npm - @7nsane/zift - Versions diffs - 1.2.0 → 2.0.0 - Mend

@7nsane/zift 1.2.0 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
-# Zift 🛡️
+# 🛡️ Zift (v2.0.0)
-**Zift** is an elite, high-performance security scanner designed to detect malicious patterns in npm packages before they are executed. By using deterministic AST analysis and lightweight variable propagation, Zift identifies potential credential exfiltration, malicious persistence, and obfuscated execution with extreme precision.
+**The Deterministic Pre-install Security Gate for JavaScript Projects.** By using deterministic AST analysis and lightweight variable propagation, Zift identifies potential credential exfiltration, malicious persistence, and obfuscated execution with extreme precision.
 ## Installation
@@ -23,6 +23,20 @@ zift setup
 npm install <package-name> --zift
 ```
+## 🔍 Limitations & Blind Spots (v2.0.0)
+To maintain a zero-false-positive baseline and high performance, Zift v2 focus on **deterministic behavioral patterns**. It does NOT currently cover:
+- **Cross-file Taint**: Taint tracking is limited to intra-file propagation.
+- **Runtime Decryption**: Logic that decrypts and executes memory-only payloads at runtime.
+- **VM-based Execution**: Malicious payloads executed inside isolated virtual machine environments.
+- **Multi-stage Loaders**: Sophisticated multi-hop obfuscation that reconstructs logic over several cycles.
+- **Post-install Generation**: Malicious code generated or downloaded *after* the initial install/preinstall phase.
+**Positioning**: Zift is a *Deterministic Pre-install Behavioral Security Gate*. It is designed to catch the most common and damaging malware patterns instantly, not to serve as a complete, multi-layer supply-chain defense.
+## License
+MIT
 ## Usage
 ### 🚀 Secure Installer Mode

package/bin/zift.js CHANGED Viewed

@@ -14,11 +14,15 @@ async function main() {
   let isInstallMode = false;
   let installer = 'npm';
-  // 1. Setup Command
+  // 1. Setup & Init Commands
   if (args[0] === 'setup') {
     await runSetup();
     return;
   }
+  if (args[0] === 'init') {
+    runInit();
+    return;
+  }
   // 2. Detection for bun/pnpm usage
   if (args.includes('--bun')) installer = 'bun';
@@ -117,6 +121,15 @@ ${cmd}() {
 async function runRemoteAudit(packageName, format, installer) {
   if (format === 'text') console.log(chalk.blue(`\n🌍 Remote Audit [via ${installer}]: Pre-scanning '${packageName}'...`));
+  // Typosquat Check
+  const { checkTyposquat } = require('../src/utils/typo');
+  const typoMatch = checkTyposquat(packageName);
+  if (typoMatch && format === 'text') {
+    console.log(chalk.red.bold(`\n⚠️  TYPOSQUAT WARNING: '${packageName}' is very similar to '${typoMatch.target}'!`));
+    console.log(chalk.red(`   If you meant '${typoMatch.target}', stop now.\n`));
+  }
   const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'zift-audit-'));
   try {
     cp.execSync(`npm pack ${packageName}`, { cwd: tmpDir, stdio: 'ignore' });
@@ -144,31 +157,97 @@ async function runRemoteAudit(packageName, format, installer) {
   } catch (err) { cleanupAndExit(tmpDir, 1); }
 }
-function handleFindings(findings, format, targetDir, skipExit = false) {
+async function runLocalScan(target, format) {
+  if (format === 'text') console.log(chalk.blue(`\n🔍 Scanning local directory: ${path.resolve(target)}`));
+  const scanner = new PackageScanner(target);
+  const results = await scanner.scan();
+  // Auditing lockfiles
+  const LockfileAuditor = require('../src/lockfile');
+  const auditor = new LockfileAuditor(target);
+  const lockfileFindings = auditor.audit();
+  handleFindings({ ...results, lockfileFindings }, format, target);
+}
+function handleFindings(data, format, targetDir, skipExit = false) {
+  const { results: findings, lifecycleScripts, lockfileFindings = [] } = data;
   if (format === 'json') {
-    process.stdout.write(JSON.stringify({ target: targetDir, findings, summary: { Critical: findings.filter(f => f.classification === 'Critical').length, High: findings.filter(f => f.classification === 'High').length, Medium: findings.filter(f => f.classification === 'Medium').length, Low: findings.filter(f => f.classification === 'Low').length } }, null, 2));
+    process.stdout.write(JSON.stringify({
+      target: targetDir,
