@blamejs/exceptd-skills 0.13.126 → 0.14.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +5 -3
- package/CHANGELOG.md +30 -0
- package/README.md +43 -9
- package/bin/exceptd.js +148 -35
- package/data/_indexes/_meta.json +2 -2
- package/data/playbooks/citation-hygiene.json +820 -0
- package/lib/citation-resolve.js +226 -0
- package/lib/collectors/cicd-pipeline-compromise.js +10 -1
- package/lib/collectors/citation-hygiene.js +465 -0
- package/lib/collectors/containers.js +12 -7
- package/lib/collectors/crypto-codebase.js +11 -5
- package/lib/collectors/library-author.js +82 -10
- package/lib/collectors/scan-excludes.js +85 -0
- package/lib/collectors/secrets.js +10 -6
- package/lib/cve-cli.js +51 -0
- package/lib/flag-suggest.js +2 -2
- package/lib/refresh-external.js +15 -0
- package/lib/rfc-cli.js +68 -0
- package/lib/schemas/cve-catalog.schema.json +13 -0
- package/lib/source-ghsa.js +3 -0
- package/lib/source-osv.js +4 -0
- package/lib/validate-package.js +7 -2
- package/manifest.json +44 -44
- package/package.json +1 -1
- package/sbom.cdx.json +134 -44
- package/scripts/check-agents-md-collectors.js +8 -0
- package/sources/validators/cve-validator.js +46 -1
package/sbom.cdx.json
CHANGED
|
@@ -1,22 +1,22 @@
|
|
|
1
1
|
{
|
|
2
2
|
"bomFormat": "CycloneDX",
|
|
3
3
|
"specVersion": "1.6",
|
|
4
|
-
"serialNumber": "urn:uuid:
|
|
4
|
+
"serialNumber": "urn:uuid:f314cd42-a14d-460d-8188-2c921279d9fa",
|
|
5
5
|
"version": 1,
|
|
6
6
|
"metadata": {
|
|
7
|
-
"timestamp": "
|
|
7
|
+
"timestamp": "2155-03-27T16:45:54.000Z",
|
|
8
8
|
"tools": [
|
|
9
9
|
{
|
|
10
10
|
"vendor": "blamejs",
|
|
11
11
|
"name": "scripts/refresh-sbom.js",
|
|
12
|
-
"version": "0.
|
|
12
|
+
"version": "0.14.1"
|
|
13
13
|
}
|
|
14
14
|
],
|
|
15
15
|
"component": {
|
|
16
|
-
"bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.
|
|
16
|
+
"bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.14.1",
|
|
17
17
|
"type": "application",
|
|
18
18
|
"name": "@blamejs/exceptd-skills",
|
|
19
|
-
"version": "0.
|
|
19
|
+
"version": "0.14.1",
|
|
20
20
|
"description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (406 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
|
|
21
21
|
"licenses": [
|
|
22
22
|
{
|
|
@@ -25,17 +25,17 @@
|
|
|
25
25
|
}
|
|
26
26
|
}
|
|
27
27
|
],
|
|
28
|
-
"purl": "pkg:npm/%40blamejs/exceptd-skills@0.
|
|
28
|
+
"purl": "pkg:npm/%40blamejs/exceptd-skills@0.14.1",
|
|
29
29
|
"hashes": [
|
|
30
30
|
{
|
|
31
31
|
"alg": "SHA-256",
|
|
32
|
-
"content": "
|
|
32
|
+
"content": "6ea7d61c6ae7aba517340fd82e5b67162f72facb5a4e197fffeeab4f484f6f69"
|
|
33
33
|
}
|
|
34
34
|
],
|
|
35
35
|
"externalReferences": [
|
|
36
36
|
{
|
|
37
37
|
"type": "distribution",
|
|
38
|
-
"url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.
