@lateos/npm-scan 1.0.0 → 1.1.0

package/backend/sbom.js

@@ -1,5 +1,7 @@
 export function generateSBOM(pkgJson, findings, format = 'json') {
-  if (format === 'spdx') return generateSPDX(pkgJson, findings);
+  if (format === 'spdx') {
+    return generateSPDX(pkgJson, findings);
+  }
   return generateCycloneDX(pkgJson, findings);
 }
 
@@ -13,20 +15,20 @@ function generateCycloneDX(pkgJson, findings) {
         type: 'library',
         name: pkgJson.name || 'unknown',
         version: pkgJson.version || 'unknown',
-        purl: `pkg:npm/${pkgJson.name || 'unknown'}@${pkgJson.version || 'unknown'}`
+        purl: `pkg:npm/${pkgJson.name || 'unknown'}@${pkgJson.version || 'unknown'}`,
       },
-      tools: [{ name: 'npm-scan', version: process.env.npm_package_version || '0.3.2' }]
+      tools: [{ name: 'npm-scan', version: process.env.npm_package_version || '0.3.2' }],
     },
-    vulnerabilities: findings.map(f => {
+    vulnerabilities: findings.map((f) => {
       const atkId = f.atk_id || f.id;
       return {
-      id: atkId,
-      source: { name: 'npm-scan' },
-      ratings: [{ severity: f.severity }],
-      description: f.description || f.title || '',
-      recommendation: f.mitigation || 'Review evidence'
+        id: atkId,
+        source: { name: 'npm-scan' },
+        ratings: [{ severity: f.severity }],
+        description: f.description || f.title || '',
+        recommendation: f.mitigation || 'Review evidence',
       };
-    })
+    }),
   };
   return JSON.stringify(bom, null, 2);
 }
@@ -42,26 +44,30 @@ function generateSPDX(pkgJson, findings) {
     documentNamespace: `https://npm-scan.io/spdx/${pkgName}-${pkgVer}`,
     creationInfo: {
       creators: ['Tool: npm-scan'],
-      created: new Date().toISOString()
+      created: new Date().toISOString(),
     },
-    packages: [{
-      SPDXID: 'SPDXRef-Package',
-      name: pkgName,
-      versionInfo: pkgVer,
-      packageFileName: `pkg:npm/${pkgName}@${pkgVer}`,
-      primaryPackagePurpose: 'LIBRARY',
-      externalRefs: [{
-        referenceCategory: 'PACKAGE-MANAGER',
-        referenceType: 'purl',
-        referenceLocator: `pkg:npm/${pkgName}@${pkgVer}`
-      }]
-    }],
-    annotations: findings.map(f => ({
+    packages: [
+      {
+        SPDXID: 'SPDXRef-Package',
+        name: pkgName,
+        versionInfo: pkgVer,
+        packageFileName: `pkg:npm/${pkgName}@${pkgVer}`,
+        primaryPackagePurpose: 'LIBRARY',
+        externalRefs: [
+          {
+            referenceCategory: 'PACKAGE-MANAGER',
+            referenceType: 'purl',
+            referenceLocator: `pkg:npm/${pkgName}@${pkgVer}`,
+          },
+        ],
+      },
+    ],
+    annotations: findings.map((f) => ({
       annotationDate: new Date().toISOString(),
       annotationType: 'OTHER',
       annotator: 'Tool: npm-scan',
-      comment: `[${f.atk_id || f.id}] ${f.severity.toUpperCase()}: ${f.description || f.title || ''}`
-    }))
+      comment: `[${f.atk_id || f.id}] ${f.severity.toUpperCase()}: ${f.description || f.title || ''}`,
+    })),
   };
   return JSON.stringify(spdx, null, 2);
-}
+}

package/backend/scripts/analyze-false-positives.js

@@ -20,7 +20,7 @@ function analyzeFalsePositives(fpFile) {
   }
 
   const text = readFileSync(absPath, 'utf-8');
-  const lines = text.split('\n').filter(l => l.trim());
+  const lines = text.split('\n').filter((l) => l.trim());
 
   for (const line of lines) {
     const fp = JSON.parse(line);
@@ -63,13 +63,14 @@ function analyzeFalsePositives(fpFile) {
   }
 
