@lateos/npm-scan 0.16.0 → 0.16.5

package/backend/siem/cef.js

@@ -1,33 +1,33 @@
-export function generateCEF(scans) {
-  const entries = [];
-  for (const s of scans) {
-    for (const f of (s.findings || [])) {
-      const atkId = f.atk_id || f.id;
-      const desc = (f.description || f.title || '').replace(/\\/g, '\\\\').replace(/\|/g, '\\|');
-      const sevMap = { critical: 10, high: 8, medium: 5, low: 2 };
-      const sev = sevMap[f.severity] || 5;
-      const pkgName = (s.package_name || 'unknown').replace(/\|/g, '\\|');
-      const pkgVer = (s.version || '').replace(/\|/g, '\\|');
-      entries.push([
-        'CEF:0',
-        'npm-scan',
-        'npm-scan',
-        process.env.npm_package_version || '0.4.0',
-        atkId,
-        desc,
-        String(sev),
-        `suser=${pkgName} ${pkgVer}`,
-        `msg=${desc}`,
-        `cs1=${atkId}`,
-        `cs1Label=atkId`,
-        `cs2=${f.severity}`,
-        `cs2Label=severity`,
-        `cs3=${pkgName}`,
-        `cs3Label=package`,
-        `cs4=${pkgVer}`,
-        `cs4Label=version`,
-      ].join('|'));
-    }
-  }
-  return entries.join('\n');
+export function generateCEF(scans) {
+  const entries = [];
+  for (const s of scans) {
+    for (const f of (s.findings || [])) {
+      const atkId = f.atk_id || f.id;
+      const desc = (f.description || f.title || '').replace(/\\/g, '\\\\').replace(/\|/g, '\\|');
+      const sevMap = { critical: 10, high: 8, medium: 5, low: 2 };
+      const sev = sevMap[f.severity] || 5;
+      const pkgName = (s.package_name || 'unknown').replace(/\|/g, '\\|');
+      const pkgVer = (s.version || '').replace(/\|/g, '\\|');
+      entries.push([
+        'CEF:0',
+        'npm-scan',
+        'npm-scan',
+        process.env.npm_package_version || '0.4.0',
+        atkId,
+        desc,
+        String(sev),
+        `suser=${pkgName} ${pkgVer}`,
+        `msg=${desc}`,
+        `cs1=${atkId}`,
+        `cs1Label=atkId`,
+        `cs2=${f.severity}`,
+        `cs2Label=severity`,
+        `cs3=${pkgName}`,
+        `cs3Label=package`,
+        `cs4=${pkgVer}`,
+        `cs4Label=version`,
+      ].join('|'));
+    }
+  }
+  return entries.join('\n');
 }

package/backend/siem/ecs.js

@@ -1,41 +1,41 @@
-export function generateECS(scans) {
-  const events = [];
-  for (const s of scans) {
-    for (const f of (s.findings || [])) {
-      const atkId = f.atk_id || f.id;
-      const sevMap = { critical: 100, high: 80, medium: 50, low: 20 };
-      events.push({
-        '@timestamp': new Date().toISOString(),
-        event: {
-          kind: 'alert',
-          category: 'threat',
-          type: ['indicator', 'threat'],
-          action: 'npm-scan-detected',
-          severity: sevMap[f.severity] || 50,
-        },
-        message: `[${atkId}] ${f.severity.toUpperCase()}: ${f.description || f.title || 'Unknown finding'}`,
-        log: { level: f.severity },
-        observer: {
-          vendor: 'Lateos',
-          product: 'npm-scan',
-          version: process.env.npm_package_version || '0.7.0',
-        },
-        labels: {
-          package: s.package_name || 'unknown',
-          version: s.version || 'unknown',
-          atk_id: atkId,
-          severity: f.severity,
-        },
-        vulnerability: {
-          classification: 'npm-supply-chain',
-          reference: `https://npm-scan.io/atk/${atkId}`,
-          id: atkId,
-          description: f.description || f.title || null,
-          enumeration: 'ATK',
-        },
-        file: f.evidence ? { name: f.evidence } : undefined,
-      });
-    }
-  }
-  return events.map(e => JSON.stringify(e)).join('\n');
+export function generateECS(scans) {
+  const events = [];
+  for (const s of scans) {
+    for (const f of (s.findings || [])) {
+      const atkId = f.atk_id || f.id;
+      const sevMap = { critical: 100, high: 80, medium: 50, low: 20 };
+      events.push({
+        '@timestamp': new Date().toISOString(),
+        event: {
+          kind: 'alert',
+          category: 'threat',
+          type: ['indicator', 'threat'],
+          action: 'npm-scan-detected',
+          severity: sevMap[f.severity] || 50,
+        },
+        message: `[${atkId}] ${f.severity.toUpperCase()}: ${f.description || f.title || 'Unknown finding'}`,
+        log: { level: f.severity },
+        observer: {
+          vendor: 'Lateos',
+          product: 'npm-scan',
+          version: process.env.npm_package_version || '0.7.0',
+        },
+        labels: {
+          package: s.package_name || 'unknown',
+          version: s.version || 'unknown',
+          atk_id: atkId,
+          severity: f.severity,
+        },
+        vulnerability: {
+          classification: 'npm-supply-chain',
+          reference: `https://npm-scan.io/atk/${atkId}`,
+          id: atkId,
+          description: f.description || f.title || null,
+          enumeration: 'ATK',
+        },
+        file: f.evidence ? { name: f.evidence } : undefined,
+      });
+    }
+  }
+  return events.map(e => JSON.stringify(e)).join('\n');
 }

