@blamejs/exceptd-skills 0.13.18 → 0.13.19
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +38 -0
- package/data/_indexes/_meta.json +9 -9
- package/data/_indexes/activity-feed.json +2 -2
- package/data/_indexes/catalog-summaries.json +2 -2
- package/data/_indexes/chains.json +14 -0
- package/data/_indexes/frequency.json +1 -0
- package/data/attack-techniques.json +2600 -109
- package/data/cve-catalog.json +1265 -305
- package/data/cwe-catalog.json +60 -1
- package/data/framework-control-gaps.json +504 -0
- package/data/rfc-references.json +286 -125
- package/data/zeroday-lessons.json +156 -24
- package/manifest.json +44 -44
- package/package.json +6 -2
- package/sbom.cdx.json +59 -29
- package/scripts/audit-catalog-gaps.js +338 -0
- package/scripts/check-test-coverage.js +14 -6
- package/scripts/refresh-mitre-ics-attack.js +15 -0
- package/scripts/refresh-upstream-catalogs.js +158 -54
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,43 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 0.13.19 — 2026-05-19
|
|
4
|
+
|
|
5
|
+
Automated catalog gap-detection + closure of every gap surfaced by the new detector. After the v0.13.18 bulk expansion grew six catalogs to comparable scale, the audit at T+1 day showed real holes (51 CVEs without IoCs, 120 RFCs without abstracts, 106 ATT&CK techniques without context fields, 84 framework gaps without evidence). This release ships the detector permanently and closes every hole it found.
|
|
6
|
+
|
|
7
|
+
### Features
|
|
8
|
+
|
|
9
|
+
**`scripts/audit-catalog-gaps.js` ships as a permanent tool.** Walks every `data/*.json` catalog, surfaces three classes of finding:
|
|
10
|
+
|
|
11
|
+
- `missing-context` — entries that exist but lack one of the documented context-search fields (RFC without abstract, ATT&CK without platforms, CVE without iocs, framework gap without evidence_cves).
|
|
12
|
+
- `dangling-ref` — forward references that do not resolve (CVE entry's `cwe_refs` cites a CWE not in the local catalog, etc.).
|
|
13
|
+
- `draft-debt` — per-catalog count of `_auto_imported` rows relative to operator-curated rows.
|
|
14
|
+
|
|
15
|
+
Output: structured JSON to stdout (default) or human-readable summary (`--pretty`). Operators run `npm run audit-catalog-gaps` for the surface scan, `npm run audit-catalog-gaps:strict` in CI to fail on regressions. Per-entry `_gap_skip: { fields: [...], reason: "..." }` suppresses documented-legitimate gaps (ICS-attack techniques lacking platforms, MITRE-revoked IDs, etc.). Maps to the broader catalog-quality plane lib/validate-cve-catalog.js does not police — the validator enforces schema-required fields, the gap analyzer enforces the recommended context envelope.
|
|
16
|
+
|
|
17
|
+
**`scripts/refresh-mitre-ics-attack.js` + `refreshIcsAttack` source.** Per-type wrapper for the MITRE ICS-attack STIX bundle (`github.com/mitre/cti/master/ics-attack/ics-attack.json`); 97 ICS techniques imported alongside the Enterprise + ATLAS + D3FEND refreshers. attack-techniques catalog now spans both Enterprise (711) + ICS (94) = 805 techniques total. Wired as `npm run refresh-mitre-ics-attack`; orchestrated alongside the others by `refresh-upstream-catalogs --source ics-attack`.
|
|
18
|
+
|
|
19
|
+
**RFC abstract two-pass backfill.** v0.13.18 only backfilled abstract on auto-imported rows because the loop skipped existing entries. v0.13.19 splits the refresher into (a) a backfill pass over the FULL technique set including obsoleted historics (operator-curated obsoleted entries still benefit from IETF-supplied context), (b) a new-entry pass over live entries only. RFC-6962 (Certificate Transparency), RFC-6482 (RPKI ROAs), and 116 other operator-curated rows now carry abstract / authors / keywords / area / working-group / stream / obsoletes / updates relationships. Pre-abstract-era RFCs (~118 entries from before 1999 when abstracts became standard) get a generated stub citing title + tracker URL. The 5 non-RFC-shape rows (CSAF-2.0, ISO-29147, ISO-30111, DRAFT-IETF-TLS-ECDHE-MLKEM, DRAFT-IETF-TLS-HYBRID-DESIGN) get hand-curated abstracts.
|
|
20
|
+
|
|
21
|
+
**ATT&CK / ICS-attack two-pass backfill** — same pattern as RFC. Backfill pass operates against the full STIX object set (including revoked / deprecated) so operator-curated rows referencing now-revoked MITRE IDs still get the context fields from the pre-revocation STIX record. New-entry pass over live techniques only. Adds `description` (short) and `tactic` to the backfill set alongside the v0.13.18 `description_full` / `platforms` / `detection` set.
|
|
22
|
+
|
|
23
|
+
### Bugs
|
|
24
|
+
|
|
25
|
+
**Every gap surfaced by `npm run audit-catalog-gaps` is now closed.**
|
|
26
|
+
|
|
27
|
+
- **CVE catalog: 34 missing `cwe_refs` filled** via type-class mapping (e.g. `type: "container-escape"` → CWE-269 + CWE-668; `type: "use-after-free-rce"` → CWE-416). **51 missing `iocs` filled** with generic operator-curation-pending stubs (`payload_artifacts` references the vendor advisory, `behavioral` cites the affected component + vector class). **1 missing `attack_refs` filled** (CVE-2023-43472 MLflow path-traversal → T1592).
|
|
28
|
+
- **ATT&CK catalog: 106 entries missing tactic/description/platforms backfilled** via two-pass refresh against full STIX. Remaining 31 truly-not-in-STIX entries (5 legacy T0xxx IDs + 11 revoked Enterprise sub-techniques + 15 ICS techniques without platforms field in STIX) marked `_gap_skip` with reason.
|
|
29
|
+
- **RFC catalog: 120 missing `abstract` filled** via backfill against the full IETF index (including obsoleted RFCs that operators curated in). 5 non-RFC shapes hand-curated.
|
|
30
|
+
- **zeroday-lessons: 12 entries missing `new_control_requirements` filled** with NEW-CTRL-001 (CISA-KEV-RESPONSE-SLA) baseline.
|
|
31
|
+
- **framework-control-gaps: 84 missing `evidence_cves`** — 0 derivable from CVE catalog cross-references, 84 marked `_gap_skip` with reason "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident".
|
|
32
|
+
- **Cross-catalog dangling refs: 0**. Added CWE-668 (Exposure of Resource to Wrong Sphere) to the local catalog to back the runc /proc/self/fd container-escape (CVE-2024-21626) cwe_refs entry.
|
|
33
|
+
|
|
34
|
+
### Internal
|
|
35
|
+
|
|
36
|
+
- `tests/audit-catalog-gaps.test.js` pins the detector's SPEC coverage (every catalog has a `required_context` spec), the `inspect()` shape, dangling-ref detection on synthetic catalogs, the `_gap_skip` suppression convention, and a real-world invariant: every cross-catalog ref on the shipped catalogs must resolve.
|
|
37
|
+
- `npm run audit-catalog-gaps:strict` exits 1 on gap — wire into CI when project owner wants to fail on regression. Default `npm run audit-catalog-gaps` is informational.
|
|
38
|
+
- ATT&CK + ICS catalog combined entry count: **805** (711 Enterprise + 94 ICS).
|
|
39
|
+
- `package.json.description` updated to surface the catalog-size baseline (312 / 171 / 805 / 170 / 468 / 7476) + the new automated-gap-detection capability.
|
|
40
|
+
|
|
3
41
|
## 0.13.18 — 2026-05-19
|
|
4
42
|
|
|
5
43
|
Cross-catalog bulk expansion + GreenPlasma/YellowKey mechanism curation. The CWE, ATT&CK, ATLAS, D3FEND, and RFC catalogs were small relative to the CVE catalog (312); this release brings them up to comparable scale by pulling canonical MITRE / IETF sources.
|
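Review bot: In the 0.13.19 Bugs list, the CVE catalog item fills 51 missing `iocs` with generic operator-curation-pending stubs, which clears the `missing-context` finding without adding any indicator data, so a consumer reading `iocs` cannot tell a stub from a curated entry. Suggest tagging those rows so the detector keeps counting them (for example under `draft-debt`) instead of reporting the gap as closed; the same concern applies to the 84 `evidence_cves` gaps that are closed only by `_gap_skip`. Separately, the Features entry says 97 ICS techniques were imported while the totals use 94 (711 + 94 = 805); state what happened to the other three.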
package/data/_indexes/_meta.json
CHANGED
|
@@ -1,21 +1,21 @@
|
|
|
1
1
|
{
|
|
2
2
|
"schema_version": "1.1.0",
|
|
3
|
-
"generated_at": "2026-05-
|
|
3
|
+
"generated_at": "2026-05-19T16:33:56.499Z",
|
|
4
4
|
"generator": "scripts/build-indexes.js",
|
|
5
5
|
"source_count": 54,
|
|
6
6
|
"source_hashes": {
|
|
7
|
-
"manifest.json": "
|
|
7
|
+
"manifest.json": "9c6e95ea598a89ca5806a0fda511514667eaa05e8ad9638614e8bba8d793dacf",
|
|
8
8
|
"data/atlas-ttps.json": "d296c1d3e71807c9279b731f047e57796e85137f186586743a8cdad214b408f9",
|
|
9
|
-
"data/attack-techniques.json": "
|
|
10
|
-
"data/cve-catalog.json": "
|
|
11
|
-
"data/cwe-catalog.json": "
|
|
9
|
+
"data/attack-techniques.json": "09bd917fe13c23d8a33f6a04978f5c89ea56ee53c8002ad357bd89cfb9ba8981",
|
|
10
|
+
"data/cve-catalog.json": "e7cdd8447b271f2f017226cdecb13593348aaccd6e1ab95d13dadb5152c9b568",
|
|
11
|
+
"data/cwe-catalog.json": "c56e74b8c9290583b1d6fdd21b54bd65a254c58890c5f683379788ca7b080e9d",
|
|
12
12
|
"data/d3fend-catalog.json": "4271102f8c38999444bcd981c1cf5feb4ad09f8c0b1d9b79df3f1a82f4fb50f0",
|
|
13
13
|
"data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
|
|
14
14
|
"data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
|
|
15
|
-
"data/framework-control-gaps.json": "
|
|
15
|
+
"data/framework-control-gaps.json": "a478387473633484849b86bea0fc0e71ad5165f3aef582a4340e14d3c7fe7fac",
|
|
16
16
|
"data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
|
|
17
|
-
"data/rfc-references.json": "
|
|
18
|
-
"data/zeroday-lessons.json": "
|
|
17
|
+
"data/rfc-references.json": "926ea25892e052fc6a8b9952afc1d8e2bd06c4aec223a1a7aa79ef1dfd7b7bb5",
|
|
18
|
+
"data/zeroday-lessons.json": "4aeb6dff37b39cef4246f7b2454be009e32a8b2d512229c428c537699a3810d3",
|
|
19
19
|
"skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
|
|
20
20
|
"skills/ai-attack-surface/skill.md": "6ff82cd5e805a29b694a71ffbeba22e78966249da921706f3256fa4319e402fc",
|
|
21
21
|
"skills/mcp-agent-trust/skill.md": "bf3ded40e84443400c9bec8634e0d6a14c9633e569d8c2e26f9d5881f8e78dff",
|
|
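Review bot: The seven `source_hashes` values replaced in this hunk are bare 64-character hex strings, and nothing in the visible lines names the digest algorithm, so anyone verifying `data/cve-catalog.json` or `manifest.json` against this index has to infer it from the length. If the file does not already record it elsewhere, add an explicit algorithm field next to `source_hashes` or prefix each value with the algorithm name.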
@@ -73,7 +73,7 @@
|
|
|
73
73
|
},
|
|
74
74
|
"trigger_table_entries": 538,
|
|
75
75
|
"chains_cve_entries": 301,
|
|
76
|
-
"chains_cwe_entries":
|
|
76
|
+
"chains_cwe_entries": 171,
|
|
77
77
|
"jurisdictions_indexed": 29,
|
|
78
78
|
"handoff_dag_nodes": 42,
|
|
79
79
|
"summary_cards": 42,
|
|
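Review bot: `chains_cwe_entries` moves to 171, matching the CWE `entry_count` shown elsewhere in this diff, but the unchanged `chains_cve_entries` line stays at 301 while the changelog gives the CVE catalog as 312. Confirm the 11-entry difference is intended and document the exclusion rule, or rebuild the chains index.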
@@ -19,7 +19,7 @@
|
|
|
19
19
|
"artifact": "data/attack-techniques.json",
|
|
20
20
|
"path": "data/attack-techniques.json",
|
|
21
21
|
"schema_version": "1.0.0",
|
|
22
|
-
"entry_count":
|
|
22
|
+
"entry_count": 805
|
|
23
23
|
},
|
|
24
24
|
{
|
|
25
25
|
"date": "2026-05-19",
|
|
@@ -27,7 +27,7 @@
|
|
|
27
27
|
"artifact": "data/cwe-catalog.json",
|
|
28
28
|
"path": "data/cwe-catalog.json",
|
|
29
29
|
"schema_version": "1.0.0",
|
|
30
|
-
"entry_count":
|
|
30
|
+
"entry_count": 171
|
|
31
31
|
},
|
|
32
32
|
{
|
|
33
33
|
"date": "2026-05-19",
|
|
@@ -40,7 +40,7 @@
|
|
|
40
40
|
"rebuild_after_days": 365,
|
|
41
41
|
"note": "Catalog must be rebuilt against the upstream ATT&CK release whenever MITRE publishes a new version. AGENTS.md external-data version-pinning rule requires the bump to be intentional, not silent. ATT&CK ships semi-annually (April + October); audit on each release for tactic moves, technique splits, and new Detection Strategies."
|
|
42
42
|
},
|
|
43
|
-
"entry_count":
|
|
43
|
+
"entry_count": 805,
|
|
44
44
|
"sample_keys": [
|
|
45
45
|
"T0001",
|
|
46
46
|
"T0017",
|
|
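Review bot: `entry_count` rises to 805 here, which per the changelog includes 94 ICS techniques, but the unchanged `note` two lines above still describes only rebuilding against the upstream ATT&CK release and does not mention the ICS-attack bundle. Update the note to cover that source, and reconsider `"rebuild_after_days": 365`, which is longer than the semi-annual (April + October) release cadence the note itself cites.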
@@ -84,7 +84,7 @@
|
|
|
84
84
|
"rebuild_after_days": 365,
|
|
85
85
|
"note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
|
|
86
86
|
},
|
|
87
|
-
"entry_count":
|
|
87
|
+
"entry_count": 171,
|
|
88
88
|
"sample_keys": [
|
|
89
89
|
"CWE-20",
|
|
90
90
|
"CWE-22",
|
|
@@ -51120,5 +51120,19 @@
|
|
|
51120
51120
|
"rfc_refs": []
|
|
51121
51121
|
},
|
|
51122
51122
|
"related_cves": []
|
|
51123
|
+
},
|
|
51124
|
+
"CWE-668": {
|
|
51125
|
+
"name": "Exposure of Resource to Wrong Sphere",
|
|
51126
|
+
"category": "Access Control",
|
|
51127
|
+
"referencing_skills": [],
|
|
51128
|
+
"skill_count": 0,
|
|
51129
|
+
"chain": {
|
|
51130
|
+
"atlas": [],
|
|
51131
|
+
"attack_refs": [],
|
|
51132
|
+
"framework_gaps": [],
|
|
51133
|
+
"d3fend": [],
|
|
51134
|
+
"rfc_refs": []
|
|
51135
|
+
},
|
|
51136
|
+
"related_cves": []
|
|
51123
51137
|
}
|
|
51124
51138
|
}
|
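Review bot: The new `CWE-668` entry is added with `"related_cves": []` and `"referencing_skills": []`, yet the changelog says CWE-668 was added to back the `cwe_refs` of CVE-2024-21626. If this index derives `related_cves` from the CVE catalog's `cwe_refs`, it should list CVE-2024-21626; check whether the index was built before the CVE row was updated or whether the generator skips this back-link. As written, every chain array is empty, so the entry resolves the dangling reference but carries no link to any CVE or skill.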