example:some-library:1.0') { + exclude group: 'commons-logging', module: 'commons-logging' +} +``` + +--- + +## Phase 6 — Generate `dependency-audit-report.md` + +Write the following Markdown file to the **repository root** as `dependency-audit-report.md`. + +````markdown +# Dependency Audit Report + +**Project:** {project-name} +**Build System:** Maven | Gradle (Groovy DSL) | Gradle (Kotlin DSL) +**Modules Scanned:** {N} — {module-a, module-b, module-c, ...} +**Date:** {YYYY-MM-DD} +**Total Unique Dependencies:** {count} + +--- + +## Security Issues + +| Module | Dependency | Current Version | CVE | Severity | Fixed In | Action | +|--------|-----------|----------------|-----|----------|----------|--------| +| module-a | log4j-core | 2.14.0 | CVE-2021-44228 | 🔴 Critical | 2.17.1 | Update immediately | +| root | jackson-databind | 2.13.0 | CVE-2022-42003 | 🟠 High | 2.14.0 | Update within days | + +_No issues found_ — replace rows with this if the section is empty. + +--- + +## Outdated Dependencies + +### 🔴 Major Updates — Manual Review Required + +| Module | Dependency | Current | Latest | Notes | +|--------|-----------|---------|--------|-------| +| module-b | slf4j-api | 1.7.36 | 2.0.9 | Breaking API changes; migration guide required | + +### 🟡 Minor Updates — Safe with Testing + +| Module | Dependency | Current | Latest | +|--------|-----------|---------|--------| +| root | junit-jupiter | 5.9.0 | 5.10.1 | +| module-a | guava | 32.0.1 | 32.1.3 | + +### 🟢 Patch Updates — Safe + +| Module | Dependency | Current | Latest | +|--------|-----------|---------|--------| +| module-c | commons-lang3 | 3.12.0 | 3.13.0 | + +--- + +## Version Conflicts Across Modules + +| Dependency | Versions Found | Modules Affected | Recommended Fix | +|-----------|---------------|-----------------|-----------------| +| slf4j-api | 1.7.36, 2.0.9 | root, module-a | Pin 2.0.9 in BOM / `dependencyManagement` / `resolutionStrategy` | + +--- + +## Unused / Undeclared Dependencies + +| Module | Dependency | Issue | Recommendation | +|--------|-----------|-------|----------------| +| module-b | commons-io:2.11.0 | Declared but unused | Remove from build file | +| module-a | slf4j-api | Used but undeclared (transitive only) | Declare explicitly | + +--- + +## Stale / Unmaintained Dependencies + +| Module | Dependency | Current | Last Release | Months Stale | Risk | +|--------|-----------|---------|-------------|-------------|------| +| root | some-old-lib | 1.2.0 | 2021-03-01 | 38 | 🔴 No recent activity | + +--- + +## License Risks + +| Module | Dependency | Version | License | Risk | +|--------|-----------|---------|---------|------| +| module-c | some-gpl-lib | 2.0.0 | GPL-3.0 | 🔴 Review before distribution | + +--- + +## Per-Module Summary + +| Module | Total Deps | Critical CVEs | High CVEs | Major Outdated | Minor/Patch Outdated | Conflicts | Status | +|--------|-----------|--------------|----------|---------------|---------------------|-----------|--------| +| root | 12 | 0 | 1 | 0 | 3 | 1 | 🟡 Action needed | +| module-a | 8 | 1 | 0 | 0 | 1 | 1 | 🔴 Critical | +| module-b | 5 | 0 | 0 | 1 | 0 | 0 | 🟡 Review | +| module-c | 4 | 0 | 0 | 0 | 1 | 0 | 🟢 OK | +| **Total** | **29** | **1** | **1** | **1** | **5** | **2** | — | + +--- + +## Prioritised Recommendations + +| Priority | Action | Module(s) | Effort | +|----------|--------|-----------|--------| +| 🔴 Immediate | Update log4j-core 2.14.0 → 2.17.1 (CVE-2021-44228) | module-a | Low | +| 🔴 Immediate | Update jackson-databind 2.13.0 → 2.14.0 (CVE-2022-42003) | root | Low | +| 🟡 This sprint | Apply 5 minor/patch updates | root, module-a, module-c | Low | +| 🟡 This sprint | Pin slf4j-api to 2.0.9 to resolve cross-module conflict | root, module-a | Low | +| ⬜ Plan | Evaluate slf4j 1.x → 2.x migration | module-b | Medium | +| ⬜ Plan | Remove unused commons-io | module-b | Low | +| ⬜ Plan | Replace or fork some-old-lib (38 months unmaintained) | root | High | +```` + +--- + +## Quick Commands Reference + +| Task | Maven | Gradle | +|------|-------|--------| +| List all build files | `find . -name "pom.xml"` | `find . -name "build.gradle*"` | +| Outdated deps | `mvn versions:display-dependency-updates` | `./gradlew dependencyUpdates` | +| Outdated plugins | `mvn versions:display-plugin-updates` | `./gradlew dependencyUpdates` | +| Dependency tree | `mvn dependency:tree` | `./gradlew :module:dependencies` | +| Find specific dep | `mvn dependency:tree -Dincludes=groupId` | `./gradlew :module:dependencyInsight --dependency X` | +| Unused / undeclared | `mvn dependency:analyze` | (no built-in; use OWASP or Snyk) | +| Security scan | `mvn dependency-check:check` | `./gradlew dependencyCheckAnalyze` | +| Update all (CAUTION) | `mvn versions:use-latest-releases` | manual edits or Renovate bot | +| Resolve conflict | `` block | `resolutionStrategy { force ... }` | + +--- + +## Update Strategies + +### Conservative (Recommended for Production) +1. Apply patch updates freely. +2. Apply minor updates with basic testing. +3. Treat major updates as a planned migration with changelog review. + +### Selective +```bash +# Maven — update only one dependency +mvn versions:use-latest-versions -Dincludes=org.junit.jupiter + +# Gradle — edit build file or version catalog directly, then verify +./gradlew :module:dependencies --configuration compileClasspath +``` + +### Automated (CI-friendly) +- **Renovate Bot** — supports Maven, Gradle, and version catalogs out of the box. +- **GitHub Dependabot** — supports `pom.xml`, `build.gradle`, `build.gradle.kts`, `libs.versions.toml`. + +--- + +## Token Optimization Notes + +- Use `-q` (quiet) flag on Maven commands for less verbose output. +- Use `--configuration compileClasspath` on Gradle to limit tree size. +- Filter with `-Dincludes=groupId:artifactId` or `--dependency` when looking for a specific library. +- Do not paste entire dependency trees into the report — summarize conflicts and flag anomalies only. diff --git a/maven-tools.md b/maven-tools.md new file mode 100644 index 0000000..11819d4 --- /dev/null +++ b/maven-tools.md @@ -0,0 +1,329 @@ +--- +name: maven-tools +description: "JVM dependency intelligence via Maven Tools MCP server. Use when the user asks about Maven or Gradle dependencies, JVM library versions, safe upgrades, CVEs, license risks, release history, or project dependency health. Use when reviewing `pom.xml`, `build.gradle`, `build.gradle.kts`, or Maven coordinates. Use when the user says 'check my dependencies', 'should I upgrade X', or 'is this version safe'. Use even when the user just pastes a `groupId:artifactId` coordinate without a verb. Supports single-module and multi-module projects." +allowed-tools: mcp__maven-tools__* mcp__context7__* WebSearch WebFetch +--- + +# Maven Tools (Enhanced) + +Use this skill to ground JVM dependency decisions in live Maven Central data. +Supports **Maven** (`pom.xml`) and **Gradle** (`build.gradle` / `build.gradle.kts`), single-module and **multi-module** projects. +Outputs a **Markdown table report** saved to the repo root as `dependency-audit-report.md`. + +This is an execution skill. Use Maven Tools MCP first for dependency facts, then do the reasoning in-model. Assume Maven Tools MCP is already configured; only discuss setup if the tools are unavailable. + +--- + +## When to Use + +Activate when the user asks about: + +- Java, Kotlin, Scala, or JVM dependencies +- Maven, Gradle, `pom.xml`, `build.gradle`, or `build.gradle.kts` +- latest versions, upgrades, CVEs, licenses, dependency age, or release history +- whether a dependency is safe, current, stale, or