@blamejs/exceptd-skills 0.14.7 → 0.14.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +12 -0
- package/bin/exceptd.js +25 -0
- package/data/_indexes/_meta.json +2 -2
- package/lib/collectors/cicd-pipeline-compromise.js +16 -1
- package/lib/collectors/citation-hygiene.js +14 -1
- package/lib/collectors/containers.js +15 -1
- package/lib/collectors/crypto-codebase.js +17 -1
- package/lib/collectors/library-author.js +16 -1
- package/lib/collectors/sbom.js +12 -0
- package/lib/collectors/scan-excludes.js +0 -0
- package/lib/collectors/secrets.js +36 -1
- package/lib/playbook-runner.js +42 -2
- package/lib/refresh-external.js +28 -2
- package/manifest.json +44 -44
- package/package.json +1 -1
- package/sbom.cdx.json +34 -34
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,17 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 0.14.9 — 2026-05-27
|
|
4
|
+
|
|
5
|
+
`refresh --advisory <id> --air-gap` now refuses (no network) instead of egressing. The `--air-gap` flag was parsed but dropped before the fetch, so an air-gapped advisory seed silently reached GHSA/OSV — an air-gap-guarantee violation. Both the flag and the `EXCEPTD_AIR_GAP=1` env now refuse identically.
|
|
6
|
+
|
|
7
|
+
`--tlp` is wired through. It stamps the emitted bundle's CSAF `document.distribution` marking (TLP 2.0), validates the label against `CLEAR | GREEN | AMBER | AMBER+STRICT | RED`, and is refused on info-only verbs — previously it was accepted but never applied (a silent no-op).
|
|
8
|
+
|
|
9
|
+
`refresh --advisory ""` errors instead of silently running a full refresh, and `refresh --help` now documents refresh's own exit-code scheme — notably that its exit 3 means "draft produced, review pending" (distinct from `exceptd run`'s exit 3, "ran but no evidence"), so scripts should branch on the `ok` field rather than `$?`.
|
|
10
|
+
|
|
11
|
+
## 0.14.8 — 2026-05-27
|
|
12
|
+
|
|
13
|
+
SARIF output now carries file locations. A run's `results[].locations` are populated from per-indicator evidence locations, so a secret or file finding points at the file — and the line, when known — that triggered it instead of shipping location-less, which GitHub code scanning and most SARIF viewers drop or attribute to the repository root. A submission may supply locations directly (`evidence_locations: { "<indicator-id>": ["path", { "uri": "path", "startLine": N }] }`), and the code-scope collectors emit them from their hit data, so `exceptd collect <pb> | exceptd run <pb> --format sarif` produces located findings.
|
|
14
|
+
|
|
3
15
|
## 0.14.7 — 2026-05-27
|
|
4
16
|
|
|
5
17
|
The deprecated-alias help is now honest about behavior. `scan`, `dispatch`, `currency`, `validate-cves`, and `validate-rfcs` still run their original (legacy orchestrator) implementation and emit that older output shape — they are not transparent aliases of the canonical verbs listed as their replacements, and the help no longer implies otherwise.
|
package/bin/exceptd.js
CHANGED
|
@@ -1603,6 +1603,31 @@ function dispatchPlaybook(cmd, argv) {
|
|
|
1603
1603
|
runOpts.csafStatus = cs;
|
|
1604
1604
|
}
|
|
1605
1605
|
|
|
1606
|
+
// --tlp stamps the bundle's distribution marking (CSAF document.distribution
|
|
1607
|
+
// TLP). Previously this flag was allowlisted but never wired into runOpts, so
|
|
1608
|
+
// it was a silent no-op; the runner already emits distribution from
|
|
1609
|
+
// runOpts.tlp. Validate against TLP 2.0 labels and refuse on info-only verbs,
|
|
1610
|
+
// matching --csaf-status.
|
|
1611
|
+
if (args.tlp !== undefined) {
|
|
1612
|
+
if (!BUNDLE_FLAG_RELEVANT_VERBS.has(cmd)) {
|
|
1613
|
+
return emitError(
|
|
1614
|
+
`${cmd}: --tlp is irrelevant on this verb (no bundle is assembled). --tlp only applies to verbs that drive phases 5-7: ${[...BUNDLE_FLAG_RELEVANT_VERBS].sort().join(", ")}.`,
|
|
1615
|
+
{ verb: cmd, flag: "tlp", error_class: "irrelevant-flag", accepted_verbs: [...BUNDLE_FLAG_RELEVANT_VERBS].sort() },
|
|
1616
|
+
pretty
|
|
1617
|
+
);
|
|
1618
|
+
}
|
|
1619
|
+
const tlp = typeof args.tlp === "string" ? args.tlp.toUpperCase() : args.tlp;
|
|
1620
|
+
const allowedTlp = ["CLEAR", "GREEN", "AMBER", "AMBER+STRICT", "RED"];
|
|
1621
|
+
if (typeof tlp !== "string" || !allowedTlp.includes(tlp)) {
|
|
1622
|
+
return emitError(
|
|
1623
|
+
`${cmd}: --tlp must be one of ${JSON.stringify(allowedTlp)} (TLP 2.0). Got: ${JSON.stringify(String(args.tlp)).slice(0, 40)}`,
|
|
1624
|
+
{ verb: cmd, flag: "tlp", provided: args.tlp },
|
|
1625
|
+
pretty
|
|
1626
|
+
);
|
|
1627
|
+
}
|
|
1628
|
+
runOpts.tlp = tlp;
|
|
1629
|
+
}
|
|
1630
|
+
|
|
1606
1631
|
// --bundle-deterministic + --bundle-epoch (v0.12.27): opt-in deterministic
|
|
1607
1632
|
// bundle emit. When set, CSAF / OpenVEX / close-envelope timestamps freeze
|
|
1608
1633
|
// to the supplied epoch (or the playbook's last_threat_review fallback),
|
package/data/_indexes/_meta.json
CHANGED
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
{
|
|
2
2
|
"schema_version": "1.1.0",
|
|
3
|
-
"generated_at": "2026-05-
|
|
3
|
+
"generated_at": "2026-05-27T18:39:39.915Z",
|
|
4
4
|
"generator": "scripts/build-indexes.js",
|
|
5
5
|
"source_count": 54,
|
|
6
6
|
"source_hashes": {
|
|
7
|
-
"manifest.json": "
|
|
7
|
+
"manifest.json": "9b1abf00a40118b264552a1897b4d1857e831d33e929a5179a1bf83348e04999",
|
|
8
8
|
"data/atlas-ttps.json": "d24bc02859d40ccf1615db75cca68c077585904e41e0d8f6de448121e9b1abb0",
|
|
9
9
|
"data/attack-techniques.json": "fa193f0d2d248176a8beddb641e9fe56ba4faa9e15dc253ff876dbf0c5d58a77",
|
|
10
10
|
"data/cve-catalog.json": "3d451dda7ac0c7d57a4075ae4bafd3148c6184b35dc1bc59d8b81d1f2641e430",
|
|
@@ -21,7 +21,7 @@
|
|
|
21
21
|
|
|
22
22
|
const fs = require("node:fs");
|
|
23
23
|
const path = require("node:path");
|
|
24
|
-
const { isLinkedWorktreeDir } = require("./scan-excludes");
|
|
24
|
+
const { isLinkedWorktreeDir, buildEvidenceLocations } = require("./scan-excludes");
|
|
25
25
|
|
|
26
26
|
const COLLECTOR_ID = "cicd-pipeline-compromise";
|
|
27
27
|
|
|
@@ -294,6 +294,20 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
|
|
|
294
294
|
"wildcarded-oidc-sub-claim": oidcWildcards.length > 0 ? "hit" : "miss",
|
|
295
295
|
};
|
|
296
296
|
|
|
297
|
+
// Per-indicator file locations for every indicator flipped to "hit", so a
|
|
298
|
+
// SARIF result points at the workflow YAML (or OIDC trust JSON) that
|
|
299
|
+
// triggered it. Line-scanned indicators (workflow-injection-sink,
|
|
300
|
+
// actions-floating-tag-pin) carry a real line; the trigger-shape and
|
|
301
|
+
// OIDC-wildcard indicators record the file only and surface as file-level.
|
|
302
|
+
const evidence_locations = {};
|
|
303
|
+
const evidenceSources = { ...aggregateHits, "wildcarded-oidc-sub-claim": oidcWildcards };
|
|
304
|
+
for (const [id, list] of Object.entries(evidenceSources)) {
|
|
305
|
+
if (signal_overrides[id] === "hit") {
|
|
306
|
+
const locs = buildEvidenceLocations(list);
|
|
307
|
+
if (locs.length) evidence_locations[id] = locs;
|
|
308
|
+
}
|
|
309
|
+
}
|
|
310
|
+
|
|
297
311
|
const artifacts = {
|
|
298
312
|
"workflow-yaml-inventory": {
|
|
299
313
|
value: workflows.length ? workflows.map(w => w.rel).join(", ") : "no workflow files found at cwd",
|
|
@@ -348,6 +362,7 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
|
|
|
348
362
|
},
|
|
349
363
|
artifacts,
|
|
350
364
|
signal_overrides,
|
|
365
|
+
...(Object.keys(evidence_locations).length ? { evidence_locations } : {}),
|
|
351
366
|
collector_meta: {
|
|
352
367
|
collector_id: COLLECTOR_ID,
|
|
353
368
|
collector_version: "2026-05-21",
|
|
@@ -30,7 +30,7 @@
|
|
|
30
30
|
const fs = require("node:fs");
|
|
31
31
|
const path = require("node:path");
|
|
32
32
|
|
|
33
|
-
const { codeExcludeSet, isLinkedWorktreeDir } = require("./scan-excludes");
|
|
33
|
+
const { codeExcludeSet, isLinkedWorktreeDir, buildEvidenceLocations } = require("./scan-excludes");
|
|
34
34
|
|
|
35
35
|
const COLLECTOR_ID = "citation-hygiene";
|
|
36
36
|
|
|
@@ -447,12 +447,25 @@ function collect({ cwd = process.cwd() } = {}) {
|
|
|
447
447
|
},
|
|
448
448
|
};
|
|
449
449
|
|
|
450
|
+
// Per-indicator file locations for the indicators flipped to "hit",
|
|
451
|
+
// so SARIF results point at the source file that carries the bad
|
|
452
|
+
// citation. The hits record the file but not a line, so locations are
|
|
453
|
+
// file-level (no startLine).
