@nodesecure/scanner 5.0.0 → 5.1.0

package/README.md

@@ -11,7 +11,7 @@ Scorecard](https://api.securityscorecards.dev/projects/github.com/NodeSecure/sca
 
 ## Requirements
 
-- [Node.js](https://nodejs.org/en/) version 16 or higher
+- [Node.js](https://nodejs.org/en/) version 18 or higher
 
 ## Getting Started
 

package/i18n/english.js

@@ -0,0 +1,6 @@
+const scanner = {
+  disable_scarf: "This dependency could collect data against your consent so think to disable it with the env var: SCARF_ANALYTICS",
+  keylogging: "This dependency can retrieve your keyboard and mouse inputs. It can be used for 'keylogging' attacks/malwares."
+};
+
+export default { scanner };

package/i18n/french.js

@@ -0,0 +1,7 @@
+const scanner = {
+  disable_scarf: "Cette dépendance peut récolter des données contre votre volonté, pensez donc à la désactiver en fournissant la variable d'environnement SCARF_ANALYTICS",
+  keylogging: "Cette dépendance peut obtenir vos entrées clavier ou de souris. Cette dépendance peut être utilisée en tant que 'keylogging' attacks/malwares."
+};
+
+export default { scanner };
+

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "@nodesecure/scanner",
-  "version": "5.0.0",
+  "version": "5.1.0",
   "description": "A package API to run a static analysis of your module's dependencies.",
   "exports": "./index.js",
   "engines": {
-    "node": ">=16"
+    "node": ">=18"
   },
   "scripts": {
     "lint": "eslint src test",
@@ -16,6 +16,7 @@
   },
   "files": [
     "src",
+    "i18n",
     "types",
     "index.js",
     "index.d.ts"
@@ -49,36 +50,36 @@
   },
   "homepage": "https://github.com/NodeSecure/scanner#readme",
   "devDependencies": {
-    "@nodesecure/eslint-config": "^1.7.0",
+    "@nodesecure/eslint-config": "^1.8.0",
     "@slimio/is": "^2.0.0",
-    "@types/node": "^20.4.5",
-    "c8": "^7.13.0",
-    "dotenv": "^16.0.3",
+    "@types/node": "^20.10.0",
+    "c8": "^8.0.1",
+    "dotenv": "^16.3.1",
     "eslint": "^8.37.0",
     "get-folder-size": "^4.0.0",
-    "glob": "^10.3.4",
+    "glob": "^10.3.10",
     "pkg-ok": "^3.0.0",
-    "sinon": "^15.0.3",
+    "sinon": "^17.0.1",
     "snap-shot-core": "^10.2.4"
   },
   "dependencies": {
     "@nodesecure/authors": "^1.0.2",
     "@nodesecure/flags": "^2.4.0",
     "@nodesecure/fs-walk": "^1.0.0",
-    "@nodesecure/i18n": "^3.3.0",
-    "@nodesecure/js-x-ray": "^6.0.1",
-    "@nodesecure/npm-registry-sdk": "^1.5.2",
+    "@nodesecure/i18n": "^3.4.0",
+    "@nodesecure/js-x-ray": "^6.2.0",
+    "@nodesecure/npm-registry-sdk": "^1.6.1",
     "@nodesecure/ntlp": "^2.2.1",
     "@nodesecure/vuln": "^1.7.0",
     "@npm/types": "^1.0.2",
-    "@npmcli/arborist": "^6.2.6",
+    "@npmcli/arborist": "^7.2.1",
     "@slimio/lock": "^1.0.0",
     "builtins": "^5.0.1",
-    "combine-async-iterators": "^2.0.1",
-    "itertools": "^2.1.1",
+    "combine-async-iterators": "^2.1.0",
+    "itertools": "^2.1.2",
     "lodash.difference": "^4.5.0",
-    "pacote": "^15.1.1",
-    "semver": "^7.3.8"
+    "pacote": "^17.0.4",
+    "semver": "^7.5.4"
   },
   "type": "module"
 }

package/src/class/dependency.class.js

@@ -13,11 +13,15 @@ export default class Dependency {
     this.alias = {};
 
     if (parent !== null) {
-      parent.dependencyCount++;
+      parent.addChildren();
     }
     this.#parent = parent;
   }
 
