devcompass 2.6.0 → 2.7.0

package/data/known-malicious.json

@@ -0,0 +1,57 @@
+{
+  "malicious_packages": [
+    "epress",
+    "expres",
+    "expresss",
+    "reqest",
+    "requet",
+    "lodas",
+    "loadsh",
+    "axois",
+    "axioss",
+    "webpak",
+    "webpackk",
+    "reactt",
+    "vuee",
+    "angularr"
+  ],
+  "typosquat_patterns": {
+    "express": ["epress", "expres", "expresss", "exprss"],
+    "request": ["reqest", "requet", "requets"],
+    "lodash": ["lodas", "loadsh", "lodahs", "lodsh"],
+    "axios": ["axois", "axioss", "axos", "axious"],
+    "webpack": ["webpak", "webpackk", "wepback"],
+    "react": ["reactt", "reakt", "raect"],
+    "vue": ["vuee", "veu", "vuw"],
+    "angular": ["angularr", "anguler", "angulr"],
+    "next": ["nextt", "nxt", "nex"],
+    "typescript": ["typscript", "typescrpt", "typescrip"],
+    "eslint": ["esslint", "elint", "eslnt"],
+    "prettier": ["pretier", "prettir", "pretter"],
+    "jest": ["jst", "jestt", "jест"],
+    "mocha": ["mocha", "mоcha", "mосha"],
+    "chai": ["chаi", "сhai", "chаi"]
+  },
+  "suspicious_patterns": {
+    "install_scripts": [
+      "curl",
+      "wget",
+      "powershell",
+      "eval",
+      "exec",
+      "child_process",
+      "/bin/sh",
+      "/bin/bash",
+      "http://",
+      "https://"
+    ],
+    "suspicious_dependencies": [
+      "bitcoin",
+      "cryptocurrency",
+      "mining",
+      "miner",
+      "keylogger",
+      "backdoor"
+    ]
+  }
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "devcompass",
-  "version": "2.6.0",
-  "description": "Dependency health checker with ecosystem intelligence and real-time GitHub issue tracking for 500+ popular npm packages. Features parallel processing for 80% faster analysis.",
+  "version": "2.7.0",
+  "description": "Dependency health checker with ecosystem intelligence, real-time GitHub issue tracking for 500+ popular npm packages, parallel processing, supply chain security analysis, and advanced license risk detection.",
   "main": "src/index.js",
   "bin": {
     "devcompass": "./bin/devcompass.js"
@@ -45,7 +45,15 @@
     "package-health",
     "top-500-packages",
     "parallel-processing",
-    "performance-optimization"
+    "performance-optimization",
+    "supply-chain-security",
+    "typosquatting-detection",
+    "malicious-packages",
+    "license-compliance",
+    "license-risk",
+    "package-quality",
+    "security-recommendations",
+    "dependency-quality"
   ],
   "author": "Ajay Thorat <ajaythorat988@gmail.com>",
   "license": "MIT",

package/src/analyzers/license-risk.js

@@ -0,0 +1,225 @@
+// src/analyzers/license-risk.js
+const fs = require('fs');
+const path = require('path');
+
+/**
+ * License risk levels and compatibility
+ */
+const LICENSE_RISKS = {
+  // High Risk - Restrictive/Copyleft
+  'GPL-1.0': { risk: 'high', type: 'copyleft', business: 'Requires source disclosure' },
+  'GPL-2.0': { risk: 'high', type: 'copyleft', business: 'Requires source disclosure' },
+  'GPL-3.0': { risk: 'high', type: 'copyleft', business: 'Requires source disclosure' },
+  'AGPL-1.0': { risk: 'critical', type: 'copyleft', business: 'Network copyleft - very restrictive' },
+  'AGPL-3.0': { risk: 'critical', type: 'copyleft', business: 'Network copyleft - very restrictive' },
+  'LGPL-2.0': { risk: 'medium', type: 'weak-copyleft', business: 'Limited copyleft obligations' },
+  'LGPL-2.1': { risk: 'medium', type: 'weak-copyleft', business: 'Limited copyleft obligations' },
