@blamejs/exceptd-skills 0.12.6 → 0.12.8

package/data/atlas-ttps.json

@@ -3,7 +3,7 @@
     "schema_version": "1.0.0",
     "atlas_version": "5.1.0",
     "atlas_release_date": "2025-11-01",
-    "last_updated": "2026-05-01",
+    "last_updated": "2026-05-13",
     "source": "https://atlas.mitre.org",
     "note": "AI-relevant ATLAS v5.1.0 TTPs with framework_gap field. framework_gap: no framework has a control that addresses this TTP.",
     "tlp": "CLEAR",
@@ -278,5 +278,193 @@
       "ai-c2-detection",
       "ai-attack-surface"
     ]
+  },
+  "AML.T0024": {
+    "id": "AML.T0024",
+    "name": "Exfiltration via ML Inference API",
+    "tactic": "Exfiltration",
+    "description": "Adversary uses an ML inference API as the exfiltration channel for stolen data — embedding sensitive content in prompts, retrieval queries, or function-call arguments and reconstructing it from responses, logs, or training feedback. Distinguished from classical exfiltration by the channel being a categorically-trusted AI endpoint that egress controls do not flag.",
+    "subtechniques": [
+      "AML.T0024.000 — Prompt-as-Exfil (embed secret in user-facing prompt to public LLM)",
+      "AML.T0024.001 — Retrieval-as-Exfil (poisoned RAG corpus reads attacker-controlled documents that include exfil instructions)",
+      "AML.T0024.002 — Tool-Call-as-Exfil (MCP tool argument or function-call parameter carries the payload)"
+    ],
+    "real_world_instances": [
+      "RAG exfiltration: attacker-injected document instructs the model to summarize org secrets into a follow-up query that hits an external endpoint",
+      "Coding-assistant exfil: AI completion suggestions carry repository secrets in trailing comments that the developer accepts without scrutiny"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "DLP controls (PCI-DSS-v4-A1, NIST-800-53-SC-7) inspect HTTP egress at the network boundary; AI inference traffic is categorically allowed and rarely DLP-classified. No framework requires content classification on the prompt+completion stream. SI-12 information handling does not contemplate the AI-as-side-channel case.",
+    "controls_that_partially_help": [
+      "NIST-800-53-SC-7",
+      "NIST-800-53-SI-4",
+      "ISO-27001-2022-A.8.12"
+    ],
+    "controls_that_dont_help": [
+      "NIST-800-53-SC-13",
+      "PCI-DSS-v4-A1"
+    ],
+    "detection": "Content-aware DLP applied to outbound AI prompts and tool arguments; per-prompt secret-pattern scan before egress; behavioral baseline of typical prompt entropy + length per user; alert on unusual completion-response sizes correlated with sensitive-file reads",
+    "exceptd_skills": [
+      "dlp-gap-analysis",
+      "rag-pipeline-security",
+      "ai-attack-surface"
+    ]
+  },
+  "AML.T0044": {
+    "id": "AML.T0044",
+    "name": "Full ML Model Access",
+    "tactic": "Collection",
+    "description": "Adversary obtains complete read access to a deployed ML model — weights, architecture, tokenizer, training-data fingerprints — enabling offline adversarial-example crafting, distillation into a smaller offensive model, or extraction of memorized training data containing sensitive content.",
+    "subtechniques": [
+      "AML.T0044.000 — Model File Theft (read access to weights on disk / object storage)",
+      "AML.T0044.001 — Model Extraction via Query (reconstruct equivalent model from API responses)",
+      "AML.T0044.002 — Training Pipeline Compromise (snapshot weights mid-training)"
+    ],
+    "real_world_instances": [
+      "Cloud-bucket misconfigurations exposing fine-tuned model weights",
+      "Production query-budget abuse for model-distillation attacks against commercial LLM APIs"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "No framework treats trained model weights as a regulated data class with specific protection requirements. AC-6 least privilege does not contemplate model-file read scope. SC-28 protection of information at rest covers data at rest categorically but does not require per-model-artifact key isolation. No framework requires distillation-resistance testing.",
+    "controls_that_partially_help": [
+      "NIST-800-53-AC-6",
+      "NIST-800-53-SC-28",
+      "ISO-27001-2022-A.8.3"
