@lateos/npm-scan 0.14.0 → 0.15.1

package/README.md

@@ -3,8 +3,8 @@
 [![npm version](https://img.shields.io/npm/v/@lateos/npm-scan?style=flat-square)](https://www.npmjs.com/package/@lateos/npm-scan)
 [![License](https://img.shields.io/badge/license-Apache%202.0%20%2B%20Commons%20Clause-blue?style=flat-square)](LICENSING.md)
 [![Node](https://img.shields.io/badge/node-%3E%3D18-brightgreen?style=flat-square)](package.json)
-[![Tests](https://img.shields.io/badge/tests-222%20passing-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
-[![Coverage](https://img.shields.io/badge/coverage-85%25-yellowgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
+[![Tests](https://img.shields.io/badge/tests-324%20passing-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
+[![Coverage](https://img.shields.io/badge/coverage-90%25-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
 [![Docker](https://img.shields.io/badge/docker-lateos%2Fnpm--scan-2496ED?style=flat-square&logo=docker)](https://hub.docker.com/r/lateos/npm-scan)
 [![Sigstore](https://img.shields.io/static/v1?label=Sigstore&message=Provenance&color=green&style=flat-square&logo=sigstore)](https://github.com/lateos-ai/npm-scan/actions/workflows/publish.yml)
 
@@ -71,6 +71,7 @@ Attackers have moved past simple typosquatting. They now ship **obfuscated prein
 | 🛡️ | **Zero telemetry** | No data leaves your machine. No cloud. No callbacks. |
 | 💾 | **Local scan history** | SQLite-backed persistence, zero external dependencies |
 | 🪝 | **Pre-commit hook** | Block threats before commit — one-liner install, scans `package-lock.json` changes |
+| 📎 | **Yarn + pnpm support** | `scan-lockfile` parses `yarn.lock` and `pnpm-lock.yaml` alongside `package-lock.json` |
 
 ---
 
@@ -190,12 +191,16 @@ npm-scan scan --file path/to/malicious-package.tgz
 ### Scan a lockfile
 
 ```bash
-# Scan the current project's dependencies
+# Scan the current project's dependencies (auto-detects npm/yarn/pnpm)
 npm-scan scan-lockfile
 
 # Scan a specific lockfile
 npm-scan scan-lockfile -f ./path/to/package-lock.json
 
+# Scan yarn.lock or pnpm-lock.yaml
+npm-scan scan-lockfile -f ./yarn.lock --yarn
+npm-scan scan-lockfile -f ./pnpm-lock.yaml --pnpm
+
 # Fail CI/CD on high or critical findings (exit code 1)
 npm-scan scan-lockfile --fail-on high
 
@@ -211,7 +216,7 @@ npm-scan scan-lockfile --watch
 # Watch with faster debounce (500ms) — great for dev workflows
 npm-scan scan-lockfile --watch --debounce 500
 
-# Watch monorepo (all package-lock.json files in workspace)
+# Watch monorepo (all lockfiles — npm/yarn/pnpm — in workspace)
 npm-scan scan-lockfile --watch --monorepo
 
 # Output only risk score (0-10) for dashboards/thresholds
@@ -686,8 +691,12 @@ node --test test/detectors-corpus.test.js
 - `test/detectors-corpus.test.js` — 33 malicious + 50 clean tarball integration (offline)
 - `test/fetch.test.js` — tarball extraction, temp directory cleanup
 - `test/policy-edge-cases.test.js` — edge cases in suppress, override, load validation
+- `test/policy.test.js` — policy YAML/JSON load, apply, suppress, severity override tests
 - `test/report-snapshots.test.js` — HTML/text/CRA/PDF format assertions
+- `test/report.test.js` — SARIF, CSV, STIG, risk score format tests
+- `test/lockfile.test.js` — npm/yarn/pnpm parser, auto-detect, ATK-007/011 lockfile tests
 - `test/cli.test.js` — commander integration tests (help, version, scan, report, error handling)
+- `test/cli-lockfile.test.js` — scan-lockfile CLI options, yarn/pnpm/monorepo/watch tests
 
