@lateos/npm-scan 1.0.0 → 1.1.0

package/backend/detectors/tier1-transitive-deps.js

@@ -0,0 +1,182 @@
+import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
+
+const THRESHOLDS = {
+  flag_threshold: 80,
+  warn_threshold: 50,
+  new_package_days: 7,
+  unknown_depth_weight: 45,
+  typosquat_depth_weight: 50,
+  different_maintainer_weight: 35,
+};
+
+const SUSPICIOUS_NAMES = /(?:plain-crypto|crypto-js|secure-crypto|crypto-lib|cryptography)/i;
+
+function levenshtein(a, b) {
+  if (Math.abs(a.length - b.length) > 2) return 3;
+  const m = a.length,
+    n = b.length;
+  if (m === 0) return n;
+  if (n === 0) return m;
+  let prev = new Int32Array(n + 1);
+  let curr = new Int32Array(n + 1);
+  for (let j = 0; j <= n; j++) prev[j] = j;
+  for (let i = 1; i <= m; i++) {
+    curr[0] = i;
+    let rowMin = curr[0];
+    for (let j = 1; j <= n; j++) {
+      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
+      curr[j] = Math.min(prev[j] + 1, curr[j - 1] + 1, prev[j - 1] + cost);
+      if (curr[j] < rowMin) rowMin = curr[j];
+    }
+    if (rowMin > 2) return 3;
+    const tmp = prev;
+    prev = curr;
+    curr = tmp;
+  }
+  return prev[n];
+}
+
+function isTyposquat(name, popularNames) {
+  for (const popular of popularNames) {
+    if (Math.abs(name.length - popular.length) > 2) continue;
+    const dist = levenshtein(name, popular);
+    if (dist <= 2 && name !== popular) return popular;
+  }
+  return null;
+}
+
+const POPULAR_PACKAGES = [
+  'crypto-js',
+  'crypto',
+  'bcrypt',
+  'jsonwebtoken',
+  'json5',
+  'lodash',
+  'axios',
+  'express',
+  'moment',
+  'chalk',
+  'react',
+  'vue',
+  'angular',
+  'next',
+  'nuxt',
+  'typescript',
+  'eslint',
+  'prettier',
+  'webpack',
+  'babel',
+  'mongoose',
+  'redis',
+  'mysql',
+  'postgres',
+  'passport',
+];
+
+function collectDependencies(pkgJson) {
+  const deps = {};
+  const allDeps = {
+    ...(pkgJson?.dependencies || {}),
+    ...(pkgJson?.devDependencies || {}),
+  };
+  for (const [name, version] of Object.entries(allDeps)) {
+    deps[name] = { version, depth: 0, isDirect: true };
+  }
+  return deps;
+}
+
+function computeConfidence(findings) {
+  if (findings.length === 0) return 0;
+  const maxScore = Math.max(...findings.map((f) => f.weight));
+  let base = maxScore;
+  if (findings.length > 1) base += 15;
+  return Math.min(100, Math.max(0, base));
+}
+
+function severityLabel(score) {
+  if (score >= 80) return 'high';
+  if (score >= 60) return 'medium';
+  return 'low';
+}
+
+function confidenceLabel(score) {
+  if (score >= 80) return 'HIGH';
+  if (score >= 60) return 'MEDIUM';
+  return 'LOW';
+}
+
+export const name = 'tier1-transitive-deps';
+
+export async function scan(pkgJson, _jsFiles, _registryMeta, _allFiles) {
+  const pkgName = pkgJson?.name;
+  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+
+  const deps = collectDependencies(pkgJson);
+  const depNames = Object.keys(deps);
+  if (depNames.length === 0) return [];
+
+  const findings = [];
+
+  for (const [depName, depInfo] of Object.entries(deps)) {
+    let weight = 0;
+    const reasons = [];
+
+    if (SUSPICIOUS_NAMES.test(depName)) {
+      weight += 55;
+      reasons.push('suspicious_naming: matches known malicious pattern');
+    }
+
+    const typosquatTarget = isTyposquat(depName, POPULAR_PACKAGES);
+    if (typosquatTarget) {
+      weight += THRESHOLDS.typosquat_depth_weight;
+      reasons.push(`typosquat: "${depName}" similar to "${typosquatTarget}"`);
+    }
+
+    if (depInfo.isDirect) {
+      const depVersion = depInfo.version || '';
+      if (depVersion.includes('x') || depVersion === '*' || /^\d+\.\d+\.\d+$/.test(depVersion)) {
+        const parts = depVersion.split('.');
+        if (parts.length === 3) {
+          const major = parseInt(parts[0], 10);
+          if (major >= 99) {
+            weight += 55;
+            reasons.push(`version_anomaly: suspicious version ${depVersion}`);
+          }
+        }
+      }
+    }
+
+    if (weight > 0) {
+      findings.push({
+        package: depName,
+        depth: depInfo.depth,
+        isDirect: depInfo.isDirect,
+        weight,
+        reasons,
+      });
+    }
+  }
+
+  if (findings.length === 0) return [];
+
+  const confidenceScore = computeConfidence(findings);
+  if (confidenceScore < THRESHOLDS.warn_threshold) return [];
+
+  const topFindings = findings.sort((a, b) => b.weight - a.weight).slice(0, 5);
+
+  return [
+    {
+      detector: 'tier1-transitive-deps',
+      id: 'TIER1-TRANSITIVE-DEPS',
+      severity: severityLabel(confidenceScore),
+      confidence: confidenceLabel(confidenceScore),
+      confidenceScore,
+      subtype: 'transitive_injection',
+      message: `${findings.length} suspicious transitive dependenc${findings.length > 1 ? 'ies' : 'y'} detected`,
+      evidence: topFindings.map((f) => `${f.package} (depth ${f.depth}): ${f.reasons.join('; ')}`),
+      locations: [{ file: 'package.json', line: 1, column: 1 }],
+      crossFiles: topFindings.map((f) => f.package),
+      reference: 'D12: Axios backdoor transitive injection',
+    },
+  ];
+}

