npm-scan-plus 1.0.0

package/src/lib/extended.ts

@@ -0,0 +1,384 @@
+/**
+ * Extended security analysis module
+ * Additional checks: license, repo validation, maintainer trust, download anomalies
+ */
+
+import * as fs from 'fs';
+import * as path from 'path';
+
+const NPM_REGISTRY = 'https://registry.npmjs.org';
+
+/** License risk classification */
+const LICENSE_RISK = {
+  // High risk - requires source sharing or has legal issues
+  'gpl-3.0': { level: 'high', reason: 'GPLv3 - copyleft, may affect proprietary code' },
+  'gpl-2.0': { level: 'medium', reason: 'GPLv2 - copyleft' },
+  'agpl-3.0': { level: 'high', reason: 'AGPLv3 - strong copyleft, SaaS exposure' },
+  'lgpl-3.0': { level: 'medium', reason: 'LGPLv3 - more permissive than GPL' },
+  'mpl-2.0': { level: 'low', reason: 'Mozilla Public License' },
+  ' EPL-2.0': { level: 'low', reason: 'Eclipse Public License' },
+  'eupl-1.2': { level: 'medium', reason: 'European Union Public License' },
+  // Low risk - permissive
+  'mit': { level: 'low', reason: 'Permissive' },
+  'bsd': { level: 'low', reason: 'Permissive' },
+  'apache-2.0': { level: 'low', reason: 'Permissive' },
+  'isc': { level: 'low', reason: 'Permissive' },
+  'unlicense': { level: 'low', reason: 'Public domain' },
+  // Suspicious - requires investigation
+  'custom': { level: 'medium', reason: 'Custom license - review required' },
+  'none': { level: 'high', reason: 'No license - copyright issues' },
+  'proprietary': { level: 'high', reason: 'Proprietary - may restrict use' }
+};
+
+/** Known package maintainers with trust scores */
+const TRUSTED_MAINTAINERS = new Set([
+  // Popular package maintainers
+  'ljharb', // Jordan Harband (lodash)
+  'sindresorhus', // Sindre Sohrus
+  'jdalton', // John-David Dalton (lodash creator)
+  'substack',
+  'juliangruber',
+  'rvagg',
+  'addaleax',
+  'bnb',
+  'fy',
+  'watson',
+  'leorom',
+  'd3',
+  'mbostock',
+  'mikaelbr',
+  'analog',
+  // Large organizations
+  'facebook',
+  'google',
+  'microsoft',
+  'amazon',
+  'netflix',
+  'stripe',
+  'paypal',
+  'twitter',
+  'uber'
+]);
+
+/** Suspicious TLDs for typosquatting detection */
+const SUSPICIOUS_TLDS = ['xyz', 'app', 'dev', 'io', 'co', 'sh', 'js', 'cn', 'ru'];
+
+/**
+ * Analyze license risk
+ */
+export function analyzeLicense(license: string | undefined): {
+  risk: 'low' | 'medium' | 'high' | 'critical';
+  details: string;
+  permissive: boolean;
+} {
+  if (!license) {
+    return {
+      risk: 'high',
+      details: 'No license specified - copyright issues',
+      permissive: false
+    };
+  }
+
+  // Normalize license string
+  const normalized = license.toString().replace(/^(\d+\.)+/, '').trim().toLowerCase();
+  const known = LICENSE_RISK[normalized as keyof typeof LICENSE_RISK];
+
+  if (known) {
+    return {
+      risk: known.level as any,
+      details: known.reason,
+      permissive: known.level === 'low'
+    };
+  }
+
+  // Check for OR patterns (multiple licenses)
+  if (license.includes(' OR ')) {
+    return {
+      risk: 'medium',
+      details: 'Multiple licenses - review required',
+      permissive: false
+    };
+  }
+
+  return {
+    risk: 'low',
+    details: 'Unknown but present',
+    permissive: true
+  };
+}
+
+/**
+ * Check if maintainer is trusted/known
+ */
+export function checkMaintainerTrust(maintainers: any[], publisher: any): {
+  score: number;
+  isTrusted: boolean;
+  details: string;
+} {
+  const allAuthors = [...(maintainers || []), publisher].filter(Boolean);
+  const names = allAuthors.map(m => m.username || m.name).filter(Boolean);
