@lateos/npm-scan 0.16.0 → 0.16.5

package/backend/detectors/axios-poisoning/d2-decoy-dep.js

@@ -0,0 +1,24 @@
+const KNOWN_DECOYS = ['plain-crypto-js'];
+
+export function scanDecoyDependency(pkgJson) {
+  const deps = { ...pkgJson?.dependencies, ...pkgJson?.devDependencies, ...pkgJson?.peerDependencies };
+  const findings = [];
+
+  for (const depName of KNOWN_DECOYS) {
+    if (deps[depName]) {
+      findings.push({
+        injectedDependency: depName,
+        pattern: 'Pre-staged decoy for supply chain attack',
+      });
+    }
+  }
+
+  if (findings.length > 0) {
+    return {
+      triggered: true,
+      findings,
+    };
+  }
+
+  return { triggered: false, findings: [] };
+}

package/backend/detectors/axios-poisoning/d3-postinstall-rat.js

@@ -0,0 +1,90 @@
+const SUSPICIOUS_HOOKS = ['postinstall', 'install', 'preinstall'];
+const TEMP_DIR_RE = /(?:os\.tmpdir|tmpdir|temp|%TEMP%|\/tmp|\/var\/tmp)/;
+const POWERSHELL_RE = /powershell|pwsh|cmd\.exe|Invoke-Expression|IEX\s*\(/;
+const LAUNCHD_RE = /\/Library\/Launch(Daemons|Agents)\/|launchctl\s+(load|start|submit)/;
+const SYSTEMD_SERVICE_RE = /\/etc\/systemd\/system\/|systemctl\s+(enable|start|daemon-reload)/;
+const CRON_PERSIST_RE = /crontab\s+-[ei]|@reboot\s+|@daily\s+|@hourly\s+/;
+const DLL_LOAD_RE = /LoadLibrary|dlopen|LoadLibraryEx|lib\.(?:LoadLibrary|dlopen)/;
+const PROCESS_INJECT_RE = /CreateRemoteThread|VirtualAllocEx|WriteProcessMemory|NtCreateThreadEx/;
+const NET_CALLBACK_RE = /(?:https?:\/\/|wss?:\/\/|ws:\/\/)(?:[^\s'"]*\.[^\s'"]{2,})/;
+const BINARY_DROP_RE = /(?:fs\.writeFileSync|writeFile|writeFileSync)\s*\([^)]*(?:\.exe|\.dll|\.bin|\.bat|\.ps1)/;
+
+const SUSPICIOUS_HOOK_PATTERNS = [
+  /curl|wget|fetch|https?:\/\//,
+  /powershell|cmd\.exe|bash\b|sh\b/,
+  /process\.exit|fs\.chmod|exec(?:Sync)?\s*\(/,
+  /spawn|fork|detached/,
+  /systemd|launchctl|crontab|schtasks/,
+  /LoadLibrary|dlopen/,
+  /eval|Function\s*\(/,
+  /__dirname|__filename/,
+];
+
+export function scanPostinstallRAT(pkgJson, files = []) {
+  const scripts = pkgJson?.scripts || {};
+  const code = files.map(f => f.content || '').join('\n');
+
+  const activeHooks = [];
+  for (const hook of SUSPICIOUS_HOOKS) {
+    if (scripts[hook]) {
+      activeHooks.push({ hook, command: scripts[hook] });
+    }
+  }
+
+  if (activeHooks.length === 0) {
+    return { triggered: false, platforms: [], c2Indicators: [], payloadType: null, hooks: [], hasBinaryDrop: false };
+  }
+
+  const combined = code + '\n' + activeHooks.map(h => h.command).join('\n');
+
+  const hasSuspiciousCode = SUSPICIOUS_HOOK_PATTERNS.some(p => p.test(combined));
+
+  if (activeHooks.length > 0 && !hasSuspiciousCode) {
+    return { triggered: false, platforms: [], c2Indicators: [], payloadType: null, hooks: [], hasBinaryDrop: false };
+  }
+
+  const platforms = [];
+  let c2Indicators = [];
+  let hasBinaryDrop = false;
+
+  if (POWERSHELL_RE.test(combined)) platforms.push('windows');
+  if (LAUNCHD_RE.test(combined)) platforms.push('macos');
+  if (SYSTEMD_SERVICE_RE.test(combined) || CRON_PERSIST_RE.test(combined)) platforms.push('linux');
+  if (TEMP_DIR_RE.test(combined) && (POWERSHELL_RE.test(combined) || BINARY_DROP_RE.test(combined))) {
+    if (!platforms.includes('windows')) platforms.push('windows');
+    if (!platforms.includes('linux')) platforms.push('linux');
+    if (!platforms.includes('macos')) platforms.push('macos');
+  }
+
+  if (DLL_LOAD_RE.test(combined)) platforms.push('windows');
+  if (PROCESS_INJECT_RE.test(combined)) platforms.push('windows');
+