+  'LGPL-3.0': { risk: 'medium', type: 'weak-copyleft', business: 'Limited copyleft obligations' },
+  
+  // Medium Risk
+  'MPL-1.0': { risk: 'medium', type: 'weak-copyleft', business: 'File-level copyleft' },
+  'MPL-1.1': { risk: 'medium', type: 'weak-copyleft', business: 'File-level copyleft' },
+  'MPL-2.0': { risk: 'medium', type: 'weak-copyleft', business: 'File-level copyleft' },
+  'EPL-1.0': { risk: 'medium', type: 'weak-copyleft', business: 'Module-level copyleft' },
+  'EPL-2.0': { risk: 'medium', type: 'weak-copyleft', business: 'Module-level copyleft' },
+  'CDDL-1.0': { risk: 'medium', type: 'weak-copyleft', business: 'File-level copyleft' },
+  
+  // Low Risk - Permissive
+  'MIT': { risk: 'low', type: 'permissive', business: 'Very permissive' },
+  'Apache-2.0': { risk: 'low', type: 'permissive', business: 'Permissive with patent grant' },
+  'BSD-2-Clause': { risk: 'low', type: 'permissive', business: 'Very permissive' },
+  'BSD-3-Clause': { risk: 'low', type: 'permissive', business: 'Very permissive' },
+  'ISC': { risk: 'low', type: 'permissive', business: 'Very permissive' },
+  'CC0-1.0': { risk: 'low', type: 'public-domain', business: 'Public domain' },
+  'Unlicense': { risk: 'low', type: 'public-domain', business: 'Public domain' },
+  '0BSD': { risk: 'low', type: 'permissive', business: 'Very permissive' },
+  
+  // Unknown/Special
+  'UNLICENSED': { risk: 'critical', type: 'unknown', business: 'No license - all rights reserved' },
+  'SEE LICENSE IN': { risk: 'high', type: 'unknown', business: 'Custom license - review required' },
+  'CUSTOM': { risk: 'high', type: 'unknown', business: 'Custom license - review required' }
+};
+
+/**
+ * License compatibility matrix
+ * Can license A be combined with license B?
+ */
+const LICENSE_COMPATIBILITY = {
+  'MIT': ['MIT', 'Apache-2.0', 'BSD-2-Clause', 'BSD-3-Clause', 'ISC', 'GPL-2.0', 'GPL-3.0', 'LGPL-2.1', 'LGPL-3.0'],
+  'Apache-2.0': ['Apache-2.0', 'GPL-3.0', 'LGPL-3.0'],
+  'GPL-2.0': ['GPL-2.0', 'MIT', 'BSD-2-Clause', 'BSD-3-Clause', 'ISC'],
+  'GPL-3.0': ['GPL-3.0', 'MIT', 'Apache-2.0', 'BSD-2-Clause', 'BSD-3-Clause', 'ISC'],
+  'LGPL-2.1': ['LGPL-2.1', 'MIT', 'BSD-2-Clause', 'BSD-3-Clause', 'ISC', 'GPL-2.0'],
+  'LGPL-3.0': ['LGPL-3.0', 'MIT', 'Apache-2.0', 'BSD-2-Clause', 'BSD-3-Clause', 'ISC', 'GPL-3.0']
+};
+
+/**
+ * Normalize license name
+ */
+function normalizeLicense(license) {
+  if (!license) return 'UNLICENSED';
+  
+  const normalized = license
+    .replace(/\s+/g, '-')
+    .replace(/[()]/g, '')
+    .toUpperCase();
+  
+  // Handle common variations
+  if (normalized.includes('MIT')) return 'MIT';
+  if (normalized.includes('APACHE-2')) return 'Apache-2.0';
+  if (normalized.includes('BSD-2')) return 'BSD-2-Clause';
+  if (normalized.includes('BSD-3')) return 'BSD-3-Clause';
+  if (normalized.includes('ISC')) return 'ISC';
+  if (normalized.includes('GPL-2')) return 'GPL-2.0';
+  if (normalized.includes('GPL-3')) return 'GPL-3.0';
+  if (normalized.includes('LGPL-2')) return 'LGPL-2.1';
+  if (normalized.includes('LGPL-3')) return 'LGPL-3.0';
+  if (normalized.includes('AGPL')) return 'AGPL-3.0';
+  if (normalized.includes('MPL')) return 'MPL-2.0';
+  if (normalized.includes('SEE LICENSE')) return 'SEE LICENSE IN';
+  if (normalized === 'UNLICENSED') return 'UNLICENSED';
+  
+  return license;
+}
+
+/**
+ * Get license risk information
+ */
