Simple Vulnerability Scanner

CarterPerez-dev edited this page Feb 11, 2026 · 1 revision

Go-based Python dependency security scanner that checks for outdated packages and known CVEs.

Overview

angela is a CLI tool that scans Python projects for outdated dependencies and known security vulnerabilities. It reads pyproject.toml or requirements.txt, checks PyPI for latest versions, queries OSV.dev for CVEs, and updates dependency files while preserving comments and formatting.

Status: Complete | Difficulty: Beginner

Tech Stack

| Technology | Version | Purpose |
| --- | --- | --- |
| Go | 1.24+ | Core language |
| Cobra | - | CLI framework |
| pelletier/go-toml | - | TOML parsing |
| PyPI Simple API | PEP 691 | Package metadata |
| OSV.dev API | - | Vulnerability database |

Features

Core Functionality

  • Scan pyproject.toml and requirements.txt for outdated dependencies
  • Query OSV.dev for known CVEs with severity levels (CRITICAL, HIGH, MODERATE, LOW)
  • Update dependency versions in-place, preserving comments and formatting
  • Dry-run mode to preview changes before applying
  • File-based caching with ETag support and TTL expiration
  • Concurrent workers with bounded concurrency via errgroup
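The in-place update in the list above is the part of a dependency updater that is easiest to get wrong: a rewrite that reflows the file loses the comments and pins that explain why a version was chosen. As an added example (not code from the angela project; the names Pin, ParsePins, UpdatePins and the sample requirements.txt are constructed for this page), the following Go program changes only the version token of exact `==` pins whose normalized name has a known newer version, and writes every other byte back unchanged. Range specifiers such as `>=`, pip options such as `-r`, and comment lines are never touched, because only an exact pin can be bumped to a known version without changing the meaning of the requirement.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// pinLine splits an exact pin into the pieces around the version so that
// everything else (indentation, extras, spacing around "==", environment
// markers, inline comments) is written back byte for byte.
// Groups: indent, name, extras, "==" with spacing, version, trailing text.
var pinLine = regexp.MustCompile(`^(\s*)([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?(\s*==\s*)([A-Za-z0-9.!+_-]+)(.*)$`)

var nameSep = regexp.MustCompile(`[-_.]+`)

// NormalizeName applies PEP 503 normalization, so "PyYAML", "pyyaml" and
// "Py_YAML" all refer to the same project when matched against PyPI or OSV.
func NormalizeName(name string) string {
	return strings.ToLower(nameSep.ReplaceAllString(name, "-"))
}

// Pin is one exact requirement found in the file.
type Pin struct {
	Name    string // normalized
	Version string
	Line    int // 1-based, for reporting
}

// ParsePins returns the exact pins in a requirements file. Comment lines, blank
// lines, pip options (-r, --index-url) and range specifiers (>=) never match
// pinLine, because a pin has to start with a project name and contain "==".
func ParsePins(content string) []Pin {
	var pins []Pin
	for i, line := range strings.Split(content, "\n") {
		if m := pinLine.FindStringSubmatch(line); m != nil {
			pins = append(pins, Pin{Name: NormalizeName(m[2]), Version: m[5], Line: i + 1})
		}
	}
	return pins
}

// UpdatePins replaces the version token of every pin whose normalized name is
// in updates and returns the rewritten file plus a change log. Lines that are
// not exact pins, and pins already at the target version, pass through untouched.
func UpdatePins(content string, updates map[string]string) (string, []string) {
	lines := strings.Split(content, "\n")
	var changes []string
	for i, line := range lines {
		m := pinLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		target, ok := updates[NormalizeName(m[2])]
		if !ok || target == m[5] {
			continue
		}
		lines[i] = m[1] + m[2] + m[3] + m[4] + target + m[6]
		changes = append(changes, fmt.Sprintf("line %d: %s %s -> %s", i+1, m[2], m[5], target))
	}
	return strings.Join(lines, "\n"), changes
}

// SampleRequirements is a constructed requirements.txt, not the project's testdata.
const SampleRequirements = `# web stack
requests==2.25.0      # HTTP client
Flask[async]==2.0.1 ; python_version >= "3.8"
PyYAML == 5.3.1  # spaces around == are kept
cryptography>=3.0     # range specifier, not an exact pin: left alone
-r dev-requirements.txt
`

func main() {
	// Constructed "latest" versions, standing in for a PyPI lookup.
	updates := map[string]string{"requests": "2.31.0", "flask": "2.3.3", "pyyaml": "6.0.1"}
	out, changes := UpdatePins(SampleRequirements, updates)
	for _, c := range changes {
		fmt.Println(c)
	}
	fmt.Print(out)
}
```

Running it prints three change lines and then the file with only the three version tokens replaced; the Flask environment marker, the extra spaces around the PyYAML pin and the cryptography range line come back exactly as they went in. A dry-run mode like the check command in the table below is the same function with the change log shown and the rewritten content discarded.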

Commands

| Command | Description |
| --- | --- |
| scan | Check for outdated packages and vulnerabilities |
| check | Dry run — show what would change |
| update | Update dependency versions in-place |
| update --vulns | Update and scan for vulnerabilities |
| cache clear | Clear the local cache |

Security Relevance

  • Supply chain attacks (PyTorch torchtriton compromise, 2022)
  • Dependency confusion and typosquatting
  • CVE tracking across transitive dependencies
  • PEP 440 version parsing for accurate resolution
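The last bullet matters more than it looks: a scanner that compares version strings lexically reports 1.9.0 as newer than 1.10.0, and one that takes the highest entry in a PyPI release list without understanding pre-releases will recommend 2.32.0rc1 over 2.31.0. The Go program below is an added example for this page, not the project's version.go; the names Version, Parse, Compare and Latest and the sample release list are constructed here. It parses the normalized PEP 440 form that PyPI serves (epoch, release, aN/bN/rcN, .postN, .devN and a local segment) and orders versions exactly as PEP 440 specifies, including the corners that string comparison gets wrong: 1.0 equals 1.0.0, 1.0.dev1 sorts below 1.0a1, and 1.0.post1 sorts above 1.0 but below 1.0.1. The permissive legacy spellings in PEP 440 appendix B (for example 1.0-1 or 1.0alpha) are deliberately rejected rather than guessed at.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Version is a parsed PEP 440 public version; Pre, Post and Dev are -1 when absent.
type Version struct {
	Epoch   int
	Release []int
	PreKind string // "a", "b", "rc", or "" for a final release
	Pre     int
	Post    int
	Dev     int
}

// pep440 matches the normalized form PyPI serves: [N!]N(.N)*[{a|b|rc}N][.postN][.devN][+local].
// The local segment ("+cpu") is accepted but, as PEP 440 requires, ignored for ordering.
var pep440 = regexp.MustCompile(`^(?:(\d+)!)?(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?` +
	`(?:\.post(\d+))?(?:\.dev(\d+))?(?:\+[a-z0-9]+(?:\.[a-z0-9]+)*)?$`)

func atoi(s string) int { n, _ := strconv.Atoi(s); return n } // "" -> 0
func opt(s string) int {                                       // optional segment: "" -> -1
	if s == "" {
		return -1
	}
	return atoi(s)
}

// Parse is case-insensitive and tolerates surrounding whitespace.
func Parse(s string) (Version, error) {
	m := pep440.FindStringSubmatch(strings.ToLower(strings.TrimSpace(s)))
	if m == nil {
		return Version{}, fmt.Errorf("not a PEP 440 version: %q", s)
	}
	v := Version{Epoch: atoi(m[1]), PreKind: m[3], Pre: opt(m[4]), Post: opt(m[5]), Dev: opt(m[6])}
	for _, part := range strings.Split(m[2], ".") {
		v.Release = append(v.Release, atoi(part))
	}
	return v, nil
}

// key flattens a version into an integer tuple that sorts as PEP 440 orders:
// epoch, release zero-padded to n components (so 1.0 == 1.0.0), pre-release rank
// (bare dev 0 < a 1 < b 2 < rc 3 < final 4) and number, post (absent -1 sorts
// first), dev (absent sorts after any dev number).
func key(v Version, n int) []int {
	k := append([]int{v.Epoch}, v.Release...)
	for len(k) <= n {
		k = append(k, 0)
	}
	rank, num, dev := 4, 0, 1<<30
	if v.PreKind != "" {
		rank, num = map[string]int{"a": 1, "b": 2, "rc": 3}[v.PreKind], v.Pre
	} else if v.Post < 0 && v.Dev >= 0 {
		rank = 0
	}
	if v.Dev >= 0 {
		dev = v.Dev
	}
	return append(k, rank, num, v.Post, dev)
}

// Compare returns -1, 0 or 1.
func Compare(a, b Version) int {
	n := len(a.Release)
	if len(b.Release) > n {
		n = len(b.Release)
	}
	ka, kb := key(a, n), key(b, n)
	for i := range ka {
		if ka[i] < kb[i] {
			return -1
		} else if ka[i] > kb[i] {
			return 1
		}
	}
	return 0
}

// Latest returns the highest version in a PyPI release list. Pre and dev releases
// are skipped unless allowPre, and strings that are not PEP 440 are skipped too,
// so an rc or a legacy version string never shadows the real latest stable release.
func Latest(candidates []string, allowPre bool) string {
	best, bestV := "", Version{}
	for _, c := range candidates {
		v, err := Parse(c)
		if err != nil || (!allowPre && (v.PreKind != "" || v.Dev >= 0)) {
			continue
		}
		if best == "" || Compare(v, bestV) > 0 {
			best, bestV = c, v
		}
	}
	return best
}

func main() {
	// Constructed release list: the rc and the malformed string must both be skipped.
	latest := Latest([]string{"2.32.0rc1", "2.31.0", "2.30.0", "2019.1.bogus"}, false)
	fmt.Println("latest stable release:", latest)
}
```

An "outdated" check is then Compare(pinned, latest) < 0 with both sides parsed by Parse. Skipping unparsable strings in Latest is a deliberate choice: treating them as newest would make a single malformed release on PyPI look like an available upgrade for every project that depends on the package.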

Architecture

cmd/angela/main.go (Entry point)
    ↓
internal/cli/ (Cobra commands + output formatting)
    ↓
┌──────────────┬──────────────┬──────────────┐
│  pypi/       │  osv/        │  pyproject/  │
│  PyPI Simple │  OSV.dev     │  TOML parser │
│  API client  │  batch CVE   │  + writer    │
│  + cache     │  queries     │  (preserves  │
│  (ETag/TTL)  │              │  comments)   │
├──────────────┼──────────────┼──────────────┤
│  version.go  │  client.go   │  parser.go   │
│  PEP 440     │              │  writer.go   │
│  parser      │              │              │
└──────────────┴──────────────┴──────────────┘
    ↓
internal/ui/ (Terminal colors and spinners)
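The osv/ box in the diagram sends batch CVE queries. As an added illustration of what such a client has to get right (not the project's client.go; the Pin and Finding types, the QueryBatch function, the fake server and the placeholder vulnerability id are constructed for this page), the Go program below posts every pinned dependency to OSV's POST /v1/querybatch endpoint in one request, following the request and response shapes from OSV's public API documentation, and maps the results back to the pins that produced them. Two checks carry the security weight: a non-200 response is an error rather than an empty result, so a rate limit or outage can never read as "no known vulnerabilities", and a result count that does not match the query count aborts the scan, because OSV correlates results to queries by position and a mismatch would attribute findings to the wrong package.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Pin is a resolved dependency to check; Name should already be PEP 503 normalized.
type Pin struct{ Name, Version string }

// Wire format of OSV's POST /v1/querybatch. The batch response carries only
// vulnerability ids (plus a modified timestamp, omitted here); severity and
// affected ranges need a follow-up GET /v1/vulns/{id} per finding.
type (
	osvPackage struct {
		Name      string `json:"name"`
		Ecosystem string `json:"ecosystem"`
	}
	osvQuery struct {
		Version string     `json:"version"`
		Package osvPackage `json:"package"`
	}
	batchRequest  struct{ Queries []osvQuery `json:"queries"` }
	vulnRef       struct{ ID string `json:"id"` }
	batchResult   struct{ Vulns []vulnRef `json:"vulns"` }
	batchResponse struct{ Results []batchResult `json:"results"` }
)

// Finding ties a vulnerability id back to the pin that matched it.
type Finding struct {
	Pin    Pin
	VulnID string
}

// QueryBatch checks every pin in one request. OSV answers in query order, so
// results[i] belongs to pins[i]; on a length mismatch that mapping is unsafe,
// and the function returns an error rather than misattributing findings.
func QueryBatch(client *http.Client, endpoint string, pins []Pin) ([]Finding, error) {
	var req batchRequest
	for _, p := range pins {
		req.Queries = append(req.Queries, osvQuery{p.Version, osvPackage{p.Name, "PyPI"}})
	}
	body, _ := json.Marshal(req) // plain structs and strings: cannot fail
	resp, err := client.Post(endpoint, "application/json", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // a 429 or 5xx must never read as "no vulns"
		return nil, fmt.Errorf("osv: unexpected status %s", resp.Status)
	}
	var out batchResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, err
	}
	if len(out.Results) != len(pins) {
		return nil, fmt.Errorf("osv: %d results for %d queries", len(out.Results), len(pins))
	}
	var findings []Finding
	for i, r := range out.Results {
		for _, v := range r.Vulns {
			findings = append(findings, Finding{Pin: pins[i], VulnID: v.ID})
		}
	}
	return findings, nil
}

// fakeOSV is a constructed stand-in for api.osv.dev so the example runs
// offline. It flags one constructed pin with a placeholder id, not a real advisory.
func fakeOSV() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in batchRequest
		if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		out := batchResponse{Results: make([]batchResult, len(in.Queries))}
		for i, q := range in.Queries {
			if q.Package.Name == "requests" && q.Version == "2.25.0" {
				out.Results[i].Vulns = []vulnRef{{ID: "GHSA-PLACEHOLDER-0000"}}
			}
		}
		json.NewEncoder(w).Encode(out)
	}))
}

func main() {
	srv := fakeOSV()
	defer srv.Close()
	pins := []Pin{{"requests", "2.25.0"}, {"flask", "2.3.3"}, {"pyyaml", "6.0.1"}} // constructed
	findings, err := QueryBatch(srv.Client(), srv.URL+"/v1/querybatch", pins)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s==%s is affected by %s\n", f.Pin.Name, f.Pin.Version, f.VulnID)
	}
}
```

Against the real service the endpoint is https://api.osv.dev/v1/querybatch and the client should carry a timeout. The batch endpoint only identifies which advisories apply; the severity labels the Features list mentions come from the full advisory record, which is a second request per finding and a natural candidate for the ETag/TTL cache shown in the pypi/ box, since advisory records change far less often than scans run.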

Quick Start

cd PROJECTS/beginner/simple-vulnerability-scanner

# Install Go dependencies
go mod download

# Scan test data
go run ./cmd/angela scan --file testdata/pyproject.toml

# Check what would change (dry run)
go run ./cmd/angela check --file testdata/pyproject.toml

# Update dependencies
go run ./cmd/angela update --file testdata/pyproject.toml

# Update and scan for vulnerabilities
go run ./cmd/angela update --vulns --file testdata/pyproject.toml

Project Structure

simple-vulnerability-scanner/
├── cmd/angela/
│   └── main.go              # Entry point
├── internal/
│   ├── cli/                 # Cobra commands and output
│   │   ├── update.go
│   │   └── output.go
│   ├── pypi/                # PyPI API client
│   │   ├── client.go        # HTTP client with caching
│   │   ├── cache.go         # File-based cache (ETag)
│   │   └── version.go       # PEP 440 version parser
│   ├── osv/                 # Vulnerability scanner
│   │   └── client.go        # Batch CVE queries
│   ├── pyproject/           # TOML parser/writer
│   ├── requirements/        # requirements.txt parser
│   ├── config/              # Configuration loader
│   └── ui/                  # Terminal colors/spinners
├── pkg/types/               # Shared type definitions
├── testdata/                # Sample files
├── Justfile
└── .golangci.yml

Development

# Run tests
go test ./...

# Lint
golangci-lint run

# Build
go build -o angela ./cmd/angela
