@blamejs/exceptd-skills 0.13.16 → 0.13.17

package/lib/cve-regression-watcher.js

@@ -0,0 +1,218 @@
+'use strict';
+
+/**
+ * lib/cve-regression-watcher.js — NEW-CTRL-074 detection method.
+ *
+ * The MiniPlasma class. A researcher republishes a working PoC against a
+ * historical CVE (CVE-2020-17103, originally fixed December 2020) and
+ * demonstrates the fix has been silently reverted or never landed. The
+ * vendor does not issue a new CVE — the original ID is treated as
+ * authoritative. NVD / KEV / OSV feeds will never surface this as a
+ * current threat. Vendor advisory feeds (RHSA, USN, ZDI) won't either.
+ * Vendor security blogs won't unless Microsoft Security Blog elects to
+ * post about it (which, for a re-regression of their own fix, is a
+ * commercial-incentive misalignment).
+ *
+ * What this catches: a poller diff (from lib/source-advisories.js) whose
+ * extracted CVE-IDs include historical IDs (year <= currentYear - 2) that
+ * may be silently regressed against current shipping product. The
+ * detection method is signal-correlation, not source-extension:
+ *
+ *   1. Pull the union of cve_ids extracted from poller diffs in a given run.
+ *   2. Filter to historical IDs (CVE-YYYY-NNN where YYYY <= currentYear - 2).
+ *   3. For each historical hit, check whether the catalog has a parallel
+ *      "*-REREGRESSION-<year>" key whose `aliases[]` references it OR a
+ *      `discovery_attribution_note` that names a researcher republishing
+ *      the historical PoC.
+ *   4. Surface the unmatched historical hits as candidate regressions —
+ *      operators triage and decide whether to (a) create a *-REREGRESSION-
+ *      catalog entry (the MiniPlasma path) or (b) annotate the existing
+ *      historical entry with a re-regression-confirmed flag.
+ *
+ * Output shape:
+ *   {
+ *     candidates: [
+ *       {
+ *         historical_cve: 'CVE-2020-17103',
+ *         surfaced_by: ['bleepingcomputer-security', 'thehackernews'],
+ *         first_seen_titles: ['MiniPlasma — Windows ...', ...],
+ *         existing_regression_key: 'CVE-2020-17103-REREGRESSION-2026' | null,
+ *         action: 'annotate' | 'create-regression-entry' | 'already-covered',
+ *       }
+ *     ],
+ *     historical_id_threshold_year: 2024,
+ *     evaluated_diffs: N,
+ *   }
+ *
+ * Design notes:
+ *
+ * - The threshold (year <= currentYear - 2) is deliberately permissive.
+ *   A re-regression of a 2024 CVE is still a regression. The threshold
+ *   keeps the watcher from firing on every fresh CVE poller diff.
+ * - The watcher is REPORT-ONLY. It does not mutate the catalog. Operators
+ *   route candidates through `exceptd refresh --advisory <CVE-ID> --apply`
+ *   or via manual triage of a new *-REREGRESSION-<year> entry. This
+ *   matches ADVISORIES_SOURCE's conservative-by-default contract.
+ * - The CVE_RE matcher (lib/source-advisories.js) already handles the
+ *   historical-CVE extraction step — the watcher consumes diffs, not raw
+ *   feed bodies. This keeps the watcher decoupled from feed-fetch logic
+ *   so it works in fixture mode, cache mode, and live mode identically.
+ */
+
+const path = require('path');
+const fs = require('fs');
+
+const CVE_ID_RE = /^CVE-((?:19|20)\d{2})-\d{4,7}$/;
+const TODAY = new Date().toISOString().slice(0, 10);
+
+/**
+ * Extract the year from a CVE-YYYY-NNN identifier. Returns null for non-CVE
+ * IDs (e.g. MAL-*, GHSA-*, the HANDLE:* shape from the github-events parser).
+ */
+function cveYear(id) {
+  if (typeof id !== 'string') return null;
+  const m = id.match(CVE_ID_RE);
+  return m ? Number(m[1]) : null;
+}
+
+/**
+ * Find any catalog entry whose `aliases[]` includes the historical CVE-ID
+ * OR whose key derives from it via the *-REREGRESSION-<year> convention.
+ *
+ * Returns the key (e.g. 'CVE-2020-17103-REREGRESSION-2026') or null.
+ */
+function findRegressionEntry(catalog, historicalId) {
+  for (const key of Object.keys(catalog)) {
+    if (key === '_meta') continue;
+    if (key === historicalId) return key;
+    if (key.startsWith(`${historicalId}-REREGRESSION-`)) return key;
+    const entry = catalog[key];
+    if (entry && Array.isArray(entry.aliases) && entry.aliases.includes(historicalId)) {
+      return key;
+    }
+  }
+  return null;
+}
+
+/**
+ * Walk a list of poller diffs (the shape lib/source-advisories.js produces)
+ * and surface historical-CVE-ID references that are NOT yet covered by a
+ * regression entry in the catalog.
+ *
+ * @param {Array<{id: string, source?: string, title?: string, sources?: string[]}>} diffs
+ * @param {Object} catalog — data/cve-catalog.json shape, _meta key tolerated
+ * @param {Object} opts — { now?: Date, threshold_years_ago?: number }
