@blamejs/exceptd-skills 0.13.125 → 0.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (28) hide show
  1. package/AGENTS.md +2 -2
  2. package/CHANGELOG.md +24 -0
  3. package/README.md +12 -9
  4. package/bin/exceptd.js +142 -35
  5. package/data/_indexes/_meta.json +9 -9
  6. package/data/_indexes/activity-feed.json +2 -2
  7. package/data/_indexes/catalog-summaries.json +2 -2
  8. package/data/_indexes/chains.json +375 -0
  9. package/data/atlas-ttps.json +2 -1
  10. package/data/attack-techniques.json +4 -2
  11. package/data/cve-catalog.json +104 -0
  12. package/data/cwe-catalog.json +4 -2
  13. package/data/framework-control-gaps.json +18 -9
  14. package/data/playbooks/citation-hygiene.json +820 -0
  15. package/data/zeroday-lessons.json +50 -0
  16. package/lib/collectors/cicd-pipeline-compromise.js +10 -1
  17. package/lib/collectors/citation-hygiene.js +465 -0
  18. package/lib/collectors/containers.js +12 -7
  19. package/lib/collectors/crypto-codebase.js +11 -5
  20. package/lib/collectors/library-author.js +82 -10
  21. package/lib/collectors/scan-excludes.js +85 -0
  22. package/lib/collectors/secrets.js +10 -6
  23. package/lib/flag-suggest.js +2 -2
  24. package/lib/refresh-external.js +15 -0
  25. package/manifest.json +44 -44
  26. package/package.json +1 -1
  27. package/sbom.cdx.json +91 -46
  28. package/scripts/check-agents-md-collectors.js +8 -0
package/data/playbooks/citation-hygiene.json ADDED
@@ -0,0 +1,820 @@
1
+ {
2
+ "_meta": {
3
+ "id": "citation-hygiene",
4
+ "version": "1.0.0",
5
+ "last_threat_review": "2026-05-26",
6
+ "threat_currency_score": 94,
7
+ "changelog": [
8
+ {
9
+ "version": "1.0.0",
10
+ "date": "2026-05-26",
11
+ "summary": "Initial seven-phase citation-hygiene playbook. Validates a codebase's OWN cited security references — CVE identifiers, RFC numbers, and the prose that surrounds them in source comments, docstrings, SECURITY.md, threat-model docs, and dependency-justification notes — against the shipped CVE and RFC catalogs. Where every other code-scope playbook audits what the source DOES, this one audits what the source CLAIMS: it catches CVE identifiers that are malformed or invented (CVE-2024-XXXX, CVE-2024-zlib), well-formed CVE citations the catalog records as rejected or disputed, RFC numbers paired with a title that does not match the actual RFC title (citing RFC 9404 as the Sieve spec when 9404 is JMAP Blob Management), and Internet-Drafts referenced as if they were the normative RFC for a wire codepoint. A wrong citation in a security comment or a SECURITY.md is a silent correctness bug: it routes a reader to the wrong threat model, defends against a vulnerability that was never real, or pins a protocol decision to a document that says something different. AI-assisted code generation routinely emits plausible-looking but fabricated CVE and RFC citations, so the citation surface now drifts faster than human review catches it.",
12
+ "cves_added": [],
13
+ "framework_gaps_updated": [
14
+ "nist-800-53-SA-15",
15
+ "nist-800-218-PW-7",
16
+ "iso-27001-2022-A.8.28",
17
+ "iso-27001-2022-A.5.36",
18
+ "eu-cra-annex-I-2"
19
+ ]
20
+ }
21
+ ],
22
+ "owner": "@blamejs/platform-security",
23
+ "air_gap_mode": false,
24
+ "scope": "code",
25
+ "preconditions": [
26
+ {
27
+ "id": "filesystem-read-repo",
28
+ "description": "Agent must be able to walk the working directory tree and read source files, comments, docstrings, and documentation.",
29
+ "check": "agent_has_filesystem_read == true",
30
+ "on_fail": "halt"
31
+ },
32
+ {
33
+ "id": "repo-cites-security-references",
34
+ "description": "The repo must contain at least one CVE or RFC citation in source, comments, or docs. A repo that never cites a security reference has no citation surface to validate.",
35
+ "check": "exists_any_citation('CVE-', 'RFC') == true",
36
+ "on_fail": "warn"
37
+ }
38
+ ],
39
+ "mutex": [],
40
+ "feeds_into": [
41
+ {
42
+ "playbook_id": "framework",
43
+ "condition": "analyze.compliance_theater_check.verdict == 'theater'"
44
+ },
45
+ {
46
+ "playbook_id": "sbom",
47
+ "condition": "analyze.classification == 'detected'"
48
+ }
49
+ ]
50
+ },
51
+ "domain": {
52
+ "name": "Cited security-reference hygiene (consumer self-citation audit)",
53
+ "attack_class": "compliance-theater",
54
+ "atlas_refs": [],
55
+ "attack_refs": [
56
+ "T1565.001"
57
+ ],
58
+ "cve_refs": [],
59
+ "cwe_refs": [
60
+ "CWE-345",
61
+ "CWE-693"
62
+ ],
63
+ "d3fend_refs": [],
64
+ "frameworks_in_scope": [
65
+ "nist-800-53",
66
+ "nist-csf-2",
67
+ "iso-27001-2022",
68
+ "soc2",
69
+ "nis2",
70
+ "dora",
71
+ "eu-cra",
72
+ "uk-caf",
73
+ "au-ism",
74
+ "au-essential-8",
75
+ "cmmc"
76
+ ]
77
+ },
78
+ "phases": {
79
+ "govern": {
80
+ "jurisdiction_obligations": [
81
+ {
82
+ "jurisdiction": "EU",
83
+ "regulation": "EU CRA Art.13 / Annex I §2",
84
+ "obligation": "publish_accurate_vulnerability_handling_documentation",
85
+ "window_hours": 8760,
86
+ "clock_starts": "manual",
87
+ "evidence_required": [
88
+ "vulnerability_handling_procedure",
89
+ "accurate_cve_reference_inventory",
90
+ "security_advisory_cross_reference_map"
91
+ ]
92
+ },
93
+ {
94
+ "jurisdiction": "US",
95
+ "regulation": "OMB M-22-09 / EO 14028 (secure-software attestation)",
96
+ "obligation": "attest_accurate_security_documentation",
97
+ "window_hours": 8760,
98
+ "clock_starts": "manual",
99
+ "evidence_required": [
100
+ "cisa_secure_software_attestation_form",
101
+ "verified_security_reference_inventory"
102
+ ]
103
+ },
104
+ {
105
+ "jurisdiction": "UK",
106
+ "regulation": "UK CAF (NCSC) B4.d (Secure development)",
107
+ "obligation": "maintain_verifiable_security_documentation",
108
+ "window_hours": 720,
109
+ "clock_starts": "manual",
110
+ "evidence_required": [
111
+ "documentation_review_record",
112
+ "cited_reference_verification_log"
113
+ ]
114
+ }
115
+ ],
116
+ "theater_fingerprints": [
117
+ {
118
+ "pattern_id": "security-comment-cites-nonexistent-cve",
119
+ "claim": "This code path is hardened against CVE-XXXX-YYYY (cited in a source comment, a mitigation note, or SECURITY.md).",
120
+ "fast_detection_test": "Extract every CVE identifier cited in source comments, docstrings, and docs. For each, confirm (a) it matches the canonical CVE-\\d{4}-\\d{4,} form — a trailing non-numeric token (CVE-2024-XXXX, CVE-2024-zlib, CVE-2024-TBD) is an invented placeholder that escaped a template; (b) the well-formed ones resolve to a real advisory. A mitigation comment citing a CVE that does not exist defends against nothing — the reviewer who trusts the comment never re-checks the code path. Cross-reference each well-formed citation against the shipped CVE catalog; identifiers absent from the curated catalog are inconclusive (the catalog is curated, not exhaustive) and need an out-of-band NVD lookup before the comment can be trusted.",
121
+ "implicated_controls": [
122
+ "nist-800-53-SA-15",
123
+ "iso-27001-2022-A.8.28",
