@lateos/npm-scan 0.3.0 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/README.md +39 -29
  2. package/backend/db/schema.sql +32 -1
  3. package/backend/sbom.js +7 -4
  4. package/cli/cli.js +2 -2
  5. package/package.json +1 -1
package/README.md CHANGED
@@ -1,6 +1,6 @@
1
1
  # npm-scan
2
2
 
3
- Powerful npm supply chain security scanner. Detects malicious packages, supply chain attacks, and generates SBOM reports.
3
+ Powerful npm supply chain security scanner. Detects malicious packages, supply chain attacks, and generates SBOM + compliance reports.
4
4
 
5
5
  ## Quick Start
6
6
 
@@ -17,56 +17,66 @@ npx @lateos/npm-scan scan lodash
17
17
 
18
18
  ## Features
19
19
 
20
- - **Static Analysis** — detects malicious lifecycle scripts, obfuscated payloads, credential harvesting, persistence, network exfiltration, dependency confusion, and typosquatting (ATK-001–007)
21
- - **SBOM Output** — CycloneDX 1.5 JSON/XML with findings mapped as vulnerabilities
20
+ - **Static Analysis** — detects malicious lifecycle scripts, obfuscated payloads, credential harvesting, persistence, network exfiltration, dependency confusion, typosquatting, tarball tampering, conditional triggers, and sandbox evasion (ATK-001–010)
21
+ - **SBOM Output** — CycloneDX 1.5 and SPDX 2.3 with findings mapped as vulnerabilities
22
+ - **NIST 800-161 Compliance** — HTML report includes control traceability matrix (SR-2.1 → SR-10.3)
22
23
  - **SQLite Storage** — local scan history, zero external dependencies
23
- - **CLI** — `scan`, `scan-lockfile`, `report --sbom`
24
+ - **CLI** — `scan`, `scan-lockfile`, `report --sbom --html --nist`
25
+ - **Dynamic Sandbox** — gVisor-based isolation (premium, documented in `docs/sandbox-threat-model.md`)
24
26
  - **GitHub Action** — scans lockfile on PRs
25
27
  - **Docker** — multi-arch images via GHCR
26
28
 
27
29
  ## Commands
28
30
 
29
31
  ```
30
- npm-scan scan <package> Scan a package from the npm registry
31
- npm-scan scan-lockfile Scan a local package-lock.json
32
- npm-scan report List recent scans
33
- npm-scan report -i <id> Show findings for a scan
34
- npm-scan report -i <id> --sbom Generate CycloneDX SBOM (json/xml)
32
+ npm-scan scan <package> Scan a package from the npm registry
33
+ npm-scan scan <package> --sbom Scan + output CycloneDX SBOM
34
+ npm-scan scan <package> --sbom spdx Scan + output SPDX SBOM
35
+ npm-scan scan-lockfile Scan a local package-lock.json
36
+ npm-scan report List recent scans
37
+ npm-scan report -i <id> Show findings for a scan
38
+ npm-scan report -i <id> --sbom Generate CycloneDX SBOM
39
+ npm-scan report -i <id> --sbom spdx Generate SPDX SBOM
40
+ npm-scan report -i <id> --html Generate HTML report (with NIST table)
41
+ npm-scan report --html Generate HTML report for all scans
35
42
  ```
36
43
 
37
44
  ## Architecture
38
45
 
39
46
  ```
40
47
  cli/ Commander.js CLI entrypoint
41
- backend/ Detectors, fetch, SQLite db, SBOM, license
48
+ backend/ Detectors, fetch, SQLite db, SBOM, report
42
49
  docker/ Multi-arch Docker images + compose
43
- docs/ Project plan, attack taxonomy (ATK)
44
- tests/ Corpus: clean + malicious packages
50
+ docs/ Project plan, attack taxonomy (ATK), sandbox threat model
51
+ tests/ Corpus: 5 clean + 30 malicious packages
45
52
  ```
46
53
 
