secmanifest 1.0.0

package/src/utils/http.ts

@@ -0,0 +1,134 @@
+const OSS_INDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report";
+
+interface RequestOptions {
+  method?: string;
+  headers?: Record<string, string>;
+  body?: unknown;
+  timeout?: number;
+}
+
+export async function httpRequest<T>(
+  url: string,
+  options: RequestOptions = {},
+): Promise<T> {
+  const { method = "GET", headers = {}, body, timeout = 30000 } = options;
+
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), timeout);
+
+  try {
+    const response = await fetch(url, {
+      method,
+      headers: {
+        "Content-Type": "application/json",
+        ...headers,
+      },
+      body: body ? JSON.stringify(body) : undefined,
+      signal: controller.signal,
+    });
+
+    if (!response.ok) {
+      throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+    }
+
+    return (await response.json()) as T;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+
+export async function checkOssIndex(
+  packages: Array<{ name: string; version: string }>,
+  token?: string,
+): Promise<
+  Array<{
+    coordinates: string;
+    vulnerabilities: Array<{
+      id: string;
+      displayName: string;
+      title: string;
+      description: string;
+      severity: string;
+      cvssScore: number;
+      cve: string;
+      reference: string;
+      versionRanges: string[];
+    }>;
+    reference: string;
+  }>
+> {
+  const components = packages.map(
+    (pkg) => `pkg:npm/${pkg.name}@${pkg.version}`,
+  );
+
+  const headers: Record<string, string> = {};
+  if (token) {
+    headers["Authorization"] = `Bearer ${token}`;
+  }
+
+  const results: Array<{
+    coordinates: string;
+    vulnerabilities: Array<{
+      id: string;
+      displayName: string;
+      title: string;
+      description: string;
+      severity: string;
+      cvssScore: number;
+      cve: string;
+      reference: string;
+      versionRanges: string[];
+    }>;
+    reference: string;
+  }> = [];
+
+  const BATCH_SIZE = 128;
+
+  for (let i = 0; i < components.length; i += BATCH_SIZE) {
+    const batch = components.slice(i, i + BATCH_SIZE);
+
+    let retries = 3;
+    let delay = 1000;
+
+    while (retries > 0) {
+      try {
+        const response = await httpRequest<{
+          components: Array<{
+            coordinates: string;
+            vulnerabilities: Array<{
+              id: string;
+              displayName: string;
+              title: string;
+              description: string;
+              severity: string;
+              cvssScore: number;
+              cve: string;
+              reference: string;
+              versionRanges: string[];
+            }>;
+            reference: string;
+          }>;
+        }>(OSS_INDEX_URL, {
+          method: "POST",
+          headers,
+          body: { components: batch.map((c) => ({ coordinates: c })) },
+          timeout: 60000,
+        });
+
+        results.push(...response.components);
+        break;
+      } catch (error) {
+        retries--;
+        if (retries === 0) throw error;
+        await new Promise((resolve) => setTimeout(resolve, delay));
+        delay *= 2;
+      }
+    }
+
+    if (i + BATCH_SIZE < components.length) {
+      await new Promise((resolve) => setTimeout(resolve, 500));
+    }
+  }
+
+  return results;
+}

