@trailofbits/vsix-audit 0.1.0

package/dist/scanner/checks/unicode.js

@@ -0,0 +1,247 @@
+import { detectBundler } from "../bundler.js";
+import { isScannable, SCANNABLE_EXTENSIONS_UNICODE } from "../constants.js";
+function findLineAndColumn(content, index) {
+    const beforeMatch = content.slice(0, index);
+    const lines = beforeMatch.split("\n");
+    const line = lines.length;
+    const column = (lines.at(-1)?.length ?? 0) + 1;
+    return { line, column };
+}
+function getContext(content, index, length) {
+    const start = Math.max(0, index - 20);
+    const end = Math.min(content.length, index + length + 20);
+    let ctx = content.slice(start, end);
+    if (start > 0)
+        ctx = "..." + ctx;
+    if (end < content.length)
+        ctx = ctx + "...";
+    return ctx.replace(/[\n\r]/g, "\\n").slice(0, 80);
+}
+// Zero-width characters: U+200B-200D, U+FEFF
+const ZERO_WIDTH_REGEX = /[\u200B-\u200D\uFEFF]/g;
+// Variation selectors: U+FE00-FE0F (GlassWorm technique)
+const VARIATION_SELECTOR_REGEX = /[\uFE00-\uFE0F]/g;
+// Bidirectional overrides: U+202A-202E (Trojan Source attack)
+const BIDI_OVERRIDE_REGEX = /[\u202A-\u202E]/g;
+// Unicode escapes for ASCII: \u00XX where XX is 20-7E (printable ASCII)
+// This is obfuscation - using unicode escapes for normal characters
+const UNICODE_ASCII_ESCAPE_REGEX = /\\u00[2-7][0-9a-fA-F]/g;
+// Cyrillic homoglyphs that look like Latin letters
+// а(U+0430)/a, с(U+0441)/c, е(U+0435)/e, о(U+043E)/o, р(U+0440)/p, х(U+0445)/x, у(U+0443)/y
+// Also uppercase: А(U+0410)/A, В(U+0412)/B, С(U+0421)/C, Е(U+0415)/E, Н(U+041D)/H, etc.
+const CYRILLIC_LOOKALIKE_REGEX = /[\u0430\u0441\u0435\u043E\u0440\u0445\u0443\u0410\u0412\u0421\u0415\u041D\u041A\u041C\u041E\u0420\u0422\u0425]/g;
+// Additional invisible/confusable characters
+// U+00AD Soft hyphen, U+034F Combining grapheme joiner, U+115F-1160 Hangul fillers
+// U+17B4-17B5 Khmer vowels, U+180E Mongolian vowel separator
+const OTHER_INVISIBLE_REGEX = /[\u00AD\u034F\u115F\u1160\u17B4\u17B5\u180E\u2060-\u2064\u206A-\u206F]/g;
+function detectPattern(content, regex, minMatches = 1) {
+    const matches = [];
+    const r = new RegExp(regex.source, regex.flags);
+    let match;
+    while ((match = r.exec(content)) !== null) {
+        const { line, column } = findLineAndColumn(content, match.index);
+        matches.push({
+            line,
+            column,
+            matched: match[0],
+            context: getContext(content, match.index, match[0].length),
+        });
+    }
+    return matches.length >= minMatches ? matches : [];
+}
+/**
+ * Check if the file appears to be primarily i18n/localization content.
+ * These files naturally have high Unicode diversity and should be treated differently.
+ */
+function isI18nFile(filename, content) {
+    // Check filename patterns
+    const i18nPatterns = [
+        /locales?\//i,
+        /i18n\//i,
+        /translations?\//i,
+        /lang\//i,
+        /messages/i,
+        /\.l10n\./i,
+        /nls\./i,
+    ];
+    if (i18nPatterns.some((p) => p.test(filename))) {
+        return true;
+    }
+    // Check if content looks like localization JSON
+    // (has many string keys with translated values)
+    if (filename.endsWith(".json")) {
+        const keyValuePairs = (content.match(/"[^"]+"\s*:\s*"[^"]+"/g) ?? []).length;
+        const lines = content.split("\n").length;
+        // If more than 50% of lines are key-value pairs, likely i18n
+        if (keyValuePairs / lines > 0.5 && keyValuePairs > 10) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Check if invisible characters are in proximity to execution patterns.
+ * This helps distinguish malicious steganography from benign Unicode use.
