secmanifest 1.0.0

package/src/scanners/lockfile-drift.ts

@@ -0,0 +1,182 @@
+import { readFile } from "node:fs/promises";
+import type { Finding, ScanResult, ProjectInfo } from "../utils/types.js";
+
+interface ParsedLockfile {
+  packages: Map<string, string>;
+}
+
+async function parsePnpmLock(
+  lockfilePath: string,
+): Promise<ParsedLockfile> {
+  const content = await readFile(lockfilePath, "utf-8");
+  const packages = new Map<string, string>();
+
+  const packageRegex =
+    /^  \/([^@]+)@([^:\s]+)/gm;
+  let match: RegExpExecArray | null;
+
+  while ((match = packageRegex.exec(content)) !== null) {
+    const name = match[1];
+    const version = match[2];
+    if (name && version) {
+      packages.set(name, version);
+    }
+  }
+
+  const snapshotRegex = /^  ['"]?([^'":\s]+)@([^'":\s]+)/gm;
+  while ((match = snapshotRegex.exec(content)) !== null) {
+    const name = match[1];
+    const version = match[2];
+    if (name && version && !packages.has(name)) {
+      packages.set(name, version);
+    }
+  }
+
+  return { packages };
+}
+
+async function parseYarnLock(
+  lockfilePath: string,
+): Promise<ParsedLockfile> {
+  const content = await readFile(lockfilePath, "utf-8");
+  const packages = new Map<string, string>();
+
+  const regex = /^"?([^@\s"]+)@[^"]*"?:\s*$/gm;
+  const versionRegex = /^\s+version\s+"?([^"\s]+)"?$/m;
+
+  let match: RegExpExecArray | null;
+  const lines = content.split("\n");
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (!line) continue;
+    const nameMatch = line.match(/^"?([^@\s"]+)@[^"]*"?:\s*$/);
+    if (nameMatch && nameMatch[1]) {
+      const name = nameMatch[1];
+      for (let j = i + 1; j < Math.min(i + 5, lines.length); j++) {
+        const versionMatch = lines[j]?.match(
+          /^\s+version\s+"?([^"\s]+)"?$/,
+        );
+        if (versionMatch && versionMatch[1]) {
+          packages.set(name, versionMatch[1]);
+          break;
+        }
+      }
+    }
+  }
+
+  return { packages };
+}
+
+async function parseBunLock(
+  lockfilePath: string,
+): Promise<ParsedLockfile> {
+  const content = await readFile(lockfilePath, "utf-8");
+  const packages = new Map<string, string>();
+
+  try {
+    const lockfile = JSON.parse(content);
+    if (lockfile.packages) {
+      for (const [key, value] of Object.entries(
+        lockfile.packages as Record<string, { version?: string }>,
+      )) {
+        const name = key.replace(/^.*?node_modules\//, "").replace(/\/.*$/, "");
+        if (value?.version) {
+          packages.set(name, value.version);
+        }
+      }
+    }
+  } catch {
+    const regex = /"([^"]+)":\s*\{\s*"version":\s*"([^"]+)"/g;
+    let match: RegExpExecArray | null;
+    while ((match = regex.exec(content)) !== null) {
+      if (match[1] && match[2]) {
+        packages.set(match[1], match[2]);
+      }
+    }
+  }
+
+  return { packages };
+}
+
+export async function scanLockfileDrift(
+  projectInfo: ProjectInfo,
+): Promise<ScanResult> {
+  const startTime = Date.now();
+  const findings: Finding[] = [];
+  const errors: Error[] = [];
+
+  if (!projectInfo.lockfilePath) {
+    return {
+      findings,
+      errors: [
+        new Error("No se encontro lockfile para analizar."),
+      ],
+      duration: Date.now() - startTime,
+    };
+  }
+
+  let parsed: ParsedLockfile;
+
+  try {
+    switch (projectInfo.lockfileType) {
+      case "pnpm":
+        parsed = await parsePnpmLock(projectInfo.lockfilePath);
+        break;
+      case "yarn":
+        parsed = await parseYarnLock(projectInfo.lockfilePath);
+        break;
+      case "bun":
+        parsed = await parseBunLock(projectInfo.lockfilePath);
+        break;
+      default:
+        errors.push(
+          new Error(
+            `Tipo de lockfile no soportado: ${projectInfo.lockfileType}`,
