npm - muaddib-scanner - Versions diffs - 2.11.78 → 2.11.80 - Mend

muaddib-scanner 2.11.78 → 2.11.80

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json +1 -1
package/{self-scan-v2.11.78.json → self-scan-v2.11.80.json} +1 -1
package/src/monitor/state.js +15 -2
package/src/monitor/webhook.js +34 -14

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.78",
+  "version": "2.11.80",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.78.json → self-scan-v2.11.80.json} RENAMED Viewed

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-08T18:21:33.065Z",
+  "timestamp": "2026-06-10T12:26:12.478Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/monitor/state.js CHANGED Viewed

@@ -1115,6 +1115,12 @@ function computeLedgerRollup(sinceTs, opts = {}) {
   const scannedKeys = new Set();
   const droppedKeys = new Set();
   let exactVanished = true;
+  // Distinct package NAMES (version-collapsed) for honest coverage. A package is
+  // "covered" if at least one of its versions reached a real scan (non-dropped).
+  // Bounded: names are only added while underCap, so |names| ≤ |keys| ≤ MAX_ROLLUP_KEYS.
+  // Exactness mirrors exactVanished (false iff the cap was hit mid-window).
+  const allNames = new Set();
+  const scannedNames = new Set();
   _iterateJsonlSync(file, (e) => {
     if (!e || !e.name) return;
@@ -1140,11 +1146,11 @@ function computeLedgerRollup(sinceTs, opts = {}) {
     const underCap = exactVanished && (scannedKeys.size + droppedKeys.size) < MAX_ROLLUP_KEYS;
     if (outcome === 'dropped') {
       dropped++; ecoNode.dropped++;
-      if (underCap) droppedKeys.add(key); else exactVanished = false;
+      if (underCap) { droppedKeys.add(key); allNames.add(e.name); } else exactVanished = false;
     } else {
       scanned++; ecoNode.scanned++;
       if (outcome === 'suspect' || outcome === 'confirmed') { alerted++; ecoNode.alerted++; }
-      if (underCap) scannedKeys.add(key); else exactVanished = false;
+      if (underCap) { scannedKeys.add(key); allNames.add(e.name); scannedNames.add(e.name); } else exactVanished = false;
     }
   });
@@ -1164,6 +1170,13 @@ function computeLedgerRollup(sinceTs, opts = {}) {
     alerted,
     // NOT a TPR — see the HONEST METRIC NOTE above. null when nothing was scanned.
     alertRate: scanned > 0 ? alerted / scanned : null,
+    // Honest, version-collapsed coverage: distinct package names seen vs scanned.
+    // Bounded ≤100% by construction (scannedNames ⊆ allNames). Unlike the raw
+    // event-count coverage in the embed, this is immune to version-spam inflation
+    // (e.g. a package publishing thousands of versions counts once).
+    distinctPackages: allNames.size,
+    distinctScanned: scannedNames.size,
+    distinctCoverage: allNames.size > 0 ? scannedNames.size / allNames.size : null,
     byOutcome,
     byEcosystem
   };