+      findings,
+      lifecycleScripts,
+      lockfileFindings,
+      summary: getSummary(findings)
+    }, null, 2));
     if (!skipExit) process.exit(findings.some(f => f.score >= 90) ? 1 : 0);
     return;
   }
+  // Lifecycle Summary
+  if (Object.keys(lifecycleScripts).length > 0) {
+    console.log(chalk.bold('\n📦 Detected Lifecycle Scripts:'));
+    for (const [hook, cmd] of Object.entries(lifecycleScripts)) {
+      console.log(chalk.yellow(`  - ${hook}: `) + chalk.white(cmd));
+    }
+  }
+  // Lockfile Summary
+  if (lockfileFindings.length > 0) {
+    console.log(chalk.bold('\n🔒 Lockfile Security Audit:'));
+    lockfileFindings.forEach(f => {
+      const color = f.severity === 'High' ? chalk.red : chalk.yellow;
+      console.log(color(`  - [${f.severity}] ${f.package}: ${f.type} (${f.source})`));
+    });
+  }
   if (findings.length === 0) {
-    if (!skipExit) { console.log(chalk.green('\n✅ No suspicious patterns detected. All modules safe.')); process.exit(0); }
+    if (!skipExit) {
+      console.log(chalk.green('\n✅ No suspicious AST patterns detected.'));
+      process.exit(0);
+    }
     return;
   }
+  console.log(chalk.bold('\n🔍 Behavioral AST Findings:'));
   findings.forEach(f => {
     const color = { 'Critical': chalk.red.bold, 'High': chalk.red, 'Medium': chalk.yellow, 'Low': chalk.blue }[f.classification];
     console.log(color(`[${f.classification}] ${f.id} ${f.name} (Score: ${f.score})`));
     f.triggers.forEach(t => console.log(chalk.white(`  - ${t.type} in ${t.file}:${t.line} [${t.context}]`)));
     console.log('');
   });
-  if (!skipExit) process.exit(findings[0].score >= 90 ? 1 : 0);
+  if (!skipExit) process.exit(findings.some(f => f.score >= 90) ? 1 : 0);
+}
+function runInit() {
+  const config = {
+    severity: {
+      critical: 90,
+      high: 70,
+      medium: 50
+    },
+    ignore: ['node_modules', '.git', 'test', 'dist'],
+    parallel: true,
+    cache: true
+  };
+  fs.writeFileSync(path.join(process.cwd(), '.zift.json'), JSON.stringify(config, null, 2));
+  fs.writeFileSync(path.join(process.cwd(), '.ziftignore'), '# Add patterns to ignore here\nnode_modules\ndist\ncoverage\n');
+  console.log(chalk.green('\n✅ Initialized Zift configuration (.zift.json and .ziftignore)'));
 }
 function showHelp() {
-  console.log(chalk.blue.bold('\n🛡️  Zift - Universal Security Scanner\n'));
+  console.log(chalk.blue.bold('\n🛡️  Zift v2.0.0 - Intelligent Pre-install Security Gate\n'));
   console.log('Usage:');
   console.log('  zift setup           Secure npm, bun, and pnpm');
+  console.log('  zift init            Initialize configuration');
   console.log('  zift install <pkg>   Scan and install package');
-  console.log('  --bun / --pnpm       Use a specific installer');
+  console.log('  zift .               Scan current directory');
+  console.log('\nOptions:');
+  console.log('  --bun                Use Bun for installation');
+  console.log('  --pnpm               Use pnpm for installation');
+  console.log('  --format json        Output as JSON');
 }
 function cleanupAndExit(dir, code) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@7nsane/zift",
-  "version": "1.2.0",
+  "version": "2.0.0",
   "description": "A high-performance, deterministic security scanner for npm packages.",
   "main": "src/scanner.js",
   "bin": {
@@ -8,7 +8,7 @@
     "zift-scanner": "bin/zift.js"
   },
   "scripts": {
-    "test": "node v1_launch_pack/tests/verify.js",
+    "test": "echo \"Error: no test specified\" && exit 1",
     "scan": "node bin/zift"
   },
   "keywords": [

package/src/collector.js CHANGED Viewed

@@ -4,22 +4,25 @@ const { calculateEntropy } = require('./utils/entropy');
 class ASTCollector {
     constructor() {
-        this.facts = {
+        this.entropyThreshold = 4.8;
+        this.maxFileSize = 512 * 1024;
+        this.maxStringLengthForEntropy = 2048;
+    }
+    collect(code, filePath) {
+        const facts = {
             ENV_READ: [],
             FILE_READ_SENSITIVE: [],
             NETWORK_SINK: [],
             DYNAMIC_EXECUTION: [],
             OBFUSCATION: [],
-            FILE_WRITE_STARTUP: []
+            FILE_WRITE_STARTUP: [],
+            SHELL_EXECUTION: [],
+            ENCODER_USE: []
         };
-        this.flows = [];
-        this.entropyThreshold = 4.8;
