np-audit 1.5.1 → 2.1.0

package/src/core/detector.js

@@ -1,5 +1,7 @@
 'use strict';
 
+const { shannonEntropy } = require('../utils/entropy');
+
 // ─── Constants ───────────────────────────────────────────────────────────────
 
 const MAX_CODE_SIZE = 500000; // 500KB - chunk larger files
@@ -338,36 +340,10 @@ function checkFilesystemManipulation(code) {
   };
 }
 
-// ─── Entropy helper ──────────────────────────────────────────────────────────
-
-function shannonEntropy(str) {
-  if (!str || str.length === 0) return 0;
-  const freq = {};
-  for (const ch of str) freq[ch] = (freq[ch] || 0) + 1;
-  let entropy = 0;
-  for (const count of Object.values(freq)) {
-    const p = count / str.length;
-    entropy -= p * Math.log2(p);
-  }
-  return entropy;
-}
+// ─── Entropy helper (re-exported from utils/entropy.js) ─────────────────────
 
 // ─── Main detection function ─────────────────────────────────────────────────
 
-const CHECKS = [
-  checkEval,
-  checkObfuscatorIo,
-  checkHighEntropy,
-  checkHexEscapes,
-  checkFromCharCode,
-  checkBase64Exec,
-  checkChildProcess,
-  checkHexArray,
-  checkProcessEnv,
-  checkNetworkCalls,
-  checkFilesystemManipulation,
-];
-
 /**
  * Run all checks against a code string.
  * For large files, uses a sliding window (50% overlap) so payloads cannot
@@ -399,8 +375,12 @@ function detectObfuscation(code, config = { blockScore: 50, warnScore: 20 }) {
 
   const allFindings = new Map(); // Dedupe by name, keep highest score
 
+  // Combine inline checks with marshaller registry
+  const { getStaticMarshallers } = require('../marshallers');
+  const allChecks = getStaticMarshallers().map(m => m.check.bind(m));
+
   for (const chunk of chunks) {
-    for (const check of CHECKS) {
+    for (const check of allChecks) {
       const result = check(chunk);
       if (result) {
         const existing = allFindings.get(result.name);

package/src/core/scanner.js

@@ -8,6 +8,7 @@ const { parseTarGz, extractFile, getPackageJson }        = require('../utils/tar
 const { detectObfuscation }            = require('./detector');
 const { walkRequires, MAX_FILES_PER_PACKAGE, MAX_TOTAL_BYTES } = require('./requireWalker');
 const { parseCommand }                 = require('../utils/command');
+const { getPackageMarshallers }        = require('../marshallers');
 const output                           = require('../utils/output');
 
 // Lifecycle scripts that npm executes during install. The original tool only
@@ -73,10 +74,7 @@ async function scan(opts) {
     }
   }
 
-  // Track packages without install scripts (for skipped count)
-  let skippedCount = 0;
-
-  // Apply skip filters
+  // Apply user skip filters (scopes, packages, dev)
   packages = packages.filter(pkg => {
     if (noDev && pkg.dev) return false;
     if (pkg.inBundle || pkg.link) return false;
@@ -86,15 +84,15 @@ async function scan(opts) {
         if (pkg.name.startsWith(scope + '/') || pkg.name === scope) return false;
       }
     }
-    // For explicit packages, always include them but track if they have no scripts
-    if (explicitPackageNames.has(pkg.name)) {
-      if (!pkg.hasInstallScript) {
-        skippedCount++;
-        return false;
-      }
-      return true;
-    }
-    // v2/v3 lockfiles reliably report hasInstallScript — skip definitive negatives
+    return true;
+  });
+
+  // All non-skipped packages are eligible for package-level marshallers (CVE)
+  const allPackages = packages;
+
+  // Filter to only packages with lifecycle scripts for code analysis
+  packages = packages.filter(pkg => {
+    if (explicitPackageNames.has(pkg.name)) return true;
     if (lockfileVersion >= 2 && pkg.hasInstallScript === false) return false;
     return true;
   });
@@ -106,23 +104,52 @@ async function scan(opts) {
     return scanPackage(pkg, cwd, config, verbose);
   });
 