+  if (NET_CALLBACK_RE.test(combined)) {
+    const urls = combined.match(NET_CALLBACK_RE);
+    c2Indicators = urls ? [...new Set(urls.map(u => u.replace(/['")]/g, '')))] : ['Network callback to external server'];
+  }
+
+  if (BINARY_DROP_RE.test(combined)) hasBinaryDrop = true;
+
+  let payloadType = null;
+  if (platforms.length >= 2 && c2Indicators.length > 0 && hasBinaryDrop) {
+    payloadType = 'cross_platform_RAT';
+  } else if (hasBinaryDrop && c2Indicators.length > 0) {
+    payloadType = 'network_backdoor';
+  } else if (hasBinaryDrop && platforms.length > 0) {
+    payloadType = 'platform_persistence';
+  }
+
+  if (payloadType) {
+    return {
+      triggered: true,
+      payloadType,
+      platforms: [...new Set(platforms)],
+      c2Indicators,
+      hooks: activeHooks.map(h => h.hook),
+      hasBinaryDrop,
+    };
+  }
+
+  return { triggered: false, platforms: [], c2Indicators: [], payloadType: null, hooks: [], hasBinaryDrop: false };
+}

package/backend/detectors/axios-poisoning/index.js

@@ -0,0 +1,94 @@
+import { scanVersionBlocklist } from './d1-version-fingerprint.js';
+import { scanDecoyDependency } from './d2-decoy-dep.js';
+import { scanPostinstallRAT } from './d3-postinstall-rat.js';
+import { attachProvenance } from '../../provenance.js';
+
+const RULE_SEVERITY = { D1: 'critical', D2: 'critical', D3: 'critical' };
+const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info', 'none'];
+
+function highestSeverity(severities) {
+  for (const s of SEVERITY_ORDER) if (severities.includes(s)) return s;
+  return 'none';
+}
+
+export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
+  const pkgName = pkgJson?.name || 'unknown';
+  const pkgVersion = pkgJson?.version || '0.0.0';
+  const fileList = allFiles || files || [];
+
+  const d1Result = scanVersionBlocklist(pkgJson);
+  if (d1Result.stopCondition) {
+    const evidence = attachProvenance({
+      rule: 'AXS-VER-001',
+      campaign: 'AXIOS_POISONING',
+      triggeredChecks: ['D1'],
+      matchedVersion: d1Result.matchedVersion,
+      action: 'BLOCK_IMMEDIATELY',
+      remediation: `Upgrade to axios@1.14.2 or later, or use pinned safe version`,
+    }, {
+      ruleId: 'AXS-VER-001',
+      ruleName: 'Compromised Axios Version Fingerprinting',
+      severity: 'CRITICAL',
+      campaignName: 'Axios Registry Poisoning',
+      pkgName,
+      pkgVersion,
+      triggered: true,
+      severity: 'critical',
+      indicators: [{ type: 'known_malicious_version', value: `${pkgName}@${pkgVersion}` }],
+      ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/axios-poisoning/d1-version-fingerprint.js',
+      campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+    });
+
+    return [{
+      id: 'AXIOS_POISONING',
+      severity: 'critical',
+      title: 'Axios Registry Poisoning campaign',
+      description: `HALT: ${pkgName}@${pkgVersion} is a known compromised version in the Axios registry poisoning campaign. Block install immediately.`,
+      evidence: JSON.stringify(evidence),
+      mitigation: d1Result.reason ? `BLOCK IMMEDIATELY. ${d1Result.reason}. Upgrade to axios@1.14.2 or later, or use pinned safe version.` : 'BLOCK IMMEDIATELY. Upgrade to a safe version.',
+      stopCondition: true,
+    }];
+  }
+
+  const d2Result = scanDecoyDependency(pkgJson);
+  const d3Result = scanPostinstallRAT(pkgJson, fileList);
+
+  const results = { D1: d1Result, D2: d2Result, D3: d3Result };
+
+  const triggered = Object.entries(results)
+    .filter(([_, r]) => r.triggered)
+    .map(([id]) => id);