+ * @returns {Object} report — { candidates, historical_id_threshold_year, evaluated_diffs }
+ */
+function findRegressionCandidates(diffs, catalog, opts) {
+  const now = (opts && opts.now) || new Date();
+  const yearsAgo = (opts && typeof opts.threshold_years_ago === 'number') ? opts.threshold_years_ago : 2;
+  const thresholdYear = now.getUTCFullYear() - yearsAgo;
+  const evaluated = Array.isArray(diffs) ? diffs.length : 0;
+
+  // Group historical-CVE refs by id so multi-feed surfacing collapses.
+  const byHistoricalId = new Map();
+  for (const d of (diffs || [])) {
+    if (!d || typeof d.id !== 'string') continue;
+    const year = cveYear(d.id);
+    if (year === null) continue;
+    if (year > thresholdYear) continue;
+    if (!byHistoricalId.has(d.id)) byHistoricalId.set(d.id, { sources: new Set(), titles: [] });
+    const slot = byHistoricalId.get(d.id);
+    if (Array.isArray(d.sources)) {
+      for (const s of d.sources) slot.sources.add(s);
+    } else if (typeof d.source === 'string') {
+      slot.sources.add(d.source);
+    }
+    if (typeof d.title === 'string' && d.title) slot.titles.push(d.title);
+  }
+
+  const candidates = [];
+  for (const [id, slot] of byHistoricalId.entries()) {
+    const existing = findRegressionEntry(catalog, id);
+    let action;
+    if (existing) {
+      // The historical CVE is the catalog key itself — annotate it.
+      if (existing === id) action = 'annotate';
+      // Already covered by a *-REREGRESSION-<year> entry — nothing to do.
+      else action = 'already-covered';
+    } else {
+      action = 'create-regression-entry';
+    }
+    candidates.push({
+      historical_cve: id,
+      surfaced_by: Array.from(slot.sources).sort(),
+      first_seen_titles: slot.titles.slice(0, 5),
+      existing_regression_key: existing,
+      action,
+    });
+  }
+
+  candidates.sort((a, b) => a.historical_cve.localeCompare(b.historical_cve));
+
+  return {
+    candidates,
+    historical_id_threshold_year: thresholdYear,
+    evaluated_diffs: evaluated,
+    generated_at: TODAY,
+    control_ref: 'NEW-CTRL-074',
+  };
+}
+
+/**
+ * Source-style wrapper so the watcher plugs into the refresh pipeline as a
+ * peer of ADVISORIES_SOURCE. fetchDiff() consumes the prior
+ * ADVISORIES_SOURCE.fetchDiff() result via ctx.advisoriesObservations
+ * (preferred — the full extracted-CVE list including IDs already in
+ * catalog, so the annotate verdict can fire on the MiniPlasma class) and
+ * falls back to ctx.advisoriesDiffs when the advisories source ran on a
+ * pre-v0.13.17 build that did not emit observations.
+ *
+ * Chaining is explicit — the watcher does not poll feeds itself.
+ * lib/refresh-external.js#loadCtx wires the prior advisories run output
+ * onto ctx.advisoriesObservations + ctx.advisoriesDiffs so order matters:
+ * advisories must run before cve-regression-watcher in a multi-source
+ * invocation.
+ */
+const REGRESSION_WATCHER_SOURCE = {
+  name: 'cve-regression-watcher',
+  description: 'NEW-CTRL-074 detection method — surfaces poller-diff historical-CVE references that may indicate silent vendor regression (the MiniPlasma class). Report-only; depends on ADVISORIES_SOURCE observations as input.',
+  applies_to: 'data/cve-catalog.json',
+  async fetchDiff(ctx) {
+    // Prefer observations (v0.13.17+ ADVISORIES_SOURCE return shape) over
+    // diffs[] (pre-v0.13.17). observations[] preserves in-catalog CVE
+    // refs which the annotate verdict requires.
+    const input = (ctx && ctx.advisoriesObservations) || (ctx && ctx.advisoriesDiffs) || [];
+    const catalog = (ctx && ctx.cveCatalog) || {};
+    const report = findRegressionCandidates(input, catalog, {});
+    return {
+      status: 'ok',
+      diffs: report.candidates,
+      errors: 0,
+      summary: `cve-regression-watcher: evaluated ${report.evaluated_diffs} poller observations against threshold ${report.historical_id_threshold_year}; ${report.candidates.length} candidate(s) surfaced`,
+      _meta: {
+        control_ref: report.control_ref,
+        threshold_year: report.historical_id_threshold_year,
+        generated_at: report.generated_at,
+        input_field_used: (ctx && ctx.advisoriesObservations) ? 'advisoriesObservations' : 'advisoriesDiffs',
+      },
+    };
+  },
+  // Report-only.
+  applyDiff(_ctx, _diffs) {
+    return {
+      updated: 0,
+      added: 0,
+      drift_updated: 0,
+      errors: [],
+      note: 'REGRESSION_WATCHER_SOURCE is report-only. Candidates are operator-triage input — create a *-REREGRESSION-<year> catalog entry or annotate the historical entry manually.',
+    };
+  },
+};
+
+module.exports = {
+  REGRESSION_WATCHER_SOURCE,
+  findRegressionCandidates,
+  findRegressionEntry,
+  cveYear,
+};

