
Verdicts

Verdicts are the output of lstn scans. They contain information about the behavioural activities detected inside dependencies. The output format can be generalized as a table of insights for a given npm package (identified by its name, version and shasum), where each row in the verdicts table represents a single occurrence of a behaviour and has the following properties:
  • message: A brief description of the behavior exhibited by the package
  • metadata: Details about the behavior, including the following fields:
    • commandline: The command line used to run the package
    • executable_path: The path to the executable file for the package
    • file_descriptor: The file descriptor for the package, if applicable
    • npm_package_name: The name of the npm package
    • npm_package_version: The version of the npm package
    • parent_name: The name of the parent package, if applicable
    • server_ip: The IP address detected in the network connection, if applicable
    • server_port: The port number detected in the network connection, if applicable
  • priority: A priority level for the vulnerability or risk, such as "critical", "medium", or "low"
This table provides an overview of the security risks associated with a given npm package, making it easier for developers to understand the potential risks and make informed decisions about whether to use the package in their projects.

Example

Running the command lstn to jq analyzes a single package (jq) and produces the verdicts shown below. In the portion of the output shown, the transitive dependency contextify@0.1.15 exhibits behavioural activity (spawning of npm processes and outbound network connections). In this case the activity results from the execution of the node-gyp command, which downloads external binaries as part of the build process. This activity is common and not malicious in nature, hence the verdicts show "priority": "medium". This kind of alert can be ignored.
jq 1.7.0 X 4 verdicts ✓ 0 problems
jq 1.7.2 X 4 verdicts ✓ 0 problems
There are 4 verdicts and 0 problems for jq@1.7.2
[medium] npm install spawned a process (from transitive dependency contextify@0.1.15)
commandline: sh -c node-gyp rebuild
executable_path: /bin/sh
parent_name: node
[medium] unexpected outbound connection destination (from transitive dependency contextify@0.1.15)
commandline: node-gyp
executable_path: /usr/local/bin/node
file_descriptor: 10.0.2.100:51657->104.20.22.46:0
server_ip: 104.20.22.46
[medium] unexpected outbound connection destination (from transitive dependency contextify@0.1.15)
commandline: node-gyp
executable_path: /usr/local/bin/node
file_descriptor: 10.0.2.100:60799->104.20.23.46:0
server_ip: 104.20.23.46
[medium] unexpected outbound connection destination (from transitive dependency contextify@0.1.15)
commandline: node /usr/local/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js rebuild
executable_path: /usr/local/bin/node
file_descriptor: 10.0.2.100:36858->104.20.22.46:443
server_ip: 104.20.22.46
There are 4 verdicts and 0 problems for jq@1.7.2
...
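The text output above can be turned back into the documented verdict shape (message, metadata, priority) and triaged mechanically. The following Python is an added example, not code from lstn or Garnet Labs: it parses a few lines copied from the output above (constructed sample input), records the scanned package from the "There are N verdicts ..." header into the documented npm_package_name / npm_package_version metadata fields, derives server_ip and server_port from the file_descriptor string (handling the IPv6 form the output also shows), and labels node-gyp process spawns and connections as expected build activity, as the text explains. The "dependency" key, the label names and the regular expressions are this example's own assumptions about the output format, not documented fields of lstn.

```python
import re
from collections import Counter

# Constructed sample input: lines copied from the human-readable `lstn to jq`
# output on this page, trimmed to one package and three verdicts.
SAMPLE_OUTPUT = """\
jq 1.7.2 X 4 verdicts ✓ 0 problems
There are 4 verdicts and 0 problems for jq@1.7.2
[medium] npm install spawned a process (from transitive dependency contextify@0.1.15)
commandline: sh -c node-gyp rebuild
executable_path: /bin/sh
parent_name: node
[medium] unexpected outbound connection destination (from transitive dependency contextify@0.1.15)
commandline: node-gyp
executable_path: /usr/local/bin/node
file_descriptor: ::ffff:10.0.2.100:42960->2606:4700:10::6814:162e:0
server_ip: 2606:4700:10::6814:162e
[medium] unexpected outbound connection destination (from transitive dependency contextify@0.1.15)
commandline: node /usr/local/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js rebuild
executable_path: /usr/local/bin/node
file_descriptor: 10.0.2.100:36858->104.20.22.46:443
server_ip: 104.20.22.46
"""

# Assumed line shapes of the text output (the name group is greedy so scoped
# packages such as @scope/pkg@1.0.0 split on the last "@").
HEADER_RE = re.compile(r"^There are \d+ verdicts and \d+ problems for (?P<name>.+)@(?P<version>[^@\s]+)$")
VERDICT_RE = re.compile(
    r"^\[(?P<priority>[a-z]+)\] (?P<message>.+?)"
    r"(?: \(from transitive dependency (?P<parent>.+)@(?P<parent_version>[^@\s)]+)\))?$"
)
FIELD_RE = re.compile(r"^(?P<key>[a-z_]+): (?P<value>.*)$")

PRIORITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}  # assumed ordering


def parse_verdicts(text):
    """Parse the text output into records shaped like the documented verdict:
    {"message", "metadata", "priority"}.  The scanned package from the header
    line goes into metadata.npm_package_name / npm_package_version; the
    transitive dependency named in parentheses is kept under an extra
    "dependency" key that this example adds (not a documented field)."""
    verdicts, package, current = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            package = {"npm_package_name": m["name"], "npm_package_version": m["version"]}
            current = None
        elif m := VERDICT_RE.match(line):
            current = {"message": m["message"], "metadata": dict(package), "priority": m["priority"]}
            if m["parent"]:
                current["dependency"] = f"{m['parent']}@{m['parent_version']}"
            verdicts.append(current)
        elif (m := FIELD_RE.match(line)) and current is not None:
            current["metadata"][m["key"]] = m["value"]
        # any other line (e.g. "jq 1.7.2 X 4 verdicts ✓ 0 problems") is a summary; skip it
    return verdicts


def remote_endpoint(file_descriptor):
    """Split a 'src->dst' file_descriptor into (server_ip, server_port).
    The port is the text after the last colon, so IPv6 destinations such as
    2606:4700:10::6814:162e:0 are split correctly; returns (None, None) when
    the value is not a socket description."""
    if "->" not in file_descriptor:
        return None, None
    dst = file_descriptor.split("->", 1)[1]
    ip, _, port = dst.rpartition(":")
    return ip, (int(port) if port.isdigit() else None)


def classify(verdict):
    """Label a verdict.  The page explains that process spawns and outbound
    connections made by node-gyp during npm install are a common, benign
    build-time pattern; those get 'expected-build-activity', all else 'review'."""
    cmd = verdict["metadata"].get("commandline", "")
    known = ("npm install spawned a process", "unexpected outbound connection destination")
    if "node-gyp" in cmd and verdict["message"] in known:
        return "expected-build-activity"
    return "review"


def triage(text):
    """Parse and summarise: counts per priority, the rows still needing review,
    and all rows (most severe first) with the remote endpoint filled in."""
    rows = []
    for v in parse_verdicts(text):
        ip, port = remote_endpoint(v["metadata"].get("file_descriptor", ""))
        rows.append({
            "package": f'{v["metadata"].get("npm_package_name")}@{v["metadata"].get("npm_package_version")}',
            "dependency": v.get("dependency"),
            "priority": v["priority"],
            "message": v["message"],
            "label": classify(v),
            "server_ip": v["metadata"].get("server_ip") or ip,
            "server_port": port,
        })
    rows.sort(key=lambda r: PRIORITY_ORDER.get(r["priority"], 99))
    return {
        "by_priority": dict(Counter(r["priority"] for r in rows)),
        "needs_review": [r for r in rows if r["label"] == "review"],
        "rows": rows,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_OUTPUT), indent=2))
```

The parser keeps every metadata key it sees rather than only the documented ones, so a field the page does not list still ends up in the record; the triage step then reduces the four-verdict output above to "3 medium, nothing left to review", which is the conclusion the text draws by hand.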
Running the same command with the --json flag outputs the entire JSON representation of the verdicts. For example:
$ lstn to jq
produces the output:
jq 1.7.0 X 4 verdicts ✓ 0 problems
jq 1.7.2 X 4 verdicts ✓ 0 problems
There are 4 verdicts and 0 problems for jq@1.7.0
[medium] npm install spawned a process (from transitive dependency contextify@0.1.15)
commandline: sh -c node-gyp rebuild
executable_path: /bin/sh
parent_name: node
[medium] unexpected outbound connection destination (from transitive dependency contextify@0.1.15)
commandline: node-gyp
executable_path: /usr/local/bin/node
file_descriptor: 10.0.2.100:51657->104.20.22.46:0
server_ip: 104.20.22.46
[medium] unexpected outbound connection destination (from transitive dependency contextify@0.1.15)
commandline: node-gyp
executable_path: /usr/local/bin/node
file_descriptor: 10.0.2.100:60799->104.20.23.46:0
server_ip: 104.20.23.46
[medium] unexpected outbound connection destination (from transitive dependency contextify@0.1.15)
commandline: node /usr/local/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js rebuild
executable_path: /usr/local/bin/node
file_descriptor: 10.0.2.100:36858->104.20.22.46:443
server_ip: 104.20.22.46
There are 4 verdicts and 0 problems for jq@1.7.2
[medium] npm install spawned a process (from transitive dependency contextify@0.1.15)
commandline: sh -c node-gyp rebuild
executable_path: /bin/sh
parent_name: node
[medium] unexpected outbound connection destination (from transitive dependency contextify@0.1.15)
commandline: node-gyp
executable_path: /usr/local/bin/node
file_descriptor: ::ffff:10.0.2.100:42960->2606:4700:10::6814:162e:0
server_ip: 2606:4700:10::6814:162e
[medium] unexpected outbound connection destination (from transitive dependency contextify@0.1.15)
commandline: node-gyp
executable_path: /usr/local/bin/node
file_descriptor: ::ffff:10.0.2.100:47690->2606:4700:10::6814:162e:0
server_ip: 2606:4700:10::6814:162e
[medium] unexpected outbound connection destination (from transitive dependency contextify@0.1.15)
commandline: node /usr/local/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js rebuild
executable_path: /usr/local/bin/node
file_descriptor: 10.0.2.100:40398->104.20.22.46:443
server_ip: 104.20.22.46
© 2023 Garnet Labs