-        this.maxFileSize = 512 * 1024; // 512KB cap for static analysis
-        this.maxStringLengthForEntropy = 2048; // Don't calculate entropy for massive blobs
-    }
+        const flows = [];
+        const sourceCode = code;
-    collect(code, filePath) {
-        this.sourceCode = code;
         let ast;
         try {
             ast = acorn.parse(code, { ecmaVersion: 2020, sourceType: 'module', locations: true });
@@ -27,7 +30,7 @@ class ASTCollector {
             try {
                 ast = acorn.parse(code, { ecmaVersion: 2020, sourceType: 'script', locations: true });
             } catch (error_) {
-                return { facts: this.facts, flows: this.flows };
+                return { facts, flows };
             }
         }
@@ -36,7 +39,7 @@ class ASTCollector {
                 if (typeof node.value === 'string' && node.value.length > 20 && node.value.length < this.maxStringLengthForEntropy) {
                     const entropy = calculateEntropy(node.value);
                     if (entropy > this.entropyThreshold) {
-                        this.facts.OBFUSCATION.push({
+                        facts.OBFUSCATION.push({
                             file: filePath,
                             line: node.loc.start.line,
                             reason: `High entropy string (${entropy.toFixed(2)})`,
@@ -45,41 +48,88 @@ class ASTCollector {
                     }
                 }
             },
-            CallExpression: (node) => {
-                const calleeCode = this.getSourceCode(node.callee);
+            CallExpression: (node, state, ancestors) => {
+                const calleeCode = sourceCode.substring(node.callee.start, node.callee.end);
                 if (calleeCode === 'eval' || calleeCode === 'Function') {
-                    this.facts.DYNAMIC_EXECUTION.push({
+                    facts.DYNAMIC_EXECUTION.push({
                         file: filePath,
                         line: node.loc.start.line,
                         type: calleeCode
                     });
                 }
+                if (calleeCode === 'require' && node.arguments.length > 0 && node.arguments[0].type !== 'Literal') {
+                    facts.DYNAMIC_EXECUTION.push({
+                        file: filePath,
+                        line: node.loc.start.line,
+                        type: 'dynamic_require',
+                        variable: sourceCode.substring(node.arguments[0].start, node.arguments[0].end)
+                    });
+                }
                 if (this.isNetworkSink(calleeCode)) {
-                    this.facts.NETWORK_SINK.push({
+                    facts.NETWORK_SINK.push({
+                        file: filePath,
+                        line: node.loc.start.line,
+                        callee: calleeCode
+                    });
+                }
+                if (this.isShellSink(calleeCode)) {
+                    facts.SHELL_EXECUTION.push({
                         file: filePath,
                         line: node.loc.start.line,
                         callee: calleeCode
                     });
                 }
-                if (this.isSensitiveFileRead(calleeCode, node)) {
-                    this.facts.FILE_READ_SENSITIVE.push({
+                if (this.isEncoder(calleeCode)) {
+                    facts.ENCODER_USE.push({
+                        file: filePath,
+                        line: node.loc.start.line,
+                        type: calleeCode
+                    });
+                }
+                if (this.isSensitiveFileRead(calleeCode, node, sourceCode)) {
+                    facts.FILE_READ_SENSITIVE.push({
                         file: filePath,
                         line: node.loc.start.line,
-                        path: node.arguments[0] ? this.getSourceCode(node.arguments[0]) : 'unknown'
+                        path: node.arguments[0] ? sourceCode.substring(node.arguments[0].start, node.arguments[0].end) : 'unknown'
                     });
                 }
+                node.arguments.forEach((arg, index) => {
+                    const argCode = sourceCode.substring(arg.start, arg.end);
+                    // Improved check: Does the expression contain any variable we know is tainted?
