npm-scan-plus 1.0.0

package/src/lib/vuln.ts

@@ -0,0 +1,321 @@
+/**
+ * Vulnerability databases API integration
+ * OSV, GitHub Advisory, npm Audit
+ */
+
+const OSV_API = 'https://api.osv.dev/v1/query';
+const GITHUB_ADVISORIES_API = 'https://api.github.com/advisories';
+const NPM_AUDIT_API = 'https://registry.npmjs.org/-/npm/v1/security/advisors';
+
+export interface Vulnerability {
+  id: string;
+  source: 'osv' | 'github' | 'npm';
+  severity: 'low' | 'medium' | 'high' | 'critical';
+  summary?: string;
+  details?: string;
+  aliases?: string[];
+  patched_versions?: string;
+  affected_versions?: string;
+  references?: string[];
+  published?: string;
+  modified?: string;
+}
+
+export interface VulnerabilityResult {
+  packageName: string;
+  vulnerabilities: Vulnerability[];
+  checkedAt: string;
+}
+
+/**
+ * OSV (Open Source Vulnerabilities) API client
+ * Free database maintained by Google
+ */
+export class OSVClient {
+  private apiUrl = OSV_API;
+
+  /**
+   * Query OSV for vulnerabilities in a package
+   */
+  async checkPackage(packageName: string, version?: string): Promise<Vulnerability[]> {
+    const query: any = {
+      package: {
+        name: packageName,
+        ecosystem: 'npm'
+      }
+    };
+
+    if (version) {
+      query.version = version;
+    }
+
+    try {
+      const response = await fetch(this.apiUrl, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json'
+        },
+        body: JSON.stringify(query)
+      });
+
+      if (!response.ok) {
+        return [];
+      }
+
+      const data: any = await response.json();
+      const vulns = data.vulns || [];
+
+      return vulns.map(v => ({
+        id: v.id,
+        source: 'osv' as const,
+        severity: this.mapSeverity(v.severity),
+        summary: v.summary,
+        details: v.details,
+        aliases: v.aliases,
+        patched_versions: this.getPatchedVersions(v.affected),
+        affected_versions: this.getAffectedVersions(v.affected),
+        references: v.references?.map((r: any) => r.url),
+        published: v.published,
+        modified: v.modified
+      }));
+    } catch (error) {
+      console.error('OSV API error:', error);
+      return [];
+    }
+  }
+
+  /**
+   * Map OSV severity to our severity
+   */
+  private mapSeverity(severity: any): 'low' | 'medium' | 'high' | 'critical' {
+    const s = String(severity || '').toLowerCase();
+    if (s === 'critical') return 'critical';
+    if (s === 'high') return 'high';
+    if (s === 'medium') return 'medium';
+    return 'low';
+  }
+
+  /**
+   * Extract patched versions from OSV affected field
+   */
+  private getPatchedVersions(affected: any[]): string | undefined {
+    if (!affected || affected.length === 0) return undefined;
+
+    for (const a of affected) {
+      if (a.versions && a.ranges) {
+        for (const range of a.ranges) {
+          if (range.type === 'semver' && range.events) {
+            for (const event of range.events) {
+              if (event.introduced || event.fixed) {
+                return event.fixed || '<' + event.introduced;
+              }
+            }
+          }
+        }
+      }
+    }
+    return undefined;
+  }
+
+  /**
+   * Get affected versions string
+   */
+  private getAffectedVersions(affected: any[]): string | undefined {
+    if (!affected || affected.length === 0) return undefined;
+    const versions = affected.map(a => a.package?.version).filter(Boolean);
+    return versions.length > 0 ? versions.join(', ') : undefined;
+  }
+}
+
+/**
+ * GitHub Advisory Database API client
+ * Requires authentication for higher rate limits
+ */
+export class GitHubAdvisoryClient {
+  private token: string | undefined;
+  private apiUrl = GITHUB_ADVISORIES_API;
+
+  constructor(token?: string) {
+    this.token = token || process.env.GITHUB_TOKEN;
+  }
+
+  /**
+   * Fetch advisories for a specific package
+   */
+  async checkPackage(packageName: string): Promise<Vulnerability[]> {
+    // GitHub advisories are fetched from the ecosystem-wide list
+    // We filter by package name client-side
+    try {
+      const response = await fetch(
+        `${this.apiUrl}?ecosystem=npm&package=${packageName}`,
+        {