+  // Run package-level marshallers (CVE checks) on ALL packages, not just those with scripts
+  if (config.checkVulnerabilities) {
+    const packageMarshallers = getPackageMarshallers();
+    const cveResults = await mapWithConcurrency(allPackages, config.parallelFetches, async (pkg) => {
+      for (const marshaller of packageMarshallers) {
+        const finding = await marshaller.checkPackage(pkg, config);
+        if (finding) return { pkg, finding };
+      }
+      return null;
+    });
+
+    for (const cveResult of cveResults) {
+      if (!cveResult) continue;
+      const { pkg, finding } = cveResult;
+      const existing = results.find(r => r && r.pkg && r.pkg.name === pkg.name);
+      if (existing) {
+        existing.findings.push(finding);
+        if (finding.score > existing.score) {
+          existing.score = finding.score;
+          existing.verdict = verdictFromScore(finding.score, config);
+        }
+      } else {
+        results.push({
+          pkg,
+          scripts: [],
+          score: finding.score,
+          findings: [finding],
+          verdict: verdictFromScore(finding.score, config),
+        });
+      }
+    }
+  }
+
   const scanned = results.filter(Boolean);
-  // Add packages that returned null from scanPackage (no scripts found during scan)
-  skippedCount += results.filter(r => r === null).length;
-
-  // Optionally scan the *current project's own* lifecycle scripts. This is
-  // off by default to avoid surprising users — `npa` is a drop-in replacement
-  // for `npm install` and most projects' own postinstall scripts are
-  // intentionally local. Set `scanSelf: true` in .npmauditor.json (or pass
-  // --scan-self) to opt in. Useful for CI on third-party PRs.
+
+  // Optionally scan the *current project's own* lifecycle scripts.
   if (config.scanSelf) {
     const selfResult = scanCwdProject(cwd, config);
     if (selfResult) scanned.unshift(selfResult);
-    else skippedCount++;
   }
 
-  // Attach metadata to results array
-  scanned.skippedCount = skippedCount;
+  // Scan IDE/tool config files that can auto-execute code
+  const ideResults = scanIdeConfigs(cwd, config);
+  scanned.push(...ideResults);
+
+  scanned.totalPackages = allPackages.length + ideResults.length;
   return scanned;
 }
 
@@ -155,6 +182,78 @@ function scanCwdProject(cwd, config) {
   return analyzeScriptsLocalFromDir(pkg, pkgJson, cwd, config);
 }
 
+const IDE_CONFIG_FILES = [
+  '.vscode/tasks.json',
+  '.vscode/settings.json',
+  '.vscode/launch.json',
+  '.claude/settings.json',
+];
+
+function scanIdeConfigs(cwd, config) {
+  const results = [];
+
+  for (const relPath of IDE_CONFIG_FILES) {
+    const fullPath = path.join(cwd, relPath);
+    if (!fs.existsSync(fullPath)) continue;
+
+    let code;
+    try { code = fs.readFileSync(fullPath, 'utf8'); } catch { continue; }
+
+    const result = detectObfuscation(code, config);
+    if (result.score === 0) continue;
+
+    results.push({
+      pkg: { name: relPath, version: '', self: true },
+      scripts: [{ lifecycle: 'ide-config', file: relPath, code, ...result }],
+      score: result.score,
+      findings: result.findings,
+      verdict: result.verdict,
+    });
+
+    // Also scan any files referenced by commands in tasks.json
+    if (relPath.endsWith('tasks.json')) {
+      const referenced = extractReferencedScripts(code, cwd);
+      for (const { file, scriptCode } of referenced) {
+        const scriptResult = detectObfuscation(scriptCode, config);
+        if (scriptResult.score > 0) {
+          const existing = results.find(r => r.pkg.name === relPath);
+          if (existing) {
+            existing.scripts.push({ lifecycle: 'task-script', file, code: scriptCode, ...scriptResult });
+            existing.findings.push(...scriptResult.findings);
+            if (scriptResult.score > existing.score) {
+              existing.score = scriptResult.score;
+              existing.verdict = verdictFromScore(scriptResult.score, config);
+            }
+          }
+        }
+      }
+    }
+  }
+
+  return results;
+}
+
+function extractReferencedScripts(tasksJson, cwd) {
+  const scripts = [];
+  try {
+    const tasks = JSON.parse(tasksJson);
+    for (const task of tasks.tasks || []) {
+      if (!task.command) continue;
+      // Extract file paths from commands like "node .claude/setup.mjs"
+      const match = task.command.match(/(?:node|bun|deno|sh|bash|python)\s+([^\s]+)/);
+      if (match) {
+        const scriptPath = path.join(cwd, match[1]);
+        if (fs.existsSync(scriptPath)) {
+          try {
+            scripts.push({ file: match[1], scriptCode: fs.readFileSync(scriptPath, 'utf8') });
+          } catch {}
+        }
+      }
+    }
+  } catch {}
+  return scripts;
+}
+
 /**
  * Analyze a package's lifecycle scripts using a directory root as the
  * filesystem base. Used for both node_modules packages and the CWD itself.
@@ -647,24 +746,55 @@ async function resolveSinglePackage(packageSpec, config) {
   const packages = [];
   const seen = new Set();
 
