tangkal 1.1.0

package/README.md

@@ -0,0 +1,62 @@
+# Tangkal 🛡️
+
+**Tangkal** (Indonesian for "ward off" or "repel") is a lightweight, preventive security scanner designed to inspect cloned repositories *before* you run `npm install`.
+
+It is specifically built to detect malicious patterns often found in "Job Scam" repositories, such as:
+- **Obfuscated Code:** Base64 (atob, Buffer), Hexadecimal strings.
+- **Dynamic Execution:** `eval`, `new Function`.
+- **Hidden Network Calls:** Fetching payloads from remote URLs (e.g., JSON keepers).
+- **Dangerous Lifecycle Scripts:** `preinstall`, `postinstall` in `package.json`.
+- **Typosquatting:** Detects packages with names deceptively similar to popular libraries (e.g., `react-doom` vs `react-dom`).
+- **Vulnerability Scanning:** Aggregates data from **OSV**, **Snyk**, and **Exploit DB** to report known vulnerabilities.
+
+## Installation
+
+### From Source
+```bash
+git clone https://github.com/yourusername/tangkal.git
+cd tangkal
+npm install
+npm link
+```
+
+## Usage
+
+Run `tangkal` against any suspicious directory:
+
+```bash
+tangkal ./path-to-suspicious-repo
+```
+
+Or simply inside the directory:
+
+```bash
+cd suspicious-repo
+tangkal .
+```
+
+## Output Example
+
+Tangkal separates findings into two clear categories: **Malicious Code** and **Vulnerable Packages**.
+
+```text
+====================================
+ALERT: Malicious Code Detected
+====================================
+File: src/utils.js
+Line: 45
+Suspicious pattern detected.
+Code: new Function("return " + decodedPayload)()
+
+====================================
+ALERT: Vulnerable Package
+====================================
+[SOLUTION]: Upgrade lodash@4.17.15 to lodash@4.17.21 to fix.
+[HIGH Severity] [https://osv.dev/vulnerability/GHSA-xxx] [Snyk: https://security.snyk.io/vuln?search=CVE-2021-23337]
+lodash@4.17.15 Prototype Pollution
+introduced by lodash@4.17.15
+```
+
+## Disclaimer
+
+This tool uses heuristic pattern matching. It may produce false positives (e.g., in build scripts or test files) and cannot guarantee 100% safety. **Always review code manually if you are unsure.**

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":""}

package/dist/index.js

@@ -0,0 +1,4 @@
+#!/usr/bin/env node
+import { run } from './src/cli.js';
+run();
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAC;AAEnC,GAAG,EAAE,CAAC"}

package/dist/src/analyzers/dependencies.d.ts

@@ -0,0 +1,4 @@
+import type { Finding } from './static-analysis.js';
+export declare function checkTyposquatting(pkgJson: any): Promise<Finding[]>;
+export declare function checkVulnerabilities(cwd: string): Promise<Finding[]>;
+//# sourceMappingURL=dependencies.d.ts.map

package/dist/src/analyzers/dependencies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependencies.d.ts","sourceRoot":"","sources":["../../../src/analyzers/dependencies.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAIpD,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,GAAG,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CA4BzE;AAED,wBAAsB,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CA2C1E"}