|
|
38
|
+
"url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.14.1"
|
|
39
39
|
},
|
|
40
40
|
{
|
|
41
41
|
"type": "vcs",
|
|
@@ -86,11 +86,11 @@
|
|
|
86
86
|
"hashes": [
|
|
87
87
|
{
|
|
88
88
|
"alg": "SHA-256",
|
|
89
|
-
"content": "
|
|
89
|
+
"content": "6327718cdd949622fbd4af0846fab9a0a5a8f501e173f014534fe8ff4ba22110"
|
|
90
90
|
},
|
|
91
91
|
{
|
|
92
92
|
"alg": "SHA3-512",
|
|
93
|
-
"content": "
|
|
93
|
+
"content": "146c237d4f022c4a9819ad11d0328b592bc234d38dbcb7e5cf78149fe5497ed81769e68520e91a9600767200119594ed3a7234add92d1c12a087bd9b1fa7a116"
|
|
94
94
|
}
|
|
95
95
|
]
|
|
96
96
|
},
|
|
@@ -116,11 +116,11 @@
|
|
|
116
116
|
"hashes": [
|
|
117
117
|
{
|
|
118
118
|
"alg": "SHA-256",
|
|
119
|
-
"content": "
|
|
119
|
+
"content": "30c671180052f66a71168c21beec9a1d5c8487a739317e29b5d7228c2b0ab218"
|
|
120
120
|
},
|
|
121
121
|
{
|
|
122
122
|
"alg": "SHA3-512",
|
|
123
|
-
"content": "
|
|
123
|
+
"content": "5a7f8489061b1dfece4f08d2cfbce2188e83f7083eac4589db730af01d6e5ebbf1aae138bcb0a8648bd253bacc4d03e19042927cefad09d35a5081086767a00f"
|
|
124
124
|
}
|
|
125
125
|
]
|
|
126
126
|
},
|
|
@@ -176,11 +176,11 @@
|
|
|
176
176
|
"hashes": [
|
|
177
177
|
{
|
|
178
178
|
"alg": "SHA-256",
|
|
179
|
-
"content": "
|
|
179
|
+
"content": "ae39088caf4e044bf0449b97c99acfe76ad30b8a9d8e008b438f1cbda0dc16d5"
|
|
180
180
|
},
|
|
181
181
|
{
|
|
182
182
|
"alg": "SHA3-512",
|
|
183
|
-
"content": "
|
|
183
|
+
"content": "21a01dee170f40b3b5d77360fb209c89b60a8decbbf4c0a871d72176fed03cfb7b45698830741802a903deee84c601ab25a47db6d600679e259368a4ce4c171d"
|
|
184
184
|
}
|
|
185
185
|
]
|
|
186
186
|
},
|
|
@@ -281,11 +281,11 @@
|
|
|
281
281
|
"hashes": [
|
|
282
282
|
{
|
|
283
283
|
"alg": "SHA-256",
|
|
284
|
-
"content": "
|
|
284
|
+
"content": "348586ab0d2d6ffecb4d5533451cb4135e60f21340cd4a1147790390504d7f09"
|
|
285
285
|
},
|
|
286
286
|
{
|
|
287
287
|
"alg": "SHA3-512",
|
|
288
|
-
"content": "
|
|
288
|
+
"content": "33e828f638074f2066143cd8f3e6b5728a15b9d9601297f92bf02d131a975adbc4b5c5b1101ffbfe6172806949de1a87bd81fb15039d17456db0e3a1cee6770e"
|
|
289
289
|
}
|
|
290
290
|
]
|
|
291
291
|
},
|
|
@@ -469,6 +469,21 @@
|
|
|
469
469
|
}
|
|
470
470
|
]
|
|
471
471
|
},
|
|
472
|
+
{
|
|
473
|
+
"bom-ref": "file:data/playbooks/citation-hygiene.json",
|
|
474
|
+
"type": "file",
|
|
475
|
+
"name": "data/playbooks/citation-hygiene.json",
|
|
476
|
+
"hashes": [
|
|
477
|
+
{
|
|
478
|
+
"alg": "SHA-256",
|
|
479
|
+
"content": "69b25f892979583d886409379562b9a1a97f27f1dc0094480155b8086fec6798"