+  addChildren() {
+    this.dependencyCount += 1;
+  }
+
   get fullName() {
     return `${this.name} ${this.version}`;
   }

package/src/depWalker.js

@@ -1,366 +1,381 @@
-// Import Node.js Dependencies
-import path from "path";
-import { readFileSync, promises as fs } from "fs";
-import timers from "timers/promises";
-import os from "os";
-
-// Import Third-party Dependencies
-import combineAsyncIterators from "combine-async-iterators";
-import * as iter from "itertools";
-import pacote from "pacote";
-import Arborist from "@npmcli/arborist";
-import Lock from "@slimio/lock";
-import * as vuln from "@nodesecure/vuln";
-import { ScannerLoggerEvents } from "./constants.js";
-
-// Import Internal Dependencies
-import {
-  mergeDependencies, getCleanDependencyName, getDependenciesWarnings, addMissingVersionFlags, isGitDependency,
-  NPM_TOKEN
-} from "./utils/index.js";
-import { scanDirOrArchive } from "./tarball.js";
-import { packageMetadata } from "./npmRegistry.js";
-import Dependency from "./class/dependency.class.js";
-import Logger from "./class/logger.class.js";
-
-const { version: packageVersion } = JSON.parse(
-  readFileSync(
-    new URL(path.join("..", "package.json"), import.meta.url)
-  )
-);
-
-export async function* searchDeepDependencies(packageName, gitURL, options) {
-  const { exclude, currDepth = 0, parent, maxDepth, registry } = options;
-
-  const { name, version, deprecated, ...pkg } = await pacote.manifest(gitURL ?? packageName, {
-    ...NPM_TOKEN,
-    registry,
-    cache: `${os.homedir()}/.npm`
-  });
-  const { dependencies, customResolvers, alias } = mergeDependencies(pkg);
-
-  const current = new Dependency(name, version, parent);
-  current.alias = Object.fromEntries(alias);
-
-  if (gitURL !== null) {
-    current.isGit(gitURL);
-    try {
-      await pacote.manifest(`${name}@${version}`, {
-        ...NPM_TOKEN,
-        registry,
-        cache: `${os.homedir()}/.npm`
-      });
-    }
-    catch {
-      current.existOnRemoteRegistry = false;
-    }
-  }
-  current.addFlag("isDeprecated", deprecated === true);
-  current.addFlag("hasCustomResolver", customResolvers.size > 0);
-  current.addFlag("hasDependencies", dependencies.size > 0);
-
-  if (currDepth !== maxDepth) {
-    const config = {
-      exclude, currDepth: currDepth + 1, parent: current, maxDepth, registry
-    };
-
-    const gitDependencies = iter.filter(customResolvers.entries(), ([, valueStr]) => isGitDependency(valueStr));
-    for (const [depName, valueStr] of gitDependencies) {
-      yield* searchDeepDependencies(depName, valueStr, config);
-    }
-
-    const depsNames = await Promise.all(iter.map(dependencies.entries(), getCleanDependencyName));
-    for (const [fullName, cleanName, isLatest] of depsNames) {
-      if (!isLatest) {
-        current.addFlag("hasOutdatedDependency");
-      }
-
-      if (exclude.has(cleanName)) {
-        exclude.get(cleanName).add(current.fullName);
-      }
-      else {
-        exclude.set(cleanName, new Set([current.fullName]));
-        yield* searchDeepDependencies(fullName, null, config);
-      }
-    }
-  }
-
-  yield current;
-}
-
-export async function* deepReadEdges(currentPackageName, options) {
-  const { to, parent, exclude, fullLockMode, includeDevDeps, registry } = options;
-  const { version, integrity = to.integrity } = to.package;
-
-  const updatedVersion = version === "*" || typeof version === "undefined" ? "latest" : version;
-  const current = new Dependency(currentPackageName, updatedVersion, parent);
-  current.dev = to.dev;
-
-  if (fullLockMode && !includeDevDeps) {
-    const { deprecated, _integrity, ...pkg } = await pacote.manifest(`${currentPackageName}@${updatedVersion}`, {
-      ...NPM_TOKEN,
-      registry,
-      cache: `${os.homedir()}/.npm`
-    });
-    const { customResolvers, alias } = mergeDependencies(pkg);
-
-    current.alias = Object.fromEntries(alias);
-    current.addFlag("hasValidIntegrity", _integrity === integrity);
-    current.addFlag("isDeprecated");
-    current.addFlag("hasCustomResolver", customResolvers.size > 0);
-
-    if (isGitDependency(to.resolved)) {
-      current.isGit(to.resolved);
-    }
-  }
-  current.addFlag("hasDependencies", to.edgesOut.size > 0);
-
-  for (const [packageName, { to: toNode }] of to.edgesOut) {
-    if (toNode === null || (!includeDevDeps && toNode.dev)) {
-      continue;
-    }
-    const cleanName = `${packageName}@${toNode.package.version}`;
-
-    if (exclude.has(cleanName)) {
-      exclude.get(cleanName).add(current.fullName);
-    }
-    else {
-      exclude.set(cleanName, new Set([current.fullName]));
-      yield* deepReadEdges(packageName, { parent: current, to: toNode, exclude, registry });
-    }
-  }
-  yield current;
-}
-
-export async function* getRootDependencies(manifest, options) {
-  const {
-    maxDepth = 4, exclude,
-    usePackageLock, fullLockMode, includeDevDeps,
-    location,
-    registry
-  } = options;
-
-  const { dependencies, customResolvers, alias } = mergeDependencies(manifest, void 0);