package/src/utils/registry.ts

@@ -0,0 +1,170 @@
+import { httpRequest } from "./http.js";
+
+interface NpmPackageMetadata {
+  name: string;
+  "dist-tags": Record<string, string>;
+  versions: Record<string, {
+    version: string;
+    dist: {
+      tarball: string;
+      integrity: string;
+    };
+    deprecated?: string;
+    time?: string;
+  }>;
+  time: Record<string, string>;
+}
+
+export interface SafeVersionResult {
+  packageName: string;
+  currentVersion: string;
+  latestVersion: string;
+  safeVersion: string | null;
+  reason: string;
+  allVersions: string[];
+}
+
+const UNSAFE_KEYWORDS = [
+  "deprecated",
+  "malicious",
+  "security",
+  "vulnerability",
+  "compromised",
+  "backdoor",
+  "malware",
+  "trojan",
+];
+
+export async function getPackageMetadata(
+  packageName: string,
+): Promise<NpmPackageMetadata | null> {
+  try {
+    const response = await httpRequest<NpmPackageMetadata>(
+      `https://registry.npmjs.org/${encodeURIComponent(packageName)}`,
+      {
+        headers: {
+          Accept: "application/vnd.npm.install-v1+json",
+        },
+        timeout: 10000,
+      },
+    );
+    return response;
+  } catch {
+    return null;
+  }
+}
+
+export async function findSafeVersion(
+  packageName: string,
+  currentVersion: string,
+): Promise<SafeVersionResult> {
+  const metadata = await getPackageMetadata(packageName);
+
+  if (!metadata) {
+    return {
+      packageName,
+      currentVersion,
+      latestVersion: currentVersion,
+      safeVersion: null,
+      reason: "No se pudo consultar el registry de npm",
+      allVersions: [],
+    };
+  }
+
+  const latestVersion = metadata["dist-tags"]?.["latest"] ?? currentVersion;
+  const allVersions = Object.keys(metadata.versions ?? {}).sort(
+    (a, b) => {
+      const timeA = metadata.time?.[a] ?? "";
+      const timeB = metadata.time?.[b] ?? "";
+      return timeB.localeCompare(timeA);
+    },
+  );
+
+  const currentMeta = metadata.versions?.[currentVersion];
+  if (currentMeta?.deprecated) {
+    const safeVersion = findNonDeprecatedVersion(
+      allVersions,
+      metadata,
+      currentVersion,
+    );
+
+    return {
+      packageName,
+      currentVersion,
+      latestVersion,
+      safeVersion,
+      reason: `Version ${currentVersion} esta deprecada: ${currentMeta.deprecated}`,
+      allVersions,
+    };
+  }
+
+  const isLatestUnsafe = latestVersion !== currentVersion;
+  if (isLatestUnsafe) {
+    const latestMeta = metadata.versions?.[latestVersion];
+    if (latestMeta?.deprecated) {
+      const safeVersion = findNonDeprecatedVersion(
+        allVersions,
+        metadata,
+        currentVersion,
+      );
+
+      return {
+        packageName,
+        currentVersion,
+        latestVersion,
+        safeVersion,
+        reason: `Version latest (${latestVersion}) esta deprecada`,
+        allVersions,
+      };
+    }
+  }
+
+  return {
+    packageName,
+    currentVersion,
+    latestVersion,
+    safeVersion: null,
+    reason: "Version actual parece segura",
+    allVersions,
+  };
+}
+
+function findNonDeprecatedVersion(
+  versions: string[],
+  metadata: NpmPackageMetadata,
+  excludeVersion: string,
+): string | null {
+  for (const version of versions) {
+    if (version === excludeVersion) continue;
+    const meta = metadata.versions?.[version];
+    if (meta && !meta.deprecated) {
+      return version;
+    }
+  }
+  return null;
+}
+
+export async function findLatestSafeVersion(
+  packageName: string,
+): Promise<string | null> {
+  const metadata = await getPackageMetadata(packageName);
+  if (!metadata) return null;
+
+  const latest = metadata["dist-tags"]?.["latest"];
+  if (!latest) return null;
+
+  const meta = metadata.versions?.[latest];
+  if (meta && !meta.deprecated) {
+    return latest;
+  }
+
+  const allVersions = Object.keys(metadata.versions ?? {}).sort(
+    (a, b) => {
+      const timeA = metadata.time?.[a] ?? "";
+      const timeB = metadata.time?.[b] ?? "";
+      return timeB.localeCompare(timeA);
+    },
+  );
+
+  return findNonDeprecatedVersion(allVersions, metadata, latest);
+}

package/src/utils/types.ts

@@ -0,0 +1,67 @@
+export type Severity = "critical" | "high" | "medium" | "low" | "info";
+
+export interface Finding {
+  id: string;
+  severity: Severity;
+  category: "vulnerability" | "malware" | "backdoor" | "drift" | "secrets" | "license" | "metadata" | "obfuscation" | "node-version";
+  title: string;
+  description: string;
+  package?: string;
+  version?: string;
+  cve?: string;
+  recommendation?: string;
+  reference?: string;
+}
+
+export interface ScanResult {
+  findings: Finding[];
+  errors: Error[];
+  duration: number;
+}
+
+export interface PackageManager {
+  name: "pnpm" | "bun" | "yarn" | "npm" | null;
+  command: string;
+  version?: string;
+  blocked: boolean;
+  reason?: string;
+}
+
+export interface ProjectInfo {
+  name: string;
+  version: string;
+  dependencies: Record<string, string>;
+  devDependencies: Record<string, string>;
+  scripts: Record<string, string>;
+  lockfilePath: string | null;
+  lockfileType: "pnpm" | "bun" | "yarn" | null;
+}
+
+export interface AuditReport {
+  projectPath: string;
+  projectName: string;
+  packageManager: PackageManager;
+  totalPackages: number;
+  findings: Finding[];
+  score: number;
+  duration: number;
+  timestamp: string;
+}
+
+export interface OssIndexResponse {
+  coordinates: string;
+  vulnerabilities: OssIndexVulnerability[];
+  reference: string;
+}
+
+export interface OssIndexVulnerability {
+  id: string;
+  displayName: string;
+  title: string;
+  description: string;
+  severity: string;
+  cvssScore: number;
+  cve: string;
+  reference: string;
+  versionRanges: string[];
+}