Vertex AI MCP Server

import { McpError, ErrorCode } from "@modelcontextprotocol/sdk/types.js"; import { ToolDefinition, modelIdPlaceholder } from "./tool_definition.js"; export const dependencyVulnerabilityScanTool: ToolDefinition = { name: "dependency_vulnerability_scan", description: `Analyzes project dependencies for known security vulnerabilities. Provides detailed information about each vulnerability with severity ratings. Suggests mitigation strategies and secure alternatives. Uses the configured Vertex AI model (${modelIdPlaceholder}) with Google Search. Requires 'dependencies' and 'ecosystem'.`, inputSchema: { type: "object", properties: { dependencies: { type: "object", additionalProperties: { type: "string" }, description: "Object mapping dependency names to versions (e.g., {'react': '18.2.0', 'lodash': '4.17.21'})." }, ecosystem: { type: "string", enum: ["npm", "pypi", "maven", "nuget", "rubygems", "composer", "cargo", "go"], description: "The package ecosystem (e.g., 'npm', 'pypi', 'maven')." }, include_transitive: { type: "boolean", description: "Optional. Whether to analyze transitive dependencies as well.", default: true }, min_severity: { type: "string", enum: ["critical", "high", "medium", "low", "all"], description: "Optional. Minimum severity level to include in results.", default: "medium" } }, required: ["dependencies", "ecosystem"] }, buildPrompt: (args: any, modelId: string) => { const { dependencies, ecosystem, include_transitive = true, min_severity = "medium" } = args; if (!dependencies || typeof dependencies !== 'object' || Object.keys(dependencies).length === 0) throw new McpError(ErrorCode.InvalidParams, "Missing or invalid 'dependencies' object."); if (!ecosystem || typeof ecosystem !== 'string') throw new McpError(ErrorCode.InvalidParams, "Missing or invalid 'ecosystem'."); const dependencyList = Object.entries(dependencies) .map(([name, version]) => `${name}@${version}`) .join(', '); const transitiveText = include_transitive ? "including transitive dependencies" : "direct dependencies only"; const severityText = min_severity === "all" ? "all severity levels" : `${min_severity} or higher severity`; const systemInstructionText = `You are SecurityAnalystGPT, an elite security researcher specialized in analyzing software dependencies for vulnerabilities. Your task is to scan the provided ${ecosystem} dependencies (${transitiveText}) and identify known security vulnerabilities of ${severityText}. You must base your analysis EXCLUSIVELY on information found through web search of authoritative vulnerability databases and security advisories. SEARCH METHODOLOGY - EXECUTE IN THIS EXACT ORDER: 1. FIRST search for each dependency individually: "${Object.entries(dependencies).map(([name, version]) => `${ecosystem} ${name} ${version} vulnerability`).join('", "')}" 2. THEN search for each dependency in major vulnerability databases: "${Object.entries(dependencies).map(([name, version]) => `CVE ${ecosystem} ${name} ${version}`).join('", "')}" 3. THEN search for each dependency in ecosystem-specific security advisories: - npm: "npm audit ${dependencyList}" or "snyk ${dependencyList}" - pypi: "safety check ${dependencyList}" or "pyup ${dependencyList}" - maven: "OWASP dependency check ${dependencyList}" - Other ecosystems: "[ecosystem] security check ${dependencyList}" 4. IF include_transitive is true, search for: "${ecosystem} transitive dependency vulnerabilities" 5. THEN search for recent security advisories: "${ecosystem} security advisories last 6 months" 6. FINALLY search for secure alternatives: "${Object.keys(dependencies).map(name => `${ecosystem} ${name} secure alternative`).join('", "')}" VULNERABILITY DATA SOURCE PRIORITIZATION (in strict order): 1. Official National Vulnerability Database (NVD) and CVE records 2. Ecosystem-specific security advisories (npm advisory, PyPI security advisories, etc.) 3. Security tools' vulnerability databases (Snyk, OWASP Dependency Check, Sonatype OSS Index) 4. Official package maintainer security announcements 5. Major security vendor advisories (Rapid7, Tenable, etc.) 6. Bug bounty and responsible disclosure reports 7. Academic security research papers ANALYSIS REQUIREMENTS: 1. COMPREHENSIVE VULNERABILITY IDENTIFICATION: a. For EACH dependency, identify ALL known vulnerabilities meeting the severity threshold b. Include CVE IDs or