npm - devcompass - Versions diffs - 2.6.0 → 2.7.1 - Mend

devcompass 2.6.0 → 2.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md +389 -96
package/data/known-malicious.json +57 -0
package/package.json +12 -4
package/src/analyzers/license-risk.js +225 -0
package/src/analyzers/package-quality.js +368 -0
package/src/analyzers/security-recommendations.js +274 -0
package/src/analyzers/supply-chain.js +223 -0
package/src/commands/analyze.js +447 -18
package/src/utils/json-formatter.js +118 -28

package/src/analyzers/security-recommendations.js ADDED Viewed

@@ -0,0 +1,274 @@
+// src/analyzers/security-recommendations.js
+/**
+ * Priority levels for recommendations
+ */
+const PRIORITY = {
+  CRITICAL: { level: 1, label: 'CRITICAL', color: 'red', emoji: '🔴' },
+  HIGH: { level: 2, label: 'HIGH', color: 'orange', emoji: '🟠' },
+  MEDIUM: { level: 3, label: 'MEDIUM', color: 'yellow', emoji: '🟡' },
+  LOW: { level: 4, label: 'LOW', color: 'gray', emoji: '⚪' }
+};
+/**
+ * Generate actionable recommendations from all security findings
+ */
+function generateSecurityRecommendations(analysisResults) {
+  const recommendations = [];
+  const {
+    supplyChainWarnings = [],
+    licenseWarnings = [],
+    qualityResults = [],
+    securityVulnerabilities = [],
+    ecosystemAlerts = [],
+    unusedDeps = [],
+    outdatedPackages = []
+  } = analysisResults;
+  // 1. Supply Chain Issues (CRITICAL/HIGH)
+  for (const warning of supplyChainWarnings) {
+    if (warning.type === 'malicious' || warning.severity === 'critical') {
+      recommendations.push({
+        priority: PRIORITY.CRITICAL,
+        category: 'supply_chain',
+        package: warning.package,
+        issue: warning.message,
+        action: `Remove ${warning.package} immediately`,
+        command: `npm uninstall ${warning.package}`,
+        impact: 'Eliminates critical security risk',
+        reason: 'Known malicious package detected'
+      });
+    } else if (warning.type === 'typosquatting') {
+      recommendations.push({
+        priority: PRIORITY.HIGH,
+        category: 'supply_chain',
+        package: warning.package,
+        issue: warning.message,
+        action: warning.recommendation,
+        command: `npm uninstall ${warning.package} && npm install ${warning.official}`,
+        impact: 'Prevents potential supply chain attack',
+        reason: 'Typosquatting attempt detected'
+      });
+    } else if (warning.type === 'install_script' && warning.severity === 'high') {
+      recommendations.push({
+        priority: PRIORITY.HIGH,
+        category: 'supply_chain',
+        package: warning.package,
+        issue: warning.message,
+        action: 'Review install script before deployment',
+        command: `cat node_modules/${warning.package.split('@')[0]}/package.json`,
+        impact: 'Prevents malicious code execution',
+        reason: 'Suspicious install script detected'
+      });
+    }
+  }
+  // 2. License Compliance (HIGH/MEDIUM)
+  for (const warning of licenseWarnings) {
+    if (warning.severity === 'critical' || warning.severity === 'high') {
+      recommendations.push({
+        priority: warning.severity === 'critical' ? PRIORITY.CRITICAL : PRIORITY.HIGH,
+        category: 'license',
+        package: warning.package,
+        issue: `${warning.license}: ${warning.message}`,
+        action: 'Replace with permissive alternative',
+        command: `npm uninstall ${warning.package}`,
+        impact: 'Ensures license compliance',
+        reason: 'High-risk license detected',
+        alternative: 'Search npm for MIT/Apache alternatives'
+      });
+    }
+  }
+  // 3. Security Vulnerabilities (CRITICAL/HIGH)
+  if (securityVulnerabilities.critical > 0 || securityVulnerabilities.high > 0) {
+    recommendations.push({
+      priority: securityVulnerabilities.critical > 0 ? PRIORITY.CRITICAL : PRIORITY.HIGH,
+      category: 'security',
+      issue: `${securityVulnerabilities.total} security vulnerabilities detected`,
+      action: 'Run npm audit fix to resolve vulnerabilities',
+      command: 'npm audit fix',
+      impact: `Resolves ${securityVulnerabilities.total} known vulnerabilities`,
+      reason: 'Security vulnerabilities in dependencies'
+    });
+  }
+  // 4. Ecosystem Alerts (varies by severity)
+  for (const alert of ecosystemAlerts) {