+ */
+function hasExecutionInProximity(content, invisibleIndex, proximityChars = 200) {
+    const start = Math.max(0, invisibleIndex - proximityChars);
+    const end = Math.min(content.length, invisibleIndex + proximityChars);
+    const region = content.slice(start, end);
+    const execPatterns = [
+        /eval\s*\(/i,
+        /Function\s*\(/i,
+        /exec\s*\(/i,
+        /spawn\s*\(/i,
+        /execSync\s*\(/i,
+        /child_process/i,
+        /\.\s*call\s*\(/,
+        /\.\s*apply\s*\(/,
+        /new\s+Function/i,
+        /atob\s*\(/i,
+        /Buffer\.from/i,
+    ];
+    return execPatterns.some((p) => p.test(region));
+}
+// Rules that should be skipped for bundled code (they're noisy on minified i18n)
+const SKIP_FOR_BUNDLED = new Set([
+    "ZERO_WIDTH_CHARS",
+    "CYRILLIC_HOMOGLYPH",
+    "OTHER_INVISIBLE_CHARS",
+    "UNICODE_ASCII_ESCAPE",
+]);
+const UNICODE_RULES = [
+    {
+        id: "ZERO_WIDTH_CHARS",
+        title: "Zero-width characters detected",
+        description: "File contains zero-width Unicode characters (U+200B-200D, U+FEFF). These invisible characters can hide malicious code or be used for steganography.",
+        severity: "high",
+        detect: (content) => detectPattern(content, ZERO_WIDTH_REGEX, 3),
+    },
+    {
+        id: "VARIATION_SELECTOR",
+        title: "Unicode variation selectors detected (GlassWorm technique)",
+        description: "File contains many Unicode variation selectors (U+FE00-FE0F). GlassWorm malware uses these to hide executable code. A few variation selectors are normal (emoji formatting), but many indicates hidden data.",
+        severity: "critical",
+        // Require at least 10 variation selectors - a few are normal for emojis
+        // GlassWorm attack uses hundreds to encode hidden payloads
+        detect: (content) => detectPattern(content, VARIATION_SELECTOR_REGEX, 10),
+    },
+    {
+        id: "BIDI_OVERRIDE",
+        title: "Bidirectional text override detected (Trojan Source)",
+        description: "File contains Unicode bidirectional override characters (U+202A-202E). This is the Trojan Source attack technique that can make malicious code appear benign by reordering how text is displayed.",
+        severity: "critical",
+        detect: (content) => detectPattern(content, BIDI_OVERRIDE_REGEX, 1),
+    },
+    {
+        id: "UNICODE_ASCII_ESCAPE",
+        title: "Unicode escape sequences for ASCII characters",
+        description: "File uses Unicode escape sequences (\\u00XX) for normal ASCII characters. This is a common obfuscation technique to hide string contents from static analysis.",
+        severity: "medium",
+        detect: (content) => detectPattern(content, UNICODE_ASCII_ESCAPE_REGEX, 5),
+    },
+    {
+        id: "CYRILLIC_HOMOGLYPH",
+        title: "Cyrillic homoglyph characters detected",
+        description: "File contains Cyrillic characters that visually resemble Latin letters (e.g., Cyrillic 'а' vs Latin 'a'). This can be used for homoglyph attacks to disguise malicious identifiers.",
+        severity: "high",
+        detect: (content, filename) => {
+            // Only flag in code files, not documentation
+            if (filename.endsWith(".md") || filename.endsWith(".txt")) {
+                return [];
+            }
+            // Skip i18n files which legitimately contain Cyrillic
+            if (isI18nFile(filename, content)) {
+                return [];
+            }
+            return detectPattern(content, CYRILLIC_LOOKALIKE_REGEX, 1);
+        },
+    },
+    {
+        id: "OTHER_INVISIBLE_CHARS",
+        title: "Other invisible Unicode characters detected",
+        description: "File contains invisible Unicode characters (soft hyphens, combining marks, format controls). These can be used to hide malicious content.",
+        severity: "medium",
+        detect: (content) => detectPattern(content, OTHER_INVISIBLE_REGEX, 3),
+    },
+    {
+        id: "INVISIBLE_CODE_EXECUTION",
+        title: "Invisible characters near code execution",
+        description: "File contains many invisible Unicode characters in proximity to code execution functions (eval, Function, exec). This is a strong indicator of hidden malicious code.",
+        severity: "critical",
+        detect: (content, filename) => {
+            // Skip i18n files - these legitimately contain RTL and combining chars
+            if (isI18nFile(filename, content)) {
+                return [];
+            }
+            // Check for truly suspicious invisible chars (exclude ZWNJ which is common in RTL text)
+            // Only flag: variation selectors (GlassWorm), bidi overrides (Trojan Source)
+            // Note: Single ZWSPs are common in UI libraries as constants, so exclude them
+            const suspiciousInvisible = new RegExp(`${VARIATION_SELECTOR_REGEX.source}|${BIDI_OVERRIDE_REGEX.source}`, "g");
+            // Require at least 5 invisible chars - single chars are often legitimate
+            const matches = detectPattern(content, suspiciousInvisible, 5);
+            // Only return matches that are actually near execution patterns
+            // (within 200 chars of eval, Function, exec, etc.)