|
|
480
|
+
},
|
|
481
|
+
{
|
|
482
|
+
"alg": "SHA3-512",
|
|
483
|
+
"content": "62a1b38da1c1865a18d1fe585e8a57cf0f346a3999e91df9dd1a4e52e942ec892b16dcf5af8f726e921f3297044ed54f627cf8549f6b78c6e71520e68f1d93aa"
|
|
484
|
+
}
|
|
485
|
+
]
|
|
486
|
+
},
|
|
472
487
|
{
|
|
473
488
|
"bom-ref": "file:data/playbooks/cloud-iam-incident.json",
|
|
474
489
|
"type": "file",
|
|
@@ -859,6 +874,21 @@
|
|
|
859
874
|
}
|
|
860
875
|
]
|
|
861
876
|
},
|
|
877
|
+
{
|
|
878
|
+
"bom-ref": "file:lib/citation-resolve.js",
|
|
879
|
+
"type": "file",
|
|
880
|
+
"name": "lib/citation-resolve.js",
|
|
881
|
+
"hashes": [
|
|
882
|
+
{
|
|
883
|
+
"alg": "SHA-256",
|
|
884
|
+
"content": "cbfe304f39dfcc2a889171ff92c17b0c8590ccf69f2883cf630499ef4e89d04f"
|
|
885
|
+
},
|
|
886
|
+
{
|
|
887
|
+
"alg": "SHA3-512",
|
|
888
|
+
"content": "92057e0bfc5e24cdac6251fd35aaab415afe3ea9a5a31623016779d0e7ad3d56fc607dea815c6cd7fd21ccbcc9294ecfe8817486c6611611b0ca4f9113d4178c"
|
|
889
|
+
}
|
|
890
|
+
]
|
|
891
|
+
},
|
|
862
892
|
{
|
|
863
893
|
"bom-ref": "file:lib/collectors/README.md",
|
|
864
894
|
"type": "file",
|
|
@@ -896,11 +926,26 @@
|
|
|
896
926
|
"hashes": [
|
|
897
927
|
{
|
|
898
928
|
"alg": "SHA-256",
|
|
899
|
-
"content": "
|
|
929
|
+
"content": "863401bc0695c24ff874651a7c1accf4f64bcce041cb38beccc4f0264d2ca2dc"
|
|
930
|
+
},
|
|
931
|
+
{
|
|
932
|
+
"alg": "SHA3-512",
|
|
933
|
+
"content": "2b522780fb1a08f9cd3485ce2d0b7f1789ee82fbb24ebab96eea3485b17815213bbbaba26d84a24bc522b813069288f27212b575205ebe423e9e5c3c31844643"
|
|
934
|
+
}
|
|
935
|
+
]
|
|
936
|
+
},
|
|
937
|
+
{
|
|
938
|
+
"bom-ref": "file:lib/collectors/citation-hygiene.js",
|
|
939
|
+
"type": "file",
|
|
940
|
+
"name": "lib/collectors/citation-hygiene.js",
|
|
941
|
+
"hashes": [
|
|
942
|
+
{
|
|
943
|
+
"alg": "SHA-256",
|
|
944
|
+
"content": "8968e632e4e77d7e13bce63579cebae448f2fe5aacb11984203891771bcc75f7"
|
|
900
945
|
},
|
|
901
946
|
{
|
|
902
947
|
"alg": "SHA3-512",
|
|
903
|
-
"content": "
|
|
948
|
+
"content": "575dd30aab3a6568d9b4f351df493b64bf740edf6c99e3db0003685f6851e286ac7c6b2bb3d7d94ad05a562d690c2c7a951c7176fbe586a518ecad65fe6f1e91"
|
|
904
949
|
}
|
|
905
950
|
]
|
|
906
951
|
},
|
|
@@ -911,11 +956,11 @@
|
|
|
911
956
|
"hashes": [
|
|
912
957
|
{
|
|
913
958
|
"alg": "SHA-256",
|
|
914
|
-
"content": "
|
|
959
|
+
"content": "262c2f130934dc1b6ebc913022c22416e5831d5a5d6edc561b76c238effce55a"
|
|
915
960
|
},
|
|
916
961
|
{
|
|
917
962
|
"alg": "SHA3-512",
|
|
918
|
-
"content": "
|
|
963
|
+
