@lateos/npm-scan 0.18.3 → 1.1.0

package/backend/pdf.js

@@ -1,7 +1,12 @@
 import { PDFDocument, StandardFonts, rgb } from 'pdf-lib';
 
 const SEV_ORDER = ['critical', 'high', 'medium', 'low'];
-const SEV_COLORS = { critical: rgb(0.8, 0.2, 0.2), high: rgb(0.75, 0.15, 0.15), medium: rgb(0.9, 0.5, 0.1), low: rgb(0.8, 0.7, 0.1) };
+const SEV_COLORS = {
+  critical: rgb(0.8, 0.2, 0.2),
+  high: rgb(0.75, 0.15, 0.15),
+  medium: rgb(0.9, 0.5, 0.1),
+  low: rgb(0.8, 0.7, 0.1),
+};
 
 const NIST_SR_MAP = {
   'ATK-001': { control: 'SR-3.1', title: 'Malicious code detection' },
@@ -29,24 +34,34 @@ function wrapText(text, font, size, maxWidth) {
   for (const word of words) {
     const test = current ? current + ' ' + word : word;
     if (font.widthOfTextAtSize(test, size) > maxWidth) {
-      if (current) lines.push(current);
+      if (current) {
+        lines.push(current);
+      }
       current = word;
     } else {
       current = test;
     }
   }
-  if (current) lines.push(current);
+  if (current) {
+    lines.push(current);
+  }
   return lines;
 }
 
-function drawTableRow(page, font, columns, y, colWidths, fontSize, isHeader) {
+function _drawTableRow(page, font, columns, y, colWidths, fontSize, _isHeader) {
   let x = MARGIN;
   const rowH = fontSize + 6;
   for (let i = 0; i < columns.length; i++) {
     const text = columns[i];
     const lines = wrapText(text, font, fontSize, colWidths[i] - 4);
     for (let j = 0; j < lines.length; j++) {
-      page.drawText(lines[j], { x: x + 2, y: y - (j * fontSize) - 2, size: fontSize, font, color: rgb(0, 0, 0) });
+      page.drawText(lines[j], {
+        x: x + 2,
+        y: y - j * fontSize - 2,
+        size: fontSize,
+        font,
+        color: rgb(0, 0, 0),
+      });
     }
     x += colWidths[i];
   }
@@ -55,7 +70,12 @@ function drawTableRow(page, font, columns, y, colWidths, fontSize, isHeader) {
 
 function drawPageHeader(page, font, text, y) {
   page.drawText(text, { x: MARGIN, y, size: 14, font, color: rgb(0.2, 0.2, 0.2) });
-  page.drawLine({ start: { x: MARGIN, y: y - 4 }, end: { x: PAGE_W - MARGIN, y: y - 4 }, thickness: 1, color: rgb(0.7, 0.7, 0.7) });
+  page.drawLine({
+    start: { x: MARGIN, y: y - 4 },
+    end: { x: PAGE_W - MARGIN, y: y - 4 },
+    thickness: 1,
+    color: rgb(0.7, 0.7, 0.7),
+  });
   return y - 20;
 }
 
@@ -68,8 +88,10 @@ export async function generatePDF(scans) {
   const sevCounts = { critical: 0, high: 0, medium: 0, low: 0 };
   let totalFindings = 0;
   for (const s of scans) {
-    for (const f of (s.findings || [])) {
-      if (sevCounts[f.severity] !== undefined) sevCounts[f.severity]++;
+    for (const f of s.findings || []) {
+      if (sevCounts[f.severity] !== undefined) {
+        sevCounts[f.severity]++;
+      }
       totalFindings++;
     }
   }
@@ -80,20 +102,41 @@ export async function generatePDF(scans) {
 
   page.drawText('npm-scan Report', { x: MARGIN, y, size: 24, font: boldFont, color: rgb(0, 0, 0) });
   y -= 30;
-  page.drawText(`Generated: ${new Date().toISOString()}`, { x: MARGIN, y, size: 10, font, color: rgb(0.4, 0.4, 0.4) });
+  page.drawText(`Generated: ${new Date().toISOString()}`, {
+    x: MARGIN,
+    y,
+    size: 10,
+    font,
+    color: rgb(0.4, 0.4, 0.4),
+  });
   y -= 14;
-  page.drawText(`Version: ${version}  |  Packages scanned: ${scans.length}  |  Total findings: ${totalFindings}`, { x: MARGIN, y, size: 10, font, color: rgb(0.4, 0.4, 0.4) });
+  page.drawText(
+    `Version: ${version}  |  Packages scanned: ${scans.length}  |  Total findings: ${totalFindings}`,
+    { x: MARGIN, y, size: 10, font, color: rgb(0.4, 0.4, 0.4) }
+  );
   y -= 30;
 