+            return matches.filter((m) => {
+                const matchIndex = content.slice(0, m.line).split("\n").length > 1
+                    ? content
+                        .split("\n")
+                        .slice(0, m.line - 1)
+                        .join("\n").length + m.column
+                    : m.column;
+                return hasExecutionInProximity(content, matchIndex);
+            });
+        },
+    },
+];
+export function checkUnicode(contents) {
+    const findings = [];
+    const seenFindings = new Set();
+    for (const [filename, buffer] of contents.files) {
+        if (!isScannable(filename, SCANNABLE_EXTENSIONS_UNICODE))
+            continue;
+        const content = buffer.toString("utf8");
+        // Detect bundled code
+        const bundlerInfo = detectBundler(content, filename);
+        for (const rule of UNICODE_RULES) {
+            // Skip noisy rules for bundled code
+            if (bundlerInfo.isBundled && SKIP_FOR_BUNDLED.has(rule.id)) {
+                continue;
+            }
+            const matches = rule.detect(content, filename);
+            if (matches.length === 0)
+                continue;
+            // Create one finding per rule per file, with all matches in metadata
+            const key = `${rule.id}:${filename}`;
+            if (seenFindings.has(key))
+                continue;
+            seenFindings.add(key);
+            const firstMatch = matches[0];
+            if (!firstMatch)
+                continue;
+            findings.push({
+                id: rule.id,
+                title: rule.title,
+                description: rule.description,
+                severity: rule.severity,
+                category: "unicode",
+                location: {
+                    file: filename,
+                    line: firstMatch.line,
+                    column: firstMatch.column,
+                },
+                metadata: {
+                    matchCount: matches.length,
+                    firstMatch: firstMatch.context,
+                    codePoints: matches
+                        .slice(0, 5)
+                        .map((m) => [...m.matched]
+                        .map((c) => `U+${c.codePointAt(0)?.toString(16).toUpperCase().padStart(4, "0")}`)
+                        .join(", ")),
+                },
+            });
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=unicode.js.map

package/dist/scanner/checks/unicode.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"unicode.js","sourceRoot":"","sources":["../../../src/scanner/checks/unicode.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,4BAA4B,EAAE,MAAM,iBAAiB,CAAC;AAkB5E,SAAS,iBAAiB,CAAC,OAAe,EAAE,KAAa;IACvD,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAC5C,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACtC,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,CAAC;IAC1B,MAAM,MAAM,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IAC/C,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AAC1B,CAAC;AAED,SAAS,UAAU,CAAC,OAAe,EAAE,KAAa,EAAE,MAAc;IAChE,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,KAAK,GAAG,MAAM,GAAG,EAAE,CAAC,CAAC;IAC1D,IAAI,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACpC,IAAI,KAAK,GAAG,CAAC;QAAE,GAAG,GAAG,KAAK,GAAG,GAAG,CAAC;IACjC,IAAI,GAAG,GAAG,OAAO,CAAC,MAAM;QAAE,GAAG,GAAG,GAAG,GAAG,KAAK,CAAC;IAC5C,OAAO,GAAG,CAAC,OAAO,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACpD,CAAC;AAED,6CAA6C;AAC7C,MAAM,gBAAgB,GAAG,wBAAwB,CAAC;AAElD,yDAAyD;AACzD,MAAM,wBAAwB,GAAG,kBAAkB,CAAC;AAEpD,8DAA8D;AAC9D,MAAM,mBAAmB,GAAG,kBAAkB,CAAC;AAE/C,wEAAwE;AACxE,oEAAoE;AACpE,MAAM,0BAA0B,GAAG,wBAAwB,CAAC;AAE5D,mDAAmD;AACnD,4FAA4F;AAC5F,wFAAwF;AACxF,MAAM,wBAAwB,GAC5B,iHAAiH,CAAC;AAEpH,6CAA6C;AAC7C,mFAAmF;AACnF,6DAA6D;AAC7D,MAAM,qBAAqB,GACzB,yEAAyE,CAAC;AAE5E,SAAS,aAAa,CAAC,OAAe,EAAE,KAAa,EAAE,UAAU,GAAG,CAAC;IACnE,MAAM,OAAO,GAAmB,EAAE,CAAC;IACnC,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;IAChD,IAAI,KAA6B,CAAC;IAElC,OAAO,CAAC,KAAK,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC1C,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,iBAAiB,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QACjE,OAAO,CAAC,IAAI,CAAC;YACX,IAAI;YACJ,MAAM;YACN,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;YACjB,OAAO,EAAE,UAAU,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;SAC3D,CAAC,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC,MAAM,IAAI,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;AACrD,CAAC;AAED;;;GAGG;AACH,SAAS,UAAU,CAAC,QAAgB,EAAE,OAAe;IACnD,0BAA0B;IAC1B,MAAM,YAAY,GAAG;QACnB,aAAa;QACb,SAAS;QACT,kBAAkB;QAClB,SAAS;QACT,WAAW;QACX,WAAW;QACX,QAAQ;KACT,CAAC;IACF,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;QAC/C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gDAAgD;IAChD,gDAAgD;IAChD,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/B,MAAM,aAAa,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,wBAAwB,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;QAC7E,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;QACzC,6DAA6D;QAC7D,IAAI,aAAa,GAAG,KAAK,GAAG,GAAG,IAAI,aAAa,GAAG,EAAE,EAAE,CAAC;YACtD,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,SAAS,uBAAuB,CAC9B,OAAe,EACf,cAAsB,EACtB,cAAc,GAAG,GAAG;IAEpB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