@slashgear/gdpr-cookie-scanner 1.0.0 → 1.2.0

package/src/report/generator.ts

@@ -1,8 +1,10 @@
 import { execFile } from "child_process";
-import { writeFile, mkdir } from "fs/promises";
-import { basename, dirname, join } from "path";
+import { writeFile, mkdir, readFile } from "fs/promises";
+import { basename, dirname, extname, join } from "path";
 import { promisify } from "util";
 import { fileURLToPath } from "url";
+import { Marked } from "marked";
+import { generatePdf } from "./pdf.js";
 
 const execFileAsync = promisify(execFile);
 const oxfmtBin = join(dirname(fileURLToPath(import.meta.url)), "../../node_modules/.bin/oxfmt");
@@ -18,7 +20,7 @@ import type { ScanOptions } from "../types.js";
 export class ReportGenerator {
   constructor(private readonly options: ScanOptions) {}
 
-  async generate(result: ScanResult): Promise<string> {
+  async generate(result: ScanResult): Promise<{ reportPath: string; pdfPath: string }> {
     await mkdir(this.options.outputDir, { recursive: true });
 
     const hostname = new URL(result.url).hostname.replace(/^www\./, "");
@@ -36,7 +38,154 @@ export class ReportGenerator {
     await writeFile(checklistPath, checklist, "utf-8");
     await execFileAsync(oxfmtBin, [checklistPath]).catch(() => {});
 
