secmanifest 1.0.0

package/src/commands/audit.ts

@@ -0,0 +1,249 @@
+import { resolve } from "node:path";
+import { stat } from "node:fs/promises";
+import { confirm } from "@clack/prompts";
+import chalk from "chalk";
+import { t } from "../i18n/index.js";
+import { detectPackageManager } from "../core/package-manager.js";
+import {
+  analyzeProject,
+  getInstalledPackages,
+} from "../core/project-analyzer.js";
+import { calculateScore, renderReport } from "../core/reporter.js";
+import { scanVulnerabilities } from "../scanners/vulnerabilities.js";
+import { scanMalware } from "../scanners/malware.js";
+import { scanBackdoors } from "../scanners/backdoors.js";
+import { scanLockfileDrift } from "../scanners/lockfile-drift.js";
+import { scanSecrets } from "../scanners/secrets.js";
+import { scanLicenses } from "../scanners/licenses.js";
+import { scanOutdated } from "../scanners/outdated.js";
+import { scanMetadata } from "../scanners/metadata.js";
+import { scanObfuscation } from "../scanners/obfuscation.js";
+import { scanNodeVersion } from "../scanners/node-version.js";
+import { scanSocketDev } from "../scanners/socket-dev.js";
+import { scanTransitive } from "../scanners/transitive.js";
+import { scanBinaries } from "../scanners/binaries.js";
+import { scanDuplicates } from "../scanners/duplicates.js";
+import { scanBundleSize } from "../scanners/bundle-size.js";
+import { scanIntegrity } from "../scanners/integrity.js";
+import { fixMultiplePackages, printFixResults } from "../core/fixer.js";
+import { sendNotifications } from "../core/notify.js";
+import { saveHtmlReport } from "../core/html-report.js";
+import type { AuditReport, Finding } from "../utils/types.js";
+
+interface AuditOptions {
+  json?: boolean;
+  verbose?: boolean;
+  skipMalware?: boolean;
+  skipSecrets?: boolean;
+  skipLicenses?: boolean;
+  skipOutdated?: boolean;
+  skipMetadata?: boolean;
+  skipObfuscation?: boolean;
+  skipNodeVersion?: boolean;
+  skipSocket?: boolean;
+  skipTransitive?: boolean;
+  skipBinaries?: boolean;
+  skipDuplicates?: boolean;
+  skipBundleSize?: boolean;
+  skipIntegrity?: boolean;
+  quick?: boolean;
+  autoFix?: boolean;
+  html?: string | boolean;
+  notify?: boolean;
+  lang?: string;
+}
+
+function logStep(current: number, total: number, message: string): void {
+  const pct = Math.round((current / total) * 100);
+  const barLen = 20;
+  const filled = Math.round((pct / 100) * barLen);
+  const bar = "█".repeat(filled) + "░".repeat(barLen - filled);
+  console.log(
+    chalk.gray(`  [${bar}] ${pct}% `) + chalk.white(message),
+  );
+}
+
+export async function runAudit(
+  targetPath: string | undefined,
+  options: AuditOptions,
+): Promise<void> {
+  const projectPath = resolve(targetPath ?? ".");
+
+  try {
+    await stat(projectPath);
+  } catch {
+    console.error(
+      chalk.red(`${t("error.dir_not_found")} ${projectPath}`),
+    );
+    process.exit(1);
+  }
+
+  try {
+    await stat(`${projectPath}/package.json`);
+  } catch {
+    console.error(
+      chalk.red(`${t("error.no_package_json")} ${projectPath}`),
+    );
+    process.exit(1);
+  }
+
+  console.log(chalk.gray(`\n  ${t("audit.detecting_pm")}`));
+  const packageManager = await detectPackageManager();
+
+  if (packageManager.blocked) {
+    if (packageManager.name === "npm") {
+      console.log(chalk.red.bold(`\n  ${t("audit.veto_npm")}`));
+      console.log(chalk.yellow(`  ${t("audit.veto_npm_reason")}`));
+      console.log(chalk.yellow(`  ${t("audit.veto_npm_required")}\n`));
+    } else {
+      console.log(chalk.yellow.bold(`\n  ${t("audit.no_pm_warning")}`));
+      console.log(chalk.yellow(`  ${t("audit.no_pm_reason")}\n`));
+    }
+
+    const shouldContinue = await confirm({
