muaddib-scanner 1.4.3 → 1.6.0

package/docker/Dockerfile

@@ -1,7 +1,7 @@
 FROM node:20-alpine
 
 # Outils de monitoring
-RUN apk add --no-cache strace curl tcpdump
+RUN apk add --no-cache strace curl tcpdump coreutils findutils jq
 
 # User non-root
 RUN adduser -D sandboxuser

package/docker/sandbox-runner.sh

@@ -1,26 +1,154 @@
 #!/bin/sh
-PACKAGE=$1
+PACKAGE="$1"
 
-echo "[SANDBOX] Installing $PACKAGE..."
+if [ -z "$PACKAGE" ]; then
+  echo "Usage: sandbox-runner.sh <package-name>" >&2
+  exit 1
+fi
 
-# Capturer les connexions réseau en background
-tcpdump -i any -w /tmp/network.pcap 2>/dev/null &
+TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+START_MS=$(date +%s%3N 2>/dev/null || echo 0)
+
+# ── 1. Filesystem snapshot BEFORE install ──
+echo "[SANDBOX] Snapshot filesystem before install..." >&2
+find / -type f 2>/dev/null | sort > /tmp/fs-before.txt
+
+# ── 2. tcpdump in background (DNS + HTTP + HTTPS) ──
+echo "[SANDBOX] Starting network capture..." >&2
+tcpdump -i any -nn 'port 53 or port 80 or port 443' -l > /tmp/network.log 2>/dev/null &
 TCPDUMP_PID=$!
+sleep 1
+
+# ── 3. npm install with strace ──
+echo "[SANDBOX] Installing $PACKAGE..." >&2
+strace -f -e trace=network,process,open,openat,connect,execve,sendto,recvfrom \
+  -o /tmp/strace.log \
+  npm install "$PACKAGE" --ignore-scripts=false > /tmp/install.log 2>&1
+EXIT_CODE=$?
+
+# ── 4. Filesystem snapshot AFTER install ──
+echo "[SANDBOX] Snapshot filesystem after install..." >&2
+find / -type f 2>/dev/null | sort > /tmp/fs-after.txt
+
+# Stop tcpdump
+kill "$TCPDUMP_PID" 2>/dev/null
+wait "$TCPDUMP_PID" 2>/dev/null
+
+END_MS=$(date +%s%3N 2>/dev/null || echo 0)
+DURATION_MS=$((END_MS - START_MS))
+[ "$DURATION_MS" -lt 0 ] 2>/dev/null && DURATION_MS=0
+
+# ── 5. Filesystem diff (exclude /sandbox/node_modules/) ──
+echo "[SANDBOX] Analyzing filesystem changes..." >&2
+comm -13 /tmp/fs-before.txt /tmp/fs-after.txt | grep -v '^/sandbox/node_modules/' | grep -v '^/tmp/fs-\|^/tmp/install.log\|^/tmp/network.log\|^/tmp/strace.log\|^/tmp/sensitive-\|^/tmp/suspicious-cmds\|^/tmp/connections.txt\|^/tmp/dns-queries\|^/tmp/fs-created\|^/tmp/fs-deleted' > /tmp/fs-created.txt
+comm -23 /tmp/fs-before.txt /tmp/fs-after.txt | grep -v '^/sandbox/node_modules/' > /tmp/fs-deleted.txt
+
+# ── 6. Parse strace ──
+echo "[SANDBOX] Parsing strace..." >&2
+
+SENSITIVE='\.npmrc|\.ssh/|\.aws/|\.env|/etc/passwd|/etc/shadow|\.gitconfig|\.bash_history'
+
+# 6a. Sensitive file access (read)
+grep -E 'openat\(' /tmp/strace.log 2>/dev/null | \
+  grep -E "$SENSITIVE" | \
+  grep 'O_RDONLY' | \
+  sed 's/.*openat([^,]*, "\([^"]*\)".*/\1/' | \
+  sort -u > /tmp/sensitive-read.txt
+
+# 6b. Sensitive file access (write)
+grep -E 'openat\(' /tmp/strace.log 2>/dev/null | \
+  grep -E "$SENSITIVE" | \
+  grep -E 'O_WRONLY|O_RDWR|O_CREAT' | \
+  sed 's/.*openat([^,]*, "\([^"]*\)".*/\1/' | \
+  sort -u > /tmp/sensitive-written.txt
+
+# 6c. Suspicious execve (exclude node, npm, npx, sh, git)
+grep 'execve(' /tmp/strace.log 2>/dev/null | \
+  grep '= 0' | \
+  grep -vE 'execve\("[^"]*/(node|npm|npx|sh|git)"' | \
+  sed -n 's/.*\[pid \([0-9]*\)\].*execve("\([^"]*\)".*/\1\t\2/p' > /tmp/suspicious-cmds.txt
+
+grep 'execve(' /tmp/strace.log 2>/dev/null | \
+  grep '= 0' | \
+  grep -vE 'execve\("[^"]*/(node|npm|npx|sh|git)"' | \
+  grep -v '\[pid' | \
+  sed -n 's/.*execve("\([^"]*\)".*/0\t\1/p' >> /tmp/suspicious-cmds.txt
+
+# 6d. Outgoing connections (AF_INET, successful)
+grep 'connect(' /tmp/strace.log 2>/dev/null | \
+  grep 'AF_INET' | grep -v 'AF_INET6' | \
+  grep '= 0' | \
+  sed -n 's/.*sin_port=htons(\([0-9]*\)).*sin_addr=inet_addr("\([^"]*\)").*/\2\t\1/p' | \
+  grep -v '	65535$' | \
+  grep -v '^127\.' | \
+  sort -u > /tmp/connections.txt
+
+# ── 7. Parse tcpdump ──
+echo "[SANDBOX] Parsing network capture..." >&2
+
+grep -oE '(A|AAAA)\? [^ ]+' /tmp/network.log 2>/dev/null | \
+  awk '{print $2}' | \
+  sed 's/\.$//' | \
+  sort -u > /tmp/dns-queries.txt
+
+# ── 8. Build JSON with jq ──
+echo "[SANDBOX] Building report..." >&2
 