124
+ "eu-cra-annex-I-2"
125
+ ]
126
+ },
127
+ {
128
+ "pattern_id": "mitigation-note-cites-rejected-or-disputed-cve",
129
+ "claim": "We patched / mitigated CVE-XXXX-YYYY, so this component is safe.",
130
+ "fast_detection_test": "For each well-formed CVE citation, check the shipped catalog for a rejected-or-disputed marker (the catalog records dispute / rejection status in the entry's analyst notes). A citation to a REJECTED CVE points at an identifier MITRE withdrew — the mitigation note describes work done against a vulnerability that was retracted, which means either the real issue carries a different identifier or the work was unnecessary. A DISPUTED CVE (vendor contests it is a vulnerability) means the mitigation's necessity is contested; the comment should record the dispute, not assert a clean fix. Either way the citation misleads the next reader about what was actually defended.",
131
+ "implicated_controls": [
132
+ "nist-800-53-SA-15",
133
+ "nist-800-218-PW-7",
134
+ "iso-27001-2022-A.5.36"
135
+ ]
136
+ },
137
+ {
138
+ "pattern_id": "rfc-citation-title-mismatch",
139
+ "claim": "This implements / conforms to RFC NNNN (cited alongside a human-readable title in the same comment or doc line).",
140
+ "fast_detection_test": "Extract every RFC number cited with an adjacent title in the same line or comment block. Look up the actual title in the shipped RFC index. If the cited title does not match the real RFC title (citing RFC 9404 and calling it the Sieve email-filtering spec when RFC 9404 is the JMAP Blob Management Extension), the citation is wrong — either the number is a typo for a different RFC or the author conflated two documents. A conformance claim pinned to the wrong RFC sends an implementer to read the wrong wire format. The distinguishing test is exact: the real title is a fixed string in the index, not a judgement call.",
141
+ "implicated_controls": [
142
+ "iso-27001-2022-A.8.28",
143
+ "nist-800-218-PW-7"
144
+ ]
145
+ },
146
+ {
147
+ "pattern_id": "internet-draft-cited-as-normative-rfc",
148
+ "claim": "The wire format / codepoint follows RFC NNNN.",
149
+ "fast_detection_test": "Where a comment names an RFC as the normative source for a wire codepoint or algorithm identifier but the surrounding text refers to a draft / work-in-progress / terminology document, confirm the cited number is actually a published Standards-Track RFC, not a number borrowed from an Internet-Draft that never became that RFC. Pinning a codepoint to a draft-as-if-RFC means the implementation tracks a document that can still change under it. Keep this conservative — many comments legitimately cite both the draft and the RFC it became; only flag when the normative claim rests on a number that does not resolve to a published RFC.",
150
+ "implicated_controls": [
151
+ "iso-27001-2022-A.8.28"
152
+ ]
153
+ }
154
+ ],
155
+ "framework_context": {
156
+ "gap_summary": "No compliance framework binds the accuracy of the security references a codebase cites about itself. NIST 800-53 SA-15 (development process, standards, and tools) asks for a documented secure-development process but does not require that the CVE and RFC identifiers cited in that documentation actually resolve to the advisories and standards they name. NIST 800-218 SSDF PW.7 (review and analyze human-readable code) reviews code for vulnerabilities, not the citations in its comments. ISO 27001:2022 A.8.28 (secure coding) and A.5.36 (compliance with policies for information security) govern coding practice and documentation conformance but contain no requirement that cited threat references be verified against an authoritative source. EU CRA Annex I §2 (vulnerability handling) requires manufacturers to document and remediate vulnerabilities — a mitigation note citing a rejected, disputed, or fabricated CVE is documentation that fails that obligation in substance while passing it on paper. The structural gap: every framework treats a security comment or a SECURITY.md as evidence of diligence without testing whether the references inside it are real. AI-assisted code generation has made this gap operationally urgent — generated comments emit confident, well-formatted CVE and RFC citations that are frequently invented, and the citation surface now drifts faster than line-by-line human review catches it. The defending capability — cross-referencing cited identifiers against authoritative CVE and RFC catalogs — is mechanical and available offline, but no framework requires it.",
157
+ "lag_score": 540,
158
+ "per_framework_gaps": [
159
+ {
160
+ "framework": "nist-800-53",
161
+ "control_id": "SA-15",
162
+ "designed_for": "Development process, standards, and tools — a documented, repeatable secure-development process.",
163
+ "insufficient_because": "Requires a documented process and tooling; does not require that the CVE / RFC identifiers cited in security documentation resolve to real advisories and standards. A mitigation note citing a fabricated CVE satisfies SA-15's process-documentation surface while defending against nothing."
164
+ },
165
+ {
166
+ "framework": "nist-800-218",
167
+ "control_id": "PW.7",
168
+ "designed_for": "Review and analyze human-readable code to identify vulnerabilities and verify compliance with security requirements.",
169
+ "insufficient_because": "Reviews code for vulnerabilities; says nothing about validating the threat references cited in comments. A reviewer can pass PW.7 while trusting a comment that cites a disputed CVE the catalog would flag."
170
+ },
171
+ {
172
+ "framework": "iso-27001-2022",
173
+ "control_id": "A.8.28",
174
+ "designed_for": "Secure coding — secure coding practices throughout the development lifecycle.",
175
+ "insufficient_because": "Governs coding practice; contains no requirement that cited CVE / RFC references be verified against an authoritative catalog. Permits a codebase whose every mitigation comment cites a nonexistent advisory to claim secure-coding conformance."
176
+ },
177
+ {
178
+ "framework": "iso-27001-2022",
179
+ "control_id": "A.5.36",
180
+ "designed_for": "Compliance with policies, rules, and standards for information security.",
181
+ "insufficient_because": "Tests conformance to documented policy; does not require the security documentation itself to cite verifiable references. Paper-accurate documentation can rest on fabricated identifiers."
182
+ },
183
+ {
184
+ "framework": "eu-cra",
185
+ "control_id": "Annex I §2 (vulnerability handling)",
186
+ "designed_for": "Manufacturers must identify, document, and remediate vulnerabilities in products with digital elements.",
187
+ "insufficient_because": "Requires documentation and remediation; binding for vulnerability-handling provisions from 2026-09-11. A mitigation note citing a rejected / disputed / fabricated CVE passes the documentation obligation on its face while misrepresenting what was actually remediated."