-  const parent = new Dependency(manifest.name, manifest.version);
-  parent.alias = Object.fromEntries(alias);
-
-  try {
-    await pacote.manifest(`${manifest.name}@${manifest.version}`, {
-      ...NPM_TOKEN,
-      registry,
-      cache: `${os.homedir()}/.npm`
-    });
-  }
-  catch {
-    parent.existOnRemoteRegistry = false;
-  }
-  parent.addFlag("hasCustomResolver", customResolvers.size > 0);
-  parent.addFlag("hasDependencies", dependencies.size > 0);
-
-  let iterators;
-  if (usePackageLock) {
-    const arb = new Arborist({
-      ...NPM_TOKEN,
-      path: location,
-      registry
-    });
-    let tree;
-    try {
-      await fs.access(path.join(location, "node_modules"));
-      tree = await arb.loadActual();
-    }
-    catch {
-      tree = await arb.loadVirtual();
-    }
-
-    iterators = [
-      ...iter
-        .filter(tree.edgesOut.entries(), ([, { to }]) => to !== null && (includeDevDeps ? true : (!to.dev || to.isWorkspace)))
-        .map(([packageName, { to }]) => [packageName, to.isWorkspace ? to.target : to])
-        .map(([packageName, to]) => deepReadEdges(packageName, {
-          to,
-          parent,
-          fullLockMode,
-          includeDevDeps,
-          exclude,
-          registry
-        }))
-    ];
-  }
-  else {
-    const configRef = { exclude, maxDepth, parent, registry };
-    iterators = [
-      ...iter.filter(customResolvers.entries(), ([, valueStr]) => isGitDependency(valueStr))
-        .map(([depName, valueStr]) => searchDeepDependencies(depName, valueStr, configRef)),
-      ...iter.map(dependencies.entries(), ([name, ver]) => searchDeepDependencies(`${name}@${ver}`, null, configRef))
-    ];
-  }
-  for await (const dep of combineAsyncIterators({}, ...iterators)) {
-    yield dep;
-  }
-
-  // Add root dependencies to the exclude Map (because the parent is not handled by searchDeepDependencies)
-  // if we skip this the code will fail to re-link properly dependencies in the following steps
-  const depsName = await Promise.all(iter.map(dependencies.entries(), getCleanDependencyName));
-  for (const [, fullRange, isLatest] of depsName) {
-    if (!isLatest) {
-      parent.addFlag("hasOutdatedDependency");
-    }
-    if (exclude.has(fullRange)) {
-      exclude.get(fullRange).add(parent.fullName);
-    }
-  }
-
-  yield parent;
-}
-
-/**
- * @param {*} manifest
- * @param {*} options
- * @param {Logger} logger
- */
-export async function depWalker(manifest, options = {}, logger = new Logger()) {
-  const {
-    forceRootAnalysis = false,
-    usePackageLock = false,
-    includeDevDeps = false,
-    fullLockMode = false,
-    maxDepth,
-    location,
-    vulnerabilityStrategy = vuln.strategies.NONE,
-    registry
-  } = options;
-
-  // Create TMP directory
-  const tmpLocation = await fs.mkdtemp(path.join(os.tmpdir(), "/"));
-
-  const payload = {
-    id: tmpLocation.slice(-6),
-    rootDependencyName: manifest.name,
-    scannerVersion: packageVersion,
-    vulnerabilityStrategy,
-    warnings: []
-  };
-
-  // We are dealing with an exclude Map to avoid checking a package more than one time in searchDeepDependencies
-  const exclude = new Map();
-  const dependencies = new Map();
-
-  {
-    logger
-      .start(ScannerLoggerEvents.analysis.tree)
-      .start(ScannerLoggerEvents.analysis.tarball)
-      .start(ScannerLoggerEvents.analysis.registry);
-    const fetchedMetadataPackages = new Set();
-    const promisesToWait = [];
-
-    const tarballLocker = new Lock({ maxConcurrent: 5 });
-    tarballLocker.on("freeOne", () => logger.tick(ScannerLoggerEvents.analysis.tarball));
-
-    const rootDepsOptions = { maxDepth, exclude, usePackageLock, fullLockMode, includeDevDeps, location, registry };
-    for await (const currentDep of getRootDependencies(manifest, rootDepsOptions)) {
-      const { name, version, dev } = currentDep;
-      const current = currentDep.exportAsPlainObject(name === manifest.name ? 0 : void 0);
-      let proceedDependencyAnalysis = true;
-
-      if (dependencies.has(name)) {
-        // TODO: how to handle different metadata ?
-        const dep = dependencies.get(name);
-
-        const currVersion = Object.keys(current.versions)[0];
-        if (currVersion in dep.versions) {
-          // The dependency has already entered the analysis
-          // This happens if the package is used by multiple packages in the tree
-          proceedDependencyAnalysis = false;
-        }
-        else {
-          dep.versions[currVersion] = current.versions[currVersion];
-        }
-      }
-      else {
-        dependencies.set(name, current);
-      }
-
-      // If the dependency is a DevDependencies we ignore it.
-      if (dev) {
-        continue;
-      }
-
-      if (proceedDependencyAnalysis) {
-        logger.tick(ScannerLoggerEvents.analysis.tree);
-
-        // There is no need to fetch 'N' times the npm metadata for the same package.
-        if (fetchedMetadataPackages.has(name)) {
-          logger.tick(ScannerLoggerEvents.analysis.registry);
-        }
-        else {