+function getLicenseRisk(license) {
+  const normalized = normalizeLicense(license);
+  return LICENSE_RISKS[normalized] || {
+    risk: 'high',
+    type: 'unknown',
+    business: 'Unknown license - review required'
+  };
+}
+
+/**
+ * Check license compatibility
+ */
+function checkLicenseCompatibility(projectLicense, dependencyLicenses) {
+  const conflicts = [];
+  const normalized = normalizeLicense(projectLicense);
+  const compatible = LICENSE_COMPATIBILITY[normalized] || [];
+  
+  for (const [pkg, license] of Object.entries(dependencyLicenses)) {
+    const depNormalized = normalizeLicense(license);
+    const depRisk = getLicenseRisk(license);
+    
+    // Check if copyleft license conflicts with permissive project
+    if (depRisk.type === 'copyleft' && !compatible.includes(depNormalized)) {
+      conflicts.push({
+        package: pkg,
+        license: license,
+        projectLicense: projectLicense,
+        severity: 'high',
+        issue: 'License incompatibility',
+        message: `${license} dependency may conflict with ${projectLicense} project license`,
+        recommendation: 'Review license compatibility with legal team'
+      });
+    }
+  }
+  
+  return conflicts;
+}
+
+/**
+ * Analyze license risks for all dependencies
+ */
+async function analyzeLicenseRisks(projectPath, licenses) {
+  const warnings = [];
+  const stats = {
+    total: 0,
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0,
+    copyleft: 0,
+    permissive: 0,
+    unknown: 0
+  };
+  
+  // Get project license
+  let projectLicense = 'MIT'; // Default
+  try {
+    const projectPkgPath = path.join(projectPath, 'package.json');
+    if (fs.existsSync(projectPkgPath)) {
+      const projectPkg = JSON.parse(fs.readFileSync(projectPkgPath, 'utf8'));
+      projectLicense = projectPkg.license || 'MIT';
+    }
+  } catch (error) {
+    // Use default
+  }
+  
+  const dependencyLicenses = {};
+  
+  // Analyze each license
+  for (const pkg of licenses) {
+    stats.total++;
+    
+    const risk = getLicenseRisk(pkg.license);
+    dependencyLicenses[pkg.package] = pkg.license;
+    
+    // Count by type
+    if (risk.type === 'copyleft' || risk.type === 'weak-copyleft') {
+      stats.copyleft++;
+    } else if (risk.type === 'permissive' || risk.type === 'public-domain') {
+      stats.permissive++;
+    } else {
+      stats.unknown++;
+    }
+    
+    // Add warnings for high-risk licenses
+    if (risk.risk === 'critical' || risk.risk === 'high') {
+      stats[risk.risk]++;
+      
+      warnings.push({
+        package: pkg.package,
+        license: pkg.license,
+        severity: risk.risk,
+        type: risk.type,
+        issue: 'High-risk license',
+        message: `${pkg.license}: ${risk.business}`,
+        recommendation: risk.risk === 'critical' 
+          ? 'Replace with permissive alternative immediately'
+          : 'Consider replacing with MIT/Apache alternative'
+      });
+    } else if (risk.risk === 'medium') {
+      stats.medium++;
+    } else {
+      stats.low++;
+    }
+  }
+  
+  // Check license compatibility
+  const conflicts = checkLicenseCompatibility(projectLicense, dependencyLicenses);
+  warnings.push(...conflicts);
+  
+  return {
+    warnings,
+    stats,
+    projectLicense
+  };
+}
+
+/**
+ * Get license risk score (0-10)
+ */
+function getLicenseRiskScore(stats) {
+  let score = 10;
+  
+  score -= stats.critical * 3;
+  score -= stats.high * 2;