188
+ }
189
+ ]
190
+ },
191
+ "skill_preload": [
192
+ "exploit-scoring",
193
+ "framework-gap-analysis",
194
+ "compliance-theater",
195
+ "coordinated-vuln-disclosure",
196
+ "threat-model-currency"
197
+ ]
198
+ },
199
+ "direct": {
200
+ "threat_context": "Citation-accuracy posture mid-2026: AI-assisted code generation is the dominant authoring channel for security comments and dependency-justification notes, and it routinely emits confident, well-formatted CVE and RFC citations that are fabricated or mis-attributed. Generated mitigation comments cite CVE identifiers with placeholder tails that survived a template (CVE-2024-XXXX), CVE numbers that resolve to a different product entirely, and RFC numbers paired with the wrong document title. The catalog's own audit history shows the failure mode is real in curated data, not just generated prose: NVD records carry DISPUTED status (the Anyscale Ray Job-API entry CVE-2023-48022, mass-exploited as ShadowRay yet vendor-disputed and absent from CISA KEV) and REJECTED status (a withdrawn React Server Components identifier associated-with but distinct-from the real CVE), so a comment citing the rejected identifier points at nothing while the real issue lives under a different number. RFC mis-citation is equally live: with 7000+ RFCs in the index, a one-digit transposition routes an implementer from the JMAP Blob Management Extension (RFC 9404) to an unrelated document, and a wire-codepoint comment that pins to an Internet-Draft number that never became the cited RFC tracks a document that can still change. The cost is silent: a wrong citation in a security comment defends against the wrong threat, and the reviewer who trusts the comment never re-derives the code path. The defending capability — mechanical cross-reference of every cited identifier against authoritative CVE and RFC catalogs — runs fully offline and in seconds across a large repo, exactly the kind of check AI-assisted review can run continuously.",
201
+ "rwep_threshold": {
202
+ "escalate": 70,
203
+ "monitor": 40,
204
+ "close": 20
205
+ },
206
+ "framework_lag_declaration": "NIST 800-53 SA-15, NIST 800-218 SSDF PW.7, ISO 27001:2022 A.8.28 / A.5.36, SOC 2 CC8.1, and EU CRA Annex I §2 all permit security documentation whose cited CVE and RFC references are never verified against an authoritative source. SA-15 binds the development process, not the accuracy of the threat references named in it. PW.7 reviews code for vulnerabilities, not the citations in its comments. A.8.28 / A.5.36 govern coding practice and policy conformance without a citation-verification requirement. EU CRA Annex I §2 (vulnerability handling, binding 2026-09-11) requires documentation and remediation but a mitigation note citing a fabricated, rejected, or disputed CVE satisfies the documentation surface while misrepresenting the substance. UK CAF B4.d (secure development) is outcome-based and does not require machine-verifiable citation accuracy; AU ISM's software-development guidelines and Essential 8 application-control / patch-application controls bind the operating organization's deployment posture, not the accuracy of the threat references its source cites. The defending capability — offline cross-reference of every cited identifier against authoritative CVE and RFC catalogs — has been mechanically available throughout, but no framework requires it; the lag is roughly 540 days between the availability of the check and any binding obligation to run it.",
207
+ "skill_chain": [
208
+ {
209
+ "skill": "exploit-scoring",
210
+ "purpose": "For every well-formed CVE citation that resolves to a catalog entry, pull KEV / PoC / AI-discovery / active-exploitation fields so a citation can be judged against the real risk it claims to address, and so a rejected / disputed status is surfaced with its operational context.",
211
+ "required": true
212
+ },
213
+ {
214
+ "skill": "compliance-theater",
215
+ "purpose": "Run the citation theater fingerprints in govern.theater_fingerprints; emit a verdict per cited reference (fabricated / rejected-or-disputed / title-mismatch / draft-as-rfc).",
216
+ "required": true
217
+ },
218
+ {
219
+ "skill": "framework-gap-analysis",
220
+ "purpose": "Map each citation-accuracy finding to the framework controls that fail to bind citation verification (SA-15, PW.7, A.8.28, A.5.36, CRA Annex I §2).",
221
+ "required": true
222
+ },
223
+ {
224
+ "skill": "threat-model-currency",
225
+ "purpose": "Assess whether a mitigation comment's cited reference is stale or superseded — a citation that was once accurate may now point at a withdrawn or re-scoped advisory.",
226
+ "skip_if": "no_well_formed_cve_citations_resolved",
227
+ "required": false
228
+ },
229
+ {
230
+ "skill": "coordinated-vuln-disclosure",
231
+ "purpose": "Where a fabricated or wrong citation appears in a published SECURITY.md or advisory, cross-walk to the disclosure-documentation obligations the wrong citation undermines.",
232
+ "skip_if": "no_citation_in_published_disclosure_surface",
233
+ "required": false
234
+ }
235
+ ],
236
+ "token_budget": {
237
+ "estimated_total": 20000,
238
+ "breakdown": {
239
+ "govern": 2800,
240
+ "direct": 1600,
241
+ "look": 2400,
242
+ "detect": 3200,
243
+ "analyze": 4400,
244
+ "validate": 3600,
245
+ "close": 2000
246
+ }
247
+ }
248
+ },
249
+ "look": {
250
+ "artifacts": [
251
+ {
252
+ "id": "cve-citations-in-source",
253
+ "type": "file",
254
+ "source": "Grep the repo (including comments and docstrings, excluding node_modules / vendor / .venv / target / dist / build / .git) for CVE identifiers. Pattern: `CVE-\\d{4}-[0-9A-Za-z]+` (deliberately permissive on the tail so malformed citations like CVE-2024-XXXX / CVE-2024-zlib are captured, not silently skipped). Capture file_path:line and the surrounding line text for each hit.",
255
+ "air_gap_alternative": "Identical local-filesystem Grep; no network dependency. Run the same pattern against the working repo.",
256
+ "description": "Every CVE identifier cited anywhere in the source tree, including comments, docstrings, and string literals. The permissive tail is intentional — the whole point is to catch the citations that do NOT match the canonical numeric form.",
257
+ "required": true
258
+ },
259
+ {
260
+ "id": "rfc-citations-in-source",
261
+ "type": "file",
262
+ "source": "Grep the repo (including comments and docs, same exclusions) for RFC citations. Pattern: `RFC\\s?-?\\d+` (matches `RFC 9404`, `RFC9404`, `RFC-9404`). Capture file_path:line and the full surrounding line so an adjacent title can be extracted for the title-match check.",
263
+ "air_gap_alternative": "Identical local-filesystem Grep; no network dependency. Run the same pattern against the working repo.",
264
+ "description": "Every RFC number cited in the source tree, with surrounding line text. The surrounding text is required so the cited number can be paired with any adjacent human-readable title for the title-mismatch indicator.",
265
+ "required": true
266
+ },
267
+ {
268
+ "id": "security-documentation",
269
+ "type": "config_file",
270
+ "source": "Read SECURITY.md, .github/SECURITY.md, docs/SECURITY.md, THREATMODEL.md, docs/threat-model*, CHANGELOG.md security sections, and any advisory / mitigation note files. Grep these for the same CVE and RFC patterns.",
271
+ "air_gap_alternative": "Identical local-filesystem read; no network dependency. Same Read against the working repo.",
272
+ "description": "Security documentation — the highest-trust citation surface. A wrong CVE / RFC reference in SECURITY.md or a threat model is read by downstream consumers and security researchers as authoritative.",
273
+ "required": false
274
+ },
275
+ {
276
+ "id": "cve-catalog",
277
+ "type": "config_file",
278
+ "source": "Load data/cve-catalog.json (shipped with the tool). Build the set of known CVE keys and, for each, read the analyst-note fields (cvss_note, active_exploitation_notes, vector, discovery_attribution_note) to detect rejected / disputed markers.",
279
+ "air_gap_alternative": "The catalog ships in the tarball; this is a local read with no network dependency.",
280
+ "description": "The authoritative CVE reference for the cross-check. Curated, not exhaustive — a citation absent from the catalog is inconclusive (needs an out-of-band NVD lookup), never a confirmed fabrication.",
281
+ "required": true
282
+ },
283
+ {
284
+ "id": "rfc-index",
285
+ "type": "config_file",
286
+ "source": "Load data/rfc-references.json (shipped with the tool). Build the number -> title map for every indexed RFC.",
287
+ "air_gap_alternative": "The index ships in the tarball; this is a local read with no network dependency.",
288
+ "description": "The authoritative RFC number -> title map for the title-mismatch and draft-as-RFC checks. Covers the current published RFC index.",
289
+ "required": true
290
+ }
291
+ ],
292
+ "collection_scope": {
293
+ "time_window": "current",
294
+ "asset_scope": "entire_source_tree_and_security_documentation_excluding_dependencies_and_build_artifacts",
295
+ "depth": "deep",
296
+ "sampling": "exhaustive — every source file, comment, docstring, and documentation file is grepped for CVE and RFC citations. Dependency trees (node_modules, vendor, .venv, target) and build output are excluded; their citations belong to upstream, not to this codebase's self-citation surface."
