@nodesecure/scanner 5.0.1 → 5.1.0

package/README.md

@@ -11,7 +11,7 @@ Scorecard](https://api.securityscorecards.dev/projects/github.com/NodeSecure/sca
 
 ## Requirements
 
-- [Node.js](https://nodejs.org/en/) version 16 or higher
+- [Node.js](https://nodejs.org/en/) version 18 or higher
 
 ## Getting Started
 

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "@nodesecure/scanner",
-  "version": "5.0.1",
+  "version": "5.1.0",
   "description": "A package API to run a static analysis of your module's dependencies.",
   "exports": "./index.js",
   "engines": {
-    "node": ">=16"
+    "node": ">=18"
   },
   "scripts": {
     "lint": "eslint src test",
@@ -50,36 +50,36 @@
   },
   "homepage": "https://github.com/NodeSecure/scanner#readme",
   "devDependencies": {
-    "@nodesecure/eslint-config": "^1.7.0",
+    "@nodesecure/eslint-config": "^1.8.0",
     "@slimio/is": "^2.0.0",
-    "@types/node": "^20.4.5",
-    "c8": "^7.13.0",
-    "dotenv": "^16.0.3",
+    "@types/node": "^20.10.0",
+    "c8": "^8.0.1",
+    "dotenv": "^16.3.1",
     "eslint": "^8.37.0",
     "get-folder-size": "^4.0.0",
-    "glob": "^10.3.4",
+    "glob": "^10.3.10",
     "pkg-ok": "^3.0.0",
-    "sinon": "^15.0.3",
+    "sinon": "^17.0.1",
     "snap-shot-core": "^10.2.4"
   },
   "dependencies": {
     "@nodesecure/authors": "^1.0.2",
     "@nodesecure/flags": "^2.4.0",
     "@nodesecure/fs-walk": "^1.0.0",
-    "@nodesecure/i18n": "^3.3.0",
-    "@nodesecure/js-x-ray": "^6.0.1",
-    "@nodesecure/npm-registry-sdk": "^1.5.2",
+    "@nodesecure/i18n": "^3.4.0",
+    "@nodesecure/js-x-ray": "^6.2.0",
+    "@nodesecure/npm-registry-sdk": "^1.6.1",
     "@nodesecure/ntlp": "^2.2.1",
     "@nodesecure/vuln": "^1.7.0",
     "@npm/types": "^1.0.2",
-    "@npmcli/arborist": "^6.2.6",
+    "@npmcli/arborist": "^7.2.1",
     "@slimio/lock": "^1.0.0",
     "builtins": "^5.0.1",
-    "combine-async-iterators": "^2.0.1",
-    "itertools": "^2.1.1",
+    "combine-async-iterators": "^2.1.0",
+    "itertools": "^2.1.2",
     "lodash.difference": "^4.5.0",
-    "pacote": "^15.1.1",
-    "semver": "^7.3.8"
+    "pacote": "^17.0.4",
+    "semver": "^7.5.4"
   },
   "type": "module"
 }

package/src/depWalker.js

@@ -19,7 +19,7 @@ import {
   NPM_TOKEN
 } from "./utils/index.js";
 import { scanDirOrArchive } from "./tarball.js";
-import { packageMetadata } from "./npmRegistry.js";
+import { packageMetadata, manifestMetadata } from "./npmRegistry.js";
 import Dependency from "./class/dependency.class.js";
 import Logger from "./class/logger.class.js";
 
@@ -262,12 +262,13 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
     const rootDepsOptions = { maxDepth, exclude, usePackageLock, fullLockMode, includeDevDeps, location, registry };
     for await (const currentDep of getRootDependencies(manifest, rootDepsOptions)) {
       const { name, version, dev } = currentDep;
+
       const current = currentDep.exportAsPlainObject(name === manifest.name ? 0 : void 0);
       let proceedDependencyAnalysis = true;
 
       if (dependencies.has(name)) {
-        // TODO: how to handle different metadata ?
         const dep = dependencies.get(name);
+        promisesToWait.push(manifestMetadata(name, version, dep.metadata));
 
         const currVersion = Object.keys(current.versions)[0];
         if (currVersion in dep.versions) {
@@ -333,7 +334,20 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
 