+                    const isArgTainted = argCode.includes('process.env') || flows.some(f => {
+                        const regex = new RegExp(`\\b${f.toVar}\\b`);
+                        return regex.test(argCode);
+                    });
+                    if (isArgTainted) {
+                        const funcNode = this.findFunctionDefinition(calleeCode, ast);
+                        if (funcNode && funcNode.params[index]) {
+                            const paramName = funcNode.params[index].name;
+                            flows.push({
+                                fromVar: argCode,
+                                toVar: `${calleeCode}:${paramName}`,
+                                file: filePath,
+                                line: node.loc.start.line
+                            });
+                        }
+                    }
+                });
             },
             MemberExpression: (node) => {
-                const objectCode = this.getSourceCode(node.object);
+                const objectCode = sourceCode.substring(node.object.start, node.object.end);
                 if (objectCode === 'process.env' || objectCode === 'process["env"]' || objectCode === "process['env']") {
                     const property = node.property.name || (node.property.type === 'Literal' ? node.property.value : null);
                     const whitelist = ['NODE_ENV', 'TIMING', 'DEBUG', 'VERBOSE', 'CI', 'APPDATA', 'HOME', 'USERPROFILE', 'PATH', 'PWD'];
                     if (whitelist.includes(property)) return;
-                    this.facts.ENV_READ.push({
+                    facts.ENV_READ.push({
                         file: filePath,
                         line: node.loc.start.line,
                         variable: property ? `process.env.${property}` : 'process.env'
@@ -88,8 +138,8 @@ class ASTCollector {
             },
             VariableDeclarator: (node) => {
                 if (node.init && node.id.type === 'Identifier') {
-                    const from = this.getSourceCode(node.init);
-                    this.flows.push({
+                    const from = sourceCode.substring(node.init.start, node.init.end);
+                    flows.push({
                         fromVar: from,
                         toVar: node.id.name,
                         file: filePath,
@@ -99,10 +149,9 @@ class ASTCollector {
             },
             AssignmentExpression: (node) => {
                 if (node.left.type === 'MemberExpression' && node.right.type === 'Identifier') {
-                    // Track property assignments: obj.prop = taintedVar
-                    const from = this.getSourceCode(node.right);
-                    const to = this.getSourceCode(node.left);
-                    this.flows.push({
+                    const from = sourceCode.substring(node.right.start, node.right.end);
+                    const to = sourceCode.substring(node.left.start, node.left.end);
+                    flows.push({
                         fromVar: from,
                         toVar: to,
                         file: filePath,
@@ -111,17 +160,16 @@ class ASTCollector {
                 }
             },
             ObjectExpression: (node, state, ancestors) => {
-                // Track object literal property assignments: const x = { p: process.env }
                 const parent = ancestors[ancestors.length - 2];
                 if (parent && parent.type === 'VariableDeclarator' && parent.id.type === 'Identifier') {
                     const objName = parent.id.name;
                     node.properties.forEach(prop => {
-                        if (prop.value.type === 'MemberExpression') {
-                            const valCode = this.getSourceCode(prop.value);
-                            if (valCode.includes('process.env')) {
-                                this.flows.push({
+                        if (prop.value.type === 'MemberExpression' || prop.value.type === 'Identifier') {
+                            const valCode = sourceCode.substring(prop.value.start, prop.value.end);
+                            if (valCode.includes('process.env') || flows.some(f => f.toVar === valCode)) {
+                                flows.push({
                                     fromVar: valCode,
-                                    toVar: `${objName}.${this.getSourceCode(prop.key)}`,
+                                    toVar: `${objName}.${sourceCode.substring(prop.key.start, prop.key.end)}`,
                                     file: filePath,
                                     line: prop.loc.start.line
                                 });
@@ -132,26 +180,63 @@ class ASTCollector {
             }
         });
-        return { facts: this.facts, flows: this.flows };
+        return { facts, flows };
     }
     isNetworkSink(calleeCode) {
-        const methodSinks = ['http.request', 'https.request', 'http.get', 'https.get', 'net.connect', 'dns.lookup', 'dns.resolve', 'fetch', 'axios'];
-        // Match methods like http.request but avoid requestIdleCallback or local 'request' variables
+        const methodSinks = [
+            'http.request', 'https.request', 'http.get', 'https.get',
+            'net.connect', 'dns.lookup', 'dns.resolve', 'dns.resolve4', 'dns.resolve6',
+            'fetch', 'axios', 'request'