+          headers: this.getHeaders()
+        }
+      );
+
+      if (!response.ok) {
+        if (response.status === 403) {
+          console.warn('GitHub API rate limited. Set GITHUB_TOKEN for higher limits.');
+        }
+        return [];
+      }
+
+      const data: any = await response.json();
+      const advisories = data.advisories || [];
+
+      return advisories.map((a: any) => ({
+        id: a.ghsa_id || a.cve_id,
+        source: 'github' as const,
+        severity: this.mapSeverity(a.severity),
+        summary: a.summary,
+        details: a.description,
+        aliases: a.cve_id ? [a.cve_id] : [],
+        patched_versions: a.vulnerabilities?.[0]?.patched_versions,
+        affected_versions: a.vulnerabilities?.[0]?.vulnerable_version_range,
+        references: a.references?.map((r: any) => r.url),
+        published: a.published_at,
+        modified: a.updated_at
+      }));
+    } catch (error) {
+      console.error('GitHub Advisory API error:', error);
+      return [];
+    }
+  }
+
+  /**
+   * Map GitHub severity to our severity
+   */
+  private mapSeverity(severity: any): 'low' | 'medium' | 'high' | 'critical' {
+    const s = String(severity || '').toLowerCase();
+    if (s === 'critical') return 'critical';
+    if (s === 'high') return 'high';
+    if (s === 'medium') return 'medium';
+    return 'low';
+  }
+
+  /**
+   * Get HTTP headers
+   */
+  private getHeaders(): Record<string, string> {
+    const headers: Record<string, string> = {
+      'Accept': 'application/vnd.github+json',
+      'X-GitHub-Api-Version': '2022-11-28'
+    };
+    if (this.token) {
+      headers['Authorization'] = `Bearer ${this.token}`;
+    }
+    return headers;
+  }
+}
+
+/**
+ * npm Audit API client
+ * Official npm security advisories
+ */
+export class NpmAuditClient {
+  private apiUrl = NPM_AUDIT_API;
+
+  /**
+   * Fetch advisories from npm
+   */
+  async checkPackage(packageName: string): Promise<Vulnerability[]> {
+    try {
+      const response = await fetch(
+        `${this.apiUrl}?package=${packageName}`,
+        {
+          headers: {
+            'Accept': 'application/json'
+          }
+        }
+      );
+
+      if (!response.ok) {
+        return [];
+      }
+
+      const data: any = await response.json();
+      const advisories = data.data || [];
+
+      return advisories.map((a: any) => ({
+        id: a.id,
+        source: 'npm' as const,
+        severity: this.mapSeverity(a.severity),
+        summary: a.title,
+        details: a.url,
+        patched_versions: a.patched_versions,
+        affected_versions: a.vulnerable_versions,
+        references: [a.url].filter(Boolean),
+        published: a.published,
+        modified: a.modified
+      }));
+    } catch (error) {
+      console.error('npm Audit API error:', error);
+      return [];
+    }
+  }
+
+  /**
+   * Map npm severity to our severity
+   */
+  private mapSeverity(severity: any): 'low' | 'medium' | 'high' | 'critical' {
+    const s = String(severity || '').toLowerCase();
+    if (s === 'critical') return 'critical';
+    if (s === 'high') return 'high';
+    if (s === 'medium') return 'medium';
+    return 'low';
+  }
+}
+
+/**
+ * Combined vulnerability checker
+ * Queries all three sources
+ */
+export class VulnerabilityChecker {
+  private osv: OSVClient;
+  private github: GitHubAdvisoryClient;
+  private npmAudit: NpmAuditClient;
+
+  constructor(githubToken?: string) {
+    this.osv = new OSVClient();
+    this.github = new GitHubAdvisoryClient(githubToken);
+    this.npmAudit = new NpmAuditClient();
+  }
+
+  /**
+   * Check a package against all vulnerability databases
+   */
+  async checkPackage(packageName: string, version?: string): Promise<VulnerabilityResult> {
+    const [osvVulns, githubVulns, npmVulns] = await Promise.all([
+      this.osv.checkPackage(packageName, version).catch(() => []),
+      this.github.checkPackage(packageName).catch(() => []),
+      this.npmAudit.checkPackage(packageName).catch(() => [])
+    ]);
+
+    // Deduplicate by CVE ID
+    const seen = new Set<string>();
+    const combined: Vulnerability[] = [];
+
+    for (const v of [...osvVulns, ...githubVulns, ...npmVulns]) {
+      const id = v.id || v.aliases?.[0];
