muaddib-scanner 2.7.9 → 2.8.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.7.9",
+  "version": "2.8.0",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -592,7 +592,8 @@ async function run(targetPath, options = {}) {
   // Enrich each threat with rules
   const enrichedThreats = deduped.map(t => {
     const rule = getRule(t.type);
-    const points = SEVERITY_WEIGHTS[t.severity] || 0;
+    const confFactor = { high: 1.0, medium: 0.85, low: 0.6 }[rule.confidence] || 1.0;
+    const points = Math.round((SEVERITY_WEIGHTS[t.severity] || 0) * confFactor);
     return {
       ...t,
       rule_id: rule.id || t.type,

package/src/ioc/scraper.js

@@ -154,6 +154,8 @@ function loadStaticIOCs() {
 
 const MAX_REDIRECTS = 5;
 const MAX_RESPONSE_SIZE = 200 * 1024 * 1024; // 200MB
+const MAX_ENTRY_UNCOMPRESSED = 50 * 1024 * 1024;   // 50MB per zip entry
+const MAX_TOTAL_UNCOMPRESSED = 500 * 1024 * 1024;   // 500MB total budget per zip
 
 function fetchJSON(url, options = {}, redirectCount = 0) {
   return new Promise((resolve, reject) => {
@@ -762,6 +764,7 @@ async function scrapeOSVDataDump() {
 
     let malCount = 0;
     let skippedCount = 0;
+    let totalUncompressed = 0;
 
     const spinner = new Spinner();
     try {
@@ -775,6 +778,19 @@ async function scrapeOSVDataDump() {
         if (!name.startsWith('MAL-') || !name.endsWith('.json')) {
           skippedCount++;
         } else {
+          // Zip bomb protection: check declared uncompressed size
+          const entrySize = entry.header ? entry.header.size : 0;
+          if (entrySize > MAX_ENTRY_UNCOMPRESSED) {
+            console.warn(`[WARN] Zip bomb protection: skipping oversized entry ${name} (${entrySize} bytes)`);
+            skippedCount++;
+            continue;
+          }
+          totalUncompressed += entrySize;
+          if (totalUncompressed > MAX_TOTAL_UNCOMPRESSED) {
+            console.warn(`[WARN] Zip bomb protection: total uncompressed budget exceeded at entry ${name}, stopping`);
+            break;
+          }
+
           try {
             const content = entry.getData().toString('utf8');
             const vuln = JSON.parse(content);
@@ -784,8 +800,8 @@ async function scrapeOSVDataDump() {
             // Track known IDs so OSSF can skip them
             knownIds.add(vuln.id || path.basename(name, '.json'));
             malCount++;
-          } catch {
-            // Skip unparseable entries
+          } catch (parseErr) {
+            console.warn(`[WARN] Skipping unparseable entry: ${name}`);
           }
         }
 
@@ -824,6 +840,7 @@ async function scrapeOSVPyPIDataDump() {
 
     let malCount = 0;
     let skippedCount = 0;
+    let totalUncompressed = 0;
 
     const spinner = new Spinner();
     try {
@@ -837,14 +854,27 @@ async function scrapeOSVPyPIDataDump() {
         if (!name.startsWith('MAL-') || !name.endsWith('.json')) {
           skippedCount++;
         } else {
+          // Zip bomb protection: check declared uncompressed size
+          const entrySize = entry.header ? entry.header.size : 0;
+          if (entrySize > MAX_ENTRY_UNCOMPRESSED) {
+            console.warn(`[WARN] Zip bomb protection: skipping oversized entry ${name} (${entrySize} bytes)`);
+            skippedCount++;
+            continue;
+          }
+          totalUncompressed += entrySize;
+          if (totalUncompressed > MAX_TOTAL_UNCOMPRESSED) {
+            console.warn(`[WARN] Zip bomb protection: total uncompressed budget exceeded at entry ${name}, stopping`);
+            break;
+          }
+
           try {
             const content = entry.getData().toString('utf8');
             const vuln = JSON.parse(content);
             const parsed = parseOSVEntry(vuln, 'osv-malicious-pypi', 'PyPI');
             for (const p of parsed) packages.push(p);
             malCount++;
-          } catch {
-            // Skip unparseable entries
+          } catch (parseErr) {
+            console.warn(`[WARN] Skipping unparseable entry: ${name}`);
           }
         }
 