   // We do this because it "seem" impossible to link all dependencies in the first walk.
   // Because we are dealing with package only one time it may happen sometimes.
+  const globalWarnings = [];
   for (const [packageName, dependency] of dependencies) {
+    const metadataIntegrities = dependency.metadata?.integrity ?? {};
+
+    for (const [version, integrity] of Object.entries(metadataIntegrities)) {
+      const dependencyVer = dependency.versions[version];
+      if (!("integrity" in dependencyVer) || dependencyVer.flags.includes("isGit")) {
+        continue;
+      }
+
+      if (dependencyVer.integrity !== integrity) {
+        globalWarnings.push(`${packageName}@${version} manifest & tarball integrity doesn't match!`);
+      }
+    }
     for (const [verStr, verDescriptor] of Object.entries(dependency.versions)) {
       verDescriptor.flags.push(...addMissingVersionFlags(new Set(verDescriptor.flags), dependency));
 
@@ -352,7 +366,7 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
 
   try {
     const { warnings, flaggedAuthors } = await getDependenciesWarnings(dependencies);
-    payload.warnings = warnings;
+    payload.warnings = globalWarnings.concat(warnings);
     payload.flaggedAuthors = flaggedAuthors;
     payload.dependencies = Object.fromEntries(dependencies);
 

package/src/manifest.js

@@ -1,6 +1,7 @@
 // Import Node.js Dependencies
 import fs from "node:fs/promises";
 import path from "node:path";
+import crypto from "node:crypto";
 
 // Import Internal Dependencies
 import { parseAuthor } from "./utils/index.js";
@@ -10,6 +11,7 @@ import { parseAuthor } from "./utils/index.js";
 const kNativeNpmPackages = new Set([
   "node-gyp", "node-pre-gyp", "node-gyp-build", "node-addon-api"
 ]);
+const kNodemodulesBinPrefix = "node_modules/.bin/";
 
 /**
  * @see https://www.nerdycode.com/prevent-npm-executing-scripts-security/
@@ -24,7 +26,7 @@ const kUnsafeNpmScripts = new Set([
 
 /**
  * @param {!string} location
- * @returns {import("@npm/types").PackageJson}
+ * @returns {Promise<import("@npm/types").PackageJson>}
  */
 export async function read(location) {
   const packageStr = await fs.readFile(
@@ -37,13 +39,37 @@ export async function read(location) {
 
 export async function readAnalyze(location) {
   const {
-    description = "", author = {}, scripts = {},
-    dependencies = {}, devDependencies = {}, gypfile = false,
+    name,
+    version,
+    description = "",
+    author = {},
+    scripts = {},
+    dependencies = {},
+    devDependencies = {},
+    gypfile = false,
     engines = {},
     repository = {},
-    imports = {}
+    imports = {},
+    license = ""
   } = await read(location);
 
+  for (const [scriptName, scriptValue] of Object.entries(scripts)) {
+    scripts[scriptName] = scriptValue.replaceAll(kNodemodulesBinPrefix, "");
+  }
+
+  const integrityObj = {
+    name,
+    version,
+    dependencies,
+    license,
+    scripts
+  };
+
+  const integrity = crypto
+    .createHash("sha256")
+    .update(JSON.stringify(integrityObj))
+    .digest("hex");
+
   const packageDeps = Object.keys(dependencies);
   const packageDevDeps = Object.keys(devDependencies);
   const hasNativePackage = [...packageDevDeps, ...packageDeps]
@@ -60,6 +86,7 @@ export async function readAnalyze(location) {
     packageDeps,
     packageDevDeps,
     nodejs: { imports },
-    hasNativeElements: hasNativePackage || gypfile
+    hasNativeElements: hasNativePackage || gypfile,
+    integrity
   };
 }

package/src/npmRegistry.js

@@ -1,12 +1,28 @@
+// Import Node.js Dependencies
+import crypto from "node:crypto";
+
 // Import Third-party Dependencies
 import semver from "semver";
-import { packument } from "@nodesecure/npm-registry-sdk";
+import { packument, packumentVersion } from "@nodesecure/npm-registry-sdk";
 
 // Import Internal Dependencies
 import { parseAuthor } from "./utils/index.js";
 