+          ),
+        );
+        return {
+          findings,
+          errors,
+          duration: Date.now() - startTime,
+        };
+    }
+  } catch (error) {
+    errors.push(
+      new Error(
+        `Error al parsear lockfile: ${error instanceof Error ? error.message : String(error)}`,
+      ),
+    );
+    return {
+      findings,
+      errors,
+      duration: Date.now() - startTime,
+    };
+  }
+
+  const allDeclaredDeps = {
+    ...projectInfo.dependencies,
+    ...projectInfo.devDependencies,
+  };
+
+  for (const [lockName, lockVersion] of parsed.packages) {
+    if (!(lockName in allDeclaredDeps)) {
+      findings.push({
+        id: `drift-phantom-${lockName}`,
+        severity: "medium",
+        category: "drift",
+        title: `Paquete fantasma: ${lockName}`,
+        description: `${lockName} esta en el lockfile pero no declarado en package.json. Puede ser una dependencia no intencionada.`,
+        package: lockName,
+        version: lockVersion,
+        recommendation: `Ejecutar un fresh install o eliminar ${lockName} si no es necesario.`,
+      });
+    }
+  }
+
+  return {
+    findings,
+    errors,
+    duration: Date.now() - startTime,
+  };
+}

package/src/scanners/malware.ts

@@ -0,0 +1,148 @@
+import type { Finding, ScanResult } from "../utils/types.js";
+
+const KNOWN_MALICIOUS_PACKAGES = new Set([
+  "event-stream",
+  "flatmap-stream",
+  "crossenv",
+  "cross-env.js",
+  "crossenv.js",
+  "getcookies",
+  "mongose",
+  "lodashs",
+  "colors.js",
+  "faker.js",
+  "babelcli",
+  "babelcli.js",
+  "chromium-poly",
+  "chromium-polyfill",
+  "coa",
+  "coa.js",
+  "rc",
+  "rc.js",
+  "ua-parser-js",
+  "ua-parser",
+  "npm-script",
+  "npm-script.js",
+  "opener",
+  "opener.js",
+  "eslint-scope",
+  "eslint-scope.js",
+  "prettier.js",
+  "prettierx",
+  "pirs",
+  "pirs.js",
+]);
+
+const TYPOSQUAT_PATTERNS: Array<{
+  target: string;
+  typos: string[];
+}> = [
+  { target: "express", typos: ["exress", "expresss", "exprss", "expres"] },
+  { target: "lodash", typos: ["lodahs", "lodashh", "lodah", "lodsh"] },
+  {
+    target: "react",
+    typos: ["reacr", "reactt", "reac", "reaact"],
+  },
+  { target: "webpack", typos: ["weback", "webpak", "webpacck"] },
+  { target: "typescript", typos: ["typescrip", "typescrpt", "tpyescript"] },
+  {
+    target: "eslint",
+    typos: ["eslit", "eslnt", "elint", "eslintt"],
+  },
+  {
+    target: "prettier",
+    typos: ["prettir", "prettieer"],
+  },
+  { target: "chalk", typos: ["chakl", "chal", "challk"] },
+  { target: "axios", typos: ["axois", "axio", "axiios"] },
+  { target: "moment", typos: ["momnet", "momment", "momet"] },
+  {
+    target: "commander",
+    typos: ["commandr", "comander"],
+  },
+  {
+    target: "inquirer",
+    typos: ["inquiere", "inquirerr"],
+  },
+  { target: "jest", typos: ["jset", "jestt", "jst"] },
+  { target: "mocha", typos: ["moch", "mochaa", "moccha"] },
+  { target: "next", typos: ["nexxt", "neext", "nextt"] },
+  { target: "nuxt", typos: ["nuxxt", "nuuxt", "nuxst"] },
+  { target: "vue", typos: ["vvue", "vuee", "vued"] },
+  { target: "angular", typos: ["angularr", "angularjs", "anngular"] },
+];
+
+const KNOWN_MALICIOUS_AUTHORS = new Set([
+  "admin@admin.com",
+  "test@test.com",
+  "unknown",
+]);
+
+function levenshteinDistance(a: string, b: string): number {
+  const m = a.length;
+  const n = b.length;
+  const dp: number[][] = Array.from({ length: m + 1 }, () =>
+    new Array<number>(n + 1).fill(0),
+  );
+
+  for (let i = 0; i <= m; i++) dp[i]![0] = i;
+  for (let j = 0; j <= n; j++) dp[0]![j] = j;
+
+  for (let i = 1; i <= m; i++) {
+    for (let j = 1; j <= n; j++) {
+      dp[i]![j] =
+        a[i - 1] === b[j - 1]
+          ? dp[i - 1]![j - 1]!