-          fetchedMetadataPackages.add(name);
-          promisesToWait.push(packageMetadata(name, version, {
-            ref: current,
-            logger
-          }));
-        }
-
-        promisesToWait.push(scanDirOrArchive(name, version, {
-          ref: current.versions[version],
-          location,
-          tmpLocation: forceRootAnalysis && name === manifest.name ? null : tmpLocation,
-          locker: tarballLocker,
-          logger,
-          registry
-        }));
-      }
-    }
-
-    logger.end(ScannerLoggerEvents.analysis.tree);
-
-    // Wait for all extraction to be done!
-    await Promise.allSettled(promisesToWait);
-    await timers.setImmediate();
-
-    logger.end(ScannerLoggerEvents.analysis.tarball).end(ScannerLoggerEvents.analysis.registry);
-  }
-
-  const { hydratePayloadDependencies, strategy } = await vuln.setStrategy(vulnerabilityStrategy);
-  await hydratePayloadDependencies(dependencies, {
-    useStandardFormat: true,
-    path: location
-  });
-
-  payload.vulnerabilityStrategy = strategy;
-
-  // We do this because it "seem" impossible to link all dependencies in the first walk.
-  // Because we are dealing with package only one time it may happen sometimes.
-  for (const [packageName, dependency] of dependencies) {
-    for (const [verStr, verDescriptor] of Object.entries(dependency.versions)) {
-      verDescriptor.flags.push(...addMissingVersionFlags(new Set(verDescriptor.flags), dependency));
-
-      const fullName = `${packageName}@${verStr}`;
-      const usedDeps = exclude.get(fullName) || new Set();
-      if (usedDeps.size === 0) {
-        continue;
-      }
-
-      const usedBy = Object.create(null);
-      for (const [name, version] of [...usedDeps].map((name) => name.split(" "))) {
-        usedBy[name] = version;
-      }
-      Object.assign(verDescriptor.usedBy, usedBy);
-    }
-  }
-
-  try {
-    const { warnings, flaggedAuthors } = await getDependenciesWarnings(dependencies);
-    payload.warnings = warnings;
-    payload.flaggedAuthors = flaggedAuthors;
-    payload.dependencies = Object.fromEntries(dependencies);
-
-    return payload;
-  }
-  finally {
-    await timers.setImmediate();
-    await fs.rm(tmpLocation, { recursive: true, force: true });
-
-    logger.emit(ScannerLoggerEvents.done);
-  }
-}
+// Import Node.js Dependencies
+import path from "path";
+import { readFileSync, promises as fs } from "fs";
+import timers from "timers/promises";
+import os from "os";
+
+// Import Third-party Dependencies
+import combineAsyncIterators from "combine-async-iterators";
+import * as iter from "itertools";
+import pacote from "pacote";
+import Arborist from "@npmcli/arborist";
+import Lock from "@slimio/lock";
+import * as vuln from "@nodesecure/vuln";
+import { ScannerLoggerEvents } from "./constants.js";
+
+// Import Internal Dependencies
+import {
+  mergeDependencies, getCleanDependencyName, getDependenciesWarnings, addMissingVersionFlags, isGitDependency,
+  NPM_TOKEN
+} from "./utils/index.js";
+import { scanDirOrArchive } from "./tarball.js";
+import { packageMetadata, manifestMetadata } from "./npmRegistry.js";
+import Dependency from "./class/dependency.class.js";
+import Logger from "./class/logger.class.js";
+
+const { version: packageVersion } = JSON.parse(
+  readFileSync(
+    new URL(path.join("..", "package.json"), import.meta.url)
+  )
+);
+
+export async function* searchDeepDependencies(packageName, gitURL, options) {
+  const { exclude, currDepth = 0, parent, maxDepth, registry } = options;
+
+  const { name, version, deprecated, ...pkg } = await pacote.manifest(gitURL ?? packageName, {
+    ...NPM_TOKEN,
+    registry,
+    cache: `${os.homedir()}/.npm`
+  });
+  const { dependencies, customResolvers, alias } = mergeDependencies(pkg);
+
+  const current = new Dependency(name, version, parent);
+  current.alias = Object.fromEntries(alias);
+
+  if (gitURL !== null) {
+    current.isGit(gitURL);
+    try {
+      await pacote.manifest(`${name}@${version}`, {
+        ...NPM_TOKEN,
+        registry,
+        cache: `${os.homedir()}/.npm`
+      });
+    }
+    catch {
+      current.existOnRemoteRegistry = false;
+    }
+  }
+  current.addFlag("isDeprecated", deprecated === true);
+  current.addFlag("hasCustomResolver", customResolvers.size > 0);
+  current.addFlag("hasDependencies", dependencies.size > 0);
+
+  if (currDepth !== maxDepth) {
+    const config = {
+      exclude, currDepth: currDepth + 1, parent: current, maxDepth, registry
+    };
+
+    const gitDependencies = iter.filter(customResolvers.entries(), ([, valueStr]) => isGitDependency(valueStr));
+    for (const [depName, valueStr] of gitDependencies) {
+      yield* searchDeepDependencies(depName, valueStr, config);
+    }
+
+    const depsNames = await Promise.all(iter.map(dependencies.entries(), getCleanDependencyName));
+    for (const [fullName, cleanName, isLatest] of depsNames) {
+      if (!isLatest) {
+        current.addFlag("hasOutdatedDependency");
+      }
+
+      if (exclude.has(cleanName)) {
+        current.addChildren();
