@blamejs/exceptd-skills 0.13.19 → 0.13.20

package/scripts/audit-catalog-gaps.js

@@ -133,7 +133,12 @@ const SPEC = {
       { field: "control_name", check: (v) => typeof v === "string" && v.length > 0, label: "control_name" },
       { field: "real_requirement", check: (v) => typeof v === "string" && v.length > 20, label: "real_requirement (>20 chars)" },
       { field: "theater_test", check: (v) => v && typeof v.claim === "string" && typeof v.test === "string", label: "theater_test{claim,test}" },
-      { field: "evidence_cves", check: (v) => Array.isArray(v) && v.length > 0, label: "evidence_cves" }
+      // evidence_cves is required UNLESS the entry declares forward_looking:true.
+      // v0.13.19 used per-entry _gap_skip annotations on 84 framework gaps;
+      // v0.13.20 replaces that with a first-class schema field operators can
+      // see in the JSON. The check honors forward_looking via the entry
+      // parameter — see the SCHEMA_FORWARD_LOOKING block in inspect().
+      { field: "evidence_cves", check: (v, entry) => (entry && entry.forward_looking === true) || (Array.isArray(v) && v.length > 0), label: "evidence_cves (or forward_looking:true)" }
     ],
     refs: []
   },
@@ -175,7 +180,11 @@ function inspect(catalogKey) {
     const skip = e._gap_skip && Array.isArray(e._gap_skip.fields) ? new Set(e._gap_skip.fields) : new Set();
     for (const r of spec.required_context) {
       if (skip.has(r.field)) continue;
-      if (!r.check(e[r.field])) {
+      // Pass the entry as the second argument so per-field checks can
+      // inspect class-level schema flags (forward_looking, etc.). The
+      // legacy check-functions only consumed the value; new ones can
+      // opt into entry-aware evaluation.
+      if (!r.check(e[r.field], e)) {
         report.missing_context.push({ id, field: r.field, label: r.label });
       }
     }

package/scripts/check-test-coverage.js

@@ -329,6 +329,15 @@ function extractPlaybookIds(content) {
   return { indicators: ind, artifacts: arts };
 }
 
+// Canonical-form recursive equality replaces JSON.stringify comparison.
+// Pre-v0.13.20 the comparator was JSON.stringify(before.iocs) !==
+// JSON.stringify(after.iocs) — non-canonical: key order, trailing
+// whitespace, and numeric format differences all flagged as "changed"
+// when the operator made no semantic change. Symptoms were patched
+// twice with skip rules (_auto_imported, _iocs_stub) instead of fixing
+// the comparator. v0.13.20 fixes the root cause.
+const { canonicalEqual } = require("../lib/canonical-eq");
+
 function extractCveIocChanges(beforeStr, afterStr) {
   const before = safeParse(beforeStr) || {};
   const after = safeParse(afterStr) || {};
@@ -336,27 +345,16 @@ function extractCveIocChanges(beforeStr, afterStr) {
   const ids = new Set([...Object.keys(before), ...Object.keys(after)]);
   for (const id of ids) {
     if (!/^CVE-\d{4}-\d+/.test(id)) continue;
-    // v0.13.18: skip bulk-imported entries. Auto-imported rows carry stub
-    // IoCs by design; their per-entry IoCs are not the operator-curated
-    // surface the diff-coverage gate is designed to police.
+    // v0.13.18 retained skip rule: bulk-imported rows whose IoCs are
+    // stub-by-design on both sides — pure intake-class events, not
+    // operator curation. Removing this would surface every fresh KEV
+    // bulk-import as a per-CVE iocs-modified finding.
     const beforeAuto = !!(before[id] && before[id]._auto_imported);
     const afterAuto  = !!(after[id]  && after[id]._auto_imported);
     if (beforeAuto && afterAuto) continue;
-    // v0.13.19: also skip operator-curated rows whose IoCs are flagged
-    // as stubs (`_iocs_stub: true` — generic placeholder added by the
-    // gap-fix pass when an entry was missing iocs entirely). When an
-    // operator later curates real IoCs the diff-coverage check fires
-    // normally because the curation step removes _iocs_stub.
-    const beforeStub = !!(before[id] && before[id]._iocs_stub);
-    const afterStub  = !!(after[id]  && after[id]._iocs_stub);
-    // Existing entry going stub→curated (afterStub=false, beforeStub=true)
-    // is what we WANT to flag for review. Existing entry going non-stub→
-    // stub or stub→stub or absent→stub are all auto-fill events the
-    // diff-coverage gate should not police.
-    if (afterStub) continue;
-    const b = JSON.stringify((before[id] && before[id].iocs) || null);
-    const a = JSON.stringify((after[id] && after[id].iocs) || null);
-    if (b !== a) changed.add(id);
+    const bIocs = (before[id] && before[id].iocs) || null;
+    const aIocs = (after[id]  && after[id].iocs)  || null;
+    if (!canonicalEqual(bIocs, aIocs)) changed.add(id);
   }
   return changed;
 }

package/scripts/refresh-upstream-catalogs.js

@@ -42,6 +42,19 @@ const path = require("path");
 const ROOT = path.join(__dirname, "..");
 const TODAY = new Date().toISOString().slice(0, 10);
 
+// v0.13.20 class-3.11 fix: refreshers read their required-context list
+// from the audit SPEC. Eliminates the parallel hardcoded field arrays
+// that v0.13.17→19 carried (and forgot to keep in sync — the v0.13.19
+// audit found 106 ATT&CK rows missing `description` + `tactic` because
+// the v0.13.18 backfill list omitted those fields). One source of truth
+// = the audit-catalog-gaps SPEC.
+const AUDIT_SPEC = require("./audit-catalog-gaps.js").SPEC;
+function specRequiredFields(catalogKey) {
+  const spec = AUDIT_SPEC[catalogKey];
+  if (!spec || !Array.isArray(spec.required_context)) return [];
+  return spec.required_context.map((r) => r.field);
+}
+
 function fetchUrl(url) {
   return new Promise((resolve, reject) => {
     https.get(url, { headers: { "User-Agent": "exceptd-refresh-upstream-catalogs" } }, (r) => {