+
+  if (names.length === 0) {
+    return {
+      score: 0,
+      isTrusted: false,
+      details: 'No maintainers identified'
+    };
+  }
+
+  // Check if any trusted maintainer
+  const trustedCount = names.filter(n => TRUSTED_MAINTAINERS.has(n.toLowerCase())).length;
+  const trustRatio = trustedCount / names.length;
+
+  if (trustRatio > 0.5) {
+    return {
+      score: 100,
+      isTrusted: true,
+      details: `${trustedCount} trusted maintainer(s): ${names.join(', ')}`
+    };
+  }
+
+  if (trustedCount > 0) {
+    return {
+      score: 50,
+      isTrusted: false,
+      details: `Some trusted maintainer(s): ${names.join(', ')}`
+    };
+  }
+
+  return {
+    score: 20,
+    isTrusted: false,
+    details: `Unknown maintainer(s): ${names.join(', ')}`
+  };
+}
+
+/**
+ * Validate repository URL exists and matches package
+ */
+export async function validateRepository(
+  repoUrl: string | undefined,
+  packageName: string
+): Promise<{
+  valid: boolean;
+  details: string;
+  issues: string[];
+}> {
+  const issues: string[] = [];
+
+  if (!repoUrl) {
+    return {
+      valid: false,
+      details: 'No repository URL',
+      issues: ['missing repository']
+    };
+  }
+
+  // Parse different repo formats
+  let normalizedUrl = repoUrl;
+
+  // Handle shorthand
+  if (!repoUrl.startsWith('http')) {
+    if (repoUrl.startsWith('github:')) {
+      normalizedUrl = 'https://' + repoUrl.replace('github:', '');
+    } else if (repoUrl.startsWith('gist:')) {
+      normalizedUrl = 'https://gist.github.com/' + repoUrl.replace('gist:', '');
+    } else if (repoUrl.startsWith('bitbucket:')) {
+      normalizedUrl = 'https://bitbucket.org/' + repoUrl.replace('bitbucket:', '');
+    } else if (repoUrl.startsWith('gitlab:')) {
+      normalizedUrl = 'https://gitlab.com/' + repoUrl.replace('gitlab:', '');
+    } else {
+      normalizedUrl = 'https://' + repoUrl;
+    }
+  }
+
+  // Extract owner/repo for GitHub
+  const githubMatch = normalizedUrl.match(/github\.com[/:]([\w-]+)\/([\w-.]+)/);
+  if (githubMatch) {
+    const [, owner, repo] = githubMatch;
+    const cleanRepo = repo.replace(/\.git$/, '');
+
+    // Check if repo name roughly matches package name
+    const expectedPackage = packageName.replace(/^@[\w-]+\//, ''); // Handle scoped packages
+    const nameMatch = cleanRepo.toLowerCase() === expectedPackage.toLowerCase() ||
+      cleanRepo.toLowerCase() === expectedPackage.replace(/[-_]/g, '').toLowerCase();
+
+    if (!nameMatch) {
+      issues.push(`repo name "${cleanRepo}" != package "${expectedPackage}"`);
+    }
+  }
+
+  // Check for suspicious domains
+  const url = new URL(normalizedUrl);
+  if (SUSPICIOUS_TLDS.includes(url.hostname.split('.').pop() || '')) {
+    issues.push(`suspicious TLD: ${url.hostname}`);
+  }
+
+  return {
+    valid: issues.length === 0,
+    details: normalizedUrl,
+    issues
+  };
+}
+
+/**
+ * Check for release anomalies (sudden popularity spike = typosquatting indicator)
+ */
+export async function checkReleaseAnomalies(
+  packageName: string,
+  metadata: any
+): Promise<{
+  suspicious: boolean;
+  details: string;
+  metrics: any;
+}> {
+  const metrics: any = {
+    versionCount: 0,
+    hasNewVersions: false,
+    rapidRelease: false
+  };
+
+  try {
+    // Fetch full package data
+    const response = await fetch(`${NPM_REGISTRY}/${packageName}`);
+    const data: any = await response.json();
+
+    const versions = Object.keys(data.versions || {});
+    metrics.versionCount = versions.length;
