secure-scan 1.2.2

package/dist/dependencies/detectors/vulnerabilityDetector.js

@@ -0,0 +1,289 @@
+"use strict";
+/**
+ * Vulnerability Detector
+ * Detects vulnerabilities, supply chain risks, and malicious packages
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VulnerabilityDetector = void 0;
+const types_1 = require("../types");
+const types_2 = require("../../types");
+const utils_1 = require("../../utils");
+const cveDatabase_1 = require("../database/cveDatabase");
+const maliciousPackages_1 = require("../database/maliciousPackages");
+const securityStandards_1 = require("./securityStandards");
+const logger_1 = require("../../utils/logger");
+/**
+ * Vulnerability Detector Class
+ * Detects various security issues in dependencies
+ */
+class VulnerabilityDetector {
+    /**
+     * Analyze a dependency for vulnerabilities and risks
+     */
+    async analyzeDependency(dependency) {
+        const vulnerabilities = [];
+        // Check for known malicious packages
+        const maliciousCheck = await this.checkMaliciousPackage(dependency);
+        if (maliciousCheck) {
+            vulnerabilities.push(maliciousCheck);
+        }
+        // Check for CVEs
+        const cveVulns = await this.checkCVEs(dependency);
+        vulnerabilities.push(...cveVulns);
+        // Check for typosquatting
+        const typosquatCheck = await this.checkTyposquatting(dependency);
+        if (typosquatCheck) {
+            vulnerabilities.push(typosquatCheck);
+        }
+        // Check for deprecated packages
+        const deprecatedCheck = await this.checkDeprecated(dependency);
+        if (deprecatedCheck) {
+            vulnerabilities.push(deprecatedCheck);
+        }
+        // Check for supply chain risks
+        const supplyChainRisks = await this.checkSupplyChainRisks(dependency);
+        vulnerabilities.push(...supplyChainRisks);
+        return vulnerabilities;
+    }
+    /**
+     * Check if package is known malicious
+     */
+    async checkMaliciousPackage(dependency) {
+        const malicious = (0, maliciousPackages_1.getMaliciousPackage)(dependency.name, dependency.ecosystem);
+        if (!malicious)
+            return null;
+        // Check if affected version
+        if (malicious.affectedVersions && malicious.affectedVersions !== '*') {
+            const version = dependency.resolvedVersion || dependency.version;
+            const affectedVersions = malicious.affectedVersions.split(',').map(v => v.trim());
+            if (!affectedVersions.some(v => v === version || v === '*')) {
+                return null;
+            }
+        }
+        logger_1.logger.debug(`[VulnDetector] Malicious package detected: ${dependency.name}`);
+        return {
+            id: (0, utils_1.generateId)(),
+            dependency,
+            severity: types_2.Severity.CRITICAL,
+            category: types_1.DependencyRiskCategory.MALICIOUS,
+            title: `Known Malicious Package: ${dependency.name}`,
+            description: malicious.description,
+            malwareIndicators: malicious.indicators,
+            standards: (0, securityStandards_1.getStandardsForDependencyRisk)(types_1.DependencyRiskCategory.MALICIOUS),
+            recommendation: types_1.DependencyRecommendation.REMOVE,
+            recommendationDetails: `Immediately remove ${dependency.name} from your project. This package has been reported as malicious. ${malicious.references.length > 0 ? 'See references for more information.' : ''}`,
+            confidence: 100,
+            timestamp: new Date()
+        };
+    }
+    /**
+     * Check for known CVEs
+     */
+    async checkCVEs(dependency) {
+        const vulnerabilities = [];
+        const version = dependency.resolvedVersion || dependency.version;
+        // Skip if no version specified
+        if (!version || version === '*') {
+            return vulnerabilities;
+        }
+        const cves = (0, cveDatabase_1.getCVEsForPackage)(dependency.name, dependency.ecosystem, version);
+        for (const cve of cves) {
+            logger_1.logger.debug(`[VulnDetector] CVE detected: ${cve.id} in ${dependency.name}@${version}`);
+            vulnerabilities.push({
+                id: (0, utils_1.generateId)(),
+                dependency,
+                severity: cve.severity,
+                category: types_1.DependencyRiskCategory.VULNERABILITY,
+                title: `${cve.id}: ${dependency.name}`,