"content": "cf58367fe3110bce44331acd279984e58a8eab417bd97afe12a48b68064234b3786a843294de17a90ae5c3f81bb60d9663b002bc84d03372e133a243c2fcdd7a"
|
|
919
964
|
}
|
|
920
965
|
]
|
|
921
966
|
},
|
|
@@ -941,11 +986,11 @@
|
|
|
941
986
|
"hashes": [
|
|
942
987
|
{
|
|
943
988
|
"alg": "SHA-256",
|
|
944
|
-
"content": "
|
|
989
|
+
"content": "0a787c60af275a8333087569725a61fdefc0baf2b76076689c2f0a84751b0f95"
|
|
945
990
|
},
|
|
946
991
|
{
|
|
947
992
|
"alg": "SHA3-512",
|
|
948
|
-
"content": "
|
|
993
|
+
"content": "98b61cb38b79aaa556c6b34243fbdd798f1307ecebab09ffdee647f92a7ad388d8110f47ba1e3bff0a01e833c306fb3b9ed243c945e4eb4d448a314bff042571"
|
|
949
994
|
}
|
|
950
995
|
]
|
|
951
996
|
},
|
|
@@ -1001,11 +1046,11 @@
|
|
|
1001
1046
|
"hashes": [
|
|
1002
1047
|
{
|
|
1003
1048
|
"alg": "SHA-256",
|
|
1004
|
-
"content": "
|
|
1049
|
+
"content": "6a40b3d23b3e524064e8fa4499f1a81e28238d08e3c2f91e6c2127ce6809f21a"
|
|
1005
1050
|
},
|
|
1006
1051
|
{
|
|
1007
1052
|
"alg": "SHA3-512",
|
|
1008
|
-
"content": "
|
|
1053
|
+
"content": "b097b4de51845a2f1d88ea8d4d891568f9a76e9b9bdd4d280e962ec84af57c5136a47804d0cd005e4e8fbdd50513d0666409463b5958a03da4520f20f750cfa9"
|
|
1009
1054
|
}
|
|
1010
1055
|
]
|
|
1011
1056
|
},
|
|
@@ -1054,6 +1099,21 @@
|
|
|
1054
1099
|
}
|
|
1055
1100
|
]
|
|
1056
1101
|
},
|
|
1102
|
+
{
|
|
1103
|
+
"bom-ref": "file:lib/collectors/scan-excludes.js",
|
|
1104
|
+
"type": "file",
|
|
1105
|
+
"name": "lib/collectors/scan-excludes.js",
|
|
1106
|
+
"hashes": [
|
|
1107
|
+
{
|
|
1108
|
+
"alg": "SHA-256",
|
|
1109
|
+
"content": "329a31ed657b2fc57b51a5e66e5bed05ada149b48e1c469ae02ed2242794efa9"
|
|
1110
|
+
},
|
|
1111
|
+
{
|
|
1112
|
+
"alg": "SHA3-512",
|
|
1113
|
+
"content": "c5024081f23b7d72c8b5287e2392f840b525bcba855d6a555ab9ed562fb84668eaacc801ae0b420b49439ad83f48dd1f653bcbb1f9aa6cf898c99ecc560a61ff"
|
|
1114
|
+
}
|
|
1115
|
+
]
|
|
1116
|
+
},
|
|
1057
1117
|
{
|
|
1058
1118
|
"bom-ref": "file:lib/collectors/secrets.js",
|
|
1059
1119
|
"type": "file",
|
|
@@ -1061,11 +1121,11 @@
|
|
|
1061
1121
|
"hashes": [
|
|
1062
1122
|
{
|
|
1063
1123
|
"alg": "SHA-256",
|
|
1064
|
-
"content": "
|
|
1124
|
+
"content": "40541ea833836853ab38775d6c840680c36da15a374508acd5710dc7f04a4181"
|
|
1065
1125
|
},
|
|
1066
1126
|
{
|
|
1067
1127
|
"alg": "SHA3-512",
|
|
1068
|
-
"content": "
|
|
1128
|
+
"content": "d63e298bd5c38e5c5a6b55770611df01d1a12ad46863875b2625a5b5dba29fd0d25e492c606d3a6e1bab3b56554555b44d2ef00714fcdded4ed495fb07fab8c4"
|
|
1069
1129
|
}
|
|
1070
1130
|
]
|
|
1071
1131
|
},
|
|
@@ -1084,6 +1144,21 @@