54
+ ## Detectors (ATK Taxonomy)
55
+
56
+ | ID | Class | Severity |
57
+ |---------|--------------------------------------------|----------|
58
+ | ATK-001 | Malicious lifecycle scripts | high |
59
+ | ATK-002 | Obfuscated payloads | medium |
60
+ | ATK-003 | Credential harvesting | high |
61
+ | ATK-004 | Persistence via editor configs | high |
62
+ | ATK-005 | Network exfiltration | critical |
63
+ | ATK-006 | Dependency confusion | medium |
64
+ | ATK-007 | Typosquatting | low |
65
+ | ATK-008 | Tarball tampering (published ≠ source) | high |
66
+ | ATK-009 | Conditional/dormant triggers (CI, time) | high |
67
+ | ATK-010 | Sandbox evasion / anti-analysis | medium |
68
+
69
+ See `docs/attack-taxonomy.md` for full NIST 800-161 mappings, evasion surfaces, and PoC examples.
70
+
47
71
  ## Development
48
72
 
49
73
  ```bash
50
74
  npm install
51
75
  npm run dev # CLI stub
52
- npm run test # Unit tests
53
- npm run corpus # False-positive corpus test
76
+ npm run test # Unit tests (13)
77
+ npm run corpus # False-positive corpus test (30 malicious, 5 clean)
54
78
  ```
55
79
 
56
- ## Detectors (ATK Taxonomy)
57
-
58
- | ID | Class | Severity |
59
- |----|-------|----------|
60
- | ATK-001 | Malicious lifecycle scripts | high |
61
- | ATK-002 | Obfuscated payloads | medium |
62
- | ATK-003 | Credential harvesting | high |
63
- | ATK-004 | Persistence via editor configs | high |
64
- | ATK-005 | Network exfiltration | critical |
65
- | ATK-006 | Dependency confusion | medium |
66
- | ATK-007 | Typosquatting | low |
67
-
68
- See `docs/attack-taxonomy.md` for full NIST 800-161 mappings.
69
-
70
80
  ## License
71
81
 