+      if (id && !seen.has(id)) {
+        seen.add(id);
+        combined.push(v);
+      }
+    }
+
+    return {
+      packageName,
+      vulnerabilities: combined,
+      checkedAt: new Date().toISOString()
+    };
+  }
+}
+
+// Export factory functions
+export function createVulnerabilityChecker(token?: string): VulnerabilityChecker {
+  return new VulnerabilityChecker(token);
+}
+
+export const osvClient = new OSVClient();
+export const githubAdvisoryClient = new GitHubAdvisoryClient();
+export const npmAuditClient = new NpmAuditClient();

package/src/types.ts

@@ -0,0 +1,102 @@
+/**
+ * npm-scan type definitions
+ */
+
+export interface PackageMetadata {
+  name: string;
+  version: string;
+  description?: string;
+  publisher?: {
+    username: string;
+    email: string;
+  };
+  maintainers?: Array<{
+    username: string;
+    email: string;
+  }>;
+  repository?: {
+    type: string;
+    url: string;
+  };
+  homepage?: string;
+  license?: string;
+  dependencies?: Record<string, string>;
+  devDependencies?: Record<string, string>;
+  peerDependencies?: Record<string, string>;
+  scripts?: Record<string, string>;
+  latest?: string;
+  time?: {
+    created: string;
+    modified: string;
+  };
+}
+
+export interface ScanResult {
+  packageName: string;
+  version: string;
+  status: 'safe' | 'warning' | 'danger' | 'blocked';
+  threats: Threat[];
+  metadata?: PackageMetadata;
+  score: number;
+}
+
+export interface Threat {
+  type: ThreatType;
+  severity: 'low' | 'medium' | 'high' | 'critical';
+  message: string;
+  details?: string;
+  location?: string;
+}
+
+export type ThreatType =
+  | 'blocklisted'
+  | 'vulnerability'
+  | 'obfuscation'
+  | 'suspicious_code'
+  | 'typosquatting'
+  | 'supply_chain'
+  | 'suspicious_script'
+  | 'unknown_publisher'
+  | 'dependency_confusion';
+
+export interface BlocklistEntry {
+  package: string;
+  reason: string;
+  addedAt: string;
+  severity: 'high' | 'critical';
+  source?: string;
+}
+
+export interface ScanOptions {
+  registry?: string;
+  blocklist?: string[];
+  checkVulnerabilities?: boolean;
+  checkObfuscation?: boolean;
+  checkPatterns?: boolean;
+  timeout?: number;
+}
+
+export interface PostInstallScanResult {
+  scannedPackages: number;
+  threats: FileThreat[];
+  duration: number;
+}
+
+export interface FileThreat {
+  package: string;
+  file: string;
+  type: ThreatType;
+  severity: 'low' | 'medium' | 'high' | 'critical';
+  message: string;
+  line?: number;
+  code?: string;
+}
+
+export interface CliOptions {
+  command: 'pre' | 'post' | 'scan' | 'blocklist';
+  subcommand?: 'add' | 'remove' | 'list';
+  package?: string;
+  version?: string;
+  folder?: string;
+  verbose?: boolean;
+}

package/tests/blocklist.test.ts

@@ -0,0 +1,89 @@
+/**
+ * Unit tests for blocklist module
+ */
+
+import { blocklistManager, TYPOSQUATTING_PATTERNS } from '../src/lib/blocklist';
+
+describe('BlocklistManager', () => {
+  describe('isBlocklisted', () => {
+    it('should return blocklist entry for known malicious package', () => {
+      const result = blocklistManager.isBlocklisted('event-stream');
+      expect(result).not.toBeNull();
+      expect(result?.package).toBe('event-stream');
+      expect(result?.severity).toBe('critical');
+    });
+
+    it('should return null for safe package', () => {
+      const result = blocklistManager.isBlocklisted('lodash');
+      expect(result).toBeNull();
+    });
+
+    it('should be case-insensitive', () => {
+      const result = blocklistManager.isBlocklisted('EVENT-STREAM');
+      expect(result).not.toBeNull();
+    });
+
+    it('should work for flatmap-stream', () => {
+      const result = blocklistManager.isBlocklisted('flatmap-stream');
+      expect(result).not.toBeNull();
+      expect(result?.severity).toBe('critical');
+    });
+  });
+
+  describe('detectTyposquatting', () => {
+    it('should detect typosquatting variations', () => {
+      // Test a known typosquat
+      const result = blocklistManager.detectTyposquatting('lodsh');
+      expect(result).toContain('lodash');
+    });
+
+    it('should return empty array for legitimate packages', () => {
+      const result = blocklistManager.detectTyposquatting('axios');