+        exclude.get(cleanName).add(current.fullName);
+      }
+      else {
+        exclude.set(cleanName, new Set([current.fullName]));
+        yield* searchDeepDependencies(fullName, null, config);
+      }
+    }
+  }
+
+  yield current;
+}
+
+export async function* deepReadEdges(currentPackageName, options) {
+  const { to, parent, exclude, fullLockMode, includeDevDeps, registry } = options;
+  const { version, integrity = to.integrity } = to.package;
+
+  const updatedVersion = version === "*" || typeof version === "undefined" ? "latest" : version;
+  const current = new Dependency(currentPackageName, updatedVersion, parent);
+  current.dev = to.dev;
+
+  if (fullLockMode && !includeDevDeps) {
+    const { deprecated, _integrity, ...pkg } = await pacote.manifest(`${currentPackageName}@${updatedVersion}`, {
+      ...NPM_TOKEN,
+      registry,
+      cache: `${os.homedir()}/.npm`
+    });
+    const { customResolvers, alias } = mergeDependencies(pkg);
+
+    current.alias = Object.fromEntries(alias);
+    current.addFlag("hasValidIntegrity", _integrity === integrity);
+    current.addFlag("isDeprecated");
+    current.addFlag("hasCustomResolver", customResolvers.size > 0);
+
+    if (isGitDependency(to.resolved)) {
+      current.isGit(to.resolved);
+    }
+  }
+  current.addFlag("hasDependencies", to.edgesOut.size > 0);
+
+  for (const [packageName, { to: toNode }] of to.edgesOut) {
+    if (toNode === null || (!includeDevDeps && toNode.dev)) {
+      continue;
+    }
+    const cleanName = `${packageName}@${toNode.package.version}`;
+
+    if (exclude.has(cleanName)) {
+      current.addChildren();
+      exclude.get(cleanName).add(current.fullName);
+    }
+    else {
+      exclude.set(cleanName, new Set([current.fullName]));
+      yield* deepReadEdges(packageName, { parent: current, to: toNode, exclude, registry });
+    }
+  }
+  yield current;
+}
+
+export async function* getRootDependencies(manifest, options) {
+  const {
+    maxDepth = 4, exclude,
+    usePackageLock, fullLockMode, includeDevDeps,
+    location,
+    registry
+  } = options;
+
+  const { dependencies, customResolvers, alias } = mergeDependencies(manifest, void 0);
+  const parent = new Dependency(manifest.name, manifest.version);
+  parent.alias = Object.fromEntries(alias);
+
+  try {
+    await pacote.manifest(`${manifest.name}@${manifest.version}`, {
+      ...NPM_TOKEN,
+      registry,
+      cache: `${os.homedir()}/.npm`
+    });
+  }
+  catch {
+    parent.existOnRemoteRegistry = false;
+  }
+  parent.addFlag("hasCustomResolver", customResolvers.size > 0);
+  parent.addFlag("hasDependencies", dependencies.size > 0);
+
+  let iterators;
+  if (usePackageLock) {
+    const arb = new Arborist({
+      ...NPM_TOKEN,
+      path: location,
+      registry
+    });
+    let tree;
+    try {
+      await fs.access(path.join(location, "node_modules"));
+      tree = await arb.loadActual();
+    }
+    catch {
+      tree = await arb.loadVirtual();
+    }
+
+    iterators = [
+      ...iter
+        .filter(tree.edgesOut.entries(), ([, { to }]) => to !== null && (includeDevDeps ? true : (!to.dev || to.isWorkspace)))
+        .map(([packageName, { to }]) => [packageName, to.isWorkspace ? to.target : to])
+        .map(([packageName, to]) => deepReadEdges(packageName, {
+          to,
+          parent,
+          fullLockMode,
+          includeDevDeps,
+          exclude,
+          registry
+        }))
+    ];
+  }
+  else {
+    const configRef = { exclude, maxDepth, parent, registry };
+    iterators = [
+      ...iter.filter(customResolvers.entries(), ([, valueStr]) => isGitDependency(valueStr))
+        .map(([depName, valueStr]) => searchDeepDependencies(depName, valueStr, configRef)),
+      ...iter.map(dependencies.entries(), ([name, ver]) => searchDeepDependencies(`${name}@${ver}`, null, configRef))
+    ];
+  }
+  for await (const dep of combineAsyncIterators({}, ...iterators)) {
+    yield dep;
+  }
+
+  // Add root dependencies to the exclude Map (because the parent is not handled by searchDeepDependencies)
+  // if we skip this the code will fail to re-link properly dependencies in the following steps
+  const depsName = await Promise.all(iter.map(dependencies.entries(), getCleanDependencyName));
+  for (const [, fullRange, isLatest] of depsName) {
+    if (!isLatest) {
+      parent.addFlag("hasOutdatedDependency");
+    }
+    if (exclude.has(fullRange)) {
+      exclude.get(fullRange).add(parent.fullName);
+    }
+  }
+
+  yield parent;
+}
+
+/**
+ * @param {*} manifest
+ * @param {*} options
+ * @param {Logger} logger
+ */
+export async function depWalker(manifest, options = {}, logger = new Logger()) {
+  const {
+    forceRootAnalysis = false,
+    usePackageLock = false,
+    includeDevDeps = false,
+    fullLockMode = false,
+    maxDepth,
+    location,
+    vulnerabilityStrategy = vuln.strategies.NONE,
+    registry
+  } = options;
+
+  // Create TMP directory
+  const tmpLocation = await fs.mkdtemp(path.join(os.tmpdir(), "/"));
+
+  const payload = {