+    ],
+    "controls_that_dont_help": [
+      "NIST-800-53-CM-7"
+    ],
+    "detection": "Object-storage access audit on model artifact paths; query-budget anomaly detection (high-volume systematic queries from single identity); model-watermark verification on extracted artifacts",
+    "exceptd_skills": [
+      "dlp-gap-analysis",
+      "ai-attack-surface",
+      "ai-risk-management"
+    ]
+  },
+  "AML.T0048": {
+    "id": "AML.T0048",
+    "name": "Erode ML Model Integrity",
+    "tactic": "Impact",
+    "description": "Adversary causes gradual degradation of ML model output quality through sustained low-rate adversarial inputs, feedback-loop poisoning, RAG-corpus drift, or systematic query patterns that bias the model's behavior over time. Distinguished from acute poisoning (T0020) by the operational tempo: erosion is slow enough to evade output-monitoring thresholds while accumulating into a meaningful integrity loss.",
+    "subtechniques": [
+      "AML.T0048.000 — Feedback-Loop Erosion (poison reinforcement signal at low rate)",
+      "AML.T0048.001 — Corpus-Drift Erosion (continuously inject low-quality documents into RAG retrieval set)",
+      "AML.T0048.002 — Query-Pattern Erosion (systematic prompts that shift output distribution)"
+    ],
+    "real_world_instances": [
+      "CVE-2026-45321 — RAG/agentic-coding corpus erosion enabling staged supply-chain attacks",
+      "Adversarial query campaigns against production recommendation systems documented in 2025-2026 incident reports"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "Continuous-integrity monitoring on ML output distributions is not a framework control. SI-7 software/firmware integrity addresses code artifacts not model behavior. No framework requires drift detection against a known-good model baseline. NIST AI RMF MEASURE-2.7 recommends but does not require continuous adversarial robustness assessment.",
+    "controls_that_partially_help": [
+      "NIST-800-53-SI-7",
+      "NIST-AI-RMF-MEASURE-2.7"
+    ],
+    "controls_that_dont_help": [
+      "ISO-27001-2022-A.8.28",
+      "SOC2-CC7"
+    ],
+    "detection": "Statistical drift detection on output distribution; periodic golden-test-set regression scoring; user-feedback anomaly mining for unusual complaint clusters",
+    "exceptd_skills": [
+      "ai-attack-surface",
+      "rag-pipeline-security",
+      "ai-risk-management"
+    ]
+  },
+  "AML.T0053": {
+    "id": "AML.T0053",
+    "name": "LLM Plugin Compromise",
+    "tactic": "Execution",
+    "description": "Adversary compromises an LLM plugin / tool / MCP server registered with a host AI assistant, gaining the ability to execute attacker-controlled actions in the host's authorization context whenever the model invokes the plugin. Distinguished from supply-chain compromise (T0010) by targeting the runtime trust relationship between an installed plugin and the host AI rather than the install pathway.",
+    "subtechniques": [
+      "AML.T0053.000 — Malicious Plugin Publish (publish under typosquat or compromised account)",
+      "AML.T0053.001 — Plugin Update Backdoor (push backdoor in a version update after publisher trust is established)",
+      "AML.T0053.002 — Plugin-to-Plugin Pivot (compromised plugin instructs the model to invoke another plugin with attacker-chosen arguments)"
+    ],
+    "real_world_instances": [
+      "CVE-2026-30615 — Windsurf MCP zero-interaction RCE via plugin trust",
+      "Public MCP-registry typosquat campaigns documented 2025-2026"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "No framework has a plugin-trust control specifically for LLM/agent tool registries. SA-12 supply chain protections do not contemplate model-invoked plugin runtimes. AC-3 access enforcement does not address the model-as-authorization-proxy pattern where the user's identity authenticates the model but the model chooses which plugin to invoke and with what arguments.",
+    "controls_that_partially_help": [
+      "NIST-800-53-SA-12",
+      "NIST-800-53-AC-3",
+      "ISO-27001-2022-A.8.30"
+    ],
+    "controls_that_dont_help": [
+      "NIST-800-53-SI-3"
+    ],