+                description: cve.description,
+                cve,
+                standards: (0, securityStandards_1.getStandardsForDependencyRisk)(types_1.DependencyRiskCategory.VULNERABILITY, cve.cwes),
+                recommendation: cve.fixedVersion
+                    ? types_1.DependencyRecommendation.UPGRADE
+                    : types_1.DependencyRecommendation.REVIEW,
+                recommendationDetails: cve.fixedVersion
+                    ? `Upgrade ${dependency.name} to version ${cve.fixedVersion} or later to fix ${cve.id}.`
+                    : `Review the usage of ${dependency.name} and consider alternative packages. No fixed version available.`,
+                confidence: 95,
+                timestamp: new Date()
+            });
+        }
+        return vulnerabilities;
+    }
+    /**
+     * Check for typosquatting
+     */
+    async checkTyposquatting(dependency) {
+        const popularPackages = (0, maliciousPackages_1.getPopularPackages)(dependency.ecosystem);
+        const candidates = this.findTyposquatCandidates(dependency.name, popularPackages);
+        if (candidates.length === 0)
+            return null;
+        const bestMatch = candidates[0];
+        // Only flag if similarity is high enough (potential typosquat)
+        if (bestMatch.similarityScore < 80)
+            return null;
+        logger_1.logger.debug(`[VulnDetector] Potential typosquatting: ${dependency.name} similar to ${bestMatch.legitimatePackage}`);
+        return {
+            id: (0, utils_1.generateId)(),
+            dependency,
+            severity: types_2.Severity.HIGH,
+            category: types_1.DependencyRiskCategory.SUPPLY_CHAIN,
+            title: `Potential Typosquatting: ${dependency.name}`,
+            description: `The package "${dependency.name}" is very similar to the popular package "${bestMatch.legitimatePackage}" (${bestMatch.similarityScore}% similarity). This could be a typosquatting attempt.`,
+            supplyChainRisks: [types_1.SupplyChainRisk.TYPOSQUATTING],
+            standards: (0, securityStandards_1.getStandardsForDependencyRisk)(types_1.DependencyRiskCategory.SUPPLY_CHAIN),
+            recommendation: types_1.DependencyRecommendation.REVIEW,
+            recommendationDetails: `Verify that "${dependency.name}" is the intended package and not a typosquat of "${bestMatch.legitimatePackage}". If this is a mistake, replace with the correct package.`,
+            confidence: bestMatch.similarityScore,
+            timestamp: new Date()
+        };
+    }
+    /**
+     * Find typosquatting candidates
+     */
+    findTyposquatCandidates(name, popularPackages) {
+        const candidates = [];
+        const normalizedName = name.toLowerCase();
+        for (const popular of popularPackages) {
+            const normalizedPopular = popular.toLowerCase();
+            // Skip if same package
+            if (normalizedName === normalizedPopular)
+                continue;
+            const similarity = this.calculateSimilarity(normalizedName, normalizedPopular);
+            if (similarity >= 70) {
+                const typosquatType = this.detectTyposquatType(normalizedName, normalizedPopular);
+                candidates.push({
+                    suspiciousName: name,
+                    legitimatePackage: popular,
+                    similarityScore: similarity,
+                    typosquatType
+                });
+            }
+        }
+        // Sort by similarity score descending
+        return candidates.sort((a, b) => b.similarityScore - a.similarityScore);
+    }
+    /**
+     * Calculate string similarity (Levenshtein distance based)
+     */
+    calculateSimilarity(a, b) {
+        const distance = this.levenshteinDistance(a, b);
+        const maxLength = Math.max(a.length, b.length);
+        return Math.round((1 - distance / maxLength) * 100);
+    }
+    /**
+     * Levenshtein distance algorithm
+     */
+    levenshteinDistance(a, b) {
+        const matrix = [];
+        for (let i = 0; i <= b.length; i++) {
+            matrix[i] = [i];
+        }
+        for (let j = 0; j <= a.length; j++) {
+            matrix[0][j] = j;
+        }
+        for (let i = 1; i <= b.length; i++) {
+            for (let j = 1; j <= a.length; j++) {
+                if (b.charAt(i - 1) === a.charAt(j - 1)) {
+                    matrix[i][j] = matrix[i - 1][j - 1];