|
|
454
|
+
const evidence_locations = {};
|
|
455
|
+
for (const id of Object.keys(hits)) {
|
|
456
|
+
if (signal_overrides[id] === "hit") {
|
|
457
|
+
const locs = buildEvidenceLocations(hits[id]);
|
|
458
|
+
if (locs.length) evidence_locations[id] = locs;
|
|
459
|
+
}
|
|
460
|
+
}
|
|
461
|
+
|
|
450
462
|
return {
|
|
451
463
|
precondition_checks: {
|
|
452
464
|
"repo-cites-security-references": totalCveCitations > 0 || totalRfcCitations > 0,
|
|
453
465
|
},
|
|
454
466
|
artifacts,
|
|
455
467
|
signal_overrides,
|
|
468
|
+
...(Object.keys(evidence_locations).length ? { evidence_locations } : {}),
|
|
456
469
|
// The citations the offline catalog could not confirm. `applyResolution`
|
|
457
470
|
// (opt-in --resolve) consumes this to resolve + flip them; on a plain
|
|
458
471
|
// collect it documents what still needs verification.
|
|
@@ -20,7 +20,7 @@
|
|
|
20
20
|
|
|
21
21
|
const fs = require("node:fs");
|
|
22
22
|
const path = require("node:path");
|
|
23
|
-
const { codeExcludeSet, isLinkedWorktreeDir } = require("./scan-excludes");
|
|
23
|
+
const { codeExcludeSet, isLinkedWorktreeDir, buildEvidenceLocations } = require("./scan-excludes");
|
|
24
24
|
|
|
25
25
|
const COLLECTOR_ID = "containers";
|
|
26
26
|
|
|
@@ -374,6 +374,19 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
|
|
|
374
374
|
signal_overrides[id] = list.length > 0 ? "hit" : "miss";
|
|
375
375
|
}
|
|
376
376
|
|
|
377
|
+
// Per-indicator file locations for every indicator flipped to "hit", so a
|
|
378
|
+
// SARIF result points at the Dockerfile / compose / k8s manifest line that
|
|
379
|
+
// triggered it. Line-scanned hits carry a real line number (emitted as
|
|
380
|
+
// startLine); whole-file hits (e.g. runs-as-root, cluster-admin-binding)
|
|
381
|
+
// record line 0 and surface as file-level locations.
|
|
382
|
+
const evidence_locations = {};
|
|
383
|
+
for (const [id, list] of Object.entries(allHits)) {
|
|
384
|
+
if (signal_overrides[id] === "hit") {
|
|
385
|
+
const locs = buildEvidenceLocations(list);
|
|
386
|
+
if (locs.length) evidence_locations[id] = locs;
|
|
387
|
+
}
|
|
388
|
+
}
|
|
389
|
+
|
|
377
390
|
const summarize = (list, limit = 5) => {
|
|
378
391
|
if (list.length === 0) return "0 hits";
|
|
379
392
|
const sample = list.slice(0, limit).map(h => `${h.file}:${h.line}`).join(", ");
|
|
@@ -415,6 +428,7 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
|
|
|
415
428
|
},
|
|
416
429
|
artifacts,
|
|
417
430
|
signal_overrides,
|
|
431
|
+
...(Object.keys(evidence_locations).length ? { evidence_locations } : {}),
|
|
418
432
|
collector_meta: {
|
|
419
433
|
collector_id: COLLECTOR_ID,
|
|
420
434
|
collector_version: "2026-05-20",
|
|
@@ -16,7 +16,7 @@
|
|
|
16
16
|
|
|
17
17
|
const fs = require("node:fs");
|
|
18
18
|
const path = require("node:path");
|
|
19
|
-
const { codeExcludeSet, isLinkedWorktreeDir } = require("./scan-excludes");
|
|
19
|
+
const { codeExcludeSet, isLinkedWorktreeDir, buildEvidenceLocations } = require("./scan-excludes");
|
|
20
20
|
|
|
21
21
|
const COLLECTOR_ID = "crypto-codebase";
|
|
22
22
|
|
|
@@ -455,12 +455,28 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
|
|
|
455
455
|
},
|
|
456
456
|
};
|
|
457
457
|
|
|
458
|
+
// Per-indicator file locations for the call-site indicators flipped to
|
|
459
|
+
// "hit". The cross-file derived indicators (ecdsa-without-pqc-roadmap,
|
|
460
|
+
// no-ml-kem-implementation, fips-claim-without-runtime-activation,
|
|
461
|
+
// vendored-pqc-no-provenance) describe a whole-repo state rather than a
|
|
462
|
+
// single offending file, so they carry no file-level location. The
|
|
463
|
+
// call-site scans record the file but not a line, so locations are
|
|
464
|
+
// file-level (no startLine).
|
|
465
|
+
const evidence_locations = {};
|
|
466
|
+
for (const id of Object.keys(hits)) {
|
|
467
|
+
if (signal_overrides[id] === "hit") {
|
|
468
|
+
const locs = buildEvidenceLocations(hits[id]);
|
|
469
|
+
if (locs.length) evidence_locations[id] = locs;
|
|
470
|
+
}
|
|
471
|
+
}
|
|
472
|
+
|
|
458
473
|
return {
|
|
459
474
|
precondition_checks: {
|
|
460
475
|
"repo-context": sourceFiles.length > 0,
|
|
461
476
|
},
|
|
462
477
|
artifacts,
|
|
463
478
|
signal_overrides,
|
|
479
|
+
...(Object.keys(evidence_locations).length ? { evidence_locations } : {}),
|
|
464
480
|
collector_meta: {
|
|
465
481
|
collector_id: COLLECTOR_ID,
|
|
466
482
|
collector_version: "2026-05-20",
|
|
@@ -31,7 +31,7 @@
|
|
|
31
31
|
|
|
32
32
|
const fs = require("node:fs");
|
|
33
33
|
const path = require("node:path");
|
|
34
|
-
const { codeExcludeSet, isLinkedWorktreeDir } = require("./scan-excludes");
|
|
34
|
+
const { codeExcludeSet, isLinkedWorktreeDir, buildEvidenceLocations } = require("./scan-excludes");
|
|
35
35
|
|
|
36
36
|
const COLLECTOR_ID = "library-author";
|
|
37
37
|
|
|
@@ -483,6 +483,20 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
|
|
|
483
483
|
signal_overrides["lockfile-missing-integrity"] = lockfileMissingIntegrity;
|
|
484
484
|
}
|
|
485
485
|
|
|
486
|
+
// Per-indicator file locations for the publish-workflow indicators
|
|
487
|
+
// flipped to "hit", so a SARIF result points at the workflow file (and,
|
|
488
|
+
// for mutable action refs, the offending `uses:` line). The other
|
|
489
|
+
// indicators (provenance / sbom / security.md / security.txt / vendor /
|
|
490
|
+
// lockfile) reflect a whole-repo presence-or-absence state with no single
|
|
491
|
+
// offending file, so they carry no file-level location here.
|
|
492
|
+
const evidence_locations = {};
|
|
493
|
+
for (const id of Object.keys(workflowHits)) {
|
|
494
|
+
if (signal_overrides[id] === "hit") {
|
|
495
|
+
const locs = buildEvidenceLocations(workflowHits[id]);
|
|
496
|
+
if (locs.length) evidence_locations[id] = locs;
|
|
497
|
+
}
|
|
498
|
+
}
|
|
499
|
+
|
|
486
500
|
const artifacts = {
|
|
487
501
|
"release-workflows": {
|
|
488
502
|
value: publishWorkflows.length
|
|
@@ -515,6 +529,7 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
|
|
|
515
529
|
},
|
|
516
530
|
artifacts,
|
|
517
531
|
signal_overrides,
|
|
532
|
+
...(Object.keys(evidence_locations).length ? { evidence_locations } : {}),
|
|
518
533
|
collector_meta: {
|
|
519
534
|
collector_id: COLLECTOR_ID,
|
|
520
535
|
collector_version: "2026-05-20",
|
package/lib/collectors/sbom.js
CHANGED
|
@@ -17,6 +17,7 @@
|
|
|
17
17
|
|
|
18
18
|
const fs = require("node:fs");
|
|
19
19
|
const path = require("node:path");
|
|
20
|
+
const { buildEvidenceLocations } = require("./scan-excludes");
|
|
20
21
|
|
|
21
22
|
const COLLECTOR_ID = "sbom";
|
|
22
23
|
|
|
@@ -377,12 +378,23 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
|
|
|
377
378
|
}
|
|
378
379
|
}
|
|
379
380
|
|
|
381
|
+
// Per-indicator file location for the one deterministically-decided
|
|
382
|
+
// indicator: a lockfile-no-integrity hit points at the npm lockfile that
|
|
383
|
+
// carries integrity-less entries. File-level (the gap is spread across
|
|
384
|
+
// many entries, not one line).