,cAAc,GAAG,cAAc,CAAC,CAAC;IAC3D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,cAAc,GAAG,cAAc,CAAC,CAAC;IACtE,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAEzC,MAAM,YAAY,GAAG;QACnB,YAAY;QACZ,gBAAgB;QAChB,YAAY;QACZ,aAAa;QACb,gBAAgB;QAChB,gBAAgB;QAChB,gBAAgB;QAChB,iBAAiB;QACjB,iBAAiB;QACjB,YAAY;QACZ,eAAe;KAChB,CAAC;IACF,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;AAClD,CAAC;AAED,iFAAiF;AACjF,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,kBAAkB;IAClB,oBAAoB;IACpB,uBAAuB;IACvB,sBAAsB;CACvB,CAAC,CAAC;AAEH,MAAM,aAAa,GAAkB;IACnC;QACE,EAAE,EAAE,kBAAkB;QACtB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,qJAAqJ;QACvJ,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,gBAAgB,EAAE,CAAC,CAAC;KACjE;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,KAAK,EAAE,4DAA4D;QACnE,WAAW,EACT,8MAA8M;QAChN,QAAQ,EAAE,UAAU;QACpB,wEAAwE;QACxE,2DAA2D;QAC3D,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,wBAAwB,EAAE,EAAE,CAAC;KAC1E;IACD;QACE,EAAE,EAAE,eAAe;QACnB,KAAK,EAAE,sDAAsD;QAC7D,WAAW,EACT,mMAAmM;QACrM,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,mBAAmB,EAAE,CAAC,CAAC;KACpE;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,+CAA+C;QACtD,WAAW,EACT,gKAAgK;QAClK,QAAQ,EAAE,QAAQ;QAClB,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,0BAA0B,EAAE,CAAC,CAAC;KAC3E;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,KAAK,EAAE,wCAAwC;QAC/C,WAAW,EACT,qLAAqL;QACvL,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,EAAE;YAC5B,6CAA6C;YAC7C,IAAI,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC1D,OAAO,EAAE,CAAC;YACZ,CAAC;YAED,sDAAsD;YACtD,IAAI,UAAU,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,CAAC;gBAClC,OAAO,EAAE,CAAC;YACZ,CAAC;YAED,OAAO,aAAa,CAAC,OAAO,EAAE,wBAAwB,EAAE,CAAC,CAAC,CAAC;QAC7D,CAAC;KACF;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,KAAK,EAAE,6CAA6C;QACpD,WAAW,EACT,2IAA2I;QAC7I,QAAQ,EAAE,QAAQ;QAClB,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,qBAAqB,EAAE,CAAC,CAAC;KACtE;IACD;QACE,EAAE,EAAE,0BAA0B;QAC9B,KAAK,EAAE,0CAA0C;QACjD,WAAW,EACT,uKAAuK;QACzK,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,EAAE;YAC5B,uEAAuE;YACvE,IAAI,UAAU,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,CAAC;gBAClC,OAAO,EAAE,CAAC;YACZ,CAAC;YAED,wFAAwF;YACxF,6EAA6E;YAC7E,8EAA8E;YAC9E,MAAM,mBAAmB,GAAG,IAAI,MAAM,CACpC,GAAG,wBAAwB,CAAC,MAAM,IAAI,mBAAmB,CAAC,MAAM,EAAE,EAClE,GAAG,CACJ,CAAC;YACF,yEAAyE;YACzE,MAAM,OAAO,GAAG,aAAa,CAAC,OAAO,EAAE,mBAAmB,EAAE,CAAC,CAAC,CAAC;YAE/D,gEAAgE;YAChE,mDAAmD;YACnD,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;gBAC1B,MAAM,UAAU,GACd,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;oBAC7C,CAAC,CAAC,OAAO;yBACJ,KAAK,CAAC,IAAI,CAAC;yBACX,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC;yBACpB,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM;oBACjC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;gBACf,OAAO,uBAAuB,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;YACtD,CAAC,CAAC,CAAC;QACL,CAAC;KACF;CACF,CAAC;AAEF,MAAM,UAAU,YAAY,CAAC,QAAsB;IACjD,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IAEvC,KAAK,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;QAChD,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,4BAA4B,CAAC;YAAE,SAAS;QAEnE,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAExC,sBAAsB;QACtB,MAAM,WAAW,GAAG,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAErD,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;YACjC,oCAAoC;YACpC,IAAI,WAAW,CAAC,SAAS,IAAI,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;gBAC3D,SAAS;YACX,CAAC;YAED,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YAE/C,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAEnC,qEAAqE;YACrE,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,EAAE,IAAI,QAAQ,EAAE,CAAC;YACrC,IAAI,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,SAAS;YACpC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAEtB,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YAC9B,IAAI,CAAC,UAAU;gBAAE,SAAS;YAE1B,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,IAAI,CAAC,EAAE;gBACX,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,QAAQ,EAAE,SAAS;gBACnB,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,UAAU,CAAC,IAAI;oBACrB,MAAM,EAAE,UAAU,CAAC,MAAM;iBAC1B;gBACD,QAAQ,EAAE;oBACR,UAAU,EAAE,OAAO,CAAC,MAAM;oBAC1B,UAAU,EAAE,UAAU,CAAC,OAAO;oBAC9B,UAAU,EAAE,OAAO;yBAChB,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;yBACX,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACT,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC;yBACX,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC;yBAChF,IAAI,CAAC,IAAI,CAAC,CACd;iBACJ;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/scanner/checks/unicode.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=unicode.test.d.ts.map

package/dist/scanner/checks/unicode.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"unicode.test.d.ts","sourceRoot":"","sources":["../../../src/scanner/checks/unicode.test.ts"],"names":[],"mappings":""}

package/dist/scanner/checks/unicode.test.js

@@ -0,0 +1,202 @@
+import { describe, expect, it } from "vitest";
+import { checkUnicode } from "./unicode.js";
+function makeContents(files) {
+    const manifest = {
+        name: "test-extension",
+        publisher: "test",
+        version: "1.0.0",
+    };