 ### Need help?
 

package/backend/detectors/atk-002-obfusc.js

@@ -1,3 +1,45 @@
+const DIST_BUILD_PATTERNS = [/\/dist\//, /\/build\//, /\/bundle/, /\/min\//, /\.min\.js$/, /\.bundled?\.js$/];
+const TEST_FIXTURE_PATTERNS = [/\/test\//, /\/tests\//, /\/__tests__\//, /\/spec\//, /\.test\.js$/, /\.spec\.js$/, /fixtures?/];
+const LIFECYCLE_HOOK_PATTERNS = [/postinstall/, /preinstall/, /['"]install['"]/, /['"]prepare['"]/];
+const KNOWN_SAFE_DOMAINS = [
+  'registry.npmjs.org', 'cdn.jsdelivr.net', 'unpkg.com', 'cdn.skypack.dev',
+  'esm.sh', 'deno.land', 'raw.githubusercontent.com', 'github.com',
+  'npmjs.com', 'nodejs.org', 'v8.dev', 'typescriptlang.org'
+];
+
+function extractUrlDomain(code) {
+  const urlMatch = code.match(/https?:\/\/([^/'"\s]+)/);
+  return urlMatch ? urlMatch[1] : null;
+}
+
+function isDistOrBuild(filePath) {
+  return DIST_BUILD_PATTERNS.some(p => p.test(filePath));
+}
+
+function isTestOrFixture(filePath) {
+  return TEST_FIXTURE_PATTERNS.some(p => p.test(filePath));
+}
+
+function isLifecycleHook(code) {
+  return LIFECYCLE_HOOK_PATTERNS.some(p => p.test(code));
+}
+
+function isKnownSafeDomain(domain) {
+  if (!domain) return false;
+  return KNOWN_SAFE_DOMAINS.some(safe => domain === safe || domain.endsWith('.' + safe));
+}
+
+function createContext(filePath, code) {
+  return {
+    file_path: filePath,
+    is_dist_build: isDistOrBuild(filePath),
+    is_test_fixture: isTestOrFixture(filePath),
+    is_lifecycle_hook: isLifecycleHook(code),
+    url_domain: extractUrlDomain(code),
+    is_known_safe_domain: isKnownSafeDomain(extractUrlDomain(code)),
+  };
+}
+
 export async function scan(pkgJson, files = []) {
   const findings = [];
   const pkgName = pkgJson?.name || '';
@@ -5,6 +47,7 @@ export async function scan(pkgJson, files = []) {
 
   for (const f of files) {
     const code = f.content;
+    const ctx = createContext(f.path, code);
 
     const hasEval = /eval\(|new Function\(|\bFunction\('/.test(code);
 
@@ -19,7 +62,8 @@ export async function scan(pkgJson, files = []) {
           severity: 'medium',
           title: 'Obfuscated payload',
           description: hexDecode ? 'Eval with hex-decoded payload' : 'Eval with base64-decoded payload',
-          evidence: 'eval + decode pattern detected'
+          evidence: 'eval + decode pattern detected',
+          context: ctx,
         });
         return findings;
       }
@@ -32,7 +76,8 @@ export async function scan(pkgJson, files = []) {
             severity: 'high',
             title: 'Obfuscated payload',
             description: 'Double-encoded nested payload',
-            evidence: 'nested encode/decode detected'
+            evidence: 'nested encode/decode detected',
+            context: { ...ctx, is_multi_layer: true },
           });
           return findings;
         }
@@ -48,7 +93,8 @@ export async function scan(pkgJson, files = []) {
           severity: 'medium',
           title: 'Obfuscated payload',
           description: 'Decoded string containing URL/fetch call',
-          evidence: 'obfuscation with network call'
+          evidence: 'obfuscation with network call',
+          context: ctx,
         });
         return findings;
       }
@@ -60,7 +106,8 @@ export async function scan(pkgJson, files = []) {
         severity: 'medium',
         title: 'Obfuscated payload',
         description: 'Eval with String.fromCharCode obfuscation',
-        evidence: 'charcode obfuscation detected'
+        evidence: 'charcode obfuscation detected',
+        context: ctx,
       });
       return findings;
     }