package/backend/detectors/tier1-typosquat.js

@@ -3,38 +3,54 @@ import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
 
 const require = createRequire(import.meta.url);
 const TOP_PACKAGES = require('../../src/config/top-5000.json');
-const TOP_SET = new Set(TOP_PACKAGES);
+const _TOP_SET = new Set(TOP_PACKAGES);
 
 function levenshtein(a, b) {
-  if (Math.abs(a.length - b.length) > 2) return 3;
-  const m = a.length, n = b.length;
-  if (m === 0) return n;
-  if (n === 0) return m;
+  if (Math.abs(a.length - b.length) > 2) {
+    return 3;
+  }
+  const m = a.length,
+    n = b.length;
+  if (m === 0) {
+    return n;
+  }
+  if (n === 0) {
+    return m;
+  }
   let prev = new Int32Array(n + 1);
   let curr = new Int32Array(n + 1);
-  for (let j = 0; j <= n; j++) prev[j] = j;
+  for (let j = 0; j <= n; j++) {
+    prev[j] = j;
+  }
   for (let i = 1; i <= m; i++) {
     curr[0] = i;
     let rowMin = curr[0];
     for (let j = 1; j <= n; j++) {
       const cost = a[i - 1] === b[j - 1] ? 0 : 1;
-      curr[j] = Math.min(
-        prev[j] + 1,
-        curr[j - 1] + 1,
-        prev[j - 1] + cost
-      );
-      if (curr[j] < rowMin) rowMin = curr[j];
+      curr[j] = Math.min(prev[j] + 1, curr[j - 1] + 1, prev[j - 1] + cost);
+      if (curr[j] < rowMin) {
+        rowMin = curr[j];
+      }
     }
-    if (rowMin > 2) return 3;
-    const tmp = prev; prev = curr; curr = tmp;
+    if (rowMin > 2) {
+      return 3;
+    }
+    const tmp = prev;
+    prev = curr;
+    curr = tmp;
   }
   return prev[n];
 }
 
 function jaroWinkler(a, b) {
-  if (a === b) return 1;
-  const m = a.length, n = b.length;
-  if (m === 0 || n === 0) return 0;
+  if (a === b) {
+    return 1;
+  }
+  const m = a.length,
+    n = b.length;
+  if (m === 0 || n === 0) {
+    return 0;
+  }
   const matchDist = Math.floor(Math.max(m, n) / 2) - 1;
   const aMatch = new Array(m).fill(false);
   const bMatch = new Array(n).fill(false);
@@ -43,36 +59,53 @@ function jaroWinkler(a, b) {
     const start = Math.max(0, i - matchDist);
     const end = Math.min(n, i + matchDist + 1);
     for (let j = start; j < end; j++) {
-      if (bMatch[j] || a[i] !== b[j]) continue;
+      if (bMatch[j] || a[i] !== b[j]) {
+        continue;
+      }
       aMatch[i] = true;
       bMatch[j] = true;
       matches++;
       break;
     }
   }
-  if (matches === 0) return 0;
-  let t = 0, k = 0;
+  if (matches === 0) {
+    return 0;
+  }
+  let t = 0,
+    k = 0;
   for (let i = 0; i < m; i++) {
-    if (!aMatch[i]) continue;
-    while (!bMatch[k]) k++;
-    if (a[i] !== b[k]) t++;
+    if (!aMatch[i]) {
+      continue;
+    }
+    while (!bMatch[k]) {
+      k++;
+    }
+    if (a[i] !== b[k]) {
+      t++;
+    }
     k++;
   }
   const jaro = (matches / m + matches / n + (matches - t / 2) / matches) / 3;
   let prefix = 0;
   const limit = Math.min(4, m, n);
   for (let i = 0; i < limit; i++) {
-    if (a[i] === b[i]) prefix++;
-    else break;
+    if (a[i] === b[i]) {
+      prefix++;
+    } else {
+      break;
+    }
   }
   return jaro + prefix * 0.1 * (1 - jaro);
 }
 