+                }
+                else {
+                    matrix[i][j] = Math.min(matrix[i - 1][j - 1] + 1, matrix[i][j - 1] + 1, matrix[i - 1][j] + 1);
+                }
+            }
+        }
+        return matrix[b.length][a.length];
+    }
+    /**
+     * Detect type of typosquat
+     */
+    detectTyposquatType(suspicious, legitimate) {
+        const lenDiff = Math.abs(suspicious.length - legitimate.length);
+        if (lenDiff === 1) {
+            if (suspicious.length > legitimate.length) {
+                return 'extra_char';
+            }
+            else {
+                return 'missing_char';
+            }
+        }
+        if (lenDiff === 0) {
+            // Check for homograph (e.g., l vs 1, o vs 0)
+            const homographs = [['l', '1'], ['o', '0'], ['i', 'l'], ['rn', 'm']];
+            for (const [a, b] of homographs) {
+                if (suspicious.includes(a) && legitimate.includes(b)) {
+                    return 'homograph';
+                }
+                if (suspicious.includes(b) && legitimate.includes(a)) {
+                    return 'homograph';
+                }
+            }
+            return 'character_swap';
+        }
+        return 'bit_flip';
+    }
+    /**
+     * Check for deprecated packages
+     */
+    async checkDeprecated(dependency) {
+        const { deprecated, info } = (0, maliciousPackages_1.isDeprecatedPackage)(dependency.name);
+        if (!deprecated || !info)
+            return null;
+        // Check ecosystem match
+        if (info.ecosystem !== dependency.ecosystem)
+            return null;
+        logger_1.logger.debug(`[VulnDetector] Deprecated package: ${dependency.name}`);
+        return {
+            id: (0, utils_1.generateId)(),
+            dependency,
+            severity: types_2.Severity.LOW,
+            category: types_1.DependencyRiskCategory.OUTDATED,
+            title: `Deprecated Package: ${dependency.name}`,
+            description: `The package "${dependency.name}" is deprecated. ${info.reason}`,
+            standards: (0, securityStandards_1.getStandardsForDependencyRisk)(types_1.DependencyRiskCategory.OUTDATED),
+            recommendation: info.replacement
+                ? types_1.DependencyRecommendation.REPLACE
+                : types_1.DependencyRecommendation.REVIEW,
+            recommendationDetails: info.replacement
+                ? `Replace ${dependency.name} with ${info.replacement}.`
+                : `Review usage of ${dependency.name} and consider alternatives.`,
+            confidence: 90,
+            timestamp: new Date()
+        };
+    }
+    /**
+     * Check for supply chain risks
+     */
+    async checkSupplyChainRisks(dependency) {
+        const vulnerabilities = [];
+        const risks = [];
+        // Check for suspicious version patterns
+        const version = dependency.resolvedVersion || dependency.version;
+        // Flag 0.0.x versions as potentially new/untested
+        if (version && /^0\.0\.\d+/.test(version)) {
+            risks.push(types_1.SupplyChainRisk.NEW_PACKAGE);
+        }
+        // Flag packages with very recent versions (could be suspicious release)
+        // Note: This would need actual publish date data in production
+        if (risks.length > 0) {
+            vulnerabilities.push({
+                id: (0, utils_1.generateId)(),
+                dependency,
+                severity: types_2.Severity.INFO,
+                category: types_1.DependencyRiskCategory.SUPPLY_CHAIN,
+                title: `Supply Chain Risk: ${dependency.name}`,
+                description: `The package "${dependency.name}" has potential supply chain risks: ${risks.join(', ')}`,
+                supplyChainRisks: risks,
+                standards: (0, securityStandards_1.getStandardsForDependencyRisk)(types_1.DependencyRiskCategory.SUPPLY_CHAIN),
+                recommendation: types_1.DependencyRecommendation.MONITOR,
+                recommendationDetails: `Monitor ${dependency.name} for any suspicious activity or updates. Consider pinning to a specific trusted version.`,
+                confidence: 60,
+                timestamp: new Date()
+            });
+        }
+        return vulnerabilities;
+    }
+}
+exports.VulnerabilityDetector = VulnerabilityDetector;
+exports.default = VulnerabilityDetector;
+//# sourceMappingURL=vulnerabilityDetector.js.map