+
+    // Check for recent rapid releases (potential automated publishing)
+    if (data.time) {
+      const timeKeys = Object.keys(data.time).filter(k => k !== 'created' && k !== 'modified');
+      if (timeKeys.length > 1) {
+        const sorted = timeKeys.sort((a, b) =>
+          new Date(data.time[a]).getTime() - new Date(data.time[b]).getTime()
+        );
+
+        // Check if multiple releases within hours
+        if (sorted.length >= 2) {
+          const lastRelease = new Date(data.time[sorted[sorted.length - 1]]);
+          const prevRelease = new Date(data.time[sorted[sorted.length - 2]]);
+          const hoursApart = (lastRelease.getTime() - prevRelease.getTime()) / (1000 * 60 * 60);
+
+          if (hoursApart < 1) {
+            metrics.rapidRelease = true;
+            metrics.hoursApart = hoursApart;
+          }
+        }
+      }
+    }
+  } catch (e) {
+    // Ignore - just for metrics
+  }
+
+  const suspicious = metrics.rapidRelease;
+
+  return {
+    suspicious,
+    details: suspicious ? 'Unusual rapid release pattern' : 'Normal release pattern',
+    metrics
+  };
+}
+
+/**
+ * Analyze dependencies for freshness and known issues
+ */
+export function analyzeDependencies(
+  dependencies: Record<string, string> | undefined,
+  devDependencies: Record<string, string> | undefined
+): {
+  outdatedCount: number;
+  issues: string[];
+  details: string[];
+} {
+  const allDeps = { ...dependencies, ...devDependencies };
+  const issues: string[] = [];
+  const details: string[] = [];
+
+  if (!allDeps || Object.keys(allDeps).length === 0) {
+    return { outdatedCount: 0, issues: [], details: [] };
+  }
+
+  // Check for very old/deprecated packages
+  const deprecated = [
+    'request', // Deprecated in favor of fetch, axios
+    'moment', // Deprecated in favor of date-fns, dayjs
+    'lodash', // Should use lodash-es for tree-shaking
+    'querystring', // Built into Node.js
+    'underscore' // Use lodash or native
+  ];
+
+  for (const [dep, ver] of Object.entries(allDeps)) {
+    if (deprecated.includes(dep)) {
+      issues.push(`${dep} is deprecated or not recommended`);
+      details.push(`${dep}@${ver}: consider alternatives`);
+    }
+
+    // Check for very old major versions still in use
+    if (ver.startsWith('^0.') || ver.startsWith('~0.')) {
+      issues.push(`${dep} using old major version`);
+      details.push(`${dep}@${ver}: may have vulnerabilities`);
+    }
+  }
+
+  return {
+    outdatedCount: issues.length,
+    issues,
+    details
+  };
+}
+
+/**
+ * Check file structure for suspicious patterns
+ */
+export function analyzeFileStructure(files: string[]): {
+  suspicious: boolean;
+  issues: string[];
+} {
+  const issues: string[] = [];
+
+  // Check for hidden files that shouldn't be there
+  const suspiciousFiles = [
+    /^\./,
+    /\.sh$/,
+    /\.bash$/,
+    / bash/,
+    /script/i
+  ];
+
+  // Check for common attack vectors
+  const suspiciousPaths = [
+    /proc\/self/,
+    /\/etc\//,
+    /~\/ /,
+    /\$HOME/,
+    /\.ssh\//
+  ];
+
+  for (const file of files) {
+    for (const pattern of suspiciousPaths) {
+      if (pattern.test(file)) {
+        issues.push(`suspicious path: ${file}`);
+      }
+    }
+  }
+
+  return {
+    suspicious: issues.length > 0,
+    issues
+  };
+}
+
+/**
+ * Combined extended analysis (sync parts only)
+ */
+export function extendedAnalysis(
+  packageName: string,
+  metadata: any
+) {
+  const license = analyzeLicense(metadata.license);
+  const maintainer = checkMaintainerTrust(metadata.maintainers, metadata.publisher);