-  function collectDeps(deps) {
-    for (const [depName, range] of Object.entries(deps || {})) {
-      if (seen.has(depName)) continue;
-      seen.add(depName);
-      // Extract the first clean semver from the range (e.g. "4.22.1 || ^5" → "4.22.1", "^5.1.0" → "5.1.0")
+  async function collectDeps(deps, recurse) {
+    const queue = Object.entries(deps || {}).filter(([depName]) => !seen.has(depName));
+    // Mark all as seen first to avoid duplicate fetches
+    for (const [depName] of queue) seen.add(depName);
+
+    const resolutions = await mapWithConcurrency(queue, config.parallelFetches, async ([depName, range]) => {
       const exactVersion = extractSemver(range);
-      if (!exactVersion) continue; // skip unresolvable ranges — lockfile scan will cover them
-      packages.push({
-        name:             depName,
-        version:          exactVersion,
-        resolved:         buildTarballUrl(depName, exactVersion, config.registry),
-        integrity:        '',
-        hasInstallScript: false,
-        dev:              false,
-        optional:         false,
-        inBundle:         false,
-        link:             false,
-      });
+      if (!exactVersion) return null;
+
+      let depScripts = false;
+      let depDeps = null;
+      let depTarball = buildTarballUrl(depName, exactVersion, config.registry);
+      let depIntegrity = '';
+
+      try {
+        const encodedDep = depName.startsWith('@') ? `@${encodeURIComponent(depName.slice(1))}` : encodeURIComponent(depName);
+        const depMeta = await fetchJSON(`${config.registry}/${encodedDep}`, { timeout: config.timeout });
+        const depData = depMeta.versions && depMeta.versions[exactVersion];
+        if (depData) {
+          depScripts = !!(depData.scripts &&
+            (depData.scripts.preinstall || depData.scripts.postinstall || depData.scripts.install));
+          depTarball = depData.dist && depData.dist.tarball || depTarball;
+          depIntegrity = depData.dist && depData.dist.integrity || '';
+          depDeps = depData.dependencies;
+        }
+      } catch {
+        // Failed to fetch dep metadata — add with what we have
+      }
+
+      return {
+        pkg: {
+          name:             depName,
+          version:          exactVersion,
+          resolved:         depTarball,
+          integrity:        depIntegrity,
+          hasInstallScript: depScripts,
+          dev:              false,
+          optional:         false,
+          inBundle:         false,
+          link:             false,
+        },
+        depDeps,
+      };
+    });
+
+    for (const r of resolutions) {
+      if (!r) continue;
+      packages.push(r.pkg);
+      if (recurse && r.depDeps) await collectDeps(r.depDeps, true);
     }
   }
 
@@ -682,7 +812,8 @@ async function resolveSinglePackage(packageSpec, config) {
     link: false,
   });
 