+    "detection": "Plugin-manifest signature verification; plugin-call audit trail (model decision + plugin name + arguments + result); plugin reputation scoring; alert on newly-installed plugin invocations during the first 72h",
+    "exceptd_skills": [
+      "mcp-agent-trust",
+      "ai-attack-surface"
+    ]
+  },
+  "AML.T0055": {
+    "id": "AML.T0055",
+    "name": "Unsecured Credentials",
+    "tactic": "Credential Access",
+    "description": "Adversary obtains credentials — API keys, OAuth tokens, model-provider secrets, MCP server tokens, fine-tuning service credentials — that were stored in cleartext, exposed in logs, embedded in code, or persisted in checked-in configuration. Within the AI/ML scope this technique covers credentials specific to the model-development supply chain (HuggingFace tokens, OpenAI API keys, anthropic auth, fine-tuning service keys, vector-DB credentials).",
+    "subtechniques": [
+      "AML.T0055.000 — Credentials in Repository (.env, source, notebook output cells)",
+      "AML.T0055.001 — Credentials in Logs (training logs, inference logs, MCP debug output)",
+      "AML.T0055.002 — Credentials in Model Artifact Metadata (HuggingFace model card, ONNX metadata)"
+    ],
+    "real_world_instances": [
+      "Public-repository scans surface thousands of leaked OpenAI/Anthropic/HuggingFace tokens monthly",
+      "Notebook cell-output exposure of API keys in published Kaggle/Colab artifacts"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "IA-5 authenticator management does not contemplate AI-service credential classes specifically. No framework requires repository-time secret scanning to enforce AI-provider credentials. Most regulatory frameworks treat all API keys identically; the AI-provider key uniquely conveys budget + model-access + identity-impersonation when leaked.",
+    "controls_that_partially_help": [
+      "NIST-800-53-IA-5",
+      "NIST-800-53-SC-12",
+      "ISO-27001-2022-A.5.16"
+    ],
+    "controls_that_dont_help": [
+      "NIST-800-53-AC-2"
+    ],
+    "detection": "Pre-commit and CI-time secret scanning with AI-provider key signatures; notebook-output sanitization; log-aggregation regex on AI provider key shapes; vendor-side anomaly detection on leaked-key usage patterns",
+    "exceptd_skills": [
+      "dlp-gap-analysis",
+      "mcp-agent-trust",
+      "rag-pipeline-security"
+    ]
+  },
+  "AML.T0057": {
+    "id": "AML.T0057",
+    "name": "LLM Data Leakage",
+    "tactic": "Exfiltration",
+    "description": "Adversary causes an LLM to disclose information from its training data, retrieval corpus, system prompt, or conversation context that should not have been accessible. Includes training-data memorization recovery, system-prompt extraction, retrieved-document leakage to the wrong tenant, and cross-conversation context bleed.",
+    "subtechniques": [
+      "AML.T0057.000 — Memorization Recovery (extract memorized training records via crafted prompts)",
+      "AML.T0057.001 — System Prompt Leakage (induce the model to reveal its hidden instructions)",
+      "AML.T0057.002 — Retrieval Tenant Bleed (RAG returns documents from a different tenant)",
+      "AML.T0057.003 — Cross-Conversation Bleed (KV-cache or session-state confusion across requests)"
+    ],
+    "real_world_instances": [
+      "Production AI assistant prompt-extraction incidents 2025-2026",
+      "Public LLM training-data memorization studies (NYT v. OpenAI, Carlini et al. extraction works)"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "No framework treats model output as a confidentiality boundary. SC-4 information in shared resources addresses traditional shared compute, not RAG retrieval namespaces. No framework requires per-tenant retrieval-context isolation testing. Privacy-impact assessments treat training data as transformed-and-anonymous, contradicting the memorization-recovery reality.",
+    "controls_that_partially_help": [
+      "NIST-800-53-SC-4",
+      "NIST-800-53-AC-3",
+      "ISO-27001-2022-A.5.34"
+    ],
+    "controls_that_dont_help": [
+      "ISO-27001-2022-A.8.28",
+      "NIST-800-53-SI-12"
+    ],
+    "detection": "Differential-privacy-style output auditing; canary insertions in training data + retrieval corpus with leak-detection on outputs; tenant-tag verification on RAG-retrieved documents; system-prompt-leak red team during release",
