muaddib-scanner 2.2.16 → 2.2.18

package/bin/muaddib.js

@@ -812,6 +812,34 @@ if (command === 'version' || command === '--version' || command === '-v') {
     console.error('[ERROR]', err.message);
     process.exit(1);
   });
+} else if (command === 'report') {
+  // Hidden/internal — not in --help
+  if (options.includes('--now')) {
+    const { sendReportNow } = require('../src/monitor.js');
+    sendReportNow().then(result => {
+      if (result.sent) {
+        console.log(`\n  \x1b[32m\u2713\x1b[0m ${result.message}\n`);
+      } else {
+        console.log(`\n  \x1b[33m!\x1b[0m ${result.message}\n`);
+      }
+      process.exit(result.sent ? 0 : 1);
+    }).catch(err => {
+      console.error('[ERROR]', err.message);
+      process.exit(1);
+    });
+  } else if (options.includes('--status')) {
+    const { getReportStatus } = require('../src/monitor.js');
+    const status = getReportStatus();
+    console.log('\n  MUAD\'DIB Report Status\n');
+    console.log(`  Last report sent:     ${status.lastDailyReportDate || 'Never'}`);
+    console.log(`  Packages scanned since: ${status.scannedSince}`);
+    console.log(`  Next scheduled report:  ${status.nextReport}`);
+    console.log('');
+    process.exit(0);
+  } else {
+    console.log('Usage: muaddib report --now | --status');
+    process.exit(1);
+  }
 } else if (command === 'help') {
   console.log(helpText);
   process.exit(0);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.2.16",
+  "version": "2.2.18",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -213,19 +213,20 @@ async function run(targetPath, options = {}) {
     }
   }
 
-  // Parallel execution of all independent scanners
-  // Sync scanners use yieldThen() to yield to event loop (keeps spinner animating)
+  // Sequential execution of scanners with event loop yields between each.
+  // All scanners (even "async" ones) are effectively synchronous (readFileSync, readdirSync).
+  // Running them via yieldThen ensures the spinner animates between each scanner.
   let scanResult;
   try {
     scanResult = await Promise.all([
-      scanPackageJson(targetPath),
-      scanShellScripts(targetPath),
-      analyzeAST(targetPath, { deobfuscate: deobfuscateFn }),
+      yieldThen(() => scanPackageJson(targetPath)),
+      yieldThen(() => scanShellScripts(targetPath)),
+      yieldThen(() => analyzeAST(targetPath, { deobfuscate: deobfuscateFn })),
       yieldThen(() => detectObfuscation(targetPath)),
-      scanDependencies(targetPath),
-      scanHashes(targetPath),
-      analyzeDataFlow(targetPath, { deobfuscate: deobfuscateFn }),
-      scanTyposquatting(targetPath),
+      yieldThen(() => scanDependencies(targetPath)),
+      yieldThen(() => scanHashes(targetPath)),
+      yieldThen(() => analyzeDataFlow(targetPath, { deobfuscate: deobfuscateFn })),
+      yieldThen(() => scanTyposquatting(targetPath)),
       yieldThen(() => scanGitHubActions(targetPath)),
       yieldThen(() => matchPythonIOCs(pythonDeps, targetPath)),
       yieldThen(() => checkPyPITyposquatting(pythonDeps, targetPath)),

package/src/monitor.js

@@ -1061,18 +1061,26 @@ function isDailyReportDue() {
 }
 
 function buildDailyReportEmbed() {
-  const avg = stats.scanned > 0 ? (stats.totalTimeMs / stats.scanned / 1000).toFixed(1) : '0.0';
+  // Use disk-based daily entries filtered by lastDailyReportDate for accurate delta
+  const { agg, top3: diskTop3 } = buildReportFromDisk();
 