+          : 1 + Math.min(dp[i - 1]![j]!, dp[i]![j - 1]!, dp[i - 1]![j - 1]!);
+    }
+  }
+
+  return dp[m]![n]!;
+}
+
+export function scanMalware(
+  packages: Array<{ name: string; version: string }>,
+): ScanResult {
+  const startTime = Date.now();
+  const findings: Finding[] = [];
+  const errors: Error[] = [];
+
+  for (const pkg of packages) {
+    if (KNOWN_MALICIOUS_PACKAGES.has(pkg.name)) {
+      findings.push({
+        id: `malware-known-${pkg.name}`,
+        severity: "critical",
+        category: "malware",
+        title: `Paquete malicioso conocido: ${pkg.name}`,
+        description: `${pkg.name} esta en la lista de paquetes maliciosos conocidos. Este paquete ha sido comprometido anteriormente.`,
+        package: pkg.name,
+        version: pkg.version,
+        recommendation: `Eliminar ${pkg.name} inmediatamente y buscar alternativas seguras.`,
+      });
+      continue;
+    }
+
+    for (const pattern of TYPOSQUAT_PATTERNS) {
+      const distance = levenshteinDistance(pkg.name, pattern.target);
+      if (distance > 0 && distance <= 2 && pkg.name.length > 2) {
+        findings.push({
+          id: `malware-typosquat-${pkg.name}`,
+          severity: "high",
+          category: "malware",
+          title: `Posible typosquatting: ${pkg.name} (similar a ${pattern.target})`,
+          description: `El paquete ${pkg.name} es sospechosamente similar a ${pattern.target}. Diferencia de编辑距离: ${distance}.`,
+          package: pkg.name,
+          version: pkg.version,
+          recommendation: `Verificar que ${pkg.name} es el paquete intencionado y no una suplantación.`,
+        });
+        break;
+      }
+    }
+  }
+
+  return {
+    findings,
+    errors,
+    duration: Date.now() - startTime,
+  };
+}

package/src/scanners/metadata.ts

@@ -0,0 +1,148 @@
+import { readFile } from "node:fs/promises";
+import { join } from "node:path";
+import type { Finding, ScanResult, ProjectInfo } from "../utils/types.js";
+
+const SUSPICIOUS_METADATA_PATTERNS = [
+  {
+    field: "description",
+    check: (val: string, pkgName: string) => !val || val.length < 5,
+    title: "Paquete sin descripcion",
+    description: "El paquete no tiene descripcion o es muy corta. Los paquetes maliciosos suelen omitir metadatos.",
+    severity: "info" as const,
+    skipIfScoped: true,
+    skipIfTypes: true,
+  },
+  {
+    field: "repository",
+    check: (val: unknown) => !val,
+    title: "Paquete sin repositorio",
+    description: "El paquete no tiene repositorio asociado. Los paquetes legitimos usualmente tienen un repositorio publico.",
+    severity: "low" as const,
+    skipIfScoped: true,
+    skipIfTypes: true,
+  },
+  {
+    field: "license",
+    check: (val: unknown) => !val,
+    title: "Paquete sin licencia",
+    description: "El paquete no tiene licencia declarada. Esto puede indicar un paquete abandonado o malicioso.",
+    severity: "low" as const,
+    skipIfScoped: false,
+    skipIfTypes: true,
+  },
+];
+
+const BINARY_FIELDS = [
+  "bin",
+  "binary",
+  "native",
+  "gypfile",
+  "binding.gyp",
+];
+
+const NETWORK_ACCESS_FIELDS = [
+  "postinstall",
+  "preinstall",
+  "install",
+  "prepare",
+];
+
+export async function scanMetadata(
+  projectInfo: ProjectInfo,
+  projectPath: string,
+): Promise<ScanResult> {
+  const startTime = Date.now();
+  const findings: Finding[] = [];
+  const errors: Error[] = [];
+
+  const allDeps = {
+    ...projectInfo.dependencies,
+    ...projectInfo.devDependencies,
+  };
+
+  for (const [name, version] of Object.entries(allDeps)) {
