npm - muaddib-scanner - Versions diffs - 2.10.31 → 2.10.32 - Mend

muaddib-scanner 2.10.31 → 2.10.32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.10.31",
+  "version": "2.10.32",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {
@@ -55,7 +55,7 @@
   },
   "devDependencies": {
     "@eslint/js": "10.0.1",
-    "eslint": "10.0.3",
+    "eslint": "10.1.0",
     "eslint-plugin-security": "^4.0.0",
     "globals": "17.4.0"
   }

package/src/monitor/daemon.js CHANGED Viewed

@@ -1,7 +1,8 @@
+const { execFileSync } = require('child_process');
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
-const { isDockerAvailable } = require('../sandbox/index.js');
+const { isDockerAvailable, SANDBOX_CONCURRENCY_MAX } = require('../sandbox/index.js');
 const { setVerboseMode, isSandboxEnabled, isCanaryEnabled } = require('./classify.js');
 const { loadState, saveState, loadDailyStats, saveDailyStats, purgeTarballCache, getParisHour } = require('./state.js');
 const { isTemporalEnabled, isTemporalAstEnabled, isTemporalPublishEnabled, isTemporalMaintainerEnabled } = require('./temporal.js');
@@ -33,6 +34,26 @@ function cleanupOrphanTmpDirs() {
   } catch {}
 }
+function cleanupOrphanContainers() {
+  try {
+    // List running containers with the sandbox name prefix (npm-audit-*)
+    const output = execFileSync('docker', ['ps', '-q', '--filter', 'name=npm-audit-'], {
+      stdio: ['pipe', 'pipe', 'pipe'],
+      timeout: 10000
+    }).toString().trim();
+    if (!output) return;
+    const ids = output.split(/\s+/).filter(Boolean);
+    for (const id of ids) {
+      try {
+        execFileSync('docker', ['rm', '-f', id], { stdio: 'pipe', timeout: 10000 });
+      } catch {}
+    }
+    console.log(`[MONITOR] Cleaned up ${ids.length} orphan sandbox container(s)`);
+  } catch {
+    // Docker not available or command failed — skip silently
+  }
+}
 function reportStats(stats) {
   const avg = stats.scanned > 0 ? (stats.totalTimeMs / stats.scanned / 1000).toFixed(1) : '0.0';
   const { t1, t1a, t1b, t2, t3 } = stats.suspectByTier;
@@ -67,6 +88,8 @@ async function startMonitor(options, stats, dailyAlerts, recentlyScanned, downlo
   // Cleanup temp dirs from previous runs (SIGTERM/crash may leave orphans)
   cleanupOrphanTmpDirs();
+  // Kill orphan sandbox containers from previous crash (npm-audit-* prefix)
+  cleanupOrphanContainers();
   // Layer 3: Purge expired cached tarballs on startup
   purgeTarballCache();
@@ -137,6 +160,7 @@ async function startMonitor(options, stats, dailyAlerts, recentlyScanned, downlo
   console.log(`[MONITOR] State loaded — npm last: ${state.npmLastPackage || 'none'}, pypi last: ${state.pypiLastPackage || 'none'}, npm seq: ${state.npmLastSeq || 'none'}`);
   console.log('[MONITOR] npm changes stream enabled (replicate.npmjs.com) with RSS fallback');
   console.log(`[MONITOR] Scan concurrency: ${SCAN_CONCURRENCY} (MUADDIB_SCAN_CONCURRENCY to override)`);
+  console.log(`[MONITOR] Sandbox concurrency: ${SANDBOX_CONCURRENCY_MAX} (MUADDIB_SANDBOX_CONCURRENCY to override)`);
   console.log(`[MONITOR] Polling every ${POLL_INTERVAL / 1000}s. Ctrl+C to stop.\n`);
   let running = true;
@@ -193,6 +217,7 @@ async function startMonitor(options, stats, dailyAlerts, recentlyScanned, downlo
 module.exports = {
   startMonitor,
   cleanupOrphanTmpDirs,
+  cleanupOrphanContainers,
   reportStats,
   isDailyReportDue,
   sleep,

