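#!/bin/bash
# Full dependency security scan for a Node.js project (npm / pnpm / yarn classic).
#
# Runs the package manager's vulnerability audit and its outdated check, prints
# a colourised summary with a simple 0-100 score, and exits non-zero when the
# findings exceed the configured threshold.
#
# Usage: run from the project root (the directory holding package.json and the
# lockfile). Requires `jq` and the detected package manager on PATH.
#
# Environment:
#   FAIL_ON  "critical" (default): exit 1 only on critical findings (the
#            original behaviour); "high": exit 1 on high OR critical findings.
#
# Exit status:
#   0  no findings above the FAIL_ON threshold
#   1  findings above the threshold
#   2  the scan itself could not run (missing tool, unparseable audit output)
#
# The distinction between 0 and 2 is the point of this script: an audit that
# could not run (offline registry, missing jq, auth failure) must never be
# reported as "0 vulnerabilities" — that would be a fail-open security gate.
set -euo pipefail

# ---------------------------------------------------------------------------
# Colours and output helpers
# ---------------------------------------------------------------------------
readonly RED='\033[0;31m'
readonly YELLOW='\033[1;33m'
readonly GREEN='\033[0;32m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'

# Print one line, expanding the colour escapes above (replaces `echo -e`).
say() { printf '%b\n' "$*"; }
# Diagnostics go to stderr so they never mix with anything a caller parses.
warn() { printf '%b\n' "$*" >&2; }
# Abort with exit 2: "the scan did not run", distinct from "findings exist".
die() { warn "${RED}FEHLER: $*${NC}"; exit 2; }

say "${BLUE}================================${NC}"
say "${BLUE}Dependency Security Scanner${NC}"
say "${BLUE}================================${NC}"
echo ""

# ---------------------------------------------------------------------------
# Preconditions — fail closed
# ---------------------------------------------------------------------------
# Every count below is produced by jq; without it the old script silently
# reported zero vulnerabilities and a perfect score.
command -v jq >/dev/null 2>&1 || die "'jq' wird benoetigt, ist aber nicht installiert"
[[ -f package.json ]] || die "Keine package.json im aktuellen Verzeichnis gefunden"

# Validate the exit policy up front so a typo does not surface only after a
# full (possibly slow) audit.
FAIL_ON="${FAIL_ON:-critical}"
case "$FAIL_ON" in
  critical|high) ;;
  *) die "Unbekannter Wert fuer FAIL_ON: '$FAIL_ON' (erlaubt: critical, high)" ;;
esac
readonly FAIL_ON

# Detect the package manager from the lockfile; npm is the fallback.
if [[ -f pnpm-lock.yaml ]]; then
  PKG_MANAGER="pnpm"
elif [[ -f yarn.lock ]]; then
  PKG_MANAGER="yarn"
else
  PKG_MANAGER="npm"
fi
readonly PKG_MANAGER
command -v "$PKG_MANAGER" >/dev/null 2>&1 \
  || die "Package Manager '$PKG_MANAGER' nicht gefunden"
echo "Package Manager: $PKG_MANAGER"
echo ""

# ---------------------------------------------------------------------------
# Temporary files — removed on every exit path via trap, not just the happy one
# ---------------------------------------------------------------------------
AUDIT_FILE=$(mktemp) || die "mktemp fehlgeschlagen"
OUTDATED_FILE=$(mktemp) || die "mktemp fehlgeschlagen"
ERR_FILE=$(mktemp) || die "mktemp fehlgeschlagen"
readonly AUDIT_FILE OUTDATED_FILE ERR_FILE
cleanup() { rm -f -- "$AUDIT_FILE" "$OUTDATED_FILE" "$ERR_FILE"; }
trap cleanup EXIT

# ---------------------------------------------------------------------------
# 1. Vulnerability audit
# ---------------------------------------------------------------------------
say "${YELLOW}[1/3] Pruefe Sicherheitsluecken...${NC}"

# All three managers exit non-zero when vulnerabilities exist, so the exit
# status cannot tell "audit failed" from "audit found something". The status
# is therefore ignored here and the JSON content is validated afterwards;
# stderr is kept in ERR_FILE and shown only if that validation fails.
case "$PKG_MANAGER" in
  npm|pnpm)
    # npm-compatible report: totals live under .metadata.vulnerabilities.
    "$PKG_MANAGER" audit --json >"$AUDIT_FILE" 2>"$ERR_FILE" || true
    ;;
  yarn)
    # yarn classic (v1) emits NDJSON, one object per line; the totals are in
    # the "auditSummary" record under .data.vulnerabilities. Reshape into the
    # npm layout so the parsing below is shared. If no summary record is
    # present, emit nothing so the fail-closed check below fires.
    # NOTE(review): Yarn Berry's `yarn npm audit --json` uses a different
    # format and is not handled here.
    yarn audit --json 2>"$ERR_FILE" \
      | jq -s 'map(select(.type == "auditSummary"))
               | if length == 0 then empty
                 else {metadata: {vulnerabilities: .[0].data.vulnerabilities}} end' \
      >"$AUDIT_FILE" || true
    ;;
esac

# Fail closed: an empty or non-JSON report means the audit did not run — it
# does not mean there is nothing to report.
if ! [[ -s "$AUDIT_FILE" ]] \
  || ! jq -e '.metadata.vulnerabilities | type == "object"' "$AUDIT_FILE" >/dev/null 2>&1; then
  if [[ -s "$ERR_FILE" ]]; then
    cat -- "$ERR_FILE" >&2
  fi
  die "'$PKG_MANAGER audit' lieferte keine auswertbare JSON-Ausgabe"
fi

# Missing severity keys count as 0; anything that is not a plain integer is
# rejected rather than fed into arithmetic.
read -r CRITICAL HIGH MODERATE LOW < <(
  jq -r '.metadata.vulnerabilities
         | [.critical, .high, .moderate, .low]
         | map(. // 0)
         | @tsv' "$AUDIT_FILE"
)
for n in "$CRITICAL" "$HIGH" "$MODERATE" "$LOW"; do
  [[ "$n" =~ ^[0-9]+$ ]] || die "Unerwarteter Wert im Audit-Report: '$n'"
done
TOTAL=$(( CRITICAL + HIGH + MODERATE + LOW ))
readonly CRITICAL HIGH MODERATE LOW TOTAL

echo ""
echo "Vulnerabilities gefunden:"
say "  ${RED}Critical: $CRITICAL${NC}"
say "  ${RED}High: $HIGH${NC}"
say "  ${YELLOW}Moderate: $MODERATE${NC}"
say "  Low: $LOW"
echo ""

# ---------------------------------------------------------------------------
# 2. Outdated check (informational — it does not affect the score or exit code)
# ---------------------------------------------------------------------------
say "${YELLOW}[2/3] Pruefe veraltete Pakete...${NC}"

# `outdated` also exits non-zero when something is outdated; ignore the status.
case "$PKG_MANAGER" in
  npm|pnpm)
    # Object keyed by package name with .current / .latest fields.
    "$PKG_MANAGER" outdated --json >"$OUTDATED_FILE" 2>/dev/null || true
    ;;
  yarn)
    # yarn classic prints NDJSON whose "table" record holds rows of
    # [name, current, wanted, latest, type, url]; reshape into the npm
    # object form {name: {current, latest}} used below.
    yarn outdated --json 2>/dev/null \
      | jq -s '[.[] | select(.type == "table") | .data.body[]
                | {key: .[0], value: {current: .[1], latest: .[3]}}]
               | from_entries' \
      >"$OUTDATED_FILE" || true
    ;;
esac

OUTDATED_COUNT=0
if [[ -s "$OUTDATED_FILE" ]]; then
  # Only accept an object; anything else is an unparseable report, which is
  # worth a warning but is not a reason to abort a vulnerability scan.
  if OUTDATED_COUNT=$(jq -e 'if type == "object" then length else error("not an object") end' \
      "$OUTDATED_FILE" 2>/dev/null); then
    echo "Veraltete Pakete: $OUTDATED_COUNT"
    if (( OUTDATED_COUNT > 0 )); then
      echo ""
      echo "Top 10 veraltete Pakete:"
      jq -r 'to_entries | .[:10][]
             | "  \(.key): \(.value.current // "?") -> \(.value.latest // "?")"' \
        "$OUTDATED_FILE" 2>/dev/null || true
    fi
  else
    OUTDATED_COUNT=0
    warn "${YELLOW}Warnung: '$PKG_MANAGER outdated' lieferte keine auswertbare Ausgabe${NC}"
  fi
else
  echo "Keine veralteten Pakete gefunden."
fi
readonly OUTDATED_COUNT
echo ""

# ---------------------------------------------------------------------------
# 3. Score
# ---------------------------------------------------------------------------
say "${YELLOW}[3/3] Berechne Security Score...${NC}"

# Weighted penalty per severity, floored at 0. The weights are a heuristic for
# a quick read of the summary, not a risk model.
SCORE=$(( 100 - CRITICAL * 25 - HIGH * 10 - MODERATE * 3 - LOW ))
if (( SCORE < 0 )); then
  SCORE=0
fi
readonly SCORE

echo ""
say "${BLUE}================================${NC}"
say "${BLUE}ERGEBNIS${NC}"
say "${BLUE}================================${NC}"
echo ""
if (( SCORE >= 90 )); then
  say "Security Score: ${GREEN}$SCORE/100${NC}"
elif (( SCORE >= 70 )); then
  say "Security Score: ${YELLOW}$SCORE/100${NC}"
else
  say "Security Score: ${RED}$SCORE/100${NC}"
fi
echo ""
echo "Zusammenfassung:"
echo "  Vulnerabilities: $TOTAL"
echo "  Veraltete Pakete: $OUTDATED_COUNT"

# ---------------------------------------------------------------------------
# Recommendations
# ---------------------------------------------------------------------------
echo ""
say "${BLUE}Empfehlungen:${NC}"
if (( CRITICAL > 0 || HIGH > 0 )); then
  # Each manager spells the remediation command differently; yarn classic has
  # no `audit fix` subcommand.
  case "$PKG_MANAGER" in
    npm)  FIX_CMD="npm audit fix" ;;
    pnpm) FIX_CMD="pnpm audit --fix" ;;
    yarn) FIX_CMD="yarn upgrade" ;;
  esac
  say "  ${RED}DRINGEND: Fuehre '$FIX_CMD' aus${NC}"
fi
if (( OUTDATED_COUNT > 10 )); then
  say "  ${YELLOW}Updates verfuegbar: '$PKG_MANAGER update'${NC}"
fi
if (( TOTAL == 0 && OUTDATED_COUNT < 5 )); then
  say "  ${GREEN}Alles in Ordnung! Dependencies sind sicher.${NC}"
fi

# ---------------------------------------------------------------------------
# Exit policy (temp files are removed by the EXIT trap)
# ---------------------------------------------------------------------------
FAILED=0
if (( CRITICAL > 0 )); then
  FAILED=1
elif [[ "$FAIL_ON" == "high" ]] && (( HIGH > 0 )); then
  FAILED=1
fi
exit "$FAILED"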