# Security

## Reporting vulnerabilities

If you believe you have found a security issue in **node-tpm2**, please report it responsibly:

- **Email:** [support@hardproof.app](mailto:support@hardproof.app) (package maintainer contact from npm)
- **GitHub:** [Open a private security advisory](https://github.com/stacks0x/tpm2/security/advisories/new) on this repository

Do not open public issues for undisclosed vulnerabilities.

---

## Supply chain transparency (Socket.dev)

This package is analyzed by [Socket.dev](https://socket.dev/npm/package/node-tpm2). As of the initial transparency pass, typical scores were:

| Dimension | Score |
|-----------|------:|
| Quality | 100 |
| Maintenance | 94 |
| License | 100 |
| Vulnerability | 100 |
| **Supply Chain Security** | **71** |

**Supply Chain 71 is expected for a prebuilt native Node binding**, not evidence of a defect in this library. Static analysis flags structural patterns in the napi-rs loader and native-addon layout. Each alert is accounted for below.

Scores change over time on Socket's dashboard — this document explains **why the flags exist**, not how to chase a perfect number.

---

## Socket alert accounting

All locations below refer to the **published npm package**. The loader file `native.cjs` is **auto-generated by [napi-rs](https://napi.rs)** at build time — do not hand-edit it; regenerate with `npm run build`.

### Shell access (amber) — `child_process` in `native.cjs`

**What:** `isMuslFromChildProcess()` calls `execSync('ldd --version')` when filesystem and `process.report` musl/glibc detection both fail on Linux.

**Why it exists:** Choose the correct prebuilt binary (`*-gnu.node` vs `*-musl.node`) on ambiguous Linux environments.

**Risk:** Low. The command string is **hardcoded**. No user input, package name, or network data reaches this call. It runs at **module load** on Linux only, as a last-resort fallback after non-shell checks.

**Mitigation path:** Track upstream [napi-rs](https://github.com/napi-rs/napi-rs) loader changes; regenerate when a future release removes or replaces this fallback. We are already on current `@napi-rs/cli`.

---

### Dynamic require (informational) — `native.cjs`

**What:** The loader `require()`s the platform-specific prebuilt `.node` binary (and optional platform packages such as `node-tpm2-linux-x64-gnu`) based on `process.platform` / `process.arch` / musl detection.

**Why it exists:** Standard pattern for npm packages that ship prebuilt native addons via optional dependencies.

**Risk:** None inherent. The require target is chosen from a fixed platform matrix, not from caller-controlled strings (except the documented override below).

**Related:** `NAPI_RS_NATIVE_LIBRARY_PATH` allows loading a specific `.node` path for development/debugging — a documented napi-rs knob, not runtime API surface of this library.

---

### Filesystem access (informational) — `native.cjs` (+ library behavior)

**Loader (`native.cjs`):**

- Reads `/usr/bin/ldd` (text) for musl detection (`isMuslFromFilesystem`).
- Reads each optional binding's `package.json` for version consistency when `NAPI_RS_ENFORCE_VERSION_CHECK` is enabled.

**Library (Rust / JS):** Attestation and key APIs may read or write **AK blob files** when the **application** passes paths or persists exported blobs — that is documented product behavior, not covert file access.

**Risk:** None inherent in the loader paths above.

---

### Environment variable access (informational) — `native.cjs`

**What:** The loader reads napi-rs environment variables:

| Variable | Purpose |
|----------|---------|
| `NAPI_RS_NATIVE_LIBRARY_PATH` | Override path to a `.node` binary (dev/debug) |
| `NAPI_RS_FORCE_WASI` | Force or error on WASI binding load |
| `NAPI_RS_ENFORCE_VERSION_CHECK` | Enforce optional-deps version match (default on) |

**Risk:** None inherent. These are standard napi-rs configuration knobs documented upstream.

---

### URL strings (informational) — `native.cjs`

**What:** Error messages include URL strings (e.g. a link to an npm optional-dependencies bug report when platform packages fail to load).

**Risk:** None. Strings appear in error text only; the loader does not fetch URLs or open network connections.

---

### AI-detected code anomaly (informational) — package-wide

**What:** Socket's model flags atypical patterns in native bindings: low-level TPM command byte marshalling, Windows PCP/NCrypt integration, and Rust→NAPI exports.

**Risk:** None cited to a specific behavior. This alert reflects that the package is **not pure JavaScript**, not that a particular line is malicious.

---

## What this package does at runtime (trust boundary)

- **Linux:** Submits TPM 2.0 commands via `/dev/tpmrm0` (TBS-style raw commands).
- **Windows:** Submits TPM commands via TBS; attestation key persistence uses NCrypt Platform Crypto Provider (PCP).
- **No network I/O** in the library itself.
- **No shell** in application/Rust code — the only shell-related code is the napi-rs loader fallback above.

Consumers remain responsible for how they store AK blobs, NV indices, and sealed data in their own applications.

---

## Dependency surface

Runtime npm dependencies: **none** (only optional platform binding packages published alongside `node-tpm2`).

Build-time: Rust crates (compiled into the `.node` binary), `@napi-rs/cli` (dev only, not published to consumers).

See [README.md](./README.md) and [docs/api-reference.md](./docs/api-reference.md) for the public API and platform matrix.