   // Severity summary
-  page.drawText('Severity Summary', { x: MARGIN, y, size: 14, font: boldFont, color: rgb(0, 0, 0) });
+  page.drawText('Severity Summary', {
+    x: MARGIN,
+    y,
+    size: 14,
+    font: boldFont,
+    color: rgb(0, 0, 0),
+  });
   y -= 20;
 
   for (const sev of SEV_ORDER) {
     const count = sevCounts[sev] || 0;
     const color = SEV_COLORS[sev] || rgb(0, 0, 0);
     page.drawCircle({ x: MARGIN + 6, y: y - 4, size: 4, color });
-    page.drawText(`${sev}: ${count}`, { x: MARGIN + 16, y: y - 8, size: 11, font, color: rgb(0, 0, 0) });
+    page.drawText(`${sev}: ${count}`, {
+      x: MARGIN + 16,
+      y: y - 8,
+      size: 11,
+      font,
+      color: rgb(0, 0, 0),
+    });
     y -= 18;
   }
 
@@ -102,15 +145,33 @@ export async function generatePDF(scans) {
   // Per-package summary
   for (const s of scans) {
     const findings = s.findings || [];
-    if (y < MARGIN + 60) { page = doc.addPage([PAGE_W, PAGE_H]); y = PAGE_H - MARGIN; }
+    if (y < MARGIN + 60) {
+      page = doc.addPage([PAGE_W, PAGE_H]);
+      y = PAGE_H - MARGIN;
+    }
 
-    page.drawText(`${s.package_name}@${s.version || 'unknown'}`, { x: MARGIN, y, size: 12, font: boldFont, color: rgb(0, 0, 0) });
+    page.drawText(`${s.package_name}@${s.version || 'unknown'}`, {
+      x: MARGIN,
+      y,
+      size: 12,
+      font: boldFont,
+      color: rgb(0, 0, 0),
+    });
     y -= 16;
-    page.drawText(`  ${findings.length} findings`, { x: MARGIN, y, size: 10, font, color: rgb(0.4, 0.4, 0.4) });
+    page.drawText(`  ${findings.length} findings`, {
+      x: MARGIN,
+      y,
+      size: 10,
+      font,
+      color: rgb(0.4, 0.4, 0.4),
+    });
     y -= 14;
 
     for (const f of findings) {
-      if (y < MARGIN + 20) { page = doc.addPage([PAGE_W, PAGE_H]); y = PAGE_H - MARGIN; }
+      if (y < MARGIN + 20) {
+        page = doc.addPage([PAGE_W, PAGE_H]);
+        y = PAGE_H - MARGIN;
+      }
       const sevColor = SEV_COLORS[f.severity] || rgb(0, 0, 0);
       page.drawCircle({ x: MARGIN + 3, y: y + 2, size: 3, color: sevColor });
       const line = `${f.atk_id || f.id}  ${f.severity}  ${(f.description || f.title || '').slice(0, 70)}`;
@@ -136,8 +197,8 @@ export async function generatePDF(scans) {
   }
   y -= 16;
 
-  lineLoop: for (const s of scans) {
-    for (const f of (s.findings || [])) {
+  for (const s of scans) {
+    for (const f of s.findings || []) {
       if (y < MARGIN + 20) {
         page = doc.addPage([PAGE_W, PAGE_H]);
         y = PAGE_H - MARGIN;
@@ -156,10 +217,12 @@ export async function generatePDF(scans) {
       let maxLines = 1;
       for (let i = 0; i < rowData.length; i++) {
         const lines = wrapText(rowData[i], font, 9, colWidths[i] - 4);
-        if (lines.length > maxLines) maxLines = lines.length;
+        if (lines.length > maxLines) {
+          maxLines = lines.length;
+        }
       }
 