-function soundex(s) {
-  if (!s) return '';
+function _soundex(s) {
+  if (!s) {
+    return '';
+  }
   s = s.toLowerCase();
   const first = s[0];
-  const rest = s.slice(1)
+  const rest = s
+    .slice(1)
     .replace(/[aeiouyhw]/g, '')
     .replace(/[bfpv]/g, '1')
     .replace(/[cgjkqsxz]/g, '2')
@@ -85,15 +118,22 @@ function soundex(s) {
 }
 
 function homoglyphScore(a, b) {
-  if (a.length !== b.length) return 0;
-  const map = { '0': 'o', '1': 'l', '3': 'e', '4': 'a', '5': 's', '6': 'g', '7': 't', '8': 'b', '@': 'a' };
+  if (a.length !== b.length) {
+    return 0;
+  }
+  const map = { 0: 'o', 1: 'l', 3: 'e', 4: 'a', 5: 's', 6: 'g', 7: 't', 8: 'b', '@': 'a' };
   let swaps = 0;
   for (let i = 0; i < a.length; i++) {
-    if (a[i] === b[i]) continue;
+    if (a[i] === b[i]) {
+      continue;
+    }
     const na = map[a[i]] || a[i];
     const nb = map[b[i]] || b[i];
-    if (na === b[i] || a[i] === nb || na === nb) swaps++;
-    else return 0;
+    if (na === b[i] || a[i] === nb || na === nb) {
+      swaps++;
+    } else {
+      return 0;
+    }
   }
   return swaps > 0 ? 1 - swaps / a.length : 0;
 }
@@ -119,34 +159,52 @@ function computeConfidence(dist, phonetic, homoglyph, registryMeta) {
   if (registryMeta) {
     const age = registryMeta.age || 0;
     const downloads = registryMeta.weeklyDownloads || 0;
-    if (age < 30) score += 15;
-    if (downloads < 1000) score += 10;
-    if (age > 365 && downloads > 100000) score -= 30;
+    if (age < 30) {
+      score += 15;
+    }
+    if (downloads < 1000) {
+      score += 10;
+    }
+    if (age > 365 && downloads > 100000) {
+      score -= 30;
+    }
   }
   score = Math.max(50, Math.min(100, score));
   return { subtype, score };
 }
 
 function severityLabel(score) {
-  if (score >= 80) return 'high';
-  if (score >= 60) return 'medium';
+  if (score >= 80) {
+    return 'high';
+  }
+  if (score >= 60) {
+    return 'medium';
+  }
   return 'low';
 }
 
 function confidenceLabel(score) {
-  if (score >= 80) return 'HIGH';
-  if (score >= 60) return 'MEDIUM';
+  if (score >= 80) {
+    return 'HIGH';
+  }
+  if (score >= 60) {
+    return 'MEDIUM';
+  }
   return 'LOW';
 }
 
 export const name = 'tier1-typosquat';
 
-export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+export async function scan(pkgJson, jsFiles, registryMeta, _allFiles) {
   const findings = [];
   const pkgName = pkgJson?.name;
-  if (!pkgName) return findings;
+  if (!pkgName) {
+    return findings;
+  }
 