-  collectDeps(versionData.dependencies);
+  seen.add(name);
+  await collectDeps(versionData.dependencies, !!config.deepResolve);
 
   return packages;
 }

package/src/marshallers/base.js

@@ -0,0 +1,18 @@
+'use strict';
+
+class Marshaller {
+  constructor(name, title) {
+    this.name = name;
+    this.title = title;
+  }
+
+  check(code) {
+    return null;
+  }
+
+  async checkPackage(pkg, config) {
+    return null;
+  }
+}
+
+module.exports = { Marshaller };

package/src/marshallers/base64Exec.js

@@ -0,0 +1,23 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class Base64ExecMarshaller extends Marshaller {
+  constructor() {
+    super('encoded-decode', 'Encoded decode + execution detection');
+  }
+
+  check(code) {
+    const hasBase64 = /atob\s*\(|Buffer\.from\s*\([^)]*,\s*['"]base64['"]\)/.test(code);
+    const hasHexDecode = /Buffer\.from\s*\([^)]*,\s*['"]hex['"]\)/.test(code);
+    const hasExec   = /\beval\s*\(|new\s+Function\s*\(|\.exec\s*\(|\(\s*0\s*,\s*eval\s*\)\s*\(/.test(code);
+    if (!hasBase64 && !hasHexDecode) return null;
+    const kind = hasBase64 ? 'Base64' : 'Hex';
+    if (!hasExec) {
+      return { name: 'encoded-decode', score: 3, detail: `${kind} decode found — verify usage` };
+    }
+    return { name: 'encoded-decode+exec', score: 8, detail: `${kind} decode with code execution found` };
+  }
+}
+
+module.exports = new Base64ExecMarshaller();

package/src/marshallers/childProcess.js

@@ -0,0 +1,32 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class ChildProcessMarshaller extends Marshaller {
+  constructor() {
+    super('child-process', 'Shell / process execution detection');
+  }
+
+  check(code) {
+    const patterns = [
+      /require\s*\(\s*['"]child_process['"]\s*\)/,
+      /require\s*\(\s*['"]node:child_process['"]\s*\)/,
+      /require\s*\(\s*['"`][^'"`]*['"`](?:\s*\+\s*['"`][^'"`]*['"`])+\s*\)/,
+      /require\s*\(\s*[a-zA-Z_$][\w$]*\s*\[/,
+      /\bexec\s*\(/,
+      /\bspawn\s*\(/,
+      /\bexecSync\s*\(/,
+      /\bspawnSync\s*\(/,
+      /\bexecFile\s*\(/,
+      /\bexecFileSync\s*\(/,
+      /\bfork\s*\(/,
+      /require\s*\(\s*['"]worker_threads['"]\s*\)/,
+      /new\s+Worker\s*\(/,
+    ];
+    const matched = patterns.filter(p => p.test(code));
+    if (matched.length === 0) return null;
+    return { name: this.name, score: 5, detail: `Shell/process execution found (${matched.length} pattern(s))` };
+  }
+}
+
+module.exports = new ChildProcessMarshaller();

