fix(llm-security): supply-chain gate bypasses — npm/yarn blocklist + pip-audit (#14-#19,#48)

#18 dep-auditor called 'pip audit' (no such subcommand) so Python CVE detection was a permanent silent no-op; now spawns 'pip-audit' with an argv array. #19 it audited the scanner HOST's env with results mislabelled to the target's requirements.txt; now audits the target via -r and skips cleanly when absent.

#14 the offline npm blocklist was skipped for bare/range/tag installs because it used the (null) parsed-spec version; now re-checks the resolved version before the OSV network path. #15 non-hoisted nested lockfile keys derived the wrong package name (leading-only node_modules/ strip); now strips to the last segment. #48 lockfileVersion-1 nested dependency trees are now walked recursively.

#16/#17 the yarn.lock matcher paired two unassociated whole-file substrings with an unanchored pkg@ (false BLOCK of a legit package) and only matched Yarn Classic quoted versions (Berry known-malware allowed); rewritten as a per-entry parser that associates version to its own entry, anchors the name, and matches both Classic and Berry. Suite 1931/0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Claude-Session: https://claude.ai/code/session_01TcQyMTQfyrsAapaCMPxTtQ
This commit is contained in:
Kjell Tore Guttormsen 2026-07-18 10:14:51 +02:00
commit 196517f38a
4 changed files with 330 additions and 24 deletions

View file

@ -152,6 +152,18 @@ async function checkNpm() {
const resolvedVersion = meta.version;
// Bare/range/tag installs (`npm i axios`) parse no version, so the blocklist
// check above ran with version=null and no-oped for version-pinned entries.
// Re-check against the registry-resolved version so the offline blocklist
// still applies before any network-dependent checks.
if (isCompromised(NPM_COMPROMISED, name, resolvedVersion)) {
blocks.push(
`COMPROMISED: ${name}@${resolvedVersion} (registry-resolved)\n` +
` Known supply chain attack. See: https://socket.dev/npm/package/${name}`
);
continue;
}
// --- Advisory check (OSV.dev) — catches compromised established packages ---
const advisories = await queryOSV('npm', name, resolvedVersion);
if (advisories.critical.length > 0) {
@ -281,11 +293,28 @@ function scanNpmLockfile() {
if (existsSync(lockPath)) {
try {
const lock = JSON.parse(readFileSync(lockPath, 'utf-8'));
for (const [key, info] of Object.entries(lock.packages || lock.dependencies || {})) {
const name = key.replace(/^node_modules\//, '');
if (name && isCompromised(NPM_COMPROMISED, name, info.version)) {
findings.push({ name, version: info.version, source: 'package-lock.json' });
if (lock.packages) {
// lockfileVersion 2/3: flat map keyed by install path. Non-hoisted
// copies nest ("node_modules/a/node_modules/evil") — strip to the
// LAST node_modules/ segment to recover the package name.
for (const [key, info] of Object.entries(lock.packages)) {
const name = key.replace(/^.*node_modules\//, '');
if (name && isCompromised(NPM_COMPROMISED, name, info.version)) {
findings.push({ name, version: info.version, source: 'package-lock.json' });
}
}
} else if (lock.dependencies) {
// lockfileVersion 1: dependencies is a nested tree — recurse so a
// non-hoisted nested copy of a blocklisted package is still found.
const walk = (deps) => {
for (const [name, info] of Object.entries(deps)) {
if (info && isCompromised(NPM_COMPROMISED, name, info.version)) {
findings.push({ name, version: info.version, source: 'package-lock.json' });
}
if (info && info.dependencies) walk(info.dependencies);
}
};
walk(lock.dependencies);
}
} catch { /* ignore */ }
}
@ -294,10 +323,28 @@ function scanNpmLockfile() {
if (existsSync(yarnLock)) {
try {
const content = readFileSync(yarnLock, 'utf-8');
for (const [pkg, versions] of Object.entries(NPM_COMPROMISED)) {
for (const v of versions) {
if (v === '*' ? content.includes(`${pkg}@`) : content.includes(`version "${v}"`) && content.includes(`${pkg}@`)) {
findings.push({ name: pkg, version: v === '*' ? '(any)' : v, source: 'yarn.lock' });
// Parse per entry: an entry starts at column 0 with one or more specs
// ending in ':' ("pkg@range" / Berry '"pkg@npm:range"'), followed by an
// indented body carrying `version "x"` (Classic v1) or `version: x`
// (Berry v2+). The version is associated with ITS OWN entry, and the
// package name is matched exactly (no unanchored substring matching).
for (const entry of content.split(/\n(?=\S)/)) {
const nl = entry.indexOf('\n');
if (nl === -1) continue;
const header = entry.slice(0, nl).trim();
if (!header.endsWith(':') || header.startsWith('#')) continue;
const vMatch = entry.match(/^\s+version:?\s+"?([^"\s]+)"?\s*$/m);
const entryVersion = vMatch ? vMatch[1] : null;
const names = new Set(header.slice(0, -1).split(',').map(part => {
const spec = part.trim().replace(/^"|"$/g, '');
const at = spec.indexOf('@', spec.startsWith('@') ? 1 : 0);
return at > 0 ? spec.slice(0, at) : spec;
}));
for (const name of names) {
for (const v of NPM_COMPROMISED[name] || []) {
if (v === '*' || v === entryVersion) {
findings.push({ name, version: v === '*' ? '(any)' : v, source: 'yarn.lock' });
}
}
}
}

