npm - @lateos/npm-scan - Versions diffs - 0.12.3 → 0.13.1 - Mend

@lateos/npm-scan 0.12.3 → 0.13.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/backend/lockfile.js ADDED Viewed

@@ -0,0 +1,152 @@
+import { readFileSync } from 'fs';
+import { resolve, dirname } from 'path';
+import { fileURLToPath } from 'url';
+export function parseLockfile(filePath) {
+  try {
+    const content = readFileSync(filePath, 'utf8');
+    const lockfile = JSON.parse(content);
+    const packages = [];
+    if (lockfile.packages) {
+      for (const [key, pkg] of Object.entries(lockfile.packages)) {
+        if (key === '') continue;
+        const name = pkg.name || key.replace(/^node_modules\//, '').replace(/^[^/]+\//, '');
+        packages.push({
+          name,
+          version: pkg.version || 'unknown',
+          resolved: pkg.resolved || '',
+          integrity: pkg.integrity || '',
+          path: key,
+          peerDeps: pkg.peerDependencies || {},
+          dev: pkg.dev || false,
+          optional: pkg.optional || false,
+          scripts: pkg.scripts || {},
+          dependencies: pkg.dependencies || {}
+        });
+      }
+    }
+    const rootDeps = lockfile.packages?.['node_modules/'] || {};
+    return {
+      version: lockfile.lockfileVersion,
+      packages,
+      root: {
+        name: rootDeps.name || 'unknown',
+        version: rootDeps.version || 'unknown',
+        dependencies: rootDeps.dependencies || {},
+        devDependencies: rootDeps.devDependencies || {},
+        peerDependencies: rootDeps.peerDependencies || {}
+      }
+    };
+  } catch (e) {
+    throw new Error(`Failed to parse lockfile: ${e.message}`);
+  }
+}
+export function checkMaliciousPatterns(pkg) {
+  const findings = [];
+  const name = pkg.name?.toLowerCase() || '';
+  const typosquatPatterns = [
+    /^(lodash|lodahs|lodash-js|lodashexe)$/,
+    /^(axios|axio|ax10s|ax1os)$/,
+    /^(react|reakt|reackt|r3act)$/,
+    /^(express|expres|expresjs|exress)$/,
+    /^(vue|vu3|vujs|vuejs)$/,
+    /^(webpack|webpak|webpackjs)$/,
+  ];
+  for (const pattern of typosquatPatterns) {
+    if (pattern.test(name)) {
+      findings.push({
+        id: 'ATK-007',
+        severity: 'high',
+        title: 'Typosquat detected',
+        description: `Package name "${pkg.name}" is similar to popular packages`,
+        evidence: `similar to ${pattern.source}`
+      });
+    }
+  }
+  return findings;
+}
+export function analyzeDependencyGraph(lockfileData) {
+  const findings = [];
+  const pkgMap = new Map();
+  for (const pkg of lockfileData.packages) {
+    pkgMap.set(pkg.name, pkg);
+  }
+  for (const pkg of lockfileData.packages) {
+    if (pkg.peerDeps && Object.keys(pkg.peerDeps).length > 0) {
+      for (const [peerName, peerVersion] of Object.entries(pkg.peerDeps)) {
+        if (peerName.includes('plugin') || peerName.includes('hook') || peerName.includes('ext')) {
+          findings.push({
+            id: 'ATK-011',
+            severity: 'high',
+            title: 'Transitive propagation (worm)',
+            description: `Package "${pkg.name}" depends on peer "${peerName}@${peerVersion}" - potential worm propagation chain`,
+            evidence: `peer dep chain: ${pkg.name} -> ${peerName}`
+          });
+        }
+      }
+    }
+    if (pkg.dependencies && typeof pkg.dependencies === 'object' && Object.keys(pkg.dependencies).length > 5) {
+      const transitiveCount = Object.keys(pkg.dependencies).filter(k => k.includes('scope')).length;
+      if (transitiveCount > 3) {
+        findings.push({
+          id: 'ATK-011',
+          severity: 'medium',
+          title: 'Transitive propagation (worm)',
+          description: `Package "${pkg.name}" has excessive transitive dependencies (${transitiveCount} scoped)`,
+          evidence: `heavy transitive dep chain: ${pkg.name}`
+        });
+      }
+    }
+  }
+  return findings;
+}
+export function generateLockfileReport(lockfileData) {
+  const total = lockfileData.packages.length;
+  const dev = lockfileData.packages.filter(p => p.dev).length;
+  const optional = lockfileData.packages.filter(p => p.optional).length;
+  const findings = [];
+  for (const pkg of lockfileData.packages) {
+    const maliciousFindings = checkMaliciousPatterns(pkg);
+    findings.push(...maliciousFindings);
+  }
+  findings.push(...analyzeDependencyGraph(lockfileData));
+  return {
+    scanId: Date.now(),
+    package: lockfileData.root.name,
+    version: lockfileData.root.version,
+    totalDependencies: total,
+    devDependencies: dev,
+    optionalDependencies: optional,
+    lockfileVersion: lockfileData.version,
+    findings,
+    riskScore: calculateRiskScore(findings)
+  };
+}
+function calculateRiskScore(findings) {
+  if (!findings.length) return '0.0';
+  const weights = { critical: 10, high: 7, medium: 4, low: 2, info: 0.5 };
+  const maxSeverity = findings.reduce((max, f) => {
+    const w = weights[f.severity] || 0;
+    return Math.max(max, w);
+  }, 0);
+  const countBonus = Math.min(findings.length * 0.3, 3);
+  const score = Math.min(maxSeverity + countBonus, 10);
+  return score.toFixed(1);
+}

