npm - pqcheck - Versions diffs - 0.7.8 → 0.7.9 - Mend

pqcheck 0.7.8 → 0.7.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -12,6 +12,10 @@ The same scanner that powers [quantapact.com](https://quantapact.com), the brows
 ---
+## What's new in 0.7.9
+**CSP verdict + vendor labels on `pqcheck deps`.** The supply-chain table now shows a friendly vendor label (`New Relic · errors` / `Cloudflare · cdn` / `Adobe Fonts · fonts`) per host instead of raw `bam.nr-data.net`-style hostnames, plus a one-line site-wide CSP verdict above the table (`✗ No CSP enforcement` / `⚠ CSP is permissive` / `✓ Strict CSP enforced`). Same data shape ships on `/r/<domain>` and in the browser extension — cross-surface parity for the supply-chain story. See [CHANGELOG.md](./CHANGELOG.md).
 ## What's new in 0.7.8
 **Supply-chain change detection in CI** — `pqcheck deps <domain> --baseline file.json` compares the current third-party host list to a stored baseline. New hosts since the last accepted state are flagged `*NEW*` in the pretty table and `"isNew": true` in JSON. Add `--fail-on-new` to exit `4` if anything new appeared — the Polyfill.io-style CI gate that fails PRs introducing third-party scripts until you deliberately accept them with `--write-baseline`. Each row also shows an `SRI` column (on/off/n/a) so you can see which scripts allow silent vendor-side content swaps. See [CHANGELOG.md](./CHANGELOG.md).

package/bin/pqcheck.js CHANGED Viewed

@@ -7,7 +7,7 @@
 // =============================================================================
 const API_BASE = process.env.PQCHECK_API_BASE || "https://quantapact.com";
-const VERSION = "0.7.8";
+const VERSION = "0.7.9";
 const ANSI = {
   reset:   "\x1b[0m",
@@ -932,12 +932,15 @@ async function runDepsCommand(args) {
   }
   if (!json) process.stderr.write(color("dim", `Fetching ${domain} HTML...`));
-  const html = await fetchPageHTML(domain);
+  const fetched = await fetchPageHTML(domain);
   if (!json) process.stderr.write("\r\x1b[K");
-  if (!html) {
+  if (!fetched) {
     console.error(color("red", `error: could not fetch https://${domain}/`));
     process.exit(1);
   }
+  const { html, headerCsp } = fetched;
+  const metaCsp = extractMetaCsp(html);
+  const cspVerdict = classifyCsp(headerCsp, metaCsp);
   const refs = extractThirdPartyRefs(html, domain);
   if (refs.length === 0) {
@@ -1032,12 +1035,16 @@ async function runDepsCommand(args) {
   // Build manifest
   const manifest = {
     $schema: "https://quantapact.com/schemas/deps/v1",
-    schemaVersion: "1.1", // bumped for SRI + baseline-diff fields
+    schemaVersion: "1.2", // bumped for CSP + vendor classification fields
     domain,
     scannedAt: new Date().toISOString(),
     tool: "pqcheck-cli",
     toolVersion: VERSION,
     summary,
+    csp: {
+      quality: cspVerdict.quality,           // "absent" | "weak" | "strict"
+      source: cspVerdict.source,             // "header" | "meta" | null
+    },
     baseline: baselineHosts ? {
       file: baselinePath,
       newHosts,
@@ -1049,6 +1056,7 @@ async function runDepsCommand(args) {
       types: r.types,
       occurrences: r.occurrences,
       sri: { allScriptsHaveSri: !r.anyMissingSri, allHttps: r.allHttps },
+      vendor: classifyVendor(r.host),        // { name, category } or null
       isNew: r.isNew || false,
       scan: r.scan,
       error: r.error,
@@ -1101,6 +1109,15 @@ async function runDepsCommand(args) {
   console.log("");
   console.log(`  ${color("bold", "Supply-chain HNDL exposure")} for ${color("violet", domain)}`);
   console.log(`  ${color("dim", `${summary.uniqueOrigins} unique third-party origins · ${summary.totalReferences} references · weakest: ${summary.weakestLink?.host ?? "—"} (${summary.weakestLink?.grade ?? "—"})`)}`);
+  // CSP-quality summary line — single line, site-wide. Mirrors the banner the
+  // extension shows on the Supply Chain tab.