View file

@ -10,7 +10,7 @@ import { levenshtein, tokenize, tokenOverlap, TYPOSQUAT_SUSPICIOUS_TOKENS } from
import { readFile } from 'node:fs/promises';
import { join, dirname } from 'node:path';
import { existsSync } from 'node:fs';
import { execSync } from 'node:child_process';
import { execSync, spawnSync } from 'node:child_process';
import { fileURLToPath } from 'node:url';
// ---------------------------------------------------------------------------
@ -181,23 +181,24 @@ function runNpmAudit(targetPath) {
}
/**
* Run pip audit --format json and return findings.
* Gracefully handles pip audit not installed, timeout, parse errors.
* Run pip-audit --format json against the TARGET's requirements.txt.
* Skips cleanly when the target has no requirements.txt auditing the
* scanner host's environment would misattribute host findings to the target.
* Gracefully handles pip-audit not installed, timeout, parse errors.
* @param {string} targetPath
* @returns {object[]} findings
*/
function runPipAudit(targetPath) {
const findings = [];
let raw;
try {
raw = execSync('pip audit --format json', {
cwd: targetPath,
timeout: 30_000,
stdio: ['ignore', 'pipe', 'ignore'],
}).toString();
} catch (err) {
raw = err.stdout ? err.stdout.toString() : null;
}
const reqPath = join(targetPath, 'requirements.txt');
if (!existsSync(reqPath)) return findings;
const res = spawnSync('pip-audit', ['--format', 'json', '-r', reqPath], {
cwd: targetPath,
timeout: 30_000,
encoding: 'utf-8',
stdio: ['ignore', 'pipe', 'ignore'],
});
const raw = res.stdout || null;
if (!raw || raw.trim().length === 0) return findings;