package/dist/src/analyzers/dependencies.js

@@ -0,0 +1,79 @@
+import levenshtein from 'fast-levenshtein';
+import { getPopularPackages } from '../utils/popular-packages.js';
+import { exec } from 'child_process';
+import { promisify } from 'util';
+const execAsync = promisify(exec);
+export async function checkTyposquatting(pkgJson) {
+    const findings = [];
+    const allDeps = {
+        ...pkgJson.dependencies,
+        ...pkgJson.devDependencies
+    };
+    const popularPackages = await getPopularPackages();
+    for (const depName of Object.keys(allDeps)) {
+        for (const popular of popularPackages) {
+            if (depName === popular)
+                continue; // Exact match is fine
+            const distance = levenshtein.get(depName, popular);
+            const threshold = popular.length < 5 ? 1 : 2;
+            if (distance <= threshold) {
+                findings.push({
+                    type: 'Typosquatting',
+                    name: depName,
+                    file: 'package.json', // Placeholder, caller handles file
+                    severity: 'high',
+                    description: `Package '${depName}' looks very similar to popular package '${popular}'.`
+                });
+            }
+        }
+    }
+    return findings;
+}
+export async function checkVulnerabilities(cwd) {
+    try {
+        const { stdout } = await execAsync('npm audit --json --audit-level=moderate', { cwd, maxBuffer: 10 * 1024 * 1024 });
+        const auditResult = JSON.parse(stdout);
+        const vulns = [];
+        if (auditResult.vulnerabilities) {
+            for (const [name, info] of Object.entries(auditResult.vulnerabilities)) {
+                if (info.severity === 'high' || info.severity === 'critical') {
+                    vulns.push({
+                        type: 'Vulnerability',
+                        name,
+                        file: 'package-lock.json',
+                        severity: info.severity,
+                        description: `Known vulnerability via ${info.via && info.via.join ? info.via.join(', ') : 'transitive dependency'}`
+                    });
+                }
+            }
+        }
+        return vulns;
+    }
+    catch (error) {
+        if (error.stdout) {
+            try {
+                const auditResult = JSON.parse(error.stdout);
+                const vulns = [];
+                if (auditResult.vulnerabilities) {
+                    for (const [name, info] of Object.entries(auditResult.vulnerabilities)) {
+                        if (info.severity === 'high' || info.severity === 'critical') {
+                            vulns.push({
+                                type: 'Vulnerability',
+                                name,
+                                file: 'package-lock.json',
+                                severity: info.severity,
+                                description: `Known vulnerability (Severity: ${info.severity})`
+                            });
+                        }
+                    }
+                }
+                return vulns;
+            }
+            catch (e) {
+                return [];
+            }
+        }
+        return [];
+    }
+}
+//# sourceMappingURL=dependencies.js.map

package/dist/src/analyzers/dependencies.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependencies.js","sourceRoot":"","sources":["../../../src/analyzers/dependencies.ts"],"names":[],"mappings":"AAAA,OAAO,WAAW,MAAM,kBAAkB,CAAC;AAC3C,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAClE,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AACrC,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAGjC,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;AAElC,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,OAAY;IACnD,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,OAAO,GAAG;QACd,GAAG,OAAO,CAAC,YAAY;QACvB,GAAG,OAAO,CAAC,eAAe;KAC3B,CAAC;IAEF,MAAM,eAAe,GAAG,MAAM,kBAAkB,EAAE,CAAC;IAEnD,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3C,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;YACtC,IAAI,OAAO,KAAK,OAAO;gBAAE,SAAS,CAAC,sBAAsB;YAEzD,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YACnD,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAE7C,IAAI,QAAQ,IAAI,SAAS,EAAE,CAAC;gBAC1B,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,eAAe;oBACrB,IAAI,EAAE,OAAO;oBACb,IAAI,EAAE,cAAc,EAAE,mCAAmC;oBACzD,QAAQ,EAAE,MAAM;oBAChB,WAAW,EAAE,YAAY,OAAO,4CAA4C,OAAO,IAAI;iBACxF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,GAAW;IACpD,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,yCAAyC,EAAE,EAAE,GAAG,EAAE,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,CAAC,CAAC;QACpH,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAEvC,MAAM,KAAK,GAAc,EAAE,CAAC;QAC5B,IAAI,WAAW,CAAC,eAAe,EAAE,CAAC;YAC9B,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAM,WAAW,CAAC,eAAe,CAAC,EAAE,CAAC;gBAC1E,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM,IAAI,IAAI,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;oBAC3D,KAAK,CAAC,IAAI,CAAC;wBACP,IAAI,EAAE,eAAe;wBACrB,IAAI;wBACJ,IAAI,EAAE,mBAAmB;wBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,WAAW,EAAE,2BAA2B,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,uBAAuB,EAAE;qBACtH,CAAC,CAAC;gBACP,CAAC;YACL,CAAC;QACL,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QACpB,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACf,IAAI,CAAC;gBACD,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;gBAC7C,MAAM,KAAK,GAAc,EAAE,CAAC;gBAC5B,IAAI,WAAW,CAAC,eAAe,EAAE,CAAC;oBAC9B,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAM,WAAW,CAAC,eAAe,CAAC,EAAE,CAAC;wBACzE,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM,IAAI,IAAI,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;4BAC5D,KAAK,CAAC,IAAI,CAAC;gCACP,IAAI,EAAE,eAAe;gCACrB,IAAI;gCACJ,IAAI,EAAE,mBAAmB;gCACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;gCACvB,WAAW,EAAE,kCAAkC,IAAI,CAAC,QAAQ,GAAG;6BAClE,CAAC,CAAC;wBACP,CAAC;oBACL,CAAC;gBACL,CAAC;gBACD,OAAO,KAAK,CAAC;YACjB,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBAAC,OAAO,EAAE,CAAC;YAAC,CAAC;QAC9B,CAAC;QACD,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC"}