-    return outputPath;
+    const cookiesFilename = `gdpr-cookies-${hostname}-${date}.md`;
+    const cookiesPath = join(this.options.outputDir, cookiesFilename);
+    const cookiesInventory = this.buildCookiesInventory(result);
+    await writeFile(cookiesPath, cookiesInventory, "utf-8");
+    await execFileAsync(oxfmtBin, [cookiesPath]).catch(() => {});
+
+    const combined = [markdown, checklist, cookiesInventory].join("\n\n---\n\n");
+    const rawBody = await this.buildHtmlBody(combined);
+    const body = await this.inlineImages(rawBody, this.options.outputDir);
+    const html = this.wrapHtml(body, hostname);
+    const pdfFilename = `gdpr-report-${hostname}-${date}.pdf`;
+    const pdfPath = join(this.options.outputDir, pdfFilename);
+    await generatePdf(html, pdfPath);
+
+    return { reportPath: outputPath, pdfPath };
+  }
+
+  private async buildHtmlBody(markdown: string): Promise<string> {
+    type TocEntry = { level: number; text: string; id: string };
+    const entries: TocEntry[] = [];
+    const idCounts = new Map<string, number>();
+
+    const slugify = (text: string): string => {
+      const base =
+        text
+          .replace(/[^\p{L}\p{N}\s-]/gu, "")
+          .trim()
+          .toLowerCase()
+          .replace(/\s+/g, "-")
+          .replace(/-+/g, "-") || "section";
+      const count = idCounts.get(base) ?? 0;
+      idCounts.set(base, count + 1);
+      return count === 0 ? base : `${base}-${count}`;
+    };
+
+    const localMarked = new Marked();
+    localMarked.use({
+      renderer: {
+        heading({ text, depth }: { text: string; depth: number }) {
+          const id = slugify(text);
+          if (depth <= 2) entries.push({ level: depth, text, id });
+          return `<h${depth} id="${id}">${text}</h${depth}>\n`;
+        },
+      },
+    });
+
+    const body = await localMarked.parse(markdown);
+
+    if (entries.length === 0) return body;
+
+    const tocItems = entries
+      .map(({ level, text, id }) => {
+        const cls = level === 1 ? "toc-h1" : "toc-h2";
+        return `<li class="${cls}"><a href="#${id}">${text}</a></li>`;
+      })
+      .join("\n");
+
+    const toc = `<nav class="toc">
+<p class="toc-title">Table of Contents</p>
+<ul>
+${tocItems}
+</ul>
+</nav>`;
+
+    return toc + "\n" + body;
+  }
+
+  private async inlineImages(html: string, outputDir: string): Promise<string> {
+    const mimeTypes: Record<string, string> = {
+      ".png": "image/png",
+      ".jpg": "image/jpeg",
+      ".jpeg": "image/jpeg",
+      ".gif": "image/gif",
+      ".webp": "image/webp",
+    };
+
+    const imgRegex = /<img([^>]*)\ssrc="([^"#][^"]*)"([^>]*)>/gi;
+    const replacements: Array<{ original: string; replacement: string }> = [];
+
+    for (const match of html.matchAll(imgRegex)) {
+      const [full, before, src, after] = match;
+      if (src.startsWith("data:") || src.startsWith("http://") || src.startsWith("https://"))
+        continue;
+      const mime = mimeTypes[extname(src).toLowerCase()];
+      if (!mime) continue;
+      try {
+        const buf = await readFile(join(outputDir, src));
+        replacements.push({
+          original: full,
+          replacement: `<img${before} src="data:${mime};base64,${buf.toString("base64")}"${after}>`,
+        });
+      } catch {
+        // file not found — leave the tag as-is
+      }
+    }
+
+    return replacements.reduce(
+      (acc, { original, replacement }) => acc.replace(original, replacement),
+      html,
+    );
+  }
+
+  private wrapHtml(body: string, hostname: string): string {
+    return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <title>GDPR Report — ${hostname}</title>
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+           font-size: 11pt; line-height: 1.6; color: #1a1a1a; max-width: 900px;
+           margin: 0 auto; padding: 0 8px; }
+    h1 { font-size: 18pt; border-bottom: 2px solid #1a1a2e; padding-bottom: 6px;
+         color: #1a1a2e; margin-top: 2em; }
+    h2 { font-size: 14pt; color: #1a1a2e; margin-top: 1.5em; }
+    h3 { font-size: 12pt; margin-top: 1.2em; }
+    table { width: 100%; border-collapse: collapse; font-size: 9.5pt;
+            margin: 1em 0; page-break-inside: auto; }
+    th { background: #f0f0f4; padding: 6px 10px; text-align: left;
+         border-bottom: 2px solid #ccc; }
+    td { padding: 5px 10px; border-bottom: 1px solid #eee; vertical-align: top; }
+    tr { page-break-inside: avoid; }
+    code { font-family: "SFMono-Regular", Consolas, monospace; background: #f4f4f4;
+           padding: 1px 5px; border-radius: 3px; font-size: 9pt; }
+    pre { background: #f4f4f4; padding: 12px; border-radius: 4px;
+          overflow-x: auto; font-size: 9pt; }
+    blockquote { border-left: 3px solid #ccc; margin: 0.5em 0;
+                 padding: 0.5em 1em; color: #555; }
+    hr { border: none; border-top: 1px solid #ddd; margin: 2em 0;
+         page-break-after: always; }
+    a { color: #0066cc; }
+    img { max-width: 100%; height: auto; border: 1px solid #ddd; border-radius: 4px; }
+    nav.toc { background: #f4f5f8; border-left: 4px solid #1a1a2e; border-radius: 4px;
+              padding: 14px 20px; margin: 0 0 2.5em 0; page-break-inside: avoid; }
+    .toc-title { font-weight: 700; font-size: 11pt; margin: 0 0 10px 0; color: #1a1a2e; }
+    nav.toc ul { list-style: none; margin: 0; padding: 0; }
+    nav.toc li { margin: 3px 0; line-height: 1.4; }
+    .toc-h1 { font-weight: 600; margin-top: 6px; }
+    .toc-h2 { padding-left: 1.2em; font-size: 9.5pt; }
+    nav.toc a { color: #0055aa; text-decoration: none; }
+    @media print {
+      h1 { page-break-before: always; }
+      h1:first-child { page-break-before: avoid; }
+    }
+  </style>
+</head>
+<body>${body}</body>
+</html>`;
   }
 
   private buildMarkdown(r: ScanResult): string {
@@ -193,7 +342,7 @@ ${row("Cookie behavior", breakdown.cookieBehavior, 25)}
     const { modal } = r;
     const acceptBtn = modal.buttons.find((b) => b.type === "accept");
     const rejectBtn = modal.buttons.find((b) => b.type === "reject");
-    const prefBtn = modal.buttons.find((b) => b.type === "preferences");
+    const _prefBtn = modal.buttons.find((b) => b.type === "preferences");
 
     const preTicked = modal.checkboxes.filter((c) => c.isCheckedByDefault);
 
