secure-scan 1.2.2

package/dist/rules/malware/types/index.js

@@ -0,0 +1,155 @@
+"use strict";
+/**
+ * @fileoverview Malware Detection Module - Type Definitions
+ * @module rules/malware/types
+ *
+ * Comprehensive type definitions for the malware detection engine.
+ * Supports multi-language analysis, AST-aware detection, and enterprise-level reporting.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MalwareCategory = exports.MitreTactic = exports.PatternType = exports.ConfidenceLevel = exports.MalwareSeverity = exports.MalwareThreatType = exports.SupportedLanguage = void 0;
+// ============================================================================
+// ENUMERATIONS
+// ============================================================================
+/**
+ * Supported programming languages for malware detection
+ */
+var SupportedLanguage;
+(function (SupportedLanguage) {
+    SupportedLanguage["JAVASCRIPT"] = "javascript";
+    SupportedLanguage["TYPESCRIPT"] = "typescript";
+    SupportedLanguage["PYTHON"] = "python";
+    SupportedLanguage["PHP"] = "php";
+    SupportedLanguage["C"] = "c";
+    SupportedLanguage["CPP"] = "cpp";
+    SupportedLanguage["CSHARP"] = "csharp";
+    SupportedLanguage["JAVA"] = "java";
+    SupportedLanguage["RUBY"] = "ruby";
+    SupportedLanguage["GO"] = "go";
+    SupportedLanguage["RUST"] = "rust";
+    SupportedLanguage["SHELL"] = "shell";
+    SupportedLanguage["POWERSHELL"] = "powershell";
+})(SupportedLanguage || (exports.SupportedLanguage = SupportedLanguage = {}));
+/**
+ * Malware threat categories based on behavior and intent
+ */
+var MalwareThreatType;
+(function (MalwareThreatType) {
+    // Backdoors & Remote Access
+    MalwareThreatType["REVERSE_SHELL"] = "reverse_shell";
+    MalwareThreatType["WEB_SHELL"] = "web_shell";
+    MalwareThreatType["BACKDOOR"] = "backdoor";
+    MalwareThreatType["RAT"] = "remote_access_trojan";
+    // Resource Abuse
+    MalwareThreatType["CRYPTOMINER"] = "cryptominer";
+    MalwareThreatType["RESOURCE_HIJACKER"] = "resource_hijacker";
+    // Data Theft
+    MalwareThreatType["KEYLOGGER"] = "keylogger";
+    MalwareThreatType["CREDENTIAL_STEALER"] = "credential_stealer";
+    MalwareThreatType["TOKEN_STEALER"] = "token_stealer";
+    MalwareThreatType["DATA_EXFILTRATION"] = "data_exfiltration";
+    MalwareThreatType["COOKIE_STEALER"] = "cookie_stealer";
+    // Loaders & Droppers
+    MalwareThreatType["DROPPER"] = "dropper";
+    MalwareThreatType["LOADER"] = "loader";
+    MalwareThreatType["DOWNLOADER"] = "downloader";
+    MalwareThreatType["MULTI_STAGE"] = "multi_stage";
+    // Evasion & Obfuscation
+    MalwareThreatType["OBFUSCATED_CODE"] = "obfuscated_code";
+    MalwareThreatType["ANTI_DEBUGGING"] = "anti_debugging";
+    MalwareThreatType["SANDBOX_EVASION"] = "sandbox_evasion";
+    // Network
+    MalwareThreatType["BOTNET"] = "botnet";
+    MalwareThreatType["C2_COMMUNICATION"] = "c2_communication";
+    MalwareThreatType["DNS_TUNNELING"] = "dns_tunneling";
+    // Persistence
+    MalwareThreatType["PERSISTENCE"] = "persistence";