-  // Top 3 suspects sorted by findings count descending
-  const top3 = dailyAlerts
-    .slice()
-    .sort((a, b) => b.findingsCount - a.findingsCount)
-    .slice(0, 3);
+  // Prefer in-memory dailyAlerts for top suspects (richer data), fallback to disk
+  const top3 = dailyAlerts.length > 0
+    ? dailyAlerts.slice().sort((a, b) => b.findingsCount - a.findingsCount).slice(0, 3)
+    : diskTop3;
 
   const top3Text = top3.length > 0
-    ? top3.map((a, i) => `${i + 1}. **${a.ecosystem}/${a.name}@${a.version}** — ${a.findingsCount} finding(s)`).join('\n')
+    ? top3.map((a, i) => {
+        const name = a.ecosystem ? `${a.ecosystem}/${a.name || a.package}` : (a.name || a.package);
+        const version = a.version || 'N/A';
+        const count = a.findingsCount || (a.findings ? a.findings.length : 0);
+        return `${i + 1}. **${name}@${version}** — ${count} finding(s)`;
+      }).join('\n')
     : 'None';
 
+  // Avg scan time from in-memory stats (not available on disk)
+  const avg = stats.scanned > 0 ? (stats.totalTimeMs / stats.scanned / 1000).toFixed(1) : '0.0';
+
   const now = new Date();
   const readableTime = now.toISOString().replace('T', ' ').replace(/\.\d+Z$/, ' UTC');
 
@@ -1081,9 +1089,9 @@ function buildDailyReportEmbed() {
       title: '\uD83D\uDCCA MUAD\'DIB Daily Report',
       color: 0x3498db,
       fields: [
-        { name: 'Packages Scanned', value: `${stats.scanned}`, inline: true },
-        { name: 'Clean', value: `${stats.clean}`, inline: true },
-        { name: 'Suspects', value: `${stats.suspect}`, inline: true },
+        { name: 'Packages Scanned', value: `${agg.scanned}`, inline: true },
+        { name: 'Clean', value: `${agg.clean}`, inline: true },
+        { name: 'Suspects', value: `${agg.suspect}`, inline: true },
         { name: 'Errors', value: `${stats.errors}`, inline: true },
         { name: 'Avg Scan Time', value: `${avg}s/pkg`, inline: true },
         { name: 'Top Suspects', value: top3Text, inline: false }
@@ -1119,6 +1127,155 @@ async function sendDailyReport() {
   stats.lastDailyReportDate = getParisDateString();
 }
 
