muaddib-scanner 2.2.9 → 2.2.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.fr.md +11 -1
- package/README.md +11 -1
- package/package.json +1 -1
package/README.fr.md
CHANGED
|
@@ -720,9 +720,19 @@ Output (CLI, JSON, HTML, SARIF, Webhook, Threat Feed)
|
|
|
720
720
|
|----------|----------|---------|
|
|
721
721
|
| **TPR** (Ground Truth) | **100%** (4/4) | Attaques reelles : event-stream, ua-parser-js, coa, node-ipc |
|
|
722
722
|
| **FPR** (Benign) | **17.5%** (92/527) | 529 packages npm, vrai code source via `npm pack`, seuil > 20 |
|
|
723
|
+
| **FPR** (Packages standard) | **6.0%** (15/251) | Packages avec <10 fichiers JS — librairies et outils typiques |
|
|
723
724
|
| **ADR** (Adversarial) | **100%** (35/35) | 35 samples evasifs sur 4 vagues red team |
|
|
724
725
|
| **Holdouts** (pre-tuning) | 40/40 pass | Tous les holdouts passent apres corrections |
|
|
725
726
|
|
|
727
|
+
**FPR par taille de package** — Le FPR correle lineairement avec la taille du package. Les gros frameworks (Next.js, Gatsby, Webpack) accumulent des findings legitimes qui declenchent les heuristiques :
|
|
728
|
+
|
|
729
|
+
| Categorie | Packages | FP | FPR |
|
|
730
|
+
|-----------|----------|-----|-----|
|
|
731
|
+
| Petits (<10 fichiers JS) | 251 | 15 | **6.0%** |
|
|
732
|
+
| Moyens (10-50 fichiers JS) | 137 | 27 | 19.7% |
|
|
733
|
+
| Gros (50-100 fichiers JS) | 38 | 14 | 36.8% |
|
|
734
|
+
| Tres gros (100+ fichiers JS) | 62 | 29 | 46.8% |
|
|
735
|
+
|
|
726
736
|
**Progression FPR** : 0% (invalide, dirs vides, v2.2.0-v2.2.6) → 38% (premiere vraie mesure, v2.2.7) → 19.4% (v2.2.8) → **17.5%** (v2.2.9)
|
|
727
737
|
|
|
728
738
|
**Progression holdout** (scores pre-tuning, regles gelees) :
|
|
@@ -736,7 +746,7 @@ Output (CLI, JSON, HTML, SARIF, Webhook, Threat Feed)
|
|
|
736
746
|
| v5 | 50% (5/10) | Dataflow inter-module (nouveau scanner) |
|
|
737
747
|
|
|
738
748
|
- **TPR** (True Positive Rate) : taux de detection sur 4 attaques supply-chain reelles (event-stream, ua-parser-js, coa, node-ipc)
|
|
739
|
-
- **FPR** (False Positive Rate) : packages avec score > 20 sur 529 packages npm reels (code source scanne, pas des dirs vides)
|
|
749
|
+
- **FPR** (False Positive Rate) : packages avec score > 20 sur 529 packages npm reels (code source scanne, pas des dirs vides). Le 6% sur les packages standard (<10 fichiers JS, 251 packages) est la metrique la plus representative pour un usage typique — la plupart des packages npm sont petits.
|
|
740
750
|
- **ADR** (Adversarial Detection Rate) : taux de detection sur 35 samples malveillants evasifs sur 4 vagues red team
|
|
741
751
|
- **Holdout** (pre-tuning) : taux de detection sur 10 samples jamais vus avec regles gelees (mesure de generalisation)
|
|
742
752
|
|
package/README.md
CHANGED
|
@@ -723,9 +723,19 @@ Output (CLI, JSON, HTML, SARIF, Webhook, Threat Feed)
|
|
|
723
723
|
|--------|--------|---------|
|
|
724
724
|
| **TPR** (Ground Truth) | **100%** (4/4) | Real-world attacks: event-stream, ua-parser-js, coa, node-ipc |
|
|
725
725
|
| **FPR** (Benign) | **17.5%** (92/527) | 529 npm packages, real source code via `npm pack`, threshold > 20 |
|
|
726
|
+
| **FPR** (Standard packages) | **6.0%** (15/251) | Packages with <10 JS files — typical libraries and tools |
|
|
726
727
|
| **ADR** (Adversarial) | **100%** (35/35) | 35 evasive samples across 4 red-team waves |
|
|
727
728
|
| **Holdouts** (pre-tuning) | 40/40 pass | All holdout samples pass after corrections |
|
|
728
729
|
|
|
730
|
+
**FPR by package size** — FPR correlates linearly with package size. Large frameworks (Next.js, Gatsby, Webpack) accumulate legitimate findings that trigger heuristics:
|
|
731
|
+
|
|
732
|
+
| Category | Packages | FP | FPR |
|
|
733
|
+
|----------|----------|-----|-----|
|
|
734
|
+
| Small (<10 JS files) | 251 | 15 | **6.0%** |
|
|
735
|
+
| Medium (10-50 JS files) | 137 | 27 | 19.7% |
|
|
736
|
+
| Large (50-100 JS files) | 38 | 14 | 36.8% |
|
|
737
|
+
| Very large (100+ JS files) | 62 | 29 | 46.8% |
|
|
738
|
+
|
|
729
739
|
**FPR progression**: 0% (invalid, empty dirs, v2.2.0-v2.2.6) → 38% (first real measurement, v2.2.7) → 19.4% (v2.2.8) → **17.5%** (v2.2.9)
|
|
730
740
|
|
|
731
741
|
**Holdout progression** (pre-tuning scores, rules frozen):
|
|
@@ -739,7 +749,7 @@ Output (CLI, JSON, HTML, SARIF, Webhook, Threat Feed)
|
|
|
739
749
|
| v5 | 50% (5/10) | Inter-module dataflow (new scanner) |
|
|
740
750
|
|
|
741
751
|
- **TPR** (True Positive Rate): detection rate on 4 real-world supply-chain attacks (event-stream, ua-parser-js, coa, node-ipc)
|
|
742
|
-
- **FPR** (False Positive Rate): packages scoring > 20 out of 529 real npm packages (source code scanned, not empty dirs)
|
|
752
|
+
- **FPR** (False Positive Rate): packages scoring > 20 out of 529 real npm packages (source code scanned, not empty dirs). The 6% on standard packages (<10 JS files, 251 packages) is the most representative metric for typical use — most npm packages are small.
|
|
743
753
|
- **ADR** (Adversarial Detection Rate): detection rate on 35 evasive malicious samples across 4 red-team waves
|
|
744
754
|
- **Holdout** (pre-tuning): detection rate on 10 unseen samples with rules frozen (measures generalization)
|
|
745
755
|
|