fleet/third_party/vuln-check/README.md
Magnus Jensen bce4c4afae
remove old Windows MDM PoC tool (#39473)
This PR cleans up an old tool/windows-mdm-poc, that we no longer use or
rely on.

It is also an effort to minimize inline dependencies when unused.
2026-02-06 13:55:16 -05:00


# Vulnerability scanning for inlined dependencies

This directory contains manifest files (`go.mod`, `package.json`) that list the third-party dependencies that have been copied/inlined into Fleet's codebase.

## Purpose

Fleet has several dependencies that were copied directly into the repository rather than imported via Go modules or npm. These inlined dependencies are not automatically scanned by vulnerability detection tools like GitHub Dependabot because they don't appear in the main `go.mod` or `package.json`.

This directory solves that problem by creating "dummy" manifest files that list these dependencies at their copied versions. This allows:

- GitHub Dependabot to detect vulnerabilities and create alerts
- osv-scanner to scan for Go and npm vulnerabilities
- `npm audit` to scan for JavaScript vulnerabilities
- Other security scanning tools to identify issues

## Important notes

1. **This code is NOT compiled into Fleet** - These manifest files exist solely for vulnerability scanning
2. **Keep versions in sync** - When updating an inlined dependency, update the version here to match
3. **No Go code here** - Do not add any `.go` files to this directory

## Tracked dependencies

### Go dependencies (`go.mod`)

| Dependency | Fleet Location | Version |
|---|---|---|
| micromdm/nanomdm | `server/mdm/nanomdm/` | v0.9.0 |
| micromdm/nanodep | `server/mdm/nanodep/` | v0.4.0 |
| micromdm/scep/v2 | `server/mdm/scep/` | v2.3.0 |
| pressly/goose/v3 | `server/goose/` | v3.17.0 |
| facebookincubator/nvdtools | `server/vulnerabilities/nvd/tools/` | v0.1.5 |
| virtuald/go-paniclog | `orbit/pkg/go-paniclog/` | v0.0.0-20190812204905-43a7fa316459 |
| josharian/impl | `server/mock/mockimpl/` | v1.4.0 |
| mitchellh/gon | `orbit/pkg/packaging/macos_notarize.go` | v0.2.3 |
| sassoftware/relic | `pkg/file/xar.go` | v7.2.1+incompatible |

### npm dependencies (`package.json`)

| Dependency | Fleet Location | Version |
|---|---|---|
| node-sql-parser | `frontend/utilities/node-sql-parser/` | 5.3.13 |
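The "keep versions in sync" rule above fails silently: a module that drops out of `go.mod`, or a table row that never made it into `go.mod`, simply stops being scanned and nobody is alerted. The program below is an added example, not part of Fleet or of this directory. It parses the `require` section of a `go.mod` with the standard library only, compares the result with the location table above, and exits non-zero when a module has no table row, a row's inlined copy is missing from the checkout, or a row has no `go.mod` entry. The `github.com/` module prefixes, the `vulncheck-lint` name and the constructed `SampleGoMod` manifest are assumptions of the example; it cannot tell whether the copied source actually matches the listed version, which still needs a human at update time.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"sort"
	"strings"
)

// Dep is one module/version pair from a go.mod require section.
type Dep struct{ Module, Version string }

// ParseRequires reads `require m v` lines and `require ( ... )` blocks from
// go.mod text, ignoring trailing comments such as `// indirect`.
func ParseRequires(src string) []Dep {
	var deps []Dep
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		code, _, _ := strings.Cut(sc.Text(), "//") // drop `// indirect` etc.
		f := strings.Fields(code)
		switch {
		case len(f) == 0:
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			deps = append(deps, Dep{f[0], f[1]})
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) == 3:
			deps = append(deps, Dep{f[1], f[2]})
		}
	}
	return deps
}

// Locations mirrors the README table: module -> path of its inlined copy, relative to the repo root (github.com/ prefixes assumed).
var Locations = map[string]string{
	"github.com/micromdm/nanomdm":           "server/mdm/nanomdm/",
	"github.com/micromdm/nanodep":           "server/mdm/nanodep/",
	"github.com/micromdm/scep/v2":           "server/mdm/scep/",
	"github.com/pressly/goose/v3":           "server/goose/",
	"github.com/facebookincubator/nvdtools": "server/vulnerabilities/nvd/tools/",
	"github.com/virtuald/go-paniclog":       "orbit/pkg/go-paniclog/",
	"github.com/josharian/impl":             "server/mock/mockimpl/",
	"github.com/mitchellh/gon":              "orbit/pkg/packaging/macos_notarize.go",
	"github.com/sassoftware/relic":          "pkg/file/xar.go",
}

// Check reports drift in both directions: a go.mod module with no table row, a row whose copy is
// missing from the tree, and a row with no go.mod entry (which every scanner would silently skip).
func Check(deps []Dep, locations map[string]string, exists func(string) bool) []string {
	var out []string
	seen := map[string]bool{}
	for _, d := range deps {
		loc, ok := locations[d.Module]
		switch {
		case !ok:
			out = append(out, d.Module+"@"+d.Version+": no row in the README location table")
		case !exists(loc):
			out = append(out, d.Module+"@"+d.Version+": inlined copy not found at "+loc)
		}
		seen[d.Module] = true
	}
	var missing []string
	for m := range locations {
		if !seen[m] {
			missing = append(missing, m+": in the README table but missing from go.mod")
		}
	}
	sort.Strings(missing) // map order is random; keep the report stable
	return append(out, missing...)
}

// SampleGoMod is a constructed manifest; its last entry deliberately has no table row.
const SampleGoMod = `module example.com/vuln-check
require (
	github.com/micromdm/nanomdm v0.9.0
	github.com/micromdm/scep/v2 v2.3.0 // indirect
	github.com/example/untracked v1.0.0
)
`

func main() { // usage: go run . <repo-root> <repo-root>/third_party/vuln-check/go.mod
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: vulncheck-lint <repo-root> <path/to/go.mod>")
		os.Exit(2)
	}
	src, err := os.ReadFile(os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	exists := func(p string) bool { _, err := os.Stat(os.Args[1] + "/" + p); return err == nil }
	if problems := Check(ParseRequires(string(src)), Locations, exists); len(problems) > 0 {
		fmt.Println(strings.Join(problems, "\n"))
		os.Exit(1)
	}
}
```

Because of rule 3, the lint program has to live outside `third_party/vuln-check` (for instance under `tools/`), and it is run from the repository root with the path to this directory's `go.mod`. Exiting non-zero makes it usable as a CI step, so a future edit to the inlined copies that forgets the manifest fails the build instead of quietly shrinking the scan surface.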

## Running vulnerability scans locally

### Go and npm vulnerabilities

Since this directory contains no Go source files (by design), source-based tools like `govulncheck ./...` won't work. Use tools that scan `go.mod` directly.

Using osv-scanner (recommended):

```bash
go install github.com/google/osv-scanner/cmd/osv-scanner@latest
cd third_party/vuln-check
# To include npm dependencies in the scan, first generate a lock file:
npm i --package-lock-only
osv-scanner scan .
```