package/backend/siem/index.js

@@ -1,19 +1,19 @@
-import { generateCEF } from './cef.js';
-import { generateECS } from './ecs.js';
-import { generateSentinel } from './sentinel.js';
-import { generateQRadar } from './qradar.js';
-
-export function generateSIEM(scans, format = 'cef') {
-  switch (format) {
-    case 'cef':
-      return generateCEF(scans);
-    case 'ecs':
-      return generateECS(scans);
-    case 'sentinel':
-      return generateSentinel(scans);
-    case 'qradar':
-      return generateQRadar(scans);
-    default:
-      throw new Error(`Unknown SIEM format: ${format}. Supported: cef, ecs, sentinel, qradar`);
-  }
+import { generateCEF } from './cef.js';
+import { generateECS } from './ecs.js';
+import { generateSentinel } from './sentinel.js';
+import { generateQRadar } from './qradar.js';
+
+export function generateSIEM(scans, format = 'cef') {
+  switch (format) {
+    case 'cef':
+      return generateCEF(scans);
+    case 'ecs':
+      return generateECS(scans);
+    case 'sentinel':
+      return generateSentinel(scans);
+    case 'qradar':
+      return generateQRadar(scans);
+    default:
+      throw new Error(`Unknown SIEM format: ${format}. Supported: cef, ecs, sentinel, qradar`);
+  }
 }

package/backend/siem/qradar.js

@@ -1,57 +1,57 @@
-export function generateQRadar(scans) {
-  const events = [];
-  for (const s of scans) {
-    for (const f of (s.findings || [])) {
-      const atkId = f.atk_id || f.id;
-      events.push({
-        source: 'npm-scan',
-        version: process.env.npm_package_version || '0.7.0',
-        devicetime: new Date().toISOString(),
-        devicepayload: [
-          s.package_name || 'unknown',
-          s.version || 'unknown',
-          atkId,
-          f.severity,
-          f.title || f.description || '',
-          f.evidence || '',
-        ].join('\t'),
-        devicevendor: 'Lateos',
-        devicename: 'npm-scan',
-        deviceproduct: 'npm-scan',
-        atk_id: atkId,
-        severity: f.severity,
-        package_name: s.package_name || 'unknown',
-        package_version: s.version || 'unknown',
-        finding_title: f.title || f.description || '',
-        finding_description: f.description || f.title || '',
-        evidence: f.evidence || '',
-        mitigation: f.mitigation || '',
-        raw_category: 'NPM Supply Chain Threat',
-        qid: _qrQid(f.severity),
-        category: _qrCategory(f.severity),
-      });
-    }
-  }
-  return events.map(e => JSON.stringify(e)).join('\n');
-}
-
-const QID_MAP = {
-  critical: 90050001,
-  high: 90050002,
-  medium: 90050003,
-  low: 90050004,
-};
-
-function _qrQid(severity) {
-  return QID_MAP[severity] || 90050003;
-}
-
-function _qrCategory(severity) {
-  const map = {
-    critical: 'Critical Severity Malware',
-    high: 'High Severity Malware',
-    medium: 'Medium Severity Malware',
-    low: 'Low Severity Malware',
-  };
-  return map[severity] || 'Medium Severity Malware';
+export function generateQRadar(scans) {
+  const events = [];
+  for (const s of scans) {
+    for (const f of (s.findings || [])) {
+      const atkId = f.atk_id || f.id;
+      events.push({
+        source: 'npm-scan',
+        version: process.env.npm_package_version || '0.7.0',
+        devicetime: new Date().toISOString(),
+        devicepayload: [
+          s.package_name || 'unknown',
+          s.version || 'unknown',
+          atkId,
+          f.severity,
+          f.title || f.description || '',
+          f.evidence || '',
+        ].join('\t'),
+        devicevendor: 'Lateos',
+        devicename: 'npm-scan',
+        deviceproduct: 'npm-scan',
+        atk_id: atkId,
+        severity: f.severity,
+        package_name: s.package_name || 'unknown',
+        package_version: s.version || 'unknown',
+        finding_title: f.title || f.description || '',
+        finding_description: f.description || f.title || '',
+        evidence: f.evidence || '',
+        mitigation: f.mitigation || '',
+        raw_category: 'NPM Supply Chain Threat',
+        qid: _qrQid(f.severity),
+        category: _qrCategory(f.severity),
+      });
+    }
+  }
+  return events.map(e => JSON.stringify(e)).join('\n');
+}
+
+const QID_MAP = {
+  critical: 90050001,
+  high: 90050002,
+  medium: 90050003,
+  low: 90050004,
+};
+
+function _qrQid(severity) {
+  return QID_MAP[severity] || 90050003;
+}
+
+function _qrCategory(severity) {
+  const map = {
+    critical: 'Critical Severity Malware',
+    high: 'High Severity Malware',
+    medium: 'Medium Severity Malware',
+    low: 'Low Severity Malware',
+  };
+  return map[severity] || 'Medium Severity Malware';
 }

