muaddib-scanner 2.2.17 → 2.2.19

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.2.17",
+  "version": "2.2.19",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -213,19 +213,20 @@ async function run(targetPath, options = {}) {
     }
   }
 
-  // Parallel execution of all independent scanners
-  // Sync scanners use yieldThen() to yield to event loop (keeps spinner animating)
+  // Sequential execution of scanners with event loop yields between each.
+  // All scanners (even "async" ones) are effectively synchronous (readFileSync, readdirSync).
+  // Running them via yieldThen ensures the spinner animates between each scanner.
   let scanResult;
   try {
     scanResult = await Promise.all([
-      scanPackageJson(targetPath),
-      scanShellScripts(targetPath),
-      analyzeAST(targetPath, { deobfuscate: deobfuscateFn }),
+      yieldThen(() => scanPackageJson(targetPath)),
+      yieldThen(() => scanShellScripts(targetPath)),
+      yieldThen(() => analyzeAST(targetPath, { deobfuscate: deobfuscateFn })),
       yieldThen(() => detectObfuscation(targetPath)),
-      scanDependencies(targetPath),
-      scanHashes(targetPath),
-      analyzeDataFlow(targetPath, { deobfuscate: deobfuscateFn }),
-      scanTyposquatting(targetPath),
+      yieldThen(() => scanDependencies(targetPath)),
+      yieldThen(() => scanHashes(targetPath)),
+      yieldThen(() => analyzeDataFlow(targetPath, { deobfuscate: deobfuscateFn })),
+      yieldThen(() => scanTyposquatting(targetPath)),
       yieldThen(() => scanGitHubActions(targetPath)),
       yieldThen(() => matchPythonIOCs(pythonDeps, targetPath)),
       yieldThen(() => checkPyPITyposquatting(pythonDeps, targetPath)),

package/src/monitor.js

@@ -1061,18 +1061,26 @@ function isDailyReportDue() {
 }
 
 function buildDailyReportEmbed() {
-  const avg = stats.scanned > 0 ? (stats.totalTimeMs / stats.scanned / 1000).toFixed(1) : '0.0';
+  // Use disk-based daily entries filtered by lastDailyReportDate for accurate delta
+  const { agg, top3: diskTop3 } = buildReportFromDisk();
 
-  // Top 3 suspects sorted by findings count descending
-  const top3 = dailyAlerts
-    .slice()
-    .sort((a, b) => b.findingsCount - a.findingsCount)
-    .slice(0, 3);
+  // Prefer in-memory dailyAlerts for top suspects (richer data), fallback to disk
+  const top3 = dailyAlerts.length > 0
+    ? dailyAlerts.slice().sort((a, b) => b.findingsCount - a.findingsCount).slice(0, 3)
+    : diskTop3;
 
   const top3Text = top3.length > 0
-    ? top3.map((a, i) => `${i + 1}. **${a.ecosystem}/${a.name}@${a.version}** — ${a.findingsCount} finding(s)`).join('\n')
+    ? top3.map((a, i) => {
+        const name = a.ecosystem ? `${a.ecosystem}/${a.name || a.package}` : (a.name || a.package);
+        const version = a.version || 'N/A';
+        const count = a.findingsCount || (a.findings ? a.findings.length : 0);
+        return `${i + 1}. **${name}@${version}** — ${count} finding(s)`;
+      }).join('\n')
     : 'None';
 
+  // Avg scan time from in-memory stats (not available on disk)
+  const avg = stats.scanned > 0 ? (stats.totalTimeMs / stats.scanned / 1000).toFixed(1) : '0.0';
+
   const now = new Date();
   const readableTime = now.toISOString().replace('T', ' ').replace(/\.\d+Z$/, ' UTC');
 
@@ -1081,9 +1089,9 @@ function buildDailyReportEmbed() {
       title: '\uD83D\uDCCA MUAD\'DIB Daily Report',
       color: 0x3498db,
       fields: [
-        { name: 'Packages Scanned', value: `${stats.scanned}`, inline: true },
-        { name: 'Clean', value: `${stats.clean}`, inline: true },
-        { name: 'Suspects', value: `${stats.suspect}`, inline: true },
+        { name: 'Packages Scanned', value: `${agg.scanned}`, inline: true },
+        { name: 'Clean', value: `${agg.clean}`, inline: true },
+        { name: 'Suspects', value: `${agg.suspect}`, inline: true },
         { name: 'Errors', value: `${stats.errors}`, inline: true },
         { name: 'Avg Scan Time', value: `${avg}s/pkg`, inline: true },
         { name: 'Top Suspects', value: top3Text, inline: false }
@@ -1142,7 +1150,8 @@ function buildReportFromDisk() {
   const stateRaw = loadStateRaw();
   const lastDate = stateRaw.lastDailyReportDate || null;
 
-  // Filter daily entries since last report
+  // If no report ever sent (null), include ALL daily entries (first report = full history).
+  // After first send, lastDailyReportDate is set and subsequent reports show delta only.
   const sinceDays = lastDate
     ? scanData.daily.filter(d => d.date > lastDate)
     : scanData.daily;
@@ -1241,7 +1250,7 @@ function getReportStatus() {
   const stateRaw = loadStateRaw();
   const lastDate = stateRaw.lastDailyReportDate || null;
 
-  // Count packages scanned since last report
+  // Count packages scanned since last report (all history if never sent)
   const scanData = loadScanStats();
   const sinceDays = lastDate
     ? scanData.daily.filter(d => d.date > lastDate)

package/src/scanner/package.js

@@ -121,6 +121,8 @@ async function scanPackageJson(targetPath) {
 
   for (const [depName, depVersion] of Object.entries(allDeps)) {
     if (DANGEROUS_KEYS.has(depName)) continue;
+    // Skip local dependencies (link:, file:, workspace:) — they're local code, not npm packages
+    if (typeof depVersion === 'string' && /^(link:|file:|workspace:)/.test(depVersion)) continue;
     let malicious = null;
 
     // Use optimized Map for O(1) lookup if available

package/testssampleslink-deppackage.json

@@ -0,0 +1 @@
+{"name":"test-link","dependencies":{"eslint-plugin-react-internal":"link:./scripts/eslint-rules","lodash":"^4.17.21"}}