package/lib/refresh-external.js

@@ -643,6 +643,16 @@ const OSV_SOURCE = {
 // (ssh-keysign-pwn) where the existing NVD-based pollers lagged by 3+ days.
 const { ADVISORIES_SOURCE } = require('./source-advisories');
 
+// v0.13.17: REGRESSION_WATCHER_SOURCE is NEW-CTRL-074. Implements the
+// detection method that surfaces poller-diff historical-CVE references as
+// candidate silent-regression cases (the MiniPlasma class — a 2026 PoC
+// drop that re-broke CVE-2020-17103 without any new ID being assigned).
+// Report-only; consumes diffs + extracted-CVE-id list from a prior
+// advisories run (loadCtx populates ctx.advisoriesDiffs +
+// ctx.advisoriesExtractedCveIds when advisories runs alongside the
+// watcher, or operators can chain explicitly via the source registry).
+const { REGRESSION_WATCHER_SOURCE } = require('./cve-regression-watcher');
+
 const ALL_SOURCES = {
   kev: KEV_SOURCE,
   epss: EPSS_SOURCE,
@@ -652,6 +662,7 @@ const ALL_SOURCES = {
   ghsa: GHSA_SOURCE,
   osv: OSV_SOURCE,
   advisories: ADVISORIES_SOURCE,
+  'cve-regression-watcher': REGRESSION_WATCHER_SOURCE,
 };
 