@@ -79,7 +126,8 @@ export async function scan(pkgJson, files = []) {
           severity: 'high',
           title: 'Obfuscated payload',
           description: 'Shell-code obfuscation pattern',
-          evidence: p.source.substring(0, 60)
+          evidence: p.source.substring(0, 60),
+          context: ctx,
         });
         return findings;
       }

package/backend/license.js

@@ -78,6 +78,10 @@ export function validateLicense(key, feature = '*') {
 
 export function isFeatureEnabled(feature, licenseKey = process.env.NPM_SCAN_LICENSE_KEY) {
   try {
+    if (!licenseKey) {
+      const unlocked = feature === 'scan' || ALLOWED_UNLOCKED.includes(feature);
+      if (unlocked) return true;
+    }
     validateLicense(licenseKey, feature);
     return true;
   } catch {

package/backend/lockfile.js

@@ -126,10 +126,10 @@ function parseYarnLockfile(content, filePath) {
         if (bodyTrim.startsWith('version ')) {
           const vMatch = bodyTrim.match(/^version ['"]([^'"]+)['"]/);
           if (vMatch) version = vMatch[1];
-        } else if (bodyTrim.startsWith('resolved ')) {
-          const rMatch = bodyTrim.match(/^resolved ['"]([^'"]+)['"]/);
+        } else if (bodyTrim.match(/^\s*resolved\s+(.+)/)) {
+          const rMatch = bodyTrim.match(/^\s*resolved\s+(.+)/);
           if (rMatch) {
-            resolved = rMatch[1];
+            resolved = rMatch[1].trim().replace(/^['"]|['"]$/g, '');
             if (resolved.startsWith('https://registry.yarnpkg.com/')) {
               resolved = resolved.replace('https://registry.yarnpkg.com/', 'https://registry.npmjs.org/');
             }

package/backend/policy.js

@@ -4,10 +4,77 @@ import { load as yamlLoad } from 'js-yaml';
 const SEVERITY_ORDER = ['none', 'low', 'medium', 'high', 'critical'];
 const VALID_SEVERITIES = new Set(SEVERITY_ORDER);
 
+const KNOWN_REPUTABLE_PACKAGES = new Set([
+  'react', 'react-dom', 'vue', 'angular', 'next', 'nuxt',
+  'express', 'fastify', 'hono', 'koa', 'connect',
+  'webpack', 'vite', 'rollup', 'esbuild', 'typescript', 'babel-core',
+  'lodash', 'ramda', 'underscore',
+  'axios', 'node-fetch', 'got', 'superagent',
+  'sequelize', 'prisma', 'typeorm', 'mongoose',
+  'jest', 'mocha', 'vitest', 'ava',
+  'prettier', 'eslint', 'stylelint',
+  'socket.io', 'ws',
+  'rimraf', 'glob', 'minimatch', 'fs-extra',
+]);
+
 function severityIndex(s) {
   return SEVERITY_ORDER.indexOf(s);
 }
 
+function matchesFilePath(filePath, pattern) {
+  if (!pattern) return false;
+  if (pattern === '*') return true;
+  const regexPattern = pattern
+    .replace(/\./g, '\\.')
+    .replace(/\*\*/g, '___DOUBLE_STAR___')
+    .replace(/\*/g, '[^/]*')
+    .replace(/___DOUBLE_STAR___/g, '.*');
+  return new RegExp(`^${regexPattern}$`).test(filePath);
+}
+
+function matchesContext(finding, rule) {
+  const ctx = finding.context;
+  if (!ctx) return false;
+
+  if (rule.context?.is_dist_build === true && !ctx.is_dist_build) return false;
+  if (rule.context?.is_dist_build === false && ctx.is_dist_build) return false;
+  if (rule.context?.is_test_fixture === true && !ctx.is_test_fixture) return false;
+  if (rule.context?.is_test_fixture === false && ctx.is_test_fixture) return false;
+  if (rule.context?.is_lifecycle_hook === true && !ctx.is_lifecycle_hook) return false;
+  if (rule.context?.is_lifecycle_hook === false && ctx.is_lifecycle_hook) return false;
+  if (rule.context?.is_known_safe_domain === true && !ctx.is_known_safe_domain) return false;
+  if (rule.context?.is_known_safe_domain === false && ctx.is_known_safe_domain) return false;
+