+    "exceptd_skills": [
+      "rag-pipeline-security",
+      "ai-attack-surface",
+      "dlp-gap-analysis"
+    ]
   }
 }

package/data/cwe-catalog.json

@@ -1,7 +1,7 @@
 {
   "_meta": {
     "schema_version": "1.0.0",
-    "last_updated": "2026-05-11",
+    "last_updated": "2026-05-13",
     "cwe_version": "4.16",
     "cwe_version_release_date": "2024-11-19",
     "source": "https://cwe.mitre.org",
@@ -1013,5 +1013,294 @@
     "real_requirement": "Secure-by-default configurations shipped; insecure modes require explicit opt-in with a documented risk acknowledgment; for MCP servers, default to no-network, no-fs, requiring explicit capability grants.",
     "lag_notes": "CM-6 baseline configuration is set per-deployment; CWE-1188 is about the shipped default. Frameworks rarely audit product defaults — they audit organizational deployment.",
     "last_verified": "2026-05-11"
+  },
+  "CWE-250": {
+    "id": "CWE-250",
+    "name": "Execution with Unnecessary Privileges",
+    "abstraction": "Class",
+    "category": "Privilege Management",
+    "description": "The product performs an operation at a privilege level higher than the minimum required, expanding the consequences of any vulnerability in that code path. Common roots: long-lived root daemons, container processes running as UID 0 with no need, sudo-without-NOPASSWD prompt fatigue, setuid binaries with feature-creep.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": ["CWE-1000"],
+    "related_attack_patterns_capec": ["CAPEC-104", "CAPEC-470"],
+    "skills_referencing": ["container-runtime-security", "kernel-lpe-triage", "ot-ics-security"],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": ["NIST-800-53-AC-6", "ISO-27001-2022-A.8.2", "PCI-DSS-v4-7.2"],
+    "real_requirement": "Per-syscall capability dropping enforced at process start; no long-lived root daemons in modern container runtimes; sudo audit trail with rate-limit on privileged invocations; setuid binaries replaced with capability(7) bits.",
+    "lag_notes": "AC-6 least privilege is a paper compliance target — frameworks accept role-based attestation. CWE-250 requires runtime evidence of capability minimization, which compliance audits rarely sample.",
+    "last_verified": "2026-05-13"
+  },
+  "CWE-256": {
+    "id": "CWE-256",
+    "name": "Plaintext Storage of a Password",
+    "abstraction": "Variant",
+    "category": "Credentials Management",
+    "description": "The product stores a password in cleartext on disk, in a config file, or in a database column without cryptographic hashing or encryption, exposing it on any read access to the storage medium.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": ["CWE-1000", "CWE-1003"],
+    "related_attack_patterns_capec": ["CAPEC-37"],
+    "skills_referencing": ["cred-stores", "ai-api", "dlp-gap-analysis"],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": ["NIST-800-53-IA-5(1)", "ISO-27001-2022-A.5.16", "PCI-DSS-v4-8.3"],
+    "real_requirement": "Passwords hashed at rest with a memory-hard KDF (Argon2id, scrypt); legacy databases with cleartext passwords forcibly rotated on next-login; no service-account passwords in config files — secrets manager mandatory.",
+    "lag_notes": "IA-5(1) addresses authenticator storage but compliance attestation often accepts 'encrypted at rest' for the storage volume, missing that the password value itself must be hashed not encrypted. PCI 8.3 specifies strong cryptography but rarely audits the KDF choice.",
+    "last_verified": "2026-05-13"
+  },
+  "CWE-284": {
+    "id": "CWE-284",
+    "name": "Improper Access Control",
+    "abstraction": "Pillar",
+    "category": "Access Control",
+    "description": "The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. CWE-284 is the pillar — most authz/authn defects are specializations of this class.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": ["CWE-1000"],
+    "related_attack_patterns_capec": ["CAPEC-1", "CAPEC-19"],
+    "skills_referencing": ["container-runtime-security", "identity-assurance", "webapp-security"],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": ["NIST-800-53-AC-3", "ISO-27001-2022-A.5.15", "SOC2-CC6"],