+    const pkgJsonPath = join(
+      projectPath,
+      "node_modules",
+      name,
+      "package.json",
+    );
+
+    let pkgJson: Record<string, unknown>;
+    try {
+      const content = await readFile(pkgJsonPath, "utf-8");
+      pkgJson = JSON.parse(content);
+    } catch {
+      continue;
+    }
+
+    for (const rule of SUSPICIOUS_METADATA_PATTERNS) {
+      const value = pkgJson[rule.field];
+
+      if ("skipIfScoped" in rule && rule.skipIfScoped && name.startsWith("@")) {
+        continue;
+      }
+      if ("skipIfTypes" in rule && rule.skipIfTypes && name.startsWith("@types/")) {
+        continue;
+      }
+
+      if (rule.check(value as string, name)) {
+        findings.push({
+          id: `metadata-${rule.field}-${name}`,
+          severity: rule.severity,
+          category: "malware",
+          title: `${rule.title}: ${name}`,
+          description: `${name}: ${rule.description}`,
+          package: name,
+          version,
+          recommendation: "Verificar que el paquete es legitimo y esta activamente mantenido.",
+        });
+      }
+    }
+
+    if (pkgJson.gypfile === true) {
+      findings.push({
+        id: `metadata-native-${name}`,
+        severity: "medium",
+        category: "malware",
+        title: `Paquete con codigo nativo: ${name}`,
+        description: `${name} contiene codigo nativo (gypfile). Los binarios pueden ejecutar codigo arbitrario durante la instalacion.`,
+        package: name,
+        version,
+        recommendation: "Verificar que el codigo nativo es necesario y proviene de una fuente confiable.",
+      });
+    }
+
+    const scripts = pkgJson.scripts as Record<string, string> | undefined;
+    if (scripts) {
+      for (const hook of NETWORK_ACCESS_FIELDS) {
+        if (scripts[hook]) {
+          const scriptVal = scripts[hook];
+          if (
+            scriptVal.includes("curl") ||
+            scriptVal.includes("wget") ||
+            scriptVal.includes("http") ||
+            scriptVal.includes("download")
+          ) {
+            findings.push({
+              id: `metadata-network-${name}-${hook}`,
+              severity: "high",
+              category: "backdoor",
+              title: `${name} accede a red en "${hook}"`,
+              description: `${name} ejecuta acceso a red en el hook "${hook}": ${scriptVal.slice(0, 100)}`,
+              package: name,
+              version,
+              recommendation: "Este paquete descarga contenido durante la instalacion. Verificar que es seguro.",
+            });
+          }
+        }
+      }
+    }
+  }
+
+  return {
+    findings,
+    errors,
+    duration: Date.now() - startTime,
+  };
+}

package/src/scanners/node-version.ts

@@ -0,0 +1,71 @@
+import { readFile } from "node:fs/promises";
+import { join } from "node:path";
+import type { Finding, ScanResult, ProjectInfo } from "../utils/types.js";
+
+const EOL_NODE_VERSIONS = [
+  { version: "0.10", eolDate: "2016-10-31", severity: "critical" as const },
+  { version: "0.12", eolDate: "2016-12-31", severity: "critical" as const },
+  { version: "4", eolDate: "2018-04-30", severity: "critical" as const },
+  { version: "5", eolDate: "2016-06-30", severity: "critical" as const },
+  { version: "6", eolDate: "2019-04-30", severity: "critical" as const },
+  { version: "7", eolDate: "2017-06-30", severity: "critical" as const },
+  { version: "8", eolDate: "2019-12-31", severity: "high" as const },
+  { version: "9", eolDate: "2018-06-30", severity: "high" as const },