package/dist/src/analyzers/network.d.ts

@@ -0,0 +1,17 @@
+import type { Finding } from './static-analysis.js';
+import type { Dependency } from '../utils/lockfile.js';
+/**
+ * Main entry point for network audit.
+ * Checks vulnerabilities for all packages.
+ * Checks reputation for a subset (or all if count is low) to avoid rate limiting.
+ */
+export declare function auditDependencies(packages: Dependency[]): Promise<Finding[]>;
+/**
+ * Checks the npm registry for package reputation (downloads, age).
+ */
+export declare function checkReputation(pkgName: string): Promise<Finding[]>;
+/**
+ * Checks for known vulnerabilities using OSV API (Batch Mode).
+ */
+export declare function checkVulnerabilitiesBatch(packages: Dependency[]): Promise<Finding[]>;
+//# sourceMappingURL=network.d.ts.map

package/dist/src/analyzers/network.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"network.d.ts","sourceRoot":"","sources":["../../../src/analyzers/network.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAIvD;;;;GAIG;AACH,wBAAsB,iBAAiB,CAAC,QAAQ,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAuBlF;AAED;;GAEG;AACH,wBAAsB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CA2DzE;AAED;;GAEG;AACH,wBAAsB,yBAAyB,CAAC,QAAQ,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAsH1F"}