   for (const [detectorName, stats] of Object.entries(analysis.detectors)) {
-    stats.avg_confidence = stats.confidences.length > 0
-      ? (stats.confidences.reduce((a, b) => a + b, 0) / stats.confidences.length).toFixed(1)
-      : '0.0';
+    stats.avg_confidence =
+      stats.confidences.length > 0
+        ? (stats.confidences.reduce((a, b) => a + b, 0) / stats.confidences.length).toFixed(1)
+        : '0.0';
     stats.unique_package_count = stats.unique_packages.size;
     delete stats.unique_packages;
 
-    const fpShare = (stats.fp_count / analysis.total_fps * 100).toFixed(1);
+    const fpShare = ((stats.fp_count / analysis.total_fps) * 100).toFixed(1);
 
     if (stats.fp_count >= 5) {
       analysis.high_fp_detectors.push(detectorName);
@@ -114,10 +115,13 @@ for (const [name, stats] of Object.entries(analysis.detectors).sort(
   (a, b) => b[1].fp_count - a[1].fp_count
 )) {
   const dName = name.padEnd(32).slice(0, 32);
-  const examples = stats.examples.slice(0, 2).map(e => e.package).join(', ');
+  const examples = stats.examples
+    .slice(0, 2)
+    .map((e) => e.package)
+    .join(', ');
   console.log(
     `${dName} ${String(stats.fp_count).padStart(4)} ${String(stats.unique_package_count).padStart(11)} ` +
-    `${stats.avg_confidence.padStart(7)}  ${examples}`
+      `${stats.avg_confidence.padStart(7)}  ${examples}`
   );
 }
 
@@ -125,7 +129,9 @@ if (analysis.recommendations.length > 0) {
   console.log('\n=== RECOMMENDATIONS ===');
   for (const rec of analysis.recommendations) {
     console.log(`\n${rec.detector}:`);
-    console.log(`  FPs: ${rec.fp_count} (${rec.share_of_total_fps} of total) across ${rec.unique_packages} unique packages`);
+    console.log(
+      `  FPs: ${rec.fp_count} (${rec.share_of_total_fps} of total) across ${rec.unique_packages} unique packages`
+    );
     console.log(`  Avg confidence: ${rec.avg_confidence}`);
     console.log(`  Severity breakdown: ${JSON.stringify(rec.severity_distribution)}`);
     console.log(`  Suggestion: ${rec.suggested_action}`);

package/backend/scripts/analyze-validation.js

@@ -20,11 +20,13 @@ async function analyzeValidation(resultsFile) {
   }
 
   const text = readFileSync(absPath, 'utf-8');
-  const lines = text.split('\n').filter(l => l.trim());
+  const lines = text.split('\n').filter((l) => l.trim());
 
   for (const line of lines) {
     const result = JSON.parse(line);
-    if (result.error) continue;
+    if (result.error) {
+      continue;
+    }
 
     stats.total_packages += 1;
     stats.total_detections += result.detection_count;
@@ -47,8 +49,8 @@ async function analyzeValidation(resultsFile) {
     campaign.total += 1;
     campaign.total_expected += result.expected_detectors.length;
 
-    const matched = result.expected_detectors.filter(
-      id => result.detected_detectors.includes(id)
+    const matched = result.expected_detectors.filter((id) =>
+      result.detected_detectors.includes(id)
     );
     campaign.total_matched += matched.length;
     stats.total_expected += result.expected_detectors.length;
@@ -90,22 +92,24 @@ async function analyzeValidation(resultsFile) {
 
   for (const campaignId of Object.keys(stats.campaigns)) {
     const campaign = stats.campaigns[campaignId];
-    campaign.detection_rate = campaign.total > 0
-      ? ((campaign.detected / campaign.total) * 100).toFixed(1) + '%'
-      : '0%';
-    campaign.expected_match_rate = campaign.total_expected > 0
-      ? ((campaign.total_matched / campaign.total_expected) * 100).toFixed(1) + '%'
-      : '0%';
+    campaign.detection_rate =
+      campaign.total > 0 ? ((campaign.detected / campaign.total) * 100).toFixed(1) + '%' : '0%';
+    campaign.expected_match_rate =
+      campaign.total_expected > 0
+        ? ((campaign.total_matched / campaign.total_expected) * 100).toFixed(1) + '%'
+        : '0%';
   }
 
