secure-scan 1.2.2

package/dist/dependencies/database/cveDatabase.js

@@ -0,0 +1,393 @@
+"use strict";
+/**
+ * Known Vulnerable Packages Database
+ * Static database of known CVEs for offline vulnerability detection
+ * This is a sample database - in production, integrate with OSV, NVD, or Snyk APIs
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CVE_DATABASE = void 0;
+exports.isVersionVulnerable = isVersionVulnerable;
+exports.getCVEsForPackage = getCVEsForPackage;
+exports.getAllCVEs = getAllCVEs;
+const types_1 = require("../types");
+/**
+ * Sample CVE database with well-known vulnerabilities
+ */
+exports.CVE_DATABASE = [
+    // Log4Shell - Critical Java vulnerability
+    {
+        ecosystem: 'maven',
+        packageName: 'org.apache.logging.log4j:log4j-core',
+        cve: {
+            id: 'CVE-2021-44228',
+            description: 'Apache Log4j2 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.',
+            cvssScore: 10.0,
+            severity: types_1.Severity.CRITICAL,
+            publishedDate: '2021-12-10',
+            references: [
+                'https://nvd.nist.gov/vuln/detail/CVE-2021-44228',
+                'https://logging.apache.org/log4j/2.x/security.html'
+            ],
+            fixedVersion: '2.17.0',
+            cwes: ['CWE-502', 'CWE-400', 'CWE-20'],
+            exploitAvailable: true
+        },
+        vulnerableVersions: ['2.0-beta9', '2.0-rc1', '2.0-rc2', '2.0', '2.0.1', '2.0.2', '2.1', '2.2', '2.3', '2.4', '2.4.1', '2.5', '2.6', '2.6.1', '2.6.2', '2.7', '2.8', '2.8.1', '2.8.2', '2.9.0', '2.9.1', '2.10.0', '2.11.0', '2.11.1', '2.11.2', '2.12.0', '2.12.1', '2.13.0', '2.13.1', '2.13.2', '2.13.3', '2.14.0', '2.14.1', '2.15.0', '2.16.0']
+    },
+    // Lodash prototype pollution
+    {
+        ecosystem: 'npm',
+        packageName: 'lodash',
+        cve: {
+            id: 'CVE-2020-8203',
+            description: 'Prototype pollution vulnerability in lodash before 4.17.20 allows attackers to cause denial of service or execute arbitrary code via merge, mergeWith, and defaultsDeep functions.',
+            cvssScore: 7.4,
+            severity: types_1.Severity.HIGH,
+            publishedDate: '2020-07-15',
+            references: [
+                'https://nvd.nist.gov/vuln/detail/CVE-2020-8203',
+                'https://github.com/lodash/lodash/issues/4744'
+            ],
+            fixedVersion: '4.17.20',
+            cwes: ['CWE-1321'],
+            exploitAvailable: true
+        },
+        vulnerableVersions: ['<4.17.20']
+    },
+    {
+        ecosystem: 'npm',
+        packageName: 'lodash',
+        cve: {
+            id: 'CVE-2021-23337',
+            description: 'Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.',
+            cvssScore: 7.2,
+            severity: types_1.Severity.HIGH,
+            publishedDate: '2021-02-15',
+            references: [
+                'https://nvd.nist.gov/vuln/detail/CVE-2021-23337',
+                'https://snyk.io/vuln/SNYK-JS-LODASH-1040724'
+            ],
+            fixedVersion: '4.17.21',
+            cwes: ['CWE-94'],
+            exploitAvailable: true
+        },
+        vulnerableVersions: ['<4.17.21']
+    },
+    // Express.js vulnerabilities
+    {
+        ecosystem: 'npm',
+        packageName: 'express',
+        cve: {
+            id: 'CVE-2022-24999',