+        ];
+        // Improved matching for require('https').get patterns
         return methodSinks.some(sink => {
-            return calleeCode === sink || calleeCode.endsWith('.' + sink);
+            if (calleeCode === sink) return true;
+            if (calleeCode.endsWith('.' + sink)) return true;
+            // Catch cases like require('https').get
+            if (sink.includes('.') && calleeCode.endsWith(sink.split('.')[1]) && calleeCode.includes(sink.split('.')[0])) return true;
+            return false;
         }) && !calleeCode.includes('IdleCallback');
     }
-    isSensitiveFileRead(calleeCode, node) {
+    isShellSink(calleeCode) {
+        const shellSinks = ['child_process.exec', 'child_process.spawn', 'child_process.execSync', 'exec', 'spawn', 'execSync'];
+        return shellSinks.some(sink => {
+            if (calleeCode === sink) return true;
+            if (calleeCode.endsWith('.' + sink)) return true;
+            if (sink.includes('.') && calleeCode.endsWith(sink.split('.')[1]) && calleeCode.includes(sink.split('.')[0])) return true;
+            return false;
+        });
+    }
+    isEncoder(calleeCode) {
+        const encoders = ['Buffer.from', 'btoa', 'atob'];
+        return encoders.some(enc => calleeCode === enc || calleeCode.endsWith('.' + enc));
+    }
+    findFunctionDefinition(name, ast) {
+        let found = null;
+        walk.simple(ast, {
+            FunctionDeclaration: (node) => {
+                if (node.id.name === name) found = node;
+            },
+            VariableDeclarator: (node) => {
+                if (node.id.name === name && node.init && (node.init.type === 'ArrowFunctionExpression' || node.init.type === 'FunctionExpression')) {
+                    found = node.init;
+                }
+            }
+        });
+        return found;
+    }
+    isSensitiveFileRead(calleeCode, node, sourceCode) {
         if (!calleeCode.includes('fs.readFile') && !calleeCode.includes('fs.readFileSync') &&
             !calleeCode.includes('fs.promises.readFile')) return false;
         if (node.arguments.length > 0 && node.arguments[0].type === 'Literal') {
-            const path = String(node.arguments[0].value);
+            const pathValue = String(node.arguments[0].value);
             const sensitive = ['.ssh', '.env', 'shadow', 'passwd', 'credentials', 'token'];
-            return sensitive.some((s) => path.toLowerCase().includes(s));
+            return sensitive.some((s) => pathValue.toLowerCase().includes(s));
         }
         return false;
     }

package/src/engine.js CHANGED Viewed

@@ -27,7 +27,15 @@ class SafetyEngine {
         // Check required facts
         for (const req of rule.requires) {
-            const matchedFacts = facts[req] || [];
+            let matchedFacts = facts[req] || [];
+            // Special case for dynamic require (which shares DYNAMIC_EXECUTION fact type)
+            if (rule.alias === 'DYNAMIC_REQUIRE_DEPENDENCY') {
+                matchedFacts = matchedFacts.filter(f => f.type === 'dynamic_require');
+            } else if (req === 'DYNAMIC_EXECUTION') {
+                matchedFacts = matchedFacts.filter(f => f.type !== 'dynamic_require');
+            }
             if (matchedFacts.length === 0) return null; // Rule not matched
             triggers.push(...matchedFacts.map(f => ({ ...f, type: req })));
         }
@@ -38,31 +46,37 @@ class SafetyEngine {
                 const matchedOpts = facts[opt] || [];
                 if (matchedOpts.length > 0) {
                     triggers.push(...matchedOpts.map(f => ({ ...f, type: opt })));
-                    baseScore += 20; // Bonus for optional matches (e.g., obfuscation)
+                    baseScore += 20;
                 }
             }
         }
-        // Apply Lifecycle Multiplier (1.8x)
+        // Apply Lifecycle Multiplier (2.0x for V2)
         const isInLifecycle = triggers.some(t => lifecycleFiles.has(t.file));
         if (isInLifecycle) {
-            multiplier = 1.8;
+            multiplier = 2.0;
+        }
+        // Encoder Multiplier (1.5x)
+        const hasEncoder = facts['ENCODER_USE'] && facts['ENCODER_USE'].length > 0;
+        if (hasEncoder) {
+            multiplier *= 1.5;
         }
         // Cluster Bonus: Source + Sink
         const hasSource = triggers.some(t => t.type.includes('READ'));
-        const hasSink = triggers.some(t => t.type.includes('SINK') || t.type === 'DYNAMIC_EXECUTION');
+        const hasSink = triggers.some(t => t.type.includes('SINK') || t.type === 'DYNAMIC_EXECUTION' || t.type === 'SHELL_EXECUTION');
         if (hasSource && hasSink) {
             baseScore += 40;
         }
         let finalScore = baseScore * multiplier;
-        // Lifecycle Guard: ENV_READ + NETWORK_SINK + lifecycleContext = min 85 (High)
+        // Severe Cluster: ENV_READ + (NETWORK_SINK | SHELL_EXECUTION) + lifecycleContext = Critical (100)
         const isEnvRead = triggers.some(t => t.type === 'ENV_READ');
-        const isNetworkSink = triggers.some(t => t.type === 'NETWORK_SINK');
-        if (isEnvRead && isNetworkSink && isInLifecycle && finalScore < 85) {
-            finalScore = 85;
+        const isDangerousSink = triggers.some(t => t.type === 'NETWORK_SINK' || t.type === 'SHELL_EXECUTION');
+        if (isEnvRead && isDangerousSink && isInLifecycle) {
