supply-chain-guard 1.0.0 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli.d.ts +2 -2
- package/dist/cli.js +92 -3
- package/dist/cli.js.map +1 -1
- package/dist/dependency-confusion.d.ts +25 -0
- package/dist/dependency-confusion.d.ts.map +1 -0
- package/dist/dependency-confusion.js +496 -0
- package/dist/dependency-confusion.js.map +1 -0
- package/dist/index.d.ts +4 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +9 -1
- package/dist/index.js.map +1 -1
- package/dist/lockfile-checker.d.ts +16 -0
- package/dist/lockfile-checker.d.ts.map +1 -0
- package/dist/lockfile-checker.js +309 -0
- package/dist/lockfile-checker.js.map +1 -0
- package/dist/patterns.d.ts +16 -0
- package/dist/patterns.d.ts.map +1 -1
- package/dist/patterns.js +403 -1
- package/dist/patterns.js.map +1 -1
- package/dist/pypi-scanner.d.ts +14 -0
- package/dist/pypi-scanner.d.ts.map +1 -0
- package/dist/pypi-scanner.js +449 -0
- package/dist/pypi-scanner.js.map +1 -0
- package/dist/scanner.d.ts.map +1 -1
- package/dist/scanner.js +222 -1
- package/dist/scanner.js.map +1 -1
- package/dist/types.d.ts +1 -1
- package/dist/types.d.ts.map +1 -1
- package/dist/vscode-scanner.d.ts +21 -0
- package/dist/vscode-scanner.d.ts.map +1 -0
- package/dist/vscode-scanner.js +585 -0
- package/dist/vscode-scanner.js.map +1 -0
- package/package.json +1 -1
package/dist/cli.d.ts
CHANGED
|
@@ -2,8 +2,8 @@
|
|
|
2
2
|
/**
|
|
3
3
|
* supply-chain-guard CLI
|
|
4
4
|
*
|
|
5
|
-
* Scan code repositories, npm packages,
|
|
6
|
-
* for supply-chain malware indicators.
|
|
5
|
+
* Scan code repositories, npm packages, PyPI packages, VS Code extensions,
|
|
6
|
+
* and project dependencies for supply-chain malware indicators.
|
|
7
7
|
*/
|
|
8
8
|
export {};
|
|
9
9
|
//# sourceMappingURL=cli.d.ts.map
|
package/dist/cli.js
CHANGED
|
@@ -3,19 +3,22 @@
|
|
|
3
3
|
/**
|
|
4
4
|
* supply-chain-guard CLI
|
|
5
5
|
*
|
|
6
|
-
* Scan code repositories, npm packages,
|
|
7
|
-
* for supply-chain malware indicators.
|
|
6
|
+
* Scan code repositories, npm packages, PyPI packages, VS Code extensions,
|
|
7
|
+
* and project dependencies for supply-chain malware indicators.
|
|
8
8
|
*/
|
|
9
9
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
10
10
|
const commander_1 = require("commander");
|
|
11
11
|
const scanner_js_1 = require("./scanner.js");
|
|
12
12
|
const npm_scanner_js_1 = require("./npm-scanner.js");
|
|
13
|
+
const pypi_scanner_js_1 = require("./pypi-scanner.js");
|
|
14
|
+
const vscode_scanner_js_1 = require("./vscode-scanner.js");
|
|
15
|
+
const dependency_confusion_js_1 = require("./dependency-confusion.js");
|
|
13
16
|
const solana_monitor_js_1 = require("./solana-monitor.js");
|
|
14
17
|
const reporter_js_1 = require("./reporter.js");
|
|
15
18
|
const program = new commander_1.Command();
|
|
16
19
|
program
|
|
17
20
|
.name("supply-chain-guard")
|
|
18
|
-
.description("Open-source supply-chain security scanner. Detects GlassWorm and similar malware campaigns in npm packages, code repos,
|
|
21
|
+
.description("Open-source supply-chain security scanner. Detects GlassWorm and similar malware campaigns in npm packages, PyPI packages, code repos, VS Code extensions, and project dependencies.")
