npm-scan-plus 1.0.0

package/src/lib/scanner.ts

@@ -0,0 +1,447 @@
+/**
+ * Core scanner module
+ * Pre and post-install security scanning for npm packages
+ */
+
+import * as fs from 'fs';
+import * as path from 'path';
+import { RegistryClient, createRegistryClient } from './registry';
+import { blocklistManager, TYPOSQUATTING_PATTERNS } from './blocklist';
+import { scanFile, scanDirectory, scanPackageJsonScripts, CODE_EXTENSIONS } from './patterns';
+import { VulnerabilityChecker, createVulnerabilityChecker } from './vuln';
+import {
+  analyzeLicense,
+  checkMaintainerTrust,
+  validateRepository,
+  analyzeDependencies,
+  analyzeFileStructure
+} from './extended';
+import { fullIntegrityCheck } from './integrity';
+import type {
+  PackageMetadata,
+  ScanResult,
+  Threat,
+  ThreatType,
+  ScanOptions,
+  PostInstallScanResult,
+  FileThreat
+} from '../types';
+
+/**
+ * Main scanner class
+ */
+export class Scanner {
+  private registry: RegistryClient;
+  private options: ScanOptions;
+  private vulnChecker: VulnerabilityChecker;
+
+  constructor(options: ScanOptions = {}) {
+    this.options = options;
+    this.registry = createRegistryClient({ registry: options.registry });
+    this.vulnChecker = createVulnerabilityChecker(process.env.GITHUB_TOKEN);
+  }
+
+  /**
+   * Pre-install scan: Check a package before installation
+   */
+  async preInstallScan(packageName: string, version?: string): Promise<ScanResult> {
+    const threats: Threat[] = [];
+    let score = 0;
+
+    // 1. Check blocklist
+    const blocklistEntry = blocklistManager.isBlocklisted(packageName);
+    if (blocklistEntry) {
+      threats.push({
+        type: 'blocklisted',
+        severity: blocklistEntry.severity,
+        message: `Package is blocklisted: ${blocklistEntry.reason}`,
+        details: `Source: ${blocklistEntry.source || 'internal'}`
+      });
+      score += blocklistEntry.severity === 'critical' ? 100 : 75;
+    }
+
+    // 2. Check typosquatting
+    const typosquatMatches = blocklistManager.detectTyposquatting(packageName);
+    if (typosquatMatches.length > 0) {
+      threats.push({
+        type: 'typosquatting',
+        severity: 'high',
+        message: `Possible typosquatting of "${typosquatMatches.join(', ')}"`,
+        details: 'This package name is similar to popular packages - may be attempting to confuse users'
+      });
+      score += 60;
+    }
+
+    // 3. Fetch metadata
+    let rawMetadata: any;
+    try {
+      rawMetadata = await this.registry.getPackageMetadata(packageName, version);
+    } catch (e: any) {
+      threats.push({
+        type: 'supply_chain',
+        severity: 'medium',
+        message: `Could not fetch package metadata: ${e.message}`
+      });
+      return {
+        packageName,
+        version: version || 'unknown',
+        status: 'warning',
+        threats,
+        score: Math.min(score, 100)
+      };
+    }
+
+    const metadata: PackageMetadata = {
+      name: rawMetadata.name,
+      version: rawMetadata['dist-tags']?.latest || version || 'unknown',
+      description: rawMetadata.description,
+      publisher: rawMetadata.publisher,
+      maintainers: rawMetadata.maintainers,
+      repository: rawMetadata.repository,
+      homepage: rawMetadata.homepage,
+      license: rawMetadata.license
+    };
+
+    // Get latest version data
+    const latestVersion = rawMetadata.versions?.[metadata.version] || {};
+    metadata.dependencies = latestVersion.dependencies;
+    metadata.devDependencies = latestVersion.devDependencies;
+    metadata.peerDependencies = latestVersion.peerDependencies;
+    metadata.scripts = latestVersion.scripts;
+    metadata.time = rawMetadata.time;
+
+    // 4. Check for suspicious scripts
+    if (metadata.scripts) {
+      const suspiciousScripts = ['postinstall', 'preinstall', 'postpublish', 'preuninstall', 'postuninstall'];
+      for (const script of suspiciousScripts) {
+        if (metadata.scripts?.[script]) {
+          const isComplex = metadata.scripts?.[script].length > 100 ||
+            /curl|wget|npm\|pipe|\$\(|\||\&\&/.test(metadata.scripts?.[script] || '');
+
+          threats.push({
+            type: 'suspicious_script',
+            severity: isComplex ? 'high' : 'medium',
+            message: `Package has "${script}" script that runs automatically`,
+            details: metadata.scripts?.[script].substring(0, 100)
+          });
+          score += isComplex ? 40 : 20;
+        }
+      }
+    }
+
+    // 5. Check publisher reputation
+    if (!metadata.publisher && !metadata.maintainers?.length) {
+      threats.push({
+        type: 'unknown_publisher',
+        severity: 'medium',
+        message: 'Package has no verified publisher information'
+      });
+      score += 15;
+    }
+
+    // 6. Check version age