package/backend/siem/sentinel.js

@@ -1,28 +1,28 @@
-export function generateSentinel(scans) {
-  const events = [];
-  for (const s of scans) {
-    for (const f of (s.findings || [])) {
-      const atkId = f.atk_id || f.id;
-      events.push({
-        TimeGenerated: new Date().toISOString(),
-        Computer: process.env.COMPUTERNAME || process.env.HOSTNAME || 'npm-scan-host',
-        SourceSystem: 'npm-scan',
-        DeviceVendor: 'Lateos',
-        DeviceProduct: 'npm-scan',
-        DeviceVersion: process.env.npm_package_version || '0.7.0',
-        SeverityLevel: f.severity,
-        Severity: f.severity.toUpperCase(),
-        EventType: 'npm-supply-chain-threat',
-        ATKId: atkId,
-        FindingTitle: f.title || f.description || '',
-        FindingDescription: f.description || f.title || '',
-        Evidence: f.evidence || '',
-        PackageName: s.package_name || 'unknown',
-        PackageVersion: s.version || 'unknown',
-        Mitigation: f.mitigation || '',
-        ThreatClassification: 'npm-supply-chain',
-      });
-    }
-  }
-  return JSON.stringify(events, null, 2);
+export function generateSentinel(scans) {
+  const events = [];
+  for (const s of scans) {
+    for (const f of (s.findings || [])) {
+      const atkId = f.atk_id || f.id;
+      events.push({
+        TimeGenerated: new Date().toISOString(),
+        Computer: process.env.COMPUTERNAME || process.env.HOSTNAME || 'npm-scan-host',
+        SourceSystem: 'npm-scan',
+        DeviceVendor: 'Lateos',
+        DeviceProduct: 'npm-scan',
+        DeviceVersion: process.env.npm_package_version || '0.7.0',
+        SeverityLevel: f.severity,
+        Severity: f.severity.toUpperCase(),
+        EventType: 'npm-supply-chain-threat',
+        ATKId: atkId,
+        FindingTitle: f.title || f.description || '',
+        FindingDescription: f.description || f.title || '',
+        Evidence: f.evidence || '',
+        PackageName: s.package_name || 'unknown',
+        PackageVersion: s.version || 'unknown',
+        Mitigation: f.mitigation || '',
+        ThreatClassification: 'npm-supply-chain',
+      });
+    }
+  }
+  return JSON.stringify(events, null, 2);
 }