|
|
|
1084
1144
|
}
|
|
1085
1145
|
]
|
|
1086
1146
|
},
|
|
1147
|
+
{
|
|
1148
|
+
"bom-ref": "file:lib/cve-cli.js",
|
|
1149
|
+
"type": "file",
|
|
1150
|
+
"name": "lib/cve-cli.js",
|
|
1151
|
+
"hashes": [
|
|
1152
|
+
{
|
|
1153
|
+
"alg": "SHA-256",
|
|
1154
|
+
"content": "b1012dac78542a9c7fad7945ee1c15671d710a39d054ab9a6ef0a8f78c9282f2"
|
|
1155
|
+
},
|
|
1156
|
+
{
|
|
1157
|
+
"alg": "SHA3-512",
|
|
1158
|
+
"content": "6b2892048c6338da5ea68a490bd861d71e7ff31affb2fdbe13b48202d7b71b6b9ea453692f4cdca6c756725b747f4310fc174e21cf2700fda32022ab57955e20"
|
|
1159
|
+
}
|
|
1160
|
+
]
|
|
1161
|
+
},
|
|
1087
1162
|
{
|
|
1088
1163
|
"bom-ref": "file:lib/cve-curation.js",
|
|
1089
1164
|
"type": "file",
|
|
@@ -1151,11 +1226,11 @@
|
|
|
1151
1226
|
"hashes": [
|
|
1152
1227
|
{
|
|
1153
1228
|
"alg": "SHA-256",
|
|
1154
|
-
"content": "
|
|
1229
|
+
"content": "37998843b3fce6b56fd7f18124302ee21335e43174aa445e307c578b0cfcf8ea"
|
|
1155
1230
|
},
|
|
1156
1231
|
{
|
|
1157
1232
|
"alg": "SHA3-512",
|
|
1158
|
-
"content": "
|
|
1233
|
+
"content": "6953bae9370604540ecefb1434d622524e57083ec8afba76cf431f8b41f5a48ee948208667bc2677fcebb301440df74029fa3e075f366ecb915567de25079282"
|
|
1159
1234
|
}
|
|
1160
1235
|
]
|
|
1161
1236
|
},
|
|
@@ -1271,11 +1346,11 @@
|
|
|
1271
1346
|
"hashes": [
|
|
1272
1347
|
{
|
|
1273
1348
|
"alg": "SHA-256",
|
|
1274
|
-
"content": "
|
|
1349
|
+
"content": "15ad90a0ad6522d51f1e76b3ad9f7d6853f0545a9c26b9bd5571ce13273b1a36"
|
|
1275
1350
|
},
|
|
1276
1351
|
{
|
|
1277
1352
|
"alg": "SHA3-512",
|
|
1278
|
-
"content": "
|
|
1353
|
+
"content": "6ac2fed3aae167c69b9d06ead294a7dd6e9848c034ac65319ad1da6f7839dee852b85f36e9ab1e1bef3e63e386139ea092b79228d055d71573142f2f28d2a0cc"
|
|
1279
1354
|
}
|
|
1280
1355
|
]
|
|
1281
1356
|
},
|
|
@@ -1294,6 +1369,21 @@
|
|
|
1294
1369
|
}
|
|
1295
1370
|
]
|
|
1296
1371
|
},
|
|
1372
|
+
{
|
|
1373
|
+
"bom-ref": "file:lib/rfc-cli.js",
|
|
1374
|
+
"type": "file",
|
|
1375
|
+
"name": "lib/rfc-cli.js",
|
|
1376
|
+
"hashes": [
|
|
1377
|
+
{
|
|
1378
|
+
"alg": "SHA-256",
|
|
1379
|
+
"content": "53800bf89522a15e0f8f6f888c5f04410f6c17a2c6537738dc74d5e173a9d43c"
|
|
1380
|
+
},
|
|
1381
|
+
{
|
|
1382
|
+
"alg": "SHA3-512",
|
|
1383
|
+
"content": "170bbfd54710e1834f1d6e64d6c22c15f6e884bd874053c42c7d1dbbb42effa937572ba8d6617af7c0f698776e13b9a350ad020ebe06bac6a3f9cb972a30ec6c"
|
|
1384
|
+
}
|
|
1385
|
+
]
|
|
1386
|
+
},
|
|
1297
1387
|
{
|
|
1298
1388
|
"bom-ref": "file:lib/schemas/cve-catalog.schema.json",
|
|
1299
1389
|
"type": "file",
