secmanifest 1.0.0

package/src/scanners/binaries.ts

@@ -0,0 +1,102 @@
+import { readFile, readdir } from "node:fs/promises";
+import { join } from "node:path";
+import type { Finding, ScanResult, ProjectInfo } from "../utils/types.js";
+
+const SUSPICIOUS_BINARY_PATTERNS = [
+  {
+    name: "Postinstall script",
+    regex: /(?:postinstall|preinstall|install)\s*[:"]/gi,
+    severity: "high" as const,
+    description: "El paquete ejecuta comandos durante la instalacion.",
+  },
+  {
+    name: "Native addon",
+    regex: /\.node['"]/g,
+    severity: "medium" as const,
+    description: "El paquete carga un binario nativo (.node).",
+  },
+  {
+    name: "Binary execution",
+    regex: /(?:exec|spawn|execSync|execFile)\s*\(\s*['"][^'"]*\.(?:exe|bin|dll|so|dylib)/gi,
+    severity: "critical" as const,
+    description: "El paquete ejecuta un binario externo.",
+  },
+];
+
+export async function scanBinaries(
+  projectInfo: ProjectInfo,
+  projectPath: string,
+): Promise<ScanResult> {
+  const startTime = Date.now();
+  const findings: Finding[] = [];
+  const errors: Error[] = [];
+
+  const allDeps = {
+    ...projectInfo.dependencies,
+    ...projectInfo.devDependencies,
+  };
+
+  for (const [name] of Object.entries(allDeps)) {
+    const pkgDir = join(projectPath, "node_modules", name);
+
+    try {
+      const pkgJsonPath = join(pkgDir, "package.json");
+      const content = await readFile(pkgJsonPath, "utf-8");
+      const pkgJson = JSON.parse(content);
+
+      if (pkgJson.bin) {
+        const binaries = typeof pkgJson.bin === "string"
+          ? { [name]: pkgJson.bin }
+          : pkgJson.bin as Record<string, string>;
+
+        for (const [binName, binPath] of Object.entries(binaries)) {
+          const fullPath = join(pkgDir, binPath as string);
+          try {
+            await readFile(fullPath);
+          } catch {
+            findings.push({
+              id: `binary-missing-${name}-${binName}`,
+              severity: "medium",
+              category: "malware",
+              title: `Binario referenciado no encontrado: ${name}/${binName}`,
+              description: `${name} referencia el binario ${binName} -> ${binPath} pero el archivo no existe.`,
+              package: name,
+              recommendation: `Reinstalar ${name} o verificar que el binario es correcto.`,
+            });
+          }
+        }
+      }
+
+      if (pkgJson.gypfile) {
+        const gypPath = join(pkgDir, "binding.gyp");
+        try {
+          const gypContent = await readFile(gypPath, "utf-8");
+
+          for (const pattern of SUSPICIOUS_BINARY_PATTERNS) {
+            if (pattern.regex.test(gypContent)) {
+              findings.push({
+                id: `binary-suspicious-${name}-${pattern.name}`,
+                severity: pattern.severity,
+                category: "malware",
+                title: `${pattern.name} en codigo nativo: ${name}`,
+                description: `${name}: ${pattern.description}`,
+                package: name,
+                recommendation: `Verificar que el codigo nativo de ${name} es seguro.`,
+              });
+            }
+          }
+        } catch {
+          // binding.gyp not found
+        }
+      }
+    } catch {
+      // Package directory not accessible
+    }
+  }
+
+  return {
+    findings,
+    errors,
+    duration: Date.now() - startTime,
+  };
+}