 // --- Cache-mode helpers ------------------------------------------------

package/lib/source-advisories.js

@@ -140,6 +140,40 @@ const FEEDS = [
     kind: 'rss',
     description: 'Embrace the Red (Johann Rehberger) — AI-tool prompt-injection + agentic-AI research. Anchored CVE-2025-53773 (Copilot YOLO mode) and the agentic-IDE host-execution class.',
   },
+  // v0.13.17 additions — closes the "researcher GitHub-release drop +
+  // tech-press writeup" intake gap surfaced by the four Nightmare-Eclipse
+  // catalog entries (MiniPlasma / YellowKey / GreenPlasma / UnDefend).
+  // The 12-feed set polled advisory venues + vendor research blogs but
+  // had no coverage for either (a) named researcher handles whose prior
+  // drops are already in the catalog (BlueHammer / CVE-2026-33825 was in,
+  // four sibling drops were not) nor (b) the canonical tech-press
+  // venues that surface "researcher dropped PoC on GitHub, no advisory
+  // yet" events. The bleepingcomputer-security + thehackernews feeds
+  // close (b); the nightmare-eclipse-github feed closes (a) as the
+  // anchor handle for the v0.13.17 backfill. NEW-CTRL-073 generalises
+  // the handle-tracker control — additional handles get registered as
+  // their drops land in the catalog. See also NEW-CTRL-074 (CVE-
+  // regression-watcher) in lib/cve-regression-watcher.js for the
+  // complementary detection method that catches re-broken historical
+  // CVEs without depending on a new ID being assigned.
+  {
+    name: 'bleepingcomputer-security',
+    url: 'https://www.bleepingcomputer.com/feed/',
+    kind: 'rss',
+    description: 'BleepingComputer security feed — canonical tech-press venue for "researcher dropped PoC on GitHub, no advisory yet" events (BlueHammer / RedSun / UnDefend / MiniPlasma / YellowKey / GreenPlasma anchor cluster). CVE-ID-bearing items extracted via the standard CVE_RE; non-CVE researcher drops surface as named-handle items consumed by NEW-CTRL-073 handle tracker. v0.13.17.',
+  },
+  {
+    name: 'thehackernews',
+    url: 'https://feeds.feedburner.com/TheHackersNews',
+    kind: 'rss',
+    description: 'The Hacker News RSS — canonical tech-press venue for PoC drops + zero-day weaponization writeups. Anchored MiniPlasma 2026-05-14 writeup which the 12-feed set missed. CVE-ID extraction same as bleepingcomputer-security. v0.13.17.',
+  },
+  {
+    name: 'nightmare-eclipse-github',
+    url: 'https://api.github.com/users/Nightmare-Eclipse/events/public',
+    kind: 'github-events',
+    description: 'GitHub public-events feed for the Nightmare-Eclipse / Chaotic Eclipse researcher handle. Anchored the BlueHammer (CVE-2026-33825) + MiniPlasma cluster — the handle is the canonical signal source for unpatched Windows LPE / BitLocker / Defender drops since April 2026. NEW-CTRL-073 handle-tracker class; additional handles registered as their drops land in the catalog. v0.13.17.',
+  },
 ];
 
 // Permissive CVE-ID matcher. The official format is CVE-YYYY-NNNN+ but
@@ -215,6 +249,57 @@ function parseCsafIndex(text) {
   });
 }
 