+  if (rule.context?.file_path && !matchesFilePath(ctx.file_path, rule.context.file_path)) return false;
+  if (rule.context?.url_domain) {
+    if (!ctx.url_domain) return false;
+    const domainPattern = rule.context.url_domain.replace(/\*/g, '.*');
+    if (!new RegExp(`^${domainPattern}$`).test(ctx.url_domain)) return false;
+  }
+
+  return true;
+}
+
+function getPackageReputationTier(pkgName) {
+  const name = pkgName?.replace(/^@/, '').replace(/\/.*/, '') || '';
+  if (KNOWN_REPUTABLE_PACKAGES.has(name)) return 'trusted';
+  return 'unknown';
+}
+
+function matchesSuppressRule(finding, pkgName, rule) {
+  if (rule.atk_id !== (finding.atk_id || finding.id)) return false;
+  if (rule.package && rule.package !== '*' && rule.package !== pkgName) return false;
+
+  if (rule.context && !matchesContext(finding, rule)) return false;
+
+  if (rule.reputation_tier) {
+    const tier = getPackageReputationTier(pkgName);
+    if (rule.reputation_tier !== tier && !(rule.reputation_tier === '*' || rule.reputation_tier === 'any')) return false;
+  }
+
+  return true;
+}
+
 function loadPolicy(path) {
   const raw = readFileSync(path, 'utf8').trim();
   let policy;
@@ -63,6 +130,8 @@ function sanitizePolicy(policy) {
       atk_id: r.atk_id,
       package: r.package || '*',
       reason: r.reason || '',
+      context: r.context || null,
+      reputation_tier: r.reputation_tier || null,
     })),
   };
 }
@@ -73,19 +142,15 @@ function isAllowed(packageName, policy) {
   return policy.allow.packages.some(p => p === packageName || p === nameOnly);
 }
 
-function matchesSuppressRule(finding, pkgName, rule) {
-  if (rule.atk_id !== (finding.atk_id || finding.id)) return false;
-  if (rule.package === '*') return true;
-  return rule.package === pkgName;
-}
-
 function applyPolicy(findings, packageName, policy) {
   let filtered = [...findings];
 
   if (policy.suppress.length) {
-    filtered = filtered.filter(f =>
-      !policy.suppress.some(r => matchesSuppressRule(f, packageName, r))
-    );
+    filtered = filtered.filter(f => {
+      if (f.context?.is_lifecycle_hook) return true;
+      if (f.context?.is_multi_layer) return true;
+      return !policy.suppress.some(r => matchesSuppressRule(f, packageName, r));
+    });
   }
 
   filtered = filtered.map(f => {
@@ -108,4 +173,4 @@ function checkFailOn(findings, policy) {
   return findings.some(f => severityIndex(f.severity) >= threshold);
 }
 
-export { loadPolicy, applyPolicy, isAllowed };
+export { loadPolicy, applyPolicy, isAllowed, getPackageReputationTier, matchesContext };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.14.0",
+  "version": "0.15.1",
   "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
   "main": "backend/index.js",
   "bin": {
@@ -34,9 +34,9 @@
     "corpus": "node tests/corpus/run.js"
   },
   "lint-staged": {
-    "**/package{,-lock}.json": "node cli/cli.js scan-lockfile --fail-on high",
-    "**/yarn.lock": "node cli/cli.js scan-lockfile --fail-on high --yarn",
-    "**/pnpm-lock.yaml": "node cli/cli.js scan-lockfile --fail-on high --pnpm"
+    "**/package{,-lock}.json": "sh -c 'node cli/cli.js scan-lockfile --fail-on high'",
+    "**/yarn.lock": "sh -c 'node cli/cli.js scan-lockfile --fail-on high --yarn'",
+    "**/pnpm-lock.yaml": "sh -c 'node cli/cli.js scan-lockfile --fail-on high --pnpm'"
   },
   "publishConfig": {
     "access": "public"

package/test/fixtures/lockfiles/npm-lock.json

@@ -0,0 +1,69 @@
+{
+  "name": "test-project",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "packages": {
+    "": {
+      "name": "test-project",
+      "version": "1.0.0",
+      "dependencies": {