|
|
385
|
+
const evidence_locations = {};
|
|
386
|
+
if (signal_overrides["lockfile-no-integrity"] === "hit" && npmLockfile) {
|
|
387
|
+
const locs = buildEvidenceLocations([{ file: npmLockfile.file }]);
|
|
388
|
+
if (locs.length) evidence_locations["lockfile-no-integrity"] = locs;
|
|
389
|
+
}
|
|
390
|
+
|
|
380
391
|
return {
|
|
381
392
|
precondition_checks: {
|
|
382
393
|
"sbom-tool-available": hasAnything,
|
|
383
394
|
},
|
|
384
395
|
artifacts,
|
|
385
396
|
signal_overrides,
|
|
397
|
+
...(Object.keys(evidence_locations).length ? { evidence_locations } : {}),
|
|
386
398
|
collector_meta: {
|
|
387
399
|
collector_id: COLLECTOR_ID,
|
|
388
400
|
collector_version: "2026-05-20",
|
|
Binary file
|
|
@@ -18,7 +18,7 @@
|
|
|
18
18
|
|
|
19
19
|
const fs = require("node:fs");
|
|
20
20
|
const path = require("node:path");
|
|
21
|
-
const { codeExcludeSet, isLinkedWorktreeDir } = require("./scan-excludes");
|
|
21
|
+
const { codeExcludeSet, isLinkedWorktreeDir, buildEvidenceLocations } = require("./scan-excludes");
|
|
22
22
|
|
|
23
23
|
const COLLECTOR_ID = "secrets";
|
|
24
24
|
|
|
@@ -309,6 +309,40 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
|
|
|
309
309
|
const sshKeyPostures = process.platform === "win32" ? [] : sshPrivateKeys.map(f => ({ file: f.rel, ...statPosture(f.full) }));
|
|
310
310
|
signal_overrides["ssh-key-bad-perms"] = sshKeyPostures.some(p => p.error == null && p.mode !== 0o600) ? "hit" : "miss";
|
|
311
311
|
|
|
312
|
+
// Per-indicator file locations for every indicator flipped to "hit", so
|
|
313
|
+
// a SARIF result points at the file carrying the secret / bad posture.
|
|
314
|
+
// Content-regex hits record a byte offset rather than a line, so these
|
|
315
|
+
// are file-level locations (no startLine). The file-presence and
|
|
316
|
+
// posture indicators contribute the carrier file path directly.
|
|
317
|
+
const evidence_locations = {};
|
|
318
|
+
for (const p of INDICATOR_PATTERNS) {
|
|
319
|
+
if (signal_overrides[p.id] === "hit") {
|
|
320
|
+
const locs = buildEvidenceLocations(prodHitsByIndicator[p.id] || []);
|
|
321
|
+
if (locs.length) evidence_locations[p.id] = locs;
|
|
322
|
+
}
|
|
323
|
+
}
|
|
324
|
+
// ssh-private-key-block also fires on private-key file presence — fold in
|
|
325
|
+
// the discovered key files alongside any content-scan hits, de-duplicated.
|
|
326
|
+
if (signal_overrides["ssh-private-key-block"] === "hit") {
|
|
327
|
+
const locs = buildEvidenceLocations([
|
|
328
|
+
...(prodHitsByIndicator["ssh-private-key-block"] || []),
|
|
329
|
+
...prodSshPrivateKeys,
|
|
330
|
+
]);
|
|
331
|
+
if (locs.length) evidence_locations["ssh-private-key-block"] = locs;
|
|
332
|
+
}
|
|
333
|
+
if (signal_overrides["world-writable-env-file"] === "hit") {
|
|
334
|
+
const locs = buildEvidenceLocations(
|
|
335
|
+
envFilePostures.filter(p => p.error == null && (p.mode & 0o022) !== 0),
|
|
336
|
+
);
|
|
337
|
+
if (locs.length) evidence_locations["world-writable-env-file"] = locs;
|
|
338
|
+
}
|
|
339
|
+
if (signal_overrides["ssh-key-bad-perms"] === "hit") {
|
|
340
|
+
const locs = buildEvidenceLocations(
|
|
341
|
+
sshKeyPostures.filter(p => p.error == null && p.mode !== 0o600),
|
|
342
|
+
);
|
|
343
|
+
if (locs.length) evidence_locations["ssh-key-bad-perms"] = locs;
|
|
344
|
+
}
|
|
345
|
+
|
|
312
346
|
const summarizeFiles = (list) => list.map(f => f.rel).join(", ");
|
|
313
347
|
const artifacts = {
|
|
314
348
|
"repo-tree": {
|
|
@@ -355,6 +389,7 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
|
|
|
355
389
|
},
|
|
356
390
|
artifacts,
|
|
357
391
|
signal_overrides,
|
|
392
|
+
...(Object.keys(evidence_locations).length ? { evidence_locations } : {}),
|
|
358
393
|
collector_meta: {
|
|
359
394
|
collector_id: COLLECTOR_ID,
|
|
360
395
|
collector_version: "2026-05-20",
|
package/lib/playbook-runner.js
CHANGED
|
@@ -621,6 +621,14 @@ function detect(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
|
|
|
621
621
|
// on the per-indicator result. See AGENTS.md Hard Rule #6 (compliance
|
|
622
622
|
// theater) and AGENTS.md §"detect (AI)" — a `hit` without its FP checks
|
|
623
623
|
// is not yet a `detected` classification.
|
|
624
|
+
// Optional per-indicator evidence locations the submission supplies
|
|
625
|
+
// (`evidence_locations: { "<indicator-id>": ["path", {uri,startLine}] }`).
|
|
626
|
+
// Threaded onto each firing indicator so the SARIF renderer can populate
|
|
627
|
+
// results[].locations — without this, secret/file findings ship
|
|
628
|
+
// location-less and GitHub code-scanning drops them.
|
|
629
|
+
const _evLocs = (agentSubmission && typeof agentSubmission.evidence_locations === 'object'
|
|
630
|
+
&& agentSubmission.evidence_locations !== null && !Array.isArray(agentSubmission.evidence_locations))
|
|
631
|
+
? agentSubmission.evidence_locations : {};
|
|
624
632
|
const indicatorResults = (det.indicators || []).map(ind => {
|
|
625
633
|
const rawOverride = overrides[ind.id];
|
|
626
634
|
const override = canonicalize(rawOverride);
|
|
@@ -695,10 +703,12 @@ function detect(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
|
|
|
695
703
|
const anyCaptured = Object.values(artifacts).some(a => a && a.captured);
|
|
696
704
|
verdict = anyCaptured ? 'inconclusive' : 'miss';
|
|
697
705
|
}
|
|
706
|
+
const indLocs = (verdict === 'hit' && Array.isArray(_evLocs[ind.id]) && _evLocs[ind.id].length) ? _evLocs[ind.id] : null;
|
|
698
707
|
return {
|
|
699
708
|
id: ind.id, type: ind.type, confidence: ind.confidence,
|
|
700
709
|
deterministic: ind.deterministic, atlas_ref: ind.atlas_ref || null,
|
|
701
710
|
attack_ref: ind.attack_ref || null, verdict,
|
|
711
|
+
...(indLocs ? { evidence_locations: indLocs } : {}),
|
|
702
712
|
...(fpChecksUnsatisfied ? { fp_checks_unsatisfied: fpChecksUnsatisfied } : {})
|
|
703
713
|
};
|
|
704
714
|
});
|
|
@@ -1999,7 +2009,26 @@ function looksLikePath(src) {
|
|
|
1999
2009
|
return false;
|
|
2000
2010
|
}
|
|
2001
2011
|
function sarifLocationsForIndicator(playbook, indicator) {
|
|
2002
|
-
|
|
2012
|
+
// Prefer per-indicator evidence locations the submission supplied (threaded
|
|
2013
|
+
// onto the firing indicator by detect()). Each entry is a path string or
|
|
2014
|
+
// { uri, startLine?, endLine? }. This is what gives SARIF results a real
|
|
2015
|
+
// file location instead of the coarse playbook-source fallback below.
|
|
2016
|
+
const ev = indicator && Array.isArray(indicator.evidence_locations) ? indicator.evidence_locations : null;
|
|
2017
|
+
if (ev && ev.length) {
|
|
2018
|
+
const locs = [];
|
|
2019
|
+
for (const e of ev) {
|
|
2020
|
+
if (typeof e === "string" && e.trim()) {
|
|
2021
|
+
locs.push({ physicalLocation: { artifactLocation: { uri: e.trim() } } });
|
|
2022
|
+
} else if (e && typeof e === "object" && typeof e.uri === "string" && e.uri.trim()) {
|
|
2023
|
+
const pl = { artifactLocation: { uri: e.uri.trim() } };
|
|
2024
|
+
if (Number.isInteger(e.startLine) && e.startLine > 0) {
|
|
2025
|
+
pl.region = { startLine: e.startLine, ...(Number.isInteger(e.endLine) && e.endLine >= e.startLine ? { endLine: e.endLine } : {}) };
|
|
2026
|
+
}
|
|
2027
|
+
locs.push({ physicalLocation: pl });
|
|
2028
|
+
}
|
|
2029
|
+
}
|
|
2030
|
+
if (locs.length) return locs;
|
|
2031
|
+
}
|
|
2003
2032
|
const arts = (playbook.phases?.look?.artifacts) || [];
|
|
2004
2033
|
const candidates = arts
|
|
2005
2034
|
.map(a => a && (a.source || a.air_gap_alternative))
|
|
@@ -2428,8 +2457,15 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
|
|
|
2428
2457
|
// the whole distribution block when no level is declared; the
|
|
2429
2458
|
// pre-fix runner had no surface for this at all.
|
|
2430
2459
|
const allowedTlp = new Set(['CLEAR', 'GREEN', 'AMBER', 'AMBER+STRICT', 'RED']);
|
|
2460
|
+
// CSAF 2.0 §3.2.1.5.2 pins tlp.label to the TLP 1.0 enum
|
|
2461
|
+
// (WHITE/GREEN/AMBER/RED). Map the modern TLP 2.0 labels the CLI accepts
|
|
2462
|
+
// onto that enum so the emitted document stays schema-valid for strict
|
|
2463
|
+
// CSAF 2.0 consumers, while preserving the operator's exact label in the
|
|
2464
|
+
// free-form `text` field. (CLEAR≡WHITE; AMBER+STRICT carries AMBER's
|
|
2465
|
+
// disclosure scope plus a stricter handling note.)