|
|
19
22
|
.version("1.0.0");
|
|
20
23
|
// ── scan command ────────────────────────────────────────────────────
|
|
21
24
|
program
|
|
@@ -79,6 +82,92 @@ program
|
|
|
79
82
|
process.exit(1);
|
|
80
83
|
}
|
|
81
84
|
});
|
|
85
|
+
// ── pypi command ────────────────────────────────────────────────────
|
|
86
|
+
program
|
|
87
|
+
.command("pypi")
|
|
88
|
+
.description("Scan a PyPI package for malware indicators (downloads without installing)")
|
|
89
|
+
.argument("<package>", "PyPI package name (e.g., requests, flask)")
|
|
90
|
+
.option("-f, --format <format>", "Output format: text, json, markdown", "text")
|
|
91
|
+
.option("-s, --min-severity <severity>", "Minimum severity to report")
|
|
92
|
+
.action(async (packageName, opts) => {
|
|
93
|
+
try {
|
|
94
|
+
const report = await (0, pypi_scanner_js_1.scanPypiPackage)(packageName, {
|
|
95
|
+
target: packageName,
|
|
96
|
+
format: opts.format,
|
|
97
|
+
minSeverity: opts.minSeverity,
|
|
98
|
+
});
|
|
99
|
+
console.log((0, reporter_js_1.formatReport)(report, opts.format));
|
|
100
|
+
if (report.summary.critical > 0) {
|
|
101
|
+
process.exit(2);
|
|
102
|
+
}
|
|
103
|
+
if (report.summary.high > 0) {
|
|
104
|
+
process.exit(1);
|
|
105
|
+
}
|
|
106
|
+
}
|
|
107
|
+
catch (err) {
|
|
108
|
+
const message = err instanceof Error ? err.message : String(err);
|
|
109
|
+
console.error(`\n Error: ${message}\n`);
|
|
110
|
+
process.exit(1);
|
|
111
|
+
}
|
|
112
|
+
});
|
|
113
|
+
// ── vscode command ──────────────────────────────────────────────────
|
|
114
|
+
program
|
|
115
|
+
.command("vscode")
|
|
116
|
+
.description("Scan a VS Code extension (.vsix file or marketplace ID) for malware indicators")
|
|
117
|
+
.argument("<target>", "Path to .vsix file or marketplace extension ID (e.g., publisher.extension-name)")
|
|
118
|
+
.option("-f, --format <format>", "Output format: text, json, markdown", "text")
|
|
119
|
+
.option("-s, --min-severity <severity>", "Minimum severity to report")
|
|
120
|
+
.action(async (target, opts) => {
|
|
121
|
+
try {
|
|
122
|
+
const report = await (0, vscode_scanner_js_1.scanVscodeExtension)({
|
|
123
|
+
target,
|
|
124
|
+
format: opts.format,
|
|
125
|
+
minSeverity: opts.minSeverity,
|
|
126
|
+
});
|
|
127
|
+
console.log((0, reporter_js_1.formatReport)(report, opts.format));
|
|
128
|
+
if (report.summary.critical > 0) {
|
|
129
|
+
process.exit(2);
|
|
130
|
+
}
|
|
131
|
+
if (report.summary.high > 0) {
|
|
132
|
+
process.exit(1);
|
|
133
|
+
}
|
|
134
|
+
}
|
|
135
|
+
catch (err) {
|
|
136
|
+
const message = err instanceof Error ? err.message : String(err);
|
|
137
|
+
console.error(`\n Error: ${message}\n`);
|
|
138
|
+
process.exit(1);
|
|
139
|
+
}
|
|
140
|
+
});
|
|
141
|
+
// ── confusion command ───────────────────────────────────────────────
|
|
142
|
+
program
|
|
143
|
+
.command("confusion")
|
|
144
|
+
.description("Detect dependency confusion risks in a project's package.json")
|
|
145
|
+
.argument("<target>", "Path to project directory or package.json file")
|
|
146
|
+
.option("-f, --format <format>", "Output format: text, json, markdown", "text")
|
|
147
|
+
.option("-s, --min-severity <severity>", "Minimum severity to report")