-# Installer le package avec strace pour capturer les appels système
-strace -f -e trace=network,process,file -o /tmp/strace.log npm install "$PACKAGE" --ignore-scripts=false 2>&1
+# Ensure all temp files exist
+touch /tmp/fs-created.txt /tmp/fs-deleted.txt /tmp/dns-queries.txt \
+  /tmp/sensitive-read.txt /tmp/sensitive-written.txt \
+  /tmp/connections.txt /tmp/suspicious-cmds.txt /tmp/install.log
 
-# Arrêter tcpdump
-kill $TCPDUMP_PID 2>/dev/null
+INSTALL_OUTPUT=$(head -c 5000 /tmp/install.log)
 
-# Analyser les résultats
-echo "[SANDBOX] === NETWORK CONNECTIONS ==="
-grep -E "connect|sendto" /tmp/strace.log | head -20
+FS_CREATED=$(jq -R -s 'split("\n") | map(select(length > 0))' < /tmp/fs-created.txt)
+FS_DELETED=$(jq -R -s 'split("\n") | map(select(length > 0))' < /tmp/fs-deleted.txt)
+DNS=$(jq -R -s 'split("\n") | map(select(length > 0))' < /tmp/dns-queries.txt)
+SENS_READ=$(jq -R -s 'split("\n") | map(select(length > 0))' < /tmp/sensitive-read.txt)
+SENS_WRITTEN=$(jq -R -s 'split("\n") | map(select(length > 0))' < /tmp/sensitive-written.txt)
 
-echo "[SANDBOX] === PROCESS SPAWNS ==="
-grep -E "execve|clone" /tmp/strace.log | head -20
+CONNS=$(jq -R -s 'split("\n") | map(select(length > 0)) | map(
+  split("\t") | {host: .[0], port: (.[1] | tonumber), protocol: "TCP"}
+)' < /tmp/connections.txt)
 
-echo "[SANDBOX] === FILE ACCESS ==="
-grep -E "openat.*npmrc|openat.*ssh|openat.*aws" /tmp/strace.log | head -20
+PROCS=$(jq -R -s 'split("\n") | map(select(length > 0)) | map(
+  split("\t") | {command: .[1], pid: (.[0] | tonumber)}
+)' < /tmp/suspicious-cmds.txt)
 