+    MalwareThreatType["FILELESS"] = "fileless";
+    MalwareThreatType["LIVING_OFF_THE_LAND"] = "lotl";
+    // Supply Chain
+    MalwareThreatType["SUPPLY_CHAIN"] = "supply_chain";
+    MalwareThreatType["DEPENDENCY_CONFUSION"] = "dependency_confusion";
+    MalwareThreatType["TYPOSQUATTING"] = "typosquatting";
+    // Other
+    MalwareThreatType["EMBEDDED_PAYLOAD"] = "embedded_payload";
+    MalwareThreatType["SUSPICIOUS_NETWORK"] = "suspicious_network";
+    MalwareThreatType["TIME_BOMB"] = "time_bomb";
+    MalwareThreatType["LOGIC_BOMB"] = "logic_bomb";
+})(MalwareThreatType || (exports.MalwareThreatType = MalwareThreatType = {}));
+/**
+ * Severity levels for malware findings
+ */
+var MalwareSeverity;
+(function (MalwareSeverity) {
+    MalwareSeverity["CRITICAL"] = "critical";
+    MalwareSeverity["HIGH"] = "high";
+    MalwareSeverity["MEDIUM"] = "medium";
+    MalwareSeverity["LOW"] = "low";
+    MalwareSeverity["INFO"] = "info"; // Informational, context-dependent
+})(MalwareSeverity || (exports.MalwareSeverity = MalwareSeverity = {}));
+/**
+ * Confidence level of the detection
+ */
+var ConfidenceLevel;
+(function (ConfidenceLevel) {
+    ConfidenceLevel["CONFIRMED"] = "confirmed";
+    ConfidenceLevel["HIGH"] = "high";
+    ConfidenceLevel["MEDIUM"] = "medium";
+    ConfidenceLevel["LOW"] = "low";
+    ConfidenceLevel["TENTATIVE"] = "tentative"; // <40% certainty
+})(ConfidenceLevel || (exports.ConfidenceLevel = ConfidenceLevel = {}));
+/**
+ * Pattern matching strategies
+ */
+var PatternType;
+(function (PatternType) {
+    PatternType["REGEX"] = "regex";
+    PatternType["LITERAL"] = "literal";
+    PatternType["AST"] = "ast";
+    PatternType["SEMANTIC"] = "semantic";
+    PatternType["HEURISTIC"] = "heuristic";
+    PatternType["BEHAVIORAL"] = "behavioral";
+})(PatternType || (exports.PatternType = PatternType = {}));
+/**
+ * MITRE ATT&CK Tactics
+ */
+var MitreTactic;
+(function (MitreTactic) {
+    MitreTactic["INITIAL_ACCESS"] = "TA0001";
+    MitreTactic["EXECUTION"] = "TA0002";
+    MitreTactic["PERSISTENCE"] = "TA0003";
+    MitreTactic["PRIVILEGE_ESCALATION"] = "TA0004";
+    MitreTactic["DEFENSE_EVASION"] = "TA0005";
+    MitreTactic["CREDENTIAL_ACCESS"] = "TA0006";
+    MitreTactic["DISCOVERY"] = "TA0007";
+    MitreTactic["LATERAL_MOVEMENT"] = "TA0008";
+    MitreTactic["COLLECTION"] = "TA0009";
+    MitreTactic["COMMAND_AND_CONTROL"] = "TA0011";
+    MitreTactic["EXFILTRATION"] = "TA0010";
+    MitreTactic["IMPACT"] = "TA0040";
+})(MitreTactic || (exports.MitreTactic = MitreTactic = {}));
+// ============================================================================
+// CATEGORIES
+// ============================================================================
+/**
+ * Malware finding categories
+ */
+var MalwareCategory;
+(function (MalwareCategory) {
+    MalwareCategory["BACKDOOR"] = "backdoor";
+    MalwareCategory["CRYPTOMINER"] = "cryptominer";
+    MalwareCategory["SPYWARE"] = "spyware";
+    MalwareCategory["TROJAN"] = "trojan";
+    MalwareCategory["WORM"] = "worm";