|
|
2466
|
+
const CSAF_TLP_LABEL = { CLEAR: 'WHITE', 'AMBER+STRICT': 'AMBER', GREEN: 'GREEN', AMBER: 'AMBER', RED: 'RED' };
|
|
2431
2467
|
const csafDistribution = (runOpts.tlp && allowedTlp.has(runOpts.tlp))
|
|
2432
|
-
? { tlp: { label: runOpts.tlp }, text: `TLP:${runOpts.tlp}` }
|
|
2468
|
+
? { tlp: { label: CSAF_TLP_LABEL[runOpts.tlp] }, text: `TLP:${runOpts.tlp}` }
|
|
2433
2469
|
: null;
|
|
2434
2470
|
|
|
2435
2471
|
return {
|
|
@@ -2863,6 +2899,10 @@ function normalizeSubmission(submission, playbook) {
|
|
|
2863
2899
|
signal_overrides: { ...(submission.signal_overrides || {}) },
|
|
2864
2900
|
signals: { ...(submission.signals || {}) },
|
|
2865
2901
|
precondition_checks: { ...(submission.precondition_checks || {}) },
|
|
2902
|
+
// Carry per-indicator evidence locations through flat normalization so
|
|
2903
|
+
// detect() can thread them onto firing indicators for SARIF results[].locations.
|
|
2904
|
+
...(submission.evidence_locations && typeof submission.evidence_locations === 'object'
|
|
2905
|
+
? { evidence_locations: submission.evidence_locations } : {}),
|
|
2866
2906
|
_original_shape: 'flat (v0.11.0)',
|
|
2867
2907
|
// normalizeSubmission pushes structured errors (e.g.
|
|
2868
2908
|
// signal_overrides_invalid) onto submission._runErrors above. For flat
|
package/lib/refresh-external.js
CHANGED
|
@@ -200,6 +200,16 @@ Air-gap workflow:
|
|
|
200
200
|
Outputs:
|
|
201
201
|
refresh-report.json (gitignored) — per-source status + every diff
|
|
202
202
|
|
|
203
|
+
Exit codes (refresh's own scheme — distinct from the seven-phase verbs):
|
|
204
|
+
0 applied (or a clean dry-run with no diffs to surface)
|
|
205
|
+
2 error (unknown --source, unreadable fixture, invalid --advisory id, air-gap refusal)
|
|
206
|
+
3 draft produced, editorial review pending (a successful --advisory seed —
|
|
207
|
+
NOT a failure; run --advisory <id> --apply to land it, or curate first)
|
|
208
|
+
4 network/source unreachable
|
|
209
|
+
Note: exit 3 here means "review needed", which differs from \`exceptd run\`'s
|
|
210
|
+
exit 3 ("ran but no evidence"). Script \`refresh --advisory\` on the body's
|
|
211
|
+
\`ok\` field, not on \`$? == 0\`.
|
|
212
|
+
|
|
203
213
|
This module never auto-applies version-pin bumps — those require audit per
|
|
204
214
|
AGENTS.md Hard Rule #12 and are surfaced as report-only findings.
|
|
205
215
|
`);
|
|
@@ -1283,7 +1293,13 @@ async function seedSingleAdvisory(opts) {
|
|
|
1283
1293
|
const sourceName = useOsv ? "osv" : "ghsa";
|
|
1284
1294
|
const fixtureEnv = useOsv ? "EXCEPTD_OSV_FIXTURE" : "EXCEPTD_GHSA_FIXTURE";
|
|
1285
1295
|
|
|
1286
|
-
|
|
1296
|
+
// Thread the air-gap disposition (the --air-gap flag OR EXCEPTD_AIR_GAP=1)
|
|
1297
|
+
// into the fetch. Previously this passed {} and dropped --air-gap, so
|
|
1298
|
+
// `refresh --advisory <id> --air-gap` egressed to the network — an air-gap
|
|
1299
|
+
// violation. Both source modules refuse (no fixture) when airGap is set.
|
|
1300
|
+
const airGap = !!opts.airGap || process.env.EXCEPTD_AIR_GAP === "1";
|
|
1301
|
+
|
|
1302
|
+
let result = await sourceMod.fetchAdvisoryById(id, { airGap });
|
|
1287
1303
|
// F4 (v0.12.11): CVE-* identifiers may have an OSV record before GHSA
|
|
1288
1304
|
// publishes one (CNAs and OSV mirrors operate on different cadences).
|
|
1289
1305
|
// When GHSA returns 404 specifically, retry through OSV's /v1/vulns/{id}
|
|
@@ -1291,7 +1307,7 @@ async function seedSingleAdvisory(opts) {
|
|
|
1291
1307
|
// error message so operators know both sources were tried before failing.
|
|
1292
1308
|
let fallbackSourceUsed = null;
|
|
1293
1309
|
if (!result.ok && !useOsv && /^CVE-/i.test(id) && /HTTP 404/.test(result.error || "")) {
|
|
1294
|
-
const fallback = await osvMod.fetchAdvisoryById(id, {});
|
|
1310
|
+
const fallback = await osvMod.fetchAdvisoryById(id, { airGap });
|
|
1295
1311
|
if (fallback.ok) {
|
|
1296
1312
|
result = fallback;
|
|
1297
1313
|
fallbackSourceUsed = "osv";
|
|
@@ -1410,6 +1426,16 @@ async function main() {
|
|
|
1410
1426
|
// written, please review") so CI pipelines surface the needed editorial
|
|
1411
1427
|
// step. Operator must run `--apply` for the write to land; without it,
|
|
1412
1428
|
// the seed is printed to stdout for review.
|
|
1429
|
+
// An empty --advisory value (`--advisory ""` / `--advisory=`) must error
|
|
1430
|
+
// rather than silently falling through to a full-refresh dry-run.
|
|
1431
|
+
if (opts.advisory === "") {
|
|
1432
|
+
process.stderr.write(JSON.stringify({
|
|
1433
|
+
ok: false,
|
|
1434
|
+
error: "refresh: --advisory requires a non-empty identifier (e.g. CVE-2026-1234, GHSA-xxxx-xxxx-xxxx, MAL-2026-1).",
|
|
1435
|
+
}) + "\n");
|
|
1436
|
+
process.exitCode = 2;
|
|
1437
|
+
return;
|
|
1438
|
+
}
|
|
1413
1439
|
if (opts.advisory) {
|
|
1414
1440
|
return seedSingleAdvisory(opts);
|
|
1415
1441
|
}
|
package/manifest.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "exceptd-security",
|
|
3
|
-
"version": "0.14.
|
|
3
|
+
"version": "0.14.9",
|
|
4
4
|
"description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
|
|
5
5
|
"homepage": "https://exceptd.com",
|
|
6
6
|
"license": "Apache-2.0",
|
|
@@ -53,7 +53,7 @@
|
|
|
53
53
|
],
|
|
54
54
|
"last_threat_review": "2026-05-15",
|
|
55
55
|
"signature": "lXhZgoIrrVloO3XaTvo/43AxZn4mwErstd7DR0O/oVhD3AOGODM4HqrageYEou9WKOdMEGP5mJNTjJsXdP5NDA==",
|
|
56
|
-
"signed_at": "2026-05-
|
|
56
|
+
"signed_at": "2026-05-27T18:29:47.137Z",
|
|
57
57
|
"cwe_refs": [
|
|
58
58
|
"CWE-125",
|
|
59
59
|
"CWE-362",
|
|
@@ -123,7 +123,7 @@
|
|
|
123
123
|
],
|
|
124
124
|
"last_threat_review": "2026-05-17",
|
|
125
125
|
"signature": "ztSKk/zFMFbT12qRcEeBKpydBn7fTT86KxMmor0DTCoKQWk5fJ0fSInfP1XMSB6rFk4/SuSjKVxQRMKVJ5a+Cg==",
|
|
126
|
-
"signed_at": "2026-05-
|
|
126
|
+
"signed_at": "2026-05-27T18:29:47.138Z",
|
|
127
127
|
"cwe_refs": [
|
|
128
128
|
"CWE-1039",
|
|
129
129
|
"CWE-1426",
|
|
@@ -196,7 +196,7 @@
|
|
|
196
196
|
],
|
|
197
197
|
"last_threat_review": "2026-05-17",
|
|
198
198
|
"signature": "K6QdPHNK5c4K5QFjrW0QsUhjp71D7SOisSoulwPNSvKRdi2rY+yg0kdckijBMkLMsVPyUvcC9giu93mKJ1OZDg==",
|
|
199
|
-
"signed_at": "2026-05-
|
|
199
|
+
"signed_at": "2026-05-27T18:29:47.139Z",
|
|
200
200
|
"cwe_refs": [
|
|
201
201
|