View file

@ -9,8 +9,10 @@
import { describe, it } from 'node:test';
import assert from 'node:assert/strict';
import { resolve } from 'node:path';
import { runHook } from './hook-helper.mjs';
import { join, resolve } from 'node:path';
import { mkdtempSync, rmSync, writeFileSync } from 'node:fs';
import { tmpdir } from 'node:os';
import { runHook, runHookWithEnv } from './hook-helper.mjs';
const SCRIPT = resolve(import.meta.dirname, '../../hooks/scripts/pre-install-supply-chain.mjs');
@ -206,3 +208,167 @@ describe('pre-install-supply-chain — E13 scope-hopping (checkScopeHop)', () =>
);
});
});
// ---------------------------------------------------------------------------
// v7.8.3 supply-chain gate fixes (#14, #15, #48, #16, #17)
// All deterministic + offline: an `npm` shim on PATH answers `npm view`
// (fixed registry metadata) and `npm audit` (empty JSON), so no network
// call is ever needed. CLAUDE_WORKING_DIR points at a per-test tmp project.
// ---------------------------------------------------------------------------
/** Create a PATH shim dir whose `npm` answers view/audit deterministically. */
function makeNpmShim(viewJson) {
const dir = mkdtempSync(join(tmpdir(), 'llmsec-supply-npmshim-'));
writeFileSync(join(dir, 'npm'), [
'#!/bin/sh',
'if [ "$1" = "view" ]; then',
` echo '${viewJson}'`,
'else',
" echo '{}'",
'fi',
'',
].join('\n'), { mode: 0o755 });
return dir;
}
describe('pre-install-supply-chain — v7.8.3 gate fixes', () => {
it('#14 blocks bare `npm install event-stream` when the registry resolves to compromised 3.3.6', async () => {
// parseSpec yields version=null for a bare install, so the blocklist must
// be re-checked against the registry-resolved version (meta.version).
const shimDir = makeNpmShim('{"name":"event-stream","version":"3.3.6"}');
try {
const result = await runHookWithEnv(SCRIPT, bashPayload('npm install event-stream'), {
PATH: `${shimDir}:${process.env.PATH}`,
});
assert.equal(result.code, 2, `Expected exit 2, got ${result.code}. stderr: ${result.stderr}`);
assert.match(result.stderr, /COMPROMISED: event-stream@3\.3\.6/);
} finally {
rmSync(shimDir, { recursive: true, force: true });
}
});
it('#15 blocks bare install when lockfileVersion 3 holds a non-hoisted nested compromised copy', async () => {
const shimDir = makeNpmShim('{}');
const projDir = mkdtempSync(join(tmpdir(), 'llmsec-supply-proj-'));
writeFileSync(join(projDir, 'package-lock.json'), JSON.stringify({
name: 'sample', lockfileVersion: 3, packages: {
'': { name: 'sample' },
'node_modules/a': { version: '1.0.0' },
'node_modules/a/node_modules/event-stream': { version: '3.3.6' },
},
}));
try {
const result = await runHookWithEnv(SCRIPT, bashPayload('npm install'), {
PATH: `${shimDir}:${process.env.PATH}`,
CLAUDE_WORKING_DIR: projDir,
});
assert.equal(result.code, 2, `Expected exit 2, got ${result.code}. stderr: ${result.stderr}`);
assert.match(result.stderr, /event-stream@3\.3\.6/);
assert.match(result.stderr, /package-lock\.json/);
} finally {
rmSync(shimDir, { recursive: true, force: true });
rmSync(projDir, { recursive: true, force: true });
}
});
it('#48 blocks bare install when lockfileVersion 1 nests a compromised copy below top level', async () => {
const shimDir = makeNpmShim('{}');
const projDir = mkdtempSync(join(tmpdir(), 'llmsec-supply-proj-'));
