@rexymayderio/sentinel 0.1.0 → 0.1.1
- package/dist/analyzers/source-analyzer.d.ts.map +1 -1
- package/dist/analyzers/source-analyzer.js +14 -11
- package/dist/analyzers/source-analyzer.js.map +1 -1
- package/dist/analyzers/test-path.d.ts +3 -0
- package/dist/analyzers/test-path.d.ts.map +1 -1
- package/dist/analyzers/test-path.js +30 -0
- package/dist/analyzers/test-path.js.map +1 -1
- package/dist/analyzers/typosquat.d.ts +4 -0
- package/dist/analyzers/typosquat.d.ts.map +1 -0
- package/dist/analyzers/typosquat.js +45 -0
- package/dist/analyzers/typosquat.js.map +1 -0
- package/dist/core/sentinel.d.ts.map +1 -1
- package/dist/core/sentinel.js +15 -4
- package/dist/core/sentinel.js.map +1 -1
- package/dist/engine/policy-engine.js +3 -3
- package/dist/engine/policy-engine.js.map +1 -1
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"source-analyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/source-analyzer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;
|
|
1
|
+
{"version":3,"file":"source-analyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/source-analyzer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAkB/D,qBAAa,cAAe,YAAW,QAAQ;IAC7C,QAAQ,CAAC,EAAE,YAAY;IAEvB,QAAQ,IAAI,OAAO;IAIb,OAAO,CAAC,GAAG,EAAE,eAAe;CAwDnC"}
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
import { createFinding } from '../domain/finding.js';
|
|
2
2
|
import { POPULAR_NPM_PACKAGES, SUSPICIOUS_TLDS } from './rules/index.js';
|
|
3
|
+
import { isSuspiciousTyposquatCandidate } from './typosquat.js';
|
|
3
4
|
function levenshtein(a, b) {
|
|
4
5
|
const matrix = [];
|
|
5
6
|
for (let i = 0; i <= b.length; i++)
|
|
@@ -52,17 +53,19 @@ export class SourceAnalyzer {
|
|
|
52
53
|
}
|
|
53
54
|
if (target.ecosystem === 'npm' && metadata.name) {
|
|
54
55
|
const pkgName = metadata.name.toLowerCase();
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
56
|
+
if (isSuspiciousTyposquatCandidate(metadata)) {
|
|
57
|
+
for (const popular of POPULAR_NPM_PACKAGES) {
|
|
58
|
+
if (pkgName !== popular) {
|
|
59
|
+
const distance = levenshtein(pkgName, popular);
|
|
60
|
+
if (distance > 0 && distance <= 2) {
|
|
61
|
+
findings.push(createFinding({
|
|
62
|
+
category: 'source',
|
|
63
|
+
severity: 'CRITICAL',
|
|
64
|
+
title: 'Possible typosquatting',
|
|
65
|
+
description: `Package name "${pkgName}" is similar to popular package "${popular}" (distance: ${distance})`,
|
|
66
|
+
ruleId: 'typosquatting',
|
|
67
|
+
}));
|
|
68
|
+
}
|
|
66
69
|
}
|
|
67
70
|
}
|
|
68
71
|
}
|
|
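Review bot: The new `if (isSuspiciousTyposquatCandidate(metadata))` gate (new line 56) drops the typosquat check entirely rather than lowering it, so a package within edit distance 2 of a popular name that looks established (trusted repository string, old first publish, high download count) leaves no trace in the findings. Keeping the signal reviewable at reduced severity — for example an `else` branch that pushes the same finding with `severity: 'LOW'` and a description stating why it was downgraded — lets the policy engine and a human reviewer still see the name collision. Separately, `distance > 0` on the inner `if` is already implied by the `pkgName !== popular` guard just above it and can be dropped. The enclosing `analyze` method starts before this hunk, and the old lines 55–65 it replaces are not rendered on this page, so I cannot confirm what else changed inside the loop.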
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"source-analyzer.js","sourceRoot":"","sources":["../../src/analyzers/source-analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAErD,OAAO,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;
|
|
1
|
+
{"version":3,"file":"source-analyzer.js","sourceRoot":"","sources":["../../src/analyzers/source-analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAErD,OAAO,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACzE,OAAO,EAAE,8BAA8B,EAAE,MAAM,gBAAgB,CAAC;AAEhE,SAAS,WAAW,CAAC,CAAS,EAAE,CAAS;IACvC,MAAM,MAAM,GAAe,EAAE,CAAC;IAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACpD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,MAAM,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACtD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACnC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACnC,MAAM,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;gBACnC,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAE,CAAC,CAAC,GAAG,CAAC,CAAE;gBACxB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAE,CAAC,CAAC,GAAG,CAAC,CAAE,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC,CAAE,CAAC,CAAC,GAAG,CAAC,CAAE,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC,GAAG,CAAC,CAAE,CAAC,CAAC,CAAE,GAAG,CAAC,CAAC,CAAC;QAC3F,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC,CAAC,CAAC,MAAM,CAAE,CAAC,CAAC,CAAC,MAAM,CAAE,CAAC;AACtC,CAAC;AAED,MAAM,OAAO,cAAc;IAChB,EAAE,GAAG,QAAQ,CAAC;IAEvB,QAAQ;QACN,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAoB;QAChC,MAAM,QAAQ,GAAG,EAAE,CAAC;QACpB,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,QAAQ,CAAC;QAC1C,MAAM,SAAS,GAAG,QAAQ,CAAC,SAAS,IAAI,QAAQ,CAAC,UAAU,IAAI,QAAQ,CAAC,QAAQ,CAAC;QAEjF,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,WAAW,GAAG,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,cAAc,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAE7G,IAAI,CAAC,WAAW,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBACtD,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;oBAC1B,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,kBAAkB;oBACzB,WAAW,EAAE,kCAAkC,SAAS,EAAE;oBAC1D,MAAM,EAAE,WAAW;iBACpB,CAAC,CAAC,CAAC;YACN,CAAC;YAED,I
AAI,CAAC,WAAW,EAAE,CAAC;gBACjB,KAAK,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;oBAClC,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;wBAC5B,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;4BAC1B,QAAQ,EAAE,QAAQ;4BAClB,QAAQ,EAAE,MAAM;4BAChB,KAAK,EAAE,gBAAgB;4BACvB,WAAW,EAAE,4CAA4C,GAAG,EAAE;4BAC9D,MAAM,EAAE,gBAAgB;4BACxB,QAAQ,EAAE,SAAS;yBACpB,CAAC,CAAC,CAAC;oBACN,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,MAAM,CAAC,SAAS,KAAK,KAAK,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;YAChD,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YAC5C,IAAI,8BAA8B,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC7C,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;oBAC3C,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;wBACxB,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;wBAC/C,IAAI,QAAQ,GAAG,CAAC,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;4BAClC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;gCAC1B,QAAQ,EAAE,QAAQ;gCAClB,QAAQ,EAAE,UAAU;gCACpB,KAAK,EAAE,wBAAwB;gCAC/B,WAAW,EAAE,iBAAiB,OAAO,oCAAoC,OAAO,gBAAgB,QAAQ,GAAG;gCAC3G,MAAM,EAAE,eAAe;6BACxB,CAAC,CAAC,CAAC;wBACN,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}
|
|
@@ -1,2 +1,5 @@
|
|
|
1
|
+
/** npm packages where shell/process APIs in lib/ are expected (test runners). */
|
|
2
|
+
export declare const TEST_TOOL_PACKAGES: Set<string>;
|
|
1
3
|
export declare function isTestPath(filePath: string): boolean;
|
|
4
|
+
export declare function isTestToolShellFinding(packageName: string | undefined, filePath: string | undefined, ruleId: string | undefined): boolean;
|
|
2
5
|
//# sourceMappingURL=test-path.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"test-path.d.ts","sourceRoot":"","sources":["../../src/analyzers/test-path.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"test-path.d.ts","sourceRoot":"","sources":["../../src/analyzers/test-path.ts"],"names":[],"mappings":"AAkBA,iFAAiF;AACjF,eAAO,MAAM,kBAAkB,aAU7B,CAAC;AAqBH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAYpD;AAED,wBAAgB,sBAAsB,CACpC,WAAW,EAAE,MAAM,GAAG,SAAS,EAC/B,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,MAAM,EAAE,MAAM,GAAG,SAAS,GACzB,OAAO,CAKT"}
|
|
@@ -11,6 +11,30 @@ const TEST_DIR_SEGMENTS = new Set([
|
|
|
11
11
|
'e2e',
|
|
12
12
|
'mocks',
|
|
13
13
|
'testdata',
|
|
14
|
+
'test_runner',
|
|
15
|
+
'test-runner',
|
|
16
|
+
'testing',
|
|
17
|
+
]);
|
|
18
|
+
/** npm packages where shell/process APIs in lib/ are expected (test runners). */
|
|
19
|
+
export const TEST_TOOL_PACKAGES = new Set([
|
|
20
|
+
'test',
|
|
21
|
+
'jest',
|
|
22
|
+
'vitest',
|
|
23
|
+
'mocha',
|
|
24
|
+
'tap',
|
|
25
|
+
'ava',
|
|
26
|
+
'jasmine',
|
|
27
|
+
'playwright',
|
|
28
|
+
'cypress',
|
|
29
|
+
]);
|
|
30
|
+
const SHELL_RULE_IDS = new Set([
|
|
31
|
+
'spawn',
|
|
32
|
+
'exec',
|
|
33
|
+
'exec-sync-file',
|
|
34
|
+
'child-process',
|
|
35
|
+
'os-system',
|
|
36
|
+
'subprocess',
|
|
37
|
+
'powershell',
|
|
14
38
|
]);
|
|
15
39
|
function isTestFileName(name) {
|
|
16
40
|
const lower = name.toLowerCase();
|
|
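Review bot: `SHELL_RULE_IDS` (new lines 30–38) is a second, module-private copy of the rule-id list that `policy-engine.js` still hard-codes inline in its `hasShell` check (`['spawn', 'exec', 'child-process', 'os-system', 'subprocess']`), and the two already disagree: `exec-sync-file` and `powershell` count as shell rules for test-tagging but not for the REQUIRE_APPROVAL decision. Exporting the set (`export const SHELL_RULE_IDS = new Set([...])`) and having the policy engine test `SHELL_RULE_IDS.has(f.ruleId ?? '')` keeps the two in step. `TEST_TOOL_PACKAGES` is keyed on the bare package name only, so it applies to every version and publisher of those names; a one-line comment stating that this is intentional, and that tagged findings are kept in the output rather than removed, would help the next reader.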
@@ -29,4 +53,10 @@ export function isTestPath(filePath) {
|
|
|
29
53
|
.slice(0, -1)
|
|
30
54
|
.some((segment) => TEST_DIR_SEGMENTS.has(segment.toLowerCase()));
|
|
31
55
|
}
|
|
56
|
+
export function isTestToolShellFinding(packageName, filePath, ruleId) {
|
|
57
|
+
if (!packageName || !filePath || !ruleId || !SHELL_RULE_IDS.has(ruleId)) {
|
|
58
|
+
return false;
|
|
59
|
+
}
|
|
60
|
+
return TEST_TOOL_PACKAGES.has(packageName.toLowerCase()) && isTestPath(filePath);
|
|
61
|
+
}
|
|
32
62
|
//# sourceMappingURL=test-path.js.map
|
|
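Review bot: `isTestToolShellFinding` requires `isTestPath(filePath)` on its last line, but its only caller in this diff, `tagTestFindings` in `sentinel.js`, has already returned `{ ...finding, isTest: true }` whenever `isTestPath(finding.file)` holds, so the new branch there can never tag anything the preceding branch did not. Either the conjunct is unintended — the accompanying `.d.ts` comment says shell/process APIs "in lib/" are expected for these packages, which `isTestPath` does not cover — or the helper is redundant; in the first case replace `isTestPath(filePath)` with the lib-path condition actually meant, in the second drop the extra branch in `tagTestFindings`. Whichever is intended, a docstring on this function stating the exact condition under which a shell finding is demoted to test would make the effect auditable, since demoted findings no longer influence the shell-access decision in `policy-engine.js`.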
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"test-path.js","sourceRoot":"","sources":["../../src/analyzers/test-path.ts"],"names":[],"mappings":"AAAA,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,MAAM;IACN,OAAO;IACP,WAAW;IACX,WAAW;IACX,cAAc;IACd,UAAU;IACV,SAAS;IACT,MAAM;IACN,OAAO;IACP,KAAK;IACL,OAAO;IACP,UAAU;
|
|
1
|
+
{"version":3,"file":"test-path.js","sourceRoot":"","sources":["../../src/analyzers/test-path.ts"],"names":[],"mappings":"AAAA,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,MAAM;IACN,OAAO;IACP,WAAW;IACX,WAAW;IACX,cAAc;IACd,UAAU;IACV,SAAS;IACT,MAAM;IACN,OAAO;IACP,KAAK;IACL,OAAO;IACP,UAAU;IACV,aAAa;IACb,aAAa;IACb,SAAS;CACV,CAAC,CAAC;AAEH,iFAAiF;AACjF,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACxC,MAAM;IACN,MAAM;IACN,QAAQ;IACR,OAAO;IACP,KAAK;IACL,KAAK;IACL,SAAS;IACT,YAAY;IACZ,SAAS;CACV,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC;IAC7B,OAAO;IACP,MAAM;IACN,gBAAgB;IAChB,eAAe;IACf,WAAW;IACX,YAAY;IACZ,YAAY;CACb,CAAC,CAAC;AAEH,SAAS,cAAc,CAAC,IAAY;IAClC,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,OAAO,CACL,gCAAgC,CAAC,IAAI,CAAC,KAAK,CAAC;QAC5C,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC;QAC/B,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,CAC5B,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,QAAgB;IACzC,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAChD,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IAErD,IAAI,cAAc,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,QAAQ;SACZ,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;SACZ,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;AACrE,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,WAA+B,EAC/B,QAA4B,EAC5B,MAA0B;IAE1B,IAAI,CAAC,WAAW,IAAI,CAAC,QAAQ,IAAI,CAAC,MAAM,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;QACxE,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,kBAAkB,CAAC,GAAG,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC;AACnF,CAAC"}
|
|
@@ -0,0 +1,4 @@
|
|
|
1
|
+
import type { PackageMetadata } from '../domain/artifact.js';
|
|
2
|
+
export declare function hasTrustedRepository(metadata: PackageMetadata): boolean;
|
|
3
|
+
export declare function isSuspiciousTyposquatCandidate(metadata: PackageMetadata): boolean;
|
|
4
|
+
//# sourceMappingURL=typosquat.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"typosquat.d.ts","sourceRoot":"","sources":["../../src/analyzers/typosquat.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAe7D,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,eAAe,GAAG,OAAO,CAIvE;AAED,wBAAgB,8BAA8B,CAAC,QAAQ,EAAE,eAAe,GAAG,OAAO,CA4BjF"}
|
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
const MS_PER_DAY = 1000 * 60 * 60 * 24;
|
|
2
|
+
const NEW_PACKAGE_DAYS = 30;
|
|
3
|
+
const LOW_DOWNLOAD_THRESHOLD = 100;
|
|
4
|
+
const ESTABLISHED_DOWNLOAD_THRESHOLD = 10_000;
|
|
5
|
+
const TRUSTED_REPO_PREFIXES = [
|
|
6
|
+
'https://github.com/nodejs/',
|
|
7
|
+
'https://github.com/expressjs/',
|
|
8
|
+
'https://github.com/lodash/',
|
|
9
|
+
'https://github.com/facebook/',
|
|
10
|
+
'https://github.com/vercel/',
|
|
11
|
+
];
|
|
12
|
+
export function hasTrustedRepository(metadata) {
|
|
13
|
+
const repo = (metadata.repository ?? metadata.homepage ?? '').toLowerCase();
|
|
14
|
+
if (!repo)
|
|
15
|
+
return false;
|
|
16
|
+
return TRUSTED_REPO_PREFIXES.some((prefix) => repo.includes(prefix));
|
|
17
|
+
}
|
|
18
|
+
export function isSuspiciousTyposquatCandidate(metadata) {
|
|
19
|
+
if (metadata.verifiedPublisher)
|
|
20
|
+
return false;
|
|
21
|
+
if (hasTrustedRepository(metadata))
|
|
22
|
+
return false;
|
|
23
|
+
const firstPublish = metadata.firstPublishDate ?? metadata.publishDate;
|
|
24
|
+
if (firstPublish) {
|
|
25
|
+
const daysOld = (Date.now() - new Date(firstPublish).getTime()) / MS_PER_DAY;
|
|
26
|
+
if (daysOld >= 365)
|
|
27
|
+
return false;
|
|
28
|
+
}
|
|
29
|
+
if (metadata.downloadCount !== undefined && metadata.downloadCount >= ESTABLISHED_DOWNLOAD_THRESHOLD) {
|
|
30
|
+
return false;
|
|
31
|
+
}
|
|
32
|
+
if (firstPublish) {
|
|
33
|
+
const daysOld = (Date.now() - new Date(firstPublish).getTime()) / MS_PER_DAY;
|
|
34
|
+
if (daysOld < NEW_PACKAGE_DAYS)
|
|
35
|
+
return true;
|
|
36
|
+
}
|
|
37
|
+
if (metadata.downloadCount !== undefined && metadata.downloadCount < LOW_DOWNLOAD_THRESHOLD) {
|
|
38
|
+
return true;
|
|
39
|
+
}
|
|
40
|
+
if (!metadata.repository && !metadata.homepage) {
|
|
41
|
+
return true;
|
|
42
|
+
}
|
|
43
|
+
return false;
|
|
44
|
+
}
|
|
45
|
+
//# sourceMappingURL=typosquat.js.map
|
|
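Review bot: `hasTrustedRepository` (new lines 12–17) short-circuits the whole typosquat heuristic on a substring match, `repo.includes(prefix)`, against `metadata.repository ?? metadata.homepage`, both of which are self-declared in the package's own manifest; a trusted prefix appearing anywhere in that string, not only at its start, is enough to make `isSuspiciousTyposquatCandidate` return `false`. Self-declared URLs should at most reduce suspicion, not remove it: use `repo.startsWith(prefix)`, keep the age and download checks running regardless, or at least document in a comment that the manifest's repository field is accepted at face value. Separately, `daysOld` is computed twice from `firstPublish` (new lines 25 and 33); computing it once before the first `if` removes the duplication and makes the `NaN` case explicit, since an unparseable date currently makes both comparisons false and silently skips the age rules.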
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"typosquat.js","sourceRoot":"","sources":["../../src/analyzers/typosquat.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,GAAG,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;AACvC,MAAM,gBAAgB,GAAG,EAAE,CAAC;AAC5B,MAAM,sBAAsB,GAAG,GAAG,CAAC;AACnC,MAAM,8BAA8B,GAAG,MAAM,CAAC;AAE9C,MAAM,qBAAqB,GAAG;IAC5B,4BAA4B;IAC5B,+BAA+B;IAC/B,4BAA4B;IAC5B,8BAA8B;IAC9B,4BAA4B;CAC7B,CAAC;AAEF,MAAM,UAAU,oBAAoB,CAAC,QAAyB;IAC5D,MAAM,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,IAAI,QAAQ,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAC5E,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,OAAO,qBAAqB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AACvE,CAAC;AAED,MAAM,UAAU,8BAA8B,CAAC,QAAyB;IACtE,IAAI,QAAQ,CAAC,iBAAiB;QAAE,OAAO,KAAK,CAAC;IAC7C,IAAI,oBAAoB,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IAEjD,MAAM,YAAY,GAAG,QAAQ,CAAC,gBAAgB,IAAI,QAAQ,CAAC,WAAW,CAAC;IACvE,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,GAAG,UAAU,CAAC;QAC7E,IAAI,OAAO,IAAI,GAAG;YAAE,OAAO,KAAK,CAAC;IACnC,CAAC;IAED,IAAI,QAAQ,CAAC,aAAa,KAAK,SAAS,IAAI,QAAQ,CAAC,aAAa,IAAI,8BAA8B,EAAE,CAAC;QACrG,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,GAAG,UAAU,CAAC;QAC7E,IAAI,OAAO,GAAG,gBAAgB;YAAE,OAAO,IAAI,CAAC;IAC9C,CAAC;IAED,IAAI,QAAQ,CAAC,aAAa,KAAK,SAAS,IAAI,QAAQ,CAAC,aAAa,GAAG,sBAAsB,EAAE,CAAC;QAC5F,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,UAAU,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAC/C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sentinel.d.ts","sourceRoot":"","sources":["../../src/core/sentinel.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG/D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;
|
|
1
|
+
{"version":3,"file":"sentinel.d.ts","sourceRoot":"","sources":["../../src/core/sentinel.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG/D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AAKzD,OAAO,KAAK,EAAE,YAAY,EAAE,aAAa,EAAgB,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAGzG,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAKhE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAGhE,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;IAC5C,QAAQ,CAAC,SAAS,EAAE,QAAQ,EAAE,CAAC;IAC/B,QAAQ,CAAC,YAAY,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAC9C,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC;IACtC,QAAQ,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;CACtC;AAED,qBAAa,QAAQ;IAMP,OAAO,CAAC,QAAQ,CAAC,OAAO;IALpC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAwB;IACvD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAe;IAC5C,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAyB;IACzD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAe;gBAEf,OAAO,EAAE,eAAe;IAO/C,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IA8CzE,OAAO,CAAC,uBAAuB;IA6BzB,OAAO,CACX,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,EACX,OAAO,CAAC,EAAE;QAAE,YAAY,CAAC,EAAE,OAAO,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,IAAI,CAAA;KAAE,GAC5D,OAAO,CAAC,aAAa,CAAC;IAoCzB,cAAc,CAAC,MAAM,EAAE,kBAAkB,EAAE,MAAM,CAAC,EAAE,YAAY,GAAG,MAAM;YAI3D,YAAY;CAmB3B;AAED,wBAAgB,cAAc,CAAC,OAAO,EAAE,eAAe,GAAG,QAAQ,CAEjE"}
|
package/dist/core/sentinel.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { cleanupArtifact } from '../acquire/acquirer.js';
|
|
2
2
|
import { runAnalyzers } from '../analyzers/analyzer.js';
|
|
3
|
-
import { isTestPath } from '../analyzers/test-path.js';
|
|
3
|
+
import { isTestPath, isTestToolShellFinding } from '../analyzers/test-path.js';
|
|
4
4
|
import { buildPermissionGraph } from './permissions.js';
|
|
5
5
|
import { parseTarget } from '../domain/target.js';
|
|
6
6
|
import { DEFAULT_POLICY } from '../engine/default-policy.js';
|
|
@@ -35,7 +35,7 @@ export class Sentinel {
|
|
|
35
35
|
}
|
|
36
36
|
try {
|
|
37
37
|
const rawFindings = await runAnalyzers(this.options.analyzers, { artifact, target });
|
|
38
|
-
const findings = tagTestFindings(rawFindings);
|
|
38
|
+
const findings = tagTestFindings(rawFindings, artifact);
|
|
39
39
|
const permissions = buildPermissionGraph(findings.filter((f) => !f.isTest));
|
|
40
40
|
const evidence = {
|
|
41
41
|
hasMetadata: hasMeaningfulMetadata(artifact.metadata),
|
|
@@ -146,8 +146,19 @@ export class Sentinel {
|
|
|
146
146
|
export function createSentinel(options) {
|
|
147
147
|
return new Sentinel(options);
|
|
148
148
|
}
|
|
149
|
-
function tagTestFindings(findings) {
|
|
150
|
-
|
|
149
|
+
function tagTestFindings(findings, artifact) {
|
|
150
|
+
const packageName = artifact.metadata.name;
|
|
151
|
+
return findings.map((finding) => {
|
|
152
|
+
if (finding.isTest)
|
|
153
|
+
return finding;
|
|
154
|
+
if (finding.file && isTestPath(finding.file)) {
|
|
155
|
+
return { ...finding, isTest: true };
|
|
156
|
+
}
|
|
157
|
+
if (isTestToolShellFinding(packageName, finding.file, finding.ruleId)) {
|
|
158
|
+
return { ...finding, isTest: true };
|
|
159
|
+
}
|
|
160
|
+
return finding;
|
|
161
|
+
});
|
|
151
162
|
}
|
|
152
163
|
function recommendedActionFor(decision) {
|
|
153
164
|
switch (decision) {
|
|
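Review bot: `tagTestFindings` (new lines 149–162) now demotes shell findings based on the package's own name via `isTestToolShellFinding`, so every version of a package named `jest`, `mocha`, `test` and the rest has its shell/process findings excluded from the shell-access decision regardless of who published it, and a compromised release of one of those packages is exactly the case a scanner exists to catch. Consider requiring an independent signal before demoting — for instance `artifact.metadata.verifiedPublisher`, which `typosquat.js` already consults, if it carries the meaning its name suggests — or at minimum emitting a distinct reason so the final report shows that tooling findings were set aside. A short header comment on `tagTestFindings` naming both demotion rules and their order of evaluation would also help, as the `isTestPath` branch returns first.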
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sentinel.js","sourceRoot":"","sources":["../../src/core/sentinel.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAExD,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;
|
|
1
|
+
{"version":3,"file":"sentinel.js","sourceRoot":"","sources":["../../src/core/sentinel.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAExD,OAAO,EAAE,UAAU,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AAG/E,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAExD,OAAO,EAAE,WAAW,EAAe,MAAM,qBAAqB,CAAC;AAG/D,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,EAAE,UAAU,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC;AACzG,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAGnF,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAWhE,MAAM,OAAO,QAAQ;IAMU;IALZ,cAAc,GAAG,IAAI,cAAc,EAAE,CAAC;IACtC,YAAY,CAAe;IAC3B,eAAe,GAAG,IAAI,eAAe,EAAE,CAAC;IACxC,YAAY,CAAe;IAE5C,YAA6B,OAAwB;QAAxB,YAAO,GAAP,OAAO,CAAiB;QACnD,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY;YACtC,CAAC,CAAC,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,CAAC,YAAY,EAAE;YAChD,CAAC,CAAC,cAAc,CAAC;QACnB,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC1D,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB,EAAE,GAAW;QACzC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,MAAM,MAAM,GAAG,WAAW,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAErE,IAAI,QAA8B,CAAC;QACnC,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,MAAM,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACtE,OAAO,IAAI,CAAC,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;QAC7D,CAAC;QAED,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;YACrF,MAAM,QAAQ,GAAG,eAAe,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;YACxD,MAAM,WAAW,GAAG,oBAAoB,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;YAC5E,MAAM,QAAQ,GAAG;gBACf,WAAW,EAAE,qBAAqB,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBACrD,SAAS,EAAE,QAAQ,CAAC,KAAK,CAAC,MAAM;aACjC,CAAC;YACF,MAAM,iBAAiB,GAAG,IAAI,CAAC,YAAY,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC
,CAAC,mBAAmB,CAAC;YACzF,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,QAAQ,EAAE,QAAQ,EAAE,EAAE,iBAAiB,EAAE,CAAC,CAAC;YACtF,MAAM,cAAc,GAAG,UAAU,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;YACvF,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,cAAc,CAAC,CAAC;YAE/F,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC;YAC9F,MAAM,OAAO,GAAG,GAAG,IAAI,CAAC,KAAK,UAAU,IAAI,CAAC,KAAK,WAAW,aAAa,oBAAoB,CAAC;YAE9F,OAAO;gBACL,MAAM;gBACN,QAAQ;gBACR,IAAI;gBACJ,MAAM;gBACN,WAAW;gBACX,cAAc;gBACd,OAAO;gBACP,iBAAiB,EAAE,oBAAoB,CAAC,MAAM,CAAC,QAAQ,CAAC;gBACxD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;aAC/B,CAAC;QACJ,CAAC;gBAAS,CAAC;YACT,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAEO,uBAAuB,CAAC,MAAc,EAAE,MAAc,EAAE,KAAa;QAC3E,MAAM,cAAc,GAAG,sBAAsB,CAAC,6BAA6B,MAAM,EAAE,CAAC,CAAC;QACrF,MAAM,IAAI,GAAc;YACtB,KAAK,EAAE,CAAC;YACR,KAAK,EAAE,KAAK;YACZ,UAAU,EAAE,CAAC;YACb,eAAe,EAAE,CAAC;YAClB,eAAe,EAAE,CAAC;SACnB,CAAC;QACF,MAAM,MAAM,GAAiB;YAC3B,QAAQ,EAAE,kBAAkB;YAC5B,OAAO,EAAE,CAAC,kEAAkE,EAAE,GAAG,cAAc,CAAC,OAAO,CAAC;YACxG,SAAS,EAAE,EAAE;SACd,CAAC;QAEF,OAAO;YACL,MAAM;YACN,QAAQ,EAAE,EAAE;YACZ,IAAI;YACJ,MAAM;YACN,WAAW,EAAE,EAAE;YACf,cAAc;YACd,OAAO,EAAE,gDAAgD;YACzD,iBAAiB,EAAE,oBAAoB,CAAC,MAAM,CAAC,QAAQ,CAAC;YACxD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SAC/B,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CACX,SAAiB,EACjB,GAAW,EACX,OAA6D;QAE7D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QACjD,OAAO,EAAE,UAAU,EAAE,EAAE,CAAC;QAExB,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACvC,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,gCAAgC;gBACzC,MAAM;aACP,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,EAAE,YAAY;YACpC,CAAC,CAAC,IAAI;YACN,CAAC,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;QAE9D,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO;gBACL,OAAO,EAAE,KAAK;gBA
Cd,OAAO,EAAE,6BAA6B;gBACtC,MAAM;aACP,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QAC7B,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAEtD,OAAO;YACL,OAAO,EAAE,aAAa,CAAC,QAAQ,KAAK,CAAC;YACrC,OAAO,EAAE,aAAa,CAAC,QAAQ,KAAK,CAAC;gBACnC,CAAC,CAAC,0BAA0B,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,IAAI,EAAE;gBAC7D,CAAC,CAAC,wBAAwB,aAAa,CAAC,MAAM,IAAI,aAAa,CAAC,MAAM,EAAE;YAC1E,MAAM;SACP,CAAC;IACJ,CAAC;IAED,cAAc,CAAC,MAA0B,EAAE,MAAqB;QAC9D,OAAO,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,IAAI,IAAI,CAAC,OAAO,CAAC,YAAY,IAAI,UAAU,CAAC,CAAC;IAClG,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,MAAc;QACvC,MAAM,EAAE,aAAa,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QAEvC,QAAQ,MAAM,CAAC,SAAS,EAAE,CAAC;YACzB,KAAK,KAAK;gBACR,OAAO,aAAa,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,EAAE,kBAAkB,CAAC,EAAE;oBAC5E,GAAG,EAAE,EAAE,yBAAyB,EAAE,MAAM,EAAE;iBAC3C,CAAC,CAAC;YACL,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBAC7C,OAAO,aAAa,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,sBAAsB,KAAK,IAAI,IAAI,MAAM,CAAC,CAAC,CAAC;YACxF,CAAC;YACD,KAAK,OAAO,CAAC;YACb,KAAK,OAAO;gBACV,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,yDAAyD,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;YACxG;gBACE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,+BAA+B,MAAM,CAAC,SAAS,EAAE,EAAE,CAAC;QAClG,CAAC;IACH,CAAC;CACF;AAED,MAAM,UAAU,cAAc,CAAC,OAAwB;IACrD,OAAO,IAAI,QAAQ,CAAC,OAAO,CAAC,CAAC;AAC/B,CAAC;AAED,SAAS,eAAe,CAAC,QAAmB,EAAE,QAAkB;IAC9D,MAAM,WAAW,GAAG,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC;IAC3C,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE;QAC9B,IAAI,OAAO,CAAC,MAAM;YAAE,OAAO,OAAO,CAAC;QACnC,IAAI,OAAO,CAAC,IAAI,IAAI,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7C,OAAO,EAAE,GAAG,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;QACtC,CAAC;QACD,IAAI,sBAAsB,CAAC,WAAW,EAAE,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YACtE,OAAO,EAAE,GAAG,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;QACtC,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,oBAAoB,CAAC,QAAkC;IAC9D,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,OAAO;YACV,
OAAO,gBAAgB,CAAC;QAC1B,KAAK,kBAAkB;YACrB,OAAO,sCAAsC,CAAC;QAChD,KAAK,MAAM;YACT,OAAO,sBAAsB,CAAC;QAChC;YACE,OAAO,iBAAiB,CAAC;IAC7B,CAAC;AACH,CAAC"}
|
|
@@ -41,14 +41,14 @@ export class PolicyEngine {
|
|
|
41
41
|
}
|
|
42
42
|
let decision = 'APPROVE';
|
|
43
43
|
if (this.config.warnOnInstallScript) {
|
|
44
|
-
const hasInstallScript = findings.some((f) => f.category === 'install-script' && f.ruleId?.startsWith('script-'));
|
|
44
|
+
const hasInstallScript = findings.some((f) => !f.isTest && f.category === 'install-script' && f.ruleId?.startsWith('script-'));
|
|
45
45
|
if (hasInstallScript) {
|
|
46
46
|
reasons.push('Package has install scripts');
|
|
47
47
|
decision = 'WARN';
|
|
48
48
|
}
|
|
49
49
|
}
|
|
50
50
|
if (this.config.warnOnShellAccess) {
|
|
51
|
-
const hasShell = findings.some((f) => f.category === 'static-code' && ['spawn', 'exec', 'child-process', 'os-system', 'subprocess'].includes(f.ruleId ?? ''));
|
|
51
|
+
const hasShell = findings.some((f) => !f.isTest && f.category === 'static-code' && ['spawn', 'exec', 'child-process', 'os-system', 'subprocess'].includes(f.ruleId ?? ''));
|
|
52
52
|
if (hasShell) {
|
|
53
53
|
reasons.push('Package requires shell access');
|
|
54
54
|
decision = decision === 'WARN' ? 'WARN' : 'REQUIRE_APPROVAL';
|
|
@@ -56,7 +56,7 @@ export class PolicyEngine {
|
|
|
56
56
|
}
|
|
57
57
|
if (this.config.requireApprovalForNetwork) {
|
|
58
58
|
const hasNetwork = permissions.some((p) => p.type.startsWith('network-')) ||
|
|
59
|
-
findings.some((f) => f.category === 'network' && f.severity !== 'LOW');
|
|
59
|
+
findings.some((f) => !f.isTest && f.category === 'network' && f.severity !== 'LOW');
|
|
60
60
|
if (hasNetwork) {
|
|
61
61
|
reasons.push('Package requires network access');
|
|
62
62
|
decision = 'REQUIRE_APPROVAL';
|
|
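Review bot: With `!f.isTest` added to the three `findings.some(...)` predicates (new lines 44, 51 and 59), a finding tagged as test no longer affects the decision at all, yet nothing in `reasons` records that tagged findings were set aside, so an APPROVE on a package whose shell or network findings were all demoted is indistinguishable from an APPROVE on a package with none. Counting them once, e.g. `const demoted = findings.filter((f) => f.isTest).length;`, and adding `reasons.push(\`${demoted} finding(s) in test paths were ignored\`)` when it is non-zero keeps the output auditable. The inline rule-id list on line 51 also differs from the new `SHELL_RULE_IDS` set in `test-path.js` (`exec-sync-file` and `powershell` are missing here); sharing one exported set avoids the drift. The enclosing `PolicyEngine` method starts before the first hunk and continues past the last.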
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"policy-engine.js","sourceRoot":"","sources":["../../src/engine/policy-engine.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAErD,MAAM,OAAO,YAAY;IACM;IAA7B,YAA6B,SAAuB,cAAc;QAArC,WAAM,GAAN,MAAM,CAA+B;IAAG,CAAC;IAEtE,QAAQ,CACN,MAAc,EACd,IAAe,EACf,QAAmB,EACnB,WAAyB,EACzB,cAA8B;QAE9B,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,MAAM,SAAS,GAAa,EAAE,CAAC;QAE/B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QAEvC,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,CAAC;YAC/E,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,mCAAmC,CAAC,EAAE,SAAS,EAAE,CAAC;QAC1F,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,CAAC;YAC/E,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,mCAAmC,CAAC,EAAE,SAAS,EAAE,CAAC;QACjG,CAAC;QAED,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;YAC7C,OAAO,CAAC,IAAI,CAAC,cAAc,IAAI,CAAC,KAAK,6BAA6B,IAAI,CAAC,MAAM,CAAC,cAAc,GAAG,CAAC,CAAC;YACjG,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;QACnD,CAAC;QAED,IAAI,CAAC,cAAc,CAAC,UAAU,EAAE,CAAC;YAC/B,OAAO;gBACL,QAAQ,EAAE,kBAAkB;gBAC5B,OAAO,EAAE;oBACP,kEAAkE;oBAClE,GAAG,cAAc,CAAC,OAAO;iBAC1B;gBACD,SAAS;aACV,CAAC;QACJ,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;YACnC,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,oBAAoB,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC;YACvF,IAAI,QAAQ,EAAE,CAAC;gBACb,OAAO,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;gBACnC,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;YAC1D,CAAC;YAED,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,CAAC;gBAC9E,OAAO,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;gBAClC,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;YAC1D,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,GAAmB,SAAS,CAAC;QAEzC,IAAI,IAAI,CAAC,MAAM,CAAC,mBAAmB,EAAE,CAAC;YACpC,MAAM,gBAAgB,GAAG,QAAQ,CAAC,IAAI,CACpC,C
AAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,gBAAgB,IAAI,CAAC,CAAC,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,
|
|
1
|
+
{"version":3,"file":"policy-engine.js","sourceRoot":"","sources":["../../src/engine/policy-engine.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAErD,MAAM,OAAO,YAAY;IACM;IAA7B,YAA6B,SAAuB,cAAc;QAArC,WAAM,GAAN,MAAM,CAA+B;IAAG,CAAC;IAEtE,QAAQ,CACN,MAAc,EACd,IAAe,EACf,QAAmB,EACnB,WAAyB,EACzB,cAA8B;QAE9B,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,MAAM,SAAS,GAAa,EAAE,CAAC;QAE/B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QAEvC,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,CAAC;YAC/E,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,mCAAmC,CAAC,EAAE,SAAS,EAAE,CAAC;QAC1F,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,CAAC;YAC/E,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,mCAAmC,CAAC,EAAE,SAAS,EAAE,CAAC;QACjG,CAAC;QAED,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;YAC7C,OAAO,CAAC,IAAI,CAAC,cAAc,IAAI,CAAC,KAAK,6BAA6B,IAAI,CAAC,MAAM,CAAC,cAAc,GAAG,CAAC,CAAC;YACjG,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;QACnD,CAAC;QAED,IAAI,CAAC,cAAc,CAAC,UAAU,EAAE,CAAC;YAC/B,OAAO;gBACL,QAAQ,EAAE,kBAAkB;gBAC5B,OAAO,EAAE;oBACP,kEAAkE;oBAClE,GAAG,cAAc,CAAC,OAAO;iBAC1B;gBACD,SAAS;aACV,CAAC;QACJ,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;YACnC,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,oBAAoB,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC;YACvF,IAAI,QAAQ,EAAE,CAAC;gBACb,OAAO,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;gBACnC,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;YAC1D,CAAC;YAED,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,CAAC;gBAC9E,OAAO,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;gBAClC,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;YAC1D,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,GAAmB,SAAS,CAAC;QAEzC,IAAI,IAAI,CAAC,MAAM,CAAC,mBAAmB,EAAE,CAAC;YACpC,MAAM,gBAAgB,GAAG,QAAQ,CAAC,IAAI,CACpC,C
AAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,QAAQ,KAAK,gBAAgB,IAAI,CAAC,CAAC,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,CACvF,CAAC;YACF,IAAI,gBAAgB,EAAE,CAAC;gBACrB,OAAO,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;gBAC5C,QAAQ,GAAG,MAAM,CAAC;YACpB,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE,CAAC;YAClC,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAC5B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,QAAQ,KAAK,aAAa,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAC3I,CAAC;YACF,IAAI,QAAQ,EAAE,CAAC;gBACb,OAAO,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;gBAC9C,QAAQ,GAAG,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,kBAAkB,CAAC;YAC/D,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,yBAAyB,EAAE,CAAC;YAC1C,MAAM,UAAU,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;gBACvE,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC;YACtF,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;gBAChD,QAAQ,GAAG,kBAAkB,CAAC;YAChC,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YACtE,OAAO,CAAC,IAAI,CAAC,cAAc,IAAI,CAAC,KAAK,4BAA4B,IAAI,CAAC,MAAM,CAAC,aAAa,GAAG,CAAC,CAAC;YAC/F,QAAQ,GAAG,MAAM,CAAC;QACpB,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QAChD,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;IAC1C,CAAC;CACF;AAED,MAAM,UAAU,gBAAgB,CAAC,SAAiC;IAChE,OAAO,EAAE,GAAG,cAAc,EAAE,GAAG,SAAS,EAAE,CAAC;AAC7C,CAAC"}
|