package/cli/cli.js CHANGED Viewed

@@ -236,7 +236,46 @@ program
         });
       }
     } else {
-      console.log('Scanning lockfile:', options.file);
+      const lockfile = options.file;
+      try {
+        const { parseLockfile, generateLockfileReport } = await import('../backend/lockfile.js');
+        if (!silent) console.log(`\x1b[32m✔\x1b[0m Scanning lockfile: ${lockfile}`);
+        const lockfileData = parseLockfile(lockfile);
+        const results = generateLockfileReport(lockfileData);
+        if (!silent) {
+          console.log(`  Total deps: ${results.totalDependencies}`);
+          console.log(`  Lockfile version: ${results.lockfileVersion}`);
+          if (results.findings.length > 0) {
+            console.log(`\n\x1b[31m🔴\x1b[0m ${results.findings.length} finding(s) found:\n`);
+            for (const f of results.findings) {
+              const color = f.severity === 'critical' ? '\x1b[31m' : f.severity === 'high' ? '\x1b[91m' : f.severity === 'medium' ? '\x1b[33m' : '\x1b[32m';
+              console.log(`  ${color}${f.severity.toUpperCase().padEnd(8)}\x1b[0m ${f.id}: ${f.title}`);
+              console.log(`           ${f.description}`);
+            }
+          } else {
+            console.log(`\n\x1b[32m✔\x1b[0m No threats found.`);
+          }
+          console.log(`\n\x1b[36mRisk Score: ${results.riskScore}/10\x1b[0m`);
+        }
+        console.log(JSON.stringify(results, null, 2));
+        if (results.findings.length > 0) {
+          const failOn = options.failOn || 'none';
+          if (failOn !== 'none') {
+            const weights = { critical: 5, high: 4, medium: 3, low: 2, info: 1 };
+            const maxWeight = Math.max(...results.findings.map(f => weights[f.severity] || 0));
+            const failThreshold = weights[failOn] || 0;
+            if (maxWeight >= failThreshold) process.exit(1);
+          }
+        }
+      } catch (e) {
+        console.error(`Error: ${e.message}`);
+        process.exit(1);
+      }
     }
   });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.12.3",
+  "version": "0.13.1",
   "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
   "main": "backend/index.js",
   "bin": {