+/**
+ * GitHub public-events parser — NEW-CTRL-073 researcher-handle tracker.
+ *
+ * Input is the JSON body of `https://api.github.com/users/<handle>/events/public`
+ * (array of event objects). Output flattens each event into a standard
+ * { title, link, published, body, researcher_handle } shape that
+ * extractCveIds() can scan and the diff-deduplicator can route. Events of
+ * interest: PushEvent (release commits), ReleaseEvent (tagged drops),
+ * CreateEvent (tag / branch creation often signals an upcoming drop),
+ * PublicEvent (a private repo flipped public — frequent drop pattern).
+ *
+ * The diff carries `researcher_handle` so callers + tests can assert the
+ * handle-tracker fired even when no CVE ID is present in the commit text
+ * (the MiniPlasma class — drop names a researcher-coined alias rather
+ * than a CVE ID until MITRE / vendor assigns).
+ */
+function parseGitHubEvents(body, feed) {
+  let arr;
+  try {
+    arr = JSON.parse(body);
+  } catch (e) {
+    return [];
+  }
+  if (!Array.isArray(arr)) return [];
+  const handle = (feed.url.match(/users\/([^/]+)\/events/) || [])[1] || null;
+  const out = [];
+  const wanted = new Set(['PushEvent', 'ReleaseEvent', 'CreateEvent', 'PublicEvent']);
+  for (const ev of arr) {
+    if (!ev || typeof ev !== 'object') continue;
+    if (!wanted.has(ev.type)) continue;
+    const repo = (ev.repo && ev.repo.name) || '';
+    const payload = ev.payload || {};
+    let label = '';
+    if (ev.type === 'ReleaseEvent') label = `release ${(payload.release && payload.release.tag_name) || ''} — ${(payload.release && payload.release.name) || ''}`;
+    else if (ev.type === 'PushEvent') label = `push ${payload.ref || ''} ${((payload.commits || []).map(c => c.message).join(' || '))}`;
+    else if (ev.type === 'CreateEvent') label = `create ${payload.ref_type || ''} ${payload.ref || ''} — ${payload.description || ''}`;
+    else if (ev.type === 'PublicEvent') label = 'repository made public';
+    const title = `[${ev.type}] ${repo} — ${label}`.slice(0, 240);
+    out.push({
+      title,
+      link: `https://github.com/${repo}`,
+      published: ev.created_at || '',
+      body: label,
+      researcher_handle: handle,
+      event_type: ev.type,
+      repo_name: repo,
+    });
+  }
+  return out;
+}
+
 /**
  * Fetch a feed body. In fixture / cache modes, read from disk.
  */
@@ -223,7 +308,7 @@ async function fetchFeed(feed, ctx) {
     return { ok: true, body: ctx.fixtures.advisories[feed.name] };
   }
   if (ctx.cacheDir) {
-    const ext = feed.kind === 'csaf-index' ? '.txt' : '.xml';
+    const ext = feed.kind === 'csaf-index' ? '.txt' : feed.kind === 'github-events' ? '.json' : '.xml';
     const p = path.join(ctx.cacheDir, 'advisories', `${feed.name}${ext}`);
     if (!fs.existsSync(p)) return { ok: false, error: `cache miss: ${p}` };
     return { ok: true, body: fs.readFileSync(p, 'utf8') };
@@ -253,27 +338,61 @@ async function checkFeed(feed, ctx) {
     items = parseCsafIndex(res.body);
     // Flatten cves_from_filename onto cve_ids field uniformly.
     items = items.map((it) => ({ ...it, cve_ids: it.cves_from_filename || [] }));
+  } else if (feed.kind === 'github-events') {
+    items = parseGitHubEvents(res.body, feed);
+    items = items.map((it) => ({ ...it, cve_ids: extractCveIds(`${it.title} ${it.body} ${it.link}`) }));
   } else {
     items = parseRssAtom(res.body);
     items = items.map((it) => ({ ...it, cve_ids: extractCveIds(`${it.title} ${it.body} ${it.link}`) }));
   }
   const diffs = [];
+  // v0.13.17: surface EVERY extracted CVE-ID — including IDs already in
+  // catalog — for NEW-CTRL-074 (cve-regression-watcher) consumption. The
+  // diffs[] array remains filtered to NOT-IN-CATALOG so existing callers
+  // see no behavior change, but a parallel observations[] carries the
+  // full set with the in_catalog flag preserved. The regression watcher
+  // routes historical-CVE references (e.g. CVE-2020-17103) through this
+  // path so its action: "annotate" verdict can fire even when the
+  // historical entry IS a catalog key.
+  const observations = [];
   for (const it of items) {
+    // Standard CVE-ID-bearing diff (every feed kind).
     for (const cveId of it.cve_ids) {
       const inCatalog = !!ctx.cveCatalog[cveId];
+      const baseRecord = {
+        id: cveId,
+        source: feed.name,
+        advisory_url: it.link || feed.url,
+        disclosed_at: it.published || null,
+        title: it.title.slice(0, 200),
+        in_catalog: inCatalog,
+      };
+      observations.push(baseRecord);
       if (!inCatalog) {
-        diffs.push({
-          id: cveId,
-          source: feed.name,
-          advisory_url: it.link || feed.url,
-          disclosed_at: it.published || null,
-          title: it.title.slice(0, 200),
-          in_catalog: false,
-        });
+        diffs.push({ ...baseRecord });
       }
     }
+    // NEW-CTRL-073 — researcher-handle diff. Github-events surfaces drop
+    // activity even when no CVE ID is present yet (the MiniPlasma class:
+    // researcher publishes alias name, vendor advisory + CVE assignment
+    // arrive days / weeks later). The diff carries handle + event_type
+    // so downstream triage can prioritise without waiting for an ID.
+    if (feed.kind === 'github-events' && it.cve_ids.length === 0 && (it.event_type === 'ReleaseEvent' || it.event_type === 'PublicEvent')) {
+      diffs.push({
+        id: `HANDLE:${it.researcher_handle || feed.name}:${it.repo_name || 'unknown'}@${(it.published || '').slice(0, 10)}`,
+        source: feed.name,
+        advisory_url: it.link || feed.url,
+        disclosed_at: it.published || null,
+        title: it.title.slice(0, 200),
+        in_catalog: false,
+        researcher_handle: it.researcher_handle || null,
+        repo_name: it.repo_name || null,
+        event_type: it.event_type,
+        triage_class: 'researcher-handle-drop',
+      });
+    }
   }
-  return { diffs, errors: 0, status: 'ok' };
+  return { diffs, observations, errors: 0, status: 'ok' };
 }
 