+            finalScore = 100;
         }
         return {

package/src/lifecycle.js CHANGED Viewed

@@ -5,11 +5,12 @@ class LifecycleResolver {
     constructor(packageDir) {
         this.packageDir = packageDir;
         this.lifecycleFiles = new Set();
+        this.detectedScripts = {};
     }
     resolve() {
         const packageJsonPath = path.join(this.packageDir, 'package.json');
-        if (!fs.existsSync(packageJsonPath)) return this.lifecycleFiles;
+        if (!fs.existsSync(packageJsonPath)) return { files: this.lifecycleFiles, scripts: this.detectedScripts };
         try {
             const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
@@ -19,6 +20,7 @@ class LifecycleResolver {
             for (const hook of lifecycleHooks) {
                 if (scripts[hook]) {
+                    this.detectedScripts[hook] = scripts[hook];
                     this.extractFilesFromScript(scripts[hook]);
                 }
             }
@@ -26,7 +28,7 @@ class LifecycleResolver {
             // Ignore parse errors
         }
-        return this.lifecycleFiles;
+        return { files: this.lifecycleFiles, scripts: this.detectedScripts };
     }
     extractFilesFromScript(script) {

package/src/lockfile.js ADDED Viewed

@@ -0,0 +1,99 @@
+const fs = require('node:fs');
+const path = require('node:path');
+class LockfileAuditor {
+    constructor(packageDir) {
+        this.packageDir = packageDir;
+        this.findings = [];
+    }
+    audit() {
+        const lockfiles = [
+            { name: 'package-lock.json', type: 'npm' },
+            { name: 'pnpm-lock.yaml', type: 'pnpm' },
+            { name: 'bun.lockb', type: 'bun' }
+        ];
+        for (const lock of lockfiles) {
+            const fullPath = path.join(this.packageDir, lock.name);
+            if (fs.existsSync(fullPath)) {
+                this.auditLockfile(fullPath, lock.type);
+            }
+        }
+        return this.findings;
+    }
+    auditLockfile(filePath, type) {
+        const content = fs.readFileSync(filePath, 'utf8');
+        if (type === 'npm') {
+            try {
+                const lock = JSON.parse(content);
+                this.checkNpmDependencies(lock.dependencies || lock.packages || {});
+            } catch (e) { }
+        } else if (type === 'pnpm') {
+            // pnpm-lock.yaml regex-based scanning (to avoid heavy yaml parser)
+            this.scanTextForUntrustedSources(content, 'pnpm');
+        } else if (type === 'bun') {
+            // bun.lockb is binary, but often contains readable URLs or has a text counterpart
+            this.scanTextForUntrustedSources(content, 'bun');
+        }
+    }
+    scanTextForUntrustedSources(content, type) {
+        // Look for git+ssh, git+https, github:, or non-npm https urls
+        const lines = content.split('\n');
+        lines.forEach((line, index) => {
+            const gitMatch = line.match(/(git\+ssh|git\+https|github:|[a-zA-Z0-9.\-_]+\/[a-zA-Z0-9.\-_]+#[a-f0-9]+)/);
+            if (gitMatch) {
+                this.findings.push({
+                    type: 'UNTRUSTED_GIT_SOURCE',
+                    package: `Line ${index + 1}`,
+                    source: gitMatch[0],
+                    severity: 'Medium'
+                });
+            }
+            const httpMatch = line.match(/https?:\/\/(?!(registry\.npmjs\.org|registry\.yarnpkg\.com))[a-zA-Z0-9.\-/_]+/);
+            if (httpMatch) {
+                this.findings.push({
+                    type: 'NON_STANDARD_REGISTRY',
+                    package: `Line ${index + 1}`,
+                    source: httpMatch[0],
+                    severity: 'High'
+                });
+            }
+        });
+    }
+    checkNpmDependencies(deps) {
+        for (const [name, info] of Object.entries(deps)) {
+            if (!name) continue;
+            const resolved = info.resolved || (info.version ? info.version : '');
+            // Detect Git Dependencies
+            if (resolved.includes('git+') || resolved.includes('github:')) {
+                this.findings.push({
+                    type: 'UNTRUSTED_GIT_SOURCE',
+                    package: name,
+                    source: resolved,
+                    severity: 'Medium'
+                });
+            }
+            // Detect HTTP based installs
+            if (resolved.startsWith('http:') || (resolved.startsWith('https:') && !resolved.includes('registry.npmjs.org'))) {
+                this.findings.push({
+                    type: 'NON_STANDARD_REGISTRY',
+                    package: name,
+                    source: resolved,
+                    severity: 'High'
+                });
+            }
+        }
+    }
+}
+module.exports = LockfileAuditor;

package/src/rules/definitions.js CHANGED Viewed

@@ -31,13 +31,30 @@ const RULES = [
         requires: ['OBFUSCATION', 'DYNAMIC_EXECUTION'],
         baseScore: 40,
         description: 'Detection of high-entropy strings being executed via eval or Function constructor.'
+    },
+    {
+        id: 'ZFT-005',
+        alias: 'SHELL_COMMAND_EXECUTION',
+        name: 'Shell Command Execution',
+        requires: ['SHELL_EXECUTION'],
+        optional: ['ENV_READ', 'FILE_READ_SENSITIVE'],
+        baseScore: 50,
+        description: 'Detection of shell command execution (child_process).'