297
+ },
298
+ "environment_assumptions": [
299
+ {
300
+ "assumption": "working directory is the codebase being audited (not a dependency checkout)",
301
+ "if_false": "If the working directory is a node_modules subtree or a registry checkout, the citations belong to an upstream author, not the consumer. Mark visibility_gap=upstream_not_consumer and re-run from the consumer's source repository."
302
+ },
303
+ {
304
+ "assumption": "agent has Grep + Read across the source tree and can load the shipped CVE / RFC catalogs",
305
+ "if_false": "Without the catalogs the cross-check cannot run. Downgrade catalog-dependent indicators to inconclusive and escalate."
306
+ },
307
+ {
308
+ "assumption": "the shipped CVE catalog is curated, not exhaustive",
309
+ "if_false": "A well-formed CVE citation absent from the catalog is inconclusive (needs an external NVD lookup), never a confirmed fabrication. Only malformed citations (non-numeric tail) are fabrications determinable offline."
310
+ }
311
+ ],
312
+ "fallback_if_unavailable": [
313
+ {
314
+ "artifact_id": "cve-citations-in-source",
315
+ "fallback_action": "mark_inconclusive",
316
+ "confidence_impact": "high"
317
+ },
318
+ {
319
+ "artifact_id": "rfc-citations-in-source",
320
+ "fallback_action": "mark_inconclusive",
321
+ "confidence_impact": "high"
322
+ },
323
+ {
324
+ "artifact_id": "security-documentation",
325
+ "fallback_action": "use_compensating_artifact",
326
+ "confidence_impact": "low"
327
+ },
328
+ {
329
+ "artifact_id": "cve-catalog",
330
+ "fallback_action": "escalate_to_human",
331
+ "confidence_impact": "high"
332
+ },
333
+ {
334
+ "artifact_id": "rfc-index",
335
+ "fallback_action": "escalate_to_human",
336
+ "confidence_impact": "high"
337
+ }
338
+ ]
339
+ },
340
+ "detect": {
341
+ "indicators": [
342
+ {
343
+ "id": "fabricated-cve-id",
344
+ "type": "file_path",
345
+ "value": "A cited CVE identifier whose tail is not the canonical all-numeric form. The citation matches `CVE-\\d{4}-[0-9A-Za-z]+` but NOT `CVE-\\d{4}-\\d{4,}` — i.e. the tail contains a non-digit (CVE-2024-XXXX, CVE-2024-zlib, CVE-2024-TBD) or is fewer than 4 digits. A non-numeric tail is a template placeholder or an invented identifier that never issued.",
346
+ "description": "Fabricated or malformed CVE citation. The identifier cannot resolve to any real advisory because it does not match the canonical CVE form. Hard fail — a mitigation comment citing it defends against nothing.",
347
+ "confidence": "deterministic",
348
+ "deterministic": true,
349
+ "false_positive_checks_required": [
350
+ "If the citation is inside a test fixture, a regex-pattern example, a documentation snippet illustrating the CVE format itself, or a template file (e.g. an issue / advisory template showing `CVE-YYYY-NNNNN` as a fill-in), it is illustrative, not a real citation; demote to miss.",
351
+ "If the surrounding text explicitly marks the identifier as a placeholder pending assignment (e.g. `CVE-TBD`, `pending CVE assignment`, an inline `<!-- placeholder -->`), record it as a known-placeholder rather than a fabrication — but confirm it is not shipped in operator-facing SECURITY.md / advisory text, where a placeholder is still a defect."
352
+ ]
353
+ },
354
+ {
355
+ "id": "rejected-or-disputed-cve",
356
+ "type": "file_path",
357
+ "value": "A well-formed CVE citation (matches `CVE-\\d{4}-\\d{4,}`) that resolves to a shipped-catalog entry whose analyst notes record a REJECTED or DISPUTED status. The catalog records dispute / rejection in entry note fields (cvss_note, active_exploitation_notes, vector, discovery_attribution_note); a case-insensitive match on `reject` / `disputed` in those fields for the cited entry flips this indicator.",
358
+ "description": "Citation to a rejected or disputed CVE. A REJECTED identifier was withdrawn by MITRE — the real issue, if any, carries a different number. A DISPUTED identifier is contested by the vendor — the mitigation's necessity is not settled. Either way the citation misrepresents what was defended.",
359
+ "confidence": "high",
360
+ "deterministic": false,
361
+ "false_positive_checks_required": [
362
+ "If the citation's surrounding text already acknowledges the dispute / rejection (e.g. `CVE-2023-48022 (disputed by vendor, mitigated by network isolation)`), the citation is honest about the status; demote to miss — the defect is an UNQUALIFIED citation, not the reference itself.",
363
+ "Confirm the catalog note actually marks THIS identifier as rejected / disputed and not merely a neighbouring identifier mentioned in the same note (catalog notes sometimes cross-reference a related disputed CVE). Match the rejection / dispute language to the cited key specifically before flagging.",
364
+ "If the cited identifier is absent from the shipped catalog entirely, this indicator does NOT fire — absence is inconclusive (the catalog is curated, not exhaustive), handled by the needs-verification path, not a rejected/disputed verdict."
365
+ ]
366
+ },
367
+ {
368
+ "id": "cve-citation-needs-external-verification",
369
+ "type": "behavioral_signal",
370
+ "value": "A well-formed CVE citation (matches `CVE-\\d{4}-\\d{4,}`) that is absent from the shipped CVE catalog. The catalog is curated for operational impact and framework coverage, not exhaustive, so absence is not evidence of fabrication — it means the citation could not be confirmed offline.",
371
+ "description": "Well-formed CVE citation that the offline catalog cannot confirm or refute. Needs an out-of-band NVD / vendor-advisory lookup before the comment that cites it can be trusted. Inconclusive by design — never a false clear, never a false fabrication.",
372
+ "confidence": "low",
373
+ "deterministic": false,
374
+ "false_positive_checks_required": [
375
+ "Resolve the identifier against an authoritative source (NVD, the issuing CNA's advisory) out of band. If it resolves to a real, non-rejected advisory whose product matches the surrounding claim, the citation is sound; record verified and demote to miss.",
376
+ "If it resolves to a REJECTED / DISPUTED record at NVD, re-classify under rejected-or-disputed-cve rather than leaving it inconclusive."