+  const dependencies = analyzeDependencies(metadata.dependencies, metadata.devDependencies);
+
+  return { license, maintainer, repository: { valid: true, details: '', issues: [] }, dependencies };
+}

package/src/lib/integrity.ts

@@ -0,0 +1,253 @@
+/**
+ * Package integrity verification
+ * Hash verification, signature checking, tarball analysis
+ */
+
+import * as crypto from 'crypto';
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+import * as tar from 'tar';
+
+const NPM_REGISTRY = 'https://registry.npmjs.org';
+
+/**
+ * Verify package integrity using npm registry integrity field
+ */
+export async function verifyIntegrity(
+  packageName: string,
+  version: string,
+  registry: string = NPM_REGISTRY
+): Promise<any> {
+  try {
+    const response = await fetch(`${registry}/${packageName}/${version}`);
+    const data: any = await response.json();
+
+    const expectedHash = data.dist?.integrity || null;
+
+    if (!expectedHash) {
+      return {
+        valid: true,
+        expectedHash: null,
+        actualHash: null,
+        algorithm: 'none',
+        details: 'No integrity hash in registry'
+      };
+    }
+
+    const algorithm = expectedHash.startsWith('sha512') ? 'sha512' : 'sha256';
+    const tarballUrl = data.dist?.tarball;
+
+    if (!tarballUrl) {
+      return {
+        valid: false,
+        expectedHash,
+        actualHash: null,
+        algorithm,
+        details: 'No tarball URL found'
+      };
+    }
+
+    const tarballResponse = await fetch(tarballUrl);
+    const buffer = Buffer.from(await tarballResponse.arrayBuffer());
+
+    const actualHash = algorithm === 'sha512'
+      ? 'sha512-' + crypto.createHash('sha512').update(buffer).digest('base64')
+      : 'sha256-' + crypto.createHash('sha256').update(buffer).digest('base64');
+
+    const valid = actualHash === expectedHash;
+
+    return {
+      valid,
+      expectedHash,
+      actualHash,
+      algorithm,
+      details: valid ? 'Integrity verified' : 'Integrity mismatch!'
+    };
+  } catch (error: any) {
+    return {
+      valid: false,
+      expectedHash: null,
+      actualHash: null,
+      algorithm: 'none',
+      details: `Verification failed: ${error.message}`
+    };
+  }
+}
+
+/**
+ * Analyze package size for anomalies
+ */
+export async function analyzePackageSize(
+  packageName: string,
+  version: string,
+  registry: string = NPM_REGISTRY
+): Promise<any> {
+  const THRESHOLD_MB = 50;
+
+  try {
+    const response = await fetch(`${registry}/${packageName}/${version}`);
+    const data: any = await response.json();
+
+    const size = data.dist?.unpackedSize || data.dist?.size || 0;
+    const sizeFormatted = formatBytes(size);
+
+    return {
+      size,
+      sizeFormatted,
+      suspicious: size > THRESHOLD_MB * 1024 * 1024,
+      threshold: THRESHOLD_MB,
+      details: size > THRESHOLD_MB * 1024 * 1024
+        ? `Package size ${sizeFormatted} exceeds ${THRESHOLD_MB}MB threshold`
+        : `Package size ${sizeFormatted} is normal`
+    };
+  } catch (error: any) {
+    return {
+      size: 0,
+      sizeFormatted: '0 B',
+      suspicious: false,
+      threshold: THRESHOLD_MB,
+      details: 'Could not determine package size'
+    };
+  }
+}
+
+/**
+ * Extract and analyze package.json from tarball
+ */
+export async function analyzeTarball(
+  packageName: string,
+  version: string,
+  registry: string = NPM_REGISTRY
+): Promise<any> {
+  const tempDir = path.join(os.tmpdir(), `npm-scan-tarball-${Date.now()}`);