+  score -= stats.medium * 0.5;
+  
+  return Math.max(0, score);
+}
+
+module.exports = {
+  analyzeLicenseRisks,
+  getLicenseRisk,
+  checkLicenseCompatibility,
+  normalizeLicense,
+  getLicenseRiskScore,
+  LICENSE_RISKS
+};

package/src/analyzers/package-quality.js

@@ -0,0 +1,368 @@
+// src/analyzers/package-quality.js
+const fs = require('fs');
+const path = require('path');
+const https = require('https');
+
+/**
+ * Fetch package metadata from npm registry
+ */
+function fetchNpmPackageInfo(packageName) {
+  return new Promise((resolve, reject) => {
+    const options = {
+      hostname: 'registry.npmjs.org',
+      path: `/${packageName}`,
+      method: 'GET',
+      headers: {
+        'User-Agent': 'DevCompass',
+        'Accept': 'application/json'
+      }
+    };
+    
+    const req = https.request(options, (res) => {
+      let data = '';
+      
+      res.on('data', (chunk) => {
+        data += chunk;
+      });
+      
+      res.on('end', () => {
+        if (res.statusCode === 200) {
+          try {
+            resolve(JSON.parse(data));
+          } catch (error) {
+            reject(new Error('Failed to parse npm response'));
+          }
+        } else {
+          reject(new Error(`npm registry returned ${res.statusCode}`));
+        }
+      });
+    });
+    
+    req.on('error', reject);
+    req.setTimeout(5000, () => {
+      req.destroy();
+      reject(new Error('Request timeout'));
+    });
+    req.end();
+  });
+}
+
+/**
+ * Calculate days since last publish
+ */
+function daysSincePublish(dateString) {
+  const publishDate = new Date(dateString);
+  const now = new Date();
+  const diffTime = Math.abs(now - publishDate);
+  const diffDays = Math.ceil(diffTime / (1000 * 60 * 60 * 24));
+  return diffDays;
+}
+
+/**
+ * Calculate package health score (0-10)
+ */
+function calculateHealthScore(packageData, githubData = null) {
+  let score = 10;
+  
+  // Get latest version info
+  const latestVersion = packageData['dist-tags']?.latest;
+  const versionData = packageData.versions?.[latestVersion];
+  const time = packageData.time?.[latestVersion];
+  
+  if (!versionData || !time) {
+    return 5; // Default score if data missing
+  }
+  
+  // 1. Age factor (max -2 points)
+  const daysSince = daysSincePublish(time);
+  if (daysSince > 365 * 3) {
+    score -= 2; // 3+ years old
+  } else if (daysSince > 365 * 2) {
+    score -= 1.5; // 2-3 years old
+  } else if (daysSince > 365) {
+    score -= 1; // 1-2 years old
+  } else if (daysSince > 180) {
+    score -= 0.5; // 6-12 months old
+  }
+  
+  // 2. Maintenance frequency (max -2 points)
+  const versions = Object.keys(packageData.versions || {});
+  const recentVersions = versions.filter(v => {
+    const vTime = packageData.time?.[v];
+    if (!vTime) return false;
+    return daysSincePublish(vTime) <= 365;
+  });
+  
+  if (recentVersions.length === 0) {
+    score -= 2; // No updates in a year
+  } else if (recentVersions.length < 3) {
+    score -= 1; // Less than 3 updates in a year
+  }
+  
+  // 3. GitHub activity (if available) (max -2 points)
+  if (githubData) {
+    const { totalIssues, last7Days, last30Days } = githubData;
+    
+    // High issue count with low activity is bad
+    if (totalIssues > 100 && last30Days < 5) {
+      score -= 1.5; // Many issues, low maintenance
+    } else if (totalIssues > 50 && last30Days < 3) {
+      score -= 1; // Medium issues, low maintenance