|
|
@@ -1301,11 +1391,11 @@
|
|
|
1301
1391
|
"hashes": [
|
|
1302
1392
|
{
|
|
1303
1393
|
"alg": "SHA-256",
|
|
1304
|
-
"content": "
|
|
1394
|
+
"content": "8ed8c965f9f1725313333abbc032b0d85a03653cc979781948cc770b88c11659"
|
|
1305
1395
|
},
|
|
1306
1396
|
{
|
|
1307
1397
|
"alg": "SHA3-512",
|
|
1308
|
-
"content": "
|
|
1398
|
+
"content": "91b4583a35b86beecc84f6c217b5b3bc5a432f4b6c56667c9d83aad774b44fedc00d42186394084828abe7978f1bc645dc213a8aeccfe714f5b6dcdb3273b1fa"
|
|
1309
1399
|
}
|
|
1310
1400
|
]
|
|
1311
1401
|
},
|
|
@@ -1406,11 +1496,11 @@
|
|
|
1406
1496
|
"hashes": [
|
|
1407
1497
|
{
|
|
1408
1498
|
"alg": "SHA-256",
|
|
1409
|
-
"content": "
|
|
1499
|
+
"content": "06dc58abb5ed96d7e85c625e5fca1a49ccb23451771104de8ea1fbb097a484e1"
|
|
1410
1500
|
},
|
|
1411
1501
|
{
|
|
1412
1502
|
"alg": "SHA3-512",
|
|
1413
|
-
"content": "
|
|
1503
|
+
"content": "900372a6681d99d2dba8ce3bc1a575f0a5225f6ae34808fe96cf6b7b988a728b82bc1a2c798a7225915009d55115276f58e8b877be23b3a773e8d3548846e0ab"
|
|
1414
1504
|
}
|
|
1415
1505
|
]
|
|
1416
1506
|
},
|
|
@@ -1421,11 +1511,11 @@
|
|
|
1421
1511
|
"hashes": [
|
|
1422
1512
|
{
|
|
1423
1513
|
"alg": "SHA-256",
|
|
1424
|
-
"content": "
|
|
1514
|
+
"content": "73a41241f2b425aebada9ea641590cb8d596390f93f9e87d07c35f3cb1b1421c"
|
|
1425
1515
|
},
|
|
1426
1516
|
{
|
|
1427
1517
|
"alg": "SHA3-512",
|
|
1428
|
-
"content": "
|
|
1518
|
+
"content": "53728b018b92ab98300b76b097884c2984a2c7b56f4bf059c5be7b84c37eb8084fd90673588aba7f2f02b14b0e9959010026aa4684d3d6660e705f41308439cc"
|
|
1429
1519
|
}
|
|
1430
1520
|
]
|
|
1431
1521
|
},
|
|
@@ -1526,11 +1616,11 @@
|
|
|
1526
1616
|
"hashes": [
|
|
1527
1617
|
{
|
|
1528
1618
|
"alg": "SHA-256",
|
|
1529
|
-
"content": "
|
|
1619
|
+
"content": "fa34eff1166720bc4f2f72bb6b1cd2d98c1e803fd7e5b192631ae0f2fcba48dd"
|
|
1530
1620
|
},
|
|
1531
1621
|
{
|
|
1532
1622
|
"alg": "SHA3-512",
|
|
1533
|
-
"content": "
|
|
1623
|
+
"content": "062707a2721ff3b9f38a4220d377eae456ac28ca6765fd10ede310959fd62ec078649fea9fd21f826f041b84353cd4549c5a3f90004c7949a70b9aa128910707"
|
|
1534
1624
|
}
|
|
1535
1625
|
]
|
|
1536
1626
|
},
|
|
@@ -1661,11 +1751,11 @@
|
|
|
1661
1751
|
"hashes": [
|
|
1662
1752
|
{
|
|
1663
1753
|
"alg": "SHA-256",
|
|
1664
|
-
"content": "
|
|
1754
|
+
"content": "cc72d668222e9cd18eaef7928e173ad17434ff4b411235bbba2b13fca722db9e"
|
|
1665
1755
|
},
|
|
1666
1756
|
{
|
|
1667
1757
|
"alg": "SHA3-512",
|
|
1668
|
-
"content": "
|
|
1758
|
+