"CWE-22",
|
|
202
202
|
"CWE-345",
|
|
@@ -248,7 +248,7 @@
|
|
|
248
248
|
"framework_gaps": [],
|
|
249
249
|
"last_threat_review": "2026-05-22",
|
|
250
250
|
"signature": "Qd3SBWmUAaaT++e1Ry2wBIz/dCBmNBMl0+4Rb0etvJLES0fIBEAkU1mTbgNZnT5XOg9J5twdUpymWtmKnDDQCQ==",
|
|
251
|
-
"signed_at": "2026-05-
|
|
251
|
+
"signed_at": "2026-05-27T18:29:47.139Z"
|
|
252
252
|
},
|
|
253
253
|
{
|
|
254
254
|
"name": "compliance-theater",
|
|
@@ -279,7 +279,7 @@
|
|
|
279
279
|
],
|
|
280
280
|
"last_threat_review": "2026-05-22",
|
|
281
281
|
"signature": "F2Shxae0ua0gPtvwzTRVzzHaIgJcFDRT3/akLUAZ4aaMQhkleKkcTaTpkjp+pTVEdPfLeLGNCeAOMs+whVYOBg==",
|
|
282
|
-
"signed_at": "2026-05-
|
|
282
|
+
"signed_at": "2026-05-27T18:29:47.140Z"
|
|
283
283
|
},
|
|
284
284
|
{
|
|
285
285
|
"name": "exploit-scoring",
|
|
@@ -308,7 +308,7 @@
|
|
|
308
308
|
],
|
|
309
309
|
"last_threat_review": "2026-05-18",
|
|
310
310
|
"signature": "NA1hoQycvQhSUoG5rwlXX0mOVmGxoXRVezkELGEA2nZOdGis4gXkHT3O6Sfw7zxE4JuMrsCb65TEeOWk9WEPDg==",
|
|
311
|
-
"signed_at": "2026-05-
|
|
311
|
+
"signed_at": "2026-05-27T18:29:47.140Z"
|
|
312
312
|
},
|
|
313
313
|
{
|
|
314
314
|
"name": "rag-pipeline-security",
|
|
@@ -345,7 +345,7 @@
|
|
|
345
345
|
],
|
|
346
346
|
"last_threat_review": "2026-05-22",
|
|
347
347
|
"signature": "W3pS8lnaCP96TQzsJpG5d5yv5IwgaQyS4Z2Ctcz5BOJf6LbajSIgeDgTZ4f4Bhr5m4E7KsgWGjZS4x7Fwd33BQ==",
|
|
348
|
-
"signed_at": "2026-05-
|
|
348
|
+
"signed_at": "2026-05-27T18:29:47.141Z",
|
|
349
349
|
"cwe_refs": [
|
|
350
350
|
"CWE-1395",
|
|
351
351
|
"CWE-1426"
|
|
@@ -405,7 +405,7 @@
|
|
|
405
405
|
],
|
|
406
406
|
"last_threat_review": "2026-05-17",
|
|
407
407
|
"signature": "/WDGygh1Ck4yWlBWDGtEUVCqKB8d+UaJXoAoBXujtt+GAl8JbMNpaN1TvI0WkEltQ9dTxaAzSn20/eVDqv8iDQ==",
|
|
408
|
-
"signed_at": "2026-05-
|
|
408
|
+
"signed_at": "2026-05-27T18:29:47.141Z",
|
|
409
409
|
"d3fend_refs": [
|
|
410
410
|
"D3-CA",
|
|
411
411
|
"D3-CSPP",
|
|
@@ -440,7 +440,7 @@
|
|
|
440
440
|
"framework_gaps": [],
|
|
441
441
|
"last_threat_review": "2026-05-22",
|
|
442
442
|
"signature": "za1NKBpy9LC91F/ESO/qhUfmvVr8GNItQOjR5OJLeHm+2dQ9HHiFWQK2eo53V/n/0uhubuggURA3yS6kJuWwBg==",
|
|
443
|
-
"signed_at": "2026-05-
|
|
443
|
+
"signed_at": "2026-05-27T18:29:47.141Z",
|
|
444
444
|
"cwe_refs": [
|
|
445
445
|
"CWE-1188"
|
|
446
446
|
],
|
|
@@ -474,7 +474,7 @@
|
|
|
474
474
|
"framework_gaps": [],
|
|
475
475
|
"last_threat_review": "2026-05-18",
|
|
476
476
|
"signature": "xiHAhhdufm9hCKU8PLiPE0MX65ej2F4OZwtlWLGLCiie9/km+Kiqbt192LcMvr94v83C98pb9wIaqFsFWft6AQ==",
|
|
477
|
-
"signed_at": "2026-05-
|
|
477
|
+
"signed_at": "2026-05-27T18:29:47.142Z",
|
|
478
478
|
"forward_watch": [
|
|
479
479
|
"New AI attack classes as ATLAS v6 publishes",
|
|
480
480
|
"Post-quantum adversary capability timeline",
|
|
@@ -513,7 +513,7 @@
|
|
|
513
513
|
"framework_gaps": [],
|
|
514
514
|
"last_threat_review": "2026-05-01",
|
|
515
515
|
"signature": "oYsSk35N2Uzq7MRofACykylcVwkgPhI4luWZ14vmQT+gUKLyZiKVOUJbe1+7lGl6BYPRN0sUDQ0f7S5Eu5w2Ag==",
|
|
516
|
-
"signed_at": "2026-05-
|
|
516
|
+
"signed_at": "2026-05-27T18:29:47.142Z"
|
|
517
517
|
},
|
|
518
518
|
{
|
|
519
519
|
"name": "zeroday-gap-learn",
|
|
@@ -540,7 +540,7 @@
|
|
|
540
540
|
"framework_gaps": [],
|
|
541
541
|
"last_threat_review": "2026-05-18",
|
|
542
542
|
"signature": "igRqYyU1unRFH40BsPyAR62SPrk8QZv8dPGb8S9O9EvLCNOZAzm3t+HdT/NKqzWHwrpomOzkkkyLfYI/0qTUDA==",
|
|
543
|
-
"signed_at": "2026-05-
|
|
543
|
+
"signed_at": "2026-05-27T18:29:47.143Z",
|
|
544
544
|
"forward_watch": [
|
|
545
545
|
"New CISA KEV entries",
|
|
546
546
|
"New ATLAS TTP additions in each ATLAS release",
|
|
@@ -604,7 +604,7 @@
|
|
|
604
604
|
],
|
|
605
605
|
"last_threat_review": "2026-05-22",
|
|
606
606
|
"signature": "i/17u4kJiSpcZAz7LnTyRePFugQOstQ1P4kVoe0oGf4E2/j8oIN9U9DccjUn/YHZhKWIJ2AILG/DMhvMrr3bBg==",
|
|
607
|
-
"signed_at": "2026-05-
|
|
607
|
+
"signed_at": "2026-05-27T18:29:47.143Z",
|
|
608
608
|
"cwe_refs": [
|
|
609
609
|
"CWE-327"
|
|
610
610
|
],
|
|
@@ -652,7 +652,7 @@
|
|
|
652
652
|
],
|
|
653
653
|
"last_threat_review": "2026-05-22",
|
|
654
654
|
"signature": "QuOVaQ4E2Sl39TClbhZ7HA9XrYAyRrDL44HY3RTE7aWLue0hV2cxaBt40ALGmHS++631QGFDlZTLZI77Tr6nAA==",
|
|
655
|
-
"signed_at": "2026-05-
|
|
655
|
+
"signed_at": "2026-05-27T18:29:47.143Z"
|
|
656
656
|
},
|
|
657
657
|
{
|
|
658
658
|
"name": "security-maturity-tiers",
|
|
@@ -689,7 +689,7 @@
|
|
|
689
689
|
],
|
|
690
690
|
"last_threat_review": "2026-05-01",
|
|
691
691
|
"signature": "8Px1s2lDj10/Q6erwEQlXgUHM1+OTruUR8qAHPX7Oo3k/l69N6P9sm0PsafS9wDFtj9l5C/OiLiFgzMlMt6vBw==",
|
|
692
|
-
"signed_at": "2026-05-
|
|
692
|
+
"signed_at": "2026-05-27T18:29:47.143Z",
|
|
693
693
|
"cwe_refs": [
|
|
694
694
|
"CWE-1188"
|
|
695
695
|
]
|
|
@@ -724,7 +724,7 @@
|
|
|
724
724
|
"framework_gaps": [],
|
|
725
725
|
"last_threat_review": "2026-05-11",
|
|
726
726
|
"signature": "urRcataVWg6/utyEkSiOWoNxTL8sABRjPR7ShyDfZGnAozFph/yDktSoaPVxQDXwu9EfJE+qhUW5OYR/yJECBQ==",
|
|
727
|
-
"signed_at": "2026-05-
|
|
727
|
+
"signed_at": "2026-05-27T18:29:47.144Z"
|
|
728
728
|
},
|
|
729
729
|
{
|
|
730
730
|
"name": "attack-surface-pentest",
|
|
@@ -796,7 +796,7 @@
|
|
|
796
796
|
"Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Microsoft Edge 4-bug sandbox escape by Orange Tsai (DEVCORE); forward-watch only (browser sandbox, out of current playbook scope); track Microsoft Edge security advisory and KEV add"
|
|
797
797
|
],
|
|
798
798
|
"signature": "C7lv65/Ecm8JJgSKxrX5lxx0YFzKWtrIQSKp+vy50I5e8945s1JmifGUUrnQwRQhq/Pkv7EmfiH5XSO8h75bDg==",
|
|
799
|
-
"signed_at": "2026-05-
|
|
799
|
+
"signed_at": "2026-05-27T18:29:47.144Z"
|
|
800
800
|
},
|
|
801
801
|
{
|
|
802
802
|
"name": "fuzz-testing-strategy",
|
|
@@ -856,7 +856,7 @@
|
|
|
856
856
|
"OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
|
|
857
857
|
],
|
|
858
858
|
"signature": "Z7ypCUnXx8JpLtgxxB6RHNi39w74AmrGY1N4ofAGCXhkuM2EaFVm1AU0dvl9UQ1bVLfHKEDGqMO/TwlIY7RABg==",
|
|
859
|
-
"signed_at": "2026-05-
|
|
859
|
+
"signed_at": "2026-05-27T18:29:47.144Z"
|
|
860
860
|
},
|
|
861
861
|
{
|
|
862
862
|
"name": "dlp-gap-analysis",
|
|
@@ -931,7 +931,7 @@
|
|
|
931
931
|
"Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
|
|
932
932
|
],
|
|
933
933
|