+  if (cspVerdict.quality === "absent") {
+    console.log(`  ${color("red", "✗ No CSP enforcement")} ${color("dim", "— vendor swaps go undetected by the browser")}`);
+  } else if (cspVerdict.quality === "weak") {
+    console.log(`  ${color("yellow", "⚠ CSP is permissive")} ${color("dim", `— uses unsafe-inline / wildcards / data: (${cspVerdict.source})`)}`);
+  } else if (cspVerdict.quality === "strict") {
+    console.log(`  ${color("green", "✓ Strict CSP enforced")} ${color("dim", `(${cspVerdict.source})`)}`);
+  }
   if (baselineHosts) {
     const baselineSize = baselineHosts.size;
     if (baselineSize === 0) {
@@ -1113,19 +1130,24 @@ async function runDepsCommand(args) {
     }
   }
   console.log("");
-  console.log(`  ${color("dim", "GRADE  HOST                                          PQC  SRI  TYPES")}`);
-  console.log(`  ${color("dim", "─────  ─────────────────────────────────────────  ───  ───  ─────")}`);
+  console.log(`  ${color("dim", "GRADE  HOST                                          VENDOR (CATEGORY)        PQC  SRI  TYPES")}`);
+  console.log(`  ${color("dim", "─────  ─────────────────────────────────────────  ──────────────────────  ───  ───  ─────")}`);
   for (const r of results) {
     const gradeStr = r.scan?.grade ?? "?";
     const gradeColored = gradeStr === "A" ? color("green", gradeStr) : gradeStr === "F" || gradeStr === "D" ? color("red", gradeStr) : color("yellow", gradeStr);
-    const isNewMark = r.isNew ? color("yellow", " *NEW*") : "";
     const hostRaw = r.host + (r.isNew ? " *NEW*" : "");
     const host = hostRaw.length > 41 ? hostRaw.slice(0, 40) + "…" : (r.host.padEnd(r.isNew ? 35 : 41, " ") + (r.isNew ? color("yellow", " *NEW*") : ""));
     const pqc = r.scan?.hybridPQC ? color("green", "yes") : color("dim", "no ");
     const hasScript = (r.types || []).includes("script");
     const sriCell = !hasScript ? color("dim", "n/a") : r.anyMissingSri ? color("yellow", "off") : color("green", "on ");
     const types = r.types.join(",");
-    console.log(`  ${gradeColored.padEnd(8, " ")}  ${host}  ${pqc}  ${sriCell}  ${color("dim", types)}`);
+    // Vendor classification — "(New Relic · errors)" beats "bam.nr-data.net"
+    // for comprehension. Padded to 22 chars so the table columns stay aligned.
+    const vendor = classifyVendor(r.host);
+    const vendorStrRaw = vendor ? `${vendor.name} (${vendor.category})` : "—";
+    const vendorTruncated = vendorStrRaw.length > 22 ? vendorStrRaw.slice(0, 21) + "…" : vendorStrRaw.padEnd(22, " ");
+    const vendorColored = vendor ? color("dim", vendorTruncated) : color("dim", vendorTruncated);
+    console.log(`  ${gradeColored.padEnd(8, " ")}  ${host}  ${vendorColored}  ${pqc}  ${sriCell}  ${color("dim", types)}`);
   }
   console.log("");
   if (baselineHosts && baselineHosts.size > 0 && newHosts.length > 0) {
@@ -1181,12 +1203,118 @@ async function fetchPageHTML(domain) {
     });
     clearTimeout(t);
     if (!resp.ok) return null;
-    return await resp.text();
+    const html = await resp.text();
+    // Also capture the CSP header so the deps view can show the site-wide
+    // enforcement level. Report-only header is ignored (not enforced).
+    const headerCsp = resp.headers.get("content-security-policy") || "";
+    return { html, headerCsp };
   } catch {
     return null;
   }
 }
+// Scrape <meta http-equiv="Content-Security-Policy" content="..."> from HTML
+// as a fallback when the response header is absent.
+function extractMetaCsp(html) {
+  const re = /<meta[^>]*\bhttp-equiv\s*=\s*["']?content-security-policy["']?[^>]*\bcontent\s*=\s*["']([^"']+)["']/i;
+  const m = html.match(re);
+  return m ? m[1] : "";
+}
+// Site-level CSP-quality classifier. Mirrors lib/serviceCatalog.ts and the
+// extension's classifyCsp(). Three buckets: absent / weak / strict.
+function classifyCsp(headerCsp, metaCsp) {
+  const policy = ((headerCsp || "").trim() || (metaCsp || "").trim()).toLowerCase();
+  if (!policy) return { quality: "absent", source: null, raw: "" };
+  const weakSignals = ["'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'", " * ", " *;", "data:", "blob:"];
+  const weak = weakSignals.some((sig) => policy.includes(sig));
+  return {
+    quality: weak ? "weak" : "strict",
+    source: (headerCsp || "").trim() ? "header" : "meta",
+    raw: policy,
+  };
+}
+// Compact vendor catalog — covers ~50 most common third-party origins so the
+// pretty table can show "(New Relic · errors)" instead of just "bam.nr-data.net".
+// Mirror of lib/serviceCatalog.ts + extension/popup.js SERVICE_CATALOG; keep
+// the three in sync when adding vendors.