+      message: t("audit.continue_anyway"),
+      initialValue: false,
+    });
+
+    if (shouldContinue !== true) {
+      console.log(chalk.gray(`\n  ${t("audit.cancelled")}`));
+      process.exit(0);
+    }
+    console.log();
+  }
+
+  if (packageManager.name && !packageManager.blocked) {
+    console.log(
+      chalk.green(
+        `  ${t("audit.pm_detected")} ${packageManager.name} ${packageManager.version ? `v${packageManager.version}` : ""}`,
+      ),
+    );
+  }
+
+  console.log(chalk.gray(`  ${t("audit.analyzing")}`));
+
+  let projectInfo;
+  try {
+    projectInfo = await analyzeProject(projectPath, packageManager);
+  } catch (error) {
+    console.error(
+      chalk.red(`${t("error.analyze_failed")} ${error instanceof Error ? error.message : String(error)}`),
+    );
+    process.exit(1);
+  }
+
+  console.log(chalk.gray(`  ${t("audit.project")} ${projectInfo.name}@${projectInfo.version}`));
+
+  const installedPackages = await getInstalledPackages(projectPath, packageManager);
+
+  console.log(chalk.gray(`  ${t("audit.packages_found")} ${installedPackages.length}`));
+
+  const allFindings: Finding[] = [];
+  const allErrors: Error[] = [];
+  const scannerStartTime = Date.now();
+
+  const scanners: Array<{
+    name: string;
+    fn: () => Promise<{ findings: Finding[]; errors: Error[]; duration: number }> | { findings: Finding[]; errors: Error[]; duration: number };
+    skip?: boolean;
+  }> = [
+    { name: t("scanner.malware"), fn: () => Promise.resolve(scanMalware(installedPackages)), skip: options.skipMalware },
+    { name: t("scanner.backdoors"), fn: () => Promise.resolve(scanBackdoors(projectInfo)) },
+    { name: t("scanner.drift"), fn: () => scanLockfileDrift(projectInfo) },
+    { name: t("scanner.secrets"), fn: () => scanSecrets(projectPath), skip: options.skipSecrets },
+    { name: t("scanner.licenses"), fn: () => Promise.resolve(scanLicenses(projectInfo)), skip: options.skipLicenses },
+    { name: t("scanner.metadata"), fn: () => scanMetadata(projectInfo, projectPath), skip: options.skipMetadata },
+    { name: t("scanner.obfuscation"), fn: () => scanObfuscation(projectInfo, projectPath), skip: options.skipObfuscation },
+    { name: t("scanner.node_version"), fn: () => scanNodeVersion(projectInfo, projectPath), skip: options.skipNodeVersion },
+    { name: t("scanner.socket_dev"), fn: () => scanSocketDev(installedPackages), skip: options.skipSocket || options.quick },
+    { name: t("scanner.transitive"), fn: () => scanTransitive(projectInfo, projectPath), skip: options.skipTransitive },
+    { name: t("scanner.binaries"), fn: () => scanBinaries(projectInfo, projectPath), skip: options.skipBinaries },
+    { name: t("scanner.duplicates"), fn: () => scanDuplicates(projectInfo, projectPath), skip: options.skipDuplicates },
+    { name: t("scanner.bundle_size"), fn: () => scanBundleSize(projectInfo, projectPath), skip: options.skipBundleSize },
+    { name: t("scanner.integrity"), fn: () => scanIntegrity(projectInfo, projectPath), skip: options.skipIntegrity },
+  ];
+
+  if (!options.quick) {
+    scanners.push({ name: t("scanner.sonatype"), fn: () => scanVulnerabilities(installedPackages) });
+    scanners.push({ name: t("scanner.outdated"), fn: () => scanOutdated(projectInfo, projectPath, packageManager.command || "bun"), skip: options.skipOutdated });
+  }
+
+  const activeScanners = scanners.filter((s) => !s.skip);
+  const totalSteps = activeScanners.length;
+
+  for (let i = 0; i < activeScanners.length; i++) {
+    const scanner = activeScanners[i]!;
+    logStep(i + 1, totalSteps, scanner.name);
+    try {
+      const result = await scanner.fn();
+      allFindings.push(...result.findings);
+      allErrors.push(...result.errors);