+
+  if (triggered.length === 0) return [];
+
+  const severity = highestSeverity(triggered.map(id => RULE_SEVERITY[id]));
+
+  const evidence = attachProvenance({
+    campaign: 'AXIOS_POISONING',
+    triggeredChecks: triggered,
+    details: Object.fromEntries(
+      Object.entries(results).filter(([_, r]) => r.triggered)
+    ),
+  }, {
+    ruleId: 'AXIOS_POISONING',
+    ruleName: 'Axios Registry Poisoning Detection',
+    severity: severity.toUpperCase(),
+    campaignName: 'Axios Registry Poisoning',
+    pkgName,
+    pkgVersion,
+    triggered: true,
+    severity,
+    indicators: triggered.map(id => ({ type: `rule_${id}`, value: RULE_SEVERITY[id] })),
+    ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/axios-poisoning/',
+    campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+  });
+
+  return [{
+    id: 'AXIOS_POISONING',
+    severity,
+    title: 'Axios Registry Poisoning campaign',
+    description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
+    evidence: JSON.stringify(evidence),
+    mitigation: 'If decoy dependency detected: verify all axios dependencies are legitimate. If RAT payload detected: run full malware scan on the system, rotate all credentials, check for unauthorized network connections. Upgrade to axios@1.14.2+ or pin to a known safe version.',
+  }];
+}

package/backend/detectors/cve-2026-48710-badhost/codePattern.js

@@ -1,99 +1,99 @@
-import { codePatternAuthFinding, codePatternInfoFinding } from './findings.js';
-
-const AUTH_CONTEXT_PATHS = [
-  'middleware',
-  'auth',
-  'security',
-  'router',
-  'depends',
-  'guard',
-  'permission',
-];
-
-const URL_PATH_PATTERN = /request\.url\.path|req\.url\.path|self\.request\.url\.path/g;
-const SCOPE_PATH_PATTERN = /request\.scope\s*\[\s*["']path["']\s*\]|request\.scope\.get\s*\(\s*["']path["']\s*\)/g;
-
-function hasAuthContext(filePath) {
-  const lower = filePath.toLowerCase();
-  return AUTH_CONTEXT_PATHS.some(ctx => lower.includes(ctx));
-}
-
-function findFunctionBoundaries(lines) {
-  const functions = [];
-  let currentFn = null;
-  let fnBodyStart = -1;
-  let indent = 0;
-
-  for (let i = 0; i < lines.length; i++) {
-    const line = lines[i];
-    const defMatch = line.match(/^(def\s+\w+|async\s+def\s+\w+)/);
-    if (defMatch) {
-      if (currentFn) {
-        functions.push({ name: currentFn, startLine: fnBodyStart, endLine: i - 1 });
-      }
-      currentFn = defMatch[1];
-      fnBodyStart = i;
-      indent = line.length - line.trimStart().length;
-    } else if (currentFn && line.trim() && line.length - line.trimStart().length <= indent && !line.trim().startsWith('#') && !line.trim().startsWith('@')) {
-      functions.push({ name: currentFn, startLine: fnBodyStart, endLine: i - 1 });
-      currentFn = null;
-    }
-  }
-  if (currentFn) {
-    functions.push({ name: currentFn, startLine: fnBodyStart, endLine: lines.length - 1 });
-  }
-
-  return functions;
-}
-
-function hasScopePathInFunction(lines, fnStart, fnEnd) {
-  for (let i = fnStart; i <= fnEnd && i < lines.length; i++) {
-    if (SCOPE_PATH_PATTERN.test(lines[i])) return true;
-  }
-  return false;
-}
-
-export function scanCodePatterns(allFiles) {
-  const findings = [];
-
-  for (const file of (allFiles || [])) {
-    const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
-    const path = file.path || '';
-    if (!path.endsWith('.py')) continue;
-
-    const lines = content.split('\n');
-    const isAuthContext = hasAuthContext(path);
-    const functions = findFunctionBoundaries(lines);