-  if (KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return findings;
+  if (KNOWN_REPUTABLE_PACKAGES.has(pkgName)) {
+    return findings;
+  }
 
   const namesToCheck = [];
   let scopedName = null;
@@ -167,27 +225,48 @@ export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
   for (const checkName of namesToCheck) {
     for (const target of TOP_PACKAGES) {
       if (checkName === target) {
-        if (pkgName.startsWith('@') && checkName === scopedName && !KNOWN_REPUTABLE_PACKAGES.has(scopedName)) {
+        if (
+          pkgName.startsWith('@') &&
+          checkName === scopedName &&
+          !KNOWN_REPUTABLE_PACKAGES.has(scopedName)
+        ) {
           let score = 80;
           if (registryMeta) {
-            if ((registryMeta.age || 0) < 30) score += 15;
-            if ((registryMeta.weeklyDownloads || 0) < 1000) score += 10;
+            if ((registryMeta.age || 0) < 30) {
+              score += 15;
+            }
+            if ((registryMeta.weeklyDownloads || 0) < 1000) {
+              score += 10;
+            }
           }
           score = Math.max(50, Math.min(100, score));
           if (score > bestScore) {
             bestScore = score;
-            best = { target, dist: 0, phonetic: 1, homoglyph: 0, subtype: 'edit_distance_1', isScopeSquat: true };
+            best = {
+              target,
+              dist: 0,
+              phonetic: 1,
+              homoglyph: 0,
+              subtype: 'edit_distance_1',
+              isScopeSquat: true,
+            };
           }
         }
         continue;
       }
-      if (Math.abs(checkName.length - target.length) > 2) continue;
+      if (Math.abs(checkName.length - target.length) > 2) {
+        continue;
+      }
       const dist = levenshtein(checkName, target);
-      if (dist > 2) continue;
+      if (dist > 2) {
+        continue;
+      }
       const phonetic = jaroWinkler(checkName, target);
       const homoglyph = homoglyphScore(checkName, target);
       const conf = computeConfidence(dist, phonetic, homoglyph, registryMeta);
-      if (!conf || conf.score <= bestScore) continue;
+      if (!conf || conf.score <= bestScore) {
+        continue;
+      }
       bestScore = conf.score;
       best = { target, dist, phonetic, homoglyph, subtype: conf.subtype, isScopeSquat: false };
     }

package/backend/detectors/tier1-version-anomaly.js

@@ -3,11 +3,17 @@ import { KNOWN_REPUTABLE_PACKAGES } from '../policy.js';
 const SENTINEL_PATTERNS = new Set(['99.99.99', '11.11.11', '10.10.10']);
 
 function parseVersion(v) {
-  if (!v || typeof v !== 'string') return null;
+  if (!v || typeof v !== 'string') {
+    return null;
+  }
   const parts = v.split('.');
-  if (parts.length !== 3) return null;
+  if (parts.length !== 3) {
+    return null;
+  }
   const [major, minor, patch] = parts.map(Number);
-  if (isNaN(major) || isNaN(minor) || isNaN(patch)) return null;
+  if (isNaN(major) || isNaN(minor) || isNaN(patch)) {
+    return null;
+  }
   return { major, minor, patch, full: v };
 }
 
@@ -17,19 +23,23 @@ function versionScore(v) {
 
 function extractVersions(registryMeta) {
   if (Array.isArray(registryMeta)) {
-    return registryMeta.map(v => parseVersion(v)).filter(Boolean);
+    return registryMeta.map((v) => parseVersion(v)).filter(Boolean);
   }
   if (registryMeta && typeof registryMeta === 'object') {
     const versions = registryMeta.versions || registryMeta.time;
     if (versions && typeof versions === 'object') {
-      return Object.keys(versions).map(v => parseVersion(v)).filter(Boolean);
+      return Object.keys(versions)
+        .map((v) => parseVersion(v))
+        .filter(Boolean);
     }
   }
   return [];
 }
 
 function computeStats(scores) {
-  if (scores.length < 2) return null;
+  if (scores.length < 2) {
+    return null;
+  }
   const mean = scores.reduce((s, v) => s + v, 0) / scores.length;
   const variance = scores.reduce((s, v) => s + (v - mean) ** 2, 0) / scores.length;
   const stddev = Math.sqrt(variance);
@@ -38,7 +48,9 @@ function computeStats(scores) {
 
 export function analyzeAnomaly(packageName, versionStr, versionHistory) {
   const current = parseVersion(versionStr);
-  if (!current) return null;
+  if (!current) {
+    return null;
+  }
 
   const historical = extractVersions(versionHistory);
   const currentScore = versionScore(current);
@@ -79,14 +91,18 @@ export function analyzeAnomaly(packageName, versionStr, versionHistory) {
   }
 
   const stats = computeStats(recentScores);
-  if (!stats) return null;
+  if (!stats) {
+    return null;
+  }
 