+    const fileMap = new Map();
+    for (const [name, content] of Object.entries(files)) {
+        fileMap.set(name, Buffer.from(content, "utf8"));
+    }
+    return { manifest, files: fileMap, basePath: "/test" };
+}
+describe("checkUnicode", () => {
+    describe("zero-width characters", () => {
+        it("detects zero-width space characters (U+200B)", () => {
+            // 3+ occurrences needed
+            const content = "const x\u200B = 'a\u200Bb\u200Bc';";
+            const contents = makeContents({ "extension.js": content });
+            const findings = checkUnicode(contents);
+            expect(findings).toHaveLength(1);
+            expect(findings.some((f) => f.id === "ZERO_WIDTH_CHARS")).toBe(true);
+            expect(findings.some((f) => f.severity === "high")).toBe(true);
+        });
+        it("detects zero-width joiner (U+200D)", () => {
+            const content = "const x\u200D = 'a\u200Db\u200Dc';";
+            const contents = makeContents({ "extension.js": content });
+            const findings = checkUnicode(contents);
+            expect(findings).toHaveLength(1);
+            expect(findings.some((f) => f.id === "ZERO_WIDTH_CHARS")).toBe(true);
+        });
+        it("ignores files with only 1-2 zero-width chars", () => {
+            const content = "const x\u200B = 'a\u200Bb';";
+            const contents = makeContents({ "extension.js": content });
+            const findings = checkUnicode(contents);
+            const zeroWidthFinding = findings.find((f) => f.id === "ZERO_WIDTH_CHARS");
+            expect(zeroWidthFinding).toBeUndefined();
+        });
+    });
+    describe("variation selectors (GlassWorm technique)", () => {
+        it("detects variation selectors (U+FE00-FE0F) when >= 10 present", () => {
+            // Implementation requires 10+ variation selectors (GlassWorm uses hundreds)
+            // A few are normal for emoji formatting
+            const content = "a\uFE00b\uFE01c\uFE02d\uFE03e\uFE04f\uFE05g\uFE06h\uFE07i\uFE08j\uFE09k\uFE0A";
+            const contents = makeContents({ "extension.js": content });
+            const findings = checkUnicode(contents);
+            expect(findings).toHaveLength(1);
+            expect(findings.some((f) => f.id === "VARIATION_SELECTOR")).toBe(true);
+            expect(findings.some((f) => f.severity === "critical")).toBe(true);
+        });
+        it("ignores few variation selectors (normal for emoji)", () => {
+            // Less than 10 variation selectors should be ignored (normal emoji use)
+            const content = "a\uFE00b\uFE01c\uFE02d\uFE0F";
+            const contents = makeContents({ "extension.js": content });
+            const findings = checkUnicode(contents);
+            expect(findings.find((f) => f.id === "VARIATION_SELECTOR")).toBeUndefined();
+        });
+    });
+    describe("bidirectional overrides (Trojan Source)", () => {
+        it("detects left-to-right override (U+202D)", () => {
+            const content = "const admin\u202D = true;";
+            const contents = makeContents({ "extension.js": content });
+            const findings = checkUnicode(contents);
+            expect(findings).toHaveLength(1);
+            expect(findings.some((f) => f.id === "BIDI_OVERRIDE")).toBe(true);
+            expect(findings.some((f) => f.severity === "critical")).toBe(true);
+        });
+        it("detects right-to-left override (U+202E)", () => {
+            const content = "const admin\u202E = true;";
+            const contents = makeContents({ "extension.js": content });
+            const findings = checkUnicode(contents);
+            expect(findings).toHaveLength(1);
+            expect(findings.some((f) => f.id === "BIDI_OVERRIDE")).toBe(true);
+        });
+    });
+    describe("Unicode ASCII escapes", () => {
+        it("detects excessive Unicode escapes for ASCII", () => {
+            // Using \\u00XX for normal printable ASCII is suspicious
+            const content = "const x = '\\u0068\\u0065\\u006c\\u006c\\u006f\\u0077';"; // "hellow"
+            const contents = makeContents({ "extension.js": content });
+            const findings = checkUnicode(contents);
+            expect(findings).toHaveLength(1);
+            expect(findings.some((f) => f.id === "UNICODE_ASCII_ESCAPE")).toBe(true);
+            expect(findings.some((f) => f.severity === "medium")).toBe(true);
+        });
+        it("ignores files with few Unicode escapes", () => {
+            const content = "const x = '\\u0068\\u0065';"; // Only 2 escapes
+            const contents = makeContents({ "extension.js": content });
+            const findings = checkUnicode(contents);
+            const escapeFinding = findings.find((f) => f.id === "UNICODE_ASCII_ESCAPE");
+            expect(escapeFinding).toBeUndefined();
+        });
+    });
+    describe("Cyrillic homoglyphs", () => {
+        it("detects Cyrillic 'а' (U+0430) that looks like Latin 'a'", () => {
+            const content = "const \u0430dmin = true;"; // Cyrillic а
+            const contents = makeContents({ "extension.js": content });
+            const findings = checkUnicode(contents);
+            expect(findings).toHaveLength(1);
+            expect(findings.some((f) => f.id === "CYRILLIC_HOMOGLYPH")).toBe(true);