+    MalwareCategory["RANSOMWARE"] = "ransomware";
+    MalwareCategory["ADWARE"] = "adware";
+    MalwareCategory["ROOTKIT"] = "rootkit";
+    MalwareCategory["BOTNET"] = "botnet";
+    MalwareCategory["EXPLOIT"] = "exploit";
+    MalwareCategory["DROPPER"] = "dropper";
+    MalwareCategory["OBFUSCATION"] = "obfuscation";
+    MalwareCategory["EVASION"] = "evasion";
+    MalwareCategory["SUPPLY_CHAIN"] = "supply_chain";
+    MalwareCategory["SUSPICIOUS"] = "suspicious";
+})(MalwareCategory || (exports.MalwareCategory = MalwareCategory = {}));
+//# sourceMappingURL=index.js.map

package/dist/rules/malware/types/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/rules/malware/types/index.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAEH,+EAA+E;AAC/E,eAAe;AACf,+EAA+E;AAE/E;;GAEG;AACH,IAAY,iBAcX;AAdD,WAAY,iBAAiB;IAC3B,8CAAyB,CAAA;IACzB,8CAAyB,CAAA;IACzB,sCAAiB,CAAA;IACjB,gCAAW,CAAA;IACX,4BAAO,CAAA;IACP,gCAAW,CAAA;IACX,sCAAiB,CAAA;IACjB,kCAAa,CAAA;IACb,kCAAa,CAAA;IACb,8BAAS,CAAA;IACT,kCAAa,CAAA;IACb,oCAAe,CAAA;IACf,8CAAyB,CAAA;AAC3B,CAAC,EAdW,iBAAiB,iCAAjB,iBAAiB,QAc5B;AAED;;GAEG;AACH,IAAY,iBAiDX;AAjDD,WAAY,iBAAiB;IAC3B,4BAA4B;IAC5B,oDAA+B,CAAA;IAC/B,4CAAuB,CAAA;IACvB,0CAAqB,CAAA;IACrB,iDAA4B,CAAA;IAE5B,iBAAiB;IACjB,gDAA2B,CAAA;IAC3B,4DAAuC,CAAA;IAEvC,aAAa;IACb,4CAAuB,CAAA;IACvB,8DAAyC,CAAA;IACzC,oDAA+B,CAAA;IAC/B,4DAAuC,CAAA;IACvC,sDAAiC,CAAA;IAEjC,qBAAqB;IACrB,wCAAmB,CAAA;IACnB,sCAAiB,CAAA;IACjB,8CAAyB,CAAA;IACzB,gDAA2B,CAAA;IAE3B,wBAAwB;IACxB,wDAAmC,CAAA;IACnC,sDAAiC,CAAA;IACjC,wDAAmC,CAAA;IAEnC,UAAU;IACV,sCAAiB,CAAA;IACjB,0DAAqC,CAAA;IACrC,oDAA+B,CAAA;IAE/B,cAAc;IACd,gDAA2B,CAAA;IAC3B,0CAAqB,CAAA;IACrB,iDAA4B,CAAA;IAE5B,eAAe;IACf,kDAA6B,CAAA;IAC7B,kEAA6C,CAAA;IAC7C,oDAA+B,CAAA;IAE/B,QAAQ;IACR,0DAAqC,CAAA;IACrC,8DAAyC,CAAA;IACzC,4CAAuB,CAAA;IACvB,8CAAyB,CAAA;AAC3B,CAAC,EAjDW,iBAAiB,iCAAjB,iBAAiB,QAiD5B;AAED;;GAEG;AACH,IAAY,eAMX;AAND,WAAY,eAAe;IACzB,wCAAqB,CAAA;IACrB,gCAAa,CAAA;IACb,oCAAiB,CAAA;IACjB,8BAAW,CAAA;IACX,gCAAa,CAAA,CAAa,mCAAmC;AAC/D,CAAC,EANW,eAAe,+BAAf,eAAe,QAM1B;AAED;;GAEG;AACH,IAAY,eAMX;AAND,WAAY,eAAe;IACzB,0CAAuB,CAAA;IACvB,gCAAa,CAAA;IACb,oCAAiB,CAAA;IACjB,8BAAW,CAAA;IACX,0CAAuB,CAAA,CAAG,iBAAiB;AAC7C,CAAC,EANW,eAAe,+BAAf,eAAe,QAM1B;AAED;;GAEG;AACH,IAAY,WAOX;AAPD,WAAY,WAAW;IACrB,8BAAe,CAAA;IACf,kCAAmB,CAAA;IACnB,0BAAW,CAAA;IACX,oCAAqB,CAAA;IACrB,sCAAuB,CAAA;IACvB,wCAAyB,CAAA;AAC3B,CAAC,EAPW,WAAW,2BAAX,WAAW,QAOtB;AAED;;GAEG;AACH,IAAY,WAaX;AAbD,WAAY,WAAW;IACrB,wCAAyB,CAAA;IACzB,mCAAoB,CAAA;IACpB,qCAAsB,CAAA;IACtB,8CAA+B,CAAA;IAC/B,yCAA0B,CAAA;IAC1B,2CAA4B,CAAA;IAC5B,mCAAoB,CAAA;IACpB,0CAA2B,CAAA;IAC3B,oCAAqB,CAAA;IACrB,6CAA8B,CAAA;IAC9B,sCAAuB,CAAA;IACvB,gCAAiB,CAAA;AACnB,CAAC,EAbW,WAAW,2BAAX,WAAW,QAatB;AAwgBD,+EAA+E;AAC/E,aAAa;AACb,+EAA+E;AAE/E;;GAEG;AACH,IAAY,eAgBX;AAhBD,WAAY,eAAe;IACzB,wCAAqB,CAAA;IACrB,8CAA2B,CAAA;IAC3B,sCAAmB,CAAA;IACnB,oCAAiB,CAAA;IACjB,gCAAa,CAAA;IACb,4CAAyB,CAAA;IACzB,oCAAiB,CAAA;IACjB,sCAAmB,CAAA;IACnB,oCAAiB,CAAA;IACjB,sCAAmB,CAAA;IACnB,sCAAmB,CAAA;IACnB,8CAA2B,CAAA;IAC3B,sCAAmB,CAAA;IACnB,gDAA6B,CAAA;IAC7B,4CAAyB,CAAA;AAC3B,CAAC,EAhBW,eAAe,+BAAf,eAAe,QAgB1B"}