-    const suppressedLines = new Set();
-
-    for (const fn of functions) {
-      if (hasScopePathInFunction(lines, fn.startLine, fn.endLine)) {
-        for (let i = fn.startLine; i <= fn.endLine && i < lines.length; i++) {
-          if (URL_PATH_PATTERN.test(lines[i])) {
-            suppressedLines.add(i + 1);
-          }
-          URL_PATH_PATTERN.lastIndex = 0;
-        }
-      }
-    }
-
-    if (isAuthContext) {
-      let m;
-      while ((m = URL_PATH_PATTERN.exec(content)) !== null) {
-        const lineNumber = content.slice(0, m.index).split('\n').length;
-        if (suppressedLines.has(lineNumber)) continue;
-        findings.push(codePatternAuthFinding(path, lineNumber));
-      }
-    } else {
-      let m;
-      while ((m = URL_PATH_PATTERN.exec(content)) !== null) {
-        const lineNumber = content.slice(0, m.index).split('\n').length;
-        if (suppressedLines.has(lineNumber)) continue;
-        findings.push(codePatternInfoFinding(path, lineNumber));
-      }
-    }
-  }
-
-  return findings;
-}
+import { codePatternAuthFinding, codePatternInfoFinding } from './findings.js';
+
+const AUTH_CONTEXT_PATHS = [
+  'middleware',
+  'auth',
+  'security',
+  'router',
+  'depends',
+  'guard',
+  'permission',
+];
+
+const URL_PATH_PATTERN = /request\.url\.path|req\.url\.path|self\.request\.url\.path/g;
+const SCOPE_PATH_PATTERN = /request\.scope\s*\[\s*["']path["']\s*\]|request\.scope\.get\s*\(\s*["']path["']\s*\)/g;
+
+function hasAuthContext(filePath) {
+  const lower = filePath.toLowerCase();
+  return AUTH_CONTEXT_PATHS.some(ctx => lower.includes(ctx));
+}
+
+function findFunctionBoundaries(lines) {
+  const functions = [];
+  let currentFn = null;
+  let fnBodyStart = -1;
+  let indent = 0;
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const defMatch = line.match(/^(def\s+\w+|async\s+def\s+\w+)/);
+    if (defMatch) {
+      if (currentFn) {
+        functions.push({ name: currentFn, startLine: fnBodyStart, endLine: i - 1 });
+      }
+      currentFn = defMatch[1];
+      fnBodyStart = i;
+      indent = line.length - line.trimStart().length;
+    } else if (currentFn && line.trim() && line.length - line.trimStart().length <= indent && !line.trim().startsWith('#') && !line.trim().startsWith('@')) {
+      functions.push({ name: currentFn, startLine: fnBodyStart, endLine: i - 1 });
+      currentFn = null;
+    }
+  }
+  if (currentFn) {
+    functions.push({ name: currentFn, startLine: fnBodyStart, endLine: lines.length - 1 });
+  }
+
+  return functions;
+}
+
+function hasScopePathInFunction(lines, fnStart, fnEnd) {
+  for (let i = fnStart; i <= fnEnd && i < lines.length; i++) {
+    if (SCOPE_PATH_PATTERN.test(lines[i])) return true;
+  }
+  return false;
+}
+
+export function scanCodePatterns(allFiles) {
+  const findings = [];
+
+  for (const file of (allFiles || [])) {
+    const content = typeof file.content === 'string' ? file.content : '';
+    if (!content) continue;
+    const path = file.path || '';
+    if (!path.endsWith('.py')) continue;
+
+    const lines = content.split('\n');
+    const isAuthContext = hasAuthContext(path);
+    const functions = findFunctionBoundaries(lines);
+    const suppressedLines = new Set();
+
+    for (const fn of functions) {
+      if (hasScopePathInFunction(lines, fn.startLine, fn.endLine)) {
+        for (let i = fn.startLine; i <= fn.endLine && i < lines.length; i++) {
+          if (URL_PATH_PATTERN.test(lines[i])) {
+            suppressedLines.add(i + 1);
+          }