"signature": "IgEnpHOhCftAyfUNdKsjbrd169T9pJkk/rRM2ZEna+H18y7p5x48+1kME2sJMZjJuyAdQFBJi8PJXZFwLGI+DQ==",
|
|
934
|
-
"signed_at": "2026-05-
|
|
934
|
+
"signed_at": "2026-05-27T18:29:47.145Z"
|
|
935
935
|
},
|
|
936
936
|
{
|
|
937
937
|
"name": "supply-chain-integrity",
|
|
@@ -1010,7 +1010,7 @@
|
|
|
1010
1010
|
"Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM-attestation impact"
|
|
1011
1011
|
],
|
|
1012
1012
|
"signature": "pcLrM98A3vUSZRjwNAk0aZ9umvOwB41XCLLsCOy/IebB2F/06oIrGUKkMHtHwm4pTVPShMMcKdZQQ3jz30FnCg==",
|
|
1013
|
-
"signed_at": "2026-05-
|
|
1013
|
+
"signed_at": "2026-05-27T18:29:47.145Z"
|
|
1014
1014
|
},
|
|
1015
1015
|
{
|
|
1016
1016
|
"name": "defensive-countermeasure-mapping",
|
|
@@ -1067,7 +1067,7 @@
|
|
|
1067
1067
|
],
|
|
1068
1068
|
"last_threat_review": "2026-05-11",
|
|
1069
1069
|
"signature": "G5q5elh7Q7eu2xcwTVQJGDTGfvZR0OGQaLSLJPb2wjzCHFF8PWuZfCHZdjjqisiRzRWPyLlzgfHeMJqOdy7cBw==",
|
|
1070
|
-
"signed_at": "2026-05-
|
|
1070
|
+
"signed_at": "2026-05-27T18:29:47.145Z"
|
|
1071
1071
|
},
|
|
1072
1072
|
{
|
|
1073
1073
|
"name": "identity-assurance",
|
|
@@ -1134,7 +1134,7 @@
|
|
|
1134
1134
|
"d3fend_refs": [],
|
|
1135
1135
|
"last_threat_review": "2026-05-11",
|
|
1136
1136
|
"signature": "Wv5hGMeHjlaQK1zwicVCA7AvdKgJBgvcjdpGM9Ywahh9tagAKhbkOjybowDQZzu7OZ3bDkbh6pBYc1Sdwr6NAA==",
|
|
1137
|
-
"signed_at": "2026-05-
|
|
1137
|
+
"signed_at": "2026-05-27T18:29:47.146Z"
|
|
1138
1138
|
},
|
|
1139
1139
|
{
|
|
1140
1140
|
"name": "ot-ics-security",
|
|
@@ -1190,7 +1190,7 @@
|
|
|
1190
1190
|
"d3fend_refs": [],
|
|
1191
1191
|
"last_threat_review": "2026-05-11",
|
|
1192
1192
|
"signature": "8t5qKHd3yWi57dvG36YQkLN/X9bQWqtEiYjay4IfSmqhJpM/xXPaQVKNGz3wscrO8OLKUZ0OaX7Mj5kzpgBKBQ==",
|
|
1193
|
-
"signed_at": "2026-05-
|
|
1193
|
+
"signed_at": "2026-05-27T18:29:47.146Z"
|
|
1194
1194
|
},
|
|
1195
1195
|
{
|
|
1196
1196
|
"name": "coordinated-vuln-disclosure",
|
|
@@ -1242,7 +1242,7 @@
|
|
|
1242
1242
|
"NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
|
|
1243
1243
|
],
|
|
1244
1244
|
"signature": "GDGt4UPqBa04PjlpSmpyihGzd3OgfBN7jaAK5tfwp+LRSs3ygKOdbeivUCCHNagTY1hE6hG2Ou40ADfBFuXeAg==",
|
|
1245
|
-
"signed_at": "2026-05-
|
|
1245
|
+
"signed_at": "2026-05-27T18:29:47.147Z"
|
|
1246
1246
|
},
|
|
1247
1247
|
{
|
|
1248
1248
|
"name": "threat-modeling-methodology",
|
|
@@ -1292,7 +1292,7 @@
|
|
|
1292
1292
|
"PASTA v2 updates incorporating AI/ML application threats"
|
|
1293
1293
|
],
|
|
1294
1294
|
"signature": "rFBpOQEJUPpl+v88Lw/WqVJRhTl80vy0VbPAbzQj3Q0suJRRrJg368I9uKu5LXIBKFDvKxnGIcIzbGg9NUtaCA==",
|
|
1295
|
-
"signed_at": "2026-05-
|
|
1295
|
+
"signed_at": "2026-05-27T18:29:47.147Z"
|
|
1296
1296
|
},
|
|
1297
1297
|
{
|
|
1298
1298
|
"name": "webapp-security",
|
|
@@ -1366,7 +1366,7 @@
|
|
|
1366
1366
|
"d3fend_refs": [],
|
|
1367
1367
|
"last_threat_review": "2026-05-11",
|
|
1368
1368
|
"signature": "ux85YI4t2mVHOyt744Yin1HHy+z11JIFygjKfFfQOBBl5QVV3A267jeIy7utix85irMcpZm/T3yx/ooqiK2tBA==",
|
|
1369
|
-
"signed_at": "2026-05-
|
|
1369
|
+
"signed_at": "2026-05-27T18:29:47.147Z",
|
|
1370
1370
|
"forward_watch": [
|
|
1371
1371
|
"NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments"
|
|
1372
1372
|
]
|
|
@@ -1419,7 +1419,7 @@
|
|
|
1419
1419
|
"d3fend_refs": [],
|
|
1420
1420
|
"last_threat_review": "2026-05-15",
|
|
1421
1421
|
"signature": "IIXnkZ5ZNqFwOto5KfytADTLLZLoyXNZACD1ORZ40P1HUAQxe6u2uyXFzzsfuob4Uy06jNkRGr2FFgCphUH1Cw==",
|
|
1422
|
-
"signed_at": "2026-05-
|
|
1422
|
+
"signed_at": "2026-05-27T18:29:47.147Z"
|
|
1423
1423
|
},
|
|
1424
1424
|
{
|
|
1425
1425
|
"name": "sector-healthcare",
|
|
@@ -1479,7 +1479,7 @@
|
|
|
1479
1479
|
"d3fend_refs": [],
|
|
1480
1480
|
"last_threat_review": "2026-05-11",
|
|
1481
1481
|
"signature": "AhF9KF8ZBlDteciV+F8IBSmFVYCvQOn44GmD4rZjgLoPxfIv/QE1/vSkK32zyqDKtHWkLSXExbkkPkxA/V6dDw==",
|
|
1482
|
-
"signed_at": "2026-05-
|
|
1482
|
+
"signed_at": "2026-05-27T18:29:47.148Z"
|
|
1483
1483
|
},
|
|
1484
1484
|
{
|
|
1485
1485
|
"name": "sector-financial",
|
|
@@ -1560,7 +1560,7 @@
|
|
|
1560
1560
|
"TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
|
|
1561
1561
|
],
|
|
1562
1562
|
"signature": "HQgZvb4ReziEz5rNFr8i/O8/rJEZR+iHRROT7m/D2QUqhrcNISPkYXENsUZlG8xapzy/Ik92ehkseyj4hdmhCQ==",
|
|
1563
|
-
"signed_at": "2026-05-
|
|
1563
|
+
"signed_at": "2026-05-27T18:29:47.149Z"
|
|
1564
1564
|
},
|
|
1565
1565
|
{
|
|
1566
1566
|
"name": "sector-federal-government",
|
|
@@ -1629,7 +1629,7 @@
|
|
|
1629
1629
|
"Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
|
|
1630
1630
|
],
|
|
1631
1631
|
"signature": "linxmsXZiOYtcs71sSWgGCrvb8xQfmxmtTY5PRvZJ0/8FgJulo0tQtejzexYG775s7XhjAmGsDP238BQTQ8ADA==",
|
|
1632
|
-
"signed_at": "2026-05-
|
|
1632
|
+
"signed_at": "2026-05-27T18:29:47.149Z"
|
|
1633
1633
|
},
|
|
1634
1634
|
{
|
|
1635
1635
|
"name": "sector-energy",
|
|
@@ -1694,7 +1694,7 @@
|
|
|
1694
1694
|
"ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
|
|
1695
1695
|
],
|
|
1696
1696
|
"signature": "JjBfc0ovta560Clk0x3QGRM5osFJDwcvpy3rT7QEGdCIL827jzE8QCow1C8deXq+4JhY2sA/d7/8IsxikdlkCg==",
|
|
1697
|
-
"signed_at": "2026-05-
|
|
1697
|
+
"signed_at": "2026-05-27T18:29:47.149Z"
|
|
1698
1698
|
},
|
|
1699
1699
|
{
|
|
1700
1700
|
"name": "sector-telecom",
|
|
@@ -1780,7 +1780,7 @@
|
|
|
1780
1780
|
"O-RAN SFG / WG11 security specifications"
|
|
1781
1781
|
],
|
|
1782
1782
|
"signature": "JWVxKFoKrbX4d+Tko1d4OBdwyg25MfFFKn4CT6E/CzH+YwnU3T6Y76uBQIKg3+gIGTvPduqyvQwQQ5FxKDuPBw==",
|
|
1783
|
-
"signed_at": "2026-05-
|
|
1783
|
+
"signed_at": "2026-05-27T18:29:47.150Z"
|
|
1784
1784
|
},
|
|
1785
1785
|
{
|
|
1786
1786
|
"name": "api-security",
|
|
@@ -1849,7 +1849,7 @@
|
|
|
1849
1849
|
"d3fend_refs": [],
|
|
1850
1850
|
"last_threat_review": "2026-05-18",
|
|
1851
1851
|
"signature": "BmCRCestWqr55+fCynEhtAl5NWLT+xLTkpwS0Icp3SaoZOw/ce3Y6TtqjHRSKn4CBJq7YDiLRWxmhO3MStvOAA==",
|
|
1852
|
-
"signed_at": "2026-05-
|
|
1852
|
+
"signed_at": "2026-05-27T18:29:47.150Z",
|
|
1853
1853
|
"forward_watch": [
|
|
1854
1854
|
"NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments",
|
|
1855
1855
|
"Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments",
|
|
@@ -1935,7 +1935,7 @@
|
|
|
1935
1935
|
"CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
|
|
1936
1936
|
],
|
|
1937
1937
|