package/src/scanners/bundle-size.ts

@@ -0,0 +1,114 @@
+import { readdir, stat } from "node:fs/promises";
+import { join } from "node:path";
+import type { Finding, ScanResult, ProjectInfo } from "../utils/types.js";
+
+const LARGE_PACKAGE_THRESHOLD = 50 * 1024 * 1024;
+const MEDIUM_PACKAGE_THRESHOLD = 10 * 1024 * 1024;
+
+async function getDirSize(dirPath: string): Promise<number> {
+  let totalSize = 0;
+
+  try {
+    const entries = await readdir(dirPath, { withFileTypes: true });
+
+    for (const entry of entries) {
+      const fullPath = join(dirPath, entry.name);
+      if (entry.isDirectory()) {
+        totalSize += await getDirSize(fullPath);
+      } else {
+        try {
+          const fileStat = await stat(fullPath);
+          totalSize += fileStat.size;
+        } catch {
+          // Skip
+        }
+      }
+    }
+  } catch {
+    // Directory not accessible
+  }
+
+  return totalSize;
+}
+
+function formatSize(bytes: number): string {
+  if (bytes >= 1024 * 1024 * 1024) {
+    return `${(bytes / (1024 * 1024 * 1024)).toFixed(2)} GB`;
+  }
+  if (bytes >= 1024 * 1024) {
+    return `${(bytes / (1024 * 1024)).toFixed(2)} MB`;
+  }
+  if (bytes >= 1024) {
+    return `${(bytes / 1024).toFixed(2)} KB`;
+  }
+  return `${bytes} B`;
+}
+
+export async function scanBundleSize(
+  projectInfo: ProjectInfo,
+  projectPath: string,
+): Promise<ScanResult> {
+  const startTime = Date.now();
+  const findings: Finding[] = [];
+  const errors: Error[] = [];
+
+  const allDeps = {
+    ...projectInfo.dependencies,
+    ...projectInfo.devDependencies,
+  };
+
+  const packageSizes: Array<{ name: string; size: number }> = [];
+
+  for (const [name] of Object.entries(allDeps)) {
+    const pkgDir = join(projectPath, "node_modules", name);
+    try {
+      const size = await getDirSize(pkgDir);
+      packageSizes.push({ name, size });
+    } catch {
+      // Package not accessible
+    }
+  }
+
+  const totalSize = packageSizes.reduce((sum, p) => sum + p.size, 0);
+
+  if (totalSize > 500 * 1024 * 1024) {
+    findings.push({
+      id: "bundle-total-large",
+      severity: "medium",
+      category: "vulnerability",
+      title: `node_modules muy grande: ${formatSize(totalSize)}`,
+      description: `El directorio node_modules ocupa ${formatSize(totalSize)}. Un proyecto muy grande puede indicar dependencias innecesarias.`,
+      recommendation: "Revisar y eliminar dependencias innecesarias.",
+    });
+  }
+
+  for (const pkg of packageSizes) {
+    if (pkg.size > LARGE_PACKAGE_THRESHOLD) {
+      findings.push({
+        id: `bundle-large-${pkg.name}`,
+        severity: "medium",
+        category: "malware",
+        title: `Paquete sospechosamente grande: ${pkg.name} (${formatSize(pkg.size)})`,
+        description: `${pkg.name} ocupa ${formatSize(pkg.size)}. Paquetes maliciosos suelen incluir archivos grandes para ocultar codigo.`,
+        package: pkg.name,
+        recommendation: `Revisar el contenido de ${pkg.name} para verificar que es legitimo.`,
+      });
+    } else if (pkg.size > MEDIUM_PACKAGE_THRESHOLD) {
+      findings.push({
+        id: `bundle-medium-${pkg.name}`,
+        severity: "low",
+        category: "malware",
+        title: `Paquete grande: ${pkg.name} (${formatSize(pkg.size)})`,
+        description: `${pkg.name} ocupa ${formatSize(pkg.size)}.`,
+        package: pkg.name,
+        recommendation: `Verificar que ${pkg.name} es necesario y no contiene archivos innecesarios.`,
+      });
+    }
+  }
+
+  return {
+    findings,
+    errors,
+    duration: Date.now() - startTime,
+  };
+}

