npm - @slashgear/gdpr-cookie-scanner - Versions diffs - 3.6.0 → 3.8.0 - Mend

@slashgear/gdpr-cookie-scanner 3.6.0 → 3.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (149) hide show

package/scripts/build-showcase.mjs ADDED Viewed

@@ -0,0 +1,113 @@
+/**
+ * Reads docs/reports/<host>/ directories, extracts grade/score/date from
+ * each HTML report, and regenerates the "Live Reports" cards in docs/index.html.
+ *
+ * Usage:  node scripts/build-showcase.mjs
+ * Or:     pnpm build:showcase
+ */
+import { readdir, readFile, writeFile } from "fs/promises";
+import { join, resolve } from "path";
+import { existsSync } from "fs";
+const WEBSITE_PUBLIC_DIR = resolve("website/public");
+const REPORTS_DIR = join(WEBSITE_PUBLIC_DIR, "reports");
+const INDEX_HTML = join(WEBSITE_PUBLIC_DIR, "index.html");
+const START_MARKER = "<!-- ── REPORTS_START ── -->";
+const END_MARKER = "<!-- ── REPORTS_END ── -->";
+async function extractMeta(hostDir) {
+  const files = await readdir(join(REPORTS_DIR, hostDir));
+  const htmlFile = files.find((f) => f.endsWith(".html"));
+  if (!htmlFile) return null;
+  const content = await readFile(join(REPORTS_DIR, hostDir, htmlFile), "utf8");
+  // oxfmt may split closing tags across lines — match opening tag content only
+  const grade = content.match(/"grade-badge"[^>]*>([A-F])<\/div>/)?.[1] ?? "?";
+  const score = content.match(/"score-num"[^>]*>(\d+)/)?.[1] ?? "?";
+  // Date from filename: gdpr-report-<host>-YYYY-MM-DD.html
+  const dateRaw = htmlFile.match(/(\d{4}-\d{2}-\d{2})\.html$/)?.[1];
+  const dateStr = dateRaw
+    ? new Date(dateRaw).toLocaleDateString("en-GB", {
+        day: "numeric",
+        month: "short",
+        year: "numeric",
+      })
+    : "";
+  const displayHost = hostDir.replace(/^www\./, "");
+  // Inject modal screenshot if PNG exists alongside the HTML but isn't referenced yet
+  const pngPath = join(REPORTS_DIR, hostDir, "modal-initial.png");
+  const htmlPath = join(REPORTS_DIR, hostDir, htmlFile);
+  if (existsSync(pngPath) && !content.includes("modal-initial.png")) {
+    const IMG = `<img src="modal-initial.png" alt="Consent modal screenshot" class="modal-screenshot" />`;
+    // Insert right after the section-body div that follows <h2>Consent modal</h2>
+    const patched = content.replace(
+      /(<h2>Consent modal<\/h2>[\s\S]*?<div class="section-body">)/,
+      `$1\n          ${IMG}`,
+    );
+    if (patched !== content) {
+      await writeFile(htmlPath, patched, "utf8");
+    }
+  }
+  return { grade, score: parseInt(score, 10) || 0, dateStr, displayHost, hostDir, htmlFile };
+}
+function buildCard({ grade, score, dateStr, displayHost, hostDir, htmlFile }) {
+  return `          <!-- ${displayHost} — ${score}/100 ${grade} -->
+          <div class="report-card">
+            <div class="report-header">
+              <div class="grade-badge grade-${grade}">${grade}</div>
+              <div class="report-meta">
+                <h3>${displayHost}</h3>
+                <span class="score">${score} / 100</span>
+              </div>
+            </div>
+            <p class="report-date">Scanned ${dateStr}</p>
+            <a class="btn btn-outline" href="reports/${hostDir}/${htmlFile}">
+              View report →
+            </a>
+          </div>`;
+}
+async function main() {
+  const hosts = (await readdir(REPORTS_DIR, { withFileTypes: true }))
+    .filter((d) => d.isDirectory())
+    .map((d) => d.name);
+  const reports = (await Promise.all(hosts.map(extractMeta))).filter(Boolean);
+  // Sort by score descending (best first)
+  reports.sort((a, b) => b.score - a.score);
+  const cards = reports.map(buildCard).join("\n\n");
+  let index = await readFile(INDEX_HTML, "utf8");
+  const startIdx = index.indexOf(START_MARKER);
+  const endIdx = index.indexOf(END_MARKER);
+  if (startIdx === -1 || endIdx === -1) {
+    throw new Error(`Markers not found in ${INDEX_HTML}. Add:\n  ${START_MARKER}\n  ${END_MARKER}`);
+  }
+  const newIndex =
+    index.slice(0, startIdx + START_MARKER.length) +
+    "\n" +
+    cards +
+    "\n          " +
+    index.slice(endIdx);
+  await writeFile(INDEX_HTML, newIndex, "utf8");
+  console.log(`✓ ${INDEX_HTML} updated with ${reports.length} report cards`);
+  reports.forEach((r) => console.log(`  ${r.grade} ${r.score}/100  ${r.displayHost}`));
+}
+main().catch((e) => {
+  console.error(e);
+  process.exit(1);
+});