+    } catch (error) {
+      allErrors.push(new Error(`Error in scanner "${scanner.name}": ${error instanceof Error ? error.message : String(error)}`));
+    }
+  }
+
+  const totalDuration = Date.now() - scannerStartTime;
+
+  if (allErrors.length > 0 && options.verbose) {
+    console.log(chalk.yellow(`\n  ${t("audit.errors_during_scan")}`));
+    for (const error of allErrors) {
+      console.log(chalk.yellow(`    - ${error.message}`));
+    }
+  }
+
+  const score = calculateScore(allFindings);
+
+  const report: AuditReport = {
+    projectPath,
+    projectName: projectInfo.name,
+    packageManager,
+    totalPackages: installedPackages.length,
+    findings: allFindings,
+    score,
+    duration: totalDuration,
+    timestamp: new Date().toISOString(),
+  };
+
+  if (options.json) {
+    console.log(JSON.stringify(report, null, 2));
+  } else {
+    renderReport(report);
+  }
+
+  if (options.html) {
+    const htmlPath = typeof options.html === "string" ? options.html : undefined;
+    const savedPath = await saveHtmlReport(report, htmlPath);
+    console.log(chalk.green(`\n  HTML report saved to: ${savedPath}`));
+  }
+
+  if (options.notify) {
+    await sendNotifications(report);
+  }
+
+  if (!options.json && allFindings.length > 0) {
+    const fixablePackages = allFindings
+      .filter((f) => f.package && f.version && (f.id.startsWith("backdoor-latest-version-") || f.id.startsWith("backdoor-open-version-") || f.severity === "critical"))
+      .map((f) => ({ name: f.package!, version: f.version!, reason: f.title }));
+
+    const uniqueFixable = fixablePackages.filter((pkg, index, self) => index === self.findIndex((p) => p.name === pkg.name));
+
+    if (uniqueFixable.length > 0) {
+      console.log(chalk.yellow(`\n  ${uniqueFixable.length} package(s) can be auto-fixed:`));
+      for (const pkg of uniqueFixable) {
+        console.log(chalk.yellow(`    - ${pkg.name}@${pkg.version}: ${pkg.reason}`));
+      }
+
+      if (!options.autoFix) {
+        const shouldFix = await confirm({ message: "Auto-fix these packages?", initialValue: false });
+        if (shouldFix === true) {
+          const results = await fixMultiplePackages(uniqueFixable, packageManager, projectPath);
+          printFixResults(results);
+        }
+      } else {
+        const results = await fixMultiplePackages(uniqueFixable, packageManager, projectPath);
+        printFixResults(results);
+      }
+    }
+  }
+}

package/src/commands/fix.ts

@@ -0,0 +1,88 @@
+import { resolve } from "node:path";
+import { stat } from "node:fs/promises";
+import chalk from "chalk";
+import { t } from "../i18n/index.js";
+import { detectPackageManager } from "../core/package-manager.js";
+import { analyzeProject, getInstalledPackages } from "../core/project-analyzer.js";
+import { fixMultiplePackages, printFixResults } from "../core/fixer.js";
+import { findSafeVersion } from "../utils/registry.js";
+
+interface FixOptions {
+  dryRun?: boolean;
+  lang?: string;
+}
+
+export async function runFix(packages: string[], options: FixOptions): Promise<void> {
+  const projectPath = resolve(".");
+
+  try {
+    await stat(`${projectPath}/package.json`);
+  } catch {
+    console.error(chalk.red(`${t("error.no_package_json")} ${projectPath}`));
+    process.exit(1);
+  }
+
+  console.log(chalk.gray(`\n  ${t("audit.detecting_pm")}`));
+  const packageManager = await detectPackageManager();
+
+  if (packageManager.blocked) {
+    console.error(chalk.red(`Error: A secure package manager is required (pnpm, bun, yarn).`));
+    process.exit(1);
+  }
+
+  console.log(chalk.green(`  ${t("audit.pm_detected")} ${packageManager.name} ${packageManager.version ? `v${packageManager.version}` : ""}`));
+
+  let projectInfo;
