@blamejs/exceptd-skills 0.16.15 → 0.16.17
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +3 -1
- package/CHANGELOG.md +8 -0
- package/README.md +5 -5
- package/bin/exceptd.js +4 -1
- package/data/_indexes/_meta.json +18 -16
- package/data/_indexes/activity-feed.json +17 -3
- package/data/_indexes/catalog-summaries.json +1 -1
- package/data/_indexes/chains.json +22854 -4010
- package/data/_indexes/currency.json +19 -1
- package/data/_indexes/frequency.json +158 -75
- package/data/_indexes/handoff-dag.json +9 -1
- package/data/_indexes/jurisdiction-map.json +9 -3
- package/data/_indexes/section-offsets.json +170 -0
- package/data/_indexes/stale-content.json +1 -1
- package/data/_indexes/summary-cards.json +81 -0
- package/data/_indexes/token-budget.json +103 -3
- package/data/_indexes/trigger-table.json +96 -1
- package/data/_indexes/xref.json +48 -1
- package/data/cwe-catalog.json +64 -6
- package/data/playbooks/cloud-iam-incident.json +26 -5
- package/data/playbooks/crypto-codebase.json +31 -8
- package/data/playbooks/decompression-dos.json +626 -0
- package/data/playbooks/framework.json +2 -0
- package/data/playbooks/multitenancy-isolation.json +660 -0
- package/manifest-snapshot.json +110 -2
- package/manifest-snapshot.sha256 +1 -1
- package/manifest.json +165 -49
- package/package.json +2 -2
- package/sbom.cdx.json +92 -32
- package/skills/decompression-dos/skill.md +83 -0
- package/skills/multitenancy-isolation/skill.md +83 -0
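--- a/package/data/cwe-catalog.json
+++ b/package/data/cwe-catalog.json
@@ -88,6 +88,7 @@
 "skills_referencing": [
 "api-security",
 "attack-surface-pentest",
+"decompression-dos",
 "mail-server-hardening",
 "mcp-agent-trust",
 "webapp-security"
@@ -1844,6 +1845,7 @@
 "identity-assurance",
 "idp-incident-response",
 "mail-server-hardening",
+"multitenancy-isolation",
 "sector-financial",
 "vc-wallet-trust",
 "webapp-security"
@@ -3070,7 +3072,9 @@
 "_auto_imported": true,
 "_intake_method": "v0.13.18-bulk-mitre-cwe-curated",
 "skills_referencing": [
-"
+"decompression-dos",
+"mail-server-hardening",
+"multitenancy-isolation"
 ]
 },
 "CWE-285": {
@@ -3577,7 +3581,10 @@
 "last_verified": "2026-05-19",
 "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
 "_auto_imported": true,
-"_intake_method": "v0.13.18-bulk-mitre-cwe-curated"
+"_intake_method": "v0.13.18-bulk-mitre-cwe-curated",
+"skills_referencing": [
+"multitenancy-isolation"
+]
 },
 "CWE-640": {
 "id": "CWE-640",
@@ -3773,7 +3780,11 @@
 "last_verified": "2026-05-19",
 "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
 "_auto_imported": true,
-"_intake_method": "v0.13.18-bulk-mitre-cwe-curated"
+"_intake_method": "v0.13.18-bulk-mitre-cwe-curated",
+"skills_referencing": [
+"decompression-dos",
+"multitenancy-isolation"
+]
 },
 "CWE-772": {
 "id": "CWE-772",
@@ -3811,7 +3822,10 @@
 "last_verified": "2026-05-19",
 "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
 "_auto_imported": true,
-"_intake_method": "v0.13.18-bulk-mitre-cwe-curated"
+"_intake_method": "v0.13.18-bulk-mitre-cwe-curated",
+"skills_referencing": [
+"decompression-dos"
+]
 },
 "CWE-778": {
 "id": "CWE-778",
@@ -3871,7 +3885,10 @@
 "last_verified": "2026-05-19",
 "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
 "_auto_imported": true,
-"_intake_method": "v0.13.18-bulk-mitre-cwe-curated"
+"_intake_method": "v0.13.18-bulk-mitre-cwe-curated",
+"skills_referencing": [
+"decompression-dos"
+]
 },
 "CWE-835": {
 "id": "CWE-835",
@@ -4462,7 +4479,10 @@
 "CVE-2024-21626"
 ],
 "last_verified": "2026-05-19",
-"notes": "Added v0.13.19 to back the runc /proc/self/fd container-escape (CVE-2024-21626) cwe_refs entry."
+"notes": "Added v0.13.19 to back the runc /proc/self/fd container-escape (CVE-2024-21626) cwe_refs entry.",
+"skills_referencing": [
+"multitenancy-isolation"
+]
 },
 "CWE-340": {
 "id": "CWE-340",
@@ -4543,5 +4563,43 @@
 "CVE-2023-51765",
 "CVE-2023-51766"
 ]
+},
+"CWE-409": {
+"id": "CWE-409",
+"name": "Improper Handling of Highly Compressed Data (Data Amplification)",
+"abstraction": "Base",
+"category": "Resource Management",
+"description": "The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. MITRE-canonical; full text at https://cwe.mitre.org/data/definitions/409.html. Backs the decompression-bomb / zip-bomb / nested-archive class (no decompressed-size or ratio cap).",
+"top_25_rank_2024": null,
+"top_25_rank_2025": null,
+"view_memberships": [
+"CWE-1000"
+],
+"related_attack_patterns_capec": [
+"CAPEC-197"
+],
+"skills_referencing": [
+"decompression-dos"
+],
+"evidence_cves": []
+},
+"CWE-1333": {
+"id": "CWE-1333",
+"name": "Inefficient Regular Expression Complexity",
+"abstraction": "Base",
+"category": "Resource Management",
+"description": "The product uses a regular expression with inefficient, possibly exponential worst-case complexity on a value that can be controlled by an actor, enabling catastrophic backtracking (ReDoS). MITRE-canonical; full text at https://cwe.mitre.org/data/definitions/1333.html.",
+"top_25_rank_2024": null,
+"top_25_rank_2025": null,
+"view_memberships": [
+"CWE-1000"
+],
+"related_attack_patterns_capec": [
+"CAPEC-492"
+],
+"skills_referencing": [
+"decompression-dos"
+],
+"evidence_cves": []
 }
 }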
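Review bot: The two new catalog entries CWE-409 and CWE-1333 at the end of the last hunk carry no `last_verified`, `notes`, `_auto_imported` or `_intake_method` field, while every other entry touched in this file has at least `last_verified`; presumably the stale-content and currency indexes key off that field, so these entries would never come up for re-verification. Both also ship `"evidence_cves": []` even though their descriptions claim to back the zip-bomb and ReDoS classes, so nothing in the catalog ties them to a verified public case. I would add `"last_verified": "2026-05-19",` and a `"notes"` line recording how they were sourced to each entry, and either populate `evidence_cves` or say in `notes` that it is intentionally empty pending curation. The CAPEC mappings (CAPEC-197 for data amplification, CAPEC-492 for regex exponential blowup) match the classes described.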
|
|
@@ -60,7 +60,8 @@
|
|
|
60
60
|
}
|
|
61
61
|
],
|
|
62
62
|
"fed_by": [
|
|
63
|
-
"identity-sso-compromise"
|
|
63
|
+
"identity-sso-compromise",
|
|
64
|
+
"multitenancy-isolation"
|
|
64
65
|
]
|
|
65
66
|
},
|
|
66
67
|
"domain": {
|
|
@@ -976,7 +977,15 @@
|
|
|
976
977
|
"rotation_ownership_identified == true"
|
|
977
978
|
],
|
|
978
979
|
"priority": 1,
|
|
979
|
-
"for_signals": [
|
|
980
|
+
"for_signals": [
|
|
981
|
+
"root_login_from_new_asn",
|
|
982
|
+
"iam_access_key_created_no_iac_ticket",
|
|
983
|
+
"mass_iam_user_creation_outside_iac",
|
|
984
|
+
"cross_account_assume_role_anomaly",
|
|
985
|
+
"kms_key_policy_self_grant",
|
|
986
|
+
"s3_bucket_policy_public_grant",
|
|
987
|
+
"cloudtrail_logging_disabled_event"
|
|
988
|
+
],
|
|
980
989
|
"compensating_controls": [
|
|
981
990
|
"session-revocation",
|