package/dist/rules/malware/utils/index.d.ts

@@ -0,0 +1,117 @@
+/**
+ * @fileoverview Malware Detection Utilities
+ * @module rules/malware/utils
+ *
+ * Core utility functions for malware detection including entropy calculation,
+ * code normalization, obfuscation detection, and pattern matching helpers.
+ */
+import { SupportedLanguage, PatternMatch, SourceLocation, RegexPattern } from '../types';
+/**
+ * Calculate Shannon entropy of a string
+ * Higher entropy indicates more randomness/potential obfuscation
+ *
+ * @param content - String to analyze
+ * @returns Entropy value (0-8 for ASCII)
+ */
+export declare function calculateEntropy(content: string): number;
+/**
+ * Calculate entropy per line and detect anomalies
+ *
+ * @param content - Source code content
+ * @returns Object with average entropy and lines with high entropy
+ */
+export declare function analyzeEntropyByLine(content: string): {
+    averageEntropy: number;
+    maxEntropy: number;
+    highEntropyLines: Array<{
+        line: number;
+        entropy: number;
+        content: string;
+    }>;
+};
+/**
+ * Normalize code for analysis by removing common obfuscation patterns
+ * IMPORTANT: This does NOT execute any code
+ *
+ * @param content - Source code to normalize
+ * @param language - Programming language
+ * @returns Normalized code
+ */
+export declare function normalizeCode(content: string, language: SupportedLanguage): string;
+/**
+ * Remove comments from code based on language
+ */
+declare function removeComments(content: string, language: SupportedLanguage): string;
+/**
+ * Normalize whitespace
+ */
+declare function normalizeWhitespace(content: string): string;
+/**
+ * Safely decode escape sequences without execution
+ */
+declare function decodeEscapeSequences(content: string): string;
+/**
+ * Normalize string concatenation
+ * "e" + "v" + "a" + "l" -> "eval"
+ */
+declare function normalizeStringConcatenation(content: string): string;
+/**
+ * Detect obfuscation level in code
+ *
+ * @param content - Source code to analyze
+ * @param language - Programming language
+ * @returns Obfuscation score (0-1)
+ */
+export declare function detectObfuscationLevel(content: string, language: SupportedLanguage): number;
+/**
+ * Detect anti-debugging techniques
+ */
+export declare function detectAntiDebugging(content: string, language: SupportedLanguage): {
+    detected: boolean;
+    techniques: string[];
+};
+/**
+ * Detect environment-dependent activation (time bombs, sandbox evasion)
+ */
+export declare function detectEnvironmentChecks(content: string): {
+    detected: boolean;
+    checks: string[];
+};
+/**
+ * Safe regex matching with timeout protection
+ */
+export declare function matchWithTimeout(content: string, pattern: RegExp, timeout?: number): Promise<RegExpMatchArray | null>;
+/**
+ * Apply regex pattern with safety limits
+ */
+export declare function safeRegexMatch(content: string, pattern: RegexPattern): PatternMatch[];
+/**
+ * Convert string index to line/column location
+ */