worth upgrading +- multi-module projects where each submodule may have its own dependency set + +--- + +## Build File Detection + +Before running any MCP tools, identify all build files in the repository: + +### Maven +``` +pom.xml ← root / single-module +module-a/pom.xml ← submodule +module-b/pom.xml ← submodule +``` + +### Gradle +``` +build.gradle or build.gradle.kts ← root / single-module +module-a/build.gradle(.kts) ← submodule +module-b/build.gradle(.kts) ← submodule +settings.gradle or settings.gradle.kts ← lists all included submodules +``` + +**Multi-module detection rule:** +- Maven: root `pom.xml` contains a `` block → each listed path has its own `pom.xml`. +- Gradle: `settings.gradle` contains `include(...)` directives → each path has its own `build.gradle(.kts)`. + +Always scan **every** module's build file. Do not stop at the root. + +--- + +## Dependency Extraction by Build System + +### Maven — from `pom.xml` +Extract all `` entries under `` and managed versions from ``. + +Normalize each to: `groupId:artifactId:version` + +### Gradle — from `build.gradle` or `build.gradle.kts` + +**Groovy DSL** (`build.gradle`): +```groovy +dependencies { + implementation 'com.google.guava:guava:32.1.3-jre' + testImplementation 'org.junit.jupiter:junit-jupiter:5.10.1' +} +``` + +**Kotlin DSL** (`build.gradle.kts`): +```kotlin +dependencies { + implementation("com.google.guava:guava:32.1.3-jre") + testImplementation("org.junit.jupiter:junit-jupiter:5.10.1") +} +``` + +Normalize each to: `groupId:artifactId:version` + +**Version catalog** (`gradle/libs.versions.toml` — if present): +```toml +[versions] +guava = "32.1.3-jre" + +[libraries] +guava = { module = "com.google.guava:guava", version.ref = "guava" } +``` +Resolve all `version.ref` references before building the dependency list. + +**BOM imports** (`platform(...)` in Gradle, `import` in Maven): +Record the BOM coordinate and version. Treat BOM-managed versions as the effective version for child dependencies unless overridden. + +--- + +## Core Boundary + +Use Maven Tools MCP for version, security, license, freshness, and release-pattern facts from Maven Central. + +- Do the reasoning in-model: recommend next steps, call out risk, and separate safe-now actions from manual-review items. +- Normalize dependency inputs to `groupId:artifactId` or `groupId:artifactId:version` as needed. +- For recommendation questions, evaluate concrete candidates with Maven Tools first, then add documentation context before making a strong call. +- Do not use Maven metadata alone to decide library popularity, framework fit, migration effort, or performance tradeoffs. + +--- + +## Tool Selection + +Choose the narrowest tool that matches the request: + +| Intent | Tool | Default Parameters | +|--------|------|--------------------| +| Latest version lookup | `get_latest_version` | `stabilityFilter: PREFER_STABLE` | +| Check exact version | `check_version_exists` | none | +| Bulk candidate check (no current versions) | `check_multiple_dependencies` | `stabilityFilter: PREFER_STABLE` | +| Upgrade analysis (with current versions) | `compare_dependency_versions` | `includeSecurityScan: true`, `stabilityFilter: STABLE_ONLY` | +| Age / freshness | `analyze_dependency_age` | use project-appropriate threshold | +| Maintenance signal | `analyze_release_patterns` | `monthsToAnalyze: 24` | +| Release history | `get_version_timeline` | `versionCount: 20` | +| Full project audit | `analyze_project_health` | `includeSecurityScan: true`, `includeLicenseScan: true`, `stabilityFilter: PREFER_STABLE` | + +Default to `analyze_project_health` when the user says "check my dependencies" or pastes a project dependency set. + +Use `check_multiple_dependencies` for candidate sets without current versions. +Use `compare_dependency_versions` for upgrade decisions on current versions. +Use `analyze_project_health` for broad audits, not every single dependency question. + +--- + +## Workflow + +### Step 1 — Discover all modules + +``` +repo/ +├── pom.xml or settings.gradle(.kts) ← root +├── module-a/pom.xml or build.gradle(.kts) +├── module-b/pom.xml or build.gradle(.kts) +└── module-c/pom.xml or build.gradle(.kts) +``` + +List every module. For single-module projects, the list has one entry. + +### Step 2 — Extract dependencies per module + +For each module, produce a list: `groupId:artifactId:version`, tagged with scope +(`compile`, `runtime`, `test`, `provided` for Maven; `implementation`, `testImplementation`, `compileOnly`, etc. for Gradle). + +### Step 3 — Run MCP tools + +- Use `analyze_project_health` per module for a full audit. +- Use `compare_dependency_versions` when the user asks about specific upgrade decisions. +- Aggregate results across all modules — deduplicate same coordinates that appear in multiple modules. + +### Step 4 — Interpret results conservatively + +- Patch and minor updates → safe now. +- Major updates → manual review unless user explicitly wants breaking upgrades. +- When `compare_dependency_versions` returns `same_major_stable_fallback`: + - Surface both the major upgrade path and the fallback. + - Recommend the fallback first for conservative maintenance. + +### Step 5 — Write `dependency-audit-report.md` to the repo root + +See **Report Format** section below. + +--- + +## Report Format + +Save the report as `dependency-audit-report.md` at the repository root. + +````markdown +# Dependency Audit Report + +**Project:** {project-name} +**Build System:** Maven | Gradle (Groovy) | Gradle (Kotlin DSL) +**Modules Scanned:** {N} +**Date:** {YYYY-MM-DD} +**Total Unique Dependencies:** {count} + +--- + +## Security Issues + +| Module | Dependency | Current Version | CVE | Severity | Fixed In | Action | +|--------|-----------|----------------|-----|----------|----------|--------| +| module-a | log4j-core | 2.14.0 | CVE-2021-44228 | 🔴 Critical | 2.17.1 | Update immediately | +| root | jackson-databind | 2.13.0 | CVE-2022-42003 | 🟠 High | 2.14.0 | Update within days | + +--- + +## Outdated Dependencies + +### 🔴 Major Updates — Manual Review Required + +| Module | Dependency | Current | Latest | Notes | +|--------|-----------|---------|--------|-------| +| module-b | slf4j-api | 1.7.36 | 2.0.9 | Breaking API changes; see migration guide | + +### 🟡 Minor Updates — Safe with Testing + +| Module | Dependency | Current | Latest | +|--------|-----------|---------|--------| +| root | junit-jupiter | 5.9.0 | 5.10.1 | +| module-a | guava | 32.0.1 | 32.1.3 | + +### 🟢 Patch Updates — Safe + +| Module | Dependency | Current | Latest | +|--------|-----------|---------|--------| +| module-c | commons-lang3 | 3.12.0 | 3.13.0 | + +--- + +## Version Conflicts (Multi-Module) + +| Dependency | Versions Found | Modules | Resolution | +|-----------|---------------|---------|-----------| +| slf4j-api | 1.7.36, 2.0.9 | root, module-a | Pin to 2.0.9 in BOM / `dependencyManagement` | + +--- + +## Unused / Undeclared Dependencies + +| Module | Dependency | Issue | +|--------|-----------|-------| +| module-b | commons-io:2.11.0 | Declared but unused — consider removing | +| module-a | slf4j-api | Used but undeclared (transitive only) | + +--- + +## Stale / Unmaintained Dependencies + +| Module | Dependency | Current | Last Release | Months Since Release | Risk | +|--------|-----------|---------|-------------|---------------------|------| +| root | some-lib | 1.2.0 | 2021-03-01 | 38 | 🔴 High — no recent activity | + +--- + +## License Risks + +| Module | Dependency | Version | License | Risk | +|--------|-----------|---------|---------|------| +| module-c | some-gpl-lib | 2.0.0 | GPL-3.0 | 🔴 Review for distribution | + +--- + +## Summary & Recommendations + +| Priority | Action | Affected Modules | +|----------|--------|-----------------| +| 🔴 Immediate | Fix CVE-2021-44228 in log4j-core → 2.17.1 | module-a | +| 🔴 Immediate | Fix CVE-2022-42003 in jackson-databind → 2.14.0 | root | +| 🟡 This sprint | Apply minor/patch updates | root, module-a, module-c | +| 🟡 This sprint | Resolve slf4j version conflict | root, module-a | +| ⬜ Plan | Evaluate slf4j 2.x migration | module-b | +| ⬜ Plan | Remove unused commons-io | module-b | +```` + +**Severity legend used in all tables:** + +| Symbol | Meaning | +|--------|---------| +| 🔴 | Critical / High — act immediately or within days | +| 🟠 | High | +| 🟡 | Medium / minor — act this sprint | +| 🟢 | Low / patch — safe, act at convenience | +| ⬜ | Informational / planned | + +--- + +## Documentation Handoff + +When the answer needs migration guides, API details, or library usage patterns, add documentation context before giving a strong recommendation. + +Use this order: + +1. Maven Tools MCP first for dependency facts +2. Raw Context7 tools if available in the current tool list +3. Standalone Context7 tools if available +4. `WebSearch` and `WebFetch` for official docs, release notes, and migration guides +5. If no documentation path is available, say dependency facts are available but deeper doc lookup is not + +Use especially for: major upgrades, migration planning, recommendation-style comparisons between candidate libraries. + +--- + +## Less Helpful / Out of Scope + +- Private artifact repositories not mirrored through Maven Central +- Non-JVM ecosystems not using Maven coordinates +- Trivial one-off lookups where the exact dependency and decision are already obvious +- Recommendation questions driven mostly by ecosystem adoption or benchmarks unless docs and broader research are also added + +--- + +## Setup Assumption + +Assume Maven Tools MCP is already configured. + +- `arvindand/maven-tools-mcp:latest` — when raw Context7 tools should be exposed through the same server +- `arvindand/maven-tools-mcp:latest-noc7` — when documentation is handled separately + +Only discuss installation when the tools are unavailable. + +--- + +## Recovery + +| Issue | Action | +|-------|--------| +| MCP tools unavailable | Tell the user Maven Tools MCP is not configured and point them to . Mention `:latest` or `:latest-noc7`. | +| Gradle version catalog not resolved | Parse `gradle/libs.versions.toml` and resolve `version.ref` before proceeding. | +| BOM-managed version missing | Note the BOM coordinate; use the BOM's managed version as the effective version. | +| Dependency not found on Maven Central | Verify `groupId:artifactId` format. Note if the artifact appears to be internal/private. | +| Raw Context7 tools unavailable | Use standalone Context7 tools if available; otherwise fall back to `WebSearch` and `WebFetch`. | +| No documentation path available | Say dependency facts are available but deeper migration or API docs are not available in the current environment. | +| Security scan incomplete or slow | Use the partial result, say CVE data may be incomplete, and continue with version/maintenance guidance. | +| Version type unclear | Treat it as unstable and prefer a known stable release. | +| Multi-module — some modules have no dependencies | Include them in the report with a "No dependencies declared" note. | + +--- + +> **License:** MIT +> **Requires:** [Maven Tools MCP server](https://github.com/arvindand/maven-tools-mcp) +> **Pairs with:** [context7 skill](../context7/) or standalone Context7 tools for documentation-heavy follow-up diff --git a/optimized_jvm_dependency_audit_skill.md b/optimized_jvm_dependency_audit_skill.md new file mode 100644 index 