@@ -460,6 +609,131 @@ ${rows.join("\n")}
     return recs.join("\n\n");
   }
 
+  private buildCookiesInventory(r: ScanResult): string {
+    const hostname = new URL(r.url).hostname;
+    const scanDate = new Date(r.scanDate).toLocaleString("en-GB");
+
+    // Collect all cookies across all phases, keyed by name+domain
+    type CookieEntry = {
+      name: string;
+      domain: string;
+      category: string;
+      phases: Set<string>;
+      expires: number | null;
+      httpOnly: boolean;
+      secure: boolean;
+      requiresConsent: boolean;
+    };
+
+    const cookieMap = new Map<string, CookieEntry>();
+
+    const phaseLabel: Record<ScannedCookie["capturedAt"], string> = {
+      "before-interaction": "before consent",
+      "after-accept": "after acceptance",
+      "after-reject": "after rejection",
+    };
+
+    const allCookies = [
+      ...r.cookiesBeforeInteraction,
+      ...r.cookiesAfterAccept,
+      ...r.cookiesAfterReject,
+    ];
+
+    for (const c of allCookies) {
+      const key = `${c.name}||${c.domain}`;
+      if (!cookieMap.has(key)) {
+        cookieMap.set(key, {
+          name: c.name,
+          domain: c.domain,
+          category: c.category,
+          phases: new Set(),
+          expires: c.expires,
+          httpOnly: c.httpOnly,
+          secure: c.secure,
+          requiresConsent: c.requiresConsent,
+        });
+      }
+      cookieMap.get(key)!.phases.add(phaseLabel[c.capturedAt]);
+    }
+
+    const expires = (entry: CookieEntry): string => {
+      if (entry.expires === null) return "Session";
+      const days = Math.round((entry.expires * 1000 - Date.now()) / 86400000);
+      if (days < 0) return "Expired";
+      if (days === 0) return "< 1 day";
+      if (days < 30) return `${days} days`;
+      return `${Math.round(days / 30)} months`;
+    };
+
+    const categoryLabel: Record<string, string> = {
+      "strictly-necessary": "Strictly necessary",
+      analytics: "Analytics",
+      advertising: "Advertising",
+      social: "Social",
+      personalization: "Personalization",
+      unknown: "Unknown",
+    };
+
+    const entries = [...cookieMap.values()].sort((a, b) => {
+      // Sort: strictly-necessary first, then by category, then by name
+      const order = [
+        "strictly-necessary",
+        "analytics",
+        "advertising",
+        "social",
+        "personalization",
+        "unknown",
+      ];
+      const oa = order.indexOf(a.category);
+      const ob = order.indexOf(b.category);
+      if (oa !== ob) return oa - ob;
+      return a.name.localeCompare(b.name);
+    });
+
+    const lines: string[] = [];
+
+    lines.push(`# Cookie Inventory — ${hostname}`);
+    lines.push(`
+> **Scan date:** ${scanDate}
+> **Scanned URL:** ${r.url}
+> **Unique cookies detected:** ${entries.length}
+`);
+
+    lines.push(`## Instructions`);
+    lines.push(`
+This table lists all cookies detected during the scan, across all phases.
+The **Description / Purpose** column is to be filled in by the DPO or technical owner.
+
+- **Before consent** — cookie present from page load, before any interaction
+- **After acceptance** — cookie set or persisting after clicking "Accept all"
+- **After rejection** — cookie present after clicking "Reject all"
+`);
+
+    lines.push(`## Cookie table\n`);
+    lines.push(
+      `| Cookie | Domain | Category | Phases | Expiry | Consent required | Description / Purpose |`,
+    );
+    lines.push(
+      `|--------|--------|----------|--------|--------|------------------|-----------------------|`,
+    );
+
+    for (const entry of entries) {
+      const phases = [...entry.phases].join(", ");
+      const consent = entry.requiresConsent ? "⚠️ Yes" : "✅ No";
+      const cat = categoryLabel[entry.category] ?? entry.category;
+      lines.push(
+        `| \`${entry.name}\` | ${entry.domain} | ${cat} | ${phases} | ${expires(entry)} | ${consent} | <!-- fill in --> |`,
+      );
+    }
+