+export async function manifestMetadata(name, version, metadata) {
+  try {
+    const pkgVersion = await packumentVersion(name, version);
+
+    const integrity = getPackumentVersionIntegrity(pkgVersion);
+    metadata.integrity[version] = integrity;
+  }
+  catch {
+    // Ignore
+  }
+}
+
 export async function packageMetadata(name, version, options) {
   const { ref, logger } = options;
+  const packageSpec = `${name}:${version}`;
 
   try {
     const pkg = await packument(name);
@@ -24,7 +40,8 @@ export async function packageMetadata(name, version, options) {
       lastUpdateAt,
       hasReceivedUpdateInOneYear: !(oneYearFromToday > lastUpdateAt),
       maintainers: pkg.maintainers ?? [],
-      publishers: []
+      publishers: [],
+      integrity: {}
     };
 
     const isOutdated = semver.neq(version, lastVersion);
@@ -35,6 +52,13 @@ export async function packageMetadata(name, version, options) {
     const publishers = new Set();
     let searchForMaintainersInVersions = metadata.maintainers.length === 0;
     for (const ver of Object.values(pkg.versions).reverse()) {
+      const versionSpec = `${ver.name}:${ver.version}`;
+      if (packageSpec === versionSpec) {
+        metadata.integrity[ver.version] = getPackumentVersionIntegrity(
+          ver
+        );
+      }
+
       const { _npmUser: npmUser, version, maintainers = [] } = ver;
       const isNullOrUndefined = typeof npmUser === "undefined" || npmUser === null;
       if (isNullOrUndefined || !("name" in npmUser) || typeof npmUser.name !== "string") {
@@ -70,3 +94,25 @@ export async function packageMetadata(name, version, options) {
     logger.tick("registry");
   }
 }
+
+function getPackumentVersionIntegrity(packumentVersion) {
+  const { name, version, dependencies = {}, license = "", scripts = {} } = packumentVersion;
+
+  // See https://github.com/npm/cli/issues/5234
+  if ("install" in dependencies && dependencies.install === "node-gyp rebuild") {
+    delete dependencies.install;
+  }
+
+  const integrityObj = {
+    name,
+    version,
+    dependencies,
+    license,
+    scripts
+  };
+
+  return crypto
+    .createHash("sha256")
+    .update(JSON.stringify(integrityObj))
+    .digest("hex");
+}

package/src/tarball.js

@@ -72,10 +72,19 @@ export async function scanDirOrArchive(name, version, options) {
     const {
       packageDeps,
       packageDevDeps,
-      author, description, hasScript, hasNativeElements, nodejs,
-      engines, repository, scripts
+      author,
+      description,
+      hasScript,
+      hasNativeElements,
+      nodejs,
+      engines,
+      repository,
+      scripts,
+      integrity
     } = await manifest.readAnalyze(dest);
-    Object.assign(ref, { author, description, engines, repository, scripts });
+    Object.assign(ref, {
+      author, description, engines, repository, scripts, integrity
+    });
 
     // Get the composition of the (extracted) directory
     const { ext, files, size } = await getTarballComposition(dest);

package/src/utils/semver.js

@@ -50,12 +50,13 @@ export async function getCleanDependencyName([depName, range]) {
 
 export function getSemVerWarning(value) {
   return {
-    kind: "invalid-semver",
+    kind: "zero-semver",
     file: "package.json",
     value,
     location: null,
-    i18n: "sast_warnings.invalidSemVer",
+    i18n: "sast_warnings.zeroSemVer",
     severity: "Information",
+    source: "Scanner",
     experimental: false
   };
 }

package/src/utils/warnings.js

@@ -8,7 +8,7 @@ import { extractAllAuthors } from "@nodesecure/authors";
 // Import Internal Dependencies
 import { getDirNameFromUrl } from "./dirname.js";
 
-i18n.extendFromSystemPath(
+await i18n.extendFromSystemPath(
   path.join(getDirNameFromUrl(import.meta.url), "..", "..", "i18n")
 );
 

package/types/scanner.d.ts

@@ -104,6 +104,13 @@ declare namespace Scanner {
      * If the dependency is a GIT repository
      */
     gitUrl: null | string;
+    /**
+     * Version MD5 integrity hash
+     * Generated by the scanner to verify manifest/tarball confusion
+     *
+     * (Not supported on GIT dependency)
+     */
+    integrity?: string;
   }
 
   export interface Dependency {
@@ -131,6 +138,11 @@ declare namespace Scanner {
        * List of people who published this package
        */
       publishers: Publisher[];
+      /**
+       * Version MD5 integrity hash
+       * Generated by the scanner to verify manifest/tarball confusion
+       */
+      integrity: Record<string, string>;
     }
     /** List of versions of this package available in the dependency tree (In the payload) */
     versions: Record<string, DependencyVersion>;