377
+ ]
378
+ },
379
+ {
380
+ "id": "rfc-number-title-mismatch",
381
+ "type": "file_path",
382
+ "value": "An RFC citation that names a number AND an adjacent human-readable title in the same line / comment, where the cited title does not match the actual RFC title from the shipped index. Example: a comment citing `RFC 9404` and describing it as the Sieve email-filtering spec, when RFC 9404 is the JSON Meta Application Protocol (JMAP) Blob Management Extension. The match is exact against the index title (token-overlap below a conservative threshold after normalising case / punctuation flips this indicator).",
383
+ "description": "RFC number paired with the wrong title. Either the number is a typo for a different RFC or the author conflated two documents. A conformance or wire-format claim pinned to the wrong RFC sends an implementer to read the wrong specification.",
384
+ "confidence": "high",
385
+ "deterministic": false,
386
+ "false_positive_checks_required": [
387
+ "If the adjacent text is a paraphrase / nickname rather than a title claim (e.g. `RFC 8446 (modern TLS)` — a description, not a wrong title), do not flag; only a stated title that conflicts with the index title is a mismatch.",
388
+ "If the cited number is not in the shipped RFC index at all, this indicator does NOT fire — an out-of-index number is handled as needs-verification, not a title mismatch (the index covers the current published set but a brand-new RFC may post-date it).",
389
+ "Confirm the title was extracted from the SAME citation, not from a different RFC cited later in the same comment block; pair each number with the title nearest it before comparing."
390
+ ]
391
+ },
392
+ {
393
+ "id": "draft-mislabeled-as-rfc",
394
+ "type": "behavioral_signal",
395
+ "value": "A comment names an RFC number as the normative source for a wire codepoint / algorithm identifier, but the cited number does not resolve to a published RFC in the shipped index AND the surrounding text refers to a draft / work-in-progress / terminology document. Best-effort heuristic — the absence from the index plus draft-language proximity together suggest a number borrowed from an Internet-Draft that never became that RFC.",
396
+ "description": "Internet-Draft cited as if it were the normative RFC for a codepoint. The implementation tracks a document that can still change. Conservative by design — only fires when the number is unresolved AND draft language is adjacent.",
397
+ "confidence": "low",
398
+ "deterministic": false,
399
+ "false_positive_checks_required": [
400
+ "If the comment legitimately cites both the draft and the RFC it became (e.g. `draft-ietf-tls-esni, later RFC 9XXX`), and the RFC number resolves in the index, the citation is sound; demote to miss.",
401
+ "If the cited number simply post-dates the shipped index (a newly published RFC), this is needs-verification, not a draft mislabel — confirm against the live RFC editor index before flagging.",
402
+ "Confirm the normative claim actually rests on the unresolved number and not on a separate, valid RFC cited in the same block."
403
+ ]
404
+ }
405
+ ],
406
+ "false_positive_profile": [
407
+ {
408
+ "indicator_id": "fabricated-cve-id",
409
+ "benign_pattern": "A CVE-format placeholder shown in a template, an issue form, a regex-example, or documentation that explains the CVE identifier format itself.",
410
+ "distinguishing_test": "Check the file's role. If the path is a template (.github/ISSUE_TEMPLATE, *.template, SECURITY.md scaffold), a test fixture, or documentation whose subject IS the CVE format, the malformed token is illustrative; annotate `illustrative_citation=true` and demote. A malformed token in a real mitigation comment or in shipped SECURITY.md prose stands."
411
+ },
412
+ {
413
+ "indicator_id": "rejected-or-disputed-cve",
414
+ "benign_pattern": "A citation that itself documents the dispute / rejection (e.g. cites the disputed CVE precisely to explain why a configuration-only mitigation was chosen).",
415
+ "distinguishing_test": "Read the surrounding sentence. If it already names the dispute / rejection and frames the mitigation accordingly, the citation is honest; demote. An unqualified mitigation claim against a rejected / disputed identifier — presented as a clean fix — stands."
416
+ },
417
+ {
418
+ "indicator_id": "rfc-number-title-mismatch",
419
+ "benign_pattern": "An RFC cited with a descriptive nickname rather than a title claim (`RFC 9110 (HTTP)`), or a title abbreviation that overlaps the real title.",
420
+ "distinguishing_test": "Compare the adjacent text to the index title after normalising case and punctuation. A descriptive nickname or an abbreviation with high token overlap is not a mismatch; only an adjacent title whose meaningful tokens conflict with the index title (different protocol / document subject) is a mismatch."
421
+ }
422
+ ],
423
+ "minimum_signal": {
424
+ "detected": "At least one CVE citation has a non-canonical tail in a real (non-illustrative) citation surface, OR at least one well-formed citation resolves to a catalog entry the notes mark rejected / disputed and the surrounding text does not acknowledge it, OR at least one RFC citation pairs a number with a title that conflicts with the shipped index title. Confirmed citation-accuracy defect: a reader trusting the comment is routed to the wrong threat model or specification.",
425
+ "inconclusive": "Citations were extracted but one or more catalog-dependent checks could not run (catalog unreadable), OR all flagged CVE citations are well-formed identifiers absent from the curated catalog (needs external NVD verification), OR all flagged RFC numbers post-date the shipped index. Cannot confirm or refute without an out-of-band lookup.",
426
+ "not_detected": "Every cited CVE identifier matches the canonical CVE-\\d{4}-\\d{4,} form and either resolves to a non-rejected, non-disputed catalog entry or is documented as needing external verification; every cited RFC number resolves in the index with a title consistent with the adjacent text; no normative wire-codepoint claim rests on an unresolved draft-as-RFC number."
427
+ }
428
+ },
429
+ "analyze": {
430
+ "rwep_inputs": [
431
+ {
432
+ "signal_id": "fabricated-cve-id",
433
+ "rwep_factor": "blast_radius",
434
+ "weight": 20,
435
+ "notes": "A fabricated CVE citation in shipped SECURITY.md / advisory text misleads every downstream reader; blast radius scaled by how operator-facing the citation surface is."
436
+ },
437
+ {
438
+ "signal_id": "fabricated-cve-id",
439
+ "rwep_factor": "public_poc",
440
+ "weight": 10,
441
+ "notes": "The defect is mechanically detectable; once known, the wrong citation is trivially demonstrable to any reader who checks the identifier."
442
+ },
443
+ {
444
+ "signal_id": "rejected-or-disputed-cve",
445
+ "rwep_factor": "blast_radius",
446
+ "weight": 20,
447
+ "notes": "A mitigation note citing a rejected / disputed CVE misrepresents what was defended across every consumer of the documentation."
448
+ },
449
+ {
450
+ "signal_id": "rejected-or-disputed-cve",
451
+ "rwep_factor": "active_exploitation",
452
+ "weight": 10,
453
+ "notes": "Disputed-but-exploited cases (e.g. ShadowRay) mean an unqualified citation understates a live risk the reader will discount."
454
+ },
455
+ {
456
+ "signal_id": "rfc-number-title-mismatch",
457
+ "rwep_factor": "blast_radius",
458
+ "weight": 15,
459
+ "notes": "A conformance / wire-format claim pinned to the wrong RFC routes implementers to the wrong specification; blast radius scaled by how many implementers read the citation."
460
+ },
461
+ {
462
+ "signal_id": "draft-mislabeled-as-rfc",
463
+ "rwep_factor": "blast_radius",
464
+ "weight": 10,
465
+ "notes": "Tracking a draft-as-RFC for a codepoint risks an implementation that diverges when the draft changes; conservative weight given the heuristic confidence."
466
+ }
467
+ ],
468
+ "blast_radius_model": {
469
+ "scope_question": "If this citation is wrong, how many readers are routed to the wrong threat model or specification, and how authoritative is the surface it appears on?",
470
+ "scoring_rubric": [
471
+ {
472
+ "condition": "wrong citation is in an internal code comment in a private repo with few readers",
473
+ "blast_radius_score": 1,
474
+ "description": "Limited blast; the wrong citation misleads only the team reading the comment."