package/src/monitor/webhook.js CHANGED Viewed

@@ -1027,25 +1027,41 @@ function buildDailyReportEmbed(stats, dailyAlerts, ledgerRollup) {
   // Avg scan time from in-memory stats
   const avg = stats.scanned > 0 ? (stats.totalTimeMs / stats.scanned / 1000).toFixed(1) : '0.0';
-  // --- Coverage estimation ---
-  // Numerator: unique (ecosystem, name, version) tuples that reached a scan
-  // attempt (post-dedup). Denominator: raw publish events seen on either
-  // changes stream BEFORE per-package filtering, plus npm catch-up gaps and
-  // PyPI publish events that survived per-(name,version) dedup. This stays
-  // bounded near 100% — old "scanned/changesStreamPackages" was racing PyPI
-  // scans and ATO burst extras against an npm-only denominator.
+  // --- Phase 0b: per-scan ledger rollup (resolved early so Coverage can use it) ---
+  // Caller may pass a precomputed rollup (sendDailyReport does, to persist the same
+  // numbers it displays); undefined → compute here; explicit null → omit the section.
+  const ledger = ledgerRollup !== undefined ? ledgerRollup : safeLedgerRollup();
+  // --- Coverage ---
+  // HEADLINE: honest, version-collapsed coverage from the scan-ledger — distinct
+  // package NAMES actually scanned vs distinct names seen (scanned + dropped) in
+  // the window. Bounded ≤100% by construction and immune to version-spam (a
+  // package publishing thousands of versions counts once). The raw publish-event
+  // ratio is kept as a SECONDARY line for continuity but is no longer the headline:
+  // it races re-scans / PyPI / burst extras against an npm-only event denominator
+  // and routinely exceeds 100% (see AUDIT 4 — daily-reports-analysis.md).
   const attempted = stats.uniqueScanAttempts || 0;
   const npmPub = stats.npmPublishEventsSeen || 0;
   const pypiPub = stats.pypiChangelogPackages || 0;
   const published = npmPub + pypiPub;
-  const coverageRatio = published > 0 ? (attempted / published * 100).toFixed(0) : '0';
   const catchupSkipped = (stats.npmCatchupSkippedSeqs || 0) + (stats.pypiCatchupSkippedEvents || 0);
   const opsSuffix = catchupSkipped > 0
     ? `\nOps: ${stats.scanned} | Catch-up skip: ${catchupSkipped}`
     : `\nOps: ${stats.scanned}`;
-  const coverageText = published > 0
-    ? `${attempted}/${published} (${coverageRatio}%)${opsSuffix}`
-    : `${attempted} attempted${opsSuffix}`;
+  let coverageText;
+  if (ledger && ledger.distinctPackages > 0 && ledger.distinctCoverage != null) {
+    const pct = (ledger.distinctCoverage * 100).toFixed(0);
+    const approx = ledger.exactVanished === false ? '~' : '';
+    coverageText = `${ledger.distinctScanned}/${ledger.distinctPackages} pkgs (${approx}${pct}%)`;
+    if (published > 0) coverageText += `\nRaw events: ${attempted}/${published}`;
+    coverageText += opsSuffix;
+  } else if (published > 0) {
+    // Fallback: ledger unavailable (first boot / empty ledger) → legacy event ratio.
+    const coverageRatio = (attempted / published * 100).toFixed(0);
+    coverageText = `${attempted}/${published} (${coverageRatio}%)${opsSuffix}`;
+  } else {
+    coverageText = `${attempted} attempted${opsSuffix}`;
+  }
   // --- Timeouts ---
   const staticTimeouts = (stats.errorsByType && stats.errorsByType.static_timeout) || 0;
@@ -1108,9 +1124,7 @@ function buildDailyReportEmbed(stats, dailyAlerts, ledgerRollup) {
   const healthText = `Up ${uptimeH}h${uptimeM}m | Heap ${heapMB}MB${jsonlInfo}`;
   // --- Phase 0b: per-scan ledger rollup (operational coverage) ---
-  // Caller may pass a precomputed rollup (sendDailyReport does, to persist the same
-  // numbers it displays); undefined → compute here; explicit null → omit the section.
-  const ledger = ledgerRollup !== undefined ? ledgerRollup : safeLedgerRollup();
+  // `ledger` was resolved above (Coverage uses it). explicit null → omit the section.
   const ledgerField = formatLedgerField(ledger);
   const now = new Date();
@@ -1207,6 +1221,12 @@ async function sendDailyReport(stats, dailyAlerts, recentlyScanned, downloadsCac
     deferredProcessed: stats.deferredProcessed || 0,
     deferredExpired: stats.deferredExpired || 0,
     changesStreamPackages: stats.changesStreamPackages || 0,
+    // Honest version-collapsed coverage (AUDIT 4): top-level mirror of the
+    // ledger fields so trend analysis can read them without descending into
+    // metrics.ledger. null when the ledger window was empty.
+    distinctPackages: ledgerRollup ? (ledgerRollup.distinctPackages ?? null) : null,
+    distinctScanned: ledgerRollup ? (ledgerRollup.distinctScanned ?? null) : null,
+    distinctCoverage: ledgerRollup ? (ledgerRollup.distinctCoverage ?? null) : null,
     restartsToday: stats.restartsToday || 0,
     temporalLoadShed: stats.temporalLoadShed || 0,
     queueHardDrops: stats.queueHardDrops || 0,