+    "real_requirement": "Authorization decisions enforced at the resource server, never client-side; deny-by-default policy with explicit allow; per-request authz check including for authenticated identities.",
+    "lag_notes": "AC-3 is the policy intent; compliance accepts the existence of an authorization framework. CWE-284 specifically calls out improper enforcement — the framework's existence does not imply the enforcement is correct.",
+    "last_verified": "2026-05-13"
+  },
+  "CWE-310": {
+    "id": "CWE-310",
+    "name": "Cryptographic Issues",
+    "abstraction": "Category",
+    "category": "Cryptography",
+    "description": "Top-level category covering cryptographic weaknesses — weak algorithms, insufficient key lengths, predictable IVs, missing integrity, broken random number generation. The category is retained as an umbrella for CWE-326, -327, -328, -329, -330 et al.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": ["CWE-1000"],
+    "related_attack_patterns_capec": ["CAPEC-97"],
+    "skills_referencing": ["pqc-first", "crypto-codebase"],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": ["NIST-800-53-SC-13", "ISO-27001-2022-A.8.24", "FIPS-140-3"],
+    "real_requirement": "Cryptographic agility — algorithm choice expressed as policy, not hardcoded; periodic crypto inventory; PQC migration roadmap with hybrid signature support.",
+    "lag_notes": "SC-13 addresses approved cryptographic mechanisms but lags behind quantum-resistance reality. FIPS-140-3 approved list omits PQC primitives until NIST PQC standardization (FIPS 203/204/205) fully promulgates.",
+    "last_verified": "2026-05-13"
+  },
+  "CWE-312": {
+    "id": "CWE-312",
+    "name": "Cleartext Storage of Sensitive Information",
+    "abstraction": "Variant",
+    "category": "Data Protection",
+    "description": "The product stores sensitive information in cleartext within a resource that may be accessible to another control sphere — disk, log file, browser storage, environment variable that's printable by ps(1), Kubernetes ConfigMap when a Secret was the right primitive.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": ["CWE-1000", "CWE-1003"],
+    "related_attack_patterns_capec": ["CAPEC-37"],
+    "skills_referencing": ["secrets", "ai-api", "dlp-gap-analysis"],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": ["NIST-800-53-SC-28", "ISO-27001-2022-A.8.24", "PCI-DSS-v4-3.5"],
+    "real_requirement": "Encryption-at-rest for all sensitive fields with per-tenant key isolation; structured logging schemas that mark sensitive fields and redact at emit time; Kubernetes Secrets with KMS-backed encryption-at-rest, not ConfigMaps.",
+    "lag_notes": "SC-28 'protection at rest' is typically satisfied by full-disk encryption — which does not protect against a logged-in process reading the cleartext. PCI 3.5 requires field-level cryptography but auditors often accept disk-level controls.",
+    "last_verified": "2026-05-13"
+  },
+  "CWE-326": {
+    "id": "CWE-326",
+    "name": "Inadequate Encryption Strength",
+    "abstraction": "Class",
+    "category": "Cryptography",
+    "description": "The product stores or transmits sensitive data using an encryption scheme that is too weak — short key length, deprecated algorithm (DES, RC4, 3DES, MD5-MAC), parameter choices outside current safe ranges. Distinguished from CWE-327 (broken algorithm) by the strength dimension rather than algorithm choice.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": ["CWE-1000", "CWE-310"],
+    "related_attack_patterns_capec": ["CAPEC-20", "CAPEC-97"],
+    "skills_referencing": ["pqc-first", "crypto-codebase", "crypto"],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": ["NIST-800-53-SC-13", "NIST-SP-800-131A", "ISO-27001-2022-A.8.24"],
+    "real_requirement": "AES-256 minimum for symmetric; RSA-3072 or ECC P-384 minimum for asymmetric pre-PQC migration; hybrid PQC (ML-KEM + ECDHE) for new TLS deployments; reject TLS handshakes below 1.2.",
+    "lag_notes": "SP 800-131A defines algorithm transitions but vendor compliance attestations lag — many auditors still accept 'AES + RSA-2048' without questioning quantum-resistance roadmap.",