+    }
+    
+    // Very high recent activity might indicate problems
+    if (last7Days > 30) {
+      score -= 0.5; // Unusually high activity
+    }
+  }
+  
+  // 4. Dependencies count (max -1 point)
+  const deps = versionData.dependencies || {};
+  const depCount = Object.keys(deps).length;
+  
+  if (depCount > 50) {
+    score -= 1; // Too many dependencies
+  } else if (depCount > 30) {
+    score -= 0.5;
+  }
+  
+  // 5. Has description and repository (max -1 point)
+  if (!packageData.description) {
+    score -= 0.5;
+  }
+  if (!packageData.repository) {
+    score -= 0.5;
+  }
+  
+  // 6. Deprecated packages (automatic 0)
+  if (versionData.deprecated) {
+    return 0;
+  }
+  
+  return Math.max(0, Math.min(10, score));
+}
+
+/**
+ * Determine package status based on health score
+ */
+function getPackageStatus(score, daysSince) {
+  if (score === 0) {
+    return {
+      status: 'deprecated',
+      color: 'red',
+      severity: 'critical',
+      label: 'DEPRECATED'
+    };
+  } else if (score < 3 || daysSince > 365 * 3) {
+    return {
+      status: 'abandoned',
+      color: 'red',
+      severity: 'critical',
+      label: 'ABANDONED'
+    };
+  } else if (score < 5 || daysSince > 365 * 2) {
+    return {
+      status: 'stale',
+      color: 'yellow',
+      severity: 'high',
+      label: 'STALE'
+    };
+  } else if (score < 7) {
+    return {
+      status: 'needs_attention',
+      color: 'yellow',
+      severity: 'medium',
+      label: 'NEEDS ATTENTION'
+    };
+  } else {
+    return {
+      status: 'healthy',
+      color: 'green',
+      severity: 'low',
+      label: 'HEALTHY'
+    };
+  }
+}
+
+/**
+ * Get maintainer activity status
+ */
+function getMaintainerStatus(packageData) {
+  const maintainers = packageData.maintainers || [];
+  const latestVersion = packageData['dist-tags']?.latest;
+  const time = packageData.time?.[latestVersion];
+  
+  if (!time) {
+    return 'unknown';
+  }
+  
+  const daysSince = daysSincePublish(time);
+  
+  if (daysSince > 365 * 2) {
+    return 'inactive';
+  } else if (daysSince > 365) {
+    return 'low_activity';
+  } else if (daysSince > 180) {
+    return 'moderate_activity';
+  } else {
+    return 'active';
+  }
+}
+
+/**
+ * Analyze package quality for all dependencies
+ */
+async function analyzePackageQuality(dependencies, githubData = []) {
+  const results = [];
+  const stats = {
+    total: 0,
+    healthy: 0,
+    needsAttention: 0,
+    stale: 0,
+    abandoned: 0,
+    deprecated: 0
+  };
+  
+  // Create GitHub data lookup
+  const githubLookup = {};
+  for (const data of githubData) {
+    githubLookup[data.package] = data;
+  }
+  
+  // Analyze each package (limit to prevent rate limiting)
+  const packages = Object.keys(dependencies).slice(0, 20); // Analyze first 20
+  
+  for (const packageName of packages) {
+    try {
+      stats.total++;
+      
+      // Fetch package info from npm
+      const packageData = await fetchNpmPackageInfo(packageName);
+      
+      // Calculate health score
+      const github = githubLookup[packageName];
+      const healthScore = calculateHealthScore(packageData, github);
+      
+      // Get latest version info
+      const latestVersion = packageData['dist-tags']?.latest;
+      const time = packageData.time?.[latestVersion];
+      const daysSince = time ? daysSincePublish(time) : 0;
+      
+      // Determine status