   for (const detectorName of Object.keys(stats.detectors)) {
     const detector = stats.detectors[detectorName];
-    detector.avg_confidence = detector.confidences.length > 0
-      ? (detector.confidences.reduce((a, b) => a + b, 0) / detector.confidences.length).toFixed(1)
-      : '0.0';
-    detector.precision = detector.total_hits > 0
-      ? ((detector.expected_count / detector.total_hits) * 100).toFixed(1) + '%'
-      : '0%';
+    detector.avg_confidence =
+      detector.confidences.length > 0
+        ? (detector.confidences.reduce((a, b) => a + b, 0) / detector.confidences.length).toFixed(1)
+        : '0.0';
+    detector.precision =
+      detector.total_hits > 0
+        ? ((detector.expected_count / detector.total_hits) * 100).toFixed(1) + '%'
+        : '0%';
   }
 
   return stats;
@@ -117,14 +121,16 @@ console.log(`[INFO] Analyzing ${resultsFile}...`);
 const stats = await analyzeValidation(resultsFile);
 
 console.log('\n=== CAMPAIGN DETECTION RATES ===');
-console.log('Campaign                         Packages  Detected  Rate     Expected  Matched  Match%');
+console.log(
+  'Campaign                         Packages  Detected  Rate     Expected  Matched  Match%'
+);
 console.log('─'.repeat(95));
-for (const [id, campaign] of Object.entries(stats.campaigns)) {
+for (const [_id, campaign] of Object.entries(stats.campaigns)) {
   const name = campaign.name.padEnd(33).slice(0, 33);
   console.log(
     `${name} ${String(campaign.total).padStart(8)} ${String(campaign.detected).padStart(9)} ` +
-    `${campaign.detection_rate.padStart(7)} ${String(campaign.total_expected).padStart(9)} ` +
-    `${String(campaign.total_matched).padStart(8)} ${campaign.expected_match_rate.padStart(7)}`
+      `${campaign.detection_rate.padStart(7)} ${String(campaign.total_expected).padStart(9)} ` +
+      `${String(campaign.total_matched).padStart(8)} ${campaign.expected_match_rate.padStart(7)}`
   );
 }
 console.log(`\nTotal: ${stats.total_packages} packages, ${stats.total_detections} detections`);
@@ -138,7 +144,7 @@ for (const [name, detector] of Object.entries(stats.detectors).sort(
   const dName = name.padEnd(32).slice(0, 32);
   console.log(
     `${dName} ${String(detector.total_hits).padStart(5)} ${String(detector.expected_count).padStart(9)} ` +
-    `${detector.precision.padStart(10)} ${detector.avg_confidence.padStart(14)}`
+      `${detector.precision.padStart(10)} ${detector.avg_confidence.padStart(14)}`
   );
 }
 

package/backend/scripts/detect-false-positives.js

@@ -18,7 +18,7 @@ async function detectFalsePositives(topPackagesFile, confidenceThreshold = 70) {
   }
 
   const text = readFileSync(absPath, 'utf-8');
-  const lines = text.split('\n').filter(l => l.trim());
+  const lines = text.split('\n').filter((l) => l.trim());
   console.log(`[INFO] Loaded ${lines.length} packages from ${topPackagesFile}`);
 
   const falsePositives = [];
@@ -48,8 +48,12 @@ async function detectFalsePositives(topPackagesFile, confidenceThreshold = 70) {
       const findings = await runAll(pkgJson, [], null, []);
 
       for (const detection of findings) {
-        if (detection.confidenceScore < confidenceThreshold) continue;
-        if (whitelistedDetectors && whitelistedDetectors.has(detection.id)) continue;
+        if (detection.confidenceScore < confidenceThreshold) {
+          continue;
+        }
+        if (whitelistedDetectors && whitelistedDetectors.has(detection.id)) {
+          continue;
+        }
 