+    "last_verified": "2026-05-13"
+  },
+  "CWE-328": {
+    "id": "CWE-328",
+    "name": "Use of Weak Hash",
+    "abstraction": "Class",
+    "category": "Cryptography",
+    "description": "The product uses a cryptographic hash that produces output that no longer offers cryptographic guarantees — MD5, SHA-1 for collision resistance, unsalted SHA-256 for password verification. Includes hashes used for HMAC where the construction extends MAC lifetime past the underlying hash's safe horizon.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": ["CWE-1000", "CWE-310"],
+    "related_attack_patterns_capec": ["CAPEC-97"],
+    "skills_referencing": ["crypto-codebase", "pqc-first"],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": ["NIST-800-53-SC-13", "NIST-SP-800-131A"],
+    "real_requirement": "SHA-256 minimum for integrity; SHA-384/SHA-512 for high-assurance; Argon2id/scrypt for password verification; HMAC-SHA-256 minimum for MAC.",
+    "lag_notes": "SP 800-131A retired SHA-1 for digital signatures in 2013 but legacy MAC use in non-signature contexts continued in many codebases — frameworks rarely require active inventory.",
+    "last_verified": "2026-05-13"
+  },
+  "CWE-329": {
+    "id": "CWE-329",
+    "name": "Generation of Predictable IV with CBC Mode",
+    "abstraction": "Variant",
+    "category": "Cryptography",
+    "description": "The product generates an initialization vector (IV) for CBC-mode encryption that is predictable — counter-derived, low-entropy, zero, or reused. Predictable IV in CBC reveals plaintext patterns and breaks the IND-CPA security model.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": ["CWE-1000", "CWE-310"],
+    "related_attack_patterns_capec": ["CAPEC-97"],
+    "skills_referencing": ["crypto-codebase"],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": ["NIST-800-53-SC-13", "NIST-SP-800-38A"],
+    "real_requirement": "Prefer AEAD modes (AES-GCM, ChaCha20-Poly1305) over CBC; if CBC is mandatory, IV from CSPRNG with no observable pattern; per-message IV uniqueness verified at encryption time.",
+    "lag_notes": "SP 800-38A specifies IV requirements but auditing typically focuses on algorithm presence not IV-generation correctness. CBC misuse is a recurring source of cryptographic weakness in production codebases.",
+    "last_verified": "2026-05-13"
+  },
+  "CWE-330": {
+    "id": "CWE-330",
+    "name": "Use of Insufficiently Random Values",
+    "abstraction": "Class",
+    "category": "Cryptography",
+    "description": "The product uses values intended to be random but produced from a source that is not cryptographically secure — Math.random(), time-seeded PRNG, weak entropy source. Pillar weakness for CWE-331, -338, -339, -342.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": ["CWE-1000", "CWE-310"],
+    "related_attack_patterns_capec": ["CAPEC-59", "CAPEC-485"],
+    "skills_referencing": ["crypto-codebase"],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": ["NIST-800-53-SC-13", "NIST-SP-800-90A"],
+    "real_requirement": "Use OS CSPRNG (getrandom(2) on Linux, BCryptGenRandom on Windows) for any security-relevant random; reject Math.random() / java.util.Random / rand() in security contexts via lint rules.",
+    "lag_notes": "SP 800-90A specifies DRBG requirements at the algorithm level; codebase-level enforcement that a non-CSPRNG never reaches a security-critical path is absent from framework controls.",
+    "last_verified": "2026-05-13"
+  },
+  "CWE-331": {
+    "id": "CWE-331",
+    "name": "Insufficient Entropy",
+    "abstraction": "Class",
+    "category": "Cryptography",
+    "description": "The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values more likely than others. Common in early-boot entropy starvation, VM clones, container snapshots, embedded devices with limited entropy sources.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": ["CWE-1000", "CWE-310", "CWE-330"],
+    "related_attack_patterns_capec": ["CAPEC-59"],
+    "skills_referencing": ["crypto-codebase"],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": ["NIST-800-53-SC-13", "NIST-SP-800-90B"],