475
+ },
476
+ {
477
+ "condition": "wrong citation is in a code comment of a published library / SDK that downstream consumers read while integrating",
478
+ "blast_radius_score": 2,
479
+ "description": "Bounded blast; integrators reading the comment inherit the wrong threat model."
480
+ },
481
+ {
482
+ "condition": "wrong citation is in published SECURITY.md / threat-model docs / release notes of a widely-used project",
483
+ "blast_radius_score": 3,
484
+ "description": "Significant blast; the citation is read as authoritative by downstream consumers and security researchers triaging the project."
485
+ },
486
+ {
487
+ "condition": "wrong citation is in a published security advisory / CSAF document / VEX statement the project issues about its own product",
488
+ "blast_radius_score": 4,
489
+ "description": "Massive blast; SBOM-scanning consumers and regulators route on the cited identifier; a wrong reference here corrupts downstream automated triage at scale."
490
+ },
491
+ {
492
+ "condition": "wrong citation is in a reference document or standard others cite in turn (a security guideline, a widely-vendored config template, a framework crosswalk)",
493
+ "blast_radius_score": 5,
494
+ "description": "Ecosystem-defining blast; the wrong citation propagates into every document that cites this one."
495
+ }
496
+ ]
497
+ },
498
+ "compliance_theater_check": {
499
+ "claim": "The codebase documents its security posture with cited CVE and RFC references, demonstrating diligence (NIST 800-53 SA-15, NIST 800-218 PW.7, ISO 27001:2022 A.8.28/A.5.36, EU CRA Annex I §2).",
500
+ "audit_evidence": "Security comments, SECURITY.md, threat-model docs, and advisory notes that cite specific CVE and RFC identifiers as evidence of identified-and-addressed threats and standards conformance.",
501
+ "reality_test": "Extract every cited identifier and cross-reference it against authoritative catalogs (no host probe). (1) CVE form test: every cited identifier must match `CVE-\\d{4}-\\d{4,}` — a non-numeric tail (CVE-2024-XXXX, CVE-2024-zlib) is a fabricated citation. (2) CVE status test: every well-formed citation that resolves to the shipped catalog must not be marked rejected / disputed in the entry notes unless the citing text acknowledges the status. (3) CVE coverage test: well-formed citations absent from the catalog are recorded as needs-external-verification, not silently trusted. (4) RFC title test: every RFC number cited with an adjacent title must match the shipped index title for that number. (5) RFC resolution test: every RFC number cited as normative for a wire codepoint must resolve to a published RFC, not a draft number. Theater if the documentation cites identifiers that fail (1), (2), or (4) while presenting itself as evidence of diligence.",
502
+ "theater_verdict_if_gap": "The codebase presents cited security references as evidence of diligence, but the references do not survive cross-checking: fabricated CVE identifiers defend against nothing, rejected / disputed citations misrepresent what was addressed, and wrong RFC titles route implementers to the wrong specification. Remediation paths: (a) correct each citation to the real identifier / title, (b) qualify rejected / disputed citations with their status and the actual mitigation basis, (c) resolve needs-verification citations against NVD and either confirm or correct them, OR (d) generate a defensible policy exception documenting the citations pending external verification with a verification deadline."
503
+ },
504
+ "framework_gap_mapping": [
505
+ {
506
+ "finding_id": "citation-accuracy-defect",
507
+ "framework": "nist-800-53",
508
+ "claimed_control": "SA-15 — Development Process, Standards, and Tools",
509
+ "actual_gap": "Requires a documented secure-development process; does not require that the CVE / RFC identifiers cited in that documentation resolve to real advisories and standards. Fabricated citations satisfy the process-documentation surface while defending against nothing.",
510
+ "required_control": "Add SA-15(CITE) requiring that security documentation cross-reference every cited CVE / RFC identifier against an authoritative catalog, with citations that cannot be confirmed flagged as needing verification rather than presented as settled."
511
+ },
512
+ {
513
+ "finding_id": "citation-accuracy-defect",
514
+ "framework": "nist-800-218",
515
+ "claimed_control": "PW.7 — Review and Analyze Human-Readable Code",
516
+ "actual_gap": "Reviews code for vulnerabilities; says nothing about validating the threat references cited in comments. A reviewer passes PW.7 while trusting a comment that cites a disputed or fabricated CVE.",
517
+ "required_control": "Extend PW.7 to include verification of cited security references against authoritative sources as part of human-readable-code review."
518
+ },
519
+ {
520
+ "finding_id": "citation-accuracy-defect",
521
+ "framework": "iso-27001-2022",
522
+ "claimed_control": "A.8.28 — Secure coding",
523
+ "actual_gap": "Governs coding practice; contains no requirement that cited CVE / RFC references be verified. Permits a codebase whose mitigation comments cite nonexistent advisories to claim secure-coding conformance.",
524
+ "required_control": "Amendment requiring cited threat references in security-relevant code and documentation to be validated against an authoritative catalog as a secure-coding practice."
525
+ },
526
+ {
527
+ "finding_id": "citation-accuracy-defect",
528
+ "framework": "eu-cra",
529
+ "claimed_control": "Annex I §2 — Vulnerability handling",
530
+ "actual_gap": "Requires documentation and remediation of vulnerabilities; a mitigation note citing a rejected / disputed / fabricated CVE passes the documentation obligation on its face while misrepresenting what was remediated.",
531
+ "required_control": "Implementing acts binding vulnerability-handling documentation to cite verifiable, non-rejected identifiers, with dispute status disclosed where it applies."