|
|
148
|
+
.option("--no-dev", "Exclude devDependencies from the check")
|
|
149
|
+
.action(async (target, opts) => {
|
|
150
|
+
try {
|
|
151
|
+
const report = await (0, dependency_confusion_js_1.scanDependencyConfusion)({
|
|
152
|
+
target,
|
|
153
|
+
format: opts.format,
|
|
154
|
+
minSeverity: opts.minSeverity,
|
|
155
|
+
includeDevDeps: opts.dev,
|
|
156
|
+
});
|
|
157
|
+
console.log((0, reporter_js_1.formatReport)(report, opts.format));
|
|
158
|
+
if (report.summary.critical > 0) {
|
|
159
|
+
process.exit(2);
|
|
160
|
+
}
|
|
161
|
+
if (report.summary.high > 0) {
|
|
162
|
+
process.exit(1);
|
|
163
|
+
}
|
|
164
|
+
}
|
|
165
|
+
catch (err) {
|
|
166
|
+
const message = err instanceof Error ? err.message : String(err);
|
|
167
|
+
console.error(`\n Error: ${message}\n`);
|
|
168
|
+
process.exit(1);
|
|
169
|
+
}
|
|
170
|
+
});
|
|
82
171
|
// ── monitor command ─────────────────────────────────────────────────
|
|
83
172
|
program
|
|
84
173
|
.command("monitor")
|
package/dist/cli.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";;AAEA;;;;;GAKG;;AAEH,yCAAoC;AACpC,6CAAoC;AACpC,qDAAkD;AAClD,2DAA8E;AAC9E,+CAA6C;AAG7C,MAAM,OAAO,GAAG,IAAI,mBAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,oBAAoB,CAAC;KAC1B,WAAW,CACV,
|
|
1
|
+
{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";;AAEA;;;;;GAKG;;AAEH,yCAAoC;AACpC,6CAAoC;AACpC,qDAAkD;AAClD,uDAAoD;AACpD,2DAA0D;AAC1D,uEAAoE;AACpE,2DAA8E;AAC9E,+CAA6C;AAG7C,MAAM,OAAO,GAAG,IAAI,mBAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,oBAAoB,CAAC;KAC1B,WAAW,CACV,sLAAsL,CACvL;KACA,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,uEAAuE;AAEvE,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,8DAA8D,CAAC;KAC3E,QAAQ,CAAC,UAAU,EAAE,yCAAyC,CAAC;KAC/D,MAAM,CAAC,uBAAuB,EAAE,qCAAqC,EAAE,MAAM,CAAC;KAC9E,MAAM,CACL,+BAA+B,EAC/B,+DAA+D,CAChE;KACA,MAAM,CACL,uBAAuB,EACvB,6CAA6C,CAC9C;KACA,MAAM,CAAC,qBAAqB,EAAE,yBAAyB,EAAE,IAAI,CAAC;KAC9D,MAAM,CACL,KAAK,EACH,MAAc,EACd,IAKC,EACD,EAAE;IACF,IAAI,CAAC;QACH,MAAM,OAAO,GAAgB;YAC3B,MAAM;YACN,MAAM,EAAE,IAAI,CAAC,MAAsC;YACnD,WAAW,EAAE,IAAI,CAAC,WAAmC;YACrD,YAAY,EAAE,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC3D,QAAQ,EAAE,QAAQ,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,CAAC;SACnC,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,IAAA,iBAAI,EAAC,OAAO,CAAC,CAAC;QACnC,OAAO,CAAC,GAAG,CAAC,IAAA,0BAAY,EAAC,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;QAElD,0CAA0C;QAC1C,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YAC5B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO,CAAC,KAAK,CAAC,cAAc,OAAO,IAAI,CAAC,CAAC;QACzC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CACF,CAAC;AAEJ,uEAAuE;AAEvE,OAAO;KACJ,OAAO,CAAC,KAAK,CAAC;KACd,WAAW,CAAC,2EAA2E,CAAC;KACxF,QAAQ,CAAC,WAAW,EAAE,0CAA0C,CAAC;KACjE,MAAM,CAAC,uBAAuB,EAAE,qCAAqC,EAAE,MAAM,CAAC;KAC9E,MAAM,CACL,+BAA+B,EAC/B,4BAA4B,CAC7B;KACA,MAAM,CACL,KAAK,EACH,WAAmB,EACnB,IAA8C,EAC9C,EAAE;IACF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAA,+BAAc,EAAC,WAAW,EAAE;YAC/C,MAAM,EAAE,WAAW;YACnB,MAAM,EAAE,IAAI,CAAC,MAAsC;YACnD,WAAW,EAAE,IAAI,CAAC,WAAmC;SACtD,CAAC,CAAC;QAEH,OAAO,CAAC,GAAG,CAAC,IAAA,0BAAY,EAAC,MAAM,EAAE,IAAI,CAAC,MAAsC,CAAC,CAAC,CAAC;QAE/E,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YAC5B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO,CAAC,KAAK,CAAC,cAAc,OAAO,IAAI,CAAC,CAAC;QACzC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CACF,CAAC;AAEJ,uEAAuE;AAEvE,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,2EAA2E,CAAC;KACxF,QAAQ,CAAC,WAAW,EAAE,2CAA2C,CAAC;KAClE,MAAM,CAAC,uBAAuB,EAAE,qCAAqC,EAAE,MAAM,CAAC;KAC9E,MAAM,CACL,+BAA+B,EAC/B,4BAA4B,CAC7B;KACA,MAAM,CACL,KAAK,EACH,WAAmB,EACnB,IAA8C,EAC9C,EAAE;IACF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAA,iCAAe,EAAC,WAAW,EAAE;YAChD,MAAM,EAAE,WAAW;YACnB,MAAM,EAAE,IAAI,CAAC,MAAsC;YACnD,WAAW,EAAE,IAAI,CAAC,WAAmC;SACtD,CAAC,CAAC;QAEH,OAAO,CAAC,GAAG,CAAC,IAAA,0BAAY,EAAC,MAAM,EAAE,IAAI,CAAC,MAAsC,CAAC,CAAC,CAAC;QAE/E,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YAC5B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO,CAAC,KAAK,CAAC,cAAc,OAAO,IAAI,CAAC,CAAC;QACzC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CACF,CAAC;AAEJ,uEAAuE;AAEvE,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,gFAAgF,CAAC;KAC7F,QAAQ,CACP,UAAU,EACV,iFAAiF,CAClF;KACA,MAAM,CAAC,uBAAuB,EAAE,qCAAqC,EAAE,MAAM,CAAC;KAC9E,MAAM,CACL,+BAA+B,EAC/B,4BAA4B,CAC7B;KACA,MAAM,CACL,KAAK,EACH,MAAc,EACd,IAA8C,EAC9C,EAAE;IACF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAA,uCAAmB,EAAC;YACvC,MAAM;YACN,MAAM,EAAE,IAAI,CAAC,MAAsC;YACnD,WAAW,EAAE,IAAI,CAAC,WAAmC;SACtD,CAAC,CAAC;QAEH,OAAO,CAAC,GAAG,CAAC,IAAA,0BAAY,EAAC,MAAM,EAAE,IAAI,CAAC,MAAsC,CAAC,CAAC,CAAC;QAE/E,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YAC5B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO,CAAC,KAAK,CAAC,cAAc,OAAO,IAAI,CAAC,CAAC;QACzC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CACF,CAAC;AAEJ,uEAAuE;AAEvE,OAAO;KACJ,OAAO,CAAC,WAAW,CAAC;KACpB,WAAW,CAAC,+DAA+D,CAAC;KAC5E,QAAQ,CAAC,UAAU,EAAE,gDAAgD,CAAC;KACtE,MAAM,CAAC,uBAAuB,EAAE,qCAAqC,EAAE,MAAM,CAAC;KAC9E,MAAM,CACL,+BAA+B,EAC/B,4BAA4B,CAC7B;KACA,MAAM,CAAC,UAAU,EAAE,wCAAwC,CAAC;KAC5D,MAAM,CACL,KAAK,EACH,MAAc,EACd,IAA4D,EAC5D,EAAE;IACF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAA,iDAAuB,EAAC;YAC3C,MAAM;YACN,MAAM,EAAE,IAAI,CAAC,MAAsC;YACnD,WAAW,EAAE,IAAI,CAAC,WAAmC;YACrD,cAAc,EAAE,IAAI,CAAC,GAAG;SACzB,CAAC,CAAC;QAEH,OAAO,CAAC,GAAG,CAAC,IAAA,0BAAY,EAAC,MAAM,EAAE,IAAI,CAAC,MAAsC,CAAC,CAAC,CAAC;QAE/E,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YAC5B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO,CAAC,KAAK,CAAC,cAAc,OAAO,IAAI,CAAC,CAAC;QACzC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CACF,CAAC;AAEJ,uEAAuE;AAEvE,OAAO;KACJ,OAAO,CAAC,SAAS,CAAC;KAClB,WAAW,CAAC,kDAAkD,CAAC;KAC/D,QAAQ,CAAC,WAAW,EAAE,kCAAkC,CAAC;KACzD,MAAM,CAAC,0BAA0B,EAAE,6BAA6B,EAAE,IAAI,CAAC;KACvE,MAAM,CAAC,qBAAqB,EAAE,2BAA2B,EAAE,IAAI,CAAC;KAChE,MAAM,CAAC,uBAAuB,EAAE,2BAA2B,EAAE,MAAM,CAAC;KACpE,MAAM,CAAC,QAAQ,EAAE,gDAAgD,CAAC;KAClE,MAAM,CACL,KAAK,EACH,OAAe,EACf,IAKC,EACD,EAAE;IACF,IAAI,CAAC;QACH,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,iBAAiB;YACjB,MAAM,OAAO,GAAG,MAAM,IAAA,+BAAW,EAC/B,OAAO,EACP,QAAQ,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,CAAC,CACzB,CAAC;YAEF,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC3B,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YAChD,CAAC;iBAAM,CAAC;gBACN,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBACzB,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;gBACnD,CAAC;qBAAM,CAAC;oBACN,OAAO,CAAC,GAAG,CAAC,aAAa,OAAO,CAAC,MAAM,yBAAyB,CAAC,CAAC;oBAClE,KAAK,MAAM,EAAE,IAAI,OAAO,EAAE,CAAC;wBACzB,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC,SAAS,EAAE,CAAC,CAAC;wBAC5C,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;wBACnD,IAAI,EAAE,CAAC,SAAS,EAAE,CAAC;4BACjB,OAAO,CAAC,GAAG,CACT,gBAAgB,IAAI,IAAI,CAAC,EAAE,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE,CAC9D,CAAC;wBACJ,CAAC;wBACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;oBAClB,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO;QACT,CAAC;QAED,wBAAwB;QACxB,MAAM,IAAA,iCAAa,EACjB;YACE,OAAO;YACP,QAAQ,EAAE,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC;YACrC,KAAK,EAAE,QAAQ,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,CAAC;YAC/B,MAAM,EAAE,IAAI,CAAC,MAAyB;SACvC,EACD,CAAC,KAAK,EAAE,EAAE;YACR,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC3B,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YAC9C,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,IAAA,+BAAW,EAAC,KAAK,CAAC,CAAC,CAAC;YAClC,CAAC;QACH,CAAC,CACF,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO,CAAC,KAAK,CAAC,cAAc,OAAO,IAAI,CAAC,CAAC;QACzC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CACF,CAAC;AAEJ,OAAO,CAAC,KAAK,EAAE,CAAC"}
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Dependency Confusion Detector
|
|
3
|
+
*
|
|
4
|
+
* Analyzes a project's package.json to detect potential dependency confusion attacks.
|
|
5
|
+
* Checks if dependencies exist on the public npm registry and flags suspicious ones:
|
|
6
|
+
* - Unscoped packages that look like internal names
|
|
7
|
+
* - Packages with no README, very recent publish, or low download counts
|
|
8
|
+
* - Packages where the public version was published AFTER the project started using it
|
|
9
|
+
*/
|
|
10
|
+
import type { ScanReport, Severity } from "./types.js";
|
|
11
|
+
export interface ConfusionScanOptions {
|
|
12
|
+
/** Path to the project directory (containing package.json) */
|
|
13
|
+
target: string;
|
|
14
|
+
/** Output format */
|
|
15
|
+
format: "text" | "json" | "markdown";
|
|
16
|
+
/** Minimum severity to report */
|
|
17
|
+
minSeverity?: Severity;
|
|
18
|
+
/** Include devDependencies in the check */
|
|
19
|
+
includeDevDeps?: boolean;
|
|
20
|
+
}
|
|
21
|
+
/**
|
|
22
|
+
* Scan a project for dependency confusion risks.
|
|
23
|
+
*/
|
|
24
|
+
export declare function scanDependencyConfusion(options: ConfusionScanOptions): Promise<ScanReport>;
|
|
25
|
+
//# sourceMappingURL=dependency-confusion.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dependency-confusion.d.ts","sourceRoot":"","sources":["../src/dependency-confusion.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,OAAO,KAAK,EAAW,UAAU,EAAe,QAAQ,EAAE,MAAM,YAAY,CAAC;AAwD7E,MAAM,WAAW,oBAAoB;IACnC,8DAA8D;IAC9D,MAAM,EAAE,MAAM,CAAC;IACf,oBAAoB;IACpB,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,UAAU,CAAC;IACrC,iCAAiC;IACjC,WAAW,CAAC,EAAE,QAAQ,CAAC;IACvB,2CAA2C;IAC3C,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC,UAAU,CAAC,CA6DrB"}
|