muaddib-scanner 1.0.10 → 1.0.11

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "1.0.10",
+  "version": "1.0.11",
   "description": "Supply-chain threat detection & response for npm",
   "main": "src/index.js",
   "bin": {

package/src/scanner/ast.js

@@ -11,29 +11,32 @@ const EXCLUDED_FILES = [
   'src/response/playbooks.js'
 ];
 
-const EXCLUDED_DIRS = ['test', 'tests', 'node_modules', '.git', 'src', 'vscode-extension'];
+const EXCLUDED_DIRS = [
+  'test', 'tests', 'node_modules', '.git', 'src', 'vscode-extension',
+  'scripts', 'bin', 'tools', 'build', 'dist', 'fixtures', 'examples',
+  '__tests__', '__mocks__', 'benchmark', 'benchmarks', 'docs', 'doc'
+];
 
 const DANGEROUS_CALLS = [
   'eval',
-  'Function',
-  'exec',
-  'execSync',
-  'spawn',
-  'spawnSync'
+  'Function'
 ];
 
 const SENSITIVE_STRINGS = [
   '.npmrc',
   '.ssh',
-  'GITHUB_TOKEN',
-  'NPM_TOKEN',
-  'AWS_SECRET',
-  'api.github.com',
   'Shai-Hulud',
   'The Second Coming',
   'Goldox-T3chs'
 ];
 
+// Strings qui ne sont PAS suspects
+const SAFE_STRINGS = [
+  'api.github.com',
+  'registry.npmjs.org',
+  'npmjs.com'
+];
+
 async function analyzeAST(targetPath) {
   const threats = [];
   const files = findJsFiles(targetPath);
@@ -45,6 +48,11 @@ async function analyzeAST(targetPath) {
       continue;
     }
     
+    // Ignorer les fichiers dans les dossiers de dev
+    if (isDevFile(relativePath)) {
+      continue;
+    }
+    
     const content = fs.readFileSync(file, 'utf8');
     const fileThreats = analyzeFile(content, file, targetPath);
     threats.push(...fileThreats);
@@ -53,6 +61,27 @@ async function analyzeAST(targetPath) {
   return threats;
 }
 
+function isDevFile(relativePath) {
+  const devPatterns = [
+    /^scripts\//,
+    /^bin\//,
+    /^tools\//,
+    /^build\//,
+    /^fixtures\//,
+    /^examples\//,
+    /^__tests__\//,
+    /^__mocks__\//,
+    /^benchmark/,
+    /^docs?\//,
+    /\.test\.js$/,
+    /\.spec\.js$/,
+    /test\.js$/,
+    /spec\.js$/
+  ];
+  
+  return devPatterns.some(pattern => pattern.test(relativePath));
+}
+
 function analyzeFile(content, filePath, basePath) {
   const threats = [];
   let ast;
@@ -64,7 +93,6 @@ function analyzeFile(content, filePath, basePath) {
       allowHashBang: true
     });
   } catch (e) {
-    // Fichier non parseable, peut etre obfusque
     if (content.length > 1000 && content.split('\n').length < 10) {
       threats.push({
         type: 'possible_obfuscation',
@@ -76,7 +104,6 @@ function analyzeFile(content, filePath, basePath) {
     return threats;
   }
 
-  // Analyse des appels de fonction
   walk.simple(ast, {
     CallExpression(node) {
       const callName = getCallName(node);
@@ -84,7 +111,7 @@ function analyzeFile(content, filePath, basePath) {
       if (DANGEROUS_CALLS.includes(callName)) {
         threats.push({
           type: 'dangerous_call_' + callName.toLowerCase(),
-          severity: callName === 'eval' ? 'HIGH' : 'MEDIUM',
+          severity: 'HIGH',
           message: `Appel dangereux "${callName}" detecte.`,
           file: path.relative(basePath, filePath)
         });
@@ -104,6 +131,11 @@ function analyzeFile(content, filePath, basePath) {
 
     Literal(node) {
       if (typeof node.value === 'string') {
+        // Ignorer les strings safe
+        if (SAFE_STRINGS.some(s => node.value.includes(s))) {
+          return;
+        }
+        
         for (const sensitive of SENSITIVE_STRINGS) {
           if (node.value.includes(sensitive)) {
             threats.push({
@@ -118,7 +150,6 @@ function analyzeFile(content, filePath, basePath) {
     },
 
