supply-chain-guard 5.2.19 → 5.2.21
- package/README.md +45 -11
- package/dist/cli.js +1 -1
- package/dist/ioc-blocklist.d.ts +0 -3
- package/dist/ioc-blocklist.d.ts.map +1 -1
- package/dist/ioc-blocklist.js +8 -0
- package/dist/ioc-blocklist.js.map +1 -1
- package/dist/lockfile-checker.js +6 -1
- package/dist/lockfile-checker.js.map +1 -1
- package/dist/patterns.d.ts.map +1 -1
- package/dist/patterns.js +81 -60
- package/dist/patterns.js.map +1 -1
- package/dist/reporter.js +4 -4
- package/dist/scanner.d.ts.map +1 -1
- package/dist/scanner.js +13 -3
- package/dist/scanner.js.map +1 -1
- package/dist/slsa-verifier.d.ts.map +1 -1
- package/dist/slsa-verifier.js +5 -0
- package/dist/slsa-verifier.js.map +1 -1
- package/dist/threat-intel.d.ts +0 -3
- package/dist/threat-intel.d.ts.map +1 -1
- package/dist/threat-intel.js +8 -0
- package/dist/threat-intel.js.map +1 -1
- package/dist/triage-engine.d.ts.map +1 -1
- package/dist/triage-engine.js +18 -11
- package/dist/triage-engine.js.map +1 -1
- package/package.json +1 -1
package/dist/triage-engine.js
CHANGED
|
@@ -77,17 +77,24 @@ function checkTriageGovernance(findings, decisions) {
|
|
|
77
77
|
for (const d of decisions) {
|
|
78
78
|
decisionMap.set(`${d.findingRule}|${d.findingFile ?? ""}`, d);
|
|
79
79
|
}
|
|
80
|
-
// Check for critical findings without owner
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
80
|
+
// Check for critical findings without owner.
|
|
81
|
+
// v5.2.20: only fire this meta-governance check when the project is actually
|
|
82
|
+
// using the triage system (i.e. has at least one decision recorded). Firing
|
|
83
|
+
// it by default on every scan produced a cascade of HIGH findings every time
|
|
84
|
+
// another pattern triggered a critical FP, on projects that never opted into
|
|
85
|
+
// triage in the first place.
|
|
86
|
+
if (decisions.length > 0) {
|
|
87
|
+
const criticalWithoutOwner = findings.filter((f) => f.severity === "critical" && !decisionMap.has(`${f.rule}|${f.file ?? ""}`));
|
|
88
|
+
if (criticalWithoutOwner.length > 0) {
|
|
89
|
+
govFindings.push({
|
|
90
|
+
rule: "CRITICAL_FINDING_NO_OWNER",
|
|
91
|
+
description: `${criticalWithoutOwner.length} critical finding(s) have no assigned owner or triage decision.`,
|
|
92
|
+
severity: "high",
|
|
93
|
+
confidence: 1.0,
|
|
94
|
+
category: "trust",
|
|
95
|
+
recommendation: "Assign owners to all critical findings. Unowned critical risks are unmanaged risks.",
|
|
96
|
+
});
|
|
97
|
+
}
|
|
91
98
|
}
|
|
92
99
|
// Check for accepted risks without expiry
|
|
93
100
|
const acceptedNoExpiry = decisions.filter((d) => d.status === "accepted-risk" && !d.dueDate);
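Review bot: The new filter on line 87 treats any entry in `decisionMap` as an owner, but `decisionMap` is keyed only by `rule|file` and nothing in the hunk checks an owner or a status on the matched decision, so the description on line 91 ("no assigned owner or triage decision") promises more than the code verifies. If the decision type carries an owner field, tighten the filter to something like `!decisionMap.get(key)?.owner` — I cannot see the type from here, so that needs confirming; otherwise change the description to `... have no triage decision recorded.` so the report matches the check. The `decisions.length > 0` gate also means a project with zero decisions now gets no CRITICAL_FINDING_NO_OWNER signal at all; that opt-in semantic is worth stating in the rule's documentation, e.g. `// Rule is inert until the first decision is recorded; see README "triage".`, so operators do not read silence as "all criticals owned". checkTriageGovernance begins before and continues past this hunk.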
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"triage-engine.js","sourceRoot":"","sources":["../src/triage-engine.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAYH,kDASC;AAKD,kDAUC;AAKD,
|
|
1
|
+
{"version":3,"file":"triage-engine.js","sourceRoot":"","sources":["../src/triage-engine.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAYH,kDASC;AAKD,kDAUC;AAKD,sDAkFC;AAzHD,4CAA8B;AAC9B,gDAAkC;AAGlC,MAAM,UAAU,GAAG,cAAc,CAAC;AAClC,MAAM,WAAW,GAAG,uBAAuB,CAAC;AAE5C;;GAEG;AACH,SAAgB,mBAAmB,CAAC,GAAW;IAC7C,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;IAC3D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,EAAE,CAAC;IAE1C,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAqB,CAAC;IAC9E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,mBAAmB,CACjC,GAAW,EACX,SAA2B;IAE3B,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IAC7C,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC7C,EAAE,CAAC,aAAa,CACd,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,EACjC,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,CACnC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CACnC,QAAmB,EACnB,SAA2B;IAE3B,MAAM,WAAW,GAAc,EAAE,CAAC;IAClC,MAAM,WAAW,GAAG,IAAI,GAAG,EAA0B,CAAC;IAEtD,KAAK,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;QAC1B,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,WAAW,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IAChE,CAAC;IAED,6CAA6C;IAC7C,6EAA6E;IAC7E,4EAA4E;IAC5E,6EAA6E;IAC7E,6EAA6E;IAC7E,6BAA6B;IAC7B,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,MAAM,oBAAoB,GAAG,QAAQ,CAAC,MAAM,CAC1C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC,CAClF,CAAC;QACF,IAAI,oBAAoB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpC,WAAW,CAAC,IAAI,CAAC;gBACf,IAAI,EAAE,2BAA2B;gBACjC,WAAW,EAAE,GAAG,oBAAoB,CAAC,MAAM,iEAAiE;gBAC5G,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,GAAG;gBACf,QAAQ,EAAE,OAAO;gBACjB,cAAc,EAAE,qFAAqF;aACtG,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,0CAA0C;IAC1C,MAAM,gBAAgB,GAAG,SAAS,CAAC,MAAM,CACvC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,eAAe,IAAI,CAAC,CAAC,CAAC,OAAO,CAClD,CAAC;IACF,IAAI,gBAAgB,CAAC,MAAM,GA
AG,CAAC,EAAE,CAAC;QAChC,WAAW,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,8BAA8B;YACpC,WAAW,EAAE,GAAG,gBAAgB,CAAC,MAAM,qFAAqF;YAC5H,QAAQ,EAAE,QAAQ;YAClB,UAAU,EAAE,GAAG;YACf,QAAQ,EAAE,OAAO;YACjB,cAAc,EAAE,4EAA4E;SAC7F,CAAC,CAAC;IACL,CAAC;IAED,qCAAqC;IACrC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,OAAO,GAAG,SAAS,CAAC,MAAM,CAC9B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,eAAe,IAAI,CAAC,CAAC,OAAO,IAAI,IAAI,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,GAAG,GAAG,CACxF,CAAC;IACF,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,WAAW,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,yBAAyB;YAC/B,WAAW,EAAE,GAAG,OAAO,CAAC,MAAM,0DAA0D;YACxF,QAAQ,EAAE,MAAM;YAChB,UAAU,EAAE,GAAG;YACf,QAAQ,EAAE,OAAO;YACjB,cAAc,EAAE,qFAAqF;SACtG,CAAC,CAAC;IACL,CAAC;IAED,gFAAgF;IAChF,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QACnC,IAAI,CAAC,CAAC,MAAM,KAAK,SAAS,IAAI,CAAC,CAAC,MAAM,KAAK,gBAAgB;YAAE,OAAO,KAAK,CAAC;QAC1E,MAAM,GAAG,GAAG,GAAG,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;QAClD,OAAO,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,UAAU;IACnD,CAAC,CAAC,CAAC;IACH,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrB,WAAW,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,wBAAwB;YAC9B,WAAW,EAAE,GAAG,KAAK,CAAC,MAAM,kFAAkF;YAC9G,QAAQ,EAAE,MAAM;YAChB,UAAU,EAAE,GAAG;YACf,QAAQ,EAAE,OAAO;YACjB,cAAc,EAAE,iFAAiF;SAClG,CAAC,CAAC;IACL,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "supply-chain-guard",
|
|
3
|
-
"version": "5.2.
|
|
3
|
+
"version": "5.2.21",
|
|
4
4
|
"description": "Open-source supply-chain security scanner for npm, PyPI, Cargo, Go, Docker, VS Code extensions, GitHub Actions, IaC and Solana C2. Detects GlassWorm, Shai-Hulud, PPE attacks, dependency confusion and 120+ malware indicators. Generates CycloneDX 1.6 SBOMs and verifies SLSA provenance.",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"types": "dist/index.d.ts",
|