quantum-audit 0.1.0
- package/.github/workflows/publish.yml +19 -0
- package/README.md +8 -0
- package/bin/cli.js +76 -0
- package/data/risk-db.json +13 -0
- package/package.json +15 -0
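--- a/package/.github/workflows/publish.yml
+++ b/package/.github/workflows/publish.yml
@@ -0,0 +1,19 @@
+name: Publish to npm
+
+on:
+push:
+tags:
+- 'v*'
+
+jobs:
+publish:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+- uses: actions/setup-node@v4
+with:
+node-version: '20'
+registry-url: 'https://registry.npmjs.org'
+- run: npm publish --access public
+env:
+NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}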
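Review bot: The publish job runs `npm publish --access public` directly after checkout, with no `permissions:` block and no install or test step, so any `v*` tag push publishes whatever is at that commit using the workflow's default token permissions plus the long-lived `NPM_TOKEN` secret. Scoping the job and attaching provenance is a small change: add `permissions:` with `contents: read` and `id-token: write` under `publish:`, and use `- run: npm publish --provenance --access public`. Nothing checks the pushed tag against the `version` field in package.json either, so a mismatched tag is only caught when the registry rejects the publish.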
package/README.md
ADDED
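--- a/package/bin/cli.js
+++ b/package/bin/cli.js
@@ -0,0 +1,76 @@
+#!/usr/bin/env node
+const fs = require('fs');
+const path = require('path');
+
+const riskDb = require('../data/risk-db.json');
+
+function getAllDependencies(dir) {
+const pkgPath = path.join(dir, 'package.json');
+if (!fs.existsSync(pkgPath)) {
+console.error('No package.json found in this directory.');
+process.exit(1);
+}
+const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+const deps = {
+...(pkg.dependencies || {}),
+...(pkg.devDependencies || {})
+};
+
+const nodeModulesPath = path.join(dir, 'node_modules');
+const allFound = new Set(Object.keys(deps));
+
+if (fs.existsSync(nodeModulesPath)) {
+const entries = fs.readdirSync(nodeModulesPath);
+entries.forEach(entry => allFound.add(entry));
+}
+
+return Array.from(allFound);
+}
+
+function auditProject(dir) {
+const allDeps = getAllDependencies(dir);
+const flagged = [];
+
+allDeps.forEach(dep => {
+if (riskDb[dep]) {
+flagged.push({ package: dep, ...riskDb[dep] });
+}
+});
+
+return flagged;
+}
+
+function scoreResult(flagged) {
+const highCount = flagged.filter(f => f.severity === 'high').length;
+const medCount = flagged.filter(f => f.severity === 'medium').length;
+const penalty = highCount * 15 + medCount * 5;
+const score = Math.max(0, 100 - penalty);
+return score;
+}
+
+function printReport(flagged, score) {
+console.log('\n=== Quantum-Audit Report ===\n');
+
+if (flagged.length === 0) {
+console.log('No known quantum-vulnerable packages detected.');
+} else {
+flagged.forEach(f => {
+console.log(`[${f.severity.toUpperCase()}] ${f.package} — ${f.reason}`);
+});
+}
+
+console.log(`\nQuantum-Readiness Score: ${score}/100\n`);
+}
+
+const targetDir = process.cwd();
+const flagged = auditProject(targetDir);
+const score = scoreResult(flagged);
+printReport(flagged, score);
+
+const jsonReport = {
+score,
+flagged,
+scannedAt: new Date().toISOString()
+};
+fs.writeFileSync(path.join(targetDir, 'quantum-audit-report.json'), JSON.stringify(jsonReport, null, 2));
+console.log('Full report saved to quantum-audit-report.json');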
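Review bot: The lookup `if (riskDb[dep])` in auditProject (hunk line 35) indexes a plain object parsed from JSON with a dependency name, so a dependency or node_modules entry named after an inherited property (`constructor`, `toString`, `__proto__`) is truthy, is pushed without a `severity`, and printReport then throws on `f.severity.toUpperCase()` at line 58. An own-property check fixes both the false match and the crash: `if (Object.prototype.hasOwnProperty.call(riskDb, dep)) {` (or load the database into a `Map`). Separately, `fs.readdirSync(nodeModulesPath)` at line 23 returns only the scope directory for scoped packages (`@scope`, never `@scope/name`), so scoped packages installed in node_modules can never match the database; none of the current entries are scoped, so this is latent rather than failing today. The report is also written unconditionally to `quantum-audit-report.json` in the scanned directory (line 75); making that opt-in via a flag would keep the scanner from modifying the project it audits.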
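--- a/package/data/risk-db.json
+++ b/package/data/risk-db.json
@@ -0,0 +1,13 @@
+{
+"elliptic": { "severity": "high", "reason": "ECC implementation, broken by Shor's algorithm" },
+"secp256k1": { "severity": "high", "reason": "Elliptic curve crypto, broken by Shor's algorithm" },
+"eccrypto": { "severity": "high", "reason": "ECC-based encryption, broken by Shor's algorithm" },
+"node-rsa": { "severity": "high", "reason": "RSA implementation, broken by Shor's algorithm" },
+"jsrsasign": { "severity": "high", "reason": "RSA/ECDSA toolkit, broken by Shor's algorithm" },
+"node-forge": { "severity": "medium", "reason": "Supports RSA/ECC; flag if used for those, not just TLS" },
+"jsonwebtoken": { "severity": "medium", "reason": "Often configured with RS256/ES256 (quantum-vulnerable signing)" },
+"jose": { "severity": "medium", "reason": "JWT/JWS library, check for RSA/EC algorithm usage" },
+"tweetnacl": { "severity": "high", "reason": "Curve25519-based, broken by Shor's algorithm" },
+"bitcoinjs-lib": { "severity": "high", "reason": "Uses secp256k1 ECDSA for signing" },
+"ethereumjs-util": { "severity": "high", "reason": "Uses secp256k1 ECDSA for signing" }
+}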
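Review bot: Several `reason` strings describe a condition the scanner never evaluates — `node-forge` says "flag if used for those, not just TLS" and `jose` says "check for RSA/EC algorithm usage" — while bin/cli.js flags on package presence alone, so the printed report states an unverified condition as a finding. Either word those reasons as what presence implies, e.g. `"reason": "Bundles RSA/ECC primitives; confirm whether the project uses them"`, or keep the severity to what presence alone supports. The `tweetnacl` entry is rated high for Curve25519, but the library also provides symmetric secretbox and hashing that Shor's algorithm does not affect, so the rating overstates the risk for a project that uses only those; a wording like "Provides Curve25519 key exchange/signing; symmetric secretbox is unaffected" would be more accurate.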
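--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,15 @@
+{
+"name": "quantum-audit",
+"version": "0.1.0",
+"description": "Scans npm projects for quantum-vulnerable cryptography in their dependency tree",
+"main": "index.js",
+"bin": {
+"quantum-audit": "./bin/cli.js"
+},
+"scripts": {
+"test": "node bin/cli.js"
+},
+"keywords": ["quantum", "cryptography", "security", "npm", "audit", "post-quantum"],
+"license": "MIT",
+"author": "Takundanashe Muchena"
+}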
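Review bot: `"main": "index.js"` names a file that is not in this version's file list (only the workflow, README, `bin/cli.js` and `data/risk-db.json` are added), so `require('quantum-audit')` would fail to resolve; either drop `main` or point it at a module that exists. The `test` script runs `node bin/cli.js`, which scans the current directory and writes `quantum-audit-report.json` into it, so `npm test` is a side-effecting run rather than a test. No `engines` field is declared even though the publish workflow pins Node 20, so the supported runtime range is undocumented for consumers.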