+  try {
+    projectInfo = await analyzeProject(projectPath, packageManager);
+  } catch (error) {
+    console.error(chalk.red(`${t("error.analyze_failed")} ${error instanceof Error ? error.message : String(error)}`));
+    process.exit(1);
+  }
+
+  const installedPackages = await getInstalledPackages(projectPath, packageManager);
+
+  let targetPackages: Array<{ name: string; version: string; reason: string }>;
+
+  if (packages.length > 0) {
+    targetPackages = [];
+    for (const pkgName of packages) {
+      const found = installedPackages.find((p) => p.name === pkgName);
+      if (found) {
+        targetPackages.push({ name: found.name, version: found.version, reason: "User specified" });
+      } else {
+        console.log(chalk.yellow(`  Package not found: ${pkgName}`));
+      }
+    }
+  } else {
+    console.log(chalk.gray(`\n  ${t("fix.analyzing_packages")}`));
+    const allDeps = { ...projectInfo.dependencies, ...projectInfo.devDependencies };
+    targetPackages = [];
+
+    for (const [name, version] of Object.entries(allDeps)) {
+      if (version === "latest") { targetPackages.push({ name, version, reason: 'Uses "latest"' }); continue; }
+      if (version === "*" || version === ">=0.0.0" || version === ">=0") { targetPackages.push({ name, version, reason: "Open version range" }); continue; }
+      const safeInfo = await findSafeVersion(name, version);
+      if (safeInfo.safeVersion) targetPackages.push({ name, version, reason: safeInfo.reason });
+    }
+  }
+
+  if (targetPackages.length === 0) {
+    console.log(chalk.green(`\n  ${t("fix.no_packages")}`));
+    return;
+  }
+
+  console.log(chalk.yellow(`\n  ${t("fix.packages_to_fix")} ${targetPackages.length}`));
+  for (const pkg of targetPackages) console.log(chalk.yellow(`    - ${pkg.name}@${pkg.version}: ${pkg.reason}`));
+
+  if (options.dryRun) {
+    console.log(chalk.cyan(`\n  ${t("fix.dry_run")}`));
+    return;
+  }
+
+  const results = await fixMultiplePackages(targetPackages, packageManager, projectPath);
+  printFixResults(results);
+
+  const fixedCount = results.filter((r) => r.success).length;
+  if (fixedCount > 0) console.log(chalk.green(`\n  ${fixedCount} ${t("fix.packages_fixed")} ${t("fix.run_audit")}`));
+}

package/src/commands/watch.ts

@@ -0,0 +1,40 @@
+import { resolve } from "node:path";
+import chalk from "chalk";
+import { t } from "../i18n/index.js";
+import { runAudit } from "./audit.js";
+
+interface WatchOptions {
+  interval?: number;
+  json?: boolean;
+  quick?: boolean;
+  lang?: string;
+}
+
+export async function runWatch(targetPath: string | undefined, options: WatchOptions): Promise<void> {
+  const projectPath = resolve(targetPath ?? ".");
+  const intervalMs = (options.interval ?? 300) * 1000;
+
+  console.log(chalk.bold.cyan(`\n  ${t("watch.title")}`));
+  console.log(chalk.gray(`  ${t("watch.directory")} ${projectPath}`));
+  console.log(chalk.gray(`  ${t("watch.interval")} ${intervalMs / 1000}s`));
+  console.log(chalk.gray(`  ${t("watch.press_ctrlc")}\n`));
+
+  let scanCount = 0;
+
+  const runScan = async () => {
+    scanCount++;
+    console.log(chalk.bold(`\n  [Scan #${scanCount}] ${new Date().toLocaleTimeString()}`));
+    try {
+      await runAudit(targetPath, { ...options, json: false });
+    } catch (error) {
+      console.error(chalk.red(`Error in scan: ${error instanceof Error ? error.message : String(error)}`));
+    }
+    console.log(chalk.gray(`\n  ${t("watch.next_scan")} ${intervalMs / 1000}s...`));
+  };
+
+  await runScan();
+  const interval = setInterval(async () => { await runScan(); }, intervalMs);
+
+  process.on("SIGINT", () => { clearInterval(interval); console.log(chalk.gray(`\n\n  ${t("watch.stopping")}`)); process.exit(0); });