+    "real_requirement": "Entropy pool seeded before security-sensitive operations; getrandom(2) blocking call honored on Linux until entropy is initialized; container/VM image entropy reseed-on-boot.",
+    "lag_notes": "SP 800-90B specifies entropy source requirements; supply chain attacks against entropy (e.g. predictable VM clones) are not addressed by any deployment-side framework control.",
+    "last_verified": "2026-05-13"
+  },
+  "CWE-338": {
+    "id": "CWE-338",
+    "name": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
+    "abstraction": "Variant",
+    "category": "Cryptography",
+    "description": "The product uses a non-cryptographic PRNG (linear congruential, Mersenne Twister, Math.random) in a security context where attacker prediction of subsequent values breaks the security property.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": ["CWE-1000", "CWE-310", "CWE-330"],
+    "related_attack_patterns_capec": ["CAPEC-485"],
+    "skills_referencing": ["crypto-codebase"],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": ["NIST-800-53-SC-13"],
+    "real_requirement": "Linters that flag Math.random(), java.util.Random, rand() in security contexts; pin random-token generation to CSPRNG via type-level distinctions (e.g. SecureRandom in Java; secrets module in Python).",
+    "lag_notes": "Framework controls reference 'cryptographic randomness' abstractly; static-analysis enforcement that a non-CSPRNG cannot reach a security-relevant code path is left to development teams.",
+    "last_verified": "2026-05-13"
+  },
+  "CWE-353": {
+    "id": "CWE-353",
+    "name": "Missing Support for Integrity Check",
+    "abstraction": "Base",
+    "category": "Integrity",
+    "description": "The product transmits or stores data without an integrity check, allowing modification in transit or at rest to go undetected. Common in custom binary protocols, log shippers without HMAC, package distribution without signatures.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": ["CWE-1000"],
+    "related_attack_patterns_capec": ["CAPEC-75", "CAPEC-39"],
+    "skills_referencing": ["library-author", "supply-chain-integrity"],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": ["NIST-800-53-SI-7", "NIST-800-53-SC-8(1)", "ISO-27001-2022-A.8.24"],
+    "real_requirement": "All package distribution signed (Sigstore, in-toto, OpenPGP); HMAC on every internal RPC; SLSA L3+ provenance for shipped artifacts.",
+    "lag_notes": "SI-7 covers software/firmware integrity; SLSA-style provenance is not a framework-mandated control. SC-8(1) addresses transmission integrity at the network layer, not application-layer message integrity.",
+    "last_verified": "2026-05-13"
+  },
+  "CWE-426": {
+    "id": "CWE-426",
+    "name": "Untrusted Search Path",
+    "abstraction": "Base",
+    "category": "Privilege Management",
+    "description": "The product searches for resources along a path that includes locations writable by an unprivileged actor, enabling privilege escalation or code-execution hijacks. Includes PATH-injection on setuid binaries, DLL search-path attacks, LD_LIBRARY_PATH abuse, Python sys.path injection.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": ["CWE-1000"],
+    "related_attack_patterns_capec": ["CAPEC-38", "CAPEC-471"],
+    "skills_referencing": ["kernel-lpe-triage", "hardening"],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": ["NIST-800-53-AC-6", "ISO-27001-2022-A.8.20"],
+    "real_requirement": "Setuid binaries use absolute paths exclusively; secure_getenv() for PATH-derived lookups in libc-linked privileged binaries; Windows: SetDllDirectoryW with empty string; LSan-style search-path audit in CI.",
+    "lag_notes": "AC-6 least privilege is the conceptual control; runtime evidence that no privileged binary reaches a writable-by-attacker location during search is rarely audited.",
+    "last_verified": "2026-05-13"
+  },
+  "CWE-522": {
+    "id": "CWE-522",
+    "name": "Insufficiently Protected Credentials",
+    "abstraction": "Class",
+    "category": "Credentials Management",
+    "description": "The product stores or transmits authentication credentials but uses insufficient protection — weak hashing, no encryption in transit, plaintext in logs, recoverable via password-reset enumeration. Pillar for several credential-handling weaknesses.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": ["CWE-1000", "CWE-1003"],