+            description: 'qs before 6.10.3 allows attackers to cause a Node process hang because an __ proto__ key can be used.',
+            cvssScore: 7.5,
+            severity: types_1.Severity.HIGH,
+            publishedDate: '2022-11-26',
+            references: [
+                'https://nvd.nist.gov/vuln/detail/CVE-2022-24999'
+            ],
+            fixedVersion: '4.18.2',
+            cwes: ['CWE-1321'],
+            exploitAvailable: false
+        },
+        vulnerableVersions: ['<4.18.2']
+    },
+    // Django vulnerabilities
+    {
+        ecosystem: 'pip',
+        packageName: 'django',
+        cve: {
+            id: 'CVE-2023-36053',
+            description: 'Django 3.2 before 3.2.20, 4.1 before 4.1.10, and 4.2 before 4.2.3 allows a denial of service via EmailValidator/URLValidator regex backtracking.',
+            cvssScore: 7.5,
+            severity: types_1.Severity.HIGH,
+            publishedDate: '2023-07-03',
+            references: [
+                'https://nvd.nist.gov/vuln/detail/CVE-2023-36053',
+                'https://www.djangoproject.com/weblog/2023/jul/03/security-releases/'
+            ],
+            fixedVersion: '4.2.3',
+            cwes: ['CWE-1333'],
+            exploitAvailable: false
+        },
+        vulnerableVersions: ['<3.2.20', '>=4.0,<4.1.10', '>=4.2,<4.2.3']
+    },
+    {
+        ecosystem: 'pip',
+        packageName: 'django',
+        cve: {
+            id: 'CVE-2023-41164',
+            description: 'Django 3.2.x before 3.2.21, 4.1.x before 4.1.11, and 4.2.x before 4.2.5 allows a denial of service in django.utils.encoding.uri_to_iri.',
+            cvssScore: 7.5,
+            severity: types_1.Severity.HIGH,
+            publishedDate: '2023-09-04',
+            references: [
+                'https://nvd.nist.gov/vuln/detail/CVE-2023-41164'
+            ],
+            fixedVersion: '4.2.5',
+            cwes: ['CWE-400'],
+            exploitAvailable: false
+        },
+        vulnerableVersions: ['<3.2.21', '>=4.0,<4.1.11', '>=4.2,<4.2.5']
+    },
+    // Flask vulnerabilities
+    {
+        ecosystem: 'pip',
+        packageName: 'flask',
+        cve: {
+            id: 'CVE-2023-30861',
+            description: 'Flask is a lightweight WSGI web application framework. Versions prior to 2.2.5 and 2.3.2 are vulnerable to possible disclosure of permanent session cookie.',
+            cvssScore: 7.5,
+            severity: types_1.Severity.HIGH,
+            publishedDate: '2023-05-02',
+            references: [
+                'https://nvd.nist.gov/vuln/detail/CVE-2023-30861',
+                'https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq'
+            ],
+            fixedVersion: '2.3.2',
+            cwes: ['CWE-539'],
+            exploitAvailable: false
+        },
+        vulnerableVersions: ['<2.2.5', '>=2.3,<2.3.2']
+    },
+    // Axios vulnerabilities
+    {
+        ecosystem: 'npm',
+        packageName: 'axios',
+        cve: {
+            id: 'CVE-2023-45857',
+            description: 'An issue in Axios allows a request to a non-HTTPS destination to leak the secret XSRF-TOKEN cookie value.',
+            cvssScore: 6.5,
+            severity: types_1.Severity.MEDIUM,
+            publishedDate: '2023-11-08',
+            references: [