+  process.on("SIGTERM", () => { clearInterval(interval); process.exit(0); });
+}

package/src/core/fixer.ts

@@ -0,0 +1,89 @@
+import { $ } from "bun";
+import chalk from "chalk";
+import { t } from "../i18n/index.js";
+import type { PackageManager } from "../utils/types.js";
+import { findSafeVersion, type SafeVersionResult } from "../utils/registry.js";
+
+export interface FixResult {
+  packageName: string;
+  success: boolean;
+  previousVersion: string;
+  newVersion: string | null;
+  error?: string;
+}
+
+export async function fixPackage(
+  packageName: string,
+  currentVersion: string,
+  packageManager: PackageManager,
+  projectPath: string,
+): Promise<FixResult> {
+  console.log(chalk.gray(`    ${t("fix.searching_safe")} ${packageName}@${currentVersion}...`));
+
+  const safeInfo = await findSafeVersion(packageName, currentVersion);
+
+  if (!safeInfo.safeVersion) {
+    return { packageName, success: false, previousVersion: currentVersion, newVersion: null, error: `No safe alternative found. ${safeInfo.reason}` };
+  }
+
+  console.log(chalk.yellow(`    ${t("fix.unsafe_version")} ${currentVersion} -> ${t("fix.safe_version")} ${safeInfo.safeVersion}`));
+
+  try {
+    console.log(chalk.gray(`    ${t("fix.uninstalling")} ${packageName}@${currentVersion}...`));
+    const pm = packageManager.command || "bun";
+    await $`${pm} remove ${packageName}`.cwd(projectPath).quiet();
+
+    const versionSpec = `^${safeInfo.safeVersion}`;
+    console.log(chalk.gray(`    ${t("fix.installing")} ${packageName}@${versionSpec}...`));
+    await $`${pm} add ${packageName}@${versionSpec}`.cwd(projectPath).quiet();
+
+    console.log(chalk.green(`    ${packageName} ${t("fix.installed_successfully")} (${safeInfo.safeVersion})`));
+    return { packageName, success: true, previousVersion: currentVersion, newVersion: safeInfo.safeVersion };
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
+    console.log(chalk.red(`    ${t("fix.install_error")} ${packageName}: ${msg}`));
+    try {
+      console.log(chalk.gray(`    ${t("fix.restoring")}`));
+      const pm = packageManager.command || "bun";
+      await $`${pm} add ${packageName}@${currentVersion}`.cwd(projectPath).quiet();
+    } catch { /* Restore failed */ }
+    return { packageName, success: false, previousVersion: currentVersion, newVersion: null, error: msg };
+  }
+}
+
+export async function fixMultiplePackages(
+  packages: Array<{ name: string; version: string; reason: string }>,
+  packageManager: PackageManager,
+  projectPath: string,
+): Promise<FixResult[]> {
+  const results: FixResult[] = [];
+  for (const pkg of packages) {
+    console.log();
+    console.log(chalk.bold(`  ${t("fix.packages_to_fix")} ${pkg.name}@${pkg.version}...`));
+    console.log(chalk.gray(`    Razon: ${pkg.reason}`));
+    const result = await fixPackage(pkg.name, pkg.version, packageManager, projectPath);
+    results.push(result);
+  }
+  return results;
+}
+
+export function printFixResults(results: FixResult[]): void {
+  console.log();
+  console.log(chalk.bold(`  ${t("fix.results")}`));
+  console.log(chalk.gray("  ─────────────────────────────────────"));
+
+  const fixed = results.filter((r) => r.success);
+  const failed = results.filter((r) => !r.success);
+
+  if (fixed.length > 0) {
+    console.log(chalk.green(`\n  ${fixed.length} ${t("fix.packages_fixed")}`));
+    for (const r of fixed) console.log(chalk.green(`    ${r.packageName}: ${r.previousVersion} -> ${r.newVersion}`));
+  }
+
+  if (failed.length > 0) {
+    console.log(chalk.red(`\n  ${failed.length} ${t("fix.packages_failed")}`));
+    for (const r of failed) console.log(chalk.red(`    ${r.packageName}: ${r.error ?? "Unknown error"}`));
+  }
+
+  console.log();
+}