"signature": "/DV3pmZwrRySrk1OCbyI+0BQESacjupJfUX3eC2NGtXuYOBro0vndIP+z27heFxumnjU3a9sfla7/U9X+pqnDw==",
|
|
1938
|
-
"signed_at": "2026-05-
|
|
1938
|
+
"signed_at": "2026-05-27T18:29:47.150Z"
|
|
1939
1939
|
},
|
|
1940
1940
|
{
|
|
1941
1941
|
"name": "container-runtime-security",
|
|
@@ -1997,7 +1997,7 @@
|
|
|
1997
1997
|
"d3fend_refs": [],
|
|
1998
1998
|
"last_threat_review": "2026-05-15",
|
|
1999
1999
|
"signature": "E2UGSf9ATyYgzBr8uM/0ubOUmDqo1jVA7f9mVxv6LHfWGCNuQNXDyuNou9VAmUCeeXEeUYIi3AFjXkJqpOkxDA==",
|
|
2000
|
-
"signed_at": "2026-05-
|
|
2000
|
+
"signed_at": "2026-05-27T18:29:47.151Z",
|
|
2001
2001
|
"forward_watch": [
|
|
2002
2002
|
"Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo"
|
|
2003
2003
|
]
|
|
@@ -2071,7 +2071,7 @@
|
|
|
2071
2071
|
"MITRE ATLAS v5.6.0 (released May 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
|
|
2072
2072
|
],
|
|
2073
2073
|
"signature": "IL+DlRCDJN/p08iiJCFkasKcoyjcB0uWrJ6ORLjQcS1HrUa5Xt62QxVjYPHzaevlm5y36ZdmfESqsZJmzK3lCg==",
|
|
2074
|
-
"signed_at": "2026-05-
|
|
2074
|
+
"signed_at": "2026-05-27T18:29:47.151Z"
|
|
2075
2075
|
},
|
|
2076
2076
|
{
|
|
2077
2077
|
"name": "incident-response-playbook",
|
|
@@ -2133,7 +2133,7 @@
|
|
|
2133
2133
|
"NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
|
|
2134
2134
|
],
|
|
2135
2135
|
"signature": "MmjLjlmOMLjhJJ4ZfR8MYlHam+ZB+eSqfh6Nv+DecaG4O5zeo9DBP/iL3cbyDVZxmhnhivgJild2ccYeWTeZAg==",
|
|
2136
|
-
"signed_at": "2026-05-
|
|
2136
|
+
"signed_at": "2026-05-27T18:29:47.151Z"
|
|
2137
2137
|
},
|
|
2138
2138
|
{
|
|
2139
2139
|
"name": "ransomware-response",
|
|
@@ -2213,7 +2213,7 @@
|
|
|
2213
2213
|
],
|
|
2214
2214
|
"last_threat_review": "2026-05-22",
|
|
2215
2215
|
"signature": "ssueL03g9fWlhXpTe+IiY5l7RqQkunN4DTN5QETKE+VOX+qggdjAR8PONxk77ol4xWYmHrM/VcH8CNtXUEvgBA==",
|
|
2216
|
-
"signed_at": "2026-05-
|
|
2216
|
+
"signed_at": "2026-05-27T18:29:47.152Z"
|
|
2217
2217
|
},
|
|
2218
2218
|
{
|
|
2219
2219
|
"name": "email-security-anti-phishing",
|
|
@@ -2266,7 +2266,7 @@
|
|
|
2266
2266
|
"d3fend_refs": [],
|
|
2267
2267
|
"last_threat_review": "2026-05-18",
|
|
2268
2268
|
"signature": "rK+WnuS+9tqEABmwc0jO/PEmxcLjG1/tmUb897HsClQeKzf+TQOlwBE+OsbtuKxpjYNwur62Xxs3TxObkwm8Cw==",
|
|
2269
|
-
"signed_at": "2026-05-
|
|
2269
|
+
"signed_at": "2026-05-27T18:29:47.152Z"
|
|
2270
2270
|
},
|
|
2271
2271
|
{
|
|
2272
2272
|
"name": "age-gates-child-safety",
|
|
@@ -2334,7 +2334,7 @@
|
|
|
2334
2334
|
"US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
|
|
2335
2335
|
],
|
|
2336
2336
|
"signature": "Rgho5TOFUL1txOzcVR0kASCNdovSU4yt99JlGilJlJRyg0A+BdeeQYrZrhPF6Vx2reUAVG0BeHfcZtSbi+cwCg==",
|
|
2337
|
-
"signed_at": "2026-05-
|
|
2337
|
+
"signed_at": "2026-05-27T18:29:47.153Z"
|
|
2338
2338
|
},
|
|
2339
2339
|
{
|
|
2340
2340
|
"name": "cloud-iam-incident",
|
|
@@ -2414,7 +2414,7 @@
|
|
|
2414
2414
|
],
|
|
2415
2415
|
"last_threat_review": "2026-05-15",
|
|
2416
2416
|
"signature": "e/kij7GtKaytROyIj7V5RH+FC9WtmVFzrmG2kIlNDNn29ep/CRNlIQKwXLpzo/81AIf634pmdr1qy/+vwIuUDA==",
|
|
2417
|
-
"signed_at": "2026-05-
|
|
2417
|
+
"signed_at": "2026-05-27T18:29:47.153Z",
|
|
2418
2418
|
"forward_watch": [
|
|
2419
2419
|
"AWS IAM Identity Center session-policy refresh and step-up-on-admin enforcement (anticipated 2026-H2 release)",
|
|
2420
2420
|
"GCP Workload Identity Federation principal-set attribute mapping tightening (post-2026 Q3 Federation hardening guide)",
|
|
@@ -2508,7 +2508,7 @@
|
|
|
2508
2508
|
],
|
|
2509
2509
|
"last_threat_review": "2026-05-15",
|
|
2510
2510
|
"signature": "ew9Kglc9fAZzbn0ZIfGP7WSK/j4eV2VhSvpy+s5bEfNEVYIMa2kZjnGBapgUsyGDLes9H9K2ovjQyX17+GKiBw==",
|
|
2511
|
-
"signed_at": "2026-05-
|
|
2511
|
+
"signed_at": "2026-05-27T18:29:47.153Z",
|
|
2512
2512
|
"forward_watch": [
|
|
2513
2513
|
"Entra ID conditional access evolution post-Midnight Blizzard — Microsoft's 2025-2026 commitments on legacy-tenant MFA enforcement and OAuth-app consent gating",
|
|
2514
2514
|
"Okta IPSIE (Interoperability Profile for Secure Identity in the Enterprise) OpenID Foundation working-group output and adoption timeline",
|
|
@@ -2526,6 +2526,6 @@
|
|
|
2526
2526
|
],
|
|
2527
2527
|
"manifest_signature": {
|
|
2528
2528
|
"algorithm": "Ed25519",
|
|
2529
|
-
"signature_base64": "
|
|
2529
|
+
"signature_base64": "4DNEWKnVCmwe9oYsRLs/AuYmQiFU+xGm34LG0Y+OpMNSel71e6VFy7zfbw2Bw99UcfNVIdU4esjhk4awdAlCAA=="
|
|
2530
2530
|
}
|
|
2531
2531
|
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@blamejs/exceptd-skills",
|
|
3
|
-
"version": "0.14.
|
|
3
|
+
"version": "0.14.9",
|
|
4
4
|
"description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (406 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"ai-security",
|
package/sbom.cdx.json
CHANGED
|
@@ -1,22 +1,22 @@
|
|
|
1
1
|
{
|
|
2
2
|
"bomFormat": "CycloneDX",
|
|
3
3
|
"specVersion": "1.6",
|
|
4
|
-
"serialNumber": "urn:uuid:
|
|
4
|
+
"serialNumber": "urn:uuid:1a8b234b-ced4-4ad0-b8ba-31f02f4294a8",
|
|
5
5
|
"version": 1,
|
|
6
6
|
"metadata": {
|
|
7
|
-
"timestamp": "
|
|
7
|
+
"timestamp": "2040-02-11T05:42:35.000Z",
|
|
8
8
|
"tools": [
|
|
9
9
|
{
|
|
10
10
|
"vendor": "blamejs",
|
|
11
11
|
"name": "scripts/refresh-sbom.js",
|
|
12
|
-
"version": "0.14.
|
|
12
|
+
"version": "0.14.9"
|
|
13
13
|
}
|
|
14
14
|
],
|
|
15
15
|
"component": {
|
|
16
|
-
"bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.14.
|
|
16
|
+
"bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.14.9",
|
|
17
17
|
"type": "application",
|
|
18
18
|
"name": "@blamejs/exceptd-skills",
|
|
19
|
-
"version": "0.14.
|
|
19
|
+
"version": "0.14.9",
|
|
20
20
|
"description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (406 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
|
|
21
21
|
"licenses": [
|
|
22
22
|
{
|
|
@@ -25,17 +25,17 @@
|
|
|
25
25
|
}
|
|
26
26
|
}
|
|
27
27
|
],
|
|
28
|
-
"purl": "pkg:npm/%40blamejs/exceptd-skills@0.14.
|
|
28
|
+
"purl": "pkg:npm/%40blamejs/exceptd-skills@0.14.9",
|
|
29
29
|
"hashes": [
|
|
30
30
|
{
|
|
31
31
|
"alg": "SHA-256",
|
|
32
|
-
"content": "
|
|
32
|
+
"content": "ed8f9d23b7f84f4cbe1372f27c299f02d97d7d259797cd60cdbf4f838a479b14"
|
|
33
33
|
}
|
|
34
34
|
],
|
|
35
35
|
"externalReferences": [
|
|
36
36
|
{
|
|
37
37
|
"type": "distribution",
|
|
38
|
-
"url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.14.