package/dist/src/analyzers/network.js

@@ -0,0 +1,203 @@
+import axios from 'axios';
+import pLimit from 'p-limit';
+const limit = pLimit(10); // Increased concurrency for network checks
+/**
+ * Main entry point for network audit.
+ * Checks vulnerabilities for all packages.
+ * Checks reputation for a subset (or all if count is low) to avoid rate limiting.
+ */
+export async function auditDependencies(packages) {
+    const findings = [];
+    // 1. Vulnerabilities (Batch API - Fast)
+    try {
+        const vulnFindings = await checkVulnerabilitiesBatch(packages);
+        findings.push(...vulnFindings);
+    }
+    catch (e) {
+        console.error('Vulnerability check failed:', e);
+    }
+    // 2. Reputation (Per-package API - Slow)
+    // Only check reputation if < 200 packages to avoid long wait times
+    if (packages.length < 200) {
+        const reputationPromises = packages.map(p => checkReputation(p.name));
+        const repResults = await Promise.all(reputationPromises);
+        repResults.forEach(r => findings.push(...r));
+    }
+    else {
+        // For large trees, maybe only check random sample? 
+        // Or just skip to be safe.
+    }
+    return findings;
+}
+/**
+ * Checks the npm registry for package reputation (downloads, age).
+ */
+export async function checkReputation(pkgName) {
+    return limit(async () => {
+        try {
+            // 1. Get Metadata (Time, Maintainers)
+            const regUrl = `https://registry.npmjs.org/${pkgName}`;
+            const { data: meta } = await axios.get(regUrl, { timeout: 3000 });
+            const findings = [];
+            const now = new Date();
+            const created = new Date(meta.time.created);
+            const ageDays = (now.getTime() - created.getTime()) / (1000 * 60 * 60 * 24);
+            if (ageDays < 14) {
+                findings.push({
+                    type: 'Reputation',
+                    name: pkgName,
+                    file: 'package.json',
+                    severity: 'high',
+                    description: `Package is brand new (created ${Math.round(ageDays)} days ago).`
+                });
+            }
+            // 2. Get Downloads (Popularity)
+            try {
+                const dlUrl = `https://api.npmjs.org/downloads/point/last-week/${pkgName}`;
+                const { data: dl } = await axios.get(dlUrl, { timeout: 3000 });
+                if (dl.downloads < 50) {
+                    findings.push({
+                        type: 'Reputation',
+                        name: pkgName,
+                        file: 'package.json',
+                        severity: 'medium',
+                        description: `Extremely low downloads (${dl.downloads}/week). Potential typosquat or abandoned.`
+                    });
+                }
+            }
+            catch (e) {
+                // Download stats might be private/unavailable
+            }
+            return findings;
+        }
+        catch (error) {
+            if (error.response && error.response.status === 404) {
+                const isScoped = pkgName.startsWith('@');
+                return [{
+                        type: 'Reputation',
+                        name: pkgName,
+                        file: 'package.json',
+                        severity: isScoped ? 'low' : 'critical',
+                        description: isScoped
+                            ? 'Scoped package not found in public registry (Likely Private).'
+                            : 'Unscoped package not found in registry (Possible Malware/Typosquat).'
+                    }];
+            }
+            return [];
+        }
+    });
+}
+/**
+ * Checks for known vulnerabilities using OSV API (Batch Mode).
+ */
+export async function checkVulnerabilitiesBatch(packages) {
+    if (packages.length === 0)
+        return [];
+    const chunkSize = 500;
+    const chunks = [];
+    for (let i = 0; i < packages.length; i += chunkSize) {
+        chunks.push(packages.slice(i, i + chunkSize));
+    }
+    const allVulns = [];
+    for (const chunk of chunks) {
+        try {
+            const payload = {
+                queries: chunk.map(p => ({
+                    package: { name: p.name, ecosystem: 'npm' },
+                    version: p.version
+                }))
+            };
+            const { data } = await axios.post('https://api.osv.dev/v1/querybatch', payload, { timeout: 10000 });
+            const vulnIds = new Set();
+            data.results.forEach((res) => {
+                if (res.vulns) {
+                    res.vulns.forEach((v) => vulnIds.add(v.id));
+                }
+            });
+            const detailsMap = new Map();
+            const detailPromises = Array.from(vulnIds).map(id => limit(async () => {
+                try {
+                    const { data: detail } = await axios.get(`https://api.osv.dev/v1/vulns/${id}`, { timeout: 5000 });
+                    detailsMap.set(id, detail);
+                }
+                catch (e) { }
+            }));
+            await Promise.all(detailPromises);
+            data.results.forEach((res, idx) => {
+                if (res.vulns && res.vulns.length > 0) {
+                    const pkg = chunk[idx];
+                    if (!pkg)
+                        return;
+                    res.vulns.forEach((basicV) => {
+                        const v = detailsMap.get(basicV.id) || basicV;
+                        let fixedIn = 'Unknown';
+                        if (v.affected) {
+                            for (const affected of v.affected) {
+                                if (affected.ranges) {
+                                    for (const range of affected.ranges) {
+                                        if (range.events) {
+                                            for (const event of range.events) {
+                                                if (event.fixed) {
+                                                    if (fixedIn === 'Unknown' || event.fixed > fixedIn) {
+                                                        fixedIn = event.fixed;
+                                                    }
+                                                }
+                                            }
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                        let severity = 'high';
+                        if (v.database_specific && v.database_specific.severity) {
+                            severity = v.database_specific.severity.toLowerCase();
+                        }
+                        else if (v.severity && v.severity.length > 0) {
+                            severity = 'high';
+                        }
+                        else {
+                            const text = JSON.stringify(v).toLowerCase();
+                            if (text.includes('critical'))
+                                severity = 'critical';
+                            else if (text.includes('high'))
+                                severity = 'high';
+                            else if (text.includes('medium'))
+                                severity = 'medium';
+                            else
+                                severity = 'low';
+                        }
+                        const externalRefs = [];
+                        if (v.aliases) {
+                            v.aliases.forEach((alias) => {
+                                if (alias.startsWith('CVE-')) {
+                                    externalRefs.push(`Snyk: https://security.snyk.io/vuln?search=${alias}`);
+                                    externalRefs.push(`ExploitDB: https://www.exploit-db.com/search?cve=${alias.replace('CVE-', '')}`);
+                                }
+                            });
+                        }
+                        const osvUrl = `https://osv.dev/vulnerability/${v.id}`;
+                        const summary = v.summary || v.details?.split('\n')[0] || 'Vulnerability detected';
+                        allVulns.push({
+                            type: 'Vulnerability',
+                            name: pkg.name,
+                            version: pkg.version,
+                            severity: severity,
+                            file: 'package-lock.json',
+                            id: v.id,
+                            summary: summary,
+                            url: osvUrl,
+                            fixedIn: fixedIn,
+                            description: summary,
+                            references: externalRefs
+                        });
+                    });
+                }
+            });
+        }
+        catch (e) {
+            console.error(e);
+        }
+    }
+    return allVulns;
+}
+//# sourceMappingURL=network.js.map