package/src/analyzers/colour.ts ADDED Viewed

@@ -0,0 +1,89 @@
+/**
+ * Colour nudging detection — EDPB Guidelines 03/2022 § 3.3.3.
+ *
+ * A "positive" colour (green = go, approve) on the accept button combined with
+ * a "negative" or neutral colour (grey, red) on the reject button steers users
+ * toward consent without technically hiding the refusal option.
+ */
+function parseRgb(css: string): [number, number, number] | null {
+  const m = css.match(/rgba?\(\s*(\d+),\s*(\d+),\s*(\d+)/);
+  if (!m) return null;
+  return [parseInt(m[1], 10), parseInt(m[2], 10), parseInt(m[3], 10)];
+}
+/** Returns [hue 0–360, saturation 0–100, lightness 0–100]. */
+export function rgbToHsl(r: number, g: number, b: number): [number, number, number] {
+  const rr = r / 255,
+    gg = g / 255,
+    bb = b / 255;
+  const max = Math.max(rr, gg, bb),
+    min = Math.min(rr, gg, bb);
+  const l = (max + min) / 2;
+  if (max === min) return [0, 0, Math.round(l * 100)];
+  const d = max - min;
+  const s = l > 0.5 ? d / (2 - max - min) : d / (max + min);
+  let h: number;
+  switch (max) {
+    case rr:
+      h = (gg - bb) / d + (gg < bb ? 6 : 0);
+      break;
+    case gg:
+      h = (bb - rr) / d + 2;
+      break;
+    default:
+      h = (rr - gg) / d + 4;
+  }
+  return [Math.round(h * 60), Math.round(s * 100), Math.round(l * 100)];
+}
+export type ButtonHue = "green" | "red" | "grey" | "blue" | "neutral";
+/**
+ * Classify the perceptual "valence" of a colour:
+ * - green  → positive, approval (h 80–165, s ≥ 25)
+ * - red    → negative, danger   (h ≤ 20 or ≥ 340, s ≥ 25)
+ * - grey   → neutral / muted    (s < 20)
+ * - blue   → informational      (h 195–265, s ≥ 25)
+ * - neutral → anything else
+ *
+ * Very dark (<10 L) or very light (>93 L) colours are treated as neutral
+ * because their hue carries little visual weight in a button context.
+ */
+export function classifyHue(r: number, g: number, b: number): ButtonHue {
+  const [h, s, l] = rgbToHsl(r, g, b);
+  if (l < 10 || l > 93) return "neutral";
+  if (s < 20) return "grey";
+  if (h >= 80 && h <= 165) return "green";
+  if (h <= 20 || h >= 340) return "red";
+  if (h >= 195 && h <= 265) return "blue";
+  return "neutral";
+}
+export interface ColourNudgingResult {
+  acceptHue: ButtonHue | null;
+  rejectHue: ButtonHue | null;
+  /** True when accept is green and reject is grey or red. */
+  isNudging: boolean;
+}
+/**
+ * Detect colour nudging between the accept and reject buttons.
+ *
+ * Returns `isNudging: true` when the accept button has a "positive" hue (green)
+ * while the reject button has a "negative" or neutral hue (grey or red).
+ */
+export function detectColourNudging(
+  acceptBg: string | null | undefined,
+  rejectBg: string | null | undefined,
+): ColourNudgingResult {
+  const acceptRgb = acceptBg ? parseRgb(acceptBg) : null;
+  const rejectRgb = rejectBg ? parseRgb(rejectBg) : null;
+  const acceptHue = acceptRgb ? classifyHue(...acceptRgb) : null;
+  const rejectHue = rejectRgb ? classifyHue(...rejectRgb) : null;
+  const isNudging = acceptHue === "green" && (rejectHue === "grey" || rejectHue === "red");
+  return { acceptHue, rejectHue, isNudging };
+}