 /**
@@ -286,9 +405,11 @@ const ADVISORIES_SOURCE = {
   async fetchDiff(ctx) {
     const results = await Promise.all(FEEDS.map((feed) => checkFeed(feed, ctx)));
     const allDiffs = [];
+    const allObservations = [];
     let unreachable = 0;
     for (const r of results) {
       allDiffs.push(...r.diffs);
+      if (Array.isArray(r.observations)) allObservations.push(...r.observations);
       if (r.status === 'unreachable') unreachable++;
     }
     // Deduplicate by CVE-ID across feeds — multiple advisories for the
@@ -309,14 +430,43 @@ const ADVISORIES_SOURCE = {
       delete d.advisory_url;
       return d;
     });
+    // v0.13.17: observations are the FULL per-feed extraction list,
+    // including in-catalog CVE-IDs. NEW-CTRL-074 cve-regression-watcher
+    // consumes this so an "annotate" verdict can fire on historical IDs
+    // (CVE-2020-17103) that are already keys in the catalog — diffs[]
+    // alone would have filtered them out and broken the watcher's
+    // annotate path. Dedupe + sources[] follow the diffs[] pattern so
+    // downstream consumers see one record per CVE with all observing
+    // feed names listed.
+    const obsByCve = new Map();
+    for (const o of allObservations) {
+      // The github-events handle-drop diffs use a HANDLE:* id shape and
+      // are not CVE observations — skip them.
+      if (!/^CVE-/.test(o.id)) continue;
+      if (!obsByCve.has(o.id)) {
+        obsByCve.set(o.id, {
+          id: o.id,
+          sources: [o.source],
+          advisory_urls: [o.advisory_url],
+          first_title: o.title,
+          in_catalog: o.in_catalog,
+        });
+      } else {
+        const existing = obsByCve.get(o.id);
+        if (!existing.sources.includes(o.source)) existing.sources.push(o.source);
+        if (!existing.advisory_urls.includes(o.advisory_url)) existing.advisory_urls.push(o.advisory_url);
+      }
+    }
+    const observations = Array.from(obsByCve.values());
     const status =
       unreachable === 0 ? 'ok' :
       unreachable === FEEDS.length ? 'unreachable' : 'partial';
     return {
       status,
       diffs,
+      observations,
       errors: unreachable,
-      summary: `${FEEDS.length - unreachable}/${FEEDS.length} feeds reachable; ${diffs.length} new CVE references found across primary advisory sources`,
+      summary: `${FEEDS.length - unreachable}/${FEEDS.length} feeds reachable; ${diffs.length} new CVE references found, ${observations.length} total CVE observations across primary advisory sources`,
     };
   },
   // Report-only: no applyDiff. Operators route promising CVE IDs through
@@ -339,4 +489,5 @@ module.exports = {
   extractCveIds,
   parseRssAtom,
   parseCsafIndex,
+  parseGitHubEvents,
 };