532
+ }
533
+ ],
534
+ "escalation_criteria": [
535
+ {
536
+ "condition": "blast_radius_score >= 3 AND any deterministic indicator fires",
537
+ "action": "raise_severity"
538
+ },
539
+ {
540
+ "condition": "compliance_theater_check.verdict == 'theater' AND citation appears in published disclosure surface",
541
+ "action": "trigger_playbook",
542
+ "target_playbook": "framework"
543
+ },
544
+ {
545
+ "condition": "rejected-or-disputed-cve fires for an identifier whose catalog active_exploitation == 'confirmed'",
546
+ "action": "raise_severity"
547
+ }
548
+ ]
549
+ },
550
+ "validate": {
551
+ "remediation_paths": [
552
+ {
553
+ "id": "correct-fabricated-cve-citation",
554
+ "description": "For each malformed / fabricated CVE citation: determine the real identifier the author intended (from the surrounding context, the linked advisory, or the dependency's changelog) and replace the placeholder with the canonical CVE-\\d{4}-\\d{4,} form. If no real identifier exists, remove the claim — a comment that cites a nonexistent CVE should not assert a mitigation.",
555
+ "preconditions": [
556
+ "fabricated_citations_inventoried == true"
557
+ ],
558
+ "priority": 1,
559
+ "compensating_controls": [
560
+ "lint_rule_rejecting_non_canonical_cve_form_in_comments_and_docs",
561
+ "ci_check_cross_referencing_cited_cves_against_an_authoritative_catalog"
562
+ ],
563
+ "estimated_time_hours": 3
564
+ },
565
+ {
566
+ "id": "qualify-rejected-or-disputed-citation",
567
+ "description": "For each citation to a rejected / disputed CVE: either re-point to the correct identifier (if the real issue carries a different number) or annotate the citation with its rejected / disputed status and the actual basis for the mitigation (e.g. configuration / network control rather than a vendor patch). The reader must see the status, not an unqualified clean-fix claim.",
568
+ "preconditions": [
569
+ "rejected_disputed_citations_inventoried == true"
570
+ ],
571
+ "priority": 2,
572
+ "compensating_controls": [
573
+ "ci_check_flagging_citations_to_catalog_rejected_disputed_entries",
574
+ "documentation_review_step_requiring_status_disclosure"
575
+ ],
576
+ "estimated_time_hours": 4
577
+ },
578
+ {
579
+ "id": "correct-rfc-title-mismatch",
580
+ "description": "For each RFC citation whose title conflicts with the index: confirm the intended document, then correct either the number or the title so the citation names a single coherent RFC. Where a wire codepoint or algorithm identifier was pinned to the wrong RFC, re-verify the implementation against the correct specification.",
581
+ "preconditions": [
582
+ "rfc_title_mismatches_inventoried == true"
583
+ ],
584
+ "priority": 3,
585
+ "compensating_controls": [
586
+ "ci_check_matching_cited_rfc_numbers_to_index_titles",
587
+ "implementation_re_review_against_corrected_rfc"
588
+ ],
589
+ "estimated_time_hours": 4
590
+ },
591
+ {
592
+ "id": "resolve-needs-verification-citations",
593
+ "description": "For each well-formed CVE citation absent from the offline catalog and each RFC number post-dating the index: resolve against the authoritative live source (NVD / vendor advisory / RFC editor index). Confirm the identifier is real, non-rejected, and product-matched; correct or qualify it otherwise.",
594
+ "preconditions": [
595
+ "external_lookup_available == true"
596
+ ],
597
+ "priority": 4,
598
+ "compensating_controls": [
599
+ "scheduled_re_verification_when_catalog_refreshes",
600
+ "needs_verification_register_maintained_until_resolved"
601
+ ],
602
+ "estimated_time_hours": 2
603
+ },
604
+ {
605
+ "id": "policy-exception",
606
+ "description": "If a citation cannot be resolved within the review window (e.g. an embargoed advisory not yet public, an RFC pending publication): generate an auditor-ready policy exception recording the pending citation, the verification deadline, and the interim caveat added to the documentation.",
607
+ "preconditions": [
608
+ "remediation_paths[1..4] blocked for this specific citation due to external_dependency == true"
609
+ ],
610
+ "priority": 5,
611
+ "compensating_controls": [
612
+ "interim_caveat_added_to_citation_marking_it_unverified",
613
+ "verification_deadline_tracked",
614
+ "documentation_review_owner_assigned"
615
+ ],
616
+ "estimated_time_hours": 2
617
+ }
618
+ ],
619
+ "validation_tests": [
620
+ {
621
+ "id": "all-cited-cves-canonical-form",
622
+ "test": "Run `rg -nP 'CVE-\\d{4}-[0-9A-Za-z]+'` across source and docs (excluding test/fixture/template paths) and confirm every match also satisfies `CVE-\\d{4}-\\d{4,}`. Expect zero non-canonical tails in real citation surfaces.",
623
+ "expected_result": "Every cited CVE identifier is in canonical numeric form; no placeholder / invented tails remain.",
624
+ "test_type": "functional"
625
+ },
626
+ {
627
+ "id": "no-unqualified-rejected-or-disputed-citations",
628
+ "test": "For every well-formed CVE citation that resolves to the shipped catalog, confirm the entry is not marked rejected / disputed, OR the citing text discloses the status. Expect zero unqualified clean-fix claims against rejected / disputed identifiers.",
629
+ "expected_result": "No mitigation claim presents a rejected / disputed CVE as a clean fix without disclosing the status.",
630
+ "test_type": "functional"
631
+ },
632
+ {
633
+ "id": "rfc-titles-match-index",
634
+ "test": "For every RFC citation that pairs a number with a title, confirm the title matches the shipped index title for that number. Expect zero conflicting titles.",
635
+ "expected_result": "Every cited RFC number is paired with a title consistent with the authoritative index.",
636
+ "test_type": "functional"
637
+ },
638
+ {
639
+ "id": "needs-verification-citations-resolved",
640
+ "test": "For each previously flagged needs-verification citation, confirm an external-source resolution was recorded (verified, corrected, or qualified). Expect an empty open needs-verification register or every entry carrying a resolution.",
641
+ "expected_result": "No well-formed citation remains in an unresolved needs-verification state past its deadline.",
642
+ "test_type": "regression"
643
+ },
644
+ {
645
+ "id": "citation-lint-gate-in-ci",
646
+ "test": "Confirm a CI step now cross-references cited CVE / RFC identifiers against the authoritative catalogs and fails on a non-canonical CVE form, a catalog-rejected/disputed citation without disclosure, or an RFC title mismatch.",
647
+ "expected_result": "CI rejects a re-introduced citation defect; the regression cannot land silently.",
648
+ "test_type": "negative"
649
+ }
650
+ ],
651
+ "residual_risk_statement": {
652
+ "risk": "Citations to identifiers absent from the offline catalog remain unconfirmed until an external lookup runs, and newly published advisories / RFCs can post-date the shipped catalogs. A citation that is accurate today can be invalidated when an advisory is later rejected or an RFC is obsoleted.",
653
+ "why_remains": "The offline catalogs are curated and time-bounded; they cannot confirm every well-formed identifier nor anticipate future rejections. Citation accuracy is a moving target — the defending check reduces but does not eliminate the long tail, because authoritative status changes upstream after the citation is written. The codebase's obligation is to cite canonical, currently-valid references, disclose known disputes, and re-verify on catalog refresh; the residual is the window between an upstream status change and the next verification pass.",
654
+ "acceptance_level": "manager",
655
+ "compensating_controls_in_place": [
656
+ "ci_citation_cross_reference_gate",
657
+ "needs_verification_register_with_deadlines",
658
+ "scheduled_re_verification_on_catalog_refresh",
659
+ "documentation_review_requiring_status_disclosure_for_disputed_citations"
660
+ ]
661
+ },
662
+ "evidence_requirements": [
663
+ {
664
+ "evidence_type": "scan_report",
665
+ "description": "Full-tree citation extraction report showing every cited CVE / RFC identifier, its canonical-form verdict, its catalog-resolution status (resolved / rejected / disputed / needs-verification), and every RFC title-match verdict against the index.",
666
+ "retention_period": "audit_cycle",
667
+ "framework_satisfied": [
668
+ "nist-800-53-SA-15",
669
+ "nist-800-218-PW-7",
670
+ "iso-27001-2022-A.8.28"
671
+ ]
672
+ },
673
+ {
674
+ "evidence_type": "config_diff",
675
+ "description": "Before/after diff of corrected citations: malformed identifiers replaced with canonical form, rejected / disputed citations qualified with status, wrong RFC titles corrected. Tied to the documentation-review approval reference.",