+            expect(findings.some((f) => f.severity === "high")).toBe(true);
+        });
+        it("detects Cyrillic 'е' (U+0435) that looks like Latin 'e'", () => {
+            const content = "const s\u0435cret = 'password';"; // Cyrillic е
+            const contents = makeContents({ "extension.js": content });
+            const findings = checkUnicode(contents);
+            expect(findings).toHaveLength(1);
+            expect(findings.some((f) => f.id === "CYRILLIC_HOMOGLYPH")).toBe(true);
+        });
+        it("ignores Cyrillic in markdown files", () => {
+            const content = "# Hello \u0430nd welcome"; // Cyrillic а in markdown
+            const contents = makeContents({ "README.md": content });
+            const findings = checkUnicode(contents);
+            const cyrillicFinding = findings.find((f) => f.id === "CYRILLIC_HOMOGLYPH");
+            expect(cyrillicFinding).toBeUndefined();
+        });
+    });
+    describe("invisible characters near code execution", () => {
+        it("flags many invisible chars in file with eval()", () => {
+            // Implementation requires 5+ invisible chars near execution patterns
+            const content = "const payload\uFE01\uFE02\uFE03\uFE04\uFE05 = 'data';\neval(payload);";
+            const contents = makeContents({ "extension.js": content });
+            const findings = checkUnicode(contents);
+            expect(findings.some((f) => f.id === "INVISIBLE_CODE_EXECUTION")).toBe(true);
+        });
+        it("flags many invisible chars in file with Function()", () => {
+            const content = "const x\uFE01\uFE02\uFE03\uFE04\uFE05 = 1;\nnew Function('return x')();";
+            const contents = makeContents({ "extension.js": content });
+            const findings = checkUnicode(contents);
+            expect(findings.some((f) => f.id === "INVISIBLE_CODE_EXECUTION")).toBe(true);
+        });
+        it("flags many invisible chars in file with child_process", () => {
+            const content = "require('child_process').exec('ls');\nconst hidden\uFE01\uFE02\uFE03\uFE04\uFE05 = 1;";
+            const contents = makeContents({ "extension.js": content });
+            const findings = checkUnicode(contents);
+            expect(findings.some((f) => f.id === "INVISIBLE_CODE_EXECUTION")).toBe(true);
+        });
+        it("does NOT flag few invisible chars even with execution context", () => {
+            // Single invisible char isn't enough - needs 5+
+            const content = "const x\uFE01 = 1;\neval(x);";
+            const contents = makeContents({ "extension.js": content });
+            const findings = checkUnicode(contents);
+            expect(findings.some((f) => f.id === "INVISIBLE_CODE_EXECUTION")).toBe(false);
+        });
+    });
+    describe("file filtering", () => {
+        it("scans JavaScript files", () => {
+            // Use bidi override which triggers with just 1 occurrence
+            const content = "const admin\u202E = true;";
+            const contents = makeContents({ "test.js": content });
+            const findings = checkUnicode(contents);
+            expect(findings.length).toBeGreaterThan(0);
+        });
+        it("scans TypeScript files", () => {
+            const content = "const admin\u202E: boolean = true;";
+            const contents = makeContents({ "test.ts": content });
+            const findings = checkUnicode(contents);
+            expect(findings.length).toBeGreaterThan(0);
+        });
+        it("scans JSON files", () => {
+            const content = '{"key\u202E": "value"}';
+            const contents = makeContents({ "test.json": content });
+            const findings = checkUnicode(contents);
+            expect(findings.length).toBeGreaterThan(0);
+        });
+        it("ignores binary files", () => {
+            // Even critical patterns should be ignored in binary files
+            const content = "\u202E\u202D\u202C";
+            const contents = makeContents({ "test.png": content });
+            const findings = checkUnicode(contents);
+            expect(findings).toHaveLength(0);
+        });
+    });
+    describe("metadata", () => {
+        it("includes match count in metadata", () => {
+            // Use BIDI_OVERRIDE which triggers with 1+ occurrences
+            const content = "a\u202Db\u202Ec\u202D";
+            const contents = makeContents({ "test.js": content });
+            const findings = checkUnicode(contents);
+            const finding = findings.find((f) => f.id === "BIDI_OVERRIDE");
+            expect(finding?.metadata?.["matchCount"]).toBe(3);
+        });
+        it("includes code points in metadata", () => {
+            const content = "const admin\u202E = true;";
+            const contents = makeContents({ "test.js": content });
+            const findings = checkUnicode(contents);
+            const finding = findings.find((f) => f.id === "BIDI_OVERRIDE");
+            const codePoints = finding?.metadata?.["codePoints"];
+            expect(codePoints).toBeDefined();
+            expect(codePoints?.some((cp) => cp.includes("202E"))).toBe(true);
+        });
+        it("includes line number in location", () => {
+            const content = "line1\nline2\nconst admin\u202E = true;";
