refactor(typo-squatting): remove on local scan or when similar >= 3 (#542)

Author: fraxken

.changeset/large-emus-taste.md

@@ -0,0 +1,5 @@
+---
+"@nodesecure/scanner": minor
+---
+
+Improve type-squatting global-warning by removing it on remote scan and also when there is to much similar packages

workspaces/scanner/src/depWalker.ts

@@ -289,7 +289,8 @@ export async function depWalker(
   try {
     const { warnings, illuminated } = await getDependenciesWarnings(
       dependencies,
-      options.highlight?.contacts
+      options.highlight?.contacts,
+      typeof location === "undefined"
     );
     payload.warnings = globalWarnings.concat(dependencyConfusionWarnings as GlobalWarning[]).concat(warnings);
     payload.highlighted = {

workspaces/scanner/src/i18n/english.js

@@ -4,7 +4,7 @@ import { taggedString as tS } from "@nodesecure/i18n";
 const scanner = {
   disable_scarf: "This dependency could collect data against your consent so think to disable it with the env var: SCARF_ANALYTICS",
   keylogging: "This dependency can retrieve your keyboard and mouse inputs. It can be used for 'keylogging' attacks/malwares.",
-  typo_squatting: tS`The package '${0}' is similar to the following popular packages: ${1}`,
+  typo_squatting: tS`Dependency '${0}' is similar to the following popular packages: ${1}`,
   dependency_confusion: "This dependency was found on both a public and private registry but its signature does not match",
   dependency_confusion_missing: "This dependency was found on the private but not on the public registry, this dependency is vulnerable to dependency confusion attacks.",
   dependency_confusion_missing_org: tS`The org '${0}' is not claimed on the public registry`

workspaces/scanner/src/i18n/french.js

@@ -4,7 +4,7 @@ import { taggedString as tS } from "@nodesecure/i18n";
 const scanner = {
   disable_scarf: "Cette dépendance peut récolter des données contre votre volonté, pensez donc à la désactiver en fournissant la variable d'environnement SCARF_ANALYTICS",
   keylogging: "Cette dépendance peut obtenir vos entrées clavier ou de souris. Cette dépendance peut être utilisée en tant que 'keylogging' attacks/malwares.",
-  typo_squatting: tS`Le package '${0}' est similaire aux packages populaires suivants : ${1}`,
+  typo_squatting: tS`La dépendance '${0}' est similaire aux packages populaires suivants : ${1}`,
   dependency_confusion: "Cette dépendance a été trouvée à la fois sur un registre public et privé, mais sa signature ne correspond pas.",
   dependency_confusion_missing: "Cette dépendance a été trouvée seulement sur le registre privé, cette dépendance est vulnérable à une attaque par confusion de dépendance.",
   dependency_confusion_missing_org: tS`L'organisation '${0}' n'est pas revendiquée sur le registre public`

workspaces/scanner/src/utils/warnings.ts

@@ -41,7 +41,8 @@ export interface GetWarningsResult {
 
 export async function getDependenciesWarnings(
   dependenciesMap: Map<string, Dependency>,
-  highlightContacts: Contact[] = []
+  highlightContacts: Contact[] = [],
+  isLocalScan = false
 ): Promise<GetWarningsResult> {
   const vulnerableDependencyNames = Object.keys(
     kDependencyWarnMessage
@@ -64,21 +65,14 @@ export async function getDependenciesWarnings(
   const dependencies: Record<string, ContactExtractorPackageMetadata> = Object.create(null);
   for (const [packageName, dependency] of dependenciesMap) {
     const { author, maintainers } = dependency.metadata;
-    const similarPackages = topPackages.getSimilarPackages(packageName);
-    if (similarPackages.length > 0) {
-      const warningMessage = await i18n.getToken(
-        "scanner.typo_squatting",
-        packageName,
-        similarPackages.join(", ")
-      );
-      warnings.push({
-        type: "typo-squatting",
-        message: warningMessage,
-        metadata: {
-          name: packageName,
-          similar: similarPackages
-        }
-      });
+
+    const warning = await (
+      isLocalScan ?
+        Promise.resolve(null) :
+        searchTypoSquattingByName(topPackages, packageName)
+    );
+    if (warning !== null) {
+      warnings.push(warning);
     }
 
     dependencies[packageName] = {
@@ -107,3 +101,30 @@ export async function getDependenciesWarnings(
   };
 }
 
+async function searchTypoSquattingByName(
+  topPackages: TopPackages,
+  packageName: string
+): Promise<GlobalWarning | null> {
+  const similarPackages = topPackages.getSimilarPackages(packageName);
+  if (
+    similarPackages.length > 0 &&
+    similarPackages.length <= 3
+  ) {
+    const warningMessage = await i18n.getToken(
+      "scanner.typo_squatting",
+      packageName,
+      similarPackages.join(", ")
+    );
+
+    return {
+      type: "typo-squatting",
+      message: warningMessage,
+      metadata: {
+        name: packageName,
+        similar: similarPackages
+      }
+    };
+  }
+
+  return null;
+}

workspaces/scanner/test/depWalker.spec.ts

@@ -132,11 +132,12 @@ test("execute depWalker on pkg.gitdeps", async() => {
   ].sort());
 });
 
-test("execute depWalker on typo-squatting", async() => {
+test("execute depWalker on typo-squatting (with location)", async() => {
   Vulnera.setStrategy(Vulnera.strategies.GITHUB_ADVISORY);
 
   const result = await depWalker(pkgTypoSquatting, {
-    registry: getLocalRegistryURL()
+    registry: getLocalRegistryURL(),
+    location: ""
   });
 
   assert.ok(result.warnings.length > 0);
@@ -145,10 +146,20 @@ test("execute depWalker on typo-squatting", async() => {
   assert.equal(warning.type, "typo-squatting");
   assert.strictEqual(
     result.warnings[0].message,
-    "The package 'mecha' is similar to the following popular packages: fecha, mocha"
+    "Dependency 'mecha' is similar to the following popular packages: fecha, mocha"
   );
 });
 
+test("execute depWalker on typo-squatting (with no location)", async() => {
+  Vulnera.setStrategy(Vulnera.strategies.GITHUB_ADVISORY);
+
+  const result = await depWalker(pkgTypoSquatting, {
+    registry: getLocalRegistryURL()
+  });
+
+  assert.ok(result.warnings.length === 0);
+});
+
 test("fetch payload of pacote on the npm registry", async() => {
   const result = await from("pacote", {
     maxDepth: 10,