     MemberExpression(node) {
-      // Detecte process.env.XXX
       if (
         node.object?.object?.name === 'process' &&
         node.object?.property?.name === 'env'

package/src/scanner/dataflow.js

@@ -3,13 +3,24 @@ const path = require('path');
 const acorn = require('acorn');
 const walk = require('acorn-walk');
 
-const EXCLUDED_DIRS = ['test', 'tests', 'node_modules', '.git', 'src', 'vscode-extension'];
+const EXCLUDED_DIRS = [
+  'test', 'tests', 'node_modules', '.git', 'src', 'vscode-extension',
+  'scripts', 'bin', 'tools', 'build', 'dist', 'fixtures', 'examples',
+  '__tests__', '__mocks__', 'benchmark', 'benchmarks', 'docs', 'doc'
+];
 
 async function analyzeDataFlow(targetPath) {
   const threats = [];
   const files = findJsFiles(targetPath);
 
   for (const file of files) {
+    const relativePath = path.relative(targetPath, file).replace(/\\/g, '/');
+    
+    // Ignorer les fichiers de dev/build/scripts
+    if (isDevFile(relativePath)) {
+      continue;
+    }
+    
     const content = fs.readFileSync(file, 'utf8');
     const fileThreats = analyzeFile(content, file, targetPath);
     threats.push(...fileThreats);
@@ -18,6 +29,29 @@ async function analyzeDataFlow(targetPath) {
   return threats;
 }
 
+function isDevFile(relativePath) {
+  const devPatterns = [
+    /^scripts\//,
+    /^bin\//,
+    /^tools\//,
+    /^build\//,
+    /^fixtures\//,
+    /^examples\//,
+    /^__tests__\//,
+    /^__mocks__\//,
+    /^benchmark/,
+    /^docs?\//,
+    /^compiler\//,
+    /^packages\/.*\/scripts\//,
+    /\.test\.js$/,
+    /\.spec\.js$/,
+    /test\.js$/,
+    /spec\.js$/
+  ];
+  
+  return devPatterns.some(pattern => pattern.test(relativePath));
+}
+
 function analyzeFile(content, filePath, basePath) {
   const threats = [];
   let ast;
@@ -32,15 +66,13 @@ function analyzeFile(content, filePath, basePath) {
     return threats;
   }
 
-  const sources = [];  // Ou les donnees sensibles sont lues
-  const sinks = [];    // Ou les donnees sont envoyees
+  const sources = [];
+  const sinks = [];
 
   walk.simple(ast, {
-    // Detecte les lectures de fichiers sensibles
     CallExpression(node) {
       const callName = getCallName(node);
       
-      // fs.readFileSync, fs.readFile
       if (callName === 'readFileSync' || callName === 'readFile') {
         const arg = node.arguments[0];
         if (arg && isCredentialPath(arg, content)) {
@@ -52,7 +84,6 @@ function analyzeFile(content, filePath, basePath) {
         }
       }
 
-      // Detecte les envois reseau
       if (callName === 'request' || callName === 'fetch' || callName === 'post' || callName === 'get') {
         sinks.push({
           type: 'network_send',
@@ -61,7 +92,6 @@ function analyzeFile(content, filePath, basePath) {
         });
       }
 
-      // exec avec curl/wget
       if (callName === 'exec' || callName === 'execSync') {
         const arg = node.arguments[0];
         if (arg && arg.type === 'Literal' && typeof arg.value === 'string') {
@@ -76,7 +106,6 @@ function analyzeFile(content, filePath, basePath) {
       }
     },
 
-    // Detecte les acces process.env sensibles
     MemberExpression(node) {
       if (
         node.object?.object?.name === 'process' &&
@@ -94,7 +123,6 @@ function analyzeFile(content, filePath, basePath) {
     }
   });
 