676
+ "retention_period": "audit_cycle",
677
+ "framework_satisfied": [
678
+ "iso-27001-2022-A.8.28",
679
+ "iso-27001-2022-A.5.36"
680
+ ]
681
+ },
682
+ {
683
+ "evidence_type": "attestation",
684
+ "description": "Verified-citation inventory: each cited security reference with its authoritative-source resolution and verification date, signed and retained as evidence of accurate vulnerability-handling documentation.",
685
+ "retention_period": "7_years",
686
+ "framework_satisfied": [
687
+ "eu-cra-annex-I-2",
688
+ "us-cisa-secure-software-attestation"
689
+ ]
690
+ }
691
+ ],
692
+ "regression_trigger": [
693
+ {
694
+ "condition": "new_cve_or_rfc_citation_added_to_source_or_docs",
695
+ "interval": "on_event"
696
+ },
697
+ {
698
+ "condition": "cve_or_rfc_catalog_refreshed",
699
+ "interval": "on_event"
700
+ },
701
+ {
702
+ "condition": "pre_release_publish",
703
+ "interval": "on_event"
704
+ },
705
+ {
706
+ "condition": "quarterly",
707
+ "interval": "90d"
708
+ }
709
+ ]
710
+ },
711
+ "close": {
712
+ "evidence_package": {
713
+ "bundle_format": "json",
714
+ "contents": [
715
+ "scan_report",
716
+ "config_diff",
717
+ "attestation",
718
+ "compliance_theater_verdict",
719
+ "framework_gap_mapping",
720
+ "residual_risk_statement",
721
+ "needs_verification_register"
722
+ ],
723
+ "destination": "local_only",
724
+ "signed": true
725
+ },
726
+ "learning_loop": {
727
+ "enabled": true,
728
+ "lesson_template": {
729
+ "attack_vector": "Cited security-reference drift: a codebase's own CVE and RFC citations — in comments, docstrings, SECURITY.md, and threat-model docs — drift into fabricated identifiers (non-canonical CVE tails escaping templates), citations to rejected / disputed CVEs presented as clean fixes, and RFC numbers paired with the wrong title. A reader who trusts the citation is routed to the wrong threat model or specification; the wrong reference defends against nothing while passing as diligence. AI-assisted authoring accelerates the drift by emitting confident, well-formatted, wrong citations.",
730
+ "control_gap": "No control verifies the cited security references in a codebase against an authoritative source. NIST 800-53 SA-15 and 800-218 PW.7 review process and code, not citations. ISO 27001:2022 A.8.28 / A.5.36 govern coding and policy conformance without a citation-verification requirement. The defending check — offline cross-reference against CVE and RFC catalogs — is mechanical and available but unrequired.",
731
+ "framework_gap": "Frameworks treat a cited security reference as evidence of diligence without testing whether the reference is real, non-rejected, and correctly titled. EU CRA Annex I §2 (binding 2026-09-11) requires vulnerability-handling documentation but a citation to a fabricated / rejected CVE satisfies the surface while misrepresenting the substance.",
732
+ "new_control_requirement": "Add citation-verification sub-controls to SA-15, PW.7, A.8.28, A.5.36, and CRA Annex I §2 requiring: (a) canonical-form enforcement on every cited CVE identifier, (b) cross-reference of every well-formed CVE citation against an authoritative catalog with rejected / disputed status disclosed, (c) RFC number -> title consistency against the published index, (d) a needs-verification register for citations the offline catalog cannot confirm, (e) a CI gate that fails on a re-introduced citation defect."
733
+ },
734
+ "feeds_back_to_skills": [
735
+ "exploit-scoring",
736
+ "compliance-theater",
737
+ "framework-gap-analysis",
738
+ "threat-model-currency",
739
+ "zeroday-gap-learn"
740
+ ]
741
+ },
742
+ "notification_actions": [
743
+ {
744
+ "obligation_ref": "EU/EU CRA Art.13 / Annex I §2 8760h",
745
+ "deadline": "computed_at_runtime",
746
+ "recipient": "internal_legal",
747
+ "evidence_attached": [
748
+ "vulnerability_handling_procedure",
749
+ "accurate_cve_reference_inventory",
750
+ "security_advisory_cross_reference_map"
751
+ ],
752
+ "draft_notification": "EU CRA Art.13 / Annex I §2 documentation accuracy record: ${manufacturer_name} confirms the vulnerability-handling documentation for ${product_name} v${current_version} cites verified, canonical, non-rejected CVE identifiers and index-consistent RFC references. Corrected citations: ${corrected_citation_summary}. Citations pending external verification: ${needs_verification_summary}. Re-verification cadence: ${cadence}."
753
+ },
754
+ {
755
+ "obligation_ref": "US/OMB M-22-09 / EO 14028 (secure-software attestation) 8760h",
756
+ "deadline": "computed_at_runtime",
757
+ "recipient": "internal_legal",
758
+ "evidence_attached": [
759
+ "cisa_secure_software_attestation_form",
760
+ "verified_security_reference_inventory"
761
+ ],
762
+ "draft_notification": "CISA secure-software attestation supporting evidence: ${manufacturer_name} attests that security documentation for ${product_name} cites verified security references. Verified-citation inventory attached. Open needs-verification items: ${needs_verification_count}."
763
+ },
764
+ {
765
+ "obligation_ref": "UK/UK CAF (NCSC) B4.d (Secure development) 720h",
766
+ "deadline": "computed_at_runtime",
767
+ "recipient": "internal_legal",
768
+ "evidence_attached": [
769
+ "documentation_review_record",
770
+ "cited_reference_verification_log"
771
+ ],
772
+ "draft_notification": "UK CAF B4.d secure-development documentation review: ${manufacturer_name} records a citation-verification review for ${product_name}, confirming cited CVE / RFC references were cross-checked against authoritative catalogs. Findings and corrections: ${review_summary}."
773
+ }
774
+ ],
775
+ "exception_generation": {
776
+ "trigger_condition": "remediation_blocked == true OR citation_pending_external_publication == true",
777
+ "exception_template": {
778
+ "scope": "Codebase ${product_name} retains citation(s) ${pending_citations} that cannot be confirmed against an authoritative source within the review window (e.g. embargoed advisory not yet public, RFC pending publication). Each is marked unverified in the documentation pending resolution.",
779
+ "duration": "until_next_audit",
780
+ "compensating_controls": [
781
+ "interim_caveat_marking_the_citation_unverified",
782
+ "verification_deadline_tracked",
783
+ "ci_gate_preventing_new_unverified_citations_from_being_presented_as_settled",
784
+ "documentation_review_owner_assigned"
785
+ ],
786
+ "risk_acceptance_owner": "manager",
787
+ "auditor_ready_language": "Pursuant to ${framework_id} ${control_id} (Development Process / Secure Coding / Vulnerability Handling), ${manufacturer_name} documents a time-bound risk acceptance for cited security reference(s) ${pending_citations} in ${product_name} versions ${affected_versions} that could not be confirmed against an authoritative catalog within the review window. The citation(s) are marked unverified in the documentation; a CI gate prevents any new citation from being presented as settled until cross-referenced. The accepted risk class is citation-uncertainty: a reader may treat an unverified reference as authoritative until it is resolved. ${manufacturer_name} acknowledges its obligation under EU CRA Annex I §2 (vulnerability handling, binding 2026-09-11) and ISO 27001:2022 A.8.28 to maintain accurate security documentation and tracks resolution to deadline ${verification_deadline}. Risk accepted by ${reviewer_name} on ${acceptance_date}. Re-evaluation triggers: the embargoed advisory becomes public, the pending RFC publishes, the CVE / RFC catalog refreshes, or the citation surface is published to a wider audience."
788
+ }
789
+ },
790
+ "regression_schedule": {
791
+ "next_run": "computed_at_runtime",
792
+ "trigger": "both",
793
+ "notify_on_skip": true
794
+ }
795
+ }
796
+ },
797
+ "directives": [
798
+ {
799
+ "id": "cited-cve-validation",
800
+ "title": "Validate every cited CVE identifier against canonical form and the shipped catalog (catch-all)",
801
+ "applies_to": {
802
+ "always": true
803
+ }
804
+ },
805
+ {
806
+ "id": "cited-rfc-validation",
807
+ "title": "Validate every cited RFC number and adjacent title against the shipped RFC index",
808
+ "applies_to": {
809
+ "always": true
810
+ }
811
+ },
812
+ {
813
+ "id": "tamper-of-defenses-via-wrong-citation",
814
+ "title": "Wrong security citation as a defense-integrity defect (T1565.001)",
815
+ "applies_to": {
816
+ "attack_technique": "T1565.001"
817
+ }
818
+ }
819
+ ]
820
+ }