"content": "3103116d6bd5207b8850de36cbd1b4d2495b7b2be19429731f5232356058aaefb78e6aff2f9fdba80f1f3cc89759c10a8c4aa9ec30b7220e96263b10beb2697b"
|
|
1669
1759
|
}
|
|
1670
1760
|
]
|
|
1671
1761
|
},
|
|
@@ -2066,11 +2156,11 @@
|
|
|
2066
2156
|
"hashes": [
|
|
2067
2157
|
{
|
|
2068
2158
|
"alg": "SHA-256",
|
|
2069
|
-
"content": "
|
|
2159
|
+
"content": "5f7978dd042ae7c80e98610c6f26a9eade31618357c4611926023bba2483f2c4"
|
|
2070
2160
|
},
|
|
2071
2161
|
{
|
|
2072
2162
|
"alg": "SHA3-512",
|
|
2073
|
-
"content": "
|
|
2163
|
+
"content": "bec0430494961404b184d09d8271ebbe7c9145b5782cff7c6f5c0d66e5b68255019179177d00d8f12a201f67353e7c9d3cbf36eb9351b3b3ceb32dba47e56e37"
|
|
2074
2164
|
}
|
|
2075
2165
|
]
|
|
2076
2166
|
},
|
|
@@ -3056,11 +3146,11 @@
|
|
|
3056
3146
|
"hashes": [
|
|
3057
3147
|
{
|
|
3058
3148
|
"alg": "SHA-256",
|
|
3059
|
-
"content": "
|
|
3149
|
+
"content": "eadeff28bc343c7f7c270a6bc1a7593449cd1d238e49e4e3f74817d07b91de9a"
|
|
3060
3150
|
},
|
|
3061
3151
|
{
|
|
3062
3152
|
"alg": "SHA3-512",
|
|
3063
|
-
"content": "
|
|
3153
|
+
"content": "920540ecd16f41814cf345ebfe505093efb1501c58aa81cd3dfb58237ac2d25264b6c33331d0989d22944df2edbcfa1d656bb177ab5af98d928f3838e954a5ae"
|
|
3064
3154
|
}
|
|
3065
3155
|
]
|
|
3066
3156
|
},
|
|
@@ -58,6 +58,14 @@ function main() {
|
|
|
58
58
|
try {
|
|
59
59
|
collectorFiles = fs.readdirSync(COLLECTOR_DIR)
|
|
60
60
|
.filter(f => f.endsWith(".js"))
|
|
61
|
+
// A collector is a module exporting a collect() function. Shared
|
|
62
|
+
// helpers under lib/collectors/ (e.g. scan-excludes.js, the directory-
|
|
63
|
+
// walk exclusion policy) are not collectors and must not inflate the
|
|
64
|
+
// count or be required in the AGENTS.md enumeration.
|
|
65
|
+
.filter(f => {
|
|
66
|
+
try { return typeof require(path.join(COLLECTOR_DIR, f)).collect === "function"; }
|
|
67
|
+
catch { return false; }
|
|
68
|
+
})
|
|
61
69
|
.map(f => `lib/collectors/${f}`)
|
|
62
70
|
.sort();
|
|
63
71
|
} catch (e) {
|
|
@@ -112,6 +112,27 @@ function extractNvdCvss(nvdJson) {
|
|
|
112
112
|
};
|
|
113
113
|
}
|
|
114
114
|
|
|
115
|
+
// NVD carries the authoritative assignment lifecycle in `vulnStatus`
|
|
116
|
+
// ("Rejected", "Disputed", "Analyzed", "Awaiting Analysis", "Modified", …)
|
|
117
|
+
// and dispute/quality flags in `cveTags[].tags` (e.g. "disputed",
|
|
118
|
+
// "unsupported-when-assigned"). Both live on the same vuln object the CVSS
|
|
119
|
+
// extractor already reads — surfacing them is what lets exceptd answer
|
|
120
|
+
// "is this CVE rejected/disputed?" instead of leaving an agent to look it up.