-  // Si on a des sources ET des sinks = flux suspect
   if (sources.length > 0 && sinks.length > 0) {
     threats.push({
       type: 'suspicious_dataflow',
@@ -126,7 +154,6 @@ function isCredentialPath(arg, content) {
            val.includes('.gitconfig') ||
            val.includes('.env');
   }
-  // Verifie aussi les templates strings et concatenations
   if (arg.type === 'TemplateLiteral' || arg.type === 'BinaryExpression') {
     return content.includes('.npmrc') || 
            content.includes('.ssh') ||
@@ -136,7 +163,8 @@ function isCredentialPath(arg, content) {
 }
 
 function isSensitiveEnv(name) {
-  const sensitive = ['TOKEN', 'SECRET', 'KEY', 'PASSWORD', 'CREDENTIAL', 'AUTH', 'NPM', 'GITHUB', 'AWS', 'AZURE', 'GCP'];
+  const sensitive = ['TOKEN', 'SECRET', 'KEY', 'PASSWORD', 'CREDENTIAL', 'AUTH', 'NPM', 'AWS', 'AZURE', 'GCP'];
+  // Ignore GITHUB — trop de faux positifs dans les scripts de release
   return sensitive.some(s => name.toUpperCase().includes(s));
 }
 

package/src/scanner/typosquat.js

@@ -7,13 +7,13 @@ const POPULAR_PACKAGES = [
   'request', 'async', 'bluebird', 'underscore', 'uuid', 'debug', 'mkdirp',
   'glob', 'minimist', 'webpack', 'babel-core', 'typescript', 'eslint',
   'prettier', 'jest', 'mocha', 'chai', 'sinon', 'mongoose', 'sequelize',
-  'mysql', 'redis', 'mongodb', 'socket.io', 'express-session',
+  'redis', 'mongodb', 'socket.io', 'express-session',
   'body-parser', 'cookie-parser', 'cors', 'helmet', 'morgan', 'dotenv',
   'jsonwebtoken', 'bcrypt', 'passport', 'nodemailer', 'aws-sdk', 'stripe',
-  'twilio', 'firebase', 'graphql', 'apollo-server', 'next', 'nuxt',
+  'twilio', 'firebase', 'graphql', 'apollo-server', 'nuxt',
   'gatsby', 'angular', 'svelte', 'electron', 'puppeteer', 'cheerio',
   'sharp', 'jimp', 'canvas', 'pdf-lib', 'exceljs', 'csv-parser', 'xml2js',
-  'yaml', 'config', 'yargs', 'inquirer', 'ora', 'colors',
+  'yaml', 'config', 'yargs', 'colors',
   'winston', 'bunyan', 'pino', 'log4js', 'ramda', 'immutable',
   'mobx', 'redux', 'zustand', 'formik', 'yup', 'ajv', 'validator',
   'date-fns', 'dayjs', 'luxon', 'numeral', 'accounting', 'currency.js',
@@ -28,7 +28,7 @@ const WHITELIST = [
   'co', 'q', 'n', 'i', 'a', 'v', 'x', 'y', 'z',
   'ejs', 'nyc', 'ini', 'joi', 'vue', 'npm', 'got', 'ora',
   'vary', 'mime', 'send', 'etag', 'raw', 'tar', 'uid', 'cjs',
-  'rxjs', 'yarn', 'pnpm',
+  'rxjs', 'yarn', 'pnpm', 'next',
   
   // Packages legitimes avec noms similaires
   'acorn', 'acorn-walk', 'js-yaml', 'cross-env', 'node-fetch', 'node-gyp',
@@ -42,7 +42,24 @@ const WHITELIST = [
   'depd', 'destroy', 'encodeurl', 'escape-html', 'fresh', 'merge-descriptors',
   'methods', 'on-finished', 'parseurl', 'path-to-regexp', 'proxy-addr',
   'range-parser', 'safe-buffer', 'safer-buffer', 'setprototypeof',
-  'statuses', 'type-is', 'unpipe', 'utils-merge'
+  'statuses', 'type-is', 'unpipe', 'utils-merge',
+  
+  // Packages CLI et outils legitimes
+  'jest-cli', 'prettier-2', 'prettier-1', 'eslint-cli',
+  'inquirer', 'enquirer', 'prompts',
+  'mysql2', 'pg-native', 'sqlite3', 'better-sqlite3',
+  'node-sass', 'sass', 'less',
+  'esbuild', 'rollup', 'parcel', 'vite',
+  'husky', 'lint-staged', 'commitlint',
+  'nodemon', 'pm2', 'forever', 'concurrently',
+  'lerna', 'turbo', 'nx',
+  'chalk', 'colors', 'picocolors', 'colorette',
+  'commander', 'yargs', 'meow', 'cac',
+  'execa', 'shelljs', 'cross-spawn',
+  'rimraf', 'del', 'trash-cli',
+  'globby', 'fast-glob', 'tiny-glob',
+  'chokidar', 'watchpack', 'nsfw',
+  'dotenv', 'dotenv-expand', 'env-cmd'
 ];
 