package/dist/src/analyzers/network.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"network.js","sourceRoot":"","sources":["../../../src/analyzers/network.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,MAAM,MAAM,SAAS,CAAC;AAI7B,MAAM,KAAK,GAAG,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,2CAA2C;AAErE;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,QAAsB;IAC5D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,wCAAwC;IACxC,IAAI,CAAC;QACD,MAAM,YAAY,GAAG,MAAM,yBAAyB,CAAC,QAAQ,CAAC,CAAC;QAC/D,QAAQ,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;IACnC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACT,OAAO,CAAC,KAAK,CAAC,6BAA6B,EAAE,CAAC,CAAC,CAAC;IACpD,CAAC;IAED,yCAAyC;IACzC,mEAAmE;IACnE,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACxB,MAAM,kBAAkB,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QACtE,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;QACzD,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACjD,CAAC;SAAM,CAAC;QACJ,oDAAoD;QACpD,2BAA2B;IAC/B,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,OAAe;IACnD,OAAO,KAAK,CAAC,KAAK,IAAI,EAAE;QACtB,IAAI,CAAC;YACH,sCAAsC;YACtC,MAAM,MAAM,GAAG,8BAA8B,OAAO,EAAE,CAAC;YACvD,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;YAElE,MAAM,QAAQ,GAAc,EAAE,CAAC;YAC/B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAE5C,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;YAE5E,IAAI,OAAO,GAAG,EAAE,EAAE,CAAC;gBACjB,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,YAAY;oBAClB,IAAI,EAAE,OAAO;oBACb,IAAI,EAAE,cAAc;oBACpB,QAAQ,EAAE,MAAM;oBAChB,WAAW,EAAE,iCAAiC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa;iBAC/E,CAAC,CAAC;YACL,CAAC;YAED,gCAAgC;YAChC,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,mDAAmD,OAAO,EAAE,CAAC;gBAC3E,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;gBAE/D,IAAI,EAAE,CAAC,SAAS,GAAG,EAAE,EAAE,CAAC;oBACrB,QAAQ,CAAC,IAAI,CAAC;wBACb,IAAI,EAAE,YAAY;wBAClB,IAAI,EAAE,OAAO;wBACb,IAAI,EAAE,cAAc;wBACpB,QAAQ,EAAE,QAAQ;wBAClB,WAAW,EAAE,4BAA4B,EAAE,CAAC,SAAS,2CAA2C;qBACjG,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACV,8CAA8C;YACjD,CAAC;YAED,OAAO,QAAQ,CAAC;QAElB,CAAC;QAAC,OAAO,KAAU,EAAE,CAAC;YACpB,IAAI,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACpD,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;gBACzC,OAAO,CAAC;wBACN,IAAI,EAAE,YAAY;wBAClB,IAAI,EAAE,OAAO;wBACb,IAAI,EAAE,cAAc;wBACpB,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU;wBACvC,WAAW,EAAE,QAAQ;4BACnB,CAAC,CAAC,+DAA+D;4BACjE,CAAC,CAAC,sEAAsE;qBAC3E,CAAC,CAAC;YACL,CAAC;YACD,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAAC,QAAsB;IACpE,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAErC,MAAM,SAAS,GAAG,GAAG,CAAC;IACtB,MAAM,MAAM,GAAmB,EAAE,CAAC;IAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,IAAI,SAAS,EAAE,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC;IAChD,CAAC;IAED,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG;gBACd,OAAO,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;oBACvB,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE;oBAC3C,OAAO,EAAE,CAAC,CAAC,OAAO;iBACnB,CAAC,CAAC;aACJ,CAAC;YAEF,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,mCAAmC,EAAE,OAAO,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;YAEpG,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;YAClC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,GAAQ,EAAE,EAAE;gBAChC,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;oBACd,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;gBACnD,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,MAAM,UAAU,GAAG,IAAI,GAAG,EAAe,CAAC;YAC1C,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAClD,KAAK,CAAC,KAAK,IAAI,EAAE;gBACf,IAAI,CAAC;oBACH,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,gCAAgC,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;oBAClG,UAAU,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;gBAC7B,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC,CAAA,CAAC;YAChB,CAAC,CAAC,CACH,CAAC;YAEF,MAAM,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAElC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,GAAQ,EAAE,GAAW,EAAE,EAAE;gBAC7C,IAAI,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACtC,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC;oBACvB,IAAI,CAAC,GAAG;wBAAE,OAAO;oBAEjB,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAW,EAAE,EAAE;wBAC/B,MAAM,CAAC,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,MAAM,CAAC;wBAE9C,IAAI,OAAO,GAAG,SAAS,CAAC;wBACxB,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;4BACd,KAAK,MAAM,QAAQ,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;gCAChC,IAAI,QAAQ,CAAC,MAAM,EAAE,CAAC;oCAClB,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,MAAM,EAAE,CAAC;wCAClC,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;4CACf,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;gDAC/B,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;oDACd,IAAI,OAAO,KAAK,SAAS,IAAI,KAAK,CAAC,KAAK,GAAG,OAAO,EAAE,CAAC;wDACjD,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC;oDAC1B,CAAC;gDACL,CAAC;4CACL,CAAC;wCACL,CAAC;oCACL,CAAC;gCACL,CAAC;4BACL,CAAC;wBACJ,CAAC;wBAED,IAAI,QAAQ,GAA2C,MAAM,CAAC;wBAC9D,IAAI,CAAC,CAAC,iBAAiB,IAAI,CAAC,CAAC,iBAAiB,CAAC,QAAQ,EAAE,CAAC;4BACvD,QAAQ,GAAG,CAAC,CAAC,iBAAiB,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;wBACzD,CAAC;6BAAM,IAAI,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;4BAC7C,QAAQ,GAAG,MAAM,CAAC;wBACtB,CAAC;6BAAM,CAAC;4BACL,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;4BAC7C,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;gCAAE,QAAQ,GAAG,UAAU,CAAC;iCAChD,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;gCAAE,QAAQ,GAAG,MAAM,CAAC;iCAC7C,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;gCAAE,QAAQ,GAAG,QAAQ,CAAC;;gCACjD,QAAQ,GAAG,KAAK,CAAC;wBACzB,CAAC;wBAED,MAAM,YAAY,GAAa,EAAE,CAAC;wBAClC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;4BACZ,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAa,EAAE,EAAE;gCAChC,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;oCAC3B,YAAY,CAAC,IAAI,CAAC,8CAA8C,KAAK,EAAE,CAAC,CAAC;oCACzE,YAAY,CAAC,IAAI,CAAC,oDAAoD,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;gCACvG,CAAC;4BACL,CAAC,CAAC,CAAC;wBACP,CAAC;wBAED,MAAM,MAAM,GAAG,iCAAiC,CAAC,CAAC,EAAE,EAAE,CAAC;wBACvD,MAAM,OAAO,GAAG,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,wBAAwB,CAAC;wBAEnF,QAAQ,CAAC,IAAI,CAAC;4BACX,IAAI,EAAE,eAAe;4BACrB,IAAI,EAAE,GAAG,CAAC,IAAI;4BACd,OAAO,EAAE,GAAG,CAAC,OAAO;4BACpB,QAAQ,EAAE,QAAQ;4BAClB,IAAI,EAAE,mBAAmB;4BACzB,EAAE,EAAE,CAAC,CAAC,EAAE;4BACR,OAAO,EAAE,OAAO;4BAChB,GAAG,EAAE,MAAM;4BACX,OAAO,EAAE,OAAO;4BAChB,WAAW,EAAE,OAAO;4BACpB,UAAU,EAAE,YAAY;yBAC1B,CAAC,CAAC;oBACN,CAAC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC,CAAC,CAAC;QAEL,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/src/analyzers/static-analysis.d.ts

@@ -0,0 +1,18 @@
+export interface Finding {
+    type: string;
+    name?: string;
+    file: string;
+    line?: number;
+    severity: 'critical' | 'high' | 'medium' | 'low';
+    content?: string;
+    description: string;
+    version?: string;
+    id?: string;
+    summary?: string;
+    url?: string;
+    fixedIn?: string;
+    references?: string[];
+}
+export declare function analyzeStream(filePath: string): Promise<Finding[]>;
+export declare function analyzeContent(content: string, file: string): Finding[];
+//# sourceMappingURL=static-analysis.d.ts.map

package/dist/src/analyzers/static-analysis.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"static-analysis.d.ts","sourceRoot":"","sources":["../../../src/analyzers/static-analysis.ts"],"names":[],"mappings":"AASA,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACjD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACvB;AAED,wBAAsB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CA4CxE;AAED,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,EAAE,CA+MvE"}