+    if (alert.severity === 'critical' || alert.severity === 'high') {
+      const priority = alert.severity === 'critical' ? PRIORITY.CRITICAL : PRIORITY.HIGH;
+      recommendations.push({
+        priority: priority,
+        category: 'ecosystem',
+        package: `${alert.package}@${alert.version}`,
+        issue: alert.title,
+        action: `Upgrade to ${alert.fix}`,
+        command: `npm install ${alert.package}@${alert.fix}`,
+        impact: 'Resolves known stability/security issue',
+        reason: alert.source
+      });
+    }
+  }
+  // 5. Package Quality Issues (MEDIUM/LOW)
+  for (const pkg of qualityResults) {
+    if (pkg.status === 'deprecated') {
+      recommendations.push({
+        priority: PRIORITY.CRITICAL,
+        category: 'quality',
+        package: pkg.package,
+        issue: 'Package is deprecated',
+        action: 'Find actively maintained alternative',
+        command: `npm uninstall ${pkg.package}`,
+        impact: 'Prevents future breaking changes',
+        reason: 'Package is no longer maintained',
+        healthScore: pkg.healthScore
+      });
+    } else if (pkg.status === 'abandoned') {
+      recommendations.push({
+        priority: PRIORITY.HIGH,
+        category: 'quality',
+        package: pkg.package,
+        issue: `Last updated ${Math.floor(pkg.daysSincePublish / 365)} years ago`,
+        action: 'Migrate to actively maintained alternative',
+        command: `npm uninstall ${pkg.package}`,
+        impact: 'Improves long-term stability',
+        reason: 'Package appears abandoned',
+        healthScore: pkg.healthScore
+      });
+    } else if (pkg.status === 'stale' && pkg.healthScore < 5) {
+      recommendations.push({
+        priority: PRIORITY.MEDIUM,
+        category: 'quality',
+        package: pkg.package,
+        issue: `Health score: ${pkg.healthScore}/10`,
+        action: 'Consider more actively maintained alternative',
+        impact: 'Improves package quality',
+        reason: 'Low health score',
+        healthScore: pkg.healthScore
+      });
+    }
+  }
+  // 6. Unused Dependencies (MEDIUM)
+  if (unusedDeps.length > 0) {
+    const packageList = unusedDeps.map(d => d.name).join(' ');
+    recommendations.push({
+      priority: PRIORITY.MEDIUM,
+      category: 'cleanup',
+      issue: `${unusedDeps.length} unused dependencies detected`,
+      action: 'Remove unused packages',
+      command: `npm uninstall ${packageList}`,
+      impact: `Reduces node_modules size, improves security surface`,
+      reason: 'Unused dependencies increase attack surface'
+    });
+  }
+  // 7. Outdated Packages (LOW)
+  const criticalOutdated = outdatedPackages.filter(p =>
+    p.updateType === 'major update' && p.current.startsWith('0.')
+  );
+  if (criticalOutdated.length > 0) {
+    for (const pkg of criticalOutdated.slice(0, 3)) { // Top 3
+      recommendations.push({
+        priority: PRIORITY.MEDIUM,
+        category: 'updates',
+        package: pkg.name,
+        issue: `Version ${pkg.current} is pre-1.0 and outdated`,
+        action: `Update to ${pkg.latest}`,
+        command: `npm install ${pkg.name}@latest`,
+        impact: 'Gets bug fixes and improvements',
+        reason: 'Pre-1.0 packages change rapidly'
+      });
+    }
+  }
+  // Sort by priority
+  recommendations.sort((a, b) => a.priority.level - b.priority.level);
+  return recommendations;
+}
+/**
+ * Group recommendations by priority
+ */
+function groupByPriority(recommendations) {
+  return {
+    critical: recommendations.filter(r => r.priority.level === 1),
+    high: recommendations.filter(r => r.priority.level === 2),
+    medium: recommendations.filter(r => r.priority.level === 3),
+    low: recommendations.filter(r => r.priority.level === 4)
+  };
+}
+/**
+ * Calculate expected impact of following recommendations
+ */
+function calculateExpectedImpact(recommendations, currentScore) {
+  let improvement = 0;
+  for (const rec of recommendations) {
+    switch (rec.priority.level) {
+      case 1: // CRITICAL
+        improvement += 2.0;
+        break;
+      case 2: // HIGH
+        improvement += 1.5;
+        break;
+      case 3: // MEDIUM
+        improvement += 0.5;
+        break;
+      case 4: // LOW
+        improvement += 0.2;
+        break;
+    }
+  }
