@blamejs/exceptd-skills 0.10.3 → 0.11.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +106 -0
- package/README.md +133 -61
- package/bin/exceptd.js +1621 -146
- package/data/_indexes/_meta.json +2 -2
- package/lib/playbook-runner.js +184 -4
- package/manifest-snapshot.json +1 -1
- package/manifest.json +39 -39
- package/orchestrator/index.js +51 -1
- package/package.json +1 -1
- package/sbom.cdx.json +6 -6
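--- a/package/orchestrator/index.js
+++ b/package/orchestrator/index.js
@@ -304,12 +304,62 @@ function runCurrency() {
 }
 
 async function runReport(format) {
+// v0.11.1 feature #55: `report csaf` emits a CSAF 2.0 envelope covering
+// every scanned finding + dispatched plan + currency posture. Useful for
+// VEX downstreams that ingest CSAF JSON.
+if (format === 'csaf') {
+const scanResult = await scan();
+const plan = dispatch(scanResult.findings);
+const { currency_report } = currencyCheck();
+const ver = (function(){try{return require('../package.json').version;}catch{return 'unknown';}})();
+const csaf = {
+document: {
+category: 'csaf_security_advisory',
+csaf_version: '2.0',
+publisher: { category: 'vendor', name: 'exceptd', namespace: 'https://exceptd.com' },
+title: `exceptd assessment report — ${scanResult.summary.total_findings} finding(s) across ${plan.plan.length} skill(s)`,
+tracking: {
+id: `exceptd-report-${Date.now()}`,
+status: 'final',
+version: ver,
+initial_release_date: new Date().toISOString(),
+revision_history: [{ number: '1', date: new Date().toISOString(), summary: 'Initial report emission' }],
+},
+},
+vulnerabilities: scanResult.findings
+.filter(f => f.cve_id)
+.map(f => ({
+cve: f.cve_id,
+notes: [{ category: 'description', text: f.action_required || f.signal }],
+scores: [{ products: [], cvss_v3: { base_score: 0 } }],
+threats: f.severity === 'critical' ? [{ category: 'exploit_status', details: f.action_required }] : [],
+})),
+exceptd_extension: {
+scan_summary: scanResult.summary,
+dispatch_plan: plan,
+skill_currency: currency_report,
+host: scanResult.host,
+},
+};
+process.stdout.write(JSON.stringify(csaf, null, 2) + '\n');
+return;
+}
+
 console.log(`[orchestrator] Generating ${format} report...\n`);
 const scanResult = await scan();
 const plan = dispatch(scanResult.findings);
 const { currency_report } = currencyCheck();
 
-
+// Bug #48: header now self-describes the report flavor so a piped-to-file
+// report carries its provenance internally. Previously only stderr
+// (`[orchestrator] Generating <X> report`) distinguished the three.
+const flavorTitle = {
+executive: 'Executive Report',
+technical: 'Technical Report',
+compliance: 'Compliance Report',
+}[format] || 'Report';
+console.log(`# exceptd ${flavorTitle}`);
+console.log(`<!-- exceptd-report:flavor=${format} version=${(function(){try{return require('../package.json').version;}catch{return 'unknown';}})()} -->`);
 console.log(`Generated: ${new Date().toISOString()}\n`);
 
 console.log('## Executive Summary');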
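Review bot: The `scores` entry emitted for every vulnerability on new line 334, `scores: [{ products: [], cvss_v3: { base_score: 0 } }]`, reports a zero CVSS for each CVE regardless of `f.severity`, so a VEX downstream ingesting this advisory would read critical findings as harmless, and it will not validate as CSAF 2.0 either, since `scores[].products` must list at least one product id and `cvss_v3` uses the CVSS JSON field names (`version`, `vectorString`, `baseScore`). Until a real CVSS vector is available, drop the `scores` line entirely and let severity travel in `exceptd_extension.scan_summary` or a note; a fabricated 0 is worse than no score. `document.tracking` also lacks `current_release_date`, which the 2.0 schema requires alongside `initial_release_date`; add `current_release_date: new Date().toISOString(),` next to it. `notes[0].text` and `threats[0].details` become `undefined` when a finding carries no `action_required` (and no `signal`), and JSON.stringify silently drops those keys, leaving a note or threat without its required text — presumably findings always carry one of them, but a fallback such as `f.signal || 'see exceptd_extension'` would be safer. The `require('../package.json').version` IIFE appears twice in the hunk (new lines 314 and 362) and would be clearer hoisted into one small `packageVersion()` helper; runReport's body continues past the end of the hunk.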
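--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@blamejs/exceptd-skills",
-"version": "0.
+"version": "0.11.1",
 "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
 "keywords": [
 "ai-security",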
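--- a/package/sbom.cdx.json
+++ b/package/sbom.cdx.json
@@ -1,10 +1,10 @@
 {
 "bomFormat": "CycloneDX",
 "specVersion": "1.6",
-"serialNumber": "urn:uuid:
+"serialNumber": "urn:uuid:8c82a24f-1d6f-4e1f-80ad-08975a8a86ea",
 "version": 1,
 "metadata": {
-"timestamp": "2026-05-
+"timestamp": "2026-05-12T15:11:00.344Z",
 "tools": [
 {
 "name": "hand-written",
@@ -13,10 +13,10 @@
 }
 ],
 "component": {
-"bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.
+"bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.11.1",
 "type": "application",
 "name": "@blamejs/exceptd-skills",
-"version": "0.
+"version": "0.11.1",
 "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
 "licenses": [
 {
@@ -25,11 +25,11 @@
 }
 }
 ],
-"purl": "pkg:npm/%40blamejs/exceptd-skills@0.
+"purl": "pkg:npm/%40blamejs/exceptd-skills@0.11.1",
 "externalReferences": [
 {
 "type": "distribution",
-"url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.
+"url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.11.1"
 },
 {
 "type": "vcs",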