+  { version: "10", eolDate: "2021-04-30", severity: "high" as const },
+  { version: "11", eolDate: "2019-06-30", severity: "high" as const },
+  { version: "12", eolDate: "2022-04-30", severity: "medium" as const },
+  { version: "13", eolDate: "2020-06-01", severity: "high" as const },
+  { version: "14", eolDate: "2023-04-30", severity: "medium" as const },
+  { version: "15", eolDate: "2021-06-01", severity: "medium" as const },
+  { version: "16", eolDate: "2023-09-11", severity: "low" as const },
+  { version: "17", eolDate: "2022-06-01", severity: "medium" as const },
+  { version: "18", eolDate: "2025-04-30", severity: "low" as const },
+  { version: "19", eolDate: "2023-06-01", severity: "low" as const },
+];
+
+const ENGINES_FIELD_PATTERN = /(\d+)(?:\.x)?/;
+
+export async function scanNodeVersion(
+  projectInfo: ProjectInfo,
+  projectPath: string,
+): Promise<ScanResult> {
+  const startTime = Date.now();
+  const findings: Finding[] = [];
+  const errors: Error[] = [];
+
+  const pkgJsonPath = join(projectPath, "package.json");
+  try {
+    const content = await readFile(pkgJsonPath, "utf-8");
+    const pkgJson = JSON.parse(content);
+
+    const engines = pkgJson.engines as { node?: string } | undefined;
+    if (engines?.node) {
+      const match = engines.node.match(ENGINES_FIELD_PATTERN);
+      if (match && match[1]) {
+        const majorVersion = parseInt(match[1], 10);
+        const eolVersion = EOL_NODE_VERSIONS.find(
+          (v) => parseInt(v.version, 10) === majorVersion,
+        );
+
+        if (eolVersion) {
+          findings.push({
+            id: `node-eol-${majorVersion}`,
+            severity: eolVersion.severity,
+            category: "vulnerability",
+            title: `Node.js ${majorVersion} esta en End-of-Life`,
+            description: `El proyecto requiere Node.js ${majorVersion} que reaching EOL el ${eolVersion.eolDate}. Sin actualizaciones de seguridad.`,
+            recommendation: `Actualizar a una version soportada de Node.js (18+ recomendado).`,
+          });
+        }
+      }
+    }
+  } catch {
+    // Could not read package.json
+  }
+
+  return {
+    findings,
+    errors,
+    duration: Date.now() - startTime,
+  };
+}

package/src/scanners/obfuscation.ts

@@ -0,0 +1,151 @@
+import { readFile } from "node:fs/promises";
+import { join } from "node:path";
+import type { Finding, ScanResult, ProjectInfo } from "../utils/types.js";
+
+const OBFUSCATION_PATTERNS = [
+  {
+    name: "Base64 encoded execution",
+    regex: /(?:eval|exec|Function)\s*\(\s*(?:atob|Buffer\.from)\s*\(/g,
+    severity: "critical" as const,
+    description: "Ejecucion de codigo codificado en Base64. Patron comun en malware.",
+  },
+  {
+    name: "Base64 string literal",
+    regex: /['"][A-Za-z0-9+/]{40,}={0,2}['"]/g,
+    severity: "medium" as const,
+    description: "String Base64 largo detectado. Puede contener codigo ofuscado.",
+  },
+  {
+    name: "eval with concatenation",
+    regex: /eval\s*\(\s*['"].*['"]\s*\+/g,
+    severity: "high" as const,
+    description: "eval() con concatenacion de strings. Patron de inyeccion de codigo.",
+  },
+  {
+    name: "String.fromCharCode",
+    regex: /String\.fromCharCode\s*\(/g,
+    severity: "medium" as const,
+    description: "Uso de fromCharCode para construir strings. Comun en ofuscacion.",
+  },
+  {
+    name: "Hex escape sequences",
+    regex: /(?:\\x[0-9a-f]{2}){4,}/gi,
+    severity: "medium" as const,
+    description: "Secuencias de escape hexadecimales. Puede ocultar codigo malicioso.",
+  },
+  {
+    name: "Unicode escape sequences",