-      if (y - (maxLines * 11) < MARGIN) {
+      if (y - maxLines * 11 < MARGIN) {
         page = doc.addPage([PAGE_W, PAGE_H]);
         y = PAGE_H - MARGIN;
         y = drawPageHeader(page, boldFont, 'All Findings (continued)', y);
@@ -172,14 +235,19 @@ export async function generatePDF(scans) {
         const lines = wrapText(rowData[i], font, 9, colWidths[i] - 4);
         for (let j = 0; j < lines.length; j++) {
           const color = i === 1 && SEV_COLORS[f.severity] ? SEV_COLORS[f.severity] : rgb(0, 0, 0);
-          page.drawText(lines[j], { x: x + 2, y: rowY - (j * 11) - 2, size: 9, font, color });
+          page.drawText(lines[j], { x: x + 2, y: rowY - j * 11 - 2, size: 9, font, color });
         }
         x += colWidths[i];
       }
 
       const lineY = rowY + 2;
-      page.drawLine({ start: { x: MARGIN, y: lineY }, end: { x: PAGE_W - MARGIN, y: lineY }, thickness: 0.5, color: rgb(0.85, 0.85, 0.85) });
-      y = rowY - (maxLines * 11) - 4;
+      page.drawLine({
+        start: { x: MARGIN, y: lineY },
+        end: { x: PAGE_W - MARGIN, y: lineY },
+        thickness: 0.5,
+        color: rgb(0.85, 0.85, 0.85),
+      });
+      y = rowY - maxLines * 11 - 4;
     }
   }
 
@@ -200,9 +268,11 @@ export async function generatePDF(scans) {
 
   const atkMap = {};
   for (const s of scans) {
-    for (const f of (s.findings || [])) {
+    for (const f of s.findings || []) {
       const key = f.atk_id || f.id;
-      if (!atkMap[key]) atkMap[key] = [];
+      if (!atkMap[key]) {
+        atkMap[key] = [];
+      }
       atkMap[key].push(f);
     }
   }
@@ -228,16 +298,25 @@ export async function generatePDF(scans) {
       x += rowWidths[i];
     }
 
-    page.drawLine({ start: { x: MARGIN, y: y + 4 }, end: { x: PAGE_W - MARGIN, y: y + 4 }, thickness: 0.5, color: rgb(0.85, 0.85, 0.85) });
+    page.drawLine({
+      start: { x: MARGIN, y: y + 4 },
+      end: { x: PAGE_W - MARGIN, y: y + 4 },
+      thickness: 0.5,
+      color: rgb(0.85, 0.85, 0.85),
+    });
     y -= 18;
   }
 
   // Footer
   const pages = doc.getPages();
   for (const p of pages) {
-    const { width } = p.getSize();
+    const { width: _width } = p.getSize();
     p.drawText(`npm-scan v${version} | Apache-2.0 + Commons Clause`, {
-      x: MARGIN, y: 20, size: 8, font, color: rgb(0.6, 0.6, 0.6),
+      x: MARGIN,
+      y: 20,
+      size: 8,
+      font,
+      color: rgb(0.6, 0.6, 0.6),
     });
   }
 

package/backend/policy.js

@@ -5,26 +5,89 @@ const SEVERITY_ORDER = ['none', 'low', 'medium', 'high', 'critical'];
 const VALID_SEVERITIES = new Set(SEVERITY_ORDER);
 
