Add Vulnerability Scanning Feature and Documentation

README.md

@@ -48,6 +48,7 @@ dotnet run -- --help
 - ✅ Extensible plugin architecture
 - ✅ Repository health analysis
 - ✅ Bill of Materials (BOM) generation
+- ✅ NuGet package vulnerability scanning
 - ✅ Multiple output formats (console, markdown)
 
 ## 🎯 Current Commands
@@ -64,6 +65,9 @@ codemedic health --format markdown
 
 codemedic bom            # Bill of Materials
 codemedic bom --format md > bom.md
+
+codemedic vulnerabilities        # Scan for NuGet vulnerabilities
+codemedic vulnerabilities --format markdown > vulns.md
 ```
 
 ## 🔧 Technology Stack
@@ -84,6 +88,8 @@ codemedic bom --format md > bom.md
 - ✅ Bill of materials command (internal plugin)
 - ✅ Repository scanner with NuGet inspection
 - ✅ Multiple output formats (console, markdown)
+- ✅ Vulnerability scanning for NuGet packages
+- ✅ Dedicated vulnerability analysis command
 
 ## 🔌 Plugin Architecture
 
@@ -92,6 +98,7 @@ CodeMedic uses an extensible plugin system for analysis engines:
 **Current Plugins:**
 - **HealthAnalysisPlugin** - Repository health and code quality analysis
 - **BomAnalysisPlugin** - Bill of Materials generation
+- **VulnerabilityAnalysisPlugin** - NuGet package vulnerability scanning
 
 See `doc/plugin_architecture.md` for details on creating custom plugins.
 

doc/README.md

@@ -11,6 +11,7 @@ Welcome to the CodeMedic documentation. This folder contains technical documenta
 ### Features
 - **[Repository Health Dashboard](feature_repository-health-dashboard.md)** - Design and implementation details for the unified health analysis system
 - **[Bill of Materials (BOM)](feature_bill-of-materials.md)** - Specification for the comprehensive dependency and vendor inventory feature
+- **[Vulnerability Scanning](feature_vulnerability-scanning.md)** - Security-focused NuGet package vulnerability analysis and reporting
 
 ### Scanning & Analysis
 - **[NuGet Scanning Architecture](nuget_scanning_architecture.md)** - Design and implementation of NuGet package discovery, resolution, and analysis including central package management support and version mismatch detection

doc/feature_vulnerability-scanning.md

@@ -0,0 +1,228 @@
+---
+title: Vulnerability Scanning Feature
+description: Security-focused NuGet package vulnerability analysis and reporting
+---
+
+# NuGet Package Vulnerability Scanning
+
+## Overview
+
+The Vulnerability Scanning feature provides comprehensive security analysis of .NET repositories by scanning NuGet package dependencies for known vulnerabilities. This feature helps development teams identify and remediate security risks in their dependency chains.
+
+## Features
+
+### Core Capabilities
+
+- **Comprehensive Package Scanning** - Scans all NuGet packages across all projects in a repository
+- **Vulnerability Detection** - Identifies known vulnerabilities using the dotnet CLI audit functionality
+- **Severity Classification** - Groups vulnerabilities by severity (Critical, High, Moderate, Low)
+- **Project Impact Analysis** - Shows which projects are affected by each vulnerability
+- **Multiple Output Formats** - Console and Markdown output formats
+- **Graceful Error Handling** - Continues scanning even if vulnerabilities or tools are unavailable
+
+### Command: `vulnerabilities`
+
+The `vulnerabilities` command performs a focused security analysis on a .NET repository.
+
+#### Basic Usage
+
+```bash
+# Scan current directory
+codemedic vulnerabilities
+
+# Scan specific repository
+codemedic vulnerabilities /path/to/repo
+
+# Generate markdown report
+codemedic vulnerabilities --format markdown
+
+# Save to file
+codemedic vulnerabilities --format markdown > security-report.md
+```
+
+#### Output Example
+
+```
+────────────────────── NuGet Package Vulnerability Report ──────────────────────
+
+Scanned 8 unique package(s), found 0 vulnerability(ies)
+Total Packages Scanned: 8
+Total Vulnerabilities Found: 0
+
+──────────────────────────────────── Status ────────────────────────────────────
+
+✓ No known vulnerabilities found in scanned packages!
+```
+
+## Architecture
+
+### Components
+
+#### VulnerabilityAnalysisPlugin
+An `IAnalysisEnginePlugin` implementation that:
+- Discovers all .NET projects in the repository
+- Extracts NuGet package references
+- Scans packages for known vulnerabilities
+- Generates security reports
+
+#### VulnerabilityScanner Engine
+Core scanning engine that:
+- Uses `dotnet package root --vulnerable` for vulnerability detection
+- Implements result caching to avoid redundant scans
+- Manages concurrent vulnerability checks (max 5 concurrent)
+- Handles timeouts and graceful degradation
+
+#### PackageVulnerability Model
+Data structure representing a single vulnerability:
+```csharp
+public class PackageVulnerability
+{
+    public string PackageName { get; set; }          // Package name
+    public string AffectedVersion { get; set; }      // Vulnerable version
+    public string VulnerabilityId { get; set; }      // CVE ID or identifier
+    public string Description { get; set; }          // Vulnerability description
+    public string Severity { get; set; }             // Critical/High/Moderate/Low
+    public string? FixedInVersion { get; set; }      // Version that fixes it
+    public DateTime? PublishedDate { get; set; }     // When discovered/published