package/dist/dependencies/detectors/vulnerabilityDetector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vulnerabilityDetector.js","sourceRoot":"","sources":["../../../src/dependencies/detectors/vulnerabilityDetector.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAEH,oCASkB;AAClB,uCAAyD;AACzD,uCAAyC;AACzC,yDAA4D;AAC5D,qEAA6G;AAC7G,2DAAoE;AACpE,+CAA4C;AAE5C;;;GAGG;AACH,MAAa,qBAAqB;IAChC;;OAEG;IACH,KAAK,CAAC,iBAAiB,CAAC,UAAsB;QAC5C,MAAM,eAAe,GAA8B,EAAE,CAAC;QAEtD,qCAAqC;QACrC,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,UAAU,CAAC,CAAC;QACpE,IAAI,cAAc,EAAE,CAAC;YACnB,eAAe,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACvC,CAAC;QAED,iBAAiB;QACjB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAClD,eAAe,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;QAElC,0BAA0B;QAC1B,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC;QACjE,IAAI,cAAc,EAAE,CAAC;YACnB,eAAe,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACvC,CAAC;QAED,gCAAgC;QAChC,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;QAC/D,IAAI,eAAe,EAAE,CAAC;YACpB,eAAe,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACxC,CAAC;QAED,+BAA+B;QAC/B,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,UAAU,CAAC,CAAC;QACtE,eAAe,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,CAAC;QAE1C,OAAO,eAAe,CAAC;IACzB,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,qBAAqB,CAAC,UAAsB;QACxD,MAAM,SAAS,GAAG,IAAA,uCAAmB,EAAC,UAAU,CAAC,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC;QAE7E,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QAE5B,4BAA4B;QAC5B,IAAI,SAAS,CAAC,gBAAgB,IAAI,SAAS,CAAC,gBAAgB,KAAK,GAAG,EAAE,CAAC;YACrE,MAAM,OAAO,GAAG,UAAU,CAAC,eAAe,IAAI,UAAU,CAAC,OAAO,CAAC;YACjE,MAAM,gBAAgB,GAAG,SAAS,CAAC,gBAAgB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YAElF,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,OAAO,IAAI,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;gBAC5D,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,eAAM,CAAC,KAAK,CAAC,8CAA8C,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;QAE9E,OAAO;YACL,EAAE,EAAE,IAAA,kBAAU,GAAE;YAChB,UAAU;YACV,QAAQ,EAAE,gBAAQ,CAAC,QAAQ;YAC3B,QAAQ,EAAE,8BAAsB,CAAC,SAAS;YAC1C,KAAK,EAAE,4BAA4B,UAAU,CAAC,IAAI,EAAE;YACpD,WAAW,EAAE,SAAS,CAAC,WAAW;YAClC,iBAAiB,EAAE,SAAS,CAAC,UAAU;YACvC,SAAS,EAAE,IAAA,iDAA6B,EAAC,8BAAsB,CAAC,SAAS,CAAC;YAC1E,cAAc,EAAE,gCAAwB,CAAC,MAAM;YAC/C,qBAAqB,EAAE,sBAAsB,UAAU,CAAC,IAAI,oEAAoE,SAAS,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,sCAAsC,CAAC,CAAC,CAAC,EAAE,EAAE;YAC/M,UAAU,EAAE,GAAG;YACf,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,SAAS,CAAC,UAAsB;QAC5C,MAAM,eAAe,GAA8B,EAAE,CAAC;QACtD,MAAM,OAAO,GAAG,UAAU,CAAC,eAAe,IAAI,UAAU,CAAC,OAAO,CAAC;QAEjE,+BAA+B;QAC/B,IAAI,CAAC,OAAO,IAAI,OAAO,KAAK,GAAG,EAAE,CAAC;YAChC,OAAO,eAAe,CAAC;QACzB,CAAC;QAED,MAAM,IAAI,GAAG,IAAA,+BAAiB,EAAC,UAAU,CAAC,IAAI,EAAE,UAAU,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAE/E,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,eAAM,CAAC,KAAK,CAAC,gCAAgC,GAAG,CAAC,EAAE,OAAO,UAAU,CAAC,IAAI,IAAI,OAAO,EAAE,CAAC,CAAC;YAExF,eAAe,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,IAAA,kBAAU,GAAE;gBAChB,UAAU;gBACV,