+      const status = getPackageStatus(healthScore, daysSince);
+      const maintainerStatus = getMaintainerStatus(packageData);
+      
+      // Count by status
+      if (status.status === 'healthy') {
+        stats.healthy++;
+      } else if (status.status === 'needs_attention') {
+        stats.needsAttention++;
+      } else if (status.status === 'stale') {
+        stats.stale++;
+      } else if (status.status === 'abandoned') {
+        stats.abandoned++;
+      } else if (status.status === 'deprecated') {
+        stats.deprecated++;
+      }
+      
+      // Get repository info
+      const repository = packageData.repository?.url || '';
+      const hasGithub = repository.includes('github.com');
+      
+      // Build result
+      const result = {
+        package: packageName,
+        version: dependencies[packageName],
+        healthScore: Number(healthScore.toFixed(1)),
+        status: status.status,
+        severity: status.severity,
+        label: status.label,
+        lastPublish: time ? new Date(time).toISOString().split('T')[0] : 'unknown',
+        daysSincePublish: daysSince,
+        maintainerStatus: maintainerStatus,
+        hasRepository: !!packageData.repository,
+        hasGithub: hasGithub,
+        totalVersions: Object.keys(packageData.versions || {}).length,
+        description: packageData.description || '',
+        deprecated: packageData.versions?.[latestVersion]?.deprecated || false
+      };
+      
+      // Add GitHub metrics if available
+      if (github) {
+        result.githubMetrics = {
+          totalIssues: github.totalIssues,
+          recentIssues: github.last30Days,
+          trend: github.trend
+        };
+      }
+      
+      results.push(result);
+      
+      // Small delay to respect npm registry rate limits
+      await new Promise(resolve => setTimeout(resolve, 100));
+      
+    } catch (error) {
+      console.error(`Error analyzing ${packageName}:`, error.message);
+      // Continue with next package
+    }
+  }
+  
+  return {
+    results,
+    stats
+  };
+}
+
+/**
+ * Get quality recommendations for a package
+ */
+function getQualityRecommendation(packageResult) {
+  const { status, healthScore, daysSincePublish, maintainerStatus } = packageResult;
+  
+  if (status === 'deprecated') {
+    return {
+      action: 'critical',
+      message: 'Package is deprecated',
+      recommendation: 'Find an actively maintained alternative immediately'
+    };
+  }
+  
+  if (status === 'abandoned') {
+    return {
+      action: 'high',
+      message: `Last updated ${Math.floor(daysSincePublish / 365)} years ago`,
+      recommendation: 'Migrate to an actively maintained alternative'
+    };
+  }
+  
+  if (status === 'stale') {
+    return {
+      action: 'medium',
+      message: `Not updated in ${Math.floor(daysSincePublish / 30)} months`,
+      recommendation: 'Consider finding a more actively maintained package'
+    };
+  }
+  
+  if (status === 'needs_attention') {
+    return {
+      action: 'low',
+      message: `Health score: ${healthScore}/10`,
+      recommendation: 'Monitor for updates and potential alternatives'
+    };
+  }
+  
+  return {
+    action: 'none',
+    message: 'Package is healthy',
+    recommendation: 'No action needed'
+  };
+}
+
+module.exports = {
+  analyzePackageQuality,
+  calculateHealthScore,
+  getPackageStatus,
+  getMaintainerStatus,
+  getQualityRecommendation,
+  fetchNpmPackageInfo
+};