 const KNOWN_REPUTABLE_PACKAGES = new Set([
-  'react', 'react-dom', 'vue', 'angular', 'next', 'nuxt',
-  'express', 'fastify', 'hono', 'koa', 'connect',
-  'webpack', 'vite', 'rollup', 'esbuild', 'typescript', 'babel-core',
-  'lodash', 'ramda', 'underscore',
-  'axios', 'node-fetch', 'got', 'superagent',
-  'sequelize', 'prisma', 'typeorm', 'mongoose',
-  'jest', 'mocha', 'vitest', 'ava',
-  'prettier', 'eslint', 'stylelint',
-  'socket.io', 'ws',
-  'rimraf', 'glob', 'minimatch', 'fs-extra',
-  'electron', 'puppeteer', 'playwright', 'sharp', 'node-canvas',
-  'ffmpeg-static', 'turbo',
-  'react-scripts', '@angular/cli',
-  'gatsby', 'parcel',
-  'tslib', 'core-js', 'regenerator-runtime', 'buffer',
-  'node-gyp', 'node-pre-gyp',
-  'winston', 'uuid', 'moment', 'dotenv', 'pg', 'semver', 'redux', 'redis',
-  'dayjs', 'luxon', 'chalk', 'debug', 'cors', 'helmet', 'multer',
-  'body-parser', 'cheerio', 'bluebird', 'bcrypt', 'commander', 'yargs',
-  'passport', 'jsonwebtoken', 'nodemailer', 'class-validator',
+  'react',
+  'react-dom',
+  'vue',
+  'angular',
+  'next',
+  'nuxt',
+  'express',
+  'fastify',
+  'hono',
+  'koa',
+  'connect',
+  'webpack',
+  'vite',
+  'rollup',
+  'esbuild',
+  'typescript',
+  'babel-core',
+  'lodash',
+  'ramda',
+  'underscore',
+  'axios',
+  'node-fetch',
+  'got',
+  'superagent',
+  'sequelize',
+  'prisma',
+  'typeorm',
+  'mongoose',
+  'jest',
+  'mocha',
+  'vitest',
+  'ava',
+  'prettier',
+  'eslint',
+  'stylelint',
+  'socket.io',
+  'ws',
+  'rimraf',
+  'glob',
+  'minimatch',
+  'fs-extra',
+  'electron',
+  'puppeteer',
+  'playwright',
+  'sharp',
+  'node-canvas',
+  'ffmpeg-static',
+  'turbo',
+  'react-scripts',
+  '@angular/cli',
+  'gatsby',
+  'parcel',
+  'tslib',
+  'core-js',
+  'regenerator-runtime',
+  'buffer',
+  'node-gyp',
+  'node-pre-gyp',
+  'winston',
+  'uuid',
+  'moment',
+  'dotenv',
+  'pg',
+  'semver',
+  'redux',
+  'redis',
+  'dayjs',
+  'luxon',
+  'chalk',
+  'debug',
+  'cors',
+  'helmet',
+  'multer',
+  'body-parser',
+  'cheerio',
+  'bluebird',
+  'bcrypt',
+  'commander',
+  'yargs',
+  'passport',
+  'jsonwebtoken',
+  'nodemailer',
+  'class-validator',
 ]);
 
 function severityIndex(s) {
@@ -32,8 +95,12 @@ function severityIndex(s) {
 }
 
 function matchesFilePath(filePath, pattern) {
-  if (!pattern) return false;
-  if (pattern === '*') return true;
+  if (!pattern) {
+    return false;
+  }
+  if (pattern === '*') {
+    return true;
+  }
   const regexPattern = pattern
     .replace(/\./g, '\\.')
     .replace(/\*\*/g, '___DOUBLE_STAR___')
@@ -44,49 +111,90 @@ function matchesFilePath(filePath, pattern) {
 
 function matchesContext(finding, rule) {
   const ctx = finding.context;
-  if (!ctx) return false;
-
-  if (rule.context?.is_dist_build === true && !ctx.is_dist_build) return false;
-  if (rule.context?.is_dist_build === false && ctx.is_dist_build) return false;
-  if (rule.context?.is_test_fixture === true && !ctx.is_test_fixture) return false;
-  if (rule.context?.is_test_fixture === false && ctx.is_test_fixture) return false;
-  if (rule.context?.is_lifecycle_hook === true && !ctx.is_lifecycle_hook) return false;
-  if (rule.context?.is_lifecycle_hook === false && ctx.is_lifecycle_hook) return false;
-  if (rule.context?.is_known_safe_domain === true && !ctx.is_known_safe_domain) return false;
-  if (rule.context?.is_known_safe_domain === false && ctx.is_known_safe_domain) return false;
-
-  if (rule.context?.file_path && !matchesFilePath(ctx.file_path, rule.context.file_path)) return false;
+  if (!ctx) {
+    return false;
+  }
+
+  if (rule.context?.is_dist_build === true && !ctx.is_dist_build) {
+    return false;
+  }
+  if (rule.context?.is_dist_build === false && ctx.is_dist_build) {
+    return false;
+  }
+  if (rule.context?.is_test_fixture === true && !ctx.is_test_fixture) {
+    return false;
+  }
+  if (rule.context?.is_test_fixture === false && ctx.is_test_fixture) {
+    return false;
+  }
+  if (rule.context?.is_lifecycle_hook === true && !ctx.is_lifecycle_hook) {
+    return false;
+  }
+  if (rule.context?.is_lifecycle_hook === false && ctx.is_lifecycle_hook) {
+    return false;
+  }
+  if (rule.context?.is_known_safe_domain === true && !ctx.is_known_safe_domain) {
+    return false;
+  }
+  if (rule.context?.is_known_safe_domain === false && ctx.is_known_safe_domain) {
+    return false;
+  }
+
+  if (rule.context?.file_path && !matchesFilePath(ctx.file_path, rule.context.file_path)) {
+    return false;
+  }
   if (rule.context?.url_domain) {
-    if (!ctx.url_domain) return false;
+    if (!ctx.url_domain) {
+      return false;
+    }
     const domainPattern = rule.context.url_domain.replace(/\*/g, '.*');
-    if (!new RegExp(`^${domainPattern}$`).test(ctx.url_domain)) return false;
+    if (!new RegExp(`^${domainPattern}$`).test(ctx.url_domain)) {
+      return false;
+    }
   }
 