writeFileSync(join(projDir, 'package-lock.json'), JSON.stringify({
name: 'sample', lockfileVersion: 1, dependencies: {
a: {
version: '1.0.0',
dependencies: {
'event-stream': { version: '3.3.6' },
},
},
},
}));
try {
const result = await runHookWithEnv(SCRIPT, bashPayload('npm install'), {
PATH: `${shimDir}:${process.env.PATH}`,
CLAUDE_WORKING_DIR: projDir,
});
assert.equal(result.code, 2, `Expected exit 2, got ${result.code}. stderr: ${result.stderr}`);
assert.match(result.stderr, /event-stream@3\.3\.6/);
assert.match(result.stderr, /package-lock\.json/);
} finally {
rmSync(shimDir, { recursive: true, force: true });
rmSync(projDir, { recursive: true, force: true });
}
});
it('#16 does NOT block yarn install for a clean yarn.lock (ansi-colors + unrelated version "1.4.1")', async () => {
// Old matcher: unanchored `colors@` matched inside `ansi-colors@`, and the
// compromised colors version "1.4.1" matched a DIFFERENT entry's version
// line — two unassociated whole-file substrings caused a spurious BLOCK.
const projDir = mkdtempSync(join(tmpdir(), 'llmsec-supply-proj-'));
writeFileSync(join(projDir, 'yarn.lock'), [
'# yarn lockfile v1',
'',
'ansi-colors@^4.1.1:',
' version "4.1.3"',
' resolved "https://registry.yarnpkg.com/ansi-colors/-/ansi-colors-4.1.3.tgz"',
'',
'harmless-pkg@^1.4.0:',
' version "1.4.1"',
' resolved "https://registry.yarnpkg.com/harmless-pkg/-/harmless-pkg-1.4.1.tgz"',
'',
].join('\n'));
try {
const result = await runHookWithEnv(SCRIPT, bashPayload('yarn install'), {
CLAUDE_WORKING_DIR: projDir,
});
assert.equal(result.code, 0, `Expected exit 0 (no block), got ${result.code}. stderr: ${result.stderr}`);
} finally {
rmSync(projDir, { recursive: true, force: true });
}
});
it('#17 blocks yarn install when a Berry yarn.lock pins compromised event-stream (version: x format)', async () => {
const projDir = mkdtempSync(join(tmpdir(), 'llmsec-supply-proj-'));
writeFileSync(join(projDir, 'yarn.lock'), [
'# This file is generated by running "yarn install" inside your project.',
'',
'__metadata:',
' version: 8',
'',
'"event-stream@npm:^3.3.6":',
' version: 3.3.6',
' resolution: "event-stream@npm:3.3.6"',
'',
].join('\n'));
try {
const result = await runHookWithEnv(SCRIPT, bashPayload('yarn install'), {
CLAUDE_WORKING_DIR: projDir,
});
assert.equal(result.code, 2, `Expected exit 2, got ${result.code}. stderr: ${result.stderr}`);
assert.match(result.stderr, /event-stream@3\.3\.6/);
assert.match(result.stderr, /yarn\.lock/);
} finally {
rmSync(projDir, { recursive: true, force: true });
}
});
it('#16/#17 still blocks yarn install for a Classic yarn.lock pinning compromised event-stream', async () => {
const projDir = mkdtempSync(join(tmpdir(), 'llmsec-supply-proj-'));
writeFileSync(join(projDir, 'yarn.lock'), [
'# yarn lockfile v1',
'',
'event-stream@^3.3.5:',
' version "3.3.6"',
' resolved "https://registry.yarnpkg.com/event-stream/-/event-stream-3.3.6.tgz"',
'',
].join('\n'));
try {
const result = await runHookWithEnv(SCRIPT, bashPayload('yarn install'), {
CLAUDE_WORKING_DIR: projDir,
});
assert.equal(result.code, 2, `Expected exit 2, got ${result.code}. stderr: ${result.stderr}`);
assert.match(result.stderr, /event-stream@3\.3\.6/);
assert.match(result.stderr, /yarn\.lock/);
} finally {
rmSync(projDir, { recursive: true, force: true });
}
});
});