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,QAAQ,EAAE,8BAAsB,CAAC,aAAa;gBAC9C,KAAK,EAAE,GAAG,GAAG,CAAC,EAAE,KAAK,UAAU,CAAC,IAAI,EAAE;gBACtC,WAAW,EAAE,GAAG,CAAC,WAAW;gBAC5B,GAAG;gBACH,SAAS,EAAE,IAAA,iDAA6B,EAAC,8BAAsB,CAAC,aAAa,EAAE,GAAG,CAAC,IAAI,CAAC;gBACxF,cAAc,EAAE,GAAG,CAAC,YAAY;oBAC9B,CAAC,CAAC,gCAAwB,CAAC,OAAO;oBAClC,CAAC,CAAC,gCAAwB,CAAC,MAAM;gBACnC,qBAAqB,EAAE,GAAG,CAAC,YAAY;oBACrC,CAAC,CAAC,WAAW,UAAU,CAAC,IAAI,eAAe,GAAG,CAAC,YAAY,oBAAoB,GAAG,CAAC,EAAE,GAAG;oBACxF,CAAC,CAAC,uBAAuB,UAAU,CAAC,IAAI,iEAAiE;gBAC3G,UAAU,EAAE,EAAE;gBACd,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAC,CAAC;QACL,CAAC;QAED,OAAO,eAAe,CAAC;IACzB,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,kBAAkB,CAAC,UAAsB;QACrD,MAAM,eAAe,GAAG,IAAA,sCAAkB,EAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QACjE,MAAM,UAAU,GAAG,IAAI,CAAC,uBAAuB,CAAC,UAAU,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;QAElF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAEzC,MAAM,SAAS,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;QAEhC,+DAA+D;QAC/D,IAAI,SAAS,CAAC,eAAe,GAAG,EAAE;YAAE,OAAO,IAAI,CAAC;QAEhD,eAAM,CAAC,KAAK,CAAC,2CAA2C,UAAU,CAAC,IAAI,eAAe,SAAS,CAAC,iBAAiB,EAAE,CAAC,CAAC;QAErH,OAAO;YACL,EAAE,EAAE,IAAA,kBAAU,GAAE;YAChB,UAAU;YACV,QAAQ,EAAE,gBAAQ,CAAC,IAAI;YACvB,QAAQ,EAAE,8BAAsB,CAAC,YAAY;YAC7C,KAAK,EAAE,4BAA4B,UAAU,CAAC,IAAI,EAAE;YACpD,WAAW,EAAE,gBAAgB,UAAU,CAAC,IAAI,6CAA6C,SAAS,CAAC,iBAAiB,MAAM,SAAS,CAAC,eAAe,uDAAuD;YAC1M,gBAAgB,EAAE,CAAC,uBAAe,CAAC,aAAa,CAAC;YACjD,SAAS,EAAE,IAAA,iDAA6B,EAAC,8BAAsB,CAAC,YAAY,CAAC;YAC7E,cAAc,EAAE,gCAAwB,CAAC,MAAM;YAC/C,qBAAqB,EAAE,gBAAgB,UAAU,CAAC,IAAI,qDAAqD,SAAS,CAAC,iBAAiB,4DAA4D;YAClM,UAAU,EAAE,SAAS,CAAC,eAAe;YACrC,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,uBAAuB,CAAC,IAAY,EAAE,eAAyB;QACrE,MAAM,UAAU,GAA6B,EAAE,CAAC;QAChD,MAAM,cAAc,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QAE1C,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;YACtC,MAAM,iBAAiB,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;YAEhD,uBAAuB;YACvB,IAAI,cAAc,KAAK,iBAAiB;gBAAE,SAAS;YAEnD,MAAM,UAAU,GAAG,IAAI,CAAC,mBAAmB,CAAC,cAAc,EAAE,iBAAiB,CAAC,CAAC;YAE/E,IAAI,UAAU,IAAI,EAAE,EAAE,CAAC;gBACrB,MAAM,aAAa,GAAG,IAAI,CAAC,mBAAmB,CAAC,cAAc,EAAE,iBAAiB,CAAC,CAAC;gBAElF,UAAU,CAAC,IAAI,CAAC;oBACd,cAAc,EAAE,IAAI;oBACpB,iBAAiB,EAAE,OAAO;oBAC1B,eAAe,EAAE,UAAU;oBAC3B,aAAa;iBACd,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,sCAAsC;QACtC,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,eAAe,GAAG,CAAC,CAAC,eAAe,CAAC,CAAC;IAC1E,CAAC;IAED;;OAEG;IACK,mBAAmB,CAAC,CAAS,EAAE,CAAS;QAC9C,MAAM,QAAQ,GAAG,IAAI,CAAC,mBAAmB,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAChD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,QAAQ,GAAG,SAAS,CAAC,GAAG,GAAG,CAAC,CAAC;IACtD,CAAC;IAED;;OAEG;IACK,mBAAmB,CAAC,CAAS,EAAE,CAAS;QAC9C,MAAM,MAAM,GAAe,EAAE,CAAC;QAE9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACnC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACnC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACnB,CAAC;QAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACnC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACnC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;oBACxC