         falsePositives.push({
           package: pkgName,
@@ -64,7 +68,9 @@ async function detectFalsePositives(topPackagesFile, confidenceThreshold = 70) {
         });
 
         if (falsePositives.length <= 10) {
-          console.log(`[FLAG] ${pkgName}@${pkg.version}: ${detection.id} (${detection.confidenceScore}%)`);
+          console.log(
+            `[FLAG] ${pkgName}@${pkg.version}: ${detection.id} (${detection.confidenceScore}%)`
+          );
         }
       }
     } catch (err) {
@@ -73,12 +79,14 @@ async function detectFalsePositives(topPackagesFile, confidenceThreshold = 70) {
   }
 
   const outPath = resolve('false-positives.jsonl');
-  const outputData = falsePositives.map(fp => JSON.stringify(fp)).join('\n') + '\n';
+  const outputData = falsePositives.map((fp) => JSON.stringify(fp)).join('\n') + '\n';
   writeFileSync(outPath, outputData, 'utf-8');
 
   const scannedCount = count - skipped;
   console.log(`\n[SUMMARY] Scanned ${scannedCount} packages (skipped ${skipped} whitelisted)`);
-  console.log(`[SUMMARY] Found ${falsePositives.length} potential false positives (${(falsePositives.length / scannedCount * 100).toFixed(1)}% FP rate)`);
+  console.log(
+    `[SUMMARY] Found ${falsePositives.length} potential false positives (${((falsePositives.length / scannedCount) * 100).toFixed(1)}% FP rate)`
+  );
   console.log(`[INFO] Written to ${outPath}`);
 
   return falsePositives;
@@ -87,7 +95,9 @@ async function detectFalsePositives(topPackagesFile, confidenceThreshold = 70) {
 const topPackagesFile = process.argv[2] || 'top-packages.jsonl';
 const confidenceThreshold = parseInt(process.argv[3]) || 70;
 
-detectFalsePositives(topPackagesFile, confidenceThreshold).then(() => process.exit(0)).catch(err => {
-  console.error(`[FATAL] ${err.message}`);
-  process.exit(1);
-});
+detectFalsePositives(topPackagesFile, confidenceThreshold)
+  .then(() => process.exit(0))
+  .catch((err) => {
+    console.error(`[FATAL] ${err.message}`);
+    process.exit(1);
+  });

package/backend/scripts/fetch-top-packages.js

@@ -26,7 +26,9 @@ async function fetchTopPackages(limit = 1000) {
       const data = await response.json();
 
       for (const result of data.results || []) {
-        if (packages.length >= limit) break;
+        if (packages.length >= limit) {
+          break;
+        }
         packages.push({
           name: result.package.name,
           version: result.package.version,
@@ -34,12 +36,14 @@ async function fetchTopPackages(limit = 1000) {
           keywords: result.package.keywords || [],
           publisher: result.package.publisher ? result.package.publisher.username : null,
           date: result.package.date,
-          score: result.score ? {
-            final: result.score.final,
-            quality: result.score.detail?.quality,
-            popularity: result.score.detail?.popularity,
-            maintenance: result.score.detail?.maintenance,
-          } : null,
+          score: result.score
+            ? {
+                final: result.score.final,
+                quality: result.score.detail?.quality,
+                popularity: result.score.detail?.popularity,
+                maintenance: result.score.detail?.maintenance,
+              }
+            : null,
         });
       }
 
@@ -48,10 +52,12 @@ async function fetchTopPackages(limit = 1000) {
       console.error(`[ERROR] Failed page ${page + 1}: ${err.message}`);
     }
 
-    if (packages.length >= limit) break;
+    if (packages.length >= limit) {
+      break;
+    }
 
     if (page < numPages - 1) {
-      await new Promise(r => setTimeout(r, 2000));
+      await new Promise((r) => setTimeout(r, 2000));
     }
   }
 