+// --- CLI report helpers (muaddib report --now / --status) ---
+
+/**
+ * Read raw state file (without restoring into stats).
+ */
+function loadStateRaw() {
+  try {
+    const raw = fs.readFileSync(STATE_FILE, 'utf8');
+    return JSON.parse(raw);
+  } catch {
+    return {};
+  }
+}
+
+/**
+ * Reconstruct daily report data from persisted files (no in-memory stats needed).
+ * Used by `muaddib report --now` to send a report from a separate CLI process.
+ */
+function buildReportFromDisk() {
+  const scanData = loadScanStats();
+  const stateRaw = loadStateRaw();
+  // Default to today if no report ever sent (avoids summing entire history)
+  const lastDate = stateRaw.lastDailyReportDate || getParisDateString();
+
+  // Filter daily entries strictly AFTER last report date
+  const sinceDays = scanData.daily.filter(d => d.date > lastDate);
+
+  // Aggregate counters
+  const agg = { scanned: 0, clean: 0, suspect: 0 };
+  for (const d of sinceDays) {
+    agg.scanned += d.scanned || 0;
+    agg.clean += d.clean || 0;
+    agg.suspect += d.suspect || 0;
+  }
+
+  // Load detections since last report for top suspects
+  const detections = loadDetections();
+  const recentDetections = detections.detections.filter(
+    d => d.first_seen_at && d.first_seen_at.slice(0, 10) > lastDate
+  );
+
+  const top3 = recentDetections
+    .slice()
+    .sort((a, b) => (b.findings ? b.findings.length : 0) - (a.findings ? a.findings.length : 0))
+    .slice(0, 3);
+
+  return { agg, top3, hasData: agg.scanned > 0 };
+}
+
+/**
+ * Build a Discord embed from disk data (same format as buildDailyReportEmbed).
+ */
+function buildReportEmbedFromDisk() {
+  const { agg, top3, hasData } = buildReportFromDisk();
+  if (!hasData) return null;
+
+  const top3Text = top3.length > 0
+    ? top3.map((a, i) => `${i + 1}. **${a.ecosystem}/${a.package}@${a.version}** — ${a.findings ? a.findings.length : 0} finding(s)`).join('\n')
+    : 'None';
+
+  const now = new Date();
+  const readableTime = now.toISOString().replace('T', ' ').replace(/\.\d+Z$/, ' UTC');
+
+  return {
+    embeds: [{
+      title: '\uD83D\uDCCA MUAD\'DIB Daily Report (manual)',
+      color: 0x3498db,
+      fields: [
+        { name: 'Packages Scanned', value: `${agg.scanned}`, inline: true },
+        { name: 'Clean', value: `${agg.clean}`, inline: true },
+        { name: 'Suspects', value: `${agg.suspect}`, inline: true },
+        { name: 'Top Suspects', value: top3Text, inline: false }
+      ],
+      footer: {
+        text: `MUAD'DIB - Manual report | ${readableTime}`
+      },
+      timestamp: now.toISOString()
+    }]
+  };
+}
+
+/**
+ * Force send a daily report from persisted data.
+ * Returns { sent: boolean, message: string }.
+ */
+async function sendReportNow() {
+  const url = getWebhookUrl();
+  if (!url) {
+    return { sent: false, message: 'MUADDIB_WEBHOOK_URL not configured' };
+  }
+
+  const payload = buildReportEmbedFromDisk();
+  if (!payload) {
+    return { sent: false, message: 'No data to report' };
+  }
+
+  try {
+    await sendWebhook(url, payload, { rawPayload: true });
+  } catch (err) {
+    return { sent: false, message: `Webhook failed: ${err.message}` };
+  }
+
+  // Update lastDailyReportDate on disk
+  const stateRaw = loadStateRaw();
+  const state = {
+    npmLastPackage: stateRaw.npmLastPackage || '',
+    pypiLastPackage: stateRaw.pypiLastPackage || ''
+  };
+  stats.lastDailyReportDate = getParisDateString();
+  saveState(state);
+
+  return { sent: true, message: 'Daily report sent' };
+}
+
+/**
+ * Get report status for `muaddib report --status`.
+ */
+function getReportStatus() {
+  const stateRaw = loadStateRaw();
+  const lastDate = stateRaw.lastDailyReportDate || null;
+
+  // Count packages scanned since last report (default to today if never sent)
+  const scanData = loadScanStats();
+  const sinceDate = lastDate || getParisDateString();
+  const sinceDays = scanData.daily.filter(d => d.date > sinceDate);
+
+  let scannedSince = 0;
+  for (const d of sinceDays) {
+    scannedSince += d.scanned || 0;
+  }
+
+  // Compute next report time
+  const today = getParisDateString();
+  const parisHour = getParisHour();
+  let nextReport;
+  if (lastDate === today || (lastDate !== today && parisHour >= DAILY_REPORT_HOUR)) {
+    // Already sent today OR past 08:00 but not sent (will fire soon if monitor runs)
+    if (lastDate === today) {
+      nextReport = 'Tomorrow 08:00 (Europe/Paris)';
+    } else {
+      nextReport = 'Today 08:00 (Europe/Paris) — pending, monitor must be running';
+    }
+  } else {
+    nextReport = 'Today 08:00 (Europe/Paris)';
+  }
+
+  return { lastDailyReportDate: lastDate, scannedSince, nextReport };
+}
+
 // --- npm polling ---
 
 /**
@@ -1588,7 +1745,11 @@ module.exports = {
   getDetectionStats,
   SCAN_STATS_FILE,
   loadScanStats,
-  updateScanStats
+  updateScanStats,
+  buildReportFromDisk,
+  buildReportEmbedFromDisk,
+  sendReportNow,
+  getReportStatus
 };
 
 // Standalone entry point: node src/monitor.js

package/src/scanner/package.js

@@ -121,6 +121,8 @@ async function scanPackageJson(targetPath) {
 
   for (const [depName, depVersion] of Object.entries(allDeps)) {
     if (DANGEROUS_KEYS.has(depName)) continue;
+    // Skip local dependencies (link:, file:, workspace:) — they're local code, not npm packages
+    if (typeof depVersion === 'string' && /^(link:|file:|workspace:)/.test(depVersion)) continue;
     let malicious = null;
 
     // Use optimized Map for O(1) lookup if available

package/testssampleslink-deppackage.json

@@ -0,0 +1 @@
+{"name":"test-link","dependencies":{"eslint-plugin-react-internal":"link:./scripts/eslint-rules","lodash":"^4.17.21"}}