+    id: tmpLocation.slice(-6),
+    rootDependencyName: manifest.name,
+    scannerVersion: packageVersion,
+    vulnerabilityStrategy,
+    warnings: []
+  };
+
+  // We are dealing with an exclude Map to avoid checking a package more than one time in searchDeepDependencies
+  const exclude = new Map();
+  const dependencies = new Map();
+
+  {
+    logger
+      .start(ScannerLoggerEvents.analysis.tree)
+      .start(ScannerLoggerEvents.analysis.tarball)
+      .start(ScannerLoggerEvents.analysis.registry);
+    const fetchedMetadataPackages = new Set();
+    const promisesToWait = [];
+
+    const tarballLocker = new Lock({ maxConcurrent: 5 });
+    tarballLocker.on("freeOne", () => logger.tick(ScannerLoggerEvents.analysis.tarball));
+
+    const rootDepsOptions = { maxDepth, exclude, usePackageLock, fullLockMode, includeDevDeps, location, registry };
+    for await (const currentDep of getRootDependencies(manifest, rootDepsOptions)) {
+      const { name, version, dev } = currentDep;
+
+      const current = currentDep.exportAsPlainObject(name === manifest.name ? 0 : void 0);
+      let proceedDependencyAnalysis = true;
+
+      if (dependencies.has(name)) {
+        const dep = dependencies.get(name);
+        promisesToWait.push(manifestMetadata(name, version, dep.metadata));
+
+        const currVersion = Object.keys(current.versions)[0];
+        if (currVersion in dep.versions) {
+          // The dependency has already entered the analysis
+          // This happens if the package is used by multiple packages in the tree
+          proceedDependencyAnalysis = false;
+        }
+        else {
+          dep.versions[currVersion] = current.versions[currVersion];
+        }
+      }
+      else {
+        dependencies.set(name, current);
+      }
+
+      // If the dependency is a DevDependencies we ignore it.
+      if (dev) {
+        continue;
+      }
+
+      if (proceedDependencyAnalysis) {
+        logger.tick(ScannerLoggerEvents.analysis.tree);
+
+        // There is no need to fetch 'N' times the npm metadata for the same package.
+        if (fetchedMetadataPackages.has(name)) {
+          logger.tick(ScannerLoggerEvents.analysis.registry);
+        }
+        else {
+          fetchedMetadataPackages.add(name);
+          promisesToWait.push(packageMetadata(name, version, {
+            ref: current,
+            logger
+          }));
+        }
+
+        promisesToWait.push(scanDirOrArchive(name, version, {
+          ref: current.versions[version],
+          location,
+          tmpLocation: forceRootAnalysis && name === manifest.name ? null : tmpLocation,
+          locker: tarballLocker,
+          logger,
+          registry
+        }));
+      }
+    }
+
+    logger.end(ScannerLoggerEvents.analysis.tree);
+
+    // Wait for all extraction to be done!
+    await Promise.allSettled(promisesToWait);
+    await timers.setImmediate();
+
+    logger.end(ScannerLoggerEvents.analysis.tarball).end(ScannerLoggerEvents.analysis.registry);
+  }
+
+  const { hydratePayloadDependencies, strategy } = await vuln.setStrategy(vulnerabilityStrategy);
+  await hydratePayloadDependencies(dependencies, {
+    useStandardFormat: true,
+    path: location
+  });
+
+  payload.vulnerabilityStrategy = strategy;
+
+  // We do this because it "seem" impossible to link all dependencies in the first walk.
+  // Because we are dealing with package only one time it may happen sometimes.
+  const globalWarnings = [];
+  for (const [packageName, dependency] of dependencies) {
+    const metadataIntegrities = dependency.metadata?.integrity ?? {};
+
+    for (const [version, integrity] of Object.entries(metadataIntegrities)) {
+      const dependencyVer = dependency.versions[version];
+      if (!("integrity" in dependencyVer) || dependencyVer.flags.includes("isGit")) {
+        continue;
+      }
+
+      if (dependencyVer.integrity !== integrity) {
+        globalWarnings.push(`${packageName}@${version} manifest & tarball integrity doesn't match!`);
+      }
+    }
+    for (const [verStr, verDescriptor] of Object.entries(dependency.versions)) {
+      verDescriptor.flags.push(...addMissingVersionFlags(new Set(verDescriptor.flags), dependency));
+
+      const usedDeps = exclude.get(`${packageName}@${verStr}`) || new Set();
+      if (usedDeps.size === 0) {
+        continue;
+      }
+
+      const usedBy = Object.create(null);
+      for (const [name, version] of [...usedDeps].map((name) => name.split(" "))) {
+        usedBy[name] = version;
+      }
+      Object.assign(verDescriptor.usedBy, usedBy);
+    }
+  }
+
+  try {
+    const { warnings, flaggedAuthors } = await getDependenciesWarnings(dependencies);
+    payload.warnings = globalWarnings.concat(warnings);
+    payload.flaggedAuthors = flaggedAuthors;
+    payload.dependencies = Object.fromEntries(dependencies);
+
+    return payload;
+  }
+  finally {
+    await timers.setImmediate();
+    await fs.rm(tmpLocation, { recursive: true, force: true });
+
+    logger.emit(ScannerLoggerEvents.done);
+  }
+}