+                'https://nvd.nist.gov/vuln/detail/CVE-2023-45857'
+            ],
+            fixedVersion: '1.6.0',
+            cwes: ['CWE-352'],
+            exploitAvailable: false
+        },
+        vulnerableVersions: ['>=0.8.1,<1.6.0']
+    },
+    // jQuery vulnerabilities
+    {
+        ecosystem: 'npm',
+        packageName: 'jquery',
+        cve: {
+            id: 'CVE-2020-11023',
+            description: 'In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources to one of jQuerys DOM manipulation methods may execute untrusted code.',
+            cvssScore: 6.1,
+            severity: types_1.Severity.MEDIUM,
+            publishedDate: '2020-04-29',
+            references: [
+                'https://nvd.nist.gov/vuln/detail/CVE-2020-11023',
+                'https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/'
+            ],
+            fixedVersion: '3.5.0',
+            cwes: ['CWE-79'],
+            exploitAvailable: true
+        },
+        vulnerableVersions: ['>=1.0.3,<3.5.0']
+    },
+    // Symfony vulnerabilities
+    {
+        ecosystem: 'composer',
+        packageName: 'symfony/http-kernel',
+        cve: {
+            id: 'CVE-2023-46733',
+            description: 'Symfony is a PHP framework. When using the RememberMe Bundle, an attacker can cause a session to survive an password change.',
+            cvssScore: 6.5,
+            severity: types_1.Severity.MEDIUM,
+            publishedDate: '2023-11-10',
+            references: [
+                'https://nvd.nist.gov/vuln/detail/CVE-2023-46733',
+                'https://symfony.com/cve-2023-46733'
+            ],
+            fixedVersion: '6.3.8',
+            cwes: ['CWE-613'],
+            exploitAvailable: false
+        },
+        vulnerableVersions: ['>=5.4,<5.4.31', '>=6.0,<6.3.8']
+    },
+    // Laravel vulnerabilities
+    {
+        ecosystem: 'composer',
+        packageName: 'laravel/framework',
+        cve: {
+            id: 'CVE-2021-43617',
+            description: 'Laravel Framework before 8.75.0 is vulnerable to cookie theft due to insecure default cookie serialization.',
+            cvssScore: 9.8,
+            severity: types_1.Severity.CRITICAL,
+            publishedDate: '2021-11-18',
+            references: [
+                'https://nvd.nist.gov/vuln/detail/CVE-2021-43617'
+            ],
+            fixedVersion: '8.75.0',
+            cwes: ['CWE-502'],
+            exploitAvailable: true
+        },
+        vulnerableVersions: ['<8.75.0']
+    },
+    // Spring Framework vulnerabilities
+    {
+        ecosystem: 'maven',
+        packageName: 'org.springframework:spring-core',
+        cve: {
+            id: 'CVE-2022-22965',
+            description: 'Spring Framework RCE via Data Binding on JDK 9+ (Spring4Shell)',
+            cvssScore: 9.8,
+            severity: types_1.Severity.CRITICAL,
+            publishedDate: '2022-03-31',
+            references: [
+                'https://nvd.nist.gov/vuln/detail/CVE-2022-22965',
+                'https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement'
+            ],
+            fixedVersion: '5.3.18',
+            cwes: ['CWE-94'],
+            exploitAvailable: true
+        },
+        vulnerableVersions: ['>=5.3.0,<5.3.18', '>=5.2.0,<5.2.20']
+    },
+    // Jackson vulnerabilities
+    {
