npm - @slashgear/gdpr-cookie-scanner - Versions diffs - 1.0.0 - Mend

@slashgear/gdpr-cookie-scanner 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (85) hide show

package/.changeset/README.md +8 -0
package/.changeset/config.json +11 -0
package/.github/ISSUE_TEMPLATE/bug_report.yml +44 -0
package/.github/ISSUE_TEMPLATE/feature_request.yml +26 -0
package/.github/PULL_REQUEST_TEMPLATE.md +24 -0
package/.github/workflows/ci.yml +38 -0
package/.github/workflows/release.yml +57 -0
package/.idea/gdpr-report.iml +8 -0
package/.idea/modules.xml +8 -0
package/.idea/vcs.xml +6 -0
package/CHANGELOG.md +7 -0
package/CLAUDE.md +75 -0
package/CODE_OF_CONDUCT.md +41 -0
package/CONTRIBUTING.md +79 -0
package/LICENSE +21 -0
package/README.md +127 -0
package/SECURITY.md +15 -0
package/dist/analyzers/compliance.d.ts +13 -0
package/dist/analyzers/compliance.d.ts.map +1 -0
package/dist/analyzers/compliance.js +171 -0
package/dist/analyzers/compliance.js.map +1 -0
package/dist/analyzers/wording.d.ts +13 -0
package/dist/analyzers/wording.d.ts.map +1 -0
package/dist/analyzers/wording.js +91 -0
package/dist/analyzers/wording.js.map +1 -0
package/dist/classifiers/cookie-classifier.d.ts +8 -0
package/dist/classifiers/cookie-classifier.d.ts.map +1 -0
package/dist/classifiers/cookie-classifier.js +108 -0
package/dist/classifiers/cookie-classifier.js.map +1 -0
package/dist/classifiers/network-classifier.d.ts +9 -0
package/dist/classifiers/network-classifier.d.ts.map +1 -0
package/dist/classifiers/network-classifier.js +51 -0
package/dist/classifiers/network-classifier.js.map +1 -0
package/dist/classifiers/tracker-list.d.ts +16 -0
package/dist/classifiers/tracker-list.d.ts.map +1 -0
package/dist/classifiers/tracker-list.js +86 -0
package/dist/classifiers/tracker-list.js.map +1 -0
package/dist/cli.d.ts +3 -0
package/dist/cli.d.ts.map +1 -0
package/dist/cli.js +110 -0
package/dist/cli.js.map +1 -0
package/dist/report/generator.d.ts +19 -0
package/dist/report/generator.d.ts.map +1 -0
package/dist/report/generator.js +552 -0
package/dist/report/generator.js.map +1 -0
package/dist/scanner/browser.d.ts +11 -0
package/dist/scanner/browser.d.ts.map +1 -0
package/dist/scanner/browser.js +38 -0
package/dist/scanner/browser.js.map +1 -0
package/dist/scanner/consent-modal.d.ts +5 -0
package/dist/scanner/consent-modal.d.ts.map +1 -0
package/dist/scanner/consent-modal.js +244 -0
package/dist/scanner/consent-modal.js.map +1 -0
package/dist/scanner/cookies.d.ts +11 -0
package/dist/scanner/cookies.d.ts.map +1 -0
package/dist/scanner/cookies.js +30 -0
package/dist/scanner/cookies.js.map +1 -0
package/dist/scanner/index.d.ts +9 -0
package/dist/scanner/index.d.ts.map +1 -0
package/dist/scanner/index.js +146 -0
package/dist/scanner/index.js.map +1 -0
package/dist/scanner/network.d.ts +8 -0
package/dist/scanner/network.d.ts.map +1 -0
package/dist/scanner/network.js +41 -0
package/dist/scanner/network.js.map +1 -0
package/dist/types.d.ts +105 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +2 -0
package/dist/types.js.map +1 -0
package/package.json +52 -0
package/renovate.json +17 -0
package/src/analyzers/compliance.ts +203 -0
package/src/analyzers/wording.ts +112 -0
package/src/classifiers/cookie-classifier.ts +125 -0
package/src/classifiers/network-classifier.ts +65 -0
package/src/classifiers/tracker-list.ts +105 -0
package/src/cli.ts +134 -0
package/src/report/generator.ts +703 -0
package/src/scanner/browser.ts +52 -0
package/src/scanner/consent-modal.ts +276 -0
package/src/scanner/cookies.ts +43 -0
package/src/scanner/index.ts +163 -0
package/src/scanner/network.ts +51 -0
package/src/types.ts +134 -0
package/tsconfig.json +18 -0

package/src/classifiers/network-classifier.ts ADDED Viewed

@@ -0,0 +1,65 @@
+import { TRACKER_DB, PIXEL_PATTERNS } from "./tracker-list.js";
+import type { TrackerCategory } from "../types.js";
+interface NetworkClassification {
+  isThirdParty: boolean;
+  trackerCategory: TrackerCategory | null;
+  trackerName: string | null;
+}
+export function classifyNetworkRequest(url: string, resourceType: string): NetworkClassification {
+  let hostname: string;
+  try {
+    hostname = new URL(url).hostname.replace(/^www\./, "");
+  } catch {
+    return { isThirdParty: false, trackerCategory: null, trackerName: null };
+  }
+  // Check tracker database (exact match or suffix match)
+  for (const [domain, entry] of Object.entries(TRACKER_DB)) {
+    if (hostname === domain || hostname.endsWith(`.${domain}`)) {
+      return {
+        isThirdParty: true,
+        trackerCategory: entry.category,
+        trackerName: entry.name,
+      };
+    }
+  }
+  // Check pixel/beacon patterns in URL
+  if (PIXEL_PATTERNS.some((p) => p.test(url))) {
+    return {
+      isThirdParty: true,
+      trackerCategory: "pixel",
+      trackerName: "Tracking Pixel",
+    };
+  }
+  // Resource type heuristics
+  if (resourceType === "image" && isLikelyPixel(url)) {
+    return {
+      isThirdParty: true,
+      trackerCategory: "pixel",
+      trackerName: "Tracking Pixel (image)",
+    };
+  }
+  return {
+    isThirdParty: false,
+    trackerCategory: null,
+    trackerName: null,
+  };
+}
+/**
+ * Heuristic: 1x1 gif / tiny image with tracking params
+ */
+function isLikelyPixel(url: string): boolean {
+  const u = url.toLowerCase();
+  return (
+    (u.includes(".gif") || u.includes(".png")) &&
+    u.includes("?") &&
+    /[?&](uid|userid|sid|cid|vid|ts|t=|e=|ev=)/i.test(url)
+  );
+}

package/src/classifiers/tracker-list.ts ADDED Viewed

@@ -0,0 +1,105 @@
+import type { TrackerCategory } from "../types.js";
+interface TrackerEntry {
+  name: string;
+  category: TrackerCategory;
+}
+/**
+ * Known tracker domains and their categories.
+ * Based on open-source tracker databases (EasyPrivacy, Disconnect, DuckDuckGo Tracker Radar).
+ */
+export const TRACKER_DB: Record<string, TrackerEntry> = {
+  // ── Google ────────────────────────────────────────────────────
+  "google-analytics.com": { name: "Google Analytics", category: "analytics" },
+  "analytics.google.com": { name: "Google Analytics", category: "analytics" },
+  "googletagmanager.com": { name: "Google Tag Manager", category: "analytics" },
+  "googletagservices.com": { name: "Google Tag Services", category: "advertising" },
+  "googlesyndication.com": { name: "Google AdSense", category: "advertising" },
+  "doubleclick.net": { name: "Google DoubleClick", category: "advertising" },
+  "adservice.google.com": { name: "Google Ad Services", category: "advertising" },
+  "google.com/ads": { name: "Google Ads", category: "advertising" },
+  "googleadservices.com": { name: "Google Ad Services", category: "advertising" },
+  "pagead2.googlesyndication.com": { name: "Google PageAd", category: "advertising" },
+  // ── Meta / Facebook ───────────────────────────────────────────
+  "connect.facebook.net": { name: "Facebook SDK", category: "social" },
+  "graph.facebook.com": { name: "Facebook Graph API", category: "social" },
+  "facebook.com/tr": { name: "Meta Pixel", category: "advertising" },
+  "fbcdn.net": { name: "Facebook CDN", category: "social" },
+  // ── Microsoft ─────────────────────────────────────────────────
+  "bat.bing.com": { name: "Bing Ads", category: "advertising" },
+  "clarity.ms": { name: "Microsoft Clarity", category: "analytics" },
+  "ads.microsoft.com": { name: "Microsoft Ads", category: "advertising" },
+  "scorecardresearch.com": { name: "Scorecard Research", category: "analytics" },
+  // ── Hotjar ────────────────────────────────────────────────────
+  "hotjar.com": { name: "Hotjar", category: "analytics" },
+  "static.hotjar.com": { name: "Hotjar", category: "analytics" },
+  // ── LinkedIn ─────────────────────────────────────────────────
+  "snap.licdn.com": { name: "LinkedIn Insight Tag", category: "advertising" },
+  "platform.linkedin.com": { name: "LinkedIn", category: "social" },
+  // ── Twitter / X ──────────────────────────────────────────────
+  "static.ads-twitter.com": { name: "Twitter Ads", category: "advertising" },
+  "analytics.twitter.com": { name: "Twitter Analytics", category: "analytics" },
+  "t.co": { name: "Twitter URL shortener", category: "advertising" },
+  // ── TikTok ───────────────────────────────────────────────────
+  "analytics.tiktok.com": { name: "TikTok Analytics", category: "analytics" },
+  "ads-api.tiktok.com": { name: "TikTok Ads", category: "advertising" },
+  // ── Criteo ───────────────────────────────────────────────────
+  "dis.us.criteo.com": { name: "Criteo", category: "advertising" },
+  "rtax.criteo.com": { name: "Criteo Retargeting", category: "advertising" },
+  "static.criteo.net": { name: "Criteo", category: "advertising" },
+  // ── Segment / Amplitude / Mixpanel ───────────────────────────
+  "api.segment.io": { name: "Segment", category: "analytics" },
+  "cdn.segment.com": { name: "Segment", category: "analytics" },
+  "api2.amplitude.com": { name: "Amplitude", category: "analytics" },
+  "api.mixpanel.com": { name: "Mixpanel", category: "analytics" },
+  // ── Intercom / Drift / HubSpot ────────────────────────────────
+  "js.intercomcdn.com": { name: "Intercom", category: "analytics" },
+  "widget.intercom.io": { name: "Intercom Widget", category: "analytics" },
+  "hubspot.com": { name: "HubSpot", category: "analytics" },
+  "js.hs-scripts.com": { name: "HubSpot", category: "analytics" },
+  "drift.com": { name: "Drift", category: "analytics" },
+  // ── Fingerprinting ───────────────────────────────────────────
+  "fingerprintjs.com": { name: "FingerprintJS", category: "fingerprinting" },
+  "fpnpmcdn.net": { name: "FingerprintJS CDN", category: "fingerprinting" },
+  // ── Advertising networks ─────────────────────────────────────
+  "amazon-adsystem.com": { name: "Amazon Ads", category: "advertising" },
+  "pubmatic.com": { name: "PubMatic", category: "advertising" },
+  "rubiconproject.com": { name: "Rubicon Project", category: "advertising" },
+  "openx.net": { name: "OpenX", category: "advertising" },
+  "casalemedia.com": { name: "Casale Media", category: "advertising" },
+  "akamaized.net": { name: "Akamai", category: "cdn" },
+  "outbrain.com": { name: "Outbrain", category: "advertising" },
+  "taboola.com": { name: "Taboola", category: "advertising" },
+  "quantserve.com": { name: "Quantcast", category: "advertising" },
+  "chartbeat.com": { name: "Chartbeat", category: "analytics" },
+  // ── AB Testing ───────────────────────────────────────────────
+  "optimizely.com": { name: "Optimizely", category: "analytics" },
+  "vwo.com": { name: "VWO", category: "analytics" },
+  "app.convert.com": { name: "Convert", category: "analytics" },
+};
+/**
+ * Patterns for detecting tracking pixels and beacons by URL shape.
+ */
+export const PIXEL_PATTERNS: RegExp[] = [
+  /\/pixel(\.gif|\.png|\.php)?(\?|$)/i,
+  /\/beacon(\.gif|\.png|\.php)?(\?|$)/i,
+  /\/track(ing)?(\.gif|\.png|\.php)?(\?|$)/i,
+  /\/collect(\?|$)/i,
+  /\/event(\?|$)/i,
+  /\/(hit|ping|log)(\?|$)/i,
+  /\?.*(?:pixel|beacon|track|event|hit)=/i,
+];

package/src/cli.ts ADDED Viewed

@@ -0,0 +1,134 @@
+#!/usr/bin/env node
+import { Command } from "commander";
+import chalk from "chalk";
+import ora from "ora";
+import { join, resolve } from "path";
+import { Scanner } from "./scanner/index.js";
+import { ReportGenerator } from "./report/generator.js";
+import type { ScanOptions } from "./types.js";
+const program = new Command();
+program
+  .name("gdpr-scan")
+  .description("Scan a website for GDPR cookie consent compliance")
+  .version("0.1.0");
+program
+  .command("scan")
+  .description("Scan a website and generate a GDPR compliance report")
+  .argument("<url>", "URL of the website to scan")
+  .option("-o, --output <dir>", "Output directory for the report", "./gdpr-reports")
+  .option("-t, --timeout <ms>", "Navigation timeout in milliseconds", "30000")
+  .option("--no-screenshots", "Disable screenshot capture")
+  .option("-l, --locale <locale>", "Browser locale for language detection", "fr-FR")
+  .option("-v, --verbose", "Show detailed output", false)
+  .action(async (url: string, opts) => {
+    console.log();
+    console.log(chalk.bold.blue("  GDPR Cookie Scanner"));
+    console.log(chalk.gray("  ─────────────────────────────────────"));
+    const normalizedUrl = normalizeUrl(url);
+    const hostname = new URL(normalizedUrl).hostname;
+    const outputDir = join(resolve(opts.output), hostname);
+    console.log(chalk.gray(`  Target : ${url}`));
+    console.log(chalk.gray(`  Output : ${outputDir}`));
+    console.log();
+    const options: ScanOptions = {
+      url: normalizedUrl,
+      outputDir,
+      timeout: parseInt(opts.timeout, 10),
+      screenshots: opts.screenshots !== false,
+      locale: opts.locale,
+      verbose: opts.verbose,
+    };
+    const spinner = ora("Launching browser...").start();
+    try {
+      const scanner = new Scanner(options);
+      spinner.text = "Loading page (before interaction)...";
+      const result = await scanner.run((phase) => {
+        spinner.text = phase;
+      });
+      spinner.succeed("Scan complete");
+      console.log();
+      const generator = new ReportGenerator(options);
+      const reportPath = await generator.generate(result);
+      console.log(
+        chalk.bold(
+          `  Compliance score: ${formatScore(result.compliance.total)} ${result.compliance.grade}`,
+        ),
+      );
+      console.log();
+      if (result.compliance.issues.length > 0) {
+        console.log(chalk.yellow(`  ${result.compliance.issues.length} issue(s) detected:`));
+        for (const issue of result.compliance.issues.slice(0, 5)) {
+          const icon = issue.severity === "critical" ? chalk.red("✗") : chalk.yellow("⚠");
+          console.log(`    ${icon} ${issue.description}`);
+        }
+        if (result.compliance.issues.length > 5) {
+          console.log(
+            chalk.gray(`    ... and ${result.compliance.issues.length - 5} more (see report)`),
+          );
+        }
+        console.log();
+      }
+      console.log(chalk.green(`  Report saved: ${reportPath}`));
+      console.log();
+      process.exit(result.compliance.grade === "F" ? 1 : 0);
+    } catch (err) {
+      spinner.fail("Scan failed");
+      console.error(chalk.red(`\n  Error: ${err instanceof Error ? err.message : String(err)}`));
+      if (opts.verbose && err instanceof Error && err.stack) {
+        console.error(chalk.gray(err.stack));
+      }
+      process.exit(2);
+    }
+  });
+program
+  .command("list-trackers")
+  .description("Show the built-in tracker database summary")
+  .action(async () => {
+    const { TRACKER_DB } = await import("./classifiers/tracker-list.js");
+    const categories = new Map<string, number>();
+    for (const entry of Object.values(TRACKER_DB)) {
+      const cat = entry.category;
+      categories.set(cat, (categories.get(cat) ?? 0) + 1);
+    }
+    console.log(chalk.bold("\n  Built-in tracker database:"));
+    for (const [cat, count] of categories.entries()) {
+      console.log(`    ${chalk.cyan(cat.padEnd(20))} ${count} domains`);
+    }
+    console.log(`\n  Total: ${Object.keys(TRACKER_DB).length} tracked domains\n`);
+  });
+program.parse(process.argv);
+function normalizeUrl(url: string): string {
+  if (!url.startsWith("http://") && !url.startsWith("https://")) {
+    return `https://${url}`;
+  }
+  return url;
+}
+function formatScore(score: number): string {
+  const colored =
+    score >= 80
+      ? chalk.green(score)
+      : score >= 60
+        ? chalk.yellow(score)
+        : score >= 40
+          ? chalk.hex("#FFA500")(score)
+          : chalk.red(score);
+  return `${colored}/100`;
+}