+    },
+    {
+        id: 'ZFT-006',
+        alias: 'DYNAMIC_REQUIRE_DEPENDENCY',
+        name: 'Dynamic Require Dependency',
+        requires: ['DYNAMIC_EXECUTION'], // Will check if type === 'dynamic_require' in engine
+        baseScore: 30,
+        description: 'Detection of dynamic require calls where the dependency name is a variable.'
     }
 ];
 const CATEGORIES = {
     SOURCES: ['ENV_READ', 'FILE_READ_SENSITIVE'],
-    SINKS: ['NETWORK_SINK', 'DYNAMIC_EXECUTION'],
-    OBFUSCATION: ['OBFUSCATION'],
+    SINKS: ['NETWORK_SINK', 'DYNAMIC_EXECUTION', 'SHELL_EXECUTION'],
+    SIGNALS: ['OBFUSCATION', 'ENCODER_USE'],
     PERSISTENCE: ['FILE_WRITE_STARTUP']
 };

package/src/scanner.js CHANGED Viewed

@@ -3,6 +3,7 @@ const path = require('node:path');
 const ASTCollector = require('./collector');
 const LifecycleResolver = require('./lifecycle');
 const SafetyEngine = require('./engine');
+const { getHash } = require('./utils/hash');
 class PackageScanner {
     constructor(packageDir) {
@@ -13,8 +14,15 @@ class PackageScanner {
     }
     async scan() {
-        const lifecycleFiles = this.lifecycleResolver.resolve();
+        const { files: lifecycleFiles, scripts } = this.lifecycleResolver.resolve();
         const files = await this.getFiles();
+        this.detectedLifecycleScripts = scripts; // Store for formatter
+        // Initialize cache directory
+        const cacheDir = path.join(this.packageDir, 'node_modules', '.zift-cache');
+        if (!fs.existsSync(cacheDir)) {
+            try { fs.mkdirSync(cacheDir, { recursive: true }); } catch (e) { }
+        }
         let allFacts = {
             facts: {
@@ -23,29 +31,60 @@ class PackageScanner {
                 NETWORK_SINK: [],
                 DYNAMIC_EXECUTION: [],
                 OBFUSCATION: [],
-                FILE_WRITE_STARTUP: []
+                FILE_WRITE_STARTUP: [],
+                SHELL_EXECUTION: [],
+                ENCODER_USE: []
             },
             flows: []
         };
-        for (const file of files) {
-            const relativePath = path.relative(this.packageDir, file);
+        const pkgVersion = require('../package.json').version;
-            // Refined ignore logic
-            const ignorePatterns = ['node_modules', '.git', 'test', 'dist', 'coverage', 'docs', '.github'];
-            if (ignorePatterns.some(p => relativePath.includes(p)) || relativePath.startsWith('.')) continue;
+        // Parallel processing with limited concurrency (8 files at a time)
+        const concurrency = 8;
+        for (let i = 0; i < files.length; i += concurrency) {
+            const chunk = files.slice(i, i + concurrency);
+            await Promise.all(chunk.map(async (file) => {
+                const stats = fs.statSync(file);
+                if (stats.size > 512 * 1024) return;
-            const stats = fs.statSync(file);
-            if (stats.size > 512 * 1024) continue; // Skip files > 512KB
+                const code = fs.readFileSync(file, 'utf8');
+                const fileHash = getHash(code + pkgVersion);
+                const cachePath = path.join(cacheDir, fileHash + '.json');
-            const code = fs.readFileSync(file, 'utf8');
-            const { facts, flows } = this.collector.collect(code, file);
+                let facts = {}, flows = [];
-            // Merge facts
-            for (const category in facts) {
-                allFacts.facts[category].push(...facts[category]);
-            }
-            allFacts.flows.push(...flows);
+                if (fs.existsSync(cachePath)) {
+                    // Cache hit: Load metadata
+                    try {
+                        const cached = JSON.parse(fs.readFileSync(cachePath, 'utf8'));
+                        facts = cached.facts || {};
+                        flows = cached.flows || [];
+                    } catch (e) {
+                        // Corrupt cache: re-scan
+                        const result = this.collector.collect(code, file);
+                        facts = result.facts;
+                        flows = result.flows;
+                    }
+                } else {
+                    // Cache miss: Scan and save
+                    const result = this.collector.collect(code, file);
+                    facts = result.facts;
+                    flows = result.flows;
+                    try {
+                        fs.writeFileSync(cachePath, JSON.stringify({ facts, flows }));
+                    } catch (e) { }
+                }
+                // Merge facts (Synchronized)
+                for (const category in facts) {
+                    if (allFacts.facts[category]) {
+                        allFacts.facts[category].push(...facts[category]);
+                    }
+                }
+                allFacts.flows.push(...flows);
+            }));
         }
         const findings = this.engine.evaluate(allFacts, lifecycleFiles);