@@ -61,7 +67,7 @@ async function fetchTopPackages(limit = 1000) {
   }
 
   const outPath = resolve('top-packages.jsonl');
-  const lines = packages.map(pkg => JSON.stringify(pkg)).join('\n') + '\n';
+  const lines = packages.map((pkg) => JSON.stringify(pkg)).join('\n') + '\n';
   writeFileSync(outPath, lines, 'utf-8');
   console.log(`\n[INFO] Written ${packages.length} packages to ${outPath}`);
   return packages;
@@ -69,37 +75,177 @@ async function fetchTopPackages(limit = 1000) {
 
 async function fallbackList(limit) {
   const knownTop = [
-    'lodash', 'chalk', 'react', 'express', 'commander', 'axios', 'moment',
-    'webpack', 'eslint', 'typescript', 'prettier', 'babel', 'next', 'vue',
-    'angular', 'redux', 'jest', 'mocha', 'chai', 'sinon', 'nodemon',
-    'debug', 'async', 'request', 'colors', 'mkdirp', 'fs-extra', 'glob',
-    'yargs', 'minimist', 'uuid', 'date-fns', 'crypto-js', 'jsonwebtoken',
-    'passport', 'socket.io', 'ws', 'graphql', 'apollo', 'prisma',
-    'mongoose', 'pg', 'mysql2', 'redis', 'sequelize', 'typeorm',
-    'dotenv', 'cross-env', 'rimraf', 'semver', 'rimraf', 'tar',
-    'inquirer', 'ora', 'listr', 'conf', 'env-paths', 'find-up',
-    'p-locate', 'locate-path', 'path-exists', 'y18n', 'yallist',
-    'minipass', 'minizlib', 'supports-color', 'has-flag', 'wrap-ansi',
-    'string-width', 'strip-ansi', 'ansi-regex', 'is-fullwidth-code-point',
-    'emoji-regex', 'cliui', 'escalade', 'get-caller-file', 'require-directory',
-    'npm', 'node-fetch', 'got', 'phin', 'undici', 'make-fetch-happen',
-    'cacache', 'ssri', 'unique-filename', 'unique-slug', 'imurmurhash',
-    'signal-exit', 'which', 'isexe', 'minimatch', 'brace-expansion',
-    'balanced-match', 'concat-map', 'lru-cache', 'yallist', 'semver',
-    'json5', 'tslib', 'source-map', 'source-map-js', 'ms', 'mime',
-    'cookie', 'express-session', 'body-parser', 'cors', 'helmet',
-    'morgan', 'compression', 'serve-static', 'send', 'fresh',
-    'etag', 'parseurl', 'utils-merge', 'methods', 'array-flatten',
-    'qs', 'merge-descriptors', 'path-to-regexp', 'iconv-lite',
-    'raw-body', 'on-finished', 'ee-first', 'inherits', 'depd',
-    'http-errors', 'statuses', 'setprototypeof', 'toidentifier',
-    'content-type', 'negotiator', 'accepts', 'type-is', 'vary',
-    'encodeurl', 'escape-html', 'destroy', 'bytes', 'unpipe',
-    'finalhandler', 'media-typer', 'http-proxy', 'http-proxy-middleware',
-    'morgan', 'connect', 'pino', 'winston', 'bunyan', 'log4js',
-    'nanoid', 'uid', 'ulid', 'cuid', 'shortid', 'uuidv4', 'uuidv7',
-    'bcrypt', 'bcryptjs', 'argon2', 'scrypt', 'pbkdf2', 'crypto',
-    'node-forge', 'pkijs', 'asn1js', 'jsrsasign', 'jose', 'jwk',
+    'lodash',
+    'chalk',
+    'react',
+    'express',
+    'commander',
+    'axios',
+    'moment',
+    'webpack',
+    'eslint',
+    'typescript',
+    'prettier',
+    'babel',
+    'next',
+    'vue',
+    'angular',
+    'redux',
+    'jest',
+    'mocha',
+    'chai',
+    'sinon',
+    'nodemon',
+    'debug',
+    'async',
+    'request',
+    'colors',
+    'mkdirp',
+    'fs-extra',
+    'glob',
+    'yargs',
+    'minimist',
+    'uuid',
+    'date-fns',
+    'crypto-js',
+    'jsonwebtoken',
+    'passport',
+    'socket.io',
+    'ws',
+    'graphql',
+    'apollo',