+            const contents = makeContents({ "test.js": content });
+            const findings = checkUnicode(contents);
+            const finding = findings.find((f) => f.id === "BIDI_OVERRIDE");
+            expect(finding?.location?.line).toBe(3);
+        });
+    });
+});
+//# sourceMappingURL=unicode.test.js.map

package/dist/scanner/checks/unicode.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"unicode.test.js","sourceRoot":"","sources":["../../../src/scanner/checks/unicode.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAE9C,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAE5C,SAAS,YAAY,CAAC,KAA6B;IACjD,MAAM,QAAQ,GAAiB;QAC7B,IAAI,EAAE,gBAAgB;QACtB,SAAS,EAAE,MAAM;QACjB,OAAO,EAAE,OAAO;KACjB,CAAC;IAEF,MAAM,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC1C,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;IAClD,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;AACzD,CAAC;AAED,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;QACrC,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;YACtD,wBAAwB;YACxB,MAAM,OAAO,GAAG,oCAAoC,CAAC;YACrD,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,CAAC;YAE3D,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YAExC,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACjC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACrE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;YAC5C,MAAM,OAAO,GAAG,oCAAoC,CAAC;YACrD,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,CAAC;YAE3D,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YAExC,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACjC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;YACtD,MAAM,OAAO,GAAG,6BAA6B,CAAC;YAC9C,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,CAAC;YAE3D,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YACxC,MAAM,gBAAgB,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,kBAAkB,CAAC,CAAC;YAE3E,MAAM,CAAC,gBAAgB,CAAC,CAAC,aAAa,EAAE,CAAC;QAC3C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACzD,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;YACtE,4EAA4E;YAC5E,wCAAwC;YACxC,MAAM,OAAO,GACX,+EAA+E,CAAC;YAClF,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,CAAC;YAE3D,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YAExC,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACjC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,oBAAoB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACvE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;YAC5D,wEAAwE;YACxE,MAAM,OAAO,GAAG,8BAA8B,CAAC;YAC/C,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,CAAC;YAE3D,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YAExC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,oBAAoB,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;QAC9E,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACvD,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;YACjD,MAAM,OAAO,GAAG,2BAA2B,CAAC;YAC5C,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,CAAC;YAE3D,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YAExC,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACjC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;YACjD,MAAM,OAAO,GAAG,2BAA2B,CAAC;YAC5C,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,CAAC;YAE3D,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YAExC,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACjC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;QACrC,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;YACrD,yDAAyD;YACzD,MAAM,OAAO,GAAG,yDAAyD,CAAC,CAAC,WAAW;YACtF,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,CAAC;YAE3D,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YAExC,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACjC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,sBAAsB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACzE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;YAChD,MAAM,OAAO,GAAG,6BAA6B,CAAC,CAAC,iBAAiB;YAChE,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,CAAC;YAE3D,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YACxC,MAAM,aAAa,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,sBAAsB,CAAC,CAAC;YAE5E,MAAM,CAAC,aAAa,CAAC,CAAC,aAAa,EAAE,CAAC;QACxC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;QACnC,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;YACjE,MAAM,OAAO,GAAG,0BAA0B,CAAC,CAAC,aAAa;YACzD,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,CAAC;YAE3D,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YAExC,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACjC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,oBAAoB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACvE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;YACjE,MAAM,OAAO,GAAG,iCAAiC,CAAC,CAAC,aAAa;YAChE,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,CAAC;YAE3D,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YAExC,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACjC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,oBAAoB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;YAC5C,MAAM,OAAO,GAAG,0BAA0B,CAAC,CAAC,yBAAyB;YACrE,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;YAExD,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YACxC,MAAM,eAAe,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