+    lines.push(`\n---`);
+    lines.push(
+      `\n_Automatically generated by gdpr-cookie-scanner. Categories marked "Unknown" could not be identified automatically and should be verified manually._\n`,
+    );
+
+    return lines.join("\n") + "\n";
+  }
+
   private buildChecklist(r: ScanResult): string {
     const hostname = new URL(r.url).hostname;
     const scanDate = new Date(r.scanDate).toLocaleString("en-GB");
@@ -485,7 +759,8 @@ ${rows.join("\n")}
     rows.push({
       category: "Consent",
       rule: "Consent modal detected",
-      reference: "RGPD Art. 7 · Dir. ePrivacy Art. 5(3)",
+      reference:
+        "[GDPR Art. 7](https://gdpr-info.eu/art-7-gdpr/) · [ePrivacy Dir. Art. 5(3)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058)",
       status: r.modal.detected ? ok : ko,
       detail: r.modal.detected
         ? `Detected (\`${r.modal.selector}\`)`
@@ -496,7 +771,7 @@ ${rows.join("\n")}
     rows.push({
       category: "Consent",
       rule: "No pre-ticked checkboxes",
-      reference: "RGPD Recital 32",
+      reference: "[GDPR Recital 32](https://gdpr-info.eu/recitals/no-32/)",
       status: preTicked.length === 0 ? ok : ko,
       detail:
         preTicked.length === 0
@@ -509,7 +784,7 @@ ${rows.join("\n")}
     rows.push({
       category: "Consent",
       rule: "Accept button label is unambiguous",
-      reference: "RGPD Art. 4(11)",
+      reference: "[GDPR Art. 4(11)](https://gdpr-info.eu/art-4-gdpr/)",
       status:
         !r.modal.detected || !misleadingAccept
           ? ok
@@ -531,7 +806,8 @@ ${rows.join("\n")}
     rows.push({
       category: "Easy refusal",
       rule: "Reject button present at first layer",
-      reference: "CNIL Recommendation 2022",
+      reference:
+        "[CNIL Recommendation 2022](https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookies/recommandation-sur-les-cookies-et-autres-traceurs)",
       status: !r.modal.detected ? ko : noReject ? ko : ok,
       detail: !r.modal.detected
         ? "Modal not detected"
@@ -544,7 +820,8 @@ ${rows.join("\n")}
     rows.push({
       category: "Easy refusal",
       rule: "Rejecting requires no more clicks than accepting",
-      reference: "CNIL Recommendation 2022",
+      reference:
+        "[CNIL Recommendation 2022](https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookies/recommandation-sur-les-cookies-et-autres-traceurs)",
       status: !r.modal.detected ? ko : clickIssue ? ko : ok,
       detail: !r.modal.detected
         ? "Modal not detected"
@@ -559,7 +836,8 @@ ${rows.join("\n")}
     rows.push({
       category: "Easy refusal",
       rule: "Size symmetry between Accept and Reject",
-      reference: "CEPD Guidelines 03/2022",
+      reference:
+        "[EDPB Guidelines 03/2022](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032022-dark-patterns-social-media-platform_en)",
       status: !r.modal.detected ? ko : sizeIssue ? warn : ok,
       detail: !r.modal.detected
         ? "Modal not detected"
@@ -572,7 +850,8 @@ ${rows.join("\n")}
     rows.push({
       category: "Easy refusal",
       rule: "Font symmetry between Accept and Reject",
-      reference: "CEPD Guidelines 03/2022",
+      reference:
+        "[EDPB Guidelines 03/2022](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032022-dark-patterns-social-media-platform_en)",
       status: !r.modal.detected ? ko : nudgeIssue ? warn : ok,
       detail: !r.modal.detected
         ? "Modal not detected"
@@ -585,7 +864,8 @@ ${rows.join("\n")}
     rows.push({
       category: "Transparency",
       rule: "Granular controls available",
-      reference: "CEPD Guidelines 05/2020",
+      reference:
+        "[EDPB Guidelines 05/2020](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en)",
       status: !r.modal.detected ? ko : r.modal.hasGranularControls ? ok : warn,
       detail: !r.modal.detected
         ? "Modal not detected"
@@ -595,21 +875,25 @@ ${rows.join("\n")}
     });
 