package/src/sandbox/index.js CHANGED Viewed

@@ -20,6 +20,41 @@ const DOCKER_IMAGE = 'muaddib-sandbox';
 const CONTAINER_TIMEOUT = 120000; // 120 seconds
 const SINGLE_RUN_TIMEOUT = 60000; // 60 seconds per run in multi-run mode
+// ── Sandbox concurrency limiter ──
+// Prevents Docker container saturation under load (16 workers × 3 runs = 48 containers).
+// Pattern: same semaphore as src/shared/http-limiter.js.
+const SANDBOX_CONCURRENCY_MAX = Math.max(1, parseInt(process.env.MUADDIB_SANDBOX_CONCURRENCY, 10) || 3);
+const _sandboxSemaphore = { active: 0, queue: [] };
+function acquireSandboxSlot() {
+  if (_sandboxSemaphore.active < SANDBOX_CONCURRENCY_MAX) {
+    _sandboxSemaphore.active++;
+    return Promise.resolve();
+  }
+  return new Promise(resolve => {
+    _sandboxSemaphore.queue.push(resolve);
+  });
+}
+function releaseSandboxSlot() {
+  if (_sandboxSemaphore.queue.length > 0) {
+    const next = _sandboxSemaphore.queue.shift();
+    next(); // Transfers slot to next waiter (active count stays the same)
+  } else {
+    _sandboxSemaphore.active--;
+  }
+}
+function resetSandboxLimiter() {
+  _sandboxSemaphore.active = 0;
+  _sandboxSemaphore.queue.length = 0;
+}
+function getSandboxSemaphore() {
+  return _sandboxSemaphore;
+}
 // Time offsets for multi-run sandbox execution (ms)
 const TIME_OFFSETS = [
   { offset: 0, label: 'immediate' },
@@ -238,11 +273,17 @@ async function runSingleSandbox(packageName, options = {}) {
     // Timeout: kill container
     const timer = setTimeout(() => {
       timedOut = true;
-      console.log(`[SANDBOX] Timeout (${runTimeout / 1000}s). Killing container...`);
+      console.log(`[SANDBOX] Timeout (${runTimeout / 1000}s). Killing container ${containerName}...`);
       try {
         execFileSync('docker', ['kill', containerName], { stdio: 'pipe', timeout: 5000 });
       } catch {
-        proc.kill('SIGKILL');
+        // docker kill failed (container in intermediate state) — force remove
+        try {
+          execFileSync('docker', ['rm', '-f', containerName], { stdio: 'pipe', timeout: 5000 });
+        } catch {
+          // Last resort: kill the docker client process (container may survive as orphan)
+          proc.kill('SIGKILL');
+        }
       }
     }, runTimeout);
@@ -441,69 +482,81 @@ async function runSandbox(packageName, options = {}) {
   }
   const mode = strict ? 'strict' : 'permissive';
-  console.log(`[SANDBOX] Analyzing "${displayName}" in isolated container (mode: ${mode}${canaryEnabled ? ', canary: on' : ''}${local ? ', local' : ''}, runs: ${TIME_OFFSETS.length})...`);
-  const allRuns = [];
-  let bestResult = cleanResult;
-  for (let i = 0; i < TIME_OFFSETS.length; i++) {
-    const { offset, label } = TIME_OFFSETS[i];
-    console.log(`[SANDBOX] Run ${i + 1}/${TIME_OFFSETS.length} (${label})...`);
-    const runResult = await runSingleSandbox(packageName, {
-      strict,
-      canaryTokens,
-      local,
-      localAbsPath,
-      displayName,
-      timeOffset: offset,
-      runTimeout: SINGLE_RUN_TIMEOUT
-    });
-    allRuns.push({
-      run: i + 1,
-      label,
-      timeOffset: offset,
-      score: runResult.score,
-      severity: runResult.severity,
-      findingCount: runResult.findings.length
-    });
+  // Acquire sandbox slot — blocks if SANDBOX_CONCURRENCY_MAX containers already running
+  const queueLen = _sandboxSemaphore.queue.length;
+  if (queueLen > 0) {
+    console.log(`[SANDBOX] Waiting for sandbox slot (${_sandboxSemaphore.active}/${SANDBOX_CONCURRENCY_MAX} active, ${queueLen} queued)...`);
+  }
+  await acquireSandboxSlot();
-    // Keep the result with the highest score
-    if (runResult.score > bestResult.score) {
-      bestResult = runResult;
+  try {
+    console.log(`[SANDBOX] Analyzing "${displayName}" in isolated container (mode: ${mode}${canaryEnabled ? ', canary: on' : ''}${local ? ', local' : ''}, runs: ${TIME_OFFSETS.length}, slots: ${_sandboxSemaphore.active}/${SANDBOX_CONCURRENCY_MAX})...`);