+          URL_PATH_PATTERN.lastIndex = 0;
+        }
+      }
+    }
+
+    if (isAuthContext) {
+      let m;
+      while ((m = URL_PATH_PATTERN.exec(content)) !== null) {
+        const lineNumber = content.slice(0, m.index).split('\n').length;
+        if (suppressedLines.has(lineNumber)) continue;
+        findings.push(codePatternAuthFinding(path, lineNumber));
+      }
+    } else {
+      let m;
+      while ((m = URL_PATH_PATTERN.exec(content)) !== null) {
+        const lineNumber = content.slice(0, m.index).split('\n').length;
+        if (suppressedLines.has(lineNumber)) continue;
+        findings.push(codePatternInfoFinding(path, lineNumber));
+      }
+    }
+  }
+
+  return findings;
+}

package/backend/detectors/cve-2026-48710-badhost/findings.js

@@ -1,105 +1,105 @@
-const CVE = 'CVE-2026-48710';
-const NICKNAME = 'BadHost';
-const CVSS = 7.0;
-const REFERENCES = [
-  'https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette/',
-  'https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr',
-  'https://badhost.org/',
-  'https://osv.dev/vulnerability/PYSEC-2026-161',
-];
-
-const MITIGATION_NOTE = 'Partial mitigation: Cloudflare and AWS ALB reject malformed Host headers for properly proxied deployments. Direct uvicorn/hypercorn/daphne/granian exposure with no reverse proxy in front is highest risk.';
-
-const DEPENDENCY_REMEDIATION = 'Upgrade starlette to >= 1.0.1. If starlette is inherited transitively through fastapi, vllm, litellm, or an MCP server package, upgrade the top-level package to a version that pins starlette >= 1.0.1. Verify with: pip show starlette.';
-
-const CODE_REMEDIATION = 'Replace request.url.path with request.scope["path"] for all security-sensitive decisions (auth checks, path allowlists, rate limiting gates). The reconstructed request.url is influenced by the unvalidated Host header in Starlette < 1.0.1.';
-
-function makeFinding(overrides = {}) {
-  return {
-    id: CVE,
-    severity: 'high',
-    title: `${NICKNAME} — ${overrides.source || 'unknown'}`,
-    description: '',
-    remediation: '',
-    evidence: JSON.stringify({
-      cve: CVE,
-      nickname: NICKNAME,
-      cvss: CVSS,
-      references: REFERENCES,
-      ...overrides,
-    }),
-    ...overrides,
-  };
-}
-
-export function directDependencyFinding(version, specifier) {
-  return makeFinding({
-    severity: 'high',
-    confidence: 'HIGH',
-    source: 'direct-dependency',
-    title: `${NICKNAME}: Starlette ${version} vulnerable`,
-    description: `Starlette ${version} (${specifier}) is vulnerable to CVE-2026-48710 (BadHost) — authentication bypass via Host header injection. Upgrade to starlette >= 1.0.1.`,
-    remediation: `${DEPENDENCY_REMEDIATION} ${MITIGATION_NOTE}`,
-    file: null,
-    line: null,
-    via: null,
-  });
-}
-
-export function directDependencyUnpinnedFinding() {
-  return makeFinding({
-    severity: 'high',
-    confidence: 'HIGH',
-    source: 'direct-dependency-unpinned',
-    title: `${NICKNAME}: Starlette unpinned`,
-    description: 'Starlette is declared with no version constraint — assume vulnerable to CVE-2026-48710 (BadHost) until pinned to >= 1.0.1.',
-    remediation: `${DEPENDENCY_REMEDIATION} ${MITIGATION_NOTE}`,
-    file: null,
-    line: null,
-    via: null,
-  });
-}
-
-export function transitiveDependencyFinding(packageName, tier) {
-  const confidence = tier === 1 ? 'HIGH' : 'MEDIUM';
-  const tierLabel = tier === 1 ? 'Tier 1' : 'Tier 2';
-  return makeFinding({
-    severity: 'high',
-    confidence,
-    source: 'transitive-dependency',
