DependencyVulnQueue — Vulnerability-Fix Queue + SLA
22 dependency CVEs from Dependabot + Snyk + GHSA in a single queue. Per CVE: severity (CVSS 3.1), exposure path (transitive depth), CISA KEV catalog status, SLA clock, fix availability, applied/auto-merge state. Surfaces 3 critical past SLA + 4 in the CISA KEV catalog (actively exploited).
What it is
The single-pane-of-glass queue across Dependabot + Snyk + GHSA + npm audit + pip audit + KEV catalog. SbomScanner identifies; DependencyDrift catches version skew; DependencyVulnQueue triages the fix queue.
What’s in it
- 22 CVEs across npm, pip, maven, go, docker, internal libs
- Per CVE: CVSS, KEV status, days open vs SLA (24h crit / 7d high / 30d med / 90d low), fix availability, applied state
- Worst-offender findings: jsonwebtoken (KEV + 18d past 24h SLA), Log4Shell (patched), xz-utils backdoor (Mar 2024 disclosure — patched immediately), python-jose (KEV + algorithm confusion)
Why this shape
The CISA KEV catalog is the single most actionable filter: it lists vulnerabilities confirmed to be actively exploited. Most platforms drown in CVEs; KEV cuts the list to the 4 that need attention now.
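The triage rule the two sections above describe (an SLA clock of 24h / 7d / 30d / 90d by severity, with KEV status ranked ahead of CVSS score) in working form. This is an added example, not DependencyVulnQueue's own code; the finding ids, package names, scores and dates are constructed, and the `triage` / `summarize` function names, the field names and the severity-rank order are this example's assumptions.

```javascript
// Added example, not the DependencyVulnQueue page's own code: the SLA clock and
// KEV-first ordering the page describes, run over constructed findings.

// SLA budget per severity band, as stated on the page: 24h / 7d / 30d / 90d.
const SLA_HOURS = { critical: 24, high: 7 * 24, medium: 30 * 24, low: 90 * 24 };

// Sort rank per band (assumption: higher severity sorts first within KEV/non-KEV).
const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3, none: 4 };

// CVSS v3.1 qualitative severity rating scale (section 5 of the spec).
function cvssSeverity(score) {
  if (score >= 9.0) return "critical";
  if (score >= 7.0) return "high";
  if (score >= 4.0) return "medium";
  if (score >= 0.1) return "low";
  return "none";
}

// Enrich one finding with its severity band, hours open and hours past SLA.
// `now` is epoch milliseconds so the clock is deterministic in tests.
function clock(finding, now) {
  const severity = cvssSeverity(finding.cvss);
  const hoursOpen = (now - Date.parse(finding.openedAt)) / 3_600_000;
  const budget = SLA_HOURS[severity] ?? Infinity;
  return {
    ...finding,
    severity,
    hoursOpen,
    // A finding whose fix is applied stops the clock: it cannot be past SLA.
    hoursPastSla: finding.applied ? 0 : Math.max(0, hoursOpen - budget),
  };
}

// Queue order: unpatched before patched, KEV before non-KEV, then severity band,
// then most overdue, then raw CVSS. KEV outranks the score on purpose: confirmed
// exploitation in the wild is more actionable than a predicted impact.
function triage(findings, now) {
  return findings.map((f) => clock(f, now)).sort((a, b) =>
    Number(a.applied) - Number(b.applied) ||
    Number(b.kev) - Number(a.kev) ||
    SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity] ||
    b.hoursPastSla - a.hoursPastSla ||
    b.cvss - a.cvss
  );
}

// Headline counts for the top of the queue (only unpatched findings count).
function summarize(findings, now) {
  const queue = triage(findings, now);
  const open = queue.filter((f) => !f.applied);
  return {
    open: open.length,
    kev: open.filter((f) => f.kev).length,
    pastSla: open.filter((f) => f.hoursPastSla > 0).length,
    criticalPastSla: open.filter((f) => f.severity === "critical" && f.hoursPastSla > 0).length,
    fixAvailableUnapplied: open.filter((f) => f.fixAvailable).length,
    first: queue[0]?.id,
  };
}

// Constructed sample findings: ids, packages, scores and dates are made up.
// The first one mirrors the shape of the page's worst offender (KEV, critical,
// 18 days past a 24h SLA).
const NOW = Date.parse("2024-06-01T00:00:00Z");
const SAMPLE = [
  { id: "CVE-EXAMPLE-0001", pkg: "jwt-lib", eco: "npm", cvss: 9.8, kev: true, depth: 0,
    openedAt: "2024-05-13T00:00:00Z", fixAvailable: true, applied: false },
  { id: "CVE-EXAMPLE-0002", pkg: "logging-core", eco: "maven", cvss: 10.0, kev: true, depth: 2,
    openedAt: "2021-12-10T00:00:00Z", fixAvailable: true, applied: true },
  { id: "CVE-EXAMPLE-0003", pkg: "jose-py", eco: "pip", cvss: 7.5, kev: true, depth: 1,
    openedAt: "2024-05-20T00:00:00Z", fixAvailable: true, applied: false },
  { id: "CVE-EXAMPLE-0004", pkg: "yaml-parse", eco: "pip", cvss: 9.1, kev: false, depth: 0,
    openedAt: "2024-05-30T00:00:00Z", fixAvailable: true, applied: false },
  { id: "CVE-EXAMPLE-0005", pkg: "img-resize", eco: "go", cvss: 5.3, kev: false, depth: 3,
    openedAt: "2024-05-15T00:00:00Z", fixAvailable: false, applied: false },
  { id: "CVE-EXAMPLE-0006", pkg: "http-proxy-lib", eco: "npm", cvss: 9.4, kev: false, depth: 1,
    openedAt: "2024-05-29T00:00:00Z", fixAvailable: true, applied: false },
  { id: "CVE-EXAMPLE-0007", pkg: "container-base", eco: "docker", cvss: 3.1, kev: false, depth: 0,
    openedAt: "2024-01-01T00:00:00Z", fixAvailable: true, applied: false },
];

// Usage: print the ordered queue and the headline counts.
for (const f of triage(SAMPLE, NOW)) {
  console.log(f.id, f.severity, f.kev ? "KEV" : "-", `${f.hoursPastSla}h past SLA`, f.applied ? "patched" : "open");
}
console.log(summarize(SAMPLE, NOW));
```

The ordering puts a KEV-listed high-severity finding above a critical one that is not in KEV; if your policy is strictly severity-first, swap the `kev` and `SEVERITY_RANK` comparisons. Patched findings stay in the list but sort last, so the applied state remains visible without polluting the past-SLA counts.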
How it ships
Single HTML file, ~13KB. Zero dependencies. 22 CVEs × KEV/severity filters + per-CVE drilldown in 100 lines of vanilla JavaScript.