package/src/marshallers/cve.js

@@ -0,0 +1,116 @@
+'use strict';
+
+const fs   = require('fs');
+const path = require('path');
+const os   = require('os');
+const { Marshaller } = require('./base');
+
+const SNYK_CONFIG_FILE = '.config/configstore/snyk.json';
+
+class CveMarshaller extends Marshaller {
+  constructor() {
+    super('known-vulnerability', 'Known vulnerability check (Snyk / OSV.dev)');
+  }
+
+  async checkPackage(pkg, config) {
+    if (!pkg.name || !pkg.version) return null;
+
+    try {
+      const token = this.getSnykToken();
+      const timeout = Math.min(config.timeout || 10000, 10000);
+      const result = token
+        ? await this.querySnyk(pkg.name, pkg.version, token, timeout)
+        : await this.queryOsv(pkg.name, pkg.version, timeout);
+
+      if (result.issuesCount === 0) return null;
+
+      if (result.isMalicious) {
+        return {
+          name: this.name,
+          score: 80,
+          detail: `Malicious package detected — ${result.issuesCount} advisory(ies) found`,
+        };
+      }
+
+      // Non-malicious CVEs are informational (WARN, never BLOCK)
+      let score = 4;
+      if (result.issuesCount >= 10) score = 6;
+      else if (result.issuesCount >= 5) score = 5;
+
+      const source = token ? 'Snyk' : 'OSV.dev';
+      return {
+        name: this.name,
+        score,
+        detail: `${result.issuesCount} known vulnerability(ies) via ${source}`,
+      };
+    } catch {
+      return null;
+    }
+  }
+
+  getSnykToken() {
+    const token = process.env.SNYK_API_TOKEN || process.env.SNYK_TOKEN;
+    if (token) return token;
+
+    try {
+      const configPath = path.join(os.homedir(), SNYK_CONFIG_FILE);
+      const cfg = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+      if (cfg && cfg.api) return cfg.api;
+    } catch {
+      // No Snyk config
+    }
+
+    return null;
+  }
+
+  async querySnyk(packageName, packageVersion, token, timeout) {
+    const { fetchJSON } = require('../utils/fetcher');
+    const apiUrl = process.env.SNYK_API_URL || process.env.SNYK_API || 'https://snyk.io/api/v1/vuln/npm';
+    const url = `${apiUrl}/${encodeURIComponent(packageName + '@' + packageVersion)}`;
+
+    const data = await fetchJSON(url, {
+      timeout,
+      headers: { Authorization: `token ${token}` },
+    });
+
+    if (data && data.vulnerabilities) {
+      const isMalicious = data.vulnerabilities.some(v => v.title === 'Malicious Package');
+      return { issuesCount: data.vulnerabilities.length, isMalicious };
+    }
+    return { issuesCount: 0, isMalicious: false };
+  }
+
+  async queryOsv(packageName, packageVersion, timeout) {
+    const { fetchJSON } = require('../utils/fetcher');
+    const url = 'https://api.osv.dev/v1/query';
+
+    const body = JSON.stringify({
+      version: packageVersion,
+      package: { name: packageName, ecosystem: 'npm' },
+    });
+
+    const data = await fetchJSON(url, {
+      timeout,
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body,
+    });
+
+    if (data && data.vulns && data.vulns.length > 0) {
+      const isMalicious = data.vulns.some(vuln => {
+        const ds = vuln.database_specific;
+        if (ds && ds['malicious-packages-origins'] && Array.isArray(ds['malicious-packages-origins'])) {
+          return true;
+        }
+        if (typeof vuln.summary === 'string' && vuln.summary.toLowerCase().startsWith('malicious')) {
+          return true;
+        }
+        return false;
+      });
+      return { issuesCount: data.vulns.length, isMalicious };
+    }
+    return { issuesCount: 0, isMalicious: false };
+  }
+}
+
+module.exports = new CveMarshaller();

package/src/marshallers/eval.js

@@ -0,0 +1,30 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class EvalMarshaller extends Marshaller {
+  constructor() {
+    super('eval/dynamic-exec', 'Eval / dynamic code execution');
+  }
+
+  check(code) {
+    const patterns = [
+      /\beval\s*\(/,
+      /new\s+Function\s*\(/,
+      /vm\.runInThisContext\s*\(/,
+      /vm\.runInNewContext\s*\(/,
+      /vm\.Script\s*\(/,
+      /\(\s*0\s*,\s*eval\s*\)\s*\(/,
+      /(?:global|globalThis|window|self|this)\s*\[\s*['"`](?:eval|Function)['"`]\s*\]\s*\(/,
+      /(?:global|globalThis|window|self|this)\s*\[\s*['"`][^'"`]*['"`](?:\s*\+\s*['"`][^'"`]*['"`]){1,}\s*\]\s*\(/,
+      /\.constructor\s*\.\s*constructor\s*\(/,
+      /\b(?:setTimeout|setInterval)\s*\(\s*['"`]/,
+      /require\s*\(\s*['"]vm['"]\s*\)/,
+    ];
+    const matched = patterns.filter(p => p.test(code));
+    if (matched.length === 0) return null;
+    return { name: this.name, score: 8, detail: `eval-like call found (${matched.length} pattern(s))` };
+  }
+}
+
+module.exports = new EvalMarshaller();