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBACtC,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CACrB,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,EACxB,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,EACpB,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CACrB,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;IAED;;OAEG;IACK,mBAAmB,CAAC,UAAkB,EAAE,UAAkB;QAChE,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;QAEhE,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;YAClB,IAAI,UAAU,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,EAAE,CAAC;gBAC1C,OAAO,YAAY,CAAC;YACtB,CAAC;iBAAM,CAAC;gBACN,OAAO,cAAc,CAAC;YACxB,CAAC;QACH,CAAC;QAED,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;YAClB,6CAA6C;YAC7C,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;YACrE,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,UAAU,EAAE,CAAC;gBAChC,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;oBACrD,OAAO,WAAW,CAAC;gBACrB,CAAC;gBACD,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;oBACrD,OAAO,WAAW,CAAC;gBACrB,CAAC;YACH,CAAC;YACD,OAAO,gBAAgB,CAAC;QAC1B,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,eAAe,CAAC,UAAsB;QAClD,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,GAAG,IAAA,uCAAmB,EAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAElE,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEtC,wBAAwB;QACxB,IAAI,IAAI,CAAC,SAAS,KAAK,UAAU,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QAEzD,eAAM,CAAC,KAAK,CAAC,sCAAsC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;QAEtE,OAAO;YACL,EAAE,EAAE,IAAA,kBAAU,GAAE;YAChB,UAAU;YACV,QAAQ,EAAE,gBAAQ,CAAC,GAAG;YACtB,QAAQ,EAAE,8BAAsB,CAAC,QAAQ;YACzC,KAAK,EAAE,uBAAuB,UAAU,CAAC,IAAI,EAAE;YAC/C,WAAW,EAAE,gBAAgB,UAAU,CAAC,IAAI,oBAAoB,IAAI,CAAC,MAAM,EAAE;YAC7E,SAAS,EAAE,IAAA,iDAA6B,EAAC,8BAAsB,CAAC,QAAQ,CAAC;YACzE,cAAc,EAAE,IAAI,CAAC,WAAW;gBAC9B,CAAC,CAAC,gCAAwB,CAAC,OAAO;gBAClC,CAAC,CAAC,gCAAwB,CAAC,MAAM;YACnC,qBAAqB,EAAE,IAAI,CAAC,WAAW;gBACrC,CAAC,CAAC,WAAW,UAAU,CAAC,IAAI,SAAS,IAAI,CAAC,WAAW,GAAG;gBACxD,CAAC,CAAC,mBAAmB,UAAU,CAAC,IAAI,6BAA6B;YACnE,UAAU,EAAE,EAAE;YACd,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,qBAAqB,CAAC,UAAsB;QACxD,MAAM,eAAe,GAA8B,EAAE,CAAC;QACtD,MAAM,KAAK,GAAsB,EAAE,CAAC;QAEpC,wCAAwC;QACxC,MAAM,OAAO,GAAG,UAAU,CAAC,eAAe,IAAI,UAAU,CAAC,OAAO,CAAC;QAEjE,kDAAkD;QAClD,IAAI,OAAO,IAAI,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1C,KAAK,CAAC,IAAI,CAAC,uBAAe,CAAC,WAAW,CAAC,CAAC;QAC1C,CAAC;QAED,wEAAwE;QACxE,+DAA+D;QAE/D,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,eAAe,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,IAAA,kBAAU,GAAE;gBAChB,UAAU;gBACV,QAAQ,EAAE,gBAAQ,CAAC,IAAI;gBACvB,QAAQ,EAAE,8BAAsB,CAAC,YAAY;gBAC7C,KAAK,EAAE,sBAAsB,UAAU,CAAC,IAAI,EAAE;gBAC9C,WAAW,EAAE,gBAAgB,UAAU,CAAC,IAAI,uCAAuC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBACrG,gBAAgB,EAAE,KAAK;gBACvB,SAAS,EAAE,IAAA,iDAA6B,EAAC,8BAAsB,CAAC,YAAY,CAAC;gBAC7E,cAAc,EAAE,gCAAwB,CAAC,OAAO;gBAChD,qBAAqB,EAAE,WAAW,UAAU,CAAC,IAAI,0FAA0F;gBAC3I,UAAU,EAAE,EAAE;gBACd,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAC,CAAC;QACL,CAAC;QAED,OAAO,eAAe,CAAC;IACzB,CAAC;CACF;AA1TD,sDA0TC;AAED,kBAAe,qBAAqB,CAAC"}