+        ecosystem: 'maven',
+        packageName: 'com.fasterxml.jackson.core:jackson-databind',
+        cve: {
+            id: 'CVE-2020-36518',
+            description: 'jackson-databind allows Java stack overflow exception via a deeply nested JSON array.',
+            cvssScore: 7.5,
+            severity: types_1.Severity.HIGH,
+            publishedDate: '2022-03-11',
+            references: [
+                'https://nvd.nist.gov/vuln/detail/CVE-2020-36518'
+            ],
+            fixedVersion: '2.13.2.1',
+            cwes: ['CWE-787'],
+            exploitAvailable: false
+        },
+        vulnerableVersions: ['<2.13.2.1']
+    },
+    // Newtonsoft.Json vulnerabilities
+    {
+        ecosystem: 'nuget',
+        packageName: 'Newtonsoft.Json',
+        cve: {
+            id: 'CVE-2024-21907',
+            description: 'Newtonsoft.Json before 13.0.1 is vulnerable to a denial of service attack when parsing deeply nested JSON.',
+            cvssScore: 7.5,
+            severity: types_1.Severity.HIGH,
+            publishedDate: '2024-01-03',
+            references: [
+                'https://nvd.nist.gov/vuln/detail/CVE-2024-21907'
+            ],
+            fixedVersion: '13.0.1',
+            cwes: ['CWE-400'],
+            exploitAvailable: false
+        },
+        vulnerableVersions: ['<13.0.1']
+    },
+    // OpenSSL vulnerabilities
+    {
+        ecosystem: 'vcpkg',
+        packageName: 'openssl',
+        cve: {
+            id: 'CVE-2022-3602',
+            description: 'X.509 Email Address 4-byte Buffer Overflow in OpenSSL.',
+            cvssScore: 7.5,
+            severity: types_1.Severity.HIGH,
+            publishedDate: '2022-11-01',
+            references: [
+                'https://nvd.nist.gov/vuln/detail/CVE-2022-3602',
+                'https://www.openssl.org/news/secadv/20221101.txt'
+            ],
+            fixedVersion: '3.0.7',
+            cwes: ['CWE-120'],
+            exploitAvailable: true
+        },
+        vulnerableVersions: ['>=3.0.0,<3.0.7']
+    }
+];
+/**
+ * Check if a version matches a vulnerable version pattern
+ */
+function isVersionVulnerable(version, vulnerablePatterns) {
+    // Normalize version
+    const normalizedVersion = version.replace(/^[v=]/, '').trim();
+    for (const pattern of vulnerablePatterns) {
+        if (matchVersionPattern(normalizedVersion, pattern)) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Match version against a pattern
+ * Supports: exact match, <version, <=version, >version, >=version, range
+ */
+function matchVersionPattern(version, pattern) {
+    // Exact match
+    if (pattern === version)
+        return true;
+    // Less than
+    if (pattern.startsWith('<')) {
+        const targetVersion = pattern.replace(/^<=?/, '');
+        const isLessOrEqual = pattern.startsWith('<=');
+        const comparison = compareVersions(version, targetVersion);
+        return isLessOrEqual ? comparison <= 0 : comparison < 0;
+    }
+    // Greater than
+    if (pattern.startsWith('>')) {
+        const targetVersion = pattern.replace(/^>=?/, '');
+        const isGreaterOrEqual = pattern.startsWith('>=');
+        const comparison = compareVersions(version, targetVersion);
+        return isGreaterOrEqual ? comparison >= 0 : comparison > 0;
+    }
+    // Range (e.g., ">=1.0.0,<2.0.0")