,oBAAoB,CAAC,CAAC;YAE5E,MAAM,CAAC,eAAe,CAAC,CAAC,aAAa,EAAE,CAAC;QAC1C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,0CAA0C,EAAE,GAAG,EAAE;QACxD,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;YACxD,qEAAqE;YACrE,MAAM,OAAO,GAAG,uEAAuE,CAAC;YACxF,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,CAAC;YAE3D,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YAExC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,0BAA0B,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/E,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;YAC5D,MAAM,OAAO,GAAG,yEAAyE,CAAC;YAC1F,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,CAAC;YAE3D,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YAExC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,0BAA0B,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/E,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;YAC/D,MAAM,OAAO,GACX,uFAAuF,CAAC;YAC1F,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,CAAC;YAE3D,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YAExC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,0BAA0B,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/E,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+DAA+D,EAAE,GAAG,EAAE;YACvE,gDAAgD;YAChD,MAAM,OAAO,GAAG,8BAA8B,CAAC;YAC/C,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,CAAC;YAE3D,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YAExC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,0BAA0B,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAChF,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,wBAAwB,EAAE,GAAG,EAAE;YAChC,0DAA0D;YAC1D,MAAM,OAAO,GAAG,2BAA2B,CAAC;YAC5C,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;YAEtD,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YACxC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAC7C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wBAAwB,EAAE,GAAG,EAAE;YAChC,MAAM,OAAO,GAAG,oCAAoC,CAAC;YACrD,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;YAEtD,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YACxC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAC7C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kBAAkB,EAAE,GAAG,EAAE;YAC1B,MAAM,OAAO,GAAG,wBAAwB,CAAC;YACzC,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;YAExD,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YACxC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAC7C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sBAAsB,EAAE,GAAG,EAAE;YAC9B,2DAA2D;YAC3D,MAAM,OAAO,GAAG,oBAAoB,CAAC;YACrC,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,CAAC;YAEvD,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YACxC,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,UAAU,EAAE,GAAG,EAAE;QACxB,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;YAC1C,uDAAuD;YACvD,MAAM,OAAO,GAAG,uBAAuB,CAAC;YACxC,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;YAEtD,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YACxC,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC;YAE/D,MAAM,CAAC,OAAO,EAAE,QAAQ,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;YAC1C,MAAM,OAAO,GAAG,2BAA2B,CAAC;YAC5C,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;YAEtD,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YACxC,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC;YAC/D,MAAM,UAAU,GAAG,OAAO,EAAE,QAAQ,EAAE,CAAC,YAAY,CAAyB,CAAC;YAE7E,MAAM,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;YACjC,MAAM,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;YAC1C,MAAM,OAAO,GAAG,yCAAyC,CAAC;YAC1D,MAAM,QAAQ,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;YAEtD,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YACxC,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC;YAE/D,MAAM,CAAC,OAAO,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/scanner/checks/yara.d.ts

@@ -0,0 +1,23 @@
+import type { Finding, VsixContents } from "../types.js";
+/**
+ * Get the default YARA rules directory (cached)
+ */
+export declare function getDefaultYaraRulesDir(): Promise<string>;
+export declare const DEFAULT_YARA_RULES_DIR: string;
+/**
+ * Check if YARA-X is installed and available
+ */
+export declare function isYaraAvailable(): Promise<boolean>;
+/**
+ * Get YARA-X version string
+ */
+export declare function getYaraVersion(): Promise<string | null>;
+/**
+ * List all YARA rule files in a directory
+ */
+export declare function listYaraRules(rulesDir: string): Promise<string[]>;
+/**
+ * Run YARA rules against extension contents
+ */
+export declare function checkYara(contents: VsixContents, rulesDir?: string): Promise<Finding[]>;
+//# sourceMappingURL=yara.d.ts.map

package/dist/scanner/checks/yara.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"yara.d.ts","sourceRoot":"","sources":["../../../src/scanner/checks/yara.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AA+GzD;;GAEG;AACH,wBAAsB,sBAAsB,IAAI,OAAO,CAAC,MAAM,CAAC,CAK9D;AAGD,eAAO,MAAM,sBAAsB,QAQlC,CAAC;AASF;;GAEG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,OAAO,CAAC,CAOxD;AAED;;GAEG;AACH,wBAAsB,cAAc,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAO7D;AAED;;GAEG;AACH,wBAAsB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAOvE;AAqHD;;GAEG;AACH,wBAAsB,SAAS,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CA+G7F"}