+    regex: /(?:\\u[0-9a-f]{4}){4,}/gi,
+    severity: "medium" as const,
+    description: "Secuencias de escape Unicode. Comun en ofuscacion de codigo.",
+  },
+  {
+    name: "Obfuscated require",
+    regex: /require\s*\(\s*['"][^'"]*\\x[^'"]*['"]\s*\)/g,
+    severity: "critical" as const,
+    description: "require() con path ofuscado. Intento de ocultar dependencias.",
+  },
+  {
+    name: "Dynamic import with eval",
+    regex: /import\s*\(\s*eval\s*\(/g,
+    severity: "critical" as const,
+    description: "import() dinamico con eval. Carga de modulos arbitrarios.",
+  },
+  {
+    name: "Process.env access pattern",
+    regex: /process\.env\s*\[\s*['"][^'"]*['"]\s*\]/g,
+    severity: "low" as const,
+    description: "Acceso a process.env con bracket notation. Puede ocultar acceso a secrets.",
+  },
+  {
+    name: "Child process spawn",
+    regex: /(?:child_process|spawn|execSync|execFile)\s*\.\s*(?:spawn|exec|execSync)\s*\(/g,
+    severity: "high" as const,
+    description: "Ejecucion de procesos hijos. Comun en malware para ejecutar comandos del sistema.",
+  },
+];
+
+const COMPRESSION_PATTERNS = [
+  {
+    name: "zlib inflate",
+    regex: /zlib\s*\.\s*inflate(?:Sync)?\s*\(/g,
+    severity: "medium" as const,
+    description: "Descompresion zlib. Puede usarse para desempaquetar codigo malicioso.",
+  },
+  {
+    name: "gzip decompress",
+    regex: /(?:gunzip|ungzip|createGunzip)\s*\(/g,
+    severity: "medium" as const,
+    description: "Descompresion gzip en tiempo de ejecucion.",
+  },
+];
+
+async function scanFileForObfuscation(
+  filePath: string,
+  findings: Finding[],
+): Promise<void> {
+  let content: string;
+  try {
+    content = await readFile(filePath, "utf-8");
+  } catch {
+    return;
+  }
+
+  const allPatterns = [...OBFUSCATION_PATTERNS, ...COMPRESSION_PATTERNS];
+
+  for (const pattern of allPatterns) {
+    const regex = new RegExp(pattern.regex.source, pattern.regex.flags);
+    const matches = content.match(regex);
+
+    if (matches && matches.length > 0) {
+      findings.push({
+        id: `obfuscation-${pattern.name.toLowerCase().replace(/\s+/g, "-")}-${filePath}`,
+        severity: pattern.severity,
+        category: "malware",
+        title: `${pattern.name} en ${filePath}`,
+        description: `${pattern.description}. Ocurrencias: ${matches.length}`,
+        recommendation: `Revisar manualmente el archivo ${filePath} para confirmar que no es malicioso.`,
+      });
+    }
+  }
+}
+
+export async function scanObfuscation(
+  projectInfo: ProjectInfo,
+  projectPath: string,
+): Promise<ScanResult> {
+  const startTime = Date.now();
+  const findings: Finding[] = [];
+  const errors: Error[] = [];
+
+  const allDeps = {
+    ...projectInfo.dependencies,
+    ...projectInfo.devDependencies,
+  };
+
+  const sourceExtensions = [".js", ".ts", ".mjs", ".cjs"];
+
+  for (const [name] of Object.entries(allDeps)) {
+    const pkgDir = join(projectPath, "node_modules", name);
+
+    try {
+      const { readdir } = await import("node:fs/promises");
+      const entries = await readdir(pkgDir, { withFileTypes: true });
+
+      for (const entry of entries) {
+        if (entry.isFile() && sourceExtensions.some((ext) => entry.name.endsWith(ext))) {
+          const filePath = join(pkgDir, entry.name);
+          await scanFileForObfuscation(filePath, findings);
+        }
+      }
+    } catch {
+      // Package directory not accessible
+    }
+  }
+
+  return {
+    findings,
+    errors,
+    duration: Date.now() - startTime,
+  };
+}