+    if (metadata.time?.created) {
+      const created = new Date(metadata.time.created);
+      const daysSince = (Date.now() - created.getTime()) / (1000 * 60 * 60 * 24);
+      if (daysSince < 7 && !metadata.maintainers?.length) {
+        threats.push({
+          type: 'supply_chain',
+          severity: 'medium',
+          message: `Package was published less than ${Math.floor(daysSince)} days ago with no maintainers`
+        });
+        score += 20;
+      }
+    }
+
+    // 7. Check dependencies
+    if (metadata.dependencies) {
+      const depCount = Object.keys(metadata.dependencies).length;
+      if (depCount > 100) {
+        threats.push({
+          type: 'supply_chain',
+          severity: 'low',
+          message: `Package has ${depCount} dependencies - large attack surface`
+        });
+        score += 10;
+      }
+
+      // Check for dependency confusion
+      for (const dep of Object.keys(metadata.dependencies)) {
+        if (dep.startsWith('@') && !dep.includes('/')) {
+          threats.push({
+            type: 'dependency_confusion',
+            severity: 'medium',
+            message: `Scoped dependency "@${dep}" may be internal package confusion`
+          });
+          score += 15;
+          break;
+        }
+      }
+    }
+
+    // 8. Check vulnerability databases (OSV, GitHub Advisory, npm Audit)
+    if (this.options.checkVulnerabilities !== false) {
+      try {
+        const vulnResult = await this.vulnChecker.checkPackage(packageName, version || metadata.version);
+
+        for (const vuln of vulnResult.vulnerabilities) {
+          if (vuln.id.startsWith('CVE-') || vuln.id.startsWith('GHSA-')) {
+            threats.push({
+              type: 'vulnerability',
+              severity: vuln.severity,
+              message: `${vuln.source.toUpperCase()} vulnerability: ${vuln.id}`,
+              details: vuln.summary || vuln.details,
+              location: vuln.patched_versions ? `Fixed in: ${vuln.patched_versions}` : undefined
+            });
+
+            if (vuln.severity === 'critical') score += 50;
+            else if (vuln.severity === 'high') score += 30;
+            else if (vuln.severity === 'medium') score += 15;
+            else score += 5;
+          }
+        }
+      } catch (e) {
+        // Vulnerability check failed, continue without
+      }
+    }
+
+    // 9. License analysis
+    const licenseAnalysis = analyzeLicense(metadata.license);
+    if (licenseAnalysis.risk === 'high') {
+      threats.push({
+        type: 'supply_chain',
+        severity: 'medium',
+        message: `License risk: ${licenseAnalysis.details}`,
+        details: metadata.license
+      });
+      score += 20;
+    } else if (licenseAnalysis.risk === 'critical') {
+      threats.push({
+        type: 'supply_chain',
+        severity: 'high',
+        message: `License: ${licenseAnalysis.details}`,
+        details: metadata.license
+      });
+      score += 40;
+    }
+
+    // 10. Maintainer trust check
+    const mainterTrust = checkMaintainerTrust(metadata.maintainers, metadata.publisher);
+    if (!mainterTrust.isTrusted && mainterTrust.score < 30) {
+      threats.push({
+        type: 'unknown_publisher',
+        severity: 'medium',
+        message: `Maintainer trust: ${mainterTrust.details}`
+      });
+      score += 15;
+    }
+
+    // 11. Repository validation
+    if (metadata.repository) {
+      const repoCheck = await validateRepository(metadata.repository.url, packageName);
+      if (!repoCheck.valid) {
+        for (const issue of repoCheck.issues) {
+          threats.push({
+            type: 'supply_chain',
+            severity: 'medium',
+            message: `Repository issue: ${issue}`,
+            details: repoCheck.details
+          });
+          score += 10;
+        }
+      }
+    }
+
+    // 12. Deprecated dependency check
+    const depAnalysis = analyzeDependencies(metadata.dependencies, metadata.devDependencies);
+    if (depAnalysis.outdatedCount > 0) {
+      threats.push({
+        type: 'supply_chain',
+        severity: 'low',
+        message: `${depAnalysis.outdatedCount} deprecated/outdated dependencies`,
+        details: depAnalysis.details.slice(0, 3).join('; ')
+      });
+      score += depAnalysis.outdatedCount * 2;
+    }
+
+    // 13. Package integrity check
+    const integrityChecked = await fullIntegrityCheck(packageName, version || metadata.version);
+    const integrity = integrityChecked.integrity;
+    const sizeInfo = integrityChecked.size;
+    const tarballInfo = integrityChecked.tarball;
+
+    if (!integrity.valid) {
+      threats.push({
+        type: 'supply_chain',
+        severity: 'high',
+        message: `Integrity check failed: ${integrity.details}`,
