@lateos/npm-scan 0.15.0 → 0.15.1

package/backend/detectors/atk-002-obfusc.js

@@ -1,3 +1,45 @@
+const DIST_BUILD_PATTERNS = [/\/dist\//, /\/build\//, /\/bundle/, /\/min\//, /\.min\.js$/, /\.bundled?\.js$/];
+const TEST_FIXTURE_PATTERNS = [/\/test\//, /\/tests\//, /\/__tests__\//, /\/spec\//, /\.test\.js$/, /\.spec\.js$/, /fixtures?/];
+const LIFECYCLE_HOOK_PATTERNS = [/postinstall/, /preinstall/, /['"]install['"]/, /['"]prepare['"]/];
+const KNOWN_SAFE_DOMAINS = [
+  'registry.npmjs.org', 'cdn.jsdelivr.net', 'unpkg.com', 'cdn.skypack.dev',
+  'esm.sh', 'deno.land', 'raw.githubusercontent.com', 'github.com',
+  'npmjs.com', 'nodejs.org', 'v8.dev', 'typescriptlang.org'
+];
+
+function extractUrlDomain(code) {
+  const urlMatch = code.match(/https?:\/\/([^/'"\s]+)/);
+  return urlMatch ? urlMatch[1] : null;
+}
+
+function isDistOrBuild(filePath) {
+  return DIST_BUILD_PATTERNS.some(p => p.test(filePath));
+}
+
+function isTestOrFixture(filePath) {
+  return TEST_FIXTURE_PATTERNS.some(p => p.test(filePath));
+}
+
+function isLifecycleHook(code) {
+  return LIFECYCLE_HOOK_PATTERNS.some(p => p.test(code));
+}
+
+function isKnownSafeDomain(domain) {
+  if (!domain) return false;
+  return KNOWN_SAFE_DOMAINS.some(safe => domain === safe || domain.endsWith('.' + safe));
+}
+
+function createContext(filePath, code) {
+  return {
+    file_path: filePath,
+    is_dist_build: isDistOrBuild(filePath),
+    is_test_fixture: isTestOrFixture(filePath),
+    is_lifecycle_hook: isLifecycleHook(code),
+    url_domain: extractUrlDomain(code),
+    is_known_safe_domain: isKnownSafeDomain(extractUrlDomain(code)),
+  };
+}
+
 export async function scan(pkgJson, files = []) {
   const findings = [];
   const pkgName = pkgJson?.name || '';
@@ -5,6 +47,7 @@ export async function scan(pkgJson, files = []) {
 
   for (const f of files) {
     const code = f.content;
+    const ctx = createContext(f.path, code);
 
     const hasEval = /eval\(|new Function\(|\bFunction\('/.test(code);
 
@@ -19,7 +62,8 @@ export async function scan(pkgJson, files = []) {
           severity: 'medium',
           title: 'Obfuscated payload',
           description: hexDecode ? 'Eval with hex-decoded payload' : 'Eval with base64-decoded payload',
-          evidence: 'eval + decode pattern detected'
+          evidence: 'eval + decode pattern detected',
+          context: ctx,
         });
         return findings;
       }
@@ -32,7 +76,8 @@ export async function scan(pkgJson, files = []) {
             severity: 'high',
             title: 'Obfuscated payload',
             description: 'Double-encoded nested payload',
-            evidence: 'nested encode/decode detected'
+            evidence: 'nested encode/decode detected',
+            context: { ...ctx, is_multi_layer: true },
           });
           return findings;
         }
@@ -48,7 +93,8 @@ export async function scan(pkgJson, files = []) {
           severity: 'medium',
           title: 'Obfuscated payload',
           description: 'Decoded string containing URL/fetch call',
-          evidence: 'obfuscation with network call'
+          evidence: 'obfuscation with network call',
+          context: ctx,
         });
         return findings;
       }
@@ -60,7 +106,8 @@ export async function scan(pkgJson, files = []) {
         severity: 'medium',
         title: 'Obfuscated payload',
         description: 'Eval with String.fromCharCode obfuscation',
-        evidence: 'charcode obfuscation detected'
+        evidence: 'charcode obfuscation detected',
+        context: ctx,
       });
       return findings;
     }
@@ -79,7 +126,8 @@ export async function scan(pkgJson, files = []) {
           severity: 'high',
           title: 'Obfuscated payload',
           description: 'Shell-code obfuscation pattern',
-          evidence: p.source.substring(0, 60)
+          evidence: p.source.substring(0, 60),
+          context: ctx,
         });
         return findings;
       }

package/backend/policy.js

@@ -4,10 +4,77 @@ import { load as yamlLoad } from 'js-yaml';
 const SEVERITY_ORDER = ['none', 'low', 'medium', 'high', 'critical'];
 const VALID_SEVERITIES = new Set(SEVERITY_ORDER);
 
+const KNOWN_REPUTABLE_PACKAGES = new Set([
+  'react', 'react-dom', 'vue', 'angular', 'next', 'nuxt',
+  'express', 'fastify', 'hono', 'koa', 'connect',
+  'webpack', 'vite', 'rollup', 'esbuild', 'typescript', 'babel-core',
+  'lodash', 'ramda', 'underscore',
+  'axios', 'node-fetch', 'got', 'superagent',
+  'sequelize', 'prisma', 'typeorm', 'mongoose',
+  'jest', 'mocha', 'vitest', 'ava',
+  'prettier', 'eslint', 'stylelint',
+  'socket.io', 'ws',
+  'rimraf', 'glob', 'minimatch', 'fs-extra',
+]);
+
 function severityIndex(s) {
   return SEVERITY_ORDER.indexOf(s);
 }
 
