Summary
Add local vulnerability scanning capabilities for developer use. Two tools evaluated:
- osv-scanner (Go binary) - multi-language, used in CI
- pip-audit (Python/uvx) - Python-only, more accurate for unpinned deps
Tasks
- Add osv-scanner local scan script to scripts/
- Add pip-audit script for local scanning
- Add both tools to smartem-workspace dev dependencies
- Compare both tools and assess if we want both or just one of them
Context
Scripts already drafted and tested against FragmentScreen repos. See scan results below.
OSV Scanner Results (click to expand)
OSV Scanner Results - FragmentScreen Repos
Scan date: 2026-01-30T19:50:00+00:00
Scanner version: osv-scanner version: 1.9.2
Purpose: Pre-PR vulnerability assessment for OSV Scanner rollout to FragmentScreen repos
Summary
| Repo | Status | Vulnerabilities | Highest CVSS |
|---|---|---|---|
| fandanGO-aria | Vulns found | 7 | 8.8 |
| fandanGO-core | Clean | 0 | - |
| fandanGO-cryoem-cnb | Vulns found | 2 | 9.8 |
| fandanGO-nmr-cerm | Clean | 0 | - |
| fandanGO-nmr-guf | Vulns found | 3 | 8.2 |
| ddapi-record-logs | Clean | 0 | - |
| ddapi-record-oscem | Clean | 0 | - |
Detailed Findings
fandanGO-aria
Status: Vulnerabilities found
+-------------------------------------+------+-----------+--------------+---------+------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+-------------------------------------+------+-----------+--------------+---------+------------------+
| https://osv.dev/PYSEC-2024-225 | 7.5 | PyPI | cryptography | 42.0.2 | requirements.txt |
| https://osv.dev/GHSA-6vqw-3v5j-54x4 | | | | | |
| https://osv.dev/GHSA-79v4-65xg-pq4g | | PyPI | cryptography | 42.0.2 | requirements.txt |
| https://osv.dev/GHSA-h4gh-qq45-vh27 | | PyPI | cryptography | 42.0.2 | requirements.txt |
| https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.31.0 | requirements.txt |
| https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.31.0 | requirements.txt |
| https://osv.dev/PYSEC-2025-49 | 8.8 | PyPI | setuptools | 68.2.2 | requirements.txt |
| https://osv.dev/GHSA-5rjg-fvgr-3xxf | | | | | |
| https://osv.dev/GHSA-cx63-2mw6-8hw5 | 8.8 | PyPI | setuptools | 68.2.2 | requirements.txt |
+-------------------------------------+------+-----------+--------------+---------+------------------+
fandanGO-cryoem-cnb
Status: Vulnerabilities found (unpinned deps - version 0.0.0)
| Package | Version | ID | CVSS |
|---|---|---|---|
| pyyaml | 0.0.0 | PYSEC-2021-142 | 9.8 |
| pyyaml | 0.0.0 | PYSEC-2018-49 | 9.8 |
fandanGO-nmr-guf
Status: Vulnerabilities found (unpinned deps - version 0.0.0)
| Package | Version | ID | CVSS |
|---|---|---|---|
| openpyxl | 0.0.0 | PYSEC-2017-48 | 8.2 |
| pandas | 0.0.0 | PYSEC-2020-73 | - |
pip-audit Results (click to expand)
pip-audit Scanner Results - FragmentScreen Repos
Scan date: 2026-01-30T20:15:00+00:00
Scanner: pip-audit (via uvx)
Note: pip-audit only scans Python dependencies (requirements.txt). PHP repos are skipped.
Summary
| Repo | Status | Vulnerabilities | Packages Affected |
|---|---|---|---|
| fandanGO-aria | Vulns found | 7 | 3 |
| fandanGO-core | Clean | 0 | 0 |
| fandanGO-cryoem-cnb | Clean | 0 | 0 |
| fandanGO-nmr-cerm | Clean | 0 | 0 |
| fandanGO-nmr-guf | Clean | 0 | 0 |
| ddapi-record-logs | Skipped | - | - (PHP) |
| ddapi-record-oscem | Skipped | - | - (PHP) |
Detailed Findings
fandanGO-aria
Status: 7 vulnerabilities found in 3 packages
Name Version ID Fix Versions
------------ ------- ------------------- ------------
requests 2.31.0 CVE-2024-35195 2.32.0
requests 2.31.0 CVE-2024-47081 2.32.4
cryptography 42.0.2 PYSEC-2024-225 42.0.4
cryptography 42.0.2 GHSA-h4gh-qq45-vh27 43.0.1
cryptography 42.0.2 CVE-2024-12797 44.0.1
setuptools 68.2.2 PYSEC-2025-49 78.1.1
setuptools 68.2.2 CVE-2024-6345 70.0.0
Tool Comparison (click to expand)
Vulnerability Scanner Comparison: osv-scanner vs pip-audit
Results Comparison
| Repo | osv-scanner | pip-audit | Match? |
|---|---|---|---|
| fandanGO-aria | 7 vulns | 7 vulns | Yes |
| fandanGO-core | Clean | Clean | Yes |
| fandanGO-cryoem-cnb | 2 vulns | Clean | No |
| fandanGO-nmr-cerm | Clean | Clean | Yes |
| fandanGO-nmr-guf | 3 vulns | Clean | No |
| ddapi-record-logs | Clean | Skipped (PHP) | N/A |
| ddapi-record-oscem | Clean | Skipped (PHP) | N/A |
Analysis of Differences
osv-scanner found vulnerabilities in fandanGO-cryoem-cnb and fandanGO-nmr-guf; pip-audit did not.
Root cause: Unpinned dependencies in requirements.txt
osv-scanner saw version 0.0.0 for unpinned packages and flagged historical vulnerabilities.
pip-audit resolves the actual versions that would be installed today, which are patched.
Verdict: pip-audit is more accurate for current risk. osv-scanner is stricter but flags false positives when deps are unpinned.
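Because the disagreement above comes entirely from how each tool treats entries in requirements.txt that carry no exact version, a local pre-scan that lists those entries tells a developer up front which osv-scanner findings to read as "historical advisory against 0.0.0" rather than current risk. The script below is an added example, not part of this issue or of either scanner; it parses the requirements.txt syntax with the standard library only and assumes (as the results above document for fully unpinned entries) that anything without an exact `==` pin is what osv-scanner cannot resolve to a real version. The sample file is constructed to mirror the pinned (fandanGO-aria) and unpinned (fandanGO-cryoem-cnb, fandanGO-nmr-guf) cases.

```python
"""List requirements.txt entries that osv-scanner will report as version 0.0.0.

Added example for this issue; it is not part of osv-scanner, pip-audit or the
repos being scanned. It runs offline and does not invoke either scanner.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Constructed sample file: exact pins as in fandanGO-aria, bare names as in
# fandanGO-cryoem-cnb / fandanGO-nmr-guf, plus a few other syntaxes pip accepts.
SAMPLE_REQUIREMENTS = """\
# pinned entries, as in fandanGO-aria
cryptography==42.0.2
requests==2.31.0
setuptools==68.2.2  # build backend
# unpinned entries, as in fandanGO-cryoem-cnb and fandanGO-nmr-guf
pyyaml
openpyxl
pandas>=1.5
numpy~=1.26.0 ; python_version < "3.13"
-r base.txt
"""

# name, optional [extras], then whatever specifier text follows
_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
# an exact pin: == or === followed by one concrete version (no wildcard, no list)
_EXACT = re.compile(r"^===?\s*[0-9][^,*\s]*$")


@dataclass(frozen=True)
class Pin:
    name: str        # normalised (lower-cased) distribution name
    specifier: str   # raw specifier text, "" when absent
    kind: str        # "exact", "range", "url" or "unpinned"


def classify_requirement(line: str) -> Pin | None:
    """Classify one requirements.txt line; None for blanks, comments and
    pip options such as -r / -e / --index-url."""
    text = line.split("#", 1)[0].strip()        # drop trailing comment
    if not text or text.startswith("-"):
        return None
    text = text.split(";", 1)[0].strip()        # drop environment marker
    m = _NAME.match(text)
    if not m:
        return None
    name, spec = m.group(1).lower(), m.group(3).strip()
    if not spec:
        return Pin(name, "", "unpinned")
    if spec.startswith("@"):                    # "name @ https://..." direct reference
        return Pin(name, spec, "url")
    if _EXACT.match(spec):
        return Pin(name, spec, "exact")
    return Pin(name, spec, "range")             # >=, ~=, !=, ==1.0.*, ranges, ...


def group_by_pin_kind(requirements_text: str) -> dict[str, list[str]]:
    """Group package names by pinning kind, preserving file order."""
    groups: dict[str, list[str]] = {"exact": [], "range": [], "url": [], "unpinned": []}
    for line in requirements_text.splitlines():
        pin = classify_requirement(line)
        if pin:
            groups[pin.kind].append(pin.name)
    return groups


def osv_zero_version_warnings(requirements_text: str) -> list[str]:
    """One warning per entry that osv-scanner cannot resolve to a concrete
    version. The scan results in this issue document the bare-name case as
    reported at 0.0.0; treating range specifiers the same way is an assumption."""
    groups = group_by_pin_kind(requirements_text)
    notes = [f"{n}: no version pin; osv-scanner reports 0.0.0 and matches historical advisories"
             for n in groups["unpinned"]]
    notes += [f"{n}: range specifier, not an exact pin; cross-check with pip-audit"
              for n in groups["range"]]
    return notes


if __name__ == "__main__":
    # usage: python check_pins.py [requirements.txt]; defaults to the sample above
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REQUIREMENTS
    for note in osv_zero_version_warnings(text):
        print(note)
```

Run against a repo's requirements.txt before the osv-scanner script: an empty warning list means any osv-scanner finding is against a real installed version and worth acting on; a non-empty one means the 0.0.0 rows should be confirmed with `uvx pip-audit`, which resolves what would actually be installed.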
Tool Comparison
| Feature | osv-scanner | pip-audit |
|---|---|---|
| Installation | Go binary | uvx pip-audit (no install) |
| Languages | Python, JS, Go, Rust, PHP, etc. | Python only |
| Database | OSV (Google) | OSV + PyPI Advisory |
| Unpinned deps | Reports as 0.0.0 (false positives) | Resolves actual versions |
| Fix versions | Not shown | Shows fix version |
| GitHub Action | Yes (osv-scanner-action) | Yes (pip-audit-action) |
Recommendations
- For CI (GitHub Actions): Keep osv-scanner - already configured, works across all languages
- For local Python scanning: Use `uvx pip-audit` - more accurate, shows fix versions, no installation needed