-    title: `${NICKNAME}: Transitive via ${packageName}`,
-    description: `Starlette not directly pinned; inherited through ${packageName} (${tierLabel}). ${packageName} depends on Starlette — if its version constraint allows Starlette < 1.0.1, your deployment is vulnerable.`,
-    remediation: `${DEPENDENCY_REMEDIATION} ${MITIGATION_NOTE}`,
-    file: null,
-    line: null,
-    via: packageName,
-  });
-}
-
-export function codePatternAuthFinding(filePath, lineNumber) {
-  return makeFinding({
-    severity: 'medium',
-    confidence: 'MEDIUM',
-    source: 'code-pattern',
-    title: `${NICKNAME}: Dangerous path extraction in auth/middleware`,
-    description: `request.url.path used in auth/middleware context at ${filePath}:${lineNumber} — use request.scope['path'] instead. The reconstructed request.url is influenced by the unvalidated Host header in Starlette < 1.0.1.`,
-    remediation: `${CODE_REMEDIATION} ${MITIGATION_NOTE}`,
-    file: filePath,
-    line: lineNumber,
-    via: null,
-  });
-}
-
-export function codePatternInfoFinding(filePath, lineNumber) {
-  return makeFinding({
-    severity: 'info',
-    confidence: 'LOW',
-    source: 'code-pattern',
-    title: `${NICKNAME}: request.url.path usage detected`,
-    description: `request.url.path used at ${filePath}:${lineNumber} — may be influenced by unvalidated Host header in Starlette < 1.0.1. Verify request.scope['path'] is used for security decisions.`,
-    remediation: `${CODE_REMEDIATION} ${MITIGATION_NOTE}`,
-    file: filePath,
-    line: lineNumber,
-    via: null,
-  });
-}
+const CVE = 'CVE-2026-48710';
+const NICKNAME = 'BadHost';
+const CVSS = 7.0;
+const REFERENCES = [
+  'https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette/',
+  'https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr',
+  'https://badhost.org/',
+  'https://osv.dev/vulnerability/PYSEC-2026-161',
+];
+
+const MITIGATION_NOTE = 'Partial mitigation: Cloudflare and AWS ALB reject malformed Host headers for properly proxied deployments. Direct uvicorn/hypercorn/daphne/granian exposure with no reverse proxy in front is highest risk.';
+
+const DEPENDENCY_REMEDIATION = 'Upgrade starlette to >= 1.0.1. If starlette is inherited transitively through fastapi, vllm, litellm, or an MCP server package, upgrade the top-level package to a version that pins starlette >= 1.0.1. Verify with: pip show starlette.';
+
+const CODE_REMEDIATION = 'Replace request.url.path with request.scope["path"] for all security-sensitive decisions (auth checks, path allowlists, rate limiting gates). The reconstructed request.url is influenced by the unvalidated Host header in Starlette < 1.0.1.';
+
+function makeFinding(overrides = {}) {
+  return {
+    id: CVE,
+    severity: 'high',
+    title: `${NICKNAME} — ${overrides.source || 'unknown'}`,
+    description: '',
+    remediation: '',
+    evidence: JSON.stringify({
+      cve: CVE,
+      nickname: NICKNAME,
+      cvss: CVSS,
+      references: REFERENCES,
+      ...overrides,
+    }),
+    ...overrides,
+  };
+}
+
+export function directDependencyFinding(version, specifier) {
+  return makeFinding({
+    severity: 'high',
+    confidence: 'HIGH',
+    source: 'direct-dependency',
+    title: `${NICKNAME}: Starlette ${version} vulnerable`,
+    description: `Starlette ${version} (${specifier}) is vulnerable to CVE-2026-48710 (BadHost) — authentication bypass via Host header injection. Upgrade to starlette >= 1.0.1.`,
+    remediation: `${DEPENDENCY_REMEDIATION} ${MITIGATION_NOTE}`,