package/src/manifest.js

@@ -1,6 +1,7 @@
 // Import Node.js Dependencies
 import fs from "node:fs/promises";
 import path from "node:path";
+import crypto from "node:crypto";
 
 // Import Internal Dependencies
 import { parseAuthor } from "./utils/index.js";
@@ -10,6 +11,7 @@ import { parseAuthor } from "./utils/index.js";
 const kNativeNpmPackages = new Set([
   "node-gyp", "node-pre-gyp", "node-gyp-build", "node-addon-api"
 ]);
+const kNodemodulesBinPrefix = "node_modules/.bin/";
 
 /**
  * @see https://www.nerdycode.com/prevent-npm-executing-scripts-security/
@@ -24,7 +26,7 @@ const kUnsafeNpmScripts = new Set([
 
 /**
  * @param {!string} location
- * @returns {import("@npm/types").PackageJson}
+ * @returns {Promise<import("@npm/types").PackageJson>}
  */
 export async function read(location) {
   const packageStr = await fs.readFile(
@@ -37,13 +39,37 @@ export async function read(location) {
 
 export async function readAnalyze(location) {
   const {
-    description = "", author = {}, scripts = {},
-    dependencies = {}, devDependencies = {}, gypfile = false,
+    name,
+    version,
+    description = "",
+    author = {},
+    scripts = {},
+    dependencies = {},
+    devDependencies = {},
+    gypfile = false,
     engines = {},
     repository = {},
-    imports = {}
+    imports = {},
+    license = ""
   } = await read(location);
 
+  for (const [scriptName, scriptValue] of Object.entries(scripts)) {
+    scripts[scriptName] = scriptValue.replaceAll(kNodemodulesBinPrefix, "");
+  }
+
+  const integrityObj = {
+    name,
+    version,
+    dependencies,
+    license,
+    scripts
+  };
+
+  const integrity = crypto
+    .createHash("sha256")
+    .update(JSON.stringify(integrityObj))
+    .digest("hex");
+
   const packageDeps = Object.keys(dependencies);
   const packageDevDeps = Object.keys(devDependencies);
   const hasNativePackage = [...packageDevDeps, ...packageDeps]
@@ -60,6 +86,7 @@ export async function readAnalyze(location) {
     packageDeps,
     packageDevDeps,
     nodejs: { imports },
-    hasNativeElements: hasNativePackage || gypfile
+    hasNativeElements: hasNativePackage || gypfile,
+    integrity
   };
 }

package/src/npmRegistry.js

@@ -1,12 +1,28 @@
+// Import Node.js Dependencies
+import crypto from "node:crypto";
+
 // Import Third-party Dependencies
 import semver from "semver";
-import { packument } from "@nodesecure/npm-registry-sdk";
+import { packument, packumentVersion } from "@nodesecure/npm-registry-sdk";
 