+  const newScore = Math.min(10, currentScore + improvement);
+  const percentageIncrease = ((newScore - currentScore) / 10) * 100;
+  return {
+    currentScore,
+    expectedScore: Number(newScore.toFixed(1)),
+    improvement: Number(improvement.toFixed(1)),
+    percentageIncrease: Number(percentageIncrease.toFixed(1)),
+    critical: recommendations.filter(r => r.priority.level === 1).length,
+    high: recommendations.filter(r => r.priority.level === 2).length,
+    medium: recommendations.filter(r => r.priority.level === 3).length,
+    low: recommendations.filter(r => r.priority.level === 4).length
+  };
+}
+/**
+ * Get top N recommendations
+ */
+function getTopRecommendations(recommendations, n = 5) {
+  return recommendations.slice(0, n);
+}
+/**
+ * Get recommendations by category
+ */
+function getRecommendationsByCategory(recommendations) {
+  return {
+    supply_chain: recommendations.filter(r => r.category === 'supply_chain'),
+    license: recommendations.filter(r => r.category === 'license'),
+    security: recommendations.filter(r => r.category === 'security'),
+    ecosystem: recommendations.filter(r => r.category === 'ecosystem'),
+    quality: recommendations.filter(r => r.category === 'quality'),
+    cleanup: recommendations.filter(r => r.category === 'cleanup'),
+    updates: recommendations.filter(r => r.category === 'updates')
+  };
+}
+module.exports = {
+  generateSecurityRecommendations,
+  groupByPriority,
+  calculateExpectedImpact,
+  getTopRecommendations,
+  getRecommendationsByCategory,
+  PRIORITY
+};

package/src/analyzers/supply-chain.js ADDED Viewed

@@ -0,0 +1,223 @@
+// src/analyzers/supply-chain.js
+const fs = require('fs');
+const path = require('path');
+/**
+ * Load known malicious packages database
+ */
+function loadMaliciousDatabase() {
+  try {
+    const dbPath = path.join(__dirname, '../../data/known-malicious.json');
+    const data = fs.readFileSync(dbPath, 'utf8');
+    return JSON.parse(data);
+  } catch (error) {
+    console.error('Error loading malicious packages database:', error.message);
+    return {
+      malicious_packages: [],
+      typosquat_patterns: {},
+      suspicious_patterns: { install_scripts: [], suspicious_dependencies: [] }
+    };
+  }
+}
+/**
+ * Calculate Levenshtein distance between two strings
+ */
+function levenshteinDistance(str1, str2) {
+  const matrix = [];
+  for (let i = 0; i <= str2.length; i++) {
+    matrix[i] = [i];
+  }
+  for (let j = 0; j <= str1.length; j++) {
+    matrix[0][j] = j;
+  }
+  for (let i = 1; i <= str2.length; i++) {
+    for (let j = 1; j <= str1.length; j++) {
+      if (str2.charAt(i - 1) === str1.charAt(j - 1)) {
+        matrix[i][j] = matrix[i - 1][j - 1];
+      } else {
+        matrix[i][j] = Math.min(
+          matrix[i - 1][j - 1] + 1,
+          matrix[i][j - 1] + 1,
+          matrix[i - 1][j] + 1
+        );
+      }
+    }
+  }
+  return matrix[str2.length][str1.length];
+}
+/**
+ * Detect typosquatting attempts
+ */
+function detectTyposquatting(packageName, packageVersion, maliciousDb) {
+  const warnings = [];
+  // Whitelist of legitimate popular packages that might have similar names
+  // These should NEVER be flagged as typosquatting
+  const LEGITIMATE_PACKAGES = [
+    'chalk', 'chai', 'ora', 'yargs', 'meow', 'execa', 'globby', 'del', 'make-dir',
+    'p-map', 'p-limit', 'p-queue', 'got', 'ky', 'node-fetch', 'cross-fetch',
+    'uuid', 'nanoid', 'cuid', 'luxon', 'date-fns', 'ms', 'bytes', 'filesize',
+    'fast-glob', 'chokidar', 'picomatch', 'micromatch', 'anymatch',
+    'semver', 'commander', 'yargs', 'inquirer', 'prompts', 'enquirer',
+    'debug', 'pino', 'winston', 'bunyan', 'signale'
+  ];
+  // Skip whitelist packages
+  if (LEGITIMATE_PACKAGES.includes(packageName)) {
+    return warnings;
+  }
+  // Check against known typosquat patterns
+  // typosquat_patterns is an object: { "express": ["epress", "expres"], ... }
+  const patterns = maliciousDb.typosquat_patterns || {};
+  for (const officialName of Object.keys(patterns)) {
+    // Skip if the official package is also whitelisted (both are legitimate)
+    // This prevents false positives like "chalk" vs "chai"
+    if (LEGITIMATE_PACKAGES.includes(officialName)) {
+      continue;
+    }
+    const distance = levenshteinDistance(packageName, officialName);