package/src/marshallers/filesystemManipulation.js

@@ -0,0 +1,47 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class FilesystemManipulationMarshaller extends Marshaller {
+  constructor() {
+    super('filesystem-manipulation', 'Filesystem manipulation detection');
+  }
+
+  check(code) {
+    const writePatterns = [
+      /fs\.write(?:File)?(?:Sync)?\s*\(/,
+      /fs\.append(?:File)?(?:Sync)?\s*\(/,
+      /fs\.create(?:WriteStream)?\s*\(/,
+      /\.pipe\s*\(/,
+    ];
+    const permissionPatterns = [
+      /fs\.chmod(?:Sync)?\s*\(/,
+      /fs\.chown(?:Sync)?\s*\(/,
+      /fs\.access(?:Sync)?\s*\(/,
+    ];
+    const linkPatterns = [
+      /fs\.symlink(?:Sync)?\s*\(/,
+      /fs\.link(?:Sync)?\s*\(/,
+    ];
+
+    const writeMatches = writePatterns.filter(p => p.test(code)).length;
+    const permMatches = permissionPatterns.filter(p => p.test(code)).length;
+    const linkMatches = linkPatterns.filter(p => p.test(code)).length;
+
+    if (writeMatches === 0 && permMatches === 0 && linkMatches === 0) return null;
+
+    const details = [];
+    if (writeMatches > 0) details.push(`${writeMatches} write operation(s)`);
+    if (permMatches > 0) details.push(`${permMatches} permission change(s)`);
+    if (linkMatches > 0) details.push(`${linkMatches} symlink operation(s)`);
+
+    let score = 3;
+    if ((writeMatches > 0 ? 1 : 0) + (permMatches > 0 ? 1 : 0) + (linkMatches > 0 ? 1 : 0) >= 2) {
+      score = 4;
+    }
+
+    return { name: this.name, score, detail: details.join(', ') };
+  }
+}
+
+module.exports = new FilesystemManipulationMarshaller();

package/src/marshallers/fromCharCode.js

@@ -0,0 +1,40 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class FromCharCodeMarshaller extends Marshaller {
+  constructor() {
+    super('fromCharCode', 'String.fromCharCode obfuscation detection');
+  }
+
+  check(code) {
+    let maxArgs = 0;
+    const direct = /(?:String|[\w$]+)\.fromCharCode\s*\(([^)]+)\)/g;
+    let match;
+    while ((match = direct.exec(code)) !== null) {
+      const args = match[1].split(',').filter(a => /^\s*\d+\s*$/.test(a));
+      if (args.length > maxArgs) maxArgs = args.length;
+    }
+
+    const arrRe = /\[\s*((?:\d{1,3}\s*,\s*){7,}\d{1,3})\s*\]/g;
+    let arrMatch;
+    let maxArr = 0;
+    while ((arrMatch = arrRe.exec(code)) !== null) {
+      const nums = arrMatch[1].split(',')
+        .map(s => parseInt(s.trim(), 10))
+        .filter(n => !Number.isNaN(n));
+      const printable = nums.filter(n => n >= 32 && n <= 126).length;
+      if (printable / nums.length >= 0.9 && nums.length > maxArr) maxArr = nums.length;
+    }
+
+    if (maxArgs >= 5) {
+      return { name: this.name, score: 7, detail: `fromCharCode with ${maxArgs} numeric args` };
+    }
+    if (maxArr >= 16) {
+      return { name: this.name, score: 7, detail: `decimal char-code array of length ${maxArr}` };
+    }
+    return null;
+  }
+}
+
+module.exports = new FromCharCodeMarshaller();

package/src/marshallers/hexArray.js

@@ -0,0 +1,21 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class HexArrayMarshaller extends Marshaller {
+  constructor() {
+    super('hex-array', 'Hex literal array detection');
+  }
+
+  check(code) {
+    const hexLiterals = (code.match(/\b0x[0-9a-fA-F]+\b/g) || []).length;
+    if (hexLiterals < 20) return null;
+    let score = 7;
+    if (hexLiterals > 2000) score = 60;
+    else if (hexLiterals > 500) score = 40;
+    else if (hexLiterals > 100) score = 20;
+    return { name: this.name, score, detail: `${hexLiterals} hex literal values found` };
+  }
+}
+
+module.exports = new HexArrayMarshaller();