   return true;
 }
 
 function matchesKnownReputable(packageName) {
-  if (KNOWN_REPUTABLE_PACKAGES.has(packageName)) return true;
+  if (KNOWN_REPUTABLE_PACKAGES.has(packageName)) {
+    return true;
+  }
   const [scope, name] = packageName.split('/');
-  if (scope && name && KNOWN_REPUTABLE_PACKAGES.has(`${scope}/*`)) return true;
+  if (scope && name && KNOWN_REPUTABLE_PACKAGES.has(`${scope}/*`)) {
+    return true;
+  }
   return false;
 }
 
 function getPackageReputationTier(pkgName) {
   const name = pkgName?.replace(/^@/, '').replace(/\/.*/, '') || '';
-  if (matchesKnownReputable(name)) return 'trusted';
+  if (matchesKnownReputable(name)) {
+    return 'trusted';
+  }
   return 'unknown';
 }
 
 function matchesSuppressRule(finding, pkgName, rule) {
-  if (rule.atk_id !== (finding.atk_id || finding.id)) return false;
-  if (rule.package && rule.package !== '*' && rule.package !== pkgName) return false;
+  if (rule.atk_id !== (finding.atk_id || finding.id)) {
+    return false;
+  }
+  if (rule.package && rule.package !== '*' && rule.package !== pkgName) {
+    return false;
+  }
 
-  if (rule.context && !matchesContext(finding, rule)) return false;
+  if (rule.context && !matchesContext(finding, rule)) {
+    return false;
+  }
 
   if (rule.reputation_tier) {
     const tier = getPackageReputationTier(pkgName);
-    if (rule.reputation_tier !== tier && !(rule.reputation_tier === '*' || rule.reputation_tier === 'any')) return false;
+    if (
+      rule.reputation_tier !== tier &&
+      !(rule.reputation_tier === '*' || rule.reputation_tier === 'any')
+    ) {
+      return false;
+    }
   }
 
   return true;
@@ -109,13 +217,17 @@ function loadPolicy(path) {
   if (policy.severity_overrides) {
     for (const [atkId, severity] of Object.entries(policy.severity_overrides)) {
       if (!VALID_SEVERITIES.has(severity)) {
-        throw new Error(`Invalid severity "${severity}" for ${atkId} — must be one of: low, medium, high, critical`);
+        throw new Error(
+          `Invalid severity "${severity}" for ${atkId} — must be one of: low, medium, high, critical`
+        );
       }
     }
   }
 
   if (policy.fail_on && !VALID_SEVERITIES.has(policy.fail_on)) {
-    throw new Error(`Invalid fail_on "${policy.fail_on}" — must be one of: none, low, medium, high, critical`);
+    throw new Error(
+      `Invalid fail_on "${policy.fail_on}" — must be one of: none, low, medium, high, critical`
+    );
   }
 
   if (policy.suppress) {
@@ -143,7 +255,7 @@ function sanitizePolicy(policy) {
     allow: { packages: policy.allow?.packages ?? [] },
     severity_overrides: policy.severity_overrides ?? {},
     fail_on: policy.fail_on ?? 'none',
-    suppress: (policy.suppress ?? []).map(r => ({
+    suppress: (policy.suppress ?? []).map((r) => ({
       atk_id: r.atk_id,
       package: r.package || '*',
       reason: r.reason || '',
@@ -154,23 +266,29 @@ function sanitizePolicy(policy) {
 }
 