@@ -1356,7 +1386,8 @@ module.exports = {
   parseCSVLine, parseCSV, extractVersions, parseOSVEntry,
   createFreshness, isAllowedRedirect, loadStaticIOCs,
   validateIOCEntry,
-  CONFIDENCE_ORDER, ALLOWED_REDIRECT_DOMAINS
+  CONFIDENCE_ORDER, ALLOWED_REDIRECT_DOMAINS,
+  MAX_ENTRY_UNCOMPRESSED, MAX_TOTAL_UNCOMPRESSED
 };
 
 // Direct execution if called as CLI

package/src/ioc/updater.js

@@ -345,7 +345,7 @@ function createOptimizedIOCs(iocs) {
 const NEVER_WILDCARD = new Set([
   'event-stream', 'ua-parser-js', 'coa', 'rc',
   'colors', 'faker', 'node-ipc',
-  'posthog-node', 'ngx-bootstrap', '@asyncapi/specs'
+  'posthog-node', 'posthog-js', 'ngx-bootstrap', '@asyncapi/specs'
 ]);
 
 function generateCompactIOCs(fullIOCs) {

package/src/scoring.js

@@ -1,3 +1,5 @@
+const { getRule } = require('./rules/index.js');
+
 // ============================================
 // SCORING CONSTANTS
 // ============================================
@@ -38,6 +40,13 @@ const MAX_RISK_SCORE = 100;
 // to limit noise while preserving some signal. CRITICAL and HIGH prototype_hook findings still score normally.
 const PROTO_HOOK_MEDIUM_CAP = 15;
 
+// Confidence-weighted scoring factors (v2.7.10)
+// High-confidence detections (eval, IOC, shell injection) score at full weight.
+// Medium-confidence heuristics (lifecycle_script, obfuscation, high_entropy) are discounted.
+// Low-confidence informational findings (possible_obfuscation, base64_in_script) are heavily discounted.
+// Unknown/paranoid rules default to 1.0 (no penalty).
+const CONFIDENCE_FACTORS = { high: 1.0, medium: 0.85, low: 0.6 };
+
 // ============================================
 // PER-FILE MAX SCORING (v2.2.11)
 // ============================================
@@ -76,24 +85,24 @@ function isPackageLevelThreat(threat) {
  * @returns {number} score 0-100
  */
 function computeGroupScore(threats) {
-  const criticalCount = threats.filter(t => t.severity === 'CRITICAL').length;
-  const highCount = threats.filter(t => t.severity === 'HIGH').length;
-  const mediumCount = threats.filter(t => t.severity === 'MEDIUM').length;
-  const lowCount = threats.filter(t => t.severity === 'LOW').length;
+  let score = 0;
+  let protoHookMediumPoints = 0;
 
-  const mediumProtoHookCount = threats.filter(
-    t => t.type === 'prototype_hook' && t.severity === 'MEDIUM'
-  ).length;
-  const protoHookPoints = Math.min(mediumProtoHookCount * SEVERITY_WEIGHTS.MEDIUM, PROTO_HOOK_MEDIUM_CAP);
-  const otherMediumCount = mediumCount - mediumProtoHookCount;
+  for (const t of threats) {
+    const weight = SEVERITY_WEIGHTS[t.severity] || 0;
+    const rule = getRule(t.type);
+    const factor = CONFIDENCE_FACTORS[rule.confidence] || 1.0;
 
-  let score = 0;
-  score += criticalCount * SEVERITY_WEIGHTS.CRITICAL;
-  score += highCount * SEVERITY_WEIGHTS.HIGH;
-  score += otherMediumCount * SEVERITY_WEIGHTS.MEDIUM;
-  score += protoHookPoints;
-  score += lowCount * SEVERITY_WEIGHTS.LOW;
-  return Math.min(MAX_RISK_SCORE, score);
+    if (t.type === 'prototype_hook' && t.severity === 'MEDIUM') {
+      protoHookMediumPoints += weight * factor;
+      continue;
+    }
+
+    score += weight * factor;
+  }
+
+  score += Math.min(protoHookMediumPoints, PROTO_HOOK_MEDIUM_CAP);
+  return Math.min(MAX_RISK_SCORE, Math.round(score));
 }
 
 // ============================================
@@ -434,6 +443,6 @@ function calculateRiskScore(deduped, intentResult) {
 }
 
 module.exports = {
-  SEVERITY_WEIGHTS, RISK_THRESHOLDS, MAX_RISK_SCORE,
+  SEVERITY_WEIGHTS, RISK_THRESHOLDS, MAX_RISK_SCORE, CONFIDENCE_FACTORS,
   isPackageLevelThreat, computeGroupScore, applyFPReductions, calculateRiskScore
 };