+    if (pattern.includes(',')) {
+        const parts = pattern.split(',');
+        return parts.every(p => matchVersionPattern(version, p.trim()));
+    }
+    // Wildcard match
+    if (pattern === '*')
+        return true;
+    return false;
+}
+/**
+ * Compare two semver versions
+ * Returns: -1 if a < b, 0 if a == b, 1 if a > b
+ */
+function compareVersions(a, b) {
+    const partsA = a.split('.').map(p => parseInt(p, 10) || 0);
+    const partsB = b.split('.').map(p => parseInt(p, 10) || 0);
+    const maxLength = Math.max(partsA.length, partsB.length);
+    for (let i = 0; i < maxLength; i++) {
+        const partA = partsA[i] || 0;
+        const partB = partsB[i] || 0;
+        if (partA < partB)
+            return -1;
+        if (partA > partB)
+            return 1;
+    }
+    return 0;
+}
+/**
+ * Get CVEs for a package
+ */
+function getCVEsForPackage(packageName, ecosystem, version) {
+    const entries = exports.CVE_DATABASE.filter(e => e.packageName.toLowerCase() === packageName.toLowerCase() &&
+        e.ecosystem === ecosystem);
+    if (!version) {
+        return entries.map(e => e.cve);
+    }
+    // Filter by vulnerable version
+    return entries
+        .filter(e => isVersionVulnerable(version, e.vulnerableVersions))
+        .map(e => e.cve);
+}
+/**
+ * Get all CVEs in the database
+ */
+function getAllCVEs() {
+    return exports.CVE_DATABASE;
+}
+//# sourceMappingURL=cveDatabase.js.map

package/dist/dependencies/database/cveDatabase.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cveDatabase.js","sourceRoot":"","sources":["../../../src/dependencies/database/cveDatabase.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAuUH,kDAWC;AA8DD,8CAcC;AAKD,gCAEC;AAnaD,oCAA+D;AAY/D;;GAEG;AACU,QAAA,YAAY,GAAuB;IAC9C,0CAA0C;IAC1C;QACE,SAAS,EAAE,OAAO;QAClB,WAAW,EAAE,qCAAqC;QAClD,GAAG,EAAE;YACH,EAAE,EAAE,gBAAgB;YACpB,WAAW,EAAE,mKAAmK;YAChL,SAAS,EAAE,IAAI;YACf,QAAQ,EAAE,gBAAQ,CAAC,QAAQ;YAC3B,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE;gBACV,iDAAiD;gBACjD,oDAAoD;aACrD;YACD,YAAY,EAAE,QAAQ;YACtB,IAAI,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC;YACtC,gBAAgB,EAAE,IAAI;SACvB;QACD,kBAAkB,EAAE,CAAC,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC;KACpV;IAED,6BAA6B;IAC7B;QACE,SAAS,EAAE,KAAK;QAChB,WAAW,EAAE,QAAQ;QACrB,GAAG,EAAE;YACH,EAAE,EAAE,eAAe;YACnB,WAAW,EAAE,oLAAoL;YACjM,SAAS,EAAE,GAAG;YACd,QAAQ,EAAE,gBAAQ,CAAC,IAAI;YACvB,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE;gBACV,gDAAgD;gBAChD,8CAA8C;aAC/C;YACD,YAAY,EAAE,SAAS;YACvB,IAAI,EAAE,CAAC,UAAU,CAAC;YAClB,gBAAgB,EAAE,IAAI;SACvB;QACD,kBAAkB,EAAE,CAAC,UAAU,CAAC;KACjC;IACD;QACE,SAAS,EAAE,KAAK;QAChB,WAAW,EAAE,QAAQ;QACrB,GAAG,EAAE;YACH,EAAE,EAAE,gBAAgB;YACpB,WAAW,EAAE,iGAAiG;YAC9G,SAAS,EAAE,GAAG;YACd,QAAQ,EAAE,gBAAQ,CAAC,IAAI;YACvB,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE;gBACV,iDAAiD;gBACjD,6CAA6C;aAC9C;YACD,YAAY,EAAE,SAAS;YACvB,IAAI,EAAE,CAAC,QAAQ,CAAC;YAChB,gBAAgB,EAAE,IAAI;SACvB;QACD,kBAAkB,EAAE,CAAC,UAAU,CAAC;KACjC;IAED,6BAA6B;IAC7B;QACE,SAAS,EAAE,KAAK;QAChB,WAAW,EAAE,SAAS;QACtB,GAAG,EAAE;YACH,EAAE,EAAE,gBAAgB;YACpB,WAAW,EAAE,uGAAuG;YACpH,SAAS,EAAE,GAAG;YACd,QAAQ,EAAE,gBAAQ,CAAC,IAAI;YACvB,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE;gBACV,iDAAiD;aAClD;YACD,YAAY,EAAE,QAAQ;YACtB,IAAI,EAAE,CAAC,UAAU,CAAC;YAClB,gBAAgB,EAAE,KAAK;SACxB;QACD,kBAAkB,EAAE,CAAC,SAAS,CAAC;KAChC;IAED,yBAAyB;IACzB;QACE,SAAS,EAAE,KAAK;QAChB,WAAW,EAAE,QAAQ;QACrB,GAAG,EAAE;YACH,EAAE,EAAE,gBAAgB;YACpB,WAAW,EAAE,kJAAkJ;YAC/J,SAAS,EAAE,GAAG;YACd,QAAQ,EAAE,gBAAQ,CAAC,IAAI;YACvB,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE;gBACV,iDAAiD;gBACjD,qEAAqE;aACtE;YACD,YAAY,EAAE,OAAO;YACrB,IAAI,EAAE,CAAC,UAAU,CAAC;YAClB,gBAAgB,EAAE,KAAK;SACxB;QACD,kBAAkB,EAAE,CAAC,SAAS,EAAE,eAAe,EAAE,cAAc,CAAC;KACjE;IACD;QACE,SAAS,EAAE,KAAK;QAChB,WAAW,EAAE,QAAQ;QACrB,GAAG,EAAE;YACH,EAAE,EAAE,gBAAgB;YACpB,WAAW,EAAE,yIAAyI;YACtJ,SAAS,EAAE,GAAG;YACd,QAAQ,EAAE,gBAAQ,CAAC,IAAI;YACvB,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE;gBACV,iDAAiD;aAClD;YACD,YAAY,EAAE,OAAO;YACrB,IAAI,EAAE,CAAC,SAAS,CAAC;YACjB,gBAAgB,EAAE,KAAK;SACxB;QACD,kBAAkB,EAAE,CAAC,SAAS,EAAE,eAAe,EAAE,cAAc,CAAC;KACjE;IAED,wBAAwB;IACxB;QACE,SAAS,EAAE,KAAK;QAChB,WAAW,EAAE,OAAO;QACpB,GAAG,EAAE;YACH,EAAE,EAAE,gBAAgB;YACpB,WAAW,EAAE,6JAA6J;YAC1K,SAAS,EAAE,GAAG;YACd,QAAQ,EAAE,gBAAQ,CAAC,IAAI;YACvB,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE;gBACV,iDAAiD;gBACjD,0EAA0E;aAC3E;YACD,YAAY,EAAE,OAAO;YACrB,IAAI,EAAE,CAAC,SAAS,CAAC;YACjB,gBAAgB,EAAE,KAAK;SACxB;QACD,kBAAkB,EAAE,CAAC,QAAQ,EAAE,cAAc,CAAC;KAC/C;IAED,wBAAwB;IACxB;QACE,SAAS,EAAE,KAAK;QAChB,WAAW,EAAE,OAAO;QACpB,GAAG,EAAE;YACH,EAAE,EAAE,gBAAgB;YACpB,WAAW,EAAE,2GAA2G;YACxH,SAAS,EAAE,GAAG;YACd,QAAQ,EAAE,gBAAQ,CAAC,MAAM;YACzB,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE;gBACV,iDAAiD;aAClD;YACD,YAAY,EAAE,OAAO;YACrB,IAAI,EAAE,CAAC,SAAS,CAAC;YACjB,gBAAgB,EAAE,KAAK;SACxB;QACD,kBAAkB,EAAE,CAAC,gBAAgB,CAAC;KACvC;IAED,yBAAyB;IACzB;QACE,SAAS,EAAE,KAAK;QAChB,WAAW,EAAE,QAAQ;QACrB,GAAG,EAAE;YACH,EAAE,EAAE,gBAAgB;YACpB,WAAW,EAAE,6MAA6M;YAC1N,SAAS,EAAE,GAAG;YACd,QAAQ,EAAE,gBAAQ,CAAC,MAAM;YACzB,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE;gBACV,iDAAiD;gBACjD,2DAA2D;aAC5D;YACD,YAAY,EAAE,OAAO;YACrB,IAAI,EAAE,CAAC,QAAQ,CAAC;YAChB,gBAAgB,EAAE,IAAI;SACvB;QACD,kBAAkB,EAAE,CAAC,gBAAgB,CAAC;KACvC;IAED,0BAA0B;IAC1B;QACE,SAAS,EAAE,UAAU;QACrB,WAAW,EAAE,qBAAqB;QAClC,GAAG,EAAE;YACH,EAAE,EAAE,gBAAgB;YACpB,WAAW,EAAE,8HAA8H;YAC3I,SAAS,EAAE,GAAG;YACd,QAAQ,EAAE,gBAAQ,CAAC,MAAM;YACzB,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE;gBACV,iDAAiD;gBACjD,oCAAoC;aACrC;YACD,YAAY,EAAE,OAAO;YACrB,IAAI,EAAE,CAAC,SAAS,CAAC;YACjB,gBAAgB,EAAE,KAAK;SACxB;QACD,kBAAkB,EAAE,CAAC,eAAe,EAAE,cAAc,CAAC;KACtD;IAED,0BAA0B;IAC1B;QACE,SAAS,EAAE,UAAU;QACrB,WAAW,EAAE,mBAAmB;QAChC,GAAG,EAAE;YACH,EAAE,EAAE,gBAAgB;YACpB,WAAW,EAAE,6GAA6G;YAC1H,SAAS,EAAE,GAAG;YACd,QAAQ,EAAE,gBAAQ,CAAC,QAAQ;YAC3B,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE;gBACV,iDAAiD;aAClD;YACD,YAAY,EAAE,QAAQ;YACtB,IAAI,EAAE,CAAC,SAAS,CAAC;YACjB,gBAAgB,EAAE,IAAI;SACvB;QACD,kBAAkB,EAAE,CAAC,SAAS,CAAC;KAChC;IAED,mCAAmC;IACnC;QACE,SAAS,EAAE,OAAO;QAClB,WAAW,EAAE,iCAAiC;QAC9C,GAAG,EAAE;YACH,EAAE,EAAE,gBAAgB;YACpB,WAAW,EAAE,gEAAgE;YAC7E,SAAS,EAAE,GAAG;YACd,QAAQ,EAAE,gBAAQ,CAAC,QAAQ;YAC3B,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE;gBACV,iDAAiD;gBACjD,2EAA2E;aAC5E;YACD,YAAY,EAAE,QAAQ;YACtB,IAAI,EAAE,CAAC,QAAQ,CAAC;YAChB,gBAAgB,EAAE,IAAI;SACvB;QACD,kBAAkB,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;KAC3D;IAED,0BAA0B;IAC1B;QACE,SAAS,EAAE,OAAO;QAClB,WAAW,EAAE,6CAA6C;QAC1D,GAAG,EAAE;YACH,EAAE,EAAE,gBAAgB;YACpB,WAAW,EAAE,uFAAuF;YACpG,SAAS,EAAE,GAAG;YACd,QAAQ,EAAE,gBAAQ,CAAC,IAAI;YACvB,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE;gBACV,iDAAiD;aAClD;YACD,YAAY,EAAE,UAAU;YACxB,IAAI,EAAE,CAAC,SAAS,CAAC;YACjB,gBAAgB,EAAE,KAAK;SACxB;QACD,kBAAkB,EAAE,CAAC,WAAW,CAAC;KAClC;IAED,kCAAkC;IAClC;QACE,SAAS,EAAE,OAAO;QAClB,WAAW,EAAE,iBAAiB;QAC9B,GAAG,EAAE;YACH,EAAE,EAAE,gBAAgB;YACpB,WAAW,EAAE,4GAA4G;YACzH,SAAS,EAAE,GAAG;YACd,QAAQ,EAAE,gBAAQ,CAAC,IAAI;YACvB,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE;gBACV,iDAAiD;aAClD;YACD,YAAY,EAAE,QAAQ;YACtB,IAAI,EAAE,CAAC,SAAS,CAAC;YACjB,gBAAgB,EAAE,KAAK;SACxB;QACD,kBAAkB,EAAE,CAAC,SAAS,CAAC;KAChC;IAED,0BAA0B;IAC1B;QACE,SAAS,EAAE,OAAO;QAClB,WAAW,EAAE,SAAS;QACtB,GAAG,EAAE;YACH,EAAE,EAAE,eAAe;YACnB,WAAW,EAAE,wDAAwD;YACrE,SAAS,EAAE,GAAG;YACd,QAAQ,EAAE,gBAAQ,CAAC,IAAI;YACvB,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE;gBACV,gDAAgD;gBAChD,kDAAkD;aACnD;YACD,YAAY,EAAE,OAAO;YACrB,IAAI,EAAE,CAAC,SAAS,CAAC;YACjB,gBAAgB,EAAE,IAAI;SACvB;QACD,kBAAkB,EAAE,CAAC,gBAAgB,CAAC;KACvC;CACF,CAAC;AAEF;;GAEG;AACH,SAAgB,mBAAmB,CAAC,OAAe,EAAE,kBAA4B;IAC/E,oBAAoB;IACpB,MAAM,iBAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAE9D,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;QACzC,IAAI,mBAAmB,CAAC,iBAAiB,EAAE,OAAO,CAAC,EAAE,CAAC;YACpD,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,SAAS,mBAAmB,CAAC,OAAe,EAAE,OAAe;IAC3D,cAAc;IACd,IAAI,OAAO,KAAK,OAAO;QAAE,OAAO,IAAI,CAAC;IAErC,YAAY;IACZ,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAClD,MAAM,aAAa,GAAG,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAC/C,MAAM,UAAU,GAAG,eAAe,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,OAAO,aAAa,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC;IAC1D,CAAC;IAED,eAAe;IACf,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAClD,MAAM,gBAAgB,GAAG,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAClD,MAAM,UAAU,GAAG,eAAe,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC3D,OAAO,gBAAgB,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC;IAC7D,CAAC;IAED,iCAAiC;IACjC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACjC,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,mBAAmB,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAClE,CAAC;IAED,iBAAiB;IACjB,IAAI,OAAO,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAEjC,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,SAAS,eAAe,CAAC,CAAS,EAAE,CAAS;IAC3C,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;IAE3D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IAEzD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,EAAE,CAAC,EAAE,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAC7B,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAE7B,IAAI,KAAK,GAAG,KAAK;YAAE,OAAO,CAAC,CAAC,CAAC;QAC7B,IAAI,KAAK,GAAG,KAAK;YAAE,OAAO,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,WAAmB,EAAE,SAA2B,EAAE,OAAgB;IAClG,MAAM,OAAO,GAAG,oBAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACtC,CAAC,CAAC,WAAW,CAAC,WAAW,EAAE,KAAK,WAAW,CAAC,WAAW,EAAE;QACzD,CAAC,CAAC,SAAS,KAAK,SAAS,CAC1B,CAAC;IAEF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC;IAED,+BAA+B;IAC/B,OAAO,OAAO;SACX,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,mBAAmB,CAAC,OAAO,EAAE,CAAC,CAAC,kBAAkB,CAAC,CAAC;SAC/D,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,SAAgB,UAAU;IACxB,OAAO,oBAAY,CAAC;AACtB,CAAC"}

package/dist/dependencies/database/index.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Database Module Exports
