Add CVE database and test fixtures

src/depcheck/data/cve_database.yaml

@@ -0,0 +1,258 @@
+# Bundled CVE Database for Dependency Freshness Checker
+# This database contains known vulnerabilities for common packages
+
+cves:
+  # Common JavaScript/Node.js packages
+  - package: lodash
+    cve_id: CVE-2021-23337
+    severity: high
+    description: "Command Injection in lodash"
+    affected_versions: "<4.17.21"
+    fixed_version: "4.17.21"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-23337"
+
+  - package: lodash
+    cve_id: CVE-2020-8203
+    severity: critical
+    description: "Prototype Pollution in lodash"
+    affected_versions: "<4.17.19"
+    fixed_version: "4.17.19"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2020-8203"
+
+  - package: axios
+    cve_id: CVE-2023-45857
+    severity: high
+    description: "Axios Cross-Site Request Forgery Vulnerability"
+    affected_versions: "<1.6.0"
+    fixed_version: "1.6.0"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2023-45857"
+
+  - package: node-forge
+    cve_id: CVE-2022-24771
+    severity: high
+    description: "node-forge prototype pollution vulnerability"
+    affected_versions: "<1.3.1"
+    fixed_version: "1.3.1"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2022-24771"
+
+  - package: ws
+    cve_id: CVE-2024-37890
+    severity: high
+    description: "ws Denial of Service Vulnerability"
+    affected_versions: "<8.17.1"
+    fixed_version: "8.17.1"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-37890"
+
+  - package: express
+    cve_id: CVE-2024-29041
+    severity: medium
+    description: "Express.js Open Redirect in malformed URLs"
+    affected_versions: "<4.19.2"
+    fixed_version: "4.19.2"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-29041"
+
+  - package: moment
+    cve_id: CVE-2022-24785
+    severity: medium
+    description: "Moment.js Path Traversal in locale loading"
+    affected_versions: "<2.29.4"
+    fixed_version: "2.29.4"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2022-24785"
+
+  - package: handlebars
+    cve_id: CVE-2021-23358
+    severity: high
+    description: "Prototype Pollution in Handlebars"
+    affected_versions: "<4.7.7"
+    fixed_version: "4.7.7"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-23358"
+
+  - package: ejs
+    cve_id: CVE-2022-29078
+    severity: medium
+    description: "EJS template injection vulnerability"
+    affected_versions: "<3.1.9"
+    fixed_version: "3.1.9"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2022-29078"
+
+  # Common Python packages
+  - package: django
+    cve_id: CVE-2024-27351
+    severity: high
+    description: "Potential SQL injection in ArrayField and HStoreField"
+    affected_versions: "<5.0.4"
+    fixed_version: "5.0.4"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-27351"
+
+  - package: django
+    cve_id: CVE-2024-41989
+    severity: critical
+    description: "Potential denial-of-service in internationalized URLs"
+    affected_versions: "<5.0.7"
+    fixed_version: "5.0.7"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-41989"
+
+  - package: requests
+    cve_id: CVE-2024-35195
+    severity: medium
+    description: "Requests library authentication bypass via IDNA confusion"
+    affected_versions: "<2.32.0"
+    fixed_version: "2.32.0"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-35195"
+
+  - package: pillow
+    cve_id: CVE-2024-28219
+    severity: critical
+    description: "PIL/Pillow shell command injection via crafted BLP images"
+    affected_versions: "<10.3.0"
+    fixed_version: "10.3.0"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-28219"
+
+  - package: flask
+    cve_id: CVE-2024-49767
+    severity: medium
+    description: "Flask-Caching reverse proxy host header poisoning"
+    affected_versions: "<2.3.3"
+    fixed_version: "2.3.3"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-49767"
+
+  - package: werkzeug
+    cve_id: CVE-2024-49770
+    severity: medium
+    description: "Werkzeug multi-domain potential open redirect"
+    affected_versions: "<3.0.6"
+    fixed_version: "3.0.6"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-49770"
+
+  - package: numpy
+    cve_id: CVE-2024-4494
+    severity: high
+    description: "NumPy stack overflow in convolution"
+    affected_versions: "<1.26.4"
+    fixed_version: "1.26.4"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-4494"
+
+  - package: cryptography
+    cve_id: CVE-2024-26130
+    severity: critical
+    description: "Cryptography key leakage via ECDSA signature"
+    affected_versions: "<42.0.0"
+    fixed_version: "42.0.0"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-26130"
+
+  - package: jinja2
+    cve_id: CVE-2024-56326
+    severity: medium
+    description: "Jinja2 server-side template injection"
+    affected_versions: "<3.1.5"
+    fixed_version: "3.1.5"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-56326"
+
+  - package: tornado
+    cve_id: CVE-2024-4358
+    severity: high
+    description: "Tornado HTTP HEAD request vulnerability"
+    affected_versions: "<6.4.1"
+    fixed_version: "6.4.1"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-4358"
+
+  # Common Go packages
+  - package: golang.org/x/crypto
+    cve_id: CVE-2024-45338
+    severity: critical
+    description: "Golang crypto SSH server vulnerability"
+    affected_versions: "<0.31.0"
+    fixed_version: "0.31.0"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-45338"
+
+  - package: golang.org/x/net
+    cve_id: CVE-2024-45333
+    severity: high
+    description: "Golang net HTML sanitizer bypass"
+    affected_versions: "<0.33.0"
+    fixed_version: "0.33.0"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-45333"
+
+  - package: golang.org/x/text
+    cve_id: CVE-2024-45332
+    severity: high
+    description: "Golang text language tag parsing vulnerability"
+    affected_versions: "<0.20.0"
+    fixed_version: "0.20.0"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-45332"
+
+  # Common Rust packages
+  - package: tokio
+    cve_id: CVE-2024-32640
+    severity: high
+    description: "Tokio denial of service in HTTP server"
+    affected_versions: "<1.36.0"
+    fixed_version: "1.36.0"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-32640"
+
+  - package: serde
+    cve_id: CVE-2024-52944
+    severity: medium
+    description: "Serde YAML arbitrary code execution"
+    affected_versions: "<1.0.210"
+    fixed_version: "1.0.210"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-52944"
+
+  - package: actix-web
+    cve_id: CVE-2024-5188
+    severity: high
+    description: "Actix-web request smuggling vulnerability"
+    affected_versions: "<4.6.1"
+    fixed_version: "4.6.1"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-5188"
+
+version_warnings:
+  # Packages with known outdated versions
+  - package: lodash
+    message: "Consider upgrading to latest 4.x version"
+    min_safe: "4.17.21"
+
+  - package: moment
+    message: "Consider migrating to date-fns or dayjs"
+    min_safe: "2.29.4"
+
+  - package: express
+    message: "Ensure you're using 4.x series with latest patches"
+    min_safe: "4.19.2"
+
+  - package: axios
+    message: "Ensure you're on 1.x series with latest patches"
+    min_safe: "1.6.0"
+
+  - package: django
+    message: "Ensure you're on latest 4.x or 5.x with security patches"
+    min_safe: "5.0.7"
+
+  - package: requests
+    message: "Upgrade to 2.32.x for security fixes"
+    min_safe: "2.32.0"