+  const tarballPath = path.join(tempDir, 'package.tgz');
+
+  try {
+    const response = await fetch(`${registry}/${packageName}/${version}`);
+    const data: any = await response.json();
+
+    const tarballUrl = data.dist?.tarball;
+    if (!tarballUrl) {
+      return {
+        hasPkgJson: false,
+        main: null,
+        bin: {},
+        files: [],
+        fileCount: 0,
+        hasNativeCode: false,
+        details: 'No tarball URL'
+      };
+    }
+
+    fs.mkdirSync(tempDir, { recursive: true });
+
+    const tarballResponse = await fetch(tarballUrl);
+    fs.writeFileSync(tarballPath, Buffer.from(await tarballResponse.arrayBuffer()));
+
+    const extractDir = path.join(tempDir, 'extracted');
+    fs.mkdirSync(extractDir, { recursive: true });
+
+    await tar.extract({
+      file: tarballPath,
+      cwd: extractDir
+    });
+
+    const entries = fs.readdirSync(extractDir);
+    const pkgDir = entries.find(e => e.startsWith('package'));
+    const packageJsonPath = path.join(extractDir, pkgDir || '', 'package.json');
+
+    if (!fs.existsSync(packageJsonPath)) {
+      return {
+        hasPkgJson: false,
+        main: null,
+        bin: {},
+        files: [],
+        fileCount: 0,
+        hasNativeCode: false,
+        details: 'package.json not found in tarball'
+      };
+    }
+
+    const pkgJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'));
+    const allFiles = getAllFiles(path.join(extractDir, pkgDir || ''));
+
+    const nativeExtensions = ['.node', '.dll', '.dylib', '.so', '.a', '.o'];
+    const hasNativeCode = allFiles.some(f => nativeExtensions.some(ext => f.endsWith(ext)));
+
+    return {
+      hasPkgJson: true,
+      main: pkgJson.main || null,
+      bin: pkgJson.bin || {},
+      files: allFiles,
+      fileCount: allFiles.length,
+      hasNativeCode,
+      details: hasNativeCode ? 'Contains native code' : 'Pure JavaScript'
+    };
+  } catch (error: any) {
+    return {
+      hasPkgJson: false,
+      main: null,
+      bin: {},
+      files: [],
+      fileCount: 0,
+      hasNativeCode: false,
+      details: `Analysis failed: ${error.message}`
+    };
+  } finally {
+    try {
+      fs.rmSync(tempDir, { recursive: true, force: true });
+    } catch (e) {}
+  }
+}
+
+function formatBytes(bytes: number): string {
+  if (bytes === 0) return '0 B';
+
+  const units = ['B', 'KB', 'MB', 'GB'];
+  let unitIndex = 0;
+  let size = bytes;
+
+  while (size >= 1024 && unitIndex < units.length - 1) {
+    size = size / 1024;
+    unitIndex++;
+  }
+
+  return size.toFixed(2) + ' ' + units[unitIndex];
+}
+
+function getAllFiles(dir: string, baseDir?: string): string[] {
+  const files: string[] = [];
+  const base = baseDir || dir;
+
+  try {
+    const entries = fs.readdirSync(dir, { withFileTypes: true });
+
+    for (const entry of entries) {
+      const fullPath = path.join(dir, entry.name);
+      const relativePath = path.relative(base, fullPath);
+
+      if (entry.isDirectory()) {
+        files.push(...getAllFiles(fullPath, base));
+      } else if (entry.isFile()) {
+        files.push(relativePath);
+      }
+    }
+  } catch (e) {}
+
+  return files;
+}
+
+export async function fullIntegrityCheck(
+  packageName: string,
+  version: string,
+  registry?: string
+): Promise<any> {
+  const [integrity, size, tarball] = await Promise.all([
+    verifyIntegrity(packageName, version, registry),
+    analyzePackageSize(packageName, version, registry),
+    analyzeTarball(packageName, version, registry)
+  ]);
+
+  return { integrity, size, tarball };
+}