+ */
+export * from './maliciousPackages';
+export * from './cveDatabase';
+//# sourceMappingURL=index.d.ts.map

package/dist/dependencies/database/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/dependencies/database/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,cAAc,qBAAqB,CAAC;AACpC,cAAc,eAAe,CAAC"}

package/dist/dependencies/database/index.js

@@ -0,0 +1,22 @@
+"use strict";
+/**
+ * Database Module Exports
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./maliciousPackages"), exports);
+__exportStar(require("./cveDatabase"), exports);
+//# sourceMappingURL=index.js.map

package/dist/dependencies/database/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/dependencies/database/index.ts"],"names":[],"mappings":";AAAA;;GAEG;;;;;;;;;;;;;;;;AAEH,sDAAoC;AACpC,gDAA8B"}

package/dist/dependencies/database/maliciousPackages.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Known Malicious Packages Database
+ * Static database of known malicious packages for offline detection
+ * Updated: 2024-01
+ */
+import { MaliciousPackageEntry, PackageEcosystem } from '../types';
+/**
+ * Database of known malicious packages
+ * Sources: npm security advisories, PyPI reports, Snyk, etc.
+ */
+export declare const KNOWN_MALICIOUS_PACKAGES: MaliciousPackageEntry[];
+/**
+ * Popular package names for typosquatting detection
+ */
+export declare const POPULAR_PACKAGES: Record<PackageEcosystem, string[]>;
+/**
+ * Known abandoned/deprecated packages
+ */
+export declare const DEPRECATED_PACKAGES: Record<string, {
+    ecosystem: PackageEcosystem;
+    replacement?: string;
+    reason: string;
+}>;
+/**
+ * Packages known to have dangerous post-install scripts
+ */
+export declare const DANGEROUS_POSTINSTALL_PACKAGES: string[];
+/**
+ * Get malicious package entry if exists
+ */
+export declare function getMaliciousPackage(name: string, ecosystem: PackageEcosystem): MaliciousPackageEntry | undefined;
+/**
+ * Check if package is deprecated
+ */
+export declare function isDeprecatedPackage(name: string): {
+    deprecated: boolean;
+    info?: typeof DEPRECATED_PACKAGES[string];
+};
+/**
+ * Get popular packages for an ecosystem (for typosquatting detection)
+ */
+export declare function getPopularPackages(ecosystem: PackageEcosystem): string[];
+//# sourceMappingURL=maliciousPackages.d.ts.map

package/dist/dependencies/database/maliciousPackages.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"maliciousPackages.d.ts","sourceRoot":"","sources":["../../../src/dependencies/database/maliciousPackages.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,qBAAqB,EAAoB,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAErF;;;GAGG;AACH,eAAO,MAAM,wBAAwB,EAAE,qBAAqB,EA4K3D,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,EAAE,MAAM,EAAE,CAiD/D,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE;IAAE,SAAS,EAAE,gBAAgB,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAUrH,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,8BAA8B,EAAE,MAAM,EAGlD,CAAC;AAEF;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,gBAAgB,GAAG,qBAAqB,GAAG,SAAS,CAIhH;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG;IAAE,UAAU,EAAE,OAAO,CAAC;IAAC,IAAI,CAAC,EAAE,OAAO,mBAAmB,CAAC,MAAM,CAAC,CAAA;CAAE,CAGpH;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,gBAAgB,GAAG,MAAM,EAAE,CAExE"}