@@ -53,17 +92,28 @@ class PackageScanner {
     }
     async getFiles() {
+        // Load .ziftignore
+        const ziftIgnorePath = path.join(this.packageDir, '.ziftignore');
+        let ignoreLines = ['node_modules', '.git', 'dist', 'build', 'coverage', 'test', 'tests'];
+        if (fs.existsSync(ziftIgnorePath)) {
+            const content = fs.readFileSync(ziftIgnorePath, 'utf8');
+            ignoreLines = [...ignoreLines, ...content.split('\n').map(l => l.trim()).filter(l => l && !l.startsWith('#'))];
+        }
         const getJsFiles = (dir) => {
             const results = [];
             const list = fs.readdirSync(dir);
             for (const file of list) {
                 const fullPath = path.join(dir, file);
+                const relativePath = path.relative(this.packageDir, fullPath);
+                // Simple ignore check
+                if (ignoreLines.some(pattern => relativePath.includes(pattern) || file === pattern)) continue;
+                if (file.startsWith('.') && file !== '.ziftignore') continue;
                 const stat = fs.statSync(fullPath);
                 if (stat && stat.isDirectory()) {
-                    const ignoreDirs = ['node_modules', '.git', 'dist', 'build', 'coverage', 'test', 'tests'];
-                    if (!ignoreDirs.includes(file) && !file.startsWith('.')) {
-                        results.push(...getJsFiles(fullPath));
-                    }
+                    results.push(...getJsFiles(fullPath));
                 } else if (file.endsWith('.js')) {
                     results.push(fullPath);
                 }
@@ -76,23 +126,26 @@ class PackageScanner {
     formatFindings(findings) {
         const sorted = findings.sort((a, b) => b.score - a.score);
-        return sorted.map(f => {
-            let classification = 'Low';
-            if (f.score >= 90) classification = 'Critical';
-            else if (f.score >= 70) classification = 'High';
-            else if (f.score >= 50) classification = 'Medium';
-            return {
-                ...f,
-                classification,
-                triggers: f.triggers.map(t => ({
-                    type: t.type,
-                    file: path.relative(this.packageDir, t.file),
-                    line: t.line,
-                    context: t.reason || t.callee || t.variable || t.path
-                }))
-            };
-        });
+        return {
+            results: sorted.map(f => {
+                let classification = 'Low';
+                if (f.score >= 90) classification = 'Critical';
+                else if (f.score >= 70) classification = 'High';
+                else if (f.score >= 50) classification = 'Medium';
+                return {
+                    ...f,
+                    classification,
+                    triggers: f.triggers.map(t => ({
+                        type: t.type,
+                        file: path.relative(this.packageDir, t.file),
+                        line: t.line,
+                        context: t.reason || t.callee || t.variable || t.path
+                    }))
+                };
+            }),
+            lifecycleScripts: this.detectedLifecycleScripts
+        };
     }
 }

package/src/utils/hash.js ADDED Viewed

@@ -0,0 +1,7 @@
+const crypto = require('node:crypto');
+function getHash(data) {
+    return crypto.createHash('sha256').update(data).digest('hex');
+}
+module.exports = { getHash };

package/src/utils/typo.js ADDED Viewed

@@ -0,0 +1,43 @@
+function levenshtein(s1, s2) {
+    const scores = [];
+    for (let i = 0; i <= s1.length; i++) {
+        let lastValue = i;
+        for (let j = 0; j <= s2.length; j++) {
+            if (i === 0) {
+                scores[j] = j;
+            } else if (j > 0) {
+                let newValue = scores[j - 1];
+                if (s1.charAt(i - 1) !== s2.charAt(j - 1)) {
+                    newValue = Math.min(Math.min(newValue, lastValue), scores[j]) + 1;
+                }
+                scores[j - 1] = lastValue;
+                lastValue = newValue;
+            }
+        }
+        if (i > 0) scores[s2.length] = lastValue;
+    }
+    return scores[s2.length];
+}
+const TOP_PACKAGES = [
+    'react', 'vue', 'axios', 'express', 'lodash', 'moment', 'next', 'react-dom',
+    'chalk', 'commander', 'fs-extra', 'glob', 'inquirer', 'jest', 'request',
+    'typescript', 'webpack', 'babel-core', 'eslint', 'prettier'
+];
+function checkTyposquat(name) {
+    if (!name || TOP_PACKAGES.includes(name)) return null;
+    for (const top of TOP_PACKAGES) {
+        const distance = levenshtein(name, top);
+        if (distance === 1 || (distance === 2 && top.length >= 5)) {
+            return {
+                target: top,
+                distance: distance
+            };
+        }
+    }
+    return null;
+}
+module.exports = { checkTyposquat };