package/src/analyzers/compliance.ts CHANGED Viewed

@@ -6,6 +6,7 @@ import type {
   NetworkRequest,
 } from "../types.js";
 import { analyzeButtonWording, analyzeModalText } from "./wording.js";
+import { detectColourNudging } from "./colour.js";
 interface ComplianceInput {
   modal: ConsentModal;
@@ -32,6 +33,10 @@ export function analyzeCompliance(input: ComplianceInput): ComplianceScore {
   ].some((r) => r.requiresConsent);
   const consentRequired = hasNonEssentialCookies || hasNonEssentialTrackers;
+  // Run wording analysis once — modal may not be detected, so these can be null
+  const wordingResult = input.modal.detected ? analyzeButtonWording(input.modal.buttons) : null;
+  const textResult = input.modal.detected ? analyzeModalText(input.modal.text) : null;
   // ── A. Consent validity (0-25) ────────────────────────────────
   let consentValidity = 25;
@@ -44,10 +49,8 @@ export function analyzeCompliance(input: ComplianceInput): ComplianceScore {
     });
     consentValidity = 0;
   } else if (input.modal.detected) {
-    // Wording analysis
-    const wordingResult = analyzeButtonWording(input.modal.buttons);
-    const textResult = analyzeModalText(input.modal.text);
-    issues.push(...wordingResult.issues, ...textResult.issues);
+    // Wording analysis (wordingResult / textResult hoisted above)
+    issues.push(...wordingResult!.issues, ...textResult!.issues);
     // Pre-ticked checkboxes
     const preTicked = input.modal.checkboxes.filter((c) => c.isCheckedByDefault);
@@ -62,9 +65,9 @@ export function analyzeCompliance(input: ComplianceInput): ComplianceScore {
     }
     // Missing info deductions
-    if (textResult.missingInfo.includes("purposes")) consentValidity -= 5;
-    if (textResult.missingInfo.includes("third-parties")) consentValidity -= 5;
-    if (textResult.missingInfo.length >= 3) consentValidity -= 5;
+    if (textResult!.missingInfo.includes("purposes")) consentValidity -= 5;
+    if (textResult!.missingInfo.includes("third-parties")) consentValidity -= 5;
+    if (textResult!.missingInfo.length >= 3) consentValidity -= 5;
   }
   // ── B. Easy refusal (0-25) ────────────────────────────────────
@@ -109,6 +112,29 @@ export function analyzeCompliance(input: ComplianceInput): ComplianceScore {
       }
     }
+    // Indirect reject label ("continuer sans accepter", "continue without accepting"…)
+    if (wordingResult?.hasIndirectRejectLabel) {
+      easyRefusal -= 5;
+    }
+    // Colour nudging: green accept + grey/red reject
+    if (acceptButton && rejectButton) {
+      const { isNudging, acceptHue, rejectHue } = detectColourNudging(
+        acceptButton.backgroundColor,
+        rejectButton.backgroundColor,
+      );
+      if (isNudging) {
+        issues.push({
+          type: "nudging",
+          severity: "warning",
+          description:
+            'Accept button uses a "positive" colour (green) while reject is visually de-emphasised',
+          evidence: `Accept: ${acceptButton.backgroundColor} (${acceptHue}), Reject: ${rejectButton.backgroundColor} (${rejectHue}) — EDPB Guidelines 03/2022 § 3.3.3`,
+        });
+        easyRefusal -= 5;
+      }
+    }
     // Font size asymmetry
     if (acceptButton?.fontSize && rejectButton?.fontSize) {
       if (acceptButton.fontSize > rejectButton.fontSize * 1.3) {
@@ -167,9 +193,8 @@ export function analyzeCompliance(input: ComplianceInput): ComplianceScore {
       transparency -= 10;
     }
     // Already deducted in consentValidity for missing info
-    const wordingResult = analyzeModalText(input.modal.text);
-    if (wordingResult.missingInfo.length > 0) {
-      transparency -= wordingResult.missingInfo.length * 3;
+    if (textResult!.missingInfo.length > 0) {
+      transparency -= textResult!.missingInfo.length * 3;
     }
     // No privacy policy link in the modal
     if (!input.modal.privacyPolicyUrl) {

