Software & Data Integrity Failures

Supply-chain risk: dependency confusion, slopsquatting (typosquats of trendy AI / ML packages), lifecycle-script abuse in transitive deps, unpinned versions in lockless ecosystems.

What Vulkro detects

Vulkro matches every direct and transitive dependency against the local CVE bundle (OSV + NVD + KEV + EPSS) and runs the package_risk + slopsquat_known heuristics over the dependency graph. P2.2 will additionally downgrade findings whose vulnerable functions are not reachable from any handler.

Non-compliant code (examples)

package.json — unpinned and untyped slopsquat-bait

{
  "dependencies": {
    "left-pad-utility": "latest",
    "langchain-helpers": "^0.0.1"
  }
}

Compliant code (examples)

package.json — pinned, lockfile-tracked, audited

{
  "dependencies": {
    "left-pad": "1.3.0",
    "langchain": "0.0.214"
  }
}
# Plus: commit package-lock.json, run `vulkro match-cve --sbom`
# on every release, and pin a renovate / dependabot review gate.
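The two checks that separate the examples above (pinned versions, and names that merely resemble well-known packages) can be expressed as a small audit over a package.json. The following is an added example, not Vulkro's own package_risk or slopsquat_known code; the KNOWN_PACKAGES list, the edit-distance threshold of two, and the hyphenated-suffix rule are constructed assumptions standing in for a real popularity list.

```javascript
// Added example, not Vulkro's own code: audits a package.json "dependencies"
// map for unpinned specs and for names that are lookalikes of well-known packages.
// KNOWN_PACKAGES is a constructed stand-in for a real popularity list.
const KNOWN_PACKAGES = ["left-pad", "langchain", "lodash", "express"];

// Only an exact semver version (optionally with a pre-release tag) counts as pinned;
// ranges (^, ~, >=, *), dist-tags such as "latest", and git/http URLs do not.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Levenshtein distance, used to catch typosquats one or two edits from a known name.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const subst = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + subst);
    }
  }
  return dp[a.length][b.length];
}

// A name is a lookalike if it is within two edits of a known package, or is a
// known name padded with an extra hyphenated segment ("langchain-helpers").
function lookalikeOf(name) {
  if (KNOWN_PACKAGES.includes(name)) return null;
  for (const known of KNOWN_PACKAGES) {
    const d = editDistance(name, known);
    if (d <= 2 || name.startsWith(known + "-") || name.endsWith("-" + known)) return known;
  }
  return null;
}

// Returns one finding per problem: { name, rule: "unpinned" | "lookalike", detail }.
function auditDependencies(pkg) {
  const findings = [];
  for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
    if (!EXACT_SEMVER.test(spec)) {
      findings.push({ name, rule: "unpinned", detail: `spec "${spec}" is not an exact version` });
    }
    const known = lookalikeOf(name);
    if (known) findings.push({ name, rule: "lookalike", detail: `resembles "${known}"` });
  }
  return findings;
}

// Constructed inputs mirroring the two package.json examples above.
const nonCompliant = { dependencies: { "left-pad-utility": "latest", "langchain-helpers": "^0.0.1" } };
const compliant = { dependencies: { "left-pad": "1.3.0", "langchain": "0.0.214" } };
console.log(auditDependencies(nonCompliant), auditDependencies(compliant)); // 4 findings, then []
```

Running it against the non-compliant manifest yields two "unpinned" and two "lookalike" findings; the compliant manifest yields none.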

See also

  • Confidence model - what High, Medium, and Low mean for findings in this category.
  • Safety - what Vulkro does and does not access on your machine.

This page is generated by vulkro rules export <out-dir> from the catalog in src/rule_docs.rs. Edits made by hand are overwritten on the next regeneration.