@blamejs/exceptd-skills 0.13.19 → 0.13.21
- package/CHANGELOG.md +72 -0
- package/data/_indexes/_meta.json +6 -6
- package/data/attack-techniques.json +2 -3
- package/data/cve-catalog.json +301 -3792
- package/data/framework-control-gaps.json +168 -504
- package/data/zeroday-lessons.json +5 -3029
- package/lib/canonical-eq.js +88 -0
- package/lib/cve-regression-watcher.js +130 -9
- package/lib/gap-detectors.js +555 -0
- package/lib/source-advisories.js +9 -34
- package/lib/version-pins.js +73 -0
- package/lib/xml-tokenizer.js +344 -0
- package/manifest.json +44 -44
- package/package.json +4 -3
- package/sbom.cdx.json +108 -33
- package/scripts/audit-catalog-gaps.js +74 -13
- package/scripts/check-catalog-gap-budget.js +133 -0
- package/scripts/check-test-coverage.js +16 -18
- package/scripts/predeploy.js +14 -0
- package/scripts/refresh-upstream-catalogs.js +13 -0
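--- a/package/scripts/predeploy.js
+++ b/package/scripts/predeploy.js
@@ -193,6 +193,20 @@ const GATES = [
 // shares the integrity-tier framing with manifest-snapshot etc.
 ciJobName: "Data integrity (catalog + manifest snapshot)",
 },
+{
+// v0.13.21: catalog-gap budget gate. Runs the seven extended
+// detection classes added in v0.13.21 (content-quality,
+// temporal-staleness, logical-consistency, cross-ref-completeness,
+// schema-evolution, operator-action-sla, unused-orphan) against
+// the shipped catalog and fails if any class regresses beyond its
+// documented budget. Mirrors the budget enforced by
+// tests/shipped-catalog-integrity.test.js so the regression
+// surfaces in BOTH the gate-summary table AND the test output.
+name: "Catalog-gap budget (v0.13.21 extended detection classes)",
+command: process.execPath,
+args: [path.join(ROOT, "scripts", "check-catalog-gap-budget.js")],
+ciJobName: "Data integrity (catalog + manifest snapshot)",
+},
 ];
 
 function runGate(gate) {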
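Review bot: The comment on new lines 202–204 says this gate mirrors the budget enforced by tests/shipped-catalog-integrity.test.js, but nothing in the entry says where the per-class budget values are defined. If the script and the test each hold their own copy, the two can drift apart and one check would pass a regression the other rejects; neither file is visible in this section, so this needs confirming. I would have both read the budgets from one module and record that in the comment, e.g. `// Budgets are defined once in <budget module> and imported by both this gate and the test.` (`<budget module>` is a placeholder, not a path from the package). The `GATES` array opens above this hunk.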
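--- a/package/scripts/refresh-upstream-catalogs.js
+++ b/package/scripts/refresh-upstream-catalogs.js
@@ -42,6 +42,19 @@ const path = require("path");
 const ROOT = path.join(__dirname, "..");
 const TODAY = new Date().toISOString().slice(0, 10);
 
+// v0.13.20 class-3.11 fix: refreshers read their required-context list
+// from the audit SPEC. Eliminates the parallel hardcoded field arrays
+// that v0.13.17→19 carried (and forgot to keep in sync — the v0.13.19
+// audit found 106 ATT&CK rows missing `description` + `tactic` because
+// the v0.13.18 backfill list omitted those fields). One source of truth
+// = the audit-catalog-gaps SPEC.
+const AUDIT_SPEC = require("./audit-catalog-gaps.js").SPEC;
+function specRequiredFields(catalogKey) {
+const spec = AUDIT_SPEC[catalogKey];
+if (!spec || !Array.isArray(spec.required_context)) return [];
+return spec.required_context.map((r) => r.field);
+}
+
 function fetchUrl(url) {
 return new Promise((resolve, reject) => {
 https.get(url, { headers: { "User-Agent": "exceptd-refresh-upstream-catalogs" } }, (r) => {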
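Review bot: `specRequiredFields` returns `[]` when `catalogKey` is not in `AUDIT_SPEC` or its `required_context` is not an array, so a mistyped or renamed key makes a refresher treat no field as required and skip the backfill without any error, which is the same silent omission the comment above it describes. A data-integrity helper should fail closed here: `if (!spec || !Array.isArray(spec.required_context)) throw new Error("no required_context in audit SPEC for " + catalogKey);`. The callers are outside this hunk, so check first whether any of them passes a key that legitimately has no required fields. It is also worth confirming that `audit-catalog-gaps.js` does not run its audit as a side effect when it is `require`d at module load.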