+      expect(result).toHaveLength(0);
+    });
+  });
+
+  describe('addToBlocklist / removeFromBlocklist', () => {
+    it('should add package to user blocklist', () => {
+      const testPackage = 'test-malicious-' + Date.now();
+      blocklistManager.addToBlocklist(testPackage, 'Test reason', 'high');
+      const result = blocklistManager.isBlocklisted(testPackage);
+      expect(result).not.toBeNull();
+      expect(result?.reason).toBe('Test reason');
+
+      // Cleanup
+      blocklistManager.removeFromBlocklist(testPackage);
+    });
+
+    it('should remove package from blocklist', () => {
+      const testPackage = 'test-remove-' + Date.now();
+      blocklistManager.addToBlocklist(testPackage, 'Test', 'high');
+      blocklistManager.removeFromBlocklist(testPackage);
+      const result = blocklistManager.isBlocklisted(testPackage);
+      expect(result).toBeNull();
+    });
+  });
+
+  describe('getBlocklist', () => {
+    it('should return array of blocked packages', () => {
+      const list = blocklistManager.getBlocklist();
+      expect(Array.isArray(list)).toBe(true);
+      expect(list.length).toBeGreaterThan(0);
+    });
+
+    it('should include known malicious packages', () => {
+      const list = blocklistManager.getBlocklist();
+      const names = list.map(e => e.package);
+      expect(names).toContain('event-stream');
+    });
+  });
+});
+
+describe('TYPOSQUATTING_PATTERNS', () => {
+  it('should include common packages', () => {
+    const patterns = TYPOSQUATTING_PATTERNS.map(p => p.pattern);
+    expect(patterns).toContain('lodash');
+    expect(patterns).toContain('axios');
+    expect(patterns).toContain('express');
+  });
+});

package/tests/extended.test.ts

@@ -0,0 +1,204 @@
+/**
+ * Unit tests for extended analysis module
+ */
+
+import {
+  analyzeLicense,
+  checkMaintainerTrust,
+  validateRepository,
+  analyzeDependencies,
+  analyzeFileStructure
+} from '../src/lib/extended';
+
+describe('Extended Analysis', () => {
+  describe('analyzeLicense', () => {
+    it('should identify MIT as low risk', () => {
+      const result = analyzeLicense('MIT');
+      expect(result.risk).toBe('low');
+      expect(result.permissive).toBe(true);
+    });
+
+    it('should identify Apache-2.0 as low risk', () => {
+      const result = analyzeLicense('Apache-2.0');
+      expect(result.risk).toBe('low');
+    });
+
+    it('should identify BSD as low risk', () => {
+      const result = analyzeLicense('BSD');
+      expect(result.risk).toBe('low');
+    });
+
+    it('should identify ISC as low risk', () => {
+      const result = analyzeLicense('ISC');
+      expect(result.risk).toBe('low');
+    });
+
+    it('should identify GPL-3.0 as high risk', () => {
+      const result = analyzeLicense('GPL-3.0');
+      expect(result.risk).toBe('high');
+    });
+
+    it('should identify AGPL-3.0 as high risk', () => {
+      const result = analyzeLicense('AGPL-3.0');
+      expect(result.risk).toBe('high');
+    });
+
+    it('should identify missing license as high risk', () => {
+      const result = analyzeLicense(undefined);
+      expect(result.risk).toBe('high');
+    });
+
+    it('should handle no license string', () => {
+      const result = analyzeLicense(undefined);
+      expect(result.risk).toBe('high');
+    });
+
+    it('should identify custom licenses', () => {
+      const result = analyzeLicense('CUSTOM');
+      expect(result.risk).toBe('medium');
+    });
+
+    it('should handle OR patterns', () => {
+      const result = analyzeLicense('MIT OR Apache-2.0');
+      expect(result.risk).toBe('medium');
+    });
+  });
+
+  describe('checkMaintainerTrust', () => {
+    it('should recognize known maintainers', () => {
+      const maintainers = [{ username: 'ljharb' }];
+      const result = checkMaintainerTrust(maintainers, undefined);
+      expect(result.isTrusted).toBe(true);
+      expect(result.score).toBe(100);
+    });
+
+    it('should recognize jdalton as trusted', () => {
+      const maintainers = [{ username: 'jdalton' }];
+      const result = checkMaintainerTrust(maintainers, undefined);
+      expect(result.isTrusted).toBe(true);
+    });
+
+    it('should recognize org maintainers', () => {