package/src/scanners/duplicates.ts

@@ -0,0 +1,116 @@
+import { readFile } from "node:fs/promises";
+import { join } from "node:path";
+import type { Finding, ScanResult, ProjectInfo } from "../utils/types.js";
+
+interface DuplicateInfo {
+  name: string;
+  versions: Map<string, string[]>;
+}
+
+export async function scanDuplicates(
+  projectInfo: ProjectInfo,
+  projectPath: string,
+): Promise<ScanResult> {
+  const startTime = Date.now();
+  const findings: Finding[] = [];
+  const errors: Error[] = [];
+
+  const allDeps = {
+    ...projectInfo.dependencies,
+    ...projectInfo.devDependencies,
+  };
+
+  const versionMap = new Map<string, string[]>();
+
+  for (const [name, version] of Object.entries(allDeps)) {
+    const versions = versionMap.get(name) ?? [];
+    versions.push(version);
+    versionMap.set(name, versions);
+  }
+
+  for (const pkgDir of ["node_modules"]) {
+    try {
+      const entries = await import("node:fs/promises").then((fs) =>
+        fs.readdir(join(projectPath, pkgDir), { withFileTypes: true })
+      );
+
+      for (const entry of entries) {
+        if (entry.name.startsWith(".")) continue;
+
+        if (entry.name.startsWith("@")) {
+          const scopePath = join(projectPath, pkgDir, entry.name);
+          const scopedEntries = await import("node:fs/promises").then((fs) =>
+            fs.readdir(scopePath, { withFileTypes: true })
+          );
+
+          for (const scopedEntry of scopedEntries) {
+            if (scopedEntry.isDirectory()) {
+              const fullName = `${entry.name}/${scopedEntry.name}`;
+              const pkgJsonPath = join(scopePath, scopedEntry.name, "package.json");
+              try {
+                const content = await readFile(pkgJsonPath, "utf-8");
+                const pkgJson = JSON.parse(content);
+                const installedVersion = pkgJson.version as string;
+
+                if (installedVersion && pkgJson.dependencies) {
+                  for (const [depName, depVersion] of Object.entries(pkgJson.dependencies as Record<string, string>)) {
+                    if (!versionMap.has(depName)) {
+                      const versions = versionMap.get(depName) ?? [];
+                      versions.push(depVersion);
+                      versionMap.set(depName, versions);
+                    }
+                  }
+                }
+              } catch {
+                // Skip
+              }
+            }
+          }
+        } else {
+          const pkgJsonPath = join(projectPath, pkgDir, entry.name, "package.json");
+          try {
+            const content = await readFile(pkgJsonPath, "utf-8");
+            const pkgJson = JSON.parse(content);
+            const installedVersion = pkgJson.version as string;
+
+            if (installedVersion && pkgJson.dependencies) {
+              for (const [depName, depVersion] of Object.entries(pkgJson.dependencies as Record<string, string>)) {
+                if (!versionMap.has(depName)) {
+                  const versions = versionMap.get(depName) ?? [];
+                  versions.push(depVersion);
+                  versionMap.set(depName, versions);
+                }
+              }
+            }
+          } catch {
+            // Skip
+          }
+        }
+      }
+    } catch {
+      // node_modules not accessible
+    }
+  }
+
+  for (const [name, versions] of versionMap) {
+    const uniqueVersions = [...new Set(versions)];
+    if (uniqueVersions.length > 1) {
+      findings.push({
+        id: `duplicate-${name}`,
+        severity: "low",
+        category: "drift",
+        title: `Dependencia duplicada: ${name}`,
+        description: `${name} tiene multiples versiones instaladas: ${uniqueVersions.join(", ")}. Las dependencias duplicadas incrementan el bundle size.`,
+        package: name,
+        version: uniqueVersions.join(", "),
+        recommendation: `Consolidar a una sola version de ${name}.`,
+      });
+    }
+  }
+
+  return {
+    findings,
+    errors,
+    duration: Date.now() - startTime,
+  };
+}