package/src/analyzers/tcf-decoder.ts ADDED Viewed

@@ -0,0 +1,130 @@
+import type { TcfConsentString } from "../types.js";
+export const IAB_PURPOSES: Record<number, string> = {
+  1: "Store and/or access information on a device",
+  2: "Select basic ads",
+  3: "Create a personalised ads profile",
+  4: "Select personalised ads",
+  5: "Create a personalised content profile",
+  6: "Select personalised content",
+  7: "Measure ad performance",
+  8: "Measure content performance",
+  9: "Apply market research to generate audience insights",
+  10: "Develop and improve products",
+  11: "Use limited data to select content",
+};
+export const IAB_SPECIAL_FEATURES: Record<number, string> = {
+  1: "Use precise geolocation data",
+  2: "Actively scan device characteristics for identification",
+};
+class BitReader {
+  private pos = 0;
+  constructor(private readonly buf: Buffer) {}
+  readBits(n: number): number {
+    let value = 0;
+    for (let i = 0; i < n; i++) {
+      const byteIndex = Math.floor(this.pos / 8);
+      if (byteIndex >= this.buf.length) throw new Error("BitReader: out of bounds");
+      const bitIndex = 7 - (this.pos % 8);
+      const bit = (this.buf[byteIndex] >> bitIndex) & 1;
+      // Use multiplication instead of bit shift to avoid 32-bit overflow on 36-bit timestamps
+      value = value * 2 + bit;
+      this.pos++;
+    }
+    return value;
+  }
+}
+function deciSecondsToDate(ds: number): Date {
+  return new Date(ds * 100);
+}
+function readLanguage(reader: BitReader): string {
+  const c1 = reader.readBits(6) + 65; // 'A' = 0
+  const c2 = reader.readBits(6) + 65;
+  return String.fromCharCode(c1, c2);
+}
+function readBitField(reader: BitReader, count: number): number[] {
+  const active: number[] = [];
+  for (let i = 1; i <= count; i++) {
+    if (reader.readBits(1) === 1) active.push(i);
+  }
+  return active;
+}
+/**
+ * Decode a TCF v1 or v2 consent string (core segment only).
+ * Returns null if decoding fails or if the version is not 1 or 2.
+ */
+export function decodeTcfConsentString(raw: string): TcfConsentString | null {
+  try {
+    // Take only the core segment (before '~')
+    const coreSegment = raw.split("~")[0];
+    // Convert base64url to standard base64 and decode
+    const base64 = coreSegment.replace(/-/g, "+").replace(/_/g, "/");
+    const buf = Buffer.from(base64, "base64");
+    const reader = new BitReader(buf);
+    const version = reader.readBits(6);
+    if (version !== 1 && version !== 2) return null;
+    const created = deciSecondsToDate(reader.readBits(36));
+    const lastUpdated = deciSecondsToDate(reader.readBits(36));
+    const cmpId = reader.readBits(12);
+    const cmpVersion = reader.readBits(12);
+    reader.readBits(6); // consentScreen (unused)
+    const consentLanguage = readLanguage(reader);
+    const vendorListVersion = reader.readBits(12);
+    if (version === 1) {
+      const purposesAllowed = readBitField(reader, 24);
+      return {
+        raw,
+        version: 1,
+        created,
+        lastUpdated,
+        cmpId,
+        cmpVersion,
+        consentLanguage,
+        vendorListVersion,
+        specialFeatureOptins: [],
+        purposesConsent: purposesAllowed,
+        purposesLegitimateInterest: [],
+      };
+    }
+    // TCF v2
+    const tcfPolicyVersion = reader.readBits(6);
+    const isServiceSpecific = reader.readBits(1) === 1;
+    reader.readBits(1); // useNonStandardStacks
+    const specialFeatureOptins = readBitField(reader, 12);
+    const purposesConsent = readBitField(reader, 24);
+    const purposesLegitimateInterest = readBitField(reader, 24);
+    reader.readBits(1); // purposeOneTreatment
+    const publisherCC = readLanguage(reader);
+    return {
+      raw,
+      version: 2,
+      created,
+      lastUpdated,
+      cmpId,
+      cmpVersion,
+      consentLanguage,
+      vendorListVersion,
+      tcfPolicyVersion,
+      isServiceSpecific,
+      specialFeatureOptins,
+      purposesConsent,
+      purposesLegitimateInterest,
+      publisherCC,
+    };
+  } catch {
+    return null;
+  }
+}