72
- Apache-2.0 core + Commons Clause premium. See `LICENSING.md`.
82
+ Apache-2.0 core + Commons Clause premium. See `LICENSING.md`.
package/backend/db/schema.sql CHANGED
@@ -1 +1,32 @@
1
- -- SQLite schema for local CLI mode (free tier)\n-- Tables: scans, findings (ATK-linked)\n\nCREATE TABLE IF NOT EXISTS scans (\n id INTEGER PRIMARY KEY AUTOINCREMENT,\n package_name TEXT NOT NULL,\n version TEXT,\n scanned_at DATETIME DEFAULT CURRENT_TIMESTAMP,\n status TEXT DEFAULT 'completed',\n sbom_json TEXT\n);\n\nCREATE TABLE IF NOT EXISTS findings (\n id INTEGER PRIMARY KEY AUTOINCREMENT,\n scan_id INTEGER NOT NULL,\n atk_id TEXT NOT NULL REFERENCES attack_taxonomy(id),\n severity TEXT CHECK (severity IN ('info', 'low', 'medium', 'high', 'critical')),\n description TEXT,\n evidence TEXT,\n mitigation TEXT,\n FOREIGN KEY (scan_id) REFERENCES scans(id) ON DELETE CASCADE\n);\n\n-- View for reports\nCREATE VIEW scan_findings AS\nSELECT s.*, f.* FROM scans s\nJOIN findings f ON s.id = f.scan_id;\n\n-- Indexes\nCREATE INDEX idx_scans_package ON scans(package_name);\nCREATE INDEX idx_findings_atk ON findings(atk_id);\nCREATE INDEX idx_findings_severity ON findings(severity);
1
+ -- SQLite schema for local CLI mode (free tier)
2
+ -- Tables: scans, findings (ATK-linked)
3
+
4
+ CREATE TABLE IF NOT EXISTS scans (
5
+ id INTEGER PRIMARY KEY AUTOINCREMENT,
6
+ package_name TEXT NOT NULL,
7
+ version TEXT,
8
+ scanned_at DATETIME DEFAULT CURRENT_TIMESTAMP,
9
+ status TEXT DEFAULT 'completed',
10
+ sbom_json TEXT
11
+ );
12
+
13
+ CREATE TABLE IF NOT EXISTS findings (
14
+ id INTEGER PRIMARY KEY AUTOINCREMENT,
15
+ scan_id INTEGER NOT NULL,
16
+ atk_id TEXT NOT NULL,
17
+ severity TEXT CHECK (severity IN ('info', 'low', 'medium', 'high', 'critical')),
18
+ description TEXT,
19
+ evidence TEXT,
20
+ mitigation TEXT,
21
+ FOREIGN KEY (scan_id) REFERENCES scans(id) ON DELETE CASCADE
22
+ );
23
+
24
+ -- View for reports
25
+ CREATE VIEW IF NOT EXISTS scan_findings AS
26
+ SELECT s.*, f.* FROM scans s
27
+ JOIN findings f ON s.id = f.scan_id;
28
+
29
+ -- Indexes
30
+ CREATE INDEX IF NOT EXISTS idx_scans_package ON scans(package_name);
31
+ CREATE INDEX IF NOT EXISTS idx_findings_atk ON findings(atk_id);
32
+ CREATE INDEX IF NOT EXISTS idx_findings_severity ON findings(severity);
package/backend/sbom.js CHANGED
@@ -17,13 +17,16 @@ function generateCycloneDX(pkgJson, findings) {
17
17
  },
18
18
  tools: [{ name: 'npm-scan', version: '0.2.5' }]
19
19
  },
20
- vulnerabilities: findings.map(f => ({
21
- id: f.id,
20
+ vulnerabilities: findings.map(f => {
21
+ const atkId = f.atk_id || f.id;
22
+ return {
23
+ id: atkId,
22
24
  source: { name: 'npm-scan' },
23
25
  ratings: [{ severity: f.severity }],
24
- description: f.title || '',
26
+ description: f.description || f.title || '',
25
27
  recommendation: f.mitigation || 'Review evidence'
26
- }))
28
+ };
29
+ })
27
30
  };
28
31
  return JSON.stringify(bom, null, 2);
29
32
  }
package/cli/cli.js CHANGED
@@ -12,7 +12,7 @@ program
12
12
  .description('Scan a package')
13
13
  .argument('<target>', 'package name')
14
14
  .option('-l, --license-key <key>', 'Premium license')
15
- .option('--sbom [format]', 'Generate SBOM (json/xml/spdx)', 'json')
15
+ .option('--sbom [format]', 'Generate SBOM (json/xml/spdx)')
16
16
  .action(async (target, options) => {
17
17
  try {
18
18
  const { pkgJson, jsFiles, tmpDir } = await import('../backend/fetch.js').then(m => m.fetchPackage(target));
@@ -46,7 +46,7 @@ program
46
46
  .command('report')
47
47
  .description('Generate report')
48
48
  .option('-i, --id <id>', 'Scan ID')
49
- .option('--sbom [format]', 'SBOM format (json/xml/spdx)', 'json')
49
+ .option('--sbom [format]', 'SBOM format (json/xml/spdx)')
50
50
  .option('--html', 'HTML report')
51
51
  .option('--nist', 'NIST 800-161 compliance report')
52
52
  .action(async (options) => {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@lateos/npm-scan",
3
- "version": "0.3.0",
3
+ "version": "0.3.2",
4
4
  "description": "Powerful npm supply chain security scanner - detects malicious packages (Shai-Hulud style), behavioral analysis, SBOM, and compliance reporting.",
5
5
  "main": "backend/index.js",
6
6
  "bin": {