+    'prisma',
+    'mongoose',
+    'pg',
+    'mysql2',
+    'redis',
+    'sequelize',
+    'typeorm',
+    'dotenv',
+    'cross-env',
+    'rimraf',
+    'semver',
+    'rimraf',
+    'tar',
+    'inquirer',
+    'ora',
+    'listr',
+    'conf',
+    'env-paths',
+    'find-up',
+    'p-locate',
+    'locate-path',
+    'path-exists',
+    'y18n',
+    'yallist',
+    'minipass',
+    'minizlib',
+    'supports-color',
+    'has-flag',
+    'wrap-ansi',
+    'string-width',
+    'strip-ansi',
+    'ansi-regex',
+    'is-fullwidth-code-point',
+    'emoji-regex',
+    'cliui',
+    'escalade',
+    'get-caller-file',
+    'require-directory',
+    'npm',
+    'node-fetch',
+    'got',
+    'phin',
+    'undici',
+    'make-fetch-happen',
+    'cacache',
+    'ssri',
+    'unique-filename',
+    'unique-slug',
+    'imurmurhash',
+    'signal-exit',
+    'which',
+    'isexe',
+    'minimatch',
+    'brace-expansion',
+    'balanced-match',
+    'concat-map',
+    'lru-cache',
+    'yallist',
+    'semver',
+    'json5',
+    'tslib',
+    'source-map',
+    'source-map-js',
+    'ms',
+    'mime',
+    'cookie',
+    'express-session',
+    'body-parser',
+    'cors',
+    'helmet',
+    'morgan',
+    'compression',
+    'serve-static',
+    'send',
+    'fresh',
+    'etag',
+    'parseurl',
+    'utils-merge',
+    'methods',
+    'array-flatten',
+    'qs',
+    'merge-descriptors',
+    'path-to-regexp',
+    'iconv-lite',
+    'raw-body',
+    'on-finished',
+    'ee-first',
+    'inherits',
+    'depd',
+    'http-errors',
+    'statuses',
+    'setprototypeof',
+    'toidentifier',
+    'content-type',
+    'negotiator',
+    'accepts',
+    'type-is',
+    'vary',
+    'encodeurl',
+    'escape-html',
+    'destroy',
+    'bytes',
+    'unpipe',
+    'finalhandler',
+    'media-typer',
+    'http-proxy',
+    'http-proxy-middleware',
+    'morgan',
+    'connect',
+    'pino',
+    'winston',
+    'bunyan',
+    'log4js',
+    'nanoid',
+    'uid',
+    'ulid',
+    'cuid',
+    'shortid',
+    'uuidv4',
+    'uuidv7',
+    'bcrypt',
+    'bcryptjs',
+    'argon2',
+    'scrypt',
+    'pbkdf2',
+    'crypto',
+    'node-forge',
+    'pkijs',
+    'asn1js',
+    'jsrsasign',
+    'jose',
+    'jwk',
   ];
   const pkgs = knownTop.slice(0, limit).map((name, i) => ({
     name,
@@ -113,17 +259,19 @@ async function fallbackList(limit) {
   console.log(`[FALLBACK] Using ${pkgs.length} known top packages`);
 
   const outPath = resolve('top-packages.jsonl');
-  const lines = pkgs.map(pkg => JSON.stringify(pkg)).join('\n') + '\n';
+  const lines = pkgs.map((pkg) => JSON.stringify(pkg)).join('\n') + '\n';
   writeFileSync(outPath, lines, 'utf-8');
   console.log(`[INFO] Written ${pkgs.length} packages to ${outPath}`);
   return pkgs;
 }
 
 const limit = parseInt(process.argv[2]) || 1000;
-fetchTopPackages(limit).then(pkgs => {
-  console.log(`[DONE] ${pkgs.length} packages fetched`);
-  process.exit(0);
-}).catch(err => {
-  console.error(`[FATAL] ${err.message}`);
-  process.exit(1);
-});
+fetchTopPackages(limit)
+  .then((pkgs) => {
+    console.log(`[DONE] ${pkgs.length} packages fetched`);
+    process.exit(0);
+  })
+  .catch((err) => {
+    console.error(`[FATAL] ${err.message}`);
+    process.exit(1);
+  });