package/src/scanners/integrity.ts

@@ -0,0 +1,108 @@
+import { readFile } from "node:fs/promises";
+import { join } from "node:path";
+import { createHash } from "node:crypto";
+import type { Finding, ScanResult, ProjectInfo } from "../utils/types.js";
+
+async function getFileHash(filePath: string): Promise<string | null> {
+  try {
+    const content = await readFile(filePath);
+    return createHash("sha256").update(content).digest("hex");
+  } catch {
+    return null;
+  }
+}
+
+export async function scanIntegrity(
+  projectInfo: ProjectInfo,
+  projectPath: string,
+): Promise<ScanResult> {
+  const startTime = Date.now();
+  const findings: Finding[] = [];
+  const errors: Error[] = [];
+
+  const allDeps = {
+    ...projectInfo.dependencies,
+    ...projectInfo.devDependencies,
+  };
+
+  for (const [name] of Object.entries(allDeps)) {
+    const pkgJsonPath = join(projectPath, "node_modules", name, "package.json");
+    try {
+      const content = await readFile(pkgJsonPath, "utf-8");
+      const pkgJson = JSON.parse(content);
+
+      if (pkgJson.dist?.integrity) {
+        const actualHash = await getFileHash(
+          join(projectPath, "node_modules", name, "package.json"),
+        );
+
+        if (actualHash && !pkgJson.dist.integrity.includes(actualHash.substring(0, 12))) {
+          findings.push({
+            id: `integrity-mismatch-${name}`,
+            severity: "high",
+            category: "malware",
+            title: `Integridad comprometida: ${name}`,
+            description: `${name} tiene un hash de integridad que no coincide. El paquete pudo haber sido modificado.`,
+            package: name,
+            recommendation: `Reinstalar ${name} con "secmanifest fix ${name}" o manualmente.`,
+          });
+        }
+      }
+
+      if (pkgJson.dist?.tarball) {
+        findings.push({
+          id: `integrity-tarball-${name}`,
+          severity: "info",
+          category: "vulnerability",
+          title: `Paquete con tarball: ${name}`,
+          description: `${name} se distribuye via tarball: ${pkgJson.dist.tarball}`,
+          package: name,
+          recommendation: "Verificar que el tarball proviene de una fuente confiable.",
+        });
+      }
+    } catch {
+      // Package not accessible
+    }
+  }
+
+  const lockfileIntegrity = await checkLockfileIntegrity(projectPath, projectInfo);
+  findings.push(...lockfileIntegrity);
+
+  return {
+    findings,
+    errors,
+    duration: Date.now() - startTime,
+  };
+}
+
+async function checkLockfileIntegrity(
+  projectPath: string,
+  projectInfo: ProjectInfo,
+): Promise<Finding[]> {
+  const findings: Finding[] = [];
+
+  if (!projectInfo.lockfilePath) return findings;
+
+  const lockfileContent = await readFile(projectInfo.lockfilePath, "utf-8");
+  const lockfileHash = createHash("sha256").update(lockfileContent).digest("hex");
+
+  const hashFilePath = `${projectInfo.lockfilePath}.hash`;
+  try {
+    const savedHash = await readFile(hashFilePath, "utf-8");
+    if (savedHash !== lockfileHash) {
+      findings.push({
+        id: "integrity-lockfile-changed",
+        severity: "high",
+        category: "drift",
+        title: "Lockfile modificado desde la ultima verificacion",
+        description: "El lockfile ha cambiado desde la ultima verificacion de integridad.",
+        recommendation: "Ejecutar un fresh install o verificar los cambios.",
+      });
+    }
+  } catch {
+    const { writeFile } = await import("node:fs/promises");
+    await writeFile(hashFilePath, lockfileHash, "utf-8").catch(() => {});
+  }
+
+  return findings;
+}