View file

@ -9,8 +9,10 @@
import { describe, it, beforeEach } from 'node:test';
import assert from 'node:assert/strict';
import { resolve } from 'node:path';
import { join, resolve } from 'node:path';
import { fileURLToPath } from 'node:url';
import { existsSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
import { tmpdir } from 'node:os';
import { resetCounter } from '../../scanners/lib/output.mjs';
import { scan } from '../../scanners/dep-auditor.mjs';
@ -129,3 +131,93 @@ describe('dep-auditor integration', () => {
assert.equal(result.findings[0].id, 'DS-DEP-001');
});
});
// ---------------------------------------------------------------------------
// pip-audit invocation (v7.8.3 #18/#19)
// The scanner must invoke the real `pip-audit` binary (not the nonexistent
// `pip audit` subcommand), and it must audit the TARGET's requirements.txt
// (-r <target>/requirements.txt) — never the scanner host's environment.
// Both binaries are shimmed on PATH so the tests are deterministic + offline:
// pip-audit — records its argv and emits one fixed vulnerability
// pip — emits a "host environment" vulnerability the scanner must
// never surface (proves host-env audits are gone)
// ---------------------------------------------------------------------------
function makePipShims(shimDir, argvLog) {
writeFileSync(join(shimDir, 'pip-audit'), [
'#!/bin/sh',
`echo "$@" > "${argvLog}"`,
`echo '{"dependencies":[{"name":"requests","version":"2.0.0","vulns":[{"id":"PYSEC-TEST-0001","fix_versions":["2.31.0"],"description":"shim vulnerability"}]}]}'`,
'',
].join('\n'), { mode: 0o755 });
writeFileSync(join(shimDir, 'pip'), [
'#!/bin/sh',
`echo '{"dependencies":[{"name":"host-only-pkg","version":"1.0.0","vulns":[{"id":"PYSEC-HOST-9999","fix_versions":[],"description":"host environment"}]}]}'`,
'',
].join('\n'), { mode: 0o755 });
}
describe('dep-auditor pip-audit invocation', () => {
beforeEach(() => {
resetCounter();
});
it('invokes pip-audit with -r <target>/requirements.txt (not "pip audit" against the host)', async () => {
const shimDir = mkdtempSync(join(tmpdir(), 'llmsec-supply-shim-'));
const target = mkdtempSync(join(tmpdir(), 'llmsec-supply-target-'));
const argvLog = join(shimDir, 'argv.log');
makePipShims(shimDir, argvLog);
writeFileSync(join(target, 'requirements.txt'), 'requests==2.0.0\n');
const oldPath = process.env.PATH;
process.env.PATH = `${shimDir}:${oldPath}`;
try {
const result = await scan(target, { files: [] });
assert.equal(result.status, 'ok', `Expected status 'ok', got '${result.status}'`);
const shimFinding = result.findings.find(f => f.title.includes('PYSEC-TEST-0001'));
assert.ok(
shimFinding,
`Expected a finding from the pip-audit shim (PYSEC-TEST-0001). ` +
`Findings: ${result.findings.map(f => f.title).join('; ')}`
);
const hostFinding = result.findings.find(f => f.title.includes('PYSEC-HOST-9999'));
assert.equal(hostFinding, undefined, 'Host-environment audit result must never be surfaced');
assert.ok(existsSync(argvLog), 'pip-audit shim was never invoked');
const argv = readFileSync(argvLog, 'utf8');
assert.match(argv, /-r/, `pip-audit must receive -r, got argv: ${argv}`);
assert.ok(
argv.includes(join(target, 'requirements.txt')),
`pip-audit must audit the target requirements.txt, got argv: ${argv}`
);
} finally {
process.env.PATH = oldPath;
rmSync(shimDir, { recursive: true, force: true });
rmSync(target, { recursive: true, force: true });
}
});
it('skips the CVE audit cleanly when the target has pyproject.toml but no requirements.txt', async () => {
const shimDir = mkdtempSync(join(tmpdir(), 'llmsec-supply-shim-'));
const target = mkdtempSync(join(tmpdir(), 'llmsec-supply-target-'));
const argvLog = join(shimDir, 'argv.log');
makePipShims(shimDir, argvLog);
writeFileSync(join(target, 'pyproject.toml'), '[project]\nname = "sample"\n');
const oldPath = process.env.PATH;
process.env.PATH = `${shimDir}:${oldPath}`;
try {
const result = await scan(target, { files: [] });
assert.equal(result.status, 'ok', `Expected status 'ok', got '${result.status}'`);
const hostFinding = result.findings.find(f => f.title.includes('PYSEC-HOST-9999'));
assert.equal(hostFinding, undefined, 'Without requirements.txt the host env must not be audited');
assert.equal(existsSync(argvLog), false, 'pip-audit must not run when requirements.txt is absent');
} finally {
process.env.PATH = oldPath;
rmSync(shimDir, { recursive: true, force: true });
rmSync(target, { recursive: true, force: true });
}
});
});