npm - @blamejs/exceptd-skills - Versions diffs - 0.13.11 → 0.13.12 - Mend

@blamejs/exceptd-skills 0.13.11 → 0.13.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md +12 -0
package/data/_indexes/_meta.json +2 -2
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +720 -12
package/scripts/check-sbom-currency.js +35 -6
package/scripts/refresh-sbom.js +27 -1

package/scripts/check-sbom-currency.js CHANGED Viewed

@@ -162,21 +162,50 @@ function checkSbomCurrency(root) {
       );
       continue;
     }
-    const sha256Entry = (comp.hashes || []).find(
-      (h) => h && h.alg === "SHA-256",
-    );
+    // v0.13.12: verify SHA-256 AND SHA3-512 when present. SHA-256 is
+    // the universal-tool contract (CycloneDX 1.6 default, Anchore /
+    // Trivy / Dependency-Track / GitHub Dependency Graph). SHA3-512
+    // is the SHA-3 family hedge, matching the existing key-fingerprint
+    // pattern (lib/verify.js). Both must agree with the live bytes;
+    // a mismatch on either fires the same drift error. A missing
+    // SHA-256 is a hard error (the universal contract is the floor);
+    // a missing SHA3-512 surfaces as a downgrade-attack warning so an
+    // operator who intentionally strips the second hash from an
+    // SBOM (post-quantum posture relaxation) sees it in the gate
+    // output, not in the JSON downstream.
+    const sha256Entry = (comp.hashes || []).find((h) => h && h.alg === "SHA-256");
+    const sha3Entry = (comp.hashes || []).find((h) => h && h.alg === "SHA3-512");
     if (!sha256Entry || typeof sha256Entry.content !== "string") {
       errors.push(
         `SBOM file component "${relPath}" lacks a SHA-256 hash entry`
       );
       continue;
     }
-    const live = crypto.createHash("sha256").update(fs.readFileSync(absPath)).digest("hex");
-    if (live !== sha256Entry.content) {
+    const fileBytes = fs.readFileSync(absPath);
+    const liveSha256 = crypto.createHash("sha256").update(fileBytes).digest("hex");
+    if (liveSha256 !== sha256Entry.content) {
       errors.push(
-        `SBOM file component "${relPath}" hash drift: recorded ${sha256Entry.content.slice(0, 12)}…, live ${live.slice(0, 12)}… — re-sign skills (\`node $(exceptd path)/lib/sign.js sign-all\` from a contributor checkout) and then \`npm run refresh-sbom\`, in that order (sbom must regenerate AFTER the final sign).`,
+        `SBOM file component "${relPath}" SHA-256 drift: recorded ${sha256Entry.content.slice(0, 12)}…, live ${liveSha256.slice(0, 12)}… — re-sign skills (\`node $(exceptd path)/lib/sign.js sign-all\` from a contributor checkout) and then \`npm run refresh-sbom\`, in that order (sbom must regenerate AFTER the final sign).`,
       );
     }
+    // Codex P1 on PR #52: the dual-hash contract requires SHA3-512 to be
+    // PRESENT, not just verified when present. An attacker (or a careless
+    // sbom-generator regression) that strips the SHA3-512 column would
+    // silently pass the gate under an `if (sha3Entry)` guard, defeating
+    // the downgrade defense the dual-hash design is supposed to provide.
+    // Refuse absence as a hard error.
+    if (!sha3Entry || typeof sha3Entry.content !== "string") {
+      errors.push(
+        `SBOM file component "${relPath}" lacks a SHA3-512 hash entry — the dual-hash contract (SHA-256 + SHA3-512) requires both algorithms on every file: component. Regenerate via \`npm run refresh-sbom\` (v0.13.12+).`
+      );
+    } else {
+      const liveSha3 = crypto.createHash("sha3-512").update(fileBytes).digest("hex");
+      if (liveSha3 !== sha3Entry.content) {
+        errors.push(
+          `SBOM file component "${relPath}" SHA3-512 drift: recorded ${sha3Entry.content.slice(0, 12)}…, live ${liveSha3.slice(0, 12)}… — same remediation as SHA-256 drift (re-sign then refresh-sbom).`,
+        );
+      }
+    }
     fileComponentsChecked++;
   }

package/scripts/refresh-sbom.js CHANGED Viewed

@@ -185,6 +185,29 @@ function sha256File(absPath) {
     .digest('hex');
 }
+// v0.13.12 — emit SHA3-512 alongside SHA-256 for every file: component.
+// CycloneDX 1.6 supports multiple hash entries per component. Rationale
+// mirrors the existing key-fingerprint emission in lib/verify.js:
+//
+//   - SHA-256 stays as the universal-tool contract (Anchore / Trivy /
+//     Dependency-Track / GitHub Dependency Graph all parse it).
+//   - SHA3-512 is the SHA-3 family (Keccak / sponge), different
+//     mathematical foundation. Hedges against future SHA-2 weaknesses
+//     and aligns with the project's PQ posture (ML-KEM / ML-DSA both
+//     internally hash with SHA-3).
+//
+// check-sbom-currency.js verifies BOTH when present and refuses if a
+// SHA3-512 entry is recorded but its content drifts from the live
+// bytes — so a downgrade attack that drops SHA3-512 from the recorded
+// SBOM (leaving only SHA-256) is observable as a missing-hash error,
+// not a silent acceptance.
+function sha3_512File(absPath) {
+  return crypto
+    .createHash('sha3-512')
+    .update(fs.readFileSync(absPath))
+    .digest('hex');
+}
 function fileComponents(allowlist) {
   const rels = expandAllowlist(allowlist);
   const out = [];
@@ -194,7 +217,10 @@ function fileComponents(allowlist) {
       'bom-ref': `file:${rel}`,
       type: 'file',
       name: rel,
-      hashes: [{ alg: 'SHA-256', content: sha256File(abs) }],
+      hashes: [
+        { alg: 'SHA-256', content: sha256File(abs) },
+        { alg: 'SHA3-512', content: sha3_512File(abs) },
+      ],
     });
   }
   return out;