 function isAllowed(packageName, policy) {
-  if (!policy.allow.packages.length) return false;
+  if (!policy.allow.packages.length) {
+    return false;
+  }
   const nameOnly = packageName.split('@')[0];
-  return policy.allow.packages.some(p => p === packageName || p === nameOnly);
+  return policy.allow.packages.some((p) => p === packageName || p === nameOnly);
 }
 
 function applyPolicy(findings, packageName, policy) {
   let filtered = [...findings];
 
   if (policy.suppress.length) {
-    filtered = filtered.filter(f => {
-      if (f.context?.is_lifecycle_hook) return true;
-      if (f.context?.is_multi_layer) return true;
-      return !policy.suppress.some(r => matchesSuppressRule(f, packageName, r));
+    filtered = filtered.filter((f) => {
+      if (f.context?.is_lifecycle_hook) {
+        return true;
+      }
+      if (f.context?.is_multi_layer) {
+        return true;
+      }
+      return !policy.suppress.some((r) => matchesSuppressRule(f, packageName, r));
     });
   }
 
-  filtered = filtered.map(f => {
+  filtered = filtered.map((f) => {
     const override = policy.severity_overrides[f.atk_id || f.id];
     if (override) {
       return { ...f, severity: override, _severityOverridden: true };
@@ -184,10 +302,19 @@ function applyPolicy(findings, packageName, policy) {
 }
 
 function checkFailOn(findings, policy) {
-  if (policy.fail_on === 'none') return false;
+  if (policy.fail_on === 'none') {
+    return false;
+  }
 
   const threshold = severityIndex(policy.fail_on);
-  return findings.some(f => severityIndex(f.severity) >= threshold);
+  return findings.some((f) => severityIndex(f.severity) >= threshold);
 }
 
-export { loadPolicy, applyPolicy, isAllowed, getPackageReputationTier, matchesContext, KNOWN_REPUTABLE_PACKAGES };
+export {
+  loadPolicy,
+  applyPolicy,
+  isAllowed,
+  getPackageReputationTier,
+  matchesContext,
+  KNOWN_REPUTABLE_PACKAGES,
+};

package/backend/provenance.js

@@ -12,7 +12,13 @@ export function signManifest(manifest, key = HMAC_KEY) {
   return createHmac('sha256', key).update(JSON.stringify(manifest)).digest('hex');
 }
 
-export function buildDetectionRule({ ruleId, ruleName, severity, cveReferences = [], campaignName }) {
+export function buildDetectionRule({
+  ruleId,
+  ruleName,
+  severity,
+  cveReferences = [],
+  campaignName,
+}) {
   return {
     rule_id: ruleId,
     rule_name: ruleName,
@@ -41,7 +47,12 @@ export function buildDetectionResult({ triggered, severity, indicators = [] }) {
 
 export function buildAuditTrail({ detectionLogic, ruleProvenanceUrl, campaignSourceUrl }) {
   const contentHash = hashContent(detectionLogic);
-  const manifest = { contentHash, ruleProvenanceUrl, campaignSourceUrl, generatedAt: new Date().toISOString() };
+  const manifest = {
+    contentHash,
+    ruleProvenanceUrl,
+    campaignSourceUrl,
+    generatedAt: new Date().toISOString(),
+  };
   return {
     content_hash: contentHash,
     rule_provenance_url: ruleProvenanceUrl,
@@ -60,7 +71,21 @@ export function buildDetectionRecord({ rule, scanMetadata, detectionResult, audi
   };
 }
 
-export function attachProvenance(evidence, { ruleId, ruleName, severity, campaignName, pkgName, pkgVersion, triggered, indicators, ruleProvenanceUrl, campaignSourceUrl }) {
+export function attachProvenance(
+  evidence,
+  {
+    ruleId,
+    ruleName,
+    severity,
+    campaignName,
+    pkgName,
+    pkgVersion,
+    triggered,
+    indicators,
+    ruleProvenanceUrl,
+    campaignSourceUrl,
+  }
+) {
   const rule = buildDetectionRule({ ruleId, ruleName, severity, campaignName });
   const scanMetadata = buildScanMetadata({
     scannerVersion: '@lateos/npm-scan',