   const zScore = stats.stddev > 0 ? (currentScore - stats.mean) / stats.stddev : 0;
-  const baselineMaxVer = historical.find(v => versionScore(v) === stats.max)?.full || 'unknown';
+  const baselineMaxVer = historical.find((v) => versionScore(v) === stats.max)?.full || 'unknown';
   const baselineMeanVal = (stats.mean / 10000).toFixed(1);
   const prevMaxMajor = Math.floor(stats.max / 10000);
-  const isNormalMajorBump = current.major === prevMaxMajor + 1 && current.minor === 0 && current.patch === 0;
-  const isReasonableVersion = current.major <= prevMaxMajor + 2 && current.major >= Math.floor(stats.min / 10000);
+  const isNormalMajorBump =
+    current.major === prevMaxMajor + 1 && current.minor === 0 && current.patch === 0;
+  const isReasonableVersion =
+    current.major <= prevMaxMajor + 2 && current.major >= Math.floor(stats.min / 10000);
   const ratio = stats.max > 0 ? currentScore / stats.max : 0;
 
   let flagged = false;
@@ -126,7 +142,9 @@ export function analyzeAnomaly(packageName, versionStr, versionHistory) {
     reason = `Version ${versionStr} has z-score ${zScore.toFixed(1)} and is outside expected version range`;
   }
 
-  if (!flagged) return null;
+  if (!flagged) {
+    return null;
+  }
 
   return {
     flagged,
@@ -141,47 +159,65 @@ export function analyzeAnomaly(packageName, versionStr, versionHistory) {
 }
 
 function severityLabel(sc) {
-  if (sc >= 90) return 'critical';
-  if (sc >= 70) return 'high';
-  if (sc >= 50) return 'medium';
+  if (sc >= 90) {
+    return 'critical';
+  }
+  if (sc >= 70) {
+    return 'high';
+  }
+  if (sc >= 50) {
+    return 'medium';
+  }
   return 'low';
 }
 
 function confidenceLabel(sc) {
-  if (sc >= 80) return 'HIGH';
-  if (sc >= 60) return 'MEDIUM';
+  if (sc >= 80) {
+    return 'HIGH';
+  }
+  if (sc >= 60) {
+    return 'MEDIUM';
+  }
   return 'LOW';
 }
 
 export const name = 'tier1-version-anomaly';
 
-export async function scan(pkgJson, jsFiles, registryMeta, allFiles) {
+export async function scan(pkgJson, jsFiles, registryMeta, _allFiles) {
   const pkgName = pkgJson?.name;
   const version = pkgJson?.version;
 
-  if (!pkgName || !version) return [];
-  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) return [];
+  if (!pkgName || !version) {
+    return [];
+  }
+  if (pkgName && KNOWN_REPUTABLE_PACKAGES.has(pkgName)) {
+    return [];
+  }
 
   const result = analyzeAnomaly(pkgName, version, registryMeta);
-  if (!result) return [];
-
-  return [{
-    detector: 'tier1-version-anomaly',
-    id: 'TIER1-VERSION-ANOMALY',
-    severity: severityLabel(result.confidenceScore),
-    confidence: confidenceLabel(result.confidenceScore),
-    confidenceScore: result.confidenceScore,
-    subtype: result.attackPattern.toLowerCase(),
-    message: `Version anomaly detected in "${pkgName}": ${result.reason}`,
-    evidence: [
-      `version: ${version}`,
-      `baseline_max: ${result.baselineMax}`,
-      `baseline_mean: ${result.baselineMean}`,
-      `z_score: ${result.zScore ?? 'N/A'}`,
-      `attack_pattern: ${result.attackPattern}`,
-    ],
-    crossFiles: [],
-    locations: [{ file: 'package.json', line: 3, column: 10 }],
-    reference: '176-package dependency confusion campaign',
-  }];
+  if (!result) {
+    return [];
+  }
+
+  return [
+    {
+      detector: 'tier1-version-anomaly',
+      id: 'TIER1-VERSION-ANOMALY',
+      severity: severityLabel(result.confidenceScore),
+      confidence: confidenceLabel(result.confidenceScore),
+      confidenceScore: result.confidenceScore,
+      subtype: result.attackPattern.toLowerCase(),
+      message: `Version anomaly detected in "${pkgName}": ${result.reason}`,
+      evidence: [
+        `version: ${version}`,
+        `baseline_max: ${result.baselineMax}`,
+        `baseline_mean: ${result.baselineMean}`,
+        `z_score: ${result.zScore ?? 'N/A'}`,
+        `attack_pattern: ${result.attackPattern}`,
+      ],
+      crossFiles: [],
+      locations: [{ file: 'package.json', line: 3, column: 10 }],
+      reference: '176-package dependency confusion campaign',
+    },
+  ];
 }