package/backend/vsix-scan/detectors/activation-event-risk.js

@@ -1,116 +1,116 @@
-const ACTIVATION_RISK_MATRIX = {
-  '*': { base: 'critical', label: 'Wildcard (all files)' },
-  'onStartupFinished': { base: 'high', label: 'Startup finished' },
-  'workspaceContains:**/*': { base: 'high', label: 'Workspace contains wildcard' },
-  'workspaceContains': { base: 'high', label: 'Workspace contains' },
-  'onCommand:*': { base: 'low', label: 'Any command' },
-};
-
-const DEFAULT_BASE_RISK = 'medium';
-
-const ESCALATION_KEYWORDS = [
-  'npx', 'bun', 'curl', 'wget', 'fetch(',
-  'exec(', 'spawn(', 'execSync', 'spawnSync',
-  'child_process', 'shell: true', 'detached: true',
-];
-
-const BUNDLED_BUN_PATTERN = /bun|runtime/;
-
-const SIZE_DELTA_THRESHOLD = 400 * 1024;
-
-const SHELL_CMDS = ['npx', 'bun', 'curl', 'wget', 'exec', 'spawn', 'execSync'];
-
-export async function checkActivationEventRisk(extensionManifest, versionHistory = [], priorVersions = []) {
-  const signals = [];
-
-  const activationEvents = extensionManifest?.activationEvents || [];
-  if (activationEvents.length === 0 && extensionManifest?.main) {
-    return { triggered: false, signals: [], riskLevel: null, why: [] };
-  }
-
-  let maxBaseRisk = 0;
-  const riskLabels = ['none', 'low', 'medium', 'high', 'critical'];
-  const riskValues = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };
-
-  let worstEvent = null;
-  const why = [];
-
-  for (const event of activationEvents) {
-    const risk = ACTIVATION_RISK_MATRIX[event];
-    if (risk) {
-      const baseIdx = riskValues[risk.base] || riskValues[DEFAULT_BASE_RISK];
-      if (baseIdx > maxBaseRisk) {
-        maxBaseRisk = baseIdx;
-        worstEvent = event;
-      }
-    } else if (event.includes('*') && event !== 'onCommand:*') {
-      const baseIdx = riskValues['high'];
-      if (baseIdx > maxBaseRisk) {
-        maxBaseRisk = baseIdx;
-        worstEvent = event;
-      }
-    }
-  }
-
-  const contributes = extensionManifest?.contributes || {};
-  const commands = contributes?.commands || [];
-  const cmdTitles = commands.map(c => (c.title || '').toLowerCase()).join(' ');
-
-  const bundledDeps = extensionManifest?.bundledDependencies || [];
-  const bundledStr = Array.isArray(bundledDeps) ? bundledDeps.join(' ') : '';
-
-  const hasShellKeyword = SHELL_CMDS.some(cmd => cmdTitles.includes(cmd));
-  const hasBunBundled = BUNDLED_BUN_PATTERN.test(bundledStr);
-
-  const activationEventsStr = activationEvents.join(' ');
-  const hasShellInActivationContext = ESCALATION_KEYWORDS.some(kw => activationEventsStr.toLowerCase().includes(kw.toLowerCase()));
-
-  let escalateToCritical = false;
-
-  if (hasShellKeyword || hasBunBundled || hasShellInActivationContext) {
-    escalateToCritical = true;
-    why.push('HIGH activation event + shell/execution keywords');
-  }
-
-  if (versionHistory.length >= 2) {
-    const sizes = versionHistory
-      .filter(v => v.assetSize)
-      .map(v => v.assetSize)
-      .sort((a, b) => b - a);
-
-    if (sizes.length >= 2 && (sizes[0] - sizes[sizes.length - 1]) > SIZE_DELTA_THRESHOLD) {
-      escalateToCritical = true;
-      why.push(`HIGH activation event + version size delta > ${SIZE_DELTA_THRESHOLD} bytes`);
-    }
-  }
-
-  const priorActivationEvents = priorVersions
-    .filter(v => v.activationEvents)
-    .flatMap(v => v.activationEvents);
-
-  if (priorActivationEvents.length > 0) {
-    const newEvents = activationEvents.filter(e => !priorActivationEvents.includes(e));
-    if (newEvents.length > 0) {
-      why.push(`First-time activation event(s) added: ${newEvents.join(', ')}`);
-      if (!escalateToCritical && maxBaseRisk >= riskValues['high']) {
-        escalateToCritical = true;
-      }
-    }
-  }
-
-  let riskLevel = maxBaseRisk > 0 ? riskLabels[maxBaseRisk] : null;
-  if (escalateToCritical && riskValues[riskLevel] <= riskValues['high']) {
-    riskLevel = 'critical';
-  }
-
-  if (!riskLevel) return { triggered: false, signals: [], riskLevel: null, why: [] };
-
-  signals.push({
-    type: 'ACTIVATION_EVENT_RISK',
-    activationEvents,
-    riskLevel,
-    why,
-  });
-