0000000..4ac8827 --- /dev/null +++ b/optimized_jvm_dependency_audit_skill.md @@ -0,0 +1,185 @@ +# JVM Dependency Audit Skill (Optimized) + +--- +name: jvm-dependency-audit + +description: > + Audit Maven and Gradle dependencies for outdated versions, + vulnerabilities, and dependency health. Supports single-module + and multi-module JVM repositories. + +allowed-tools: + - mcp__maven-tools__* + - mcp__context7__* + - WebSearch + - WebFetch +--- + +# Purpose + +Use when the user asks to: +- audit dependencies +- check outdated dependencies +- review pom.xml or build.gradle +- check dependency vulnerabilities +- validate dependency health before release + +Outputs: +- dependency-audit-report.md + +--- + +# Phase 1 — Detect Build System + +## Maven + +Find all pom.xml files. + +Multi-module Maven projects: +- root pom contains +- each module has its own pom.xml + +## Gradle + +Find: +- settings.gradle / settings.gradle.kts +- build.gradle / build.gradle.kts + +Use settings.gradle(.kts) as the canonical module list. + +If gradle/libs.versions.toml exists: +- resolve all version.ref entries +- use resolved versions during extraction + +--- + +# Phase 2 — Extract Dependencies + +Normalize all dependencies into: + +groupId | artifactId | version | scope | module | dependencyType + +Where: +- Direct = declared in module build file +- Transitive = resolved through another dependency + +## Maven Rules + +- extract all dependencies from pom.xml +- resolve dependencyManagement overrides +- resolve BOM-managed versions +- use effective resolved versions + +## Gradle Rules + +Support: +- Groovy DSL +- Kotlin DSL +- Version catalogs +- platform/BOM imports + +Use effective resolved versions after BOM resolution. + +--- + +# Phase 3 — Analyze Dependency Health + +Preferred tool: +- analyze_project_health + +Default settings: +- includeSecurityScan: true +- includeLicenseScan: true +- stabilityFilter: PREFER_STABLE + +Additional tools when needed: +- compare_dependency_versions +- check_multiple_dependencies +- get_latest_version +- analyze_dependency_age +- analyze_release_patterns + +Rules: +- prefer stable versions +- recommend patch/minor upgrades first +- flag major upgrades separately +- use lowest secure upgrade version +- keep separate rows per module + +--- + +# Phase 4 — Generate Report + +Write: +- dependency-audit-report.md + +The report contains exactly two tables. + +--- + +# Table 1 — All Dependencies + +| Module | Group ID | Artifact ID | Version | Direct / Transitive | +|---|---|---|---|---| + +Rules: +- use effective resolved version +- sort by: + 1. module + 2. direct before transitive + 3. groupId alphabetically + +--- + +# Table 2 — Vulnerable Dependencies + +| Module | Group ID | Artifact ID | Current Version | Direct / Transitive | Severity | CVE Count | Upgrade To | +|---|---|---|---|---|---|---|---| + +Severity mapping: +- 🔴 Critical = 9.0–10 +- 🟠 High = 7.0–8.9 +- 🟡 Medium = 4.0–6.9 +- 🟢 Low = 0.1–3.9 + +Rules: +- include only vulnerable dependencies +- use lowest stable fixed version +- if no fix exists: + - Upgrade To = No fix available + +If none exist: +- _No vulnerable dependencies detected._ + +--- + +# Special Handling + +## BOM-managed dependencies + +Use BOM-managed versions as effective versions. + +## Multi-module projects + +Keep separate rows per module. +Do not collapse duplicates. + +## Empty modules + +If a module has no dependencies: + +| Module | Group ID | Artifact ID | Version | Direct / Transitive | +|---|---|---|---|---| +| module-name | | | | No dependencies declared | + +--- + +# Output Requirements + +- deterministic output +- no extra prose +- no summaries outside report +- no markdown explanations outside required tables +- always use effective resolved versions +- prefer stable upgrade recommendations +