 // Import Internal Dependencies
 import { parseAuthor } from "./utils/index.js";
 
+export async function manifestMetadata(name, version, metadata) {
+  try {
+    const pkgVersion = await packumentVersion(name, version);
+
+    const integrity = getPackumentVersionIntegrity(pkgVersion);
+    metadata.integrity[version] = integrity;
+  }
+  catch {
+    // Ignore
+  }
+}
+
 export async function packageMetadata(name, version, options) {
   const { ref, logger } = options;
+  const packageSpec = `${name}:${version}`;
 
   try {
     const pkg = await packument(name);
@@ -24,7 +40,8 @@ export async function packageMetadata(name, version, options) {
       lastUpdateAt,
       hasReceivedUpdateInOneYear: !(oneYearFromToday > lastUpdateAt),
       maintainers: pkg.maintainers ?? [],
-      publishers: []
+      publishers: [],
+      integrity: {}
     };
 
     const isOutdated = semver.neq(version, lastVersion);
@@ -35,6 +52,13 @@ export async function packageMetadata(name, version, options) {
     const publishers = new Set();
     let searchForMaintainersInVersions = metadata.maintainers.length === 0;
     for (const ver of Object.values(pkg.versions).reverse()) {
+      const versionSpec = `${ver.name}:${ver.version}`;
+      if (packageSpec === versionSpec) {
+        metadata.integrity[ver.version] = getPackumentVersionIntegrity(
+          ver
+        );
+      }
+
       const { _npmUser: npmUser, version, maintainers = [] } = ver;
       const isNullOrUndefined = typeof npmUser === "undefined" || npmUser === null;
       if (isNullOrUndefined || !("name" in npmUser) || typeof npmUser.name !== "string") {
@@ -70,3 +94,25 @@ export async function packageMetadata(name, version, options) {
     logger.tick("registry");
   }
 }
+
+function getPackumentVersionIntegrity(packumentVersion) {
+  const { name, version, dependencies = {}, license = "", scripts = {} } = packumentVersion;
+
+  // See https://github.com/npm/cli/issues/5234
+  if ("install" in dependencies && dependencies.install === "node-gyp rebuild") {
+    delete dependencies.install;
+  }
+
+  const integrityObj = {
+    name,
+    version,
+    dependencies,
+    license,
+    scripts
+  };
+
+  return crypto
+    .createHash("sha256")
+    .update(JSON.stringify(integrityObj))
+    .digest("hex");
+}

package/src/tarball.js

@@ -72,10 +72,19 @@ export async function scanDirOrArchive(name, version, options) {
     const {
       packageDeps,
       packageDevDeps,
-      author, description, hasScript, hasNativeElements, nodejs,
-      engines, repository, scripts
+      author,
+      description,
+      hasScript,
+      hasNativeElements,
+      nodejs,
+      engines,
+      repository,
+      scripts,
+      integrity
     } = await manifest.readAnalyze(dest);
-    Object.assign(ref, { author, description, engines, repository, scripts });
+    Object.assign(ref, {
+      author, description, engines, repository, scripts, integrity
+    });
 
     // Get the composition of the (extracted) directory
     const { ext, files, size } = await getTarballComposition(dest);

package/src/utils/semver.js

@@ -50,12 +50,13 @@ export async function getCleanDependencyName([depName, range]) {
 
 export function getSemVerWarning(value) {
   return {
-    kind: "invalid-semver",
+    kind: "zero-semver",
     file: "package.json",
     value,
     location: null,
-    i18n: "sast_warnings.invalidSemVer",
+    i18n: "sast_warnings.zeroSemVer",
     severity: "Information",
+    source: "Scanner",
     experimental: false
   };
 }

package/src/utils/warnings.js

@@ -8,7 +8,7 @@ import { extractAllAuthors } from "@nodesecure/authors";
 // Import Internal Dependencies
 import { getDirNameFromUrl } from "./dirname.js";
 
-i18n.extendFromSystemPath(
+await i18n.extendFromSystemPath(
   path.join(getDirNameFromUrl(import.meta.url), "..", "..", "i18n")
 );
 

package/types/scanner.d.ts

@@ -104,6 +104,13 @@ declare namespace Scanner {
      * If the dependency is a GIT repository
      */
     gitUrl: null | string;
+    /**
+     * Version MD5 integrity hash
+     * Generated by the scanner to verify manifest/tarball confusion
+     *
+     * (Not supported on GIT dependency)
+     */
+    integrity?: string;
   }
 
   export interface Dependency {
@@ -131,6 +138,11 @@ declare namespace Scanner {
        * List of people who published this package
        */
       publishers: Publisher[];
+      /**
+       * Version MD5 integrity hash
+       * Generated by the scanner to verify manifest/tarball confusion
+       */
+      integrity: Record<string, string>;
     }
     /** List of versions of this package available in the dependency tree (In the payload) */
     versions: Record<string, DependencyVersion>;