package/src/analyzers/wording.ts CHANGED Viewed

@@ -14,6 +14,35 @@ const MISLEADING_ACCEPT_LABELS = [
  */
 const FAKE_REJECT_LABELS = [/^(×|✕|✖|close|fermer|dismiss|ignorer|skip|passer)$/i];
+/**
+ * Indirect reject labels: the button does refuse, but without using a clear negative
+ * word like "refuse/reject". The user has to infer the refusal from context.
+ * Flagged as a dark pattern per EDPB Guidelines 03/2022 (§ 3.3.3 — hiding choices).
+ *
+ * Pattern logic: "continue/proceed + without/sans/sin/senza/ohne + consent-related word".
+ */
+const INDIRECT_REJECT_LABELS = [
+  // English
+  /\bcontinue\s+without\b/i,
+  /\bproceed\s+without\b/i,
+  /\bwithout\s+(accepting|accept|consent|consenting)\b/i,
+  // French
+  /\bcontinuer\s+sans\b/i,
+  /\bsans\s+(accepter|consentir|cookies)\b/i,
+  // Spanish
+  /\bcontinuar\s+sin\b/i,
+  /\bsin\s+(aceptar|consentir)\b/i,
+  // Italian
+  /\bcontinua\s+senza\b/i,
+  /\bsenza\s+(accettare|consenso)\b/i,
+  // German
+  /\bweiter\s+ohne\b/i,
+  /\bohne\s+(akzeptieren|zustimmen)\b/i,
+  // Dutch
+  /\bvervolgenen?\s+zonder\b/i,
+  /\bzonder\s+(accepteren|toestemming)\b/i,
+];
 /**
  * Required informational elements in consent text (RGPD Art. 13-14).
  */
@@ -32,6 +61,7 @@ export interface WordingAnalysis {
   missingInfo: string[];
   hasPositiveActionForAccept: boolean;
   hasExplicitRejectOption: boolean;
+  hasIndirectRejectLabel: boolean;
 }
 export function analyzeButtonWording(buttons: ConsentButton[]): WordingAnalysis {
@@ -80,11 +110,25 @@ export function analyzeButtonWording(buttons: ConsentButton[]): WordingAnalysis
     }
   }
+  // ── Indirect reject (refusal implied, not stated) ─────────────
+  const hasIndirectRejectLabel =
+    !!rejectButton && INDIRECT_REJECT_LABELS.some((p) => p.test(rejectButton.text));
+  if (hasIndirectRejectLabel && rejectButton) {
+    issues.push({
+      type: "misleading-wording",
+      severity: "warning",
+      description: `Reject button uses indirect wording: "${rejectButton.text}"`,
+      evidence:
+        'EDPB Guidelines 03/2022: the refusal option must be as clear as acceptance — indirect phrases like "continue without accepting" obscure the user\'s choice',
+    });
+  }
   return {
     issues,
     missingInfo: [], // filled in by analyzeModalText
     hasPositiveActionForAccept: !!acceptButton,
     hasExplicitRejectOption: !!rejectButton,
+    hasIndirectRejectLabel,
   };
 }