package/src/scanners/licenses.ts

@@ -0,0 +1,111 @@
+import { readFile } from "node:fs/promises";
+import type { Finding, ScanResult, ProjectInfo } from "../utils/types.js";
+
+const RESTRICTED_LICENSES: Array<{
+  pattern: RegExp;
+  severity: Finding["severity"];
+  name: string;
+  reason: string;
+}> = [
+  {
+    pattern: /\bAGPL[\s-]3/i,
+    severity: "high",
+    name: "AGPL-3.0",
+    reason: "Requiere liberar codigo fuente completo incluso en SaaS. Riesgo de divulgacion de codigo privado.",
+  },
+  {
+    pattern: /\bGPL[\s-]3/i,
+    severity: "medium",
+    name: "GPL-3.0",
+    reason: "Requiere liberar codigo fuente de trabajos derivados. Puede forzar disclosure de codigo privado.",
+  },
+  {
+    pattern: /\bGPL[\s-]2/i,
+    severity: "medium",
+    name: "GPL-2.0",
+    reason: "Copyleft fuerte. Cualquier modificacion debe ser liberada bajo la misma licencia.",
+  },
+  {
+    pattern: /\bSSPL\b/i,
+    severity: "high",
+    name: "SSPL",
+    reason: "Server Side Public License. Requiere liberar todo el stack de servicios si se usa como SaaS.",
+  },
+  {
+    pattern: /\bEUPL\b/i,
+    severity: "low",
+    name: "EUPL",
+    reason: "European Union Public License. Copyleft con implicaciones legales en la UE.",
+  },
+  {
+    pattern: /\bOSL[\s-]3/i,
+    severity: "medium",
+    name: "OSL-3.0",
+    reason: "Open Software License. Copyleft fuerte que aplica a trabajos derivados.",
+  },
+  {
+    pattern: /\bCC[\s-]BY[\s-]NC/i,
+    severity: "low",
+    name: "CC-BY-NC",
+    reason: "Creative Commons No Comercial. Prohibe uso comercial.",
+  },
+  {
+    pattern: /\bCC[\s-]BY[\s-]ND/i,
+    severity: "low",
+    name: "CC-BY-ND",
+    reason: "Creative Commons Sin Derivadas. Prohibe modificaciones.",
+  },
+];
+
+const SAFE_LICENSES = new Set([
+  "MIT",
+  "ISC",
+  "BSD-2-Clause",
+  "BSD-3-Clause",
+  "Apache-2.0",
+  "0BSD",
+  "Unlicense",
+  "CC0-1.0",
+  "Zlib",
+  "BlueOak-1.0.0",
+]);
+
+export function scanLicenses(projectInfo: ProjectInfo): ScanResult {
+  const startTime = Date.now();
+  const findings: Finding[] = [];
+  const errors: Error[] = [];
+
+  const allDeps = {
+    ...projectInfo.dependencies,
+    ...projectInfo.devDependencies,
+  };
+
+  for (const [name, version] of Object.entries(allDeps)) {
+    const lowerName = name.toLowerCase();
+    const lowerVersion = version.toLowerCase();
+
+    for (const license of RESTRICTED_LICENSES) {
+      if (
+        license.pattern.test(lowerName) ||
+        license.pattern.test(lowerVersion)
+      ) {
+        findings.push({
+          id: `license-${license.name}-${name}`,
+          severity: license.severity,
+          category: "backdoor",
+          title: `Licencia restrictiva: ${name} usa ${license.name}`,
+          description: `${name} tiene una licencia ${license.name}. ${license.reason}`,
+          package: name,
+          version,
+          recommendation: `Evaluar alternativas con licencias mas permisivas (MIT, ISC, Apache-2.0).`,
+        });
+      }
+    }
+  }
+
+  return {
+    findings,
+    errors,
+    duration: Date.now() - startTime,
+  };
+}