package/dist/dependencies/index.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Dependency Analysis Module Exports
+ * Software Composition Analysis (SCA) for Secure-Scan
+ */
+export * from './types';
+export * from './parsers';
+export * from './detectors';
+export * from './database';
+export * from './dependencyAnalyzer';
+export { default as DependencyAnalyzer } from './dependencyAnalyzer';
+export * from './aiDependencyAnalyzer';
+export { default as AIDependencyAnalyzer } from './aiDependencyAnalyzer';
+export * from './installed';
+//# sourceMappingURL=index.d.ts.map

package/dist/dependencies/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/dependencies/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,cAAc,SAAS,CAAC;AAGxB,cAAc,WAAW,CAAC;AAG1B,cAAc,aAAa,CAAC;AAG5B,cAAc,YAAY,CAAC;AAG3B,cAAc,sBAAsB,CAAC;AACrC,OAAO,EAAE,OAAO,IAAI,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAGrE,cAAc,wBAAwB,CAAC;AACvC,OAAO,EAAE,OAAO,IAAI,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAGzE,cAAc,aAAa,CAAC"}

package/dist/dependencies/index.js

@@ -0,0 +1,43 @@
+"use strict";
+/**
+ * Dependency Analysis Module Exports
+ * Software Composition Analysis (SCA) for Secure-Scan
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AIDependencyAnalyzer = exports.DependencyAnalyzer = void 0;
+// Types
+__exportStar(require("./types"), exports);
+// Parsers
+__exportStar(require("./parsers"), exports);
+// Detectors
+__exportStar(require("./detectors"), exports);
+// Database
+__exportStar(require("./database"), exports);
+// Main analyzer
+__exportStar(require("./dependencyAnalyzer"), exports);
+var dependencyAnalyzer_1 = require("./dependencyAnalyzer");
+Object.defineProperty(exports, "DependencyAnalyzer", { enumerable: true, get: function () { return __importDefault(dependencyAnalyzer_1).default; } });
+// AI Analyzer
+__exportStar(require("./aiDependencyAnalyzer"), exports);
+var aiDependencyAnalyzer_1 = require("./aiDependencyAnalyzer");
+Object.defineProperty(exports, "AIDependencyAnalyzer", { enumerable: true, get: function () { return __importDefault(aiDependencyAnalyzer_1).default; } });
+// Installed Dependencies Scanner (Malware Detection)
+__exportStar(require("./installed"), exports);
+//# sourceMappingURL=index.js.map

package/dist/dependencies/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/dependencies/index.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;;;;;AAEH,QAAQ;AACR,0CAAwB;AAExB,UAAU;AACV,4CAA0B;AAE1B,YAAY;AACZ,8CAA4B;AAE5B,WAAW;AACX,6CAA2B;AAE3B,gBAAgB;AAChB,uDAAqC;AACrC,2DAAqE;AAA5D,yIAAA,OAAO,OAAsB;AAEtC,cAAc;AACd,yDAAuC;AACvC,+DAAyE;AAAhE,6IAAA,OAAO,OAAwB;AAExC,qDAAqD;AACrD,8CAA4B"}

package/dist/dependencies/installed/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Installed Dependencies Module
+ * Exports for scanning installed packages for malware
+ */
+export * from './types';
+export * from './installedScanner';
+export * from './malwarePatterns';
+//# sourceMappingURL=index.d.ts.map

package/dist/dependencies/installed/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/dependencies/installed/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,cAAc,SAAS,CAAC;AACxB,cAAc,oBAAoB,CAAC;AACnC,cAAc,mBAAmB,CAAC"}

package/dist/dependencies/installed/index.js

@@ -0,0 +1,24 @@
+"use strict";
+/**
+ * Installed Dependencies Module
+ * Exports for scanning installed packages for malware
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./types"), exports);
+__exportStar(require("./installedScanner"), exports);
+__exportStar(require("./malwarePatterns"), exports);
+//# sourceMappingURL=index.js.map

