Scan your dependencies for security vulnerabilities (CVEs) directly in VS Code
Ask Copilot: "Check for vulnerabilities" → Get instant CVE reports with fix instructions.
- Install: Search "VulScan-MCP" in VS Code Extensions
- Requirement: Python 3.11+ installed (Download)
- Use: Ask Copilot: "Check for security vulnerabilities"
That's it! Dependencies auto-install on first use.
### 1. lodash @ 4.17.15
#### 📦 Library Affected
- Package: lodash
- Current Version: 4.17.15
- Severity: HIGH
#### 🔍 CVE Details
- CVE IDs: CVE-2021-23337, CVE-2020-28500
- What is it: Command injection vulnerability allowing attackers to execute arbitrary code
#### ✅ Mitigation Steps
⚠️ WARNING: Version upgrade required. Test in staging first.
1. Update package.json: "lodash": "^4.17.21"
2. Run: npm install
3. Run full test suite
4. Deploy to staging and monitor

Languages: JavaScript, TypeScript, Python, Java, Go, Rust, Ruby, PHP, C++, .NET
Sources: NVD (National Vulnerability Database) + OSV (Open Source Vulnerabilities)
Platforms: Windows, macOS, Linux
✅ Security vulnerabilities (CVEs) - Known exploitable flaws
❌ NOT deprecated packages - This tool is CVE-focused only
Note: Clean results mean no CVEs found - packages may still be outdated but secure.
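The mitigation steps in the sample report bump the direct dependency in package.json, but nested transitive copies can stay on the old version. As an added example (not part of VulScan-MCP), this check walks a package-lock.json `packages` map and lists every lodash copy still below 4.17.21. The lockfile content, the package names `demo-app` and `example-widget`, and the function names are constructed for illustration.

```javascript
// Added example, not VulScan-MCP code. SAMPLE_LOCK is constructed sample data
// in the shape of a lockfileVersion 3 package-lock.json.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { lodash: "^4.17.21", "example-widget": "^1.0.0" } },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/example-widget": { version: "1.2.0", dependencies: { lodash: "4.17.15" } },
    "node_modules/example-widget/node_modules/lodash": { version: "4.17.15" },
    "node_modules/lodash.merge": { version: "4.6.2" }
  }
};

// Compare plain MAJOR.MINOR.PATCH strings.
// Simplification: prerelease and build tags are stripped and ignored.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every installed copy of `name` whose version is below `fixedVersion`.
// Reads the "packages" map found in lockfileVersion 2 and 3 files.
function findVulnerableCopies(lock, name, fixedVersion) {
  const suffix = "node_modules/" + name;
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Match the package at any nesting depth, but not look-alikes such as lodash.merge.
    const isMatch = path === suffix || path.endsWith("/" + suffix);
    if (!isMatch || typeof entry.version !== "string") continue;
    if (compareVersions(entry.version, fixedVersion) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

const remaining = findVulnerableCopies(SAMPLE_LOCK, "lodash", "4.17.21");
for (const hit of remaining) {
  console.log(`still below fixed version: ${hit.path} @ ${hit.version}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with the parsed contents of the project's package-lock.json after step 2.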
Python not found?
Install Python 3.11+ globally, then restart VS Code.
"No module named 'mcp'" error?
```bash
python3 -m pip install --user mcp requests
```

Still issues? Check logs:
- Windows: `%TEMP%\vulscan-mcp-debug.log`
- macOS/Linux: `/tmp/vulscan-mcp-debug.log`
```bash
# Clone & run
git clone https://github.com/abhishekrai43/VulScan-MCP.git
cd VulScan-MCP
pip install -r requirements.txt
python -m mcp_server

# Test extension
cd vulscan-mcp-vscode
npm install && npm run compile
# Press F5 in VS Code
```

MIT License | Report Issues
Built with Model Context Protocol, NVD API, OSV API