+    // Flag if 1-2 character difference (typosquatting likely)
+    if (distance > 0 && distance <= 2 && packageName !== officialName) {
+      warnings.push({
+        package: `${packageName}@${packageVersion}`,
+        type: 'typosquatting',
+        severity: distance === 1 ? 'high' : 'medium',
+        message: `Similar to: ${officialName} (official package)`,
+        recommendation: `Verify if you meant to install ${officialName}`,
+        official: officialName
+      });
+    }
+  }
+  return warnings;
+}
+/**
+ * Check if package is known malicious
+ */
+function checkMaliciousPackage(packageName, database) {
+  if (database.malicious_packages.includes(packageName.toLowerCase())) {
+    return {
+      package: packageName,
+      type: 'malicious',
+      severity: 'critical',
+      message: `Known malicious package detected: ${packageName}`,
+      recommendation: 'Remove immediately - this package is known to be malicious'
+    };
+  }
+  return null;
+}
+/**
+ * Analyze install scripts for suspicious patterns
+ */
+function analyzeInstallScripts(projectPath, dependencies) {
+  const warnings = [];
+  const database = loadMaliciousDatabase();
+  try {
+    for (const dep of Object.keys(dependencies)) {
+      const packageJsonPath = path.join(projectPath, 'node_modules', dep, 'package.json');
+      if (!fs.existsSync(packageJsonPath)) {
+        continue;
+      }
+      const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
+      const scripts = packageJson.scripts || {};
+      // Check for install hooks
+      const installHooks = ['preinstall', 'install', 'postinstall'];
+      for (const hook of installHooks) {
+        if (scripts[hook]) {
+          const script = scripts[hook].toLowerCase();
+          // Check for suspicious patterns
+          const suspiciousPatterns = database.suspicious_patterns.install_scripts;
+          const foundPatterns = suspiciousPatterns.filter(pattern =>
+            script.includes(pattern.toLowerCase())
+          );
+          if (foundPatterns.length > 0) {
+            warnings.push({
+              package: `${dep}@${packageJson.version}`,
+              type: 'install_script',
+              severity: foundPatterns.some(p => ['curl', 'wget', 'eval', 'exec'].includes(p)) ? 'high' : 'medium',
+              script: hook,
+              action: scripts[hook],
+              patterns: foundPatterns,
+              message: `Install script contains suspicious patterns: ${foundPatterns.join(', ')}`,
+              recommendation: 'Review the install script before deployment'
+            });
+          }
+        }
+      }
+    }
+  } catch (error) {
+    console.error('Error analyzing install scripts:', error.message);
+  }
+  return warnings;
+}
+/**
+ * Perform comprehensive supply chain security analysis
+ */
+async function analyzeSupplyChain(projectPath, dependencies) {
+  const warnings = [];
+  const database = loadMaliciousDatabase();
+  // Check each dependency
+  for (const [packageName, version] of Object.entries(dependencies)) {
+    // 1. Check if known malicious
+    const maliciousCheck = checkMaliciousPackage(packageName, database);
+    if (maliciousCheck) {
+      warnings.push(maliciousCheck);
+    }
+    // 2. Detect typosquatting
+    const typosquatWarnings = detectTyposquatting(packageName, version, database);
+    warnings.push(...typosquatWarnings);
+  }
+  // 3. Analyze install scripts
+  const scriptWarnings = analyzeInstallScripts(projectPath, dependencies);
+  warnings.push(...scriptWarnings);
+  return warnings;
+}
+/**
+ * Get supply chain statistics
+ */
+function getSupplyChainStats(warnings) {
+  return {
+    total: warnings.length,
+    critical: warnings.filter(w => w.severity === 'critical').length,
+    high: warnings.filter(w => w.severity === 'high').length,
+    medium: warnings.filter(w => w.severity === 'medium').length,
+    malicious: warnings.filter(w => w.type === 'malicious').length,
+    typosquatting: warnings.filter(w => w.type === 'typosquatting' || w.type === 'typosquatting_suspected').length,
+    installScripts: warnings.filter(w => w.type === 'install_script').length
+  };
+}
+module.exports = {
+  analyzeSupplyChain,
+  detectTyposquatting,
+  checkMaliciousPackage,
+  analyzeInstallScripts,
+  getSupplyChainStats,
+  loadMaliciousDatabase
+};