package/dist/dependencies/installed/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/dependencies/installed/index.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;AAEH,0CAAwB;AACxB,qDAAmC;AACnC,oDAAkC"}

package/dist/dependencies/installed/installedScanner.d.ts

@@ -0,0 +1,91 @@
+/**
+ * Installed Dependencies Scanner
+ * Scans installed packages (node_modules, vendor, venv) for malware
+ */
+import { InstalledDependenciesScanResult, InstalledScanConfig } from './types';
+/**
+ * Installed Dependencies Scanner Class
+ */
+export declare class InstalledDependenciesScanner {
+    private config;
+    private scannedFiles;
+    private stats;
+    constructor(config: InstalledScanConfig);
+    /**
+     * Run the installed dependencies scan
+     */
+    scan(): Promise<InstalledDependenciesScanResult>;
+    /**
+     * Find dependency folders in the project
+     */
+    private findDependencyFolders;
+    /**
+     * Find site-packages in a Python virtual environment
+     */
+    private findSitePackages;
+    /**
+     * Scan a dependency folder
+     */
+    private scanDependencyFolder;
+    /**
+     * Get folder type from path
+     */
+    private getFolderType;
+    /**
+     * Get ecosystem from folder path
+     */
+    private getEcosystemFromFolder;
+    /**
+     * Get package directories in a dependency folder
+     */
+    private getPackageDirectories;
+    /**
+     * Parse an installed package directory
+     */
+    private parseInstalledPackage;
+    /**
+     * Find .dist-info directory for Python packages
+     */
+    private findDistInfoDir;
+    /**
+     * Parse Python package metadata
+     */
+    private parsePythonMetadata;
+    /**
+     * Analyze a post-install script
+     */
+    private analyzeScript;
+    /**
+     * Analyze post-install scripts for a package
+     */
+    private analyzePostInstallScripts;
+    /**
+     * Calculate directory size
+     */
+    private calculateDirectorySize;
+    /**
+     * Scan a package for malware
+     */
+    private scanPackageForMalware;
+    /**
+     * Get recommendation for malware indicator
+     */
+    private getRecommendation;
+    /**
+     * Verify package integrity
+     */
+    private verifyPackageIntegrity;
+    /**
+     * Load lock file data
+     */
+    private loadLockFile;
+    /**
+     * Initialize statistics
+     */
+    private initializeStats;
+}
+/**
+ * Quick scan function
+ */
+export declare function scanInstalledDependencies(projectPath: string): Promise<InstalledDependenciesScanResult>;
+//# sourceMappingURL=installedScanner.d.ts.map

package/dist/dependencies/installed/installedScanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"installedScanner.d.ts","sourceRoot":"","sources":["../../../src/dependencies/installed/installedScanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,OAAO,EAGL,+BAA+B,EAC/B,mBAAmB,EAQpB,MAAM,SAAS,CAAC;AAgCjB;;GAEG;AACH,qBAAa,4BAA4B;IACvC,OAAO,CAAC,MAAM,CAAsB;IACpC,OAAO,CAAC,YAAY,CAA0B;IAC9C,OAAO,CAAC,KAAK,CAAqB;gBAEtB,MAAM,EAAE,mBAAmB;IAKvC;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,+BAA+B,CAAC;IA2DtD;;OAEG;IACH,OAAO,CAAC,qBAAqB;IA+B7B;;OAEG;IACH,OAAO,CAAC,gBAAgB;IA4BxB;;OAEG;YACW,oBAAoB;IA4DlC;;OAEG;IACH,OAAO,CAAC,aAAa;IAYrB;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAS9B;;OAEG;YACW,qBAAqB;IA8BnC;;OAEG;YACW,qBAAqB;IAsFnC;;OAEG;IACH,OAAO,CAAC,eAAe;IAkBvB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAsB3B;;OAEG;IACH,OAAO,CAAC,aAAa;IAiDrB;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAoBjC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IA4B9B;;OAEG;YACW,qBAAqB;IA4FnC;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAczB;;OAEG;YACW,sBAAsB;IA4DpC;;OAEG;YACW,YAAY;IA6D1B;;OAEG;IACH,OAAO,CAAC,eAAe;CAcxB;AAED;;GAEG;AACH,wBAAsB,yBAAyB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,+BAA+B,CAAC,CAG7G"}