+    public string? AdvisoryUrl { get; set; }         // URL for more info
+    public double? CvssScore { get; set; }           // CVSS score if available
+}
+```
+
+## Integration
+
+### Health Dashboard Integration
+
+The vulnerability scanning is integrated into the `health` command, which displays vulnerability information as part of the comprehensive repository health report:
+
+```bash
+codemedic health --format markdown
+```
+
+The health report includes a "Known Vulnerabilities" section showing:
+- Total vulnerabilities found
+- Vulnerabilities grouped by severity
+- Package names and versions
+- CVE IDs and descriptions
+- Projects affected
+
+### Dedicated Command
+
+For security-focused analysis, use the standalone `vulnerabilities` command:
+
+```bash
+codemedic vulnerabilities
+codemedic vulnerabilities --format markdown > audit-report.md
+```
+
+## Usage Scenarios
+
+### 1. Security Audit
+Generate a comprehensive vulnerability report for security review:
+```bash
+codemedic vulnerabilities --format markdown > security-audit.md
+```
+
+### 2. Pre-deployment Check
+Verify no critical vulnerabilities before deployment:
+```bash
+codemedic vulnerabilities
+# Review output for any Critical or High severity items
+```
+
+### 3. Regular Health Monitoring
+Include vulnerability check as part of health monitoring:
+```bash
+codemedic health
+codemedic health --format markdown > health-report.md
+```
+
+### 4. CI/CD Integration
+Embed vulnerability scanning in your pipeline:
+```bash
+#!/bin/bash
+dotnet CodeMedic.dll vulnerabilities
+if [ $? -ne 0 ]; then
+    echo "Vulnerabilities found!"
+    exit 1
+fi
+```
+
+## Technical Details
+
+### Scanning Process
+
+1. **Project Discovery** - Recursively finds all `.csproj` files
+2. **Package Extraction** - Parses project files for NuGet references
+3. **Deduplication** - Removes duplicate packages (same name@version)
+4. **Vulnerability Checking** - Uses dotnet CLI to check each package
+5. **Result Aggregation** - Groups by severity and project
+6. **Report Generation** - Formats for human-readable output
+
+### Performance Considerations
+
+- **Caching** - Results cached per session to avoid redundant checks
+- **Concurrency** - Up to 5 concurrent vulnerability checks
+- **Timeouts** - 5-second timeout per package check, 2-second process wait
+- **Graceful Degradation** - Continues even if vulnerabilities tool unavailable
+
+### Output Formats
+
+#### Console (Default)
+Rich formatted output with:
+- Section headers with visual separators
+- Summary statistics with severity breakdown
+- Vulnerability tables grouped by severity
+- Projects affected by each vulnerability
+
+#### Markdown
+Machine-readable Markdown suitable for:
+- Embedding in reports
+- Version control integration
+- Documentation
+- Email and sharing
+
+## Configuration
+
+No configuration required for basic operation. The scanner:
+- Uses default .NET vulnerability database
+- Automatically detects projects
+- Handles cross-platform paths
+- Degrades gracefully on missing tools
+
+## Limitations & Future Enhancements
+
+### Current Limitations
+- Requires dotnet 6.0+ with vulnerability checking support
+- Uses dotnet CLI audit tool (requires it to be available)
+- Scanning speed depends on number of packages and network availability
+- Works best with recently updated vulnerability database
+
+### Planned Enhancements
+- Integration with external vulnerability databases (NVD, CVE feeds)
+- Configuration options for severity thresholds
+- Custom vulnerability rules and policies
+- Integration with SBOM (Software Bill of Materials)
+- Automated remediation recommendations
+- Webhook integration for CI/CD pipelines
+
+## Troubleshooting
+
+### "dotnet audit not available" Warning
+**Cause:** The dotnet CLI vulnerability tool is not installed or accessible
+**Solution:** Ensure .NET SDK is up-to-date: `dotnet --version`
+
+### No vulnerabilities detected when expected
+**Cause:** Vulnerability database may be outdated
+**Solution:** Update .NET SDK or manually check packages on nuget.org
+
+### Scanning very slow
+**Cause:** Large number of packages or network latency
+**Solution:** Results are cached, subsequent runs will be faster
+
+## See Also
+
+- [Repository Health Dashboard](feature_repository-health-dashboard.md)
+- [Bill of Materials](feature_bill-of-materials.md)
+- [Plugin Architecture](plugin_architecture.md)
+- [NuGet Scanning Architecture](nuget_scanning_architecture.md)

run-vulnerabilities.ps1

@@ -0,0 +1,15 @@
+#!/usr/bin/env pwsh
+
+<#
+.SYNOPSIS
+    Runs CodeMedic vulnerability scan on the current repository
+#>
+
+$ErrorActionPreference = 'Stop'
+$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
+$projectRoot = $scriptDir
+
+Write-Host "Running CodeMedic vulnerability scan..." -ForegroundColor Cyan
+Write-Host "Repository: $projectRoot" -ForegroundColor Gray
+
+& dotnet "$projectRoot\src\CodeMedic\bin\Release\net10.0\CodeMedic.dll" vulnerabilities @args

run-vulnerabilities.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# Runs CodeMedic vulnerability scan on the current repository
+
+set -e
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
+
+echo "Running CodeMedic vulnerability scan..."
+echo "Repository: $PROJECT_ROOT"
+
+dotnet "$PROJECT_ROOT/src/CodeMedic/bin/Release/net10.0/CodeMedic.dll" vulnerabilities "$@"