     const infoChecks: Array<{ key: string; label: string; ref: string }> = [
-      { key: "purposes", label: "Processing purposes mentioned", ref: "RGPD Art. 13-14" },
+      {
+        key: "purposes",
+        label: "Processing purposes mentioned",
+        ref: "[GDPR Art. 13-14](https://gdpr-info.eu/art-13-gdpr/)",
+      },
       {
         key: "third-parties",
         label: "Sub-processors / third parties mentioned",
-        ref: "RGPD Art. 13-14",
+        ref: "[GDPR Art. 13-14](https://gdpr-info.eu/art-13-gdpr/)",
       },
       {
         key: "duration",
         label: "Retention period mentioned",
-        ref: "RGPD Art. 13(2)(a)",
+        ref: "[GDPR Art. 13(2)(a)](https://gdpr-info.eu/art-13-gdpr/)",
       },
       {
         key: "withdrawal",
         label: "Right to withdraw consent mentioned",
-        ref: "RGPD Art. 7(3)",
+        ref: "[GDPR Art. 7(3)](https://gdpr-info.eu/art-7-gdpr/)",
       },
     ];
 
@@ -635,7 +919,8 @@ ${rows.join("\n")}
     rows.push({
       category: "Cookie behavior",
       rule: "No non-essential cookie before consent",
-      reference: "RGPD Art. 7 · Dir. ePrivacy Art. 5(3)",
+      reference:
+        "[GDPR Art. 7](https://gdpr-info.eu/art-7-gdpr/) · [ePrivacy Dir. Art. 5(3)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058)",
       status: illegalPre.length === 0 ? ok : ko,
       detail:
         illegalPre.length === 0
@@ -649,7 +934,8 @@ ${rows.join("\n")}
     rows.push({
       category: "Cookie behavior",
       rule: "Non-essential cookies removed after rejection",
-      reference: "RGPD Art. 7 · CNIL Recommendation 2022",
+      reference:
+        "[GDPR Art. 7](https://gdpr-info.eu/art-7-gdpr/) · [CNIL Recommendation 2022](https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookies/recommandation-sur-les-cookies-et-autres-traceurs)",
       status: persistAfterReject.length === 0 ? ok : ko,
       detail:
         persistAfterReject.length === 0
@@ -663,7 +949,8 @@ ${rows.join("\n")}
     rows.push({
       category: "Cookie behavior",
       rule: "No network tracker before consent",
-      reference: "RGPD Art. 7 · Dir. ePrivacy Art. 5(3)",
+      reference:
+        "[GDPR Art. 7](https://gdpr-info.eu/art-7-gdpr/) · [ePrivacy Dir. Art. 5(3)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058)",
       status: preTrackers.length === 0 ? ok : ko,
       detail:
         preTrackers.length === 0

package/src/report/pdf.ts

@@ -0,0 +1,21 @@
+import { writeFile } from "fs/promises";
+import { chromium } from "playwright";
+
+export async function generatePdf(html: string, outputPath: string): Promise<void> {
+  const browser = await chromium.launch({
+    headless: true,
+    args: ["--no-sandbox", "--disable-setuid-sandbox", "--disable-dev-shm-usage"],
+  });
+  try {
+    const page = await browser.newPage();
+    await page.setContent(html, { waitUntil: "domcontentloaded" });
+    const pdf = await page.pdf({
+      format: "A4",
+      printBackground: true,
+      margin: { top: "20mm", bottom: "20mm", left: "15mm", right: "15mm" },
+    });
+    await writeFile(outputPath, pdf);
+  } finally {
+    await browser.close();
+  }
+}

package/src/scanner/index.ts

@@ -97,7 +97,7 @@ export class Scanner {
     await clearState(session2.context);
     const interceptor4 = createNetworkInterceptor(session2.page, "after-accept");
 
-    let cookiesAfterAccept = cookiesBeforeInteraction;
+    let cookiesAfterAccept: typeof cookiesBeforeInteraction = [];
     let networkAfterAccept: typeof networkBeforeInteraction = [];
 
     try {
@@ -105,8 +105,14 @@ export class Scanner {
         waitUntil: "networkidle",
         timeout: this.options.timeout,
       });
-      await session2.page.waitForTimeout(2000);
+    } catch (err) {
+      errors.push(`Accept phase navigation timeout: ${String(err)}`);
+    }
 
+    // Give a moment for late-loading scripts even if networkidle timed out
+    await session2.page.waitForTimeout(2000);
+
+    try {
       const modal2 = await detectConsentModal(session2.page, this.options);
       const acceptButton = modal2.buttons.find((b) => b.type === "accept");
 

package/.idea/gdpr-report.iml

@@ -1,8 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<module type="WEB_MODULE" version="4">
-  <component name="NewModuleRootManager">
-    <content url="file://$MODULE_DIR$" />
-    <orderEntry type="inheritedJdk" />
-    <orderEntry type="sourceFolder" forTests="false" />
-  </component>
-</module>

package/.idea/modules.xml

@@ -1,8 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="ProjectModuleManager">
-    <modules>
-      <module fileurl="file://$PROJECT_DIR$/.idea/gdpr-report.iml" filepath="$PROJECT_DIR$/.idea/gdpr-report.iml" />
-    </modules>
-  </component>
-</project>

package/.idea/vcs.xml

@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="VcsDirectoryMappings">
-    <mapping directory="" vcs="Git" />
-  </component>
-</project>