+const SERVICE_CATALOG = {
+  "googletagmanager.com": { name: "Google Tag Manager", category: "analytics" },
+  "google-analytics.com": { name: "Google Analytics", category: "analytics" },
+  "googleadservices.com": { name: "Google Ads", category: "ads" },
+  "doubleclick.net": { name: "Google DoubleClick", category: "ads" },
+  "googleapis.com": { name: "Google APIs", category: "cdn" },
+  "gstatic.com": { name: "Google Static", category: "cdn" },
+  "recaptcha.net": { name: "Google reCAPTCHA", category: "captcha" },
+  "youtube.com": { name: "YouTube", category: "social" },
+  "cloudflare.com": { name: "Cloudflare", category: "cdn" },
+  "cdnjs.cloudflare.com": { name: "Cloudflare cdnjs", category: "cdn" },
+  "cloudflareinsights.com": { name: "Cloudflare Web Analytics", category: "analytics" },
+  "challenges.cloudflare.com": { name: "Cloudflare Turnstile", category: "captcha" },
+  "stripe.com": { name: "Stripe", category: "payments" },
+  "js.stripe.com": { name: "Stripe Checkout", category: "payments" },
+  "amazonaws.com": { name: "AWS S3", category: "cdn" },
+  "cloudfront.net": { name: "AWS CloudFront", category: "cdn" },
+  "clarity.ms": { name: "Microsoft Clarity", category: "analytics" },
+  "azureedge.net": { name: "Azure CDN", category: "cdn" },
+  "facebook.com": { name: "Facebook", category: "social" },
+  "facebook.net": { name: "Facebook Pixel", category: "ads" },
+  "fbcdn.net": { name: "Facebook CDN", category: "cdn" },
+  "connect.facebook.net": { name: "Facebook Pixel", category: "ads" },
+  "twitter.com": { name: "Twitter (X)", category: "social" },
+  "linkedin.com": { name: "LinkedIn", category: "social" },
+  "snap.licdn.com": { name: "LinkedIn Tracking", category: "ads" },
+  "use.typekit.net": { name: "Adobe Fonts", category: "fonts" },
+  "typekit.net": { name: "Adobe Fonts", category: "fonts" },
+  "paypal.com": { name: "PayPal", category: "payments" },
+  "auth0.com": { name: "Auth0", category: "auth" },
+  "okta.com": { name: "Okta", category: "auth" },
+  "intercomcdn.com": { name: "Intercom", category: "support" },
+  "zendesk.com": { name: "Zendesk", category: "support" },
+  "sentry.io": { name: "Sentry", category: "errors" },
+  "browser.sentry-cdn.com": { name: "Sentry", category: "errors" },
+  "js-agent.newrelic.com": { name: "New Relic", category: "errors" },
+  "bam.nr-data.net": { name: "New Relic", category: "errors" },
+  "datadoghq.com": { name: "Datadog", category: "errors" },
+  "browser-intake-datadoghq.com": { name: "Datadog RUM", category: "errors" },
+  "mailchimp.com": { name: "Mailchimp", category: "analytics" },
+  "hubspot.com": { name: "HubSpot", category: "analytics" },
+  "js.hubspot.com": { name: "HubSpot Tracking", category: "analytics" },
+  "segment.com": { name: "Segment", category: "analytics" },
+  "amplitude.com": { name: "Amplitude", category: "analytics" },
+  "mxpnl.com": { name: "Mixpanel", category: "analytics" },
+  "hotjar.com": { name: "Hotjar", category: "analytics" },
+  "plausible.io": { name: "Plausible Analytics", category: "analytics" },
+  "js.hcaptcha.com": { name: "hCaptcha", category: "captcha" },
+  "cdn.jsdelivr.net": { name: "jsDelivr CDN", category: "cdn" },
+  "unpkg.com": { name: "unpkg CDN", category: "cdn" },
+  "code.jquery.com": { name: "jQuery CDN", category: "cdn" },
+  "akamaihd.net": { name: "Akamai CDN", category: "cdn" },
+  "akamaized.net": { name: "Akamai CDN", category: "cdn" },
+  "fastly.net": { name: "Fastly CDN", category: "cdn" },
+  "bootstrapcdn.com": { name: "Bootstrap CDN", category: "cdn" },
+  "maxcdn.bootstrapcdn.com": { name: "Bootstrap CDN", category: "cdn" },
+  "cookielaw.org": { name: "OneTrust Cookie Consent", category: "consent" },
+  "cookiebot.com": { name: "Cookiebot", category: "consent" },
+  "vimeo.com": { name: "Vimeo", category: "social" },
+  "shopify.com": { name: "Shopify", category: "ecommerce" },
+  "cdn.shopify.com": { name: "Shopify CDN", category: "ecommerce" },
+  "tiktok.com": { name: "TikTok", category: "social" },
+};
+function classifyVendor(host) {
+  if (!host) return null;
+  const lower = host.toLowerCase();
+  if (SERVICE_CATALOG[lower]) return SERVICE_CATALOG[lower];
+  for (const pattern of Object.keys(SERVICE_CATALOG)) {
+    if (lower === pattern || lower.endsWith("." + pattern)) {
+      return SERVICE_CATALOG[pattern];
+    }
+  }
+  return null;
+}
 function extractThirdPartyRefs(html, targetDomain) {
   const out = [];
   const targetRoot = registeredDomain(targetDomain);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pqcheck",
-  "version": "0.7.8",
+  "version": "0.7.9",
   "description": "Decryption Blast Radius scanner — find out how much of your data unlocks when quantum decryption arrives.",
   "keywords": [
     "post-quantum",