+    const allRuns = [];
+    let bestResult = cleanResult;
+    for (let i = 0; i < TIME_OFFSETS.length; i++) {
+      const { offset, label } = TIME_OFFSETS[i];
+      console.log(`[SANDBOX] Run ${i + 1}/${TIME_OFFSETS.length} (${label})...`);
+      const runResult = await runSingleSandbox(packageName, {
+        strict,
+        canaryTokens,
+        local,
+        localAbsPath,
+        displayName,
+        timeOffset: offset,
+        runTimeout: SINGLE_RUN_TIMEOUT
+      });
+      allRuns.push({
+        run: i + 1,
+        label,
+        timeOffset: offset,
+        score: runResult.score,
+        severity: runResult.severity,
+        findingCount: runResult.findings.length
+      });
+      // Keep the result with the highest score
+      if (runResult.score > bestResult.score) {
+        bestResult = runResult;
+      }
+      // Early exit: CRITICAL found, skip remaining runs
+      if (runResult.score >= 80) {
+        console.log(`[SANDBOX] Critical score (${runResult.score}) detected in run ${i + 1}. Skipping remaining runs.`);
+        break;
+      }
     }
-    // Early exit: CRITICAL found, skip remaining runs
-    if (runResult.score >= 80) {
-      console.log(`[SANDBOX] Critical score (${runResult.score}) detected in run ${i + 1}. Skipping remaining runs.`);
-      break;
+    // If all runs were inconclusive (timeout), propagate inconclusive status
+    // instead of returning CLEAN (which would cause false FP relabeling)
+    if (bestResult.score === 0 && allRuns.length > 0 && allRuns.every(r => r.score === -1)) {
+      bestResult = {
+        score: -1,
+        severity: 'INCONCLUSIVE',
+        findings: [{
+          type: 'timeout',
+          severity: 'MEDIUM',
+          detail: `All ${allRuns.length} runs exceeded timeout — package too large or slow install`,
+          evidence: `All ${allRuns.length} runs timed out`
+        }],
+        raw_report: null,
+        suspicious: false,
+        inconclusive: true
+      };
     }
-  }
-  // If all runs were inconclusive (timeout), propagate inconclusive status
-  // instead of returning CLEAN (which would cause false FP relabeling)
-  if (bestResult.score === 0 && allRuns.length > 0 && allRuns.every(r => r.score === -1)) {
-    bestResult = {
-      score: -1,
-      severity: 'INCONCLUSIVE',
-      findings: [{
-        type: 'timeout',
-        severity: 'MEDIUM',
-        detail: `All ${allRuns.length} runs exceeded timeout — package too large or slow install`,
-        evidence: `All ${allRuns.length} runs timed out`
-      }],
-      raw_report: null,
-      suspicious: false,
-      inconclusive: true
-    };
-  }
-  // Attach multi-run metadata
-  bestResult.all_runs = allRuns;
-  displayResults(bestResult);
-  return bestResult;
+    // Attach multi-run metadata
+    bestResult.all_runs = allRuns;
+    displayResults(bestResult);
+    return bestResult;
+  } finally {
+    releaseSandboxSlot();
+  }
 }
 // ── Static canary detection ──
@@ -812,4 +865,4 @@ function displayResults(result) {
   }
 }
-module.exports = { buildSandboxImage, runSandbox, runSingleSandbox, scoreFindings, generateNetworkReport, EXFIL_PATTERNS, SAFE_DOMAINS, getSeverity, displayResults, isDockerAvailable, imageExists, STATIC_CANARY_TOKENS, detectStaticCanaryExfiltration, analyzePreloadLog, TIME_OFFSETS, SAFE_SANDBOX_CMDS };
+module.exports = { buildSandboxImage, runSandbox, runSingleSandbox, scoreFindings, generateNetworkReport, EXFIL_PATTERNS, SAFE_DOMAINS, getSeverity, displayResults, isDockerAvailable, imageExists, STATIC_CANARY_TOKENS, detectStaticCanaryExfiltration, analyzePreloadLog, TIME_OFFSETS, SAFE_SANDBOX_CMDS, SANDBOX_CONCURRENCY_MAX, acquireSandboxSlot, releaseSandboxSlot, resetSandboxLimiter, getSandboxSemaphore };