|
|
38
|
+
"url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.14.9"
|
|
39
39
|
},
|
|
40
40
|
{
|
|
41
41
|
"type": "vcs",
|
|
@@ -116,11 +116,11 @@
|
|
|
116
116
|
"hashes": [
|
|
117
117
|
{
|
|
118
118
|
"alg": "SHA-256",
|
|
119
|
-
"content": "
|
|
119
|
+
"content": "8128bd72e9113823c1bca4b32ee9b6dc4b229818bd5c8602784250e143b0b9f0"
|
|
120
120
|
},
|
|
121
121
|
{
|
|
122
122
|
"alg": "SHA3-512",
|
|
123
|
-
"content": "
|
|
123
|
+
"content": "813fd105884701ec6b6ccc987d2d0877e1f1d410d2babb111419a6cbd91332d7b59147a3183e564e60b29b769aeff233f9ac9841114a0b2313e0772516fc9053"
|
|
124
124
|
}
|
|
125
125
|
]
|
|
126
126
|
},
|
|
@@ -281,11 +281,11 @@
|
|
|
281
281
|
"hashes": [
|
|
282
282
|
{
|
|
283
283
|
"alg": "SHA-256",
|
|
284
|
-
"content": "
|
|
284
|
+
"content": "67aac0637fc151141902aafa2108ebacdc6b96d1a3782e0f1ef3d086c631a6f9"
|
|
285
285
|
},
|
|
286
286
|
{
|
|
287
287
|
"alg": "SHA3-512",
|
|
288
|
-
"content": "
|
|
288
|
+
"content": "2acb7366429edf455cabe9992c4babb9440fc92cf2f8a0fbfaca65111a573b5c99e2ae4071af556fb65df3687e98105a3ecd0a13b234f9c38b81ea8bef47a352"
|
|
289
289
|
}
|
|
290
290
|
]
|
|
291
291
|
},
|
|
@@ -926,11 +926,11 @@
|
|
|
926
926
|
"hashes": [
|
|
927
927
|
{
|
|
928
928
|
"alg": "SHA-256",
|
|
929
|
-
"content": "
|
|
929
|
+
"content": "d406014a161ca337c2914be650190d8539a5c9e159c6ed8b79cd276c64cafd14"
|
|
930
930
|
},
|
|
931
931
|
{
|
|
932
932
|
"alg": "SHA3-512",
|
|
933
|
-
"content": "
|
|
933
|
+
"content": "24c1d46c3426d695f15320bb75a2a0da84f571bd898a767f3effc1819b06ad9d06a2f638e2bd838f9aabcb1aa676e1809462272736515e4c817e2793c293a546"
|
|
934
934
|
}
|
|
935
935
|
]
|
|
936
936
|
},
|
|
@@ -941,11 +941,11 @@
|
|
|
941
941
|
"hashes": [
|
|
942
942
|
{
|
|
943
943
|
"alg": "SHA-256",
|
|
944
|
-
"content": "
|
|
944
|
+
"content": "302103324d99f623036027fc589da04c2c9f23c1c45d3e00c6f47df38a1ae236"
|
|
945
945
|
},
|
|
946
946
|
{
|
|
947
947
|
"alg": "SHA3-512",
|
|
948
|
-
"content": "
|
|
948
|
+
"content": "e6ebd328eb2bb79263e8ccdcefb4ed3345c269f41296d1ec0844c649e2fe8817054c72bdf3647e4a212c5321bf1248f3feac5ee9741edefa5dfdf1f532b6e365"
|
|
949
949
|
}
|
|
950
950
|
]
|
|
951
951
|
},
|
|
@@ -956,11 +956,11 @@
|
|
|
956
956
|
"hashes": [
|
|
957
957
|
{
|
|
958
958
|
"alg": "SHA-256",
|
|
959
|
-
"content": "
|
|
959
|
+
"content": "73fca55e2330e73529d06eb8944114d2f18b483294d373719356dce0556a831d"
|
|
960
960
|
},
|
|
961
961
|
{
|
|
962
962
|
"alg": "SHA3-512",
|
|
963
|
-
"content": "
|
|
963
|
+
"content": "d1deb64457f7be99a4dd5fcc504cffdc6b4ddec26d778946af93c5ea60ee399f9c6bb82de1a4cb0165e7708914a7a56e1b61f4f443e6c83b62ece23ceff2d11b"
|
|
964
964
|
}
|
|
965
965
|
]
|
|
966
966
|
},
|
|
@@ -986,11 +986,11 @@
|
|
|
986
986
|
"hashes": [
|
|
987
987
|
{
|
|
988
988
|
"alg": "SHA-256",
|
|
989
|
-
"content": "
|
|
989
|
+
"content": "536c55f5043145bac0221ee954052d5afd9e89cdb7984fa2357a6bdb46a2dd59"
|
|
990
990
|
},
|
|
991
991
|
{
|
|
992
992
|
"alg": "SHA3-512",
|
|
993
|
-
"content": "
|
|
993
|
+
"content": "ae704ef06e34bcc36c0c72a7fe54ac6ae53b2d2964ea27edac285bbf5eae07a90b795acb5a600d2b829cf7f384532b8addcad1a127741d63ab0557fdff72aa07"
|
|
994
994
|
}
|
|
995
995
|
]
|
|
996
996
|
},
|
|
@@ -1046,11 +1046,11 @@
|
|
|
1046
1046
|
"hashes": [
|
|
1047
1047
|
{
|
|
1048
1048
|
"alg": "SHA-256",
|
|
1049
|
-
"content": "
|
|
1049
|
+
"content": "f8a32293e9a8707e05846bbc0c07336d9f5f31a3551ec9df9c146386005cba7c"
|
|
1050
1050
|
},
|
|
1051
1051
|
{
|
|
1052
1052
|
"alg": "SHA3-512",
|
|
1053
|
-
"content": "
|
|
1053
|
+
"content": "b4859aec9f78d53ce82a871eba0069714a6cee8c2b1ce043dc3389fad6ee3e17127c8f5e3e5ae901737410be5491df016412cd1b00954278a768a446252b5b1e"
|
|
1054
1054
|
}
|
|
1055
1055
|
]
|
|
1056
1056
|
},
|
|
@@ -1091,11 +1091,11 @@
|
|
|
1091
1091
|
"hashes": [
|
|
1092
1092
|
{
|
|
1093
1093
|
"alg": "SHA-256",
|
|
1094
|
-
"content": "
|
|
1094
|
+
"content": "465fdfd904c1fd5c63b2178d79f7fd47988d023f10178065e2726b742aa657df"
|
|
1095
1095
|
},
|
|
1096
1096
|
{
|
|
1097
1097
|
"alg": "SHA3-512",
|
|
1098
|
-
"content": "
|
|
1098
|
+
"content": "f4fc95ed4cf22f078e21ca1bf767c8f53ebb096702046902edf4d4c5ea484bb7d4184cb7ab3fee1ecc5c4bfaec3564c87d3ffd8b9d798a12bf72616c32e3a942"
|
|
1099
1099
|
}
|
|
1100
1100
|
]
|
|
1101
1101
|
},
|
|
@@ -1106,11 +1106,11 @@
|
|
|
1106
1106
|
"hashes": [
|
|
1107
1107
|
{
|
|
1108
1108
|
"alg": "SHA-256",
|
|
1109
|
-
"content": "
|
|
1109
|
+
"content": "66b9b2769bcbe2a5ce10c45d3ab1d673ef6aeec2b69d708bd82001bc3833a44a"
|
|
1110
1110
|
},
|
|
1111
1111
|
{
|
|
1112
1112
|
"alg": "SHA3-512",
|
|
1113
|
-
"content": "
|
|
1113
|
+
"content": "1682ce067416147cfc772ca1217e440e02bf90440273f0aba2c2d069913af9bb282a570f9530f3163af3e85d3a2c37f502c98ca6564b28c6fa719d7612d483c8"
|
|
1114
1114
|
}
|
|
1115
1115
|
]
|
|
1116
1116
|
},
|
|
@@ -1121,11 +1121,11 @@
|
|
|
1121
1121
|
"hashes": [
|
|
1122
1122
|
{
|
|
1123
1123
|
"alg": "SHA-256",
|
|
1124
|
-
"content": "
|
|
1124
|
+
"content": "b507b1a6bcb1a0d4511c72921bdb0406f37a9a602d1d0614d270aad8cbe41691"
|
|
1125
1125
|
},
|
|
1126
1126
|
{
|
|
1127
1127
|
"alg": "SHA3-512",
|
|
1128
|
-
"content": "
|
|
1128
|
+
"content": "bd26426ef94c0eecd346ebea1e2bb78aae0ffa01a54831b61034656b68f3896c2ae89406deee0faf16bc86088ba284e1b6944c1aab5906050dc0657c8d684728"
|
|
1129
1129
|
}
|
|
1130
1130
|
]
|
|
1131
1131
|
},
|
|
@@ -1316,11 +1316,11 @@
|
|
|
1316
1316
|
"hashes": [
|
|
1317
1317
|
{
|
|
1318
1318
|
"alg": "SHA-256",
|
|
1319
|
-
"content": "
|
|
1319
|
+
"content": "65403ab5a2824a6647612167ac08fc458580fb796b5c2581be7c80431cc8572d"
|
|
1320
1320
|
},
|
|
1321
1321
|
{
|
|
1322
1322
|
"alg": "SHA3-512",
|
|
1323
|
-
"content": "
|
|
1323
|
+
"content": "9ac3d18231c5e92c18f9dca043d36539dd05e85ac251c225dd96c5c1822d9bc82b1fbc80a03f6fd95c5ce76fc6f44b0aeb6199d3c503a8f88d2ff3c53f432f35"
|
|
1324
1324
|
}
|
|
1325
1325
|
]
|
|
1326
1326
|
},
|
|
@@ -1346,11 +1346,11 @@
|
|
|
1346
1346
|
"hashes": [
|
|
1347
1347
|
{
|
|
1348
1348
|
"alg": "SHA-256",
|
|
1349
|
-
"content": "
|
|
1349
|
+
"content": "19d6d3ebed46e74a44d8dd51f3b872af2a6ccc822956f7e36c68aeb8dea6a251"
|
|
1350
1350
|
},
|
|
1351
1351
|
{
|
|
1352
1352
|
"alg": "SHA3-512",
|
|
1353
|
-
"content": "
|
|
1353
|
+
"content": "4c8f2b37db734bf999d145fd29a48ae1847652a9eed14f3db14d90527eafbff27146e80fc34f40439b988ea76783572053e59c1b9b113308d84327913af2ef6c"
|
|
1354
1354
|
}
|
|
1355
1355
|
]
|
|
1356
1356
|
},
|
|
@@ -1751,11 +1751,11 @@
|
|
|
1751
1751
|
"hashes": [
|
|
1752
1752
|
{
|
|
1753
1753
|
"alg": "SHA-256",
|
|
1754
|
-
"content": "
|
|
1754
|
+
"content": "9b1abf00a40118b264552a1897b4d1857e831d33e929a5179a1bf83348e04999"
|
|
1755
1755
|
},
|
|
1756
1756
|
{
|
|
1757
1757
|
"alg": "SHA3-512",
|
|
1758
|
-
"content": "
|
|
1758
|
+
"content": "78595bf8934afe4e4fb9a715ec84d89febbb3e60225419af5b919ab8b28bf614030a18b5ce2e085d7267ab7132ee7f01dc1ce2511a80fca0c2f119a2e7ac1c99"
|
|
1759
1759
|
}
|
|
1760
1760
|
]
|
|
1761
1761
|
},
|