+function matchesFilePath(filePath, pattern) {
+  if (!pattern) return false;
+  if (pattern === '*') return true;
+  const regexPattern = pattern
+    .replace(/\./g, '\\.')
+    .replace(/\*\*/g, '___DOUBLE_STAR___')
+    .replace(/\*/g, '[^/]*')
+    .replace(/___DOUBLE_STAR___/g, '.*');
+  return new RegExp(`^${regexPattern}$`).test(filePath);
+}
+
+function matchesContext(finding, rule) {
+  const ctx = finding.context;
+  if (!ctx) return false;
+
+  if (rule.context?.is_dist_build === true && !ctx.is_dist_build) return false;
+  if (rule.context?.is_dist_build === false && ctx.is_dist_build) return false;
+  if (rule.context?.is_test_fixture === true && !ctx.is_test_fixture) return false;
+  if (rule.context?.is_test_fixture === false && ctx.is_test_fixture) return false;
+  if (rule.context?.is_lifecycle_hook === true && !ctx.is_lifecycle_hook) return false;
+  if (rule.context?.is_lifecycle_hook === false && ctx.is_lifecycle_hook) return false;
+  if (rule.context?.is_known_safe_domain === true && !ctx.is_known_safe_domain) return false;
+  if (rule.context?.is_known_safe_domain === false && ctx.is_known_safe_domain) return false;
+
+  if (rule.context?.file_path && !matchesFilePath(ctx.file_path, rule.context.file_path)) return false;
+  if (rule.context?.url_domain) {
+    if (!ctx.url_domain) return false;
+    const domainPattern = rule.context.url_domain.replace(/\*/g, '.*');
+    if (!new RegExp(`^${domainPattern}$`).test(ctx.url_domain)) return false;
+  }
+
+  return true;
+}
+
+function getPackageReputationTier(pkgName) {
+  const name = pkgName?.replace(/^@/, '').replace(/\/.*/, '') || '';
+  if (KNOWN_REPUTABLE_PACKAGES.has(name)) return 'trusted';
+  return 'unknown';
+}
+
+function matchesSuppressRule(finding, pkgName, rule) {
+  if (rule.atk_id !== (finding.atk_id || finding.id)) return false;
+  if (rule.package && rule.package !== '*' && rule.package !== pkgName) return false;
+
+  if (rule.context && !matchesContext(finding, rule)) return false;
+
+  if (rule.reputation_tier) {
+    const tier = getPackageReputationTier(pkgName);
+    if (rule.reputation_tier !== tier && !(rule.reputation_tier === '*' || rule.reputation_tier === 'any')) return false;
+  }
+
+  return true;
+}
+
 function loadPolicy(path) {
   const raw = readFileSync(path, 'utf8').trim();
   let policy;
@@ -63,6 +130,8 @@ function sanitizePolicy(policy) {
       atk_id: r.atk_id,
       package: r.package || '*',
       reason: r.reason || '',
+      context: r.context || null,
+      reputation_tier: r.reputation_tier || null,
     })),
   };
 }
@@ -73,19 +142,15 @@ function isAllowed(packageName, policy) {
   return policy.allow.packages.some(p => p === packageName || p === nameOnly);
 }
 
-function matchesSuppressRule(finding, pkgName, rule) {
-  if (rule.atk_id !== (finding.atk_id || finding.id)) return false;
-  if (rule.package === '*') return true;
-  return rule.package === pkgName;
-}
-
 function applyPolicy(findings, packageName, policy) {
   let filtered = [...findings];
 
   if (policy.suppress.length) {
-    filtered = filtered.filter(f =>
-      !policy.suppress.some(r => matchesSuppressRule(f, packageName, r))
-    );
+    filtered = filtered.filter(f => {
+      if (f.context?.is_lifecycle_hook) return true;
+      if (f.context?.is_multi_layer) return true;
+      return !policy.suppress.some(r => matchesSuppressRule(f, packageName, r));
+    });
   }
 
   filtered = filtered.map(f => {
@@ -108,4 +173,4 @@ function checkFailOn(findings, policy) {
   return findings.some(f => severityIndex(f.severity) >= threshold);
 }
 
-export { loadPolicy, applyPolicy, isAllowed };
+export { loadPolicy, applyPolicy, isAllowed, getPackageReputationTier, matchesContext };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.15.0",
+  "version": "0.15.1",
   "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
   "main": "backend/index.js",
   "bin": {
@@ -34,9 +34,9 @@
     "corpus": "node tests/corpus/run.js"
   },
   "lint-staged": {
-    "**/package{,-lock}.json": "node cli/cli.js scan-lockfile --fail-on high",
-    "**/yarn.lock": "node cli/cli.js scan-lockfile --fail-on high --yarn",
-    "**/pnpm-lock.yaml": "node cli/cli.js scan-lockfile --fail-on high --pnpm"
+    "**/package{,-lock}.json": "sh -c 'node cli/cli.js scan-lockfile --fail-on high'",
+    "**/yarn.lock": "sh -c 'node cli/cli.js scan-lockfile --fail-on high --yarn'",
+    "**/pnpm-lock.yaml": "sh -c 'node cli/cli.js scan-lockfile --fail-on high --pnpm'"
   },
   "publishConfig": {
     "access": "public"