+    "related_attack_patterns_capec": ["CAPEC-49", "CAPEC-555"],
+    "skills_referencing": ["cred-stores", "ai-api", "identity-assurance"],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": ["NIST-800-53-IA-5", "ISO-27001-2022-A.5.16", "PCI-DSS-v4-8.3"],
+    "real_requirement": "Argon2id/scrypt for password hashes; TLS 1.3 for credential transmission; structured logging that redacts credential fields; secret-scanning gates on commits; vendor credentials in secrets managers with rotation policy.",
+    "lag_notes": "IA-5 authenticator management speaks to the lifecycle but rarely audits the actual storage cryptography. Credential leak in logs is the failure mode most often missed by compliance review.",
+    "last_verified": "2026-05-13"
+  },
+  "CWE-759": {
+    "id": "CWE-759",
+    "name": "Use of a One-Way Hash without a Salt",
+    "abstraction": "Variant",
+    "category": "Cryptography",
+    "description": "The product hashes a password or similar credential using a one-way hash without including a per-credential salt, enabling rainbow-table attacks against the resulting hash collection.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": ["CWE-1000", "CWE-310"],
+    "related_attack_patterns_capec": ["CAPEC-55"],
+    "skills_referencing": ["crypto-codebase"],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": ["NIST-800-53-IA-5(1)", "NIST-SP-800-63B"],
+    "real_requirement": "Use Argon2id/scrypt for password hashing — salt is intrinsic to the construction; never store bare-hashed passwords; per-credential salts ≥ 128 bits.",
+    "lag_notes": "SP 800-63B requires salted hashing for memorized secrets; codebase inventories rarely catch legacy unsalted hashes in long-lived tables. CWE-916 is the related insufficient-effort variant.",
+    "last_verified": "2026-05-13"
+  },
+  "CWE-760": {
+    "id": "CWE-760",
+    "name": "Use of a One-Way Hash with a Predictable Salt",
+    "abstraction": "Variant",
+    "category": "Cryptography",
+    "description": "The product hashes a password using a per-credential salt that is predictable (username-derived, timestamp-derived, counter), undermining the salt's defense against rainbow-table attacks.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": ["CWE-1000", "CWE-310"],
+    "related_attack_patterns_capec": ["CAPEC-55"],
+    "skills_referencing": ["crypto-codebase"],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": ["NIST-800-53-IA-5(1)", "NIST-SP-800-63B"],
+    "real_requirement": "Salt generated from CSPRNG, ≥ 128 bits, stored alongside the hash; never derived from any user-controllable or deterministic input.",
+    "lag_notes": "Compliance frameworks audit the presence of a salt; correctness of salt generation is rarely sampled.",
+    "last_verified": "2026-05-13"
+  },
+  "CWE-916": {
+    "id": "CWE-916",
+    "name": "Use of Password Hash With Insufficient Computational Effort",
+    "abstraction": "Variant",
+    "category": "Cryptography",
+    "description": "The product hashes a password with a fast cryptographic hash (MD5, SHA-1, single-pass SHA-256) where computational effort is not tuned to make offline cracking economically infeasible. Allows GPU-accelerated brute-force at scale.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": ["CWE-1000", "CWE-310"],
+    "related_attack_patterns_capec": ["CAPEC-55", "CAPEC-49"],
+    "skills_referencing": ["crypto-codebase", "cred-stores"],
+    "evidence_cves": [],
+    "framework_controls_partially_addressing": ["NIST-800-53-IA-5(1)", "NIST-SP-800-63B"],
+    "real_requirement": "Argon2id (memory-hard, RFC 9106) with tuned m/t/p; scrypt as fallback; bcrypt with work factor ≥ 12 acceptable for legacy. PBKDF2 only with iteration count ≥ 600,000 (NIST SP 800-63B 2022 update).",
+    "lag_notes": "SP 800-63B updated iteration guidance in 2022; many compliance attestations still cite the 2017 numbers. Argon2id is RFC-9106 (2021) but absent from FIPS-approved lists, creating policy friction in federal contexts.",
+    "last_verified": "2026-05-13"
   }
 }