-  return { triggered: true, signals, riskLevel, why };
-}
+const ACTIVATION_RISK_MATRIX = {
+  '*': { base: 'critical', label: 'Wildcard (all files)' },
+  'onStartupFinished': { base: 'high', label: 'Startup finished' },
+  'workspaceContains:**/*': { base: 'high', label: 'Workspace contains wildcard' },
+  'workspaceContains': { base: 'high', label: 'Workspace contains' },
+  'onCommand:*': { base: 'low', label: 'Any command' },
+};
+
+const DEFAULT_BASE_RISK = 'medium';
+
+const ESCALATION_KEYWORDS = [
+  'npx', 'bun', 'curl', 'wget', 'fetch(',
+  'exec(', 'spawn(', 'execSync', 'spawnSync',
+  'child_process', 'shell: true', 'detached: true',
+];
+
+const BUNDLED_BUN_PATTERN = /bun|runtime/;
+
+const SIZE_DELTA_THRESHOLD = 400 * 1024;
+
+const SHELL_CMDS = ['npx', 'bun', 'curl', 'wget', 'exec', 'spawn', 'execSync'];
+
+export async function checkActivationEventRisk(extensionManifest, versionHistory = [], priorVersions = []) {
+  const signals = [];
+
+  const activationEvents = extensionManifest?.activationEvents || [];
+  if (activationEvents.length === 0 && extensionManifest?.main) {
+    return { triggered: false, signals: [], riskLevel: null, why: [] };
+  }
+
+  let maxBaseRisk = 0;
+  const riskLabels = ['none', 'low', 'medium', 'high', 'critical'];
+  const riskValues = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };
+
+  let worstEvent = null;
+  const why = [];
+
+  for (const event of activationEvents) {
+    const risk = ACTIVATION_RISK_MATRIX[event];
+    if (risk) {
+      const baseIdx = riskValues[risk.base] || riskValues[DEFAULT_BASE_RISK];
+      if (baseIdx > maxBaseRisk) {
+        maxBaseRisk = baseIdx;
+        worstEvent = event;
+      }
+    } else if (event.includes('*') && event !== 'onCommand:*') {
+      const baseIdx = riskValues['high'];
+      if (baseIdx > maxBaseRisk) {
+        maxBaseRisk = baseIdx;
+        worstEvent = event;
+      }
+    }
+  }
+
+  const contributes = extensionManifest?.contributes || {};
+  const commands = contributes?.commands || [];
+  const cmdTitles = commands.map(c => (c.title || '').toLowerCase()).join(' ');
+
+  const bundledDeps = extensionManifest?.bundledDependencies || [];
+  const bundledStr = Array.isArray(bundledDeps) ? bundledDeps.join(' ') : '';
+
+  const hasShellKeyword = SHELL_CMDS.some(cmd => cmdTitles.includes(cmd));
+  const hasBunBundled = BUNDLED_BUN_PATTERN.test(bundledStr);
+
+  const activationEventsStr = activationEvents.join(' ');
+  const hasShellInActivationContext = ESCALATION_KEYWORDS.some(kw => activationEventsStr.toLowerCase().includes(kw.toLowerCase()));
+
+  let escalateToCritical = false;
+
+  if (hasShellKeyword || hasBunBundled || hasShellInActivationContext) {
+    escalateToCritical = true;
+    why.push('HIGH activation event + shell/execution keywords');
+  }
+
+  if (versionHistory.length >= 2) {
+    const sizes = versionHistory
+      .filter(v => v.assetSize)
+      .map(v => v.assetSize)
+      .sort((a, b) => b - a);
+
+    if (sizes.length >= 2 && (sizes[0] - sizes[sizes.length - 1]) > SIZE_DELTA_THRESHOLD) {
+      escalateToCritical = true;
+      why.push(`HIGH activation event + version size delta > ${SIZE_DELTA_THRESHOLD} bytes`);
+    }
+  }
+
+  const priorActivationEvents = priorVersions
+    .filter(v => v.activationEvents)
+    .flatMap(v => v.activationEvents);
+
+  if (priorActivationEvents.length > 0) {
+    const newEvents = activationEvents.filter(e => !priorActivationEvents.includes(e));
+    if (newEvents.length > 0) {
+      why.push(`First-time activation event(s) added: ${newEvents.join(', ')}`);
+      if (!escalateToCritical && maxBaseRisk >= riskValues['high']) {
+        escalateToCritical = true;
+      }
+    }
+  }
+
+  let riskLevel = maxBaseRisk > 0 ? riskLabels[maxBaseRisk] : null;
+  if (escalateToCritical && riskValues[riskLevel] <= riskValues['high']) {
+    riskLevel = 'critical';
+  }
+
+  if (!riskLevel) return { triggered: false, signals: [], riskLevel: null, why: [] };
+
+  signals.push({
+    type: 'ACTIVATION_EVENT_RISK',
+    activationEvents,
+    riskLevel,
+    why,
+  });
+
+  return { triggered: true, signals, riskLevel, why };
+}