+    file: null,
+    line: null,
+    via: null,
+  });
+}
+
+export function directDependencyUnpinnedFinding() {
+  return makeFinding({
+    severity: 'high',
+    confidence: 'HIGH',
+    source: 'direct-dependency-unpinned',
+    title: `${NICKNAME}: Starlette unpinned`,
+    description: 'Starlette is declared with no version constraint — assume vulnerable to CVE-2026-48710 (BadHost) until pinned to >= 1.0.1.',
+    remediation: `${DEPENDENCY_REMEDIATION} ${MITIGATION_NOTE}`,
+    file: null,
+    line: null,
+    via: null,
+  });
+}
+
+export function transitiveDependencyFinding(packageName, tier) {
+  const confidence = tier === 1 ? 'HIGH' : 'MEDIUM';
+  const tierLabel = tier === 1 ? 'Tier 1' : 'Tier 2';
+  return makeFinding({
+    severity: 'high',
+    confidence,
+    source: 'transitive-dependency',
+    title: `${NICKNAME}: Transitive via ${packageName}`,
+    description: `Starlette not directly pinned; inherited through ${packageName} (${tierLabel}). ${packageName} depends on Starlette — if its version constraint allows Starlette < 1.0.1, your deployment is vulnerable.`,
+    remediation: `${DEPENDENCY_REMEDIATION} ${MITIGATION_NOTE}`,
+    file: null,
+    line: null,
+    via: packageName,
+  });
+}
+
+export function codePatternAuthFinding(filePath, lineNumber) {
+  return makeFinding({
+    severity: 'medium',
+    confidence: 'MEDIUM',
+    source: 'code-pattern',
+    title: `${NICKNAME}: Dangerous path extraction in auth/middleware`,
+    description: `request.url.path used in auth/middleware context at ${filePath}:${lineNumber} — use request.scope['path'] instead. The reconstructed request.url is influenced by the unvalidated Host header in Starlette < 1.0.1.`,
+    remediation: `${CODE_REMEDIATION} ${MITIGATION_NOTE}`,
+    file: filePath,
+    line: lineNumber,
+    via: null,
+  });
+}
+
+export function codePatternInfoFinding(filePath, lineNumber) {
+  return makeFinding({
+    severity: 'info',
+    confidence: 'LOW',
+    source: 'code-pattern',
+    title: `${NICKNAME}: request.url.path usage detected`,
+    description: `request.url.path used at ${filePath}:${lineNumber} — may be influenced by unvalidated Host header in Starlette < 1.0.1. Verify request.scope['path'] is used for security decisions.`,
+    remediation: `${CODE_REMEDIATION} ${MITIGATION_NOTE}`,
+    file: filePath,
+    line: lineNumber,
+    via: null,
+  });
+}

package/backend/detectors/cve-2026-48710-badhost/index.js

@@ -1,15 +1,15 @@
-import { scanFiles } from './manifest.js';
-import { scanTransitive } from './transitive.js';
-import { scanCodePatterns } from './codePattern.js';
-
-export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
-  const targetFiles = allFiles || files;
-
-  const manifestFindings = scanFiles(targetFiles);
-  const transitiveFindings = scanTransitive(targetFiles);
-  const codeFindings = scanCodePatterns(targetFiles);
-
-  const allFindings = [...manifestFindings, ...transitiveFindings, ...codeFindings];
-
-  return allFindings;
-}
+import { scanFiles } from './manifest.js';
+import { scanTransitive } from './transitive.js';
+import { scanCodePatterns } from './codePattern.js';
+
+export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
+  const targetFiles = allFiles || files;
+
+  const manifestFindings = scanFiles(targetFiles);
+  const transitiveFindings = scanTransitive(targetFiles);
+  const codeFindings = scanCodePatterns(targetFiles);
+
+  const allFindings = [...manifestFindings, ...transitiveFindings, ...codeFindings];
+
+  return allFindings;
+}