fix: census accuracy - reclassify packages, fix NIST language, add data transparency#26

Merged
abdelsfane merged 1 commit into main from fix/census-accuracy
Feb 19, 2026

Conversation

@abdelsfane (Contributor)

Summary

Addresses expert review feedback on cryptographic accuracy across the census report.

  • Package reclassification: Removed non-crypto packages (object-hash, guava, commons-codec, digest-crc) and stdlib packages from the "weak" tier. Reclassified SHA-256/SHA-512/SHA-3 implementations to modern. Fixed NuGet BouncyCastle duplicate.
  • NIST deadline language: "deprecate classical" -> "deprecate quantum-vulnerable asymmetric crypto" (AES/SHA-2/SHA-3 remain approved beyond 2035)
  • Methodology fixes: Removed false NIST SP 800-131A / CNSA 2.0 claim. Added download count caveats and data source verification links.
  • Data transparency: Added "Verify our data" links and "Data Sources" section to terminal report

Test plan

  • All 271 tests pass
  • Package catalog tier coverage verified (all ecosystems still have all three tiers)
  • HTML report methodology updated with accurate language
  • Terminal report includes data sources section

…ta transparency

Addresses expert review feedback on cryptographic accuracy:

- Remove non-crypto packages from catalog (object-hash, guava, commons-codec,
  digest-crc) that inflated weak crypto numbers
- Remove stdlib packages providing both weak and strong algorithms (hashlib,
  digest, crypto for Erlang/Dart) -- classifying these as "weak" is inaccurate
- Reclassify SHA-256/SHA-512/SHA-3 packages from weak to modern (hash.js,
  jssha, js-sha256, js-sha512, js-sha3, sha.js, create-hash, create-hmac)
- Reclassify keccakf1600 (Keccak = SHA-3 core) from weak to modern
- Reclassify crypto/elliptic (API deprecated, not the crypto) to modern
- Reclassify Salsa20 (not broken, just superseded) to modern
- Fix NuGet BouncyCastle.Cryptography duplicate (was in both MODERN and PQC)
- Fix NIST deadline language: "deprecate classical" -> "deprecate quantum-
  vulnerable asymmetric crypto" (AES/SHA-2/SHA-3 remain approved beyond 2035)
- Fix methodology: remove false claim about NIST SP 800-131A / CNSA 2.0
- Add data source verification links (npm API, PyPI Stats, NVD, etc.)
- Add caveat that download counts reflect installs, not direct usage
- Add Data Sources section to terminal report
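
The catalog fixes listed above (a package double-listed in two tiers, tier coverage per ecosystem, and download totals that ignore removed packages) as an added example; this is not the PR's or the project's own code, and the catalog entries, download counts and function names are constructed for illustration:

```javascript
// Added example, not the project's code: a miniature catalog in the PR's shape,
// per-tier download totals and two consistency checks; all values constructed.
const TIERS = ["weak", "modern", "pqc"];
// Constructed catalog: ecosystem -> [{ name, tier, downloads }]. The nuget
// entry reproduces the double-listing the PR fixed; pypi lacks a "pqc" entry.
const CATALOG = {
  npm: [
    { name: "md5", tier: "weak", downloads: 1000 },
    { name: "hash.js", tier: "modern", downloads: 5000 },
    { name: "example-kyber", tier: "pqc", downloads: 50 },
  ],
  nuget: [
    { name: "example-md5-net", tier: "weak", downloads: 10 },
    { name: "BouncyCastle.Cryptography", tier: "modern", downloads: 700 },
    { name: "BouncyCastle.Cryptography", tier: "pqc", downloads: 700 },
  ],
  pypi: [{ name: "example-md5", tier: "weak", downloads: 20 }],
};

// Sum downloads per tier for one ecosystem; an unknown ecosystem yields zeros.
function downloadsByTier(catalog, ecosystem) {
  const packages = catalog[ecosystem] ?? [];
  const totals = {};
  for (const tier of TIERS) {
    totals[tier] = packages
      .filter((p) => p.tier === tier)
      .reduce((sum, p) => sum + p.downloads, 0);
  }
  return totals;
}

// [ecosystem, name] for every package listed in more than one tier of the same
// ecosystem; such an entry is counted twice in the totals above.
function findDuplicates(catalog) {
  const dupes = [];
  for (const [eco, packages] of Object.entries(catalog)) {
    const tiersByName = new Map();
    for (const p of packages) {
      tiersByName.set(p.name, (tiersByName.get(p.name) ?? new Set()).add(p.tier));
    }
    for (const [name, tiers] of tiersByName) if (tiers.size > 1) dupes.push([eco, name]);
  }
  return dupes;
}

// Ecosystems that do not cover all three tiers (the test-plan coverage check).
function ecosystemsMissingTiers(catalog) {
  return Object.keys(catalog).filter((eco) =>
    TIERS.some((t) => !catalog[eco].some((p) => p.tier === t)));
}
```

Running the two checks against a catalog before merging catches a duplicate like the NuGet one, which would otherwise inflate two tiers at once.
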
github-actions bot commented Feb 19, 2026

Claude finished @abdelsfane's task

Security Review Complete ✅

Comprehensive security analysis completed. All checks passed.

Summary

Files Reviewed:

  • sdk/javascript/lib/census/package-catalog.mjs (+21/-26)
  • sdk/javascript/lib/census/report-html.mjs (+20/-7)
  • sdk/javascript/lib/census/report-terminal.mjs (+12/-2)

Security Analysis Results

✅ Standard Security Checks (1-9): All PASS

  1. Injection vulnerabilities: ✅ PASS
     • No SQL queries, command execution, or path traversal
     • All data is static catalog entries
  2. Authentication/authorization bypasses: ✅ PASS
     • No auth logic present
     • Pure data reporting functionality
  3. Insecure deserialization/eval: ✅ PASS
     • No eval(), Function(), vm, pickle, or exec
     • JSON.stringify() used safely for HTML embedding
  4. Hardcoded credentials: ✅ PASS
     • No secrets, API keys, or credentials
  5. SSRF/open redirect: ✅ PASS
     • Only static documentation URLs
     • No URL construction from user input
  6. Cryptographic misuse: ✅ PASS
     • Tool analyzes crypto, doesn't implement it
     • Algorithm names used for classification (false positive suppression applies)
  7. Prototype pollution: ✅ PASS
     • No object spread from user input
     • No __proto__ access
  8. ReDoS vulnerabilities: ✅ PASS
     • No regex processing user input
  9. Command injection: ✅ PASS
     • No subprocess execution

✅ Logic Bug Analysis (10-12): All PASS

  10. Scoring/gating functions: ✅ PASS
      • Verified tier filtering logic with 3 test cases:
        • Empty ecosystem → 0 downloads (correct)
        • Mixed tiers → each package counted in correct tier (correct)
        • Removed packages → no longer counted (correct)
  11. Filter predicates: ✅ PASS
      • p.tier === tier at line 558 is neither tautology nor contradiction
      • Verified with test inputs: properly filters by tier
  12. Boolean expressions: ✅ PASS
      • NIST deadline changes are text content only, no boolean logic affected
      • Display logic uses simple data accessors (DATA.nistDeadline2030Days)

✅ PR-Specific Change Validation

Package reclassifications (package-catalog.mjs):

  • ✅ Removed non-crypto packages from weak tier (object-hash, guava, commons-codec, digest-crc)
  • ✅ Moved SHA-256/SHA-512/SHA-3 implementations to MODERN tier (quantum-resistant hashes)
  • ✅ Fixed NuGet BouncyCastle duplicate

NIST language corrections (report-html.mjs):

  • ✅ Line 266: "deprecate classical" → "deprecate quantum-vulnerable asymmetric crypto" (accurate)
  • ✅ Lines 262, 376: Added clarification that AES/SHA-2/SHA-3 remain approved beyond 2035 (per NIST IR 8547)

Data transparency (both report files):

  • ✅ Added verification links to official data sources (npm, PyPI, NIST NVD, GitHub)
  • ✅ Added download count caveats about CI/CD and transitive dependencies
  • ✅ All external links point to legitimate official APIs

XSS risk assessment:

  • ✅ HTML report embeds data via JSON.stringify() which escapes <>& as Unicode (safe)
  • ✅ All data originates from static catalog or external APIs
  • ✅ No XSS vulnerability present

Code Quality Notes

Strengths:

  • Clean separation of data (catalog), transformation (aggregator), and presentation (reports)
  • Static typing hints via JSDoc
  • Accurate cryptographic classifications per NIST guidance
  • Transparent methodology with verifiable data sources

No security issues identified.

FINDINGS_COUNT=0
Branch: fix/census-accuracy

@github-actions

Manual review required. This PR did not meet auto-merge criteria:

  • Security review found issues (findings: unknown)
  • PR author 'abdelsfane' is not in the trusted auto-merge list
  • PR is too new (2 min < 5 min minimum)

@abdelsfane abdelsfane merged commit 955486a into main Feb 19, 2026
10 checks passed
@abdelsfane abdelsfane deleted the fix/census-accuracy branch February 19, 2026 21:36