ecosystem-specific vulnerability identifiers c. Provide accurate vulnerability descriptions from authoritative sources d. Include affected version ranges and whether the specified version is vulnerable e. Determine if the vulnerability is exploitable in typical usage contexts 2. SEVERITY ASSESSMENT: a. Use CVSS scores and vectors when available b. Include both base score and temporal score when available c. Explain the real-world impact of each vulnerability d. Prioritize vulnerabilities based on exploitability and impact e. Consider the specific version in use when assessing severity 3. DETAILED MITIGATION GUIDANCE: a. For EACH vulnerability, provide specific mitigation options: - Version upgrade recommendations (exact version numbers) - Configuration changes that mitigate the issue - Code changes to avoid vulnerable functionality - Alternative packages with similar functionality b. Include code examples for implementing mitigations c. Estimate the effort and risk of each mitigation approach d. Suggest temporary mitigations for vulnerabilities without fixes 4. COMPREHENSIVE SECURITY CONTEXT: a. Identify vulnerability trends in the ecosystem b. Note dependencies with poor security track records c. Highlight dependencies that are unmaintained or abandoned d. Identify dependencies with unusual update patterns e. Consider supply chain security aspects RESPONSE STRUCTURE: 1. Begin with an "Executive Summary" providing: a. Total vulnerabilities found by severity b. Most critical vulnerabilities requiring immediate attention c. Overall security posture assessment d. Highest priority recommendations 2. Include a "Vulnerability Details" section with a table containing: a. Dependency name and version b. Vulnerability ID (CVE or ecosystem-specific) c. Severity (with CVSS score if available) d. Affected versions e. Brief description f. Exploit status (PoC available, actively exploited, etc.) 3. For EACH vulnerable dependency, provide a detailed section with: a. Comprehensive vulnerability description b. Technical impact and attack vectors c. Detailed mitigation options d. Code examples for fixes e. Links to authoritative sources 4. Include a "Mitigation Strategy" section with: a. Prioritized action plan b. Dependency update recommendations c. Alternative package suggestions d. Long-term security improvements 5. Conclude with "Security Best Practices" for the specific ecosystem CRITICAL REQUIREMENTS: 1. NEVER report a vulnerability without a specific identifier (CVE, GHSA, etc.) from an authoritative source 2. ALWAYS verify the affected version ranges against the specified dependency version 3. NEVER claim a dependency is vulnerable if the specified version is outside the affected range 4. ALWAYS provide specific, actionable mitigation steps 5. NEVER include generic security advice without specific relevance to the dependencies 6. ALWAYS cite your sources for each vulnerability 7. NEVER exaggerate or minimize the severity of vulnerabilities Your analysis must be technically precise, evidence-based, and immediately actionable. Focus on providing a comprehensive security assessment that enables developers to effectively remediate vulnerabilities in their dependency tree.`; const userQueryText = `Analyze the following ${ecosystem} dependencies for security vulnerabilities (${transitiveText}, ${severityText}): \`\`\`json ${JSON.stringify(dependencies, null, 2)} \`\`\` For each dependency: 1. Search for known vulnerabilities in authoritative sources (NVD, CVE, ${ecosystem}-specific advisories) 2. Determine if the specific version is affected 3. Assess the severity and real-world impact 4. Provide detailed mitigation options Structure your response with: - Executive summary with vulnerability counts by severity - Comprehensive vulnerability table - Detailed analysis of each vulnerable dependency - Prioritized mitigation strategy - Ecosystem-specific security recommendations For each vulnerability, include: - Official identifier (CVE, etc.) - Severity with CVSS score when available - Affected version range - Exploitation status - Detailed description - Specific mitigation steps with code examples - Links to authoritative sources Focus on providing actionable information that enables immediate remediation of security issues.`; return { systemInstructionText, userQueryText, useWebSearch: true, enableFunctionCalling: false }; } };