-echo "[SANDBOX] Done."
+# ── Final JSON (ONLY output on stdout) ──
+jq -n \
+  --arg package "$PACKAGE" \
+  --arg timestamp "$TIMESTAMP" \
+  --argjson duration "${DURATION_MS:-0}" \
+  --argjson fs_created "$FS_CREATED" \
+  --argjson fs_deleted "$FS_DELETED" \
+  --argjson dns "$DNS" \
+  --argjson connections "$CONNS" \
+  --argjson processes "$PROCS" \
+  --argjson sensitive_read "$SENS_READ" \
+  --argjson sensitive_written "$SENS_WRITTEN" \
+  --arg install_output "$INSTALL_OUTPUT" \
+  --argjson exit_code "${EXIT_CODE:-1}" \
+  '{
+    package: $package,
+    timestamp: $timestamp,
+    duration_ms: $duration,
+    filesystem: {
+      created: $fs_created,
+      deleted: $fs_deleted,
+      modified: []
+    },
+    network: {
+      dns_queries: $dns,
+      http_connections: $connections
+    },
+    processes: {
+      spawned: $processes
+    },
+    sensitive_files: {
+      read: $sensitive_read,
+      written: $sensitive_written
+    },
+    install_output: $install_output,
+    exit_code: $exit_code
+  }'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "1.4.3",
+  "version": "1.6.0",
   "description": "Supply-chain threat detection & response for npm",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -80,7 +80,7 @@ function scanParanoid(targetPath) {
   }
 
   function walkDir(dir) {
-    const excluded = ['node_modules', '.git', 'test', 'tests', 'src', 'vscode-extension', '.muaddib-cache', 'data', 'iocs'];
+    const excluded = ['node_modules', '.git', 'test', 'tests', 'src', 'vscode-extension', '.muaddib-cache', 'data', 'iocs', 'docker'];
     try {
       const files = fs.readdirSync(dir);
       for (const file of files) {
@@ -150,6 +150,27 @@ async function run(targetPath, options = {}) {
     threats.push(...paranoidThreats);
   }
 
+  // Sandbox integration
+  let sandboxData = null;
+  if (options.sandboxResult && options.sandboxResult.findings) {
+    const sr = options.sandboxResult;
+    const pkg = sr.raw_report?.package || 'unknown';
+    sandboxData = {
+      package: pkg,
+      score: sr.score,
+      severity: sr.severity,
+      findings: sr.findings
+    };
+    for (const f of sr.findings) {
+      threats.push({
+        type: 'sandbox_' + f.type,
+        severity: f.severity,
+        message: f.detail,
+        file: `[SANDBOX] ${pkg}`
+      });
+    }
+  }
+
   // Deduplicate: same file + same type + same message = show once with count
   const deduped = [];
   const seen = new Map();
@@ -209,7 +230,8 @@ async function run(targetPath, options = {}) {
       low: lowCount,
       riskScore: riskScore,
       riskLevel: riskLevel
-    }
+    },
+    sandbox: sandboxData
   };
 
   // JSON output
@@ -252,6 +274,22 @@ async function run(targetPath, options = {}) {
         console.log('');
       });
     }
+
+    // Sandbox section (explain)
+    if (sandboxData) {
+      console.log(`\n[SANDBOX] Dynamic analysis — ${sandboxData.package}`);
+      console.log(`  Score:    ${sandboxData.score}/100`);
+      console.log(`  Severity: ${sandboxData.severity}`);
+      if (sandboxData.findings.length === 0) {
+        console.log('  No suspicious behavior detected.\n');
+      } else {
+        console.log(`  ${sandboxData.findings.length} finding(s):`);
+        sandboxData.findings.forEach(f => {
+          console.log(`    [${f.severity}] ${f.type}: ${f.detail}`);
+        });
+        console.log('');
+      }
+    }
   }
   // Normal output
   else {
@@ -279,6 +317,22 @@ async function run(targetPath, options = {}) {
         }
       });
     }
+
+    // Sandbox section (normal)
+    if (sandboxData) {
+      console.log(`[SANDBOX] Dynamic analysis — ${sandboxData.package}`);
+      console.log(`  Score:    ${sandboxData.score}/100`);
+      console.log(`  Severity: ${sandboxData.severity}`);
+      if (sandboxData.findings.length === 0) {
+        console.log('  No suspicious behavior detected.\n');
+      } else {
+        console.log(`  ${sandboxData.findings.length} finding(s):`);
+        sandboxData.findings.forEach(f => {
+          console.log(`    [${f.severity}] ${f.type}: ${f.detail}`);
+        });
+        console.log('');
+      }
+    }
   }
 
   // Send webhook if configured