+      const maintainers = [{ username: 'google' }];
+      const result = checkMaintainerTrust(maintainers, undefined);
+      expect(result.isTrusted).toBe(true);
+    });
+
+    it('should handle empty maintainers', () => {
+      const result = checkMaintainerTrust([], undefined);
+      expect(result.isTrusted).toBe(false);
+      expect(result.score).toBe(0);
+    });
+
+    it('should handle unknown maintainers', () => {
+      const maintainers = [{ username: 'unknownuser123' }];
+      const result = checkMaintainerTrust(maintainers, undefined);
+      expect(result.isTrusted).toBe(false);
+      expect(result.score).toBeLessThan(50);
+    });
+
+    it('should handle publisher', () => {
+      const publisher = { username: 'ljharb' };
+      const result = checkMaintainerTrust([], publisher);
+      expect(result.isTrusted).toBe(true);
+    });
+
+    it('should handle mixed trust levels', () => {
+      const maintainers = [{ username: 'ljharb' }, { username: 'unknown' }];
+      const result = checkMaintainerTrust(maintainers, undefined);
+      expect(result.isTrusted).toBe(false);
+      expect(result.score).toBeGreaterThan(0);
+    });
+  });
+
+  describe('validateRepository', () => {
+    it('should accept valid GitHub repo', async () => {
+      const result = await validateRepository(
+        'https://github.com/lodash/lodash',
+        'lodash'
+      );
+      expect(result.valid).toBe(true);
+    });
+
+    it('should reject missing repo', async () => {
+      const result = await validateRepository(undefined, 'lodash');
+      expect(result.valid).toBe(false);
+    });
+
+    it('should handle shorthand github:', async () => {
+      const result = await validateRepository(
+        'github:lodash/lodash',
+        'lodash'
+      );
+      // Shorthand converts to https://lodash/lodash
+      expect(result.details).toContain('https://');
+    });
+
+    it('should handle bitbucket shorthand', async () => {
+      const result = await validateRepository(
+        'bitbucket:owner/repo',
+        'repo'
+      );
+      expect(result.details).toContain('bitbucket.org');
+    });
+  });
+
+  describe('analyzeDependencies', () => {
+    it('should flag deprecated packages', () => {
+      const deps = { request: '^2.88.0' };
+      const result = analyzeDependencies(deps, undefined);
+      expect(result.outdatedCount).toBeGreaterThan(0);
+    });
+
+    it('should flag moment as deprecated', () => {
+      const deps = { moment: '^2.29.0' };
+      const result = analyzeDependencies(deps, undefined);
+      expect(result.outdatedCount).toBeGreaterThan(0);
+    });
+
+    it('should flag old versions', () => {
+      const deps = { lodash: '^0.1.0' };
+      const result = analyzeDependencies(deps, undefined);
+      expect(result.outdatedCount).toBeGreaterThan(0);
+    });
+
+    it('should handle empty dependencies', () => {
+      const result = analyzeDependencies(undefined, undefined);
+      expect(result.outdatedCount).toBe(0);
+    });
+
+    it('should handle modern packages', () => {
+      const deps = { axios: '^1.0.0', express: '^4.18.0' };
+      const result = analyzeDependencies(deps, undefined);
+      expect(result.outdatedCount).toBe(0);
+    });
+
+    it('should include devDependencies', () => {
+      const deps = {};
+      const devDeps = { jest: '^29.0.0' };
+      const result = analyzeDependencies(deps, devDeps);
+      // jest shouldn't be flagged
+      expect(result.outdatedCount).toBe(0);
+    });
+  });
+
+  describe('analyzeFileStructure', () => {
+    it('should detect suspicious paths', () => {
+      const files = ['../../etc/passwd', '/home/user/.ssh/id_rsa'];
+      const result = analyzeFileStructure(files);
+      expect(result.suspicious).toBe(true);
+      expect(result.issues.length).toBeGreaterThan(0);
+    });
+
+    it('should allow normal paths', () => {
+      const files = ['index.js', 'lib/utils.js', 'package.json'];
+      const result = analyzeFileStructure(files);
+      expect(result.suspicious).toBe(false);
+    });
+
+    it('should handle empty file list', () => {
+      const result = analyzeFileStructure([]);
+      expect(result.suspicious).toBe(false);
+    });
+  });
+});