+        "lodash": "^4.17.21",
+        "axios": "^1.6.0"
+      },
+      "devDependencies": {
+        "@babel/core": "^7.23.0"
+      }
+    },
+    "node_modules/lodash": {
+      "name": "lodash",
+      "version": "4.17.21",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
+      "integrity": "sha512-v2kDEeDAnj4p1hhL6Ogrgu4BSWwg8cD2fRIouDAiqwu+iNl1IvyMex9jG9j8OpNp1zntnv/headququbit",
+      "dependencies": {}
+    },
+    "node_modules/axios": {
+      "name": "axios",
+      "version": "1.6.8",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz",
+      "integrity": "sha512-j2xvyqwsdd456789abcdef",
+      "dependencies": {
+        "form-data": "4.0.0",
+        "proxy-from-env": "1.1.0"
+      }
+    },
+    "node_modules/axios/node_modules/form-data": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz",
+      "integrity": "sha512-444567890123456"
+    },
+    "node_modules/@babel/core": {
+      "name": "@babel/core",
+      "version": "7.23.9",
+      "resolved": "https://registry.yarnpkg.com/@babel/core/-/core-7.23.9.tgz",
+      "integrity": "sha512-5q+M1iEJCOrGJs9NxzG3p3z7w2cJK/QuoRoI2pOJhtcNQjl9y7w6w4At5ZQHZdwqd+5N5G1lULu7I6pXVBw==",
+      "dev": true,
+      "dependencies": {
+        "@babel/generator": "^7.23.6",
+        "@babel/parser": "^7.23.9"
+      }
+    },
+    "node_modules/reakt": {
+      "name": "reakt",
+      "version": "18.2.0",
+      "resolved": "https://registry.yarnpkg.com/reakt/-/reakt-18.2.0.tgz",
+      "integrity": "sha-abcdabcd1234defghi",
+      "optional": true,
+      "dependencies": {}
+    },
+    "node_modules/express": {
+      "name": "express",
+      "version": "4.18.2",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
+      "integrity": "sha512-abcdabcd1234abcdefghi",
+      "dependencies": {
+        "accepts": "~1.3.8",
+        "body-parser": "1.20.2"
+      }
+    }
+  }
+}

package/test/fixtures/lockfiles/yarn.lock

@@ -1,15 +1,15 @@
 lodash@^4.17.21:
   version "4.17.21"
-  resolved "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
+  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz"
   integrity sha512-Vythumb
   dependencies: {}
   dev false
-  optional false
+  optional true
 
 axios@^1.6.0:
   version "1.6.8"
-  resolved "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz"
-  integrity sha512-j2xvyqwsdd456789abcdef
+  resolved "https://registry.yarnpkg.com/axios/-/axios-1.6.8.tgz"
+  integrity sha-j2xvyqwsdd456789abcdef
   dependencies:
     form-data "4.0.0"
     proxy-from-env "1.1.0"
@@ -30,6 +30,7 @@ axios@^1.6.0:
     gensync "^1.0.0-beta.2"
     json5 "^2.2.3"
     semver "^6.3.1"
+    rimraf "^3.0.2"
   dev true
   optional false
 
@@ -45,7 +46,7 @@ axios@^1.6.0:
   dev false
   optional false
 
-reakt@^18.2.0, reakt@^18.2.0::version=18.2.0:
+reakt@^18.2.0:
   version "18.2.0"
   resolved "https://registry.yarnpkg.com/reakt/-/reakt-18.2.0.tgz"
   integrity sha512-abcdabcd1234defghi
@@ -53,7 +54,7 @@ reakt@^18.2.0, reakt@^18.2.0::version=18.2.0:
   dev false
   optional true
 
-"express@npm:expres@^4.18.2", expres@^4.18.2::version=4.18.2:
+express@npm:expres@^4.18.2:
   version "4.18.2"
   resolved "https://registry.npmjs.org/expres-4.18.2.tgz"
   integrity sha512-abcdabcd1234abcdefghi
@@ -92,7 +93,7 @@ reakt@^18.2.0, reakt@^18.2.0::version=18.2.0:
   dev false
   optional false
 
-"my-scope-plugin@npm:my-scope-plugin@^1.0.0", my-scope-plugin@^1.0.0::version=1.0.0:
+"my-scope-plugin@npm:my-scope-plugin@^1.0.0":
   version "1.0.0"
   resolved "https://registry.npmjs.org/my-scope-plugin-1.0.0.tgz"
   integrity sha512-abcdefghijk123456789abcdef