|
|
121
|
+
function extractNvdStatus(nvdJson) {
|
|
122
|
+
const vuln = nvdJson?.vulnerabilities?.[0]?.cve;
|
|
123
|
+
if (!vuln) return { vulnStatus: null, tags: [] };
|
|
124
|
+
const tags = [];
|
|
125
|
+
for (const ct of (Array.isArray(vuln.cveTags) ? vuln.cveTags : [])) {
|
|
126
|
+
for (const t of (Array.isArray(ct?.tags) ? ct.tags : [])) {
|
|
127
|
+
if (typeof t === 'string') tags.push(t);
|
|
128
|
+
}
|
|
129
|
+
}
|
|
130
|
+
return {
|
|
131
|
+
vulnStatus: typeof vuln.vulnStatus === 'string' ? vuln.vulnStatus : null,
|
|
132
|
+
tags,
|
|
133
|
+
};
|
|
134
|
+
}
|
|
135
|
+
|
|
115
136
|
function pushDiscrepancy(list, field, local, fetched, severity = 'warning') {
|
|
116
137
|
list.push({ field, local, fetched, severity });
|
|
117
138
|
}
|
|
@@ -153,6 +174,9 @@ async function validateCve(cveId, localEntry) {
|
|
|
153
174
|
in_kev: null,
|
|
154
175
|
kev_date: null,
|
|
155
176
|
epss: null,
|
|
177
|
+
nvd_vuln_status: null, // NVD's authoritative status string, e.g. "Rejected"
|
|
178
|
+
cve_tags: [], // NVD cveTags, e.g. ["disputed"]
|
|
179
|
+
description: null, // NVD English description — the product/scope claim a citation must match
|
|
156
180
|
sources: { nvd: null, kev: null, epss: null },
|
|
157
181
|
};
|
|
158
182
|
const discrepancies = [];
|
|
@@ -175,6 +199,12 @@ async function validateCve(cveId, localEntry) {
|
|
|
175
199
|
fetched.sources.nvd = { reachable: true, found: false };
|
|
176
200
|
} else {
|
|
177
201
|
cveFoundInNvd = true;
|
|
202
|
+
const st = extractNvdStatus(nvdResult.json);
|
|
203
|
+
fetched.nvd_vuln_status = st.vulnStatus;
|
|
204
|
+
fetched.cve_tags = st.tags;
|
|
205
|
+
const vuln = nvdResult.json?.vulnerabilities?.[0]?.cve;
|
|
206
|
+
const enDesc = (Array.isArray(vuln?.descriptions) ? vuln.descriptions : []).find(d => d?.lang === "en");
|
|
207
|
+
fetched.description = (enDesc && typeof enDesc.value === "string") ? enDesc.value : null;
|
|
178
208
|
const cvss = extractNvdCvss(nvdResult.json);
|
|
179
209
|
if (cvss) {
|
|
180
210
|
fetched.cvss_score = cvss.score;
|
|
@@ -224,6 +254,21 @@ async function validateCve(cveId, localEntry) {
|
|
|
224
254
|
return { cve_id: cveId, status: 'missing', discrepancies, fetched, local, drift };
|
|
225
255
|
}
|
|
226
256
|
|
|
257
|
+
// --- Rejected / disputed short-circuit ---
|
|
258
|
+
// A MITRE/NVD-REJECTED record still returns totalResults:1, so without this
|
|
259
|
+
// a rejected CVE would fall through and be CVSS-drift-checked as if valid.
|
|
260
|
+
// Surface it as its own status — this is the signal that catches a cited
|
|
261
|
+
// CVE that was withdrawn after assignment (the class an agent otherwise has
|
|
262
|
+
// to confirm by hand against NVD).
|
|
263
|
+
if (cveFoundInNvd && /^rejected$/i.test(fetched.nvd_vuln_status || '')) {
|
|
264
|
+
return { cve_id: cveId, status: 'rejected', discrepancies, fetched, local, drift };
|
|
265
|
+
}
|
|
266
|
+
const disputed = (fetched.cve_tags || []).some(t => /disputed/i.test(t)) ||
|
|
267
|
+
/disputed/i.test(fetched.nvd_vuln_status || '');
|
|
268
|
+
if (cveFoundInNvd && disputed) {
|
|
269
|
+
pushDiscrepancy(discrepancies, 'cve_status', local?.status ?? null, 'disputed', 'high');
|
|
270
|
+
}
|
|
271
|
+
|
|
227
272
|
// --- Compare CVSS (only if NVD reachable & has data) ---
|
|
228
273
|
if (cveFoundInNvd && fetched.cvss_score !== null && local.cvss_score !== null) {
|
|
229
274
|
if (Math.abs(fetched.cvss_score - local.cvss_score) > 0.05) {
|
|
@@ -274,4 +319,4 @@ async function validateCve(cveId, localEntry) {
|
|
|
274
319
|
return { cve_id: cveId, status, discrepancies, fetched, local, drift };
|
|
275
320
|
}
|
|
276
321
|
|
|
277
|
-
module.exports = { validateCve, getKevCache, resetKevCache };
|
|
322
|
+
module.exports = { validateCve, getKevCache, resetKevCache, extractNvdStatus };
|