 // Seuil minimum de longueur pour eviter faux positifs
@@ -86,8 +103,10 @@ async function scanTyposquatting(targetPath) {
 }
 
 function findTyposquatMatch(name) {
+  const nameLower = name.toLowerCase();
+  
   // Ignore les packages whitelistes
-  if (WHITELIST.includes(name.toLowerCase())) return null;
+  if (WHITELIST.includes(nameLower)) return null;
   
   // Ignore les packages scoped (@org/package)
   if (name.startsWith('@')) return null;
@@ -95,14 +114,17 @@ function findTyposquatMatch(name) {
   // Ignore les packages tres courts (trop de faux positifs)
   if (name.length < MIN_PACKAGE_LENGTH) return null;
 
+  // Ignore les packages avec suffixes legitimes courants
+  if (isLegitimateVariant(nameLower)) return null;
+
   for (const popular of POPULAR_PACKAGES) {
     // Ignore si c'est exactement le meme
-    if (name.toLowerCase() === popular.toLowerCase()) continue;
+    if (nameLower === popular.toLowerCase()) continue;
 
     // Ignore si le package populaire est trop court
     if (popular.length < MIN_PACKAGE_LENGTH) continue;
 
-    const distance = levenshteinDistance(name.toLowerCase(), popular.toLowerCase());
+    const distance = levenshteinDistance(nameLower, popular.toLowerCase());
     
     // Distance de 1 = tres suspect (une seule lettre de difference)
     if (distance === 1) {
@@ -121,25 +143,45 @@ function findTyposquatMatch(name) {
         distance: distance
       };
     }
-
-    // Verifie les tricks de suffixe
-    if (isSuffixTrick(name, popular)) {
-      return {
-        original: popular,
-        type: 'suffix_trick',
-        distance: distance
-      };
-    }
   }
 
   return null;
 }
 
+function isLegitimateVariant(name) {
+  // Suffixes legitimes qui ne sont PAS du typosquatting
+  const legitimateSuffixes = [
+    '-cli', '-core', '-utils', '-plugin', '-loader', '-webpack',
+    '-react', '-vue', '-angular', '-node', '-browser',
+    '-esm', '-cjs', '-umd',
+    '-types', '-typings',
+    '2', '3', '4', '5', // versions majeures (mysql2, etc)
+    '-v2', '-v3', '-next', '-latest', '-stable', '-lts'
+  ];
+  
+  for (const suffix of legitimateSuffixes) {
+    if (name.endsWith(suffix)) return true;
+  }
+  
+  // Prefixes legitimes
+  const legitimatePrefixes = [
+    '@types/', '@babel/', '@jest/', '@testing-library/',
+    'eslint-plugin-', 'eslint-config-',
+    'babel-plugin-', 'babel-preset-',
+    'webpack-plugin-', 'rollup-plugin-', 'vite-plugin-'
+  ];
+  
+  for (const prefix of legitimatePrefixes) {
+    if (name.startsWith(prefix)) return true;
+  }
+  
+  return false;
+}
+
 function detectTyposquatType(typo, original) {
   if (typo.length === original.length - 1) return 'missing_char';
   if (typo.length === original.length + 1) return 'extra_char';
   if (typo.length === original.length) {
-    // Verifie si swap
     let diffs = 0;
     for (let i = 0; i < typo.length; i++) {
       if (typo[i] !== original[i]) diffs++;
@@ -150,25 +192,6 @@ function detectTyposquatType(typo, original) {
   return 'unknown';
 }
 
-function isSuffixTrick(name, popular) {
-  const nameLower = name.toLowerCase();
-  const popularLower = popular.toLowerCase();
-  
-  const suffixes = ['-js', '.js', '-node', '-npm', '-cli', '-api', '-lib', '-pkg', '-dev', '-pro'];
-  for (const suffix of suffixes) {
-    if (nameLower === popularLower + suffix) return true;
-    if (nameLower === popularLower.replace('-', '') + suffix) return true;
-  }
-  
-  // Verifie aussi les prefixes
-  const prefixes = ['node-', 'npm-', 'js-', 'get-', 'the-'];
-  for (const prefix of prefixes) {
-    if (nameLower === prefix + popularLower) return true;
-  }
-  
-  return false;
-}
-
 function levenshteinDistance(a, b) {
   const matrix = [];