+        details: `Expected: ${integrity.expectedHash?.substring(0, 20)}...`
+      });
+      score += 50;
+    }
+    if (sizeInfo.suspicious) {
+      threats.push({
+        type: 'supply_chain',
+        severity: 'medium',
+        message: sizeInfo.details
+      });
+      score += 20;
+    }
+    if (tarballInfo.hasNativeCode) {
+      // Native code is usually fine for big packages, but warn
+      threats.push({
+        type: 'supply_chain',
+        severity: 'low',
+        message: 'Package contains native code'
+      });
+      score += 5;
+    }
+
+    // Determine status
+    const status = this.determineStatus(threats, score);
+
+    return {
+      packageName,
+      version: metadata?.version || version || 'unknown',
+      status,
+      threats,
+      metadata,
+      score
+    };
+  }
+
+  /**
+   * Post-install scan: Scan downloaded packages
+   */
+  async postInstallScan(folderPath?: string): Promise<PostInstallScanResult> {
+    const startTime = Date.now();
+    const scanFolder = folderPath || path.join(process.cwd(), 'node_modules');
+    const allThreats: FileThreat[] = [];
+    let scannedPackages = 0;
+
+    if (!fs.existsSync(scanFolder)) {
+      throw new Error(`node_modules folder not found: ${scanFolder}`);
+    }
+
+    // Find all packages
+    const packages = this.findPackages(scanFolder);
+
+    for (const pkg of packages) {
+      scannedPackages++;
+
+      // Scan package directory
+      if (fs.existsSync(pkg)) {
+        const files = scanDirectory(pkg);
+
+        for (const [filePath, content] of files) {
+          const fileThreats = scanFile(filePath, content);
+          allThreats.push(...fileThreats.map(t => ({
+            ...t,
+            package: pkg.split(path.sep).slice(-2).join(path.sep)
+          })));
+        }
+
+        // Check package.json
+        const packageJsonPath = path.join(pkg, 'package.json');
+        if (fs.existsSync(packageJsonPath)) {
+          try {
+            const pkgJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'));
+            if (pkgJson.scripts) {
+              const scriptThreats = scanPackageJsonScripts(pkgJson.scripts);
+              allThreats.push(...scriptThreats.map(t => ({
+                ...t,
+                package: pkg.split(path.sep).slice(-2).join(path.sep)
+              })));
+            }
+          } catch (e) {
+            // Skip invalid package.json
+          }
+        }
+      }
+    }
+
+    return {
+      scannedPackages,
+      threats: allThreats,
+      duration: Date.now() - startTime
+    };
+  }
+
+  /**
+   * Full scan: Pre-scan, then install, then post-scan
+   */
+  async fullScan(packageName: string, version?: string, folderPath?: string): Promise<{
+    pre: ScanResult;
+    post: PostInstallScanResult;
+  }> {
+    const pre = await this.preInstallScan(packageName, version);
+
+    if (pre.status === 'blocked') {
+      return { pre, post: { scannedPackages: 0, threats: [], duration: 0 } };
+    }
+
+    // Run post-install scan if folder provided
+    let post: PostInstallScanResult = { scannedPackages: 0, threats: [], duration: 0 };
+    if (folderPath) {
+      post = await this.postInstallScan(folderPath);
+    }
+
+    return { pre, post };
+  }
+
+  /**
+   * Find all packages in node_modules
+   */
+  private findPackages(nodeModulesPath: string): string[] {
+    const packages: string[] = [];
+
+    function findPkgs(dir: string, depth: number = 0) {
+      if (depth > 3) return; // Limit depth
+
+      try {
+        const entries = fs.readdirSync(dir, { withFileTypes: true });
+
+        for (const entry of entries) {
+          if (entry.isDirectory()) {
+            const fullPath = path.join(dir, entry.name);
+
+            // Skip scoped packages at root level
+            if (entry.name.startsWith('@')) {
+              findPkgs(fullPath, depth + 1);
+            } else if (fs.existsSync(path.join(fullPath, 'package.json'))) {
+              packages.push(fullPath);
+            }
+          }
+        }
+      } catch (e) {
+        // Skip inaccessible
+      }
+    }
+
+    findPkgs(nodeModulesPath);
+    return packages;
+  }
+
+  /**
+   * Determine overall status from threats and score
+   */
+  private determineStatus(threats: Threat[], score: number): 'safe' | 'warning' | 'danger' | 'blocked' {
+    if (threats.some(t => t.type === 'blocklisted')) {
+      return 'blocked';
+    }
+    if (score >= 60 || threats.some(t => t.severity === 'critical')) {
+      return 'danger';
+    }
+    if (score >= 30 || threats.some(t => t.severity === 'high')) {
+      return 'warning';
+    }
+    return 'safe';
+  }
+}
+
+export function createScanner(options?: ScanOptions): Scanner {
+  return new Scanner(options);
+}
+
+// Export for CLI
+export default { Scanner, createScanner };