+export declare function getLocationFromIndex(content: string, startIndex: number, length: number): SourceLocation;
+/**
+ * Extract code snippet with context
+ */
+export declare function extractSnippet(content: string, location: SourceLocation, contextLines?: number): string;
+/**
+ * Detect and analyze base64 encoded content
+ * Does NOT decode potentially malicious content
+ */
+export declare function analyzeBase64Content(content: string): {
+    found: boolean;
+    count: number;
+    longestLength: number;
+    locations: SourceLocation[];
+};
+/**
+ * Extract suspicious strings from code
+ */
+export declare function extractSuspiciousStrings(content: string): {
+    urls: string[];
+    ips: string[];
+    emails: string[];
+    paths: string[];
+    commands: string[];
+};
+export { removeComments, normalizeWhitespace, decodeEscapeSequences, normalizeStringConcatenation };
+//# sourceMappingURL=index.d.ts.map

package/dist/rules/malware/utils/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/rules/malware/utils/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,cAAc,EAGd,YAAY,EACb,MAAM,UAAU,CAAC;AAWlB;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAoBxD;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG;IACrD,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,gBAAgB,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAC7E,CAgBA;AAMD;;;;;;;GAOG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,iBAAiB,GAC1B,MAAM,CAgBR;AAED;;GAEG;AACH,iBAAS,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,iBAAiB,GAAG,MAAM,CAwC5E;AAED;;GAEG;AACH,iBAAS,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAKpD;AAED;;GAEG;AACH,iBAAS,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAsBtD;AAED;;;GAGG;AACH,iBAAS,4BAA4B,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAa7D;AAMD;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,iBAAiB,GAC1B,MAAM,CA+CR;AA4CD;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,iBAAiB,GAC1B;IAAE,QAAQ,EAAE,OAAO,CAAC;IAAC,UAAU,EAAE,MAAM,EAAE,CAAA;CAAE,CAgD7C;AAMD;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,MAAM,GAAG;IACxD,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB,CAwCA;AAMD;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EACf,OAAO,GAAE,MAA6B,GACrC,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAelC;AAED;;GAEG;AACH,wBAAgB,cAAc,CAC5B,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,YAAY,GACpB,YAAY,EAAE,CAiChB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,MAAM,GACb,cAAc,CAmBhB;AAED;;GAEG;AACH,wBAAgB,cAAc,CAC5B,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,cAAc,EACxB,YAAY,GAAE,MAA6B,GAC1C,MAAM,CASR;AAMD;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG;IACrD,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,cAAc,EAAE,CAAC;CAC7B,CAmBA;AAMD;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG;IACzD,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,GAAG,EAAE,MAAM,EAAE,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB,CAuCA;AAMD,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,qBAAqB,EACrB,4BAA4B,EAC7B,CAAC"}