package/src/report/generator.ts CHANGED Viewed

@@ -15,6 +15,7 @@ import type {
   DarkPatternIssue,
   ConsentButton,
 } from "../types.js";
+import { IAB_PURPOSES, IAB_SPECIAL_FEATURES } from "../analyzers/tcf-decoder.js";
 import type { ScanOptions } from "../types.js";
 import { lookupCookie } from "../classifiers/cookie-lookup.js";
@@ -170,8 +171,12 @@ export class ReportGenerator {
     sections.push(`## 6. Network Requests — Detected Trackers\n`);
     sections.push(this.buildNetworkSection(r));
+    // ── IAB TCF ───────────────────────────────────────────────────
+    sections.push(`## 7. IAB TCF (Transparency & Consent Framework)\n`);
+    sections.push(this.buildTcfSection(r));
     // ── Recommendations ───────────────────────────────────────────
-    sections.push(`## 7. Recommendations\n`);
+    sections.push(`## 8. Recommendations\n`);
     sections.push(this.buildRecommendations(r));
     // ── Scan errors ───────────────────────────────────────────────
@@ -488,6 +493,83 @@ ${rows.join("\n")}
     return lines.join("\n");
   }
+  private buildTcfSection(r: ScanResult): string {
+    const { tcf } = r;
+    const lines: string[] = [];
+    lines.push(`> Informational only — does not affect the compliance score.\n`);
+    if (!tcf.detected) {
+      lines.push("**TCF detected:** ❌ No TCF implementation found on this page.");
+      return lines.join("\n");
+    }
+    lines.push(`**TCF detected:** ✅ Yes${tcf.version ? ` (v${tcf.version})` : ""}`);
+    lines.push(`**CMP API (\`__tcfapi\`):** ${tcf.apiPresent ? "✅ Present" : "❌ Not present"}`);
+    lines.push(
+      `**Locator frame (\`__tcfapiLocator\`):** ${tcf.locatorFramePresent ? "✅ Present" : "❌ Not present"}`,
+    );
+    lines.push(`**Consent string cookie:** ${tcf.cookieName ? `\`${tcf.cookieName}\`` : "—"}`);
+    lines.push(`**CMP ID:** ${tcf.cmpId ?? "—"}`);
+    const cs = tcf.consentString;
+    if (!cs) {
+      lines.push("\n_No consent string could be decoded._");
+      return lines.join("\n");
+    }
+    lines.push("\n### Decoded consent string\n");
+    lines.push("| Field | Value |");
+    lines.push("|-------|-------|");
+    lines.push(`| Version | TCF v${cs.version} |`);
+    lines.push(`| Created | ${cs.created.toISOString().split("T")[0]} |`);
+    lines.push(`| Last updated | ${cs.lastUpdated.toISOString().split("T")[0]} |`);
+    lines.push(`| CMP ID | ${cs.cmpId} |`);
+    lines.push(`| CMP version | ${cs.cmpVersion} |`);
+    lines.push(`| Consent language | ${cs.consentLanguage} |`);
+    lines.push(`| Vendor list version | ${cs.vendorListVersion} |`);
+    if (cs.tcfPolicyVersion !== undefined) {
+      lines.push(`| TCF policy version | ${cs.tcfPolicyVersion} |`);
+    }
+    if (cs.isServiceSpecific !== undefined) {
+      lines.push(`| Service specific | ${cs.isServiceSpecific ? "Yes" : "No"} |`);
+    }
+    if (cs.publisherCC) {
+      lines.push(`| Publisher country | ${cs.publisherCC} |`);
+    }
+    if (cs.purposesConsent.length > 0) {
+      lines.push("\n### Purposes with consent\n");
+      lines.push("| ID | Purpose |");
+      lines.push("|----|---------|");
+      for (const id of cs.purposesConsent) {
+        lines.push(`| ${id} | ${IAB_PURPOSES[id] ?? "Unknown"} |`);
+      }
+    } else {
+      lines.push("\n_No purposes with explicit consent._");
+    }
+    if (cs.purposesLegitimateInterest.length > 0) {
+      lines.push("\n### Purposes with legitimate interest\n");
+      lines.push("| ID | Purpose |");
+      lines.push("|----|---------|");
+      for (const id of cs.purposesLegitimateInterest) {
+        lines.push(`| ${id} | ${IAB_PURPOSES[id] ?? "Unknown"} |`);
+      }
+    }
+    if (cs.specialFeatureOptins.length > 0) {
+      lines.push("\n### Special features opted in\n");
+      lines.push("| ID | Feature |");
+      lines.push("|----|---------|");
+      for (const id of cs.specialFeatureOptins) {
+        lines.push(`| ${id} | ${IAB_SPECIAL_FEATURES[id] ?? "Unknown"} |`);
+      }
+    }
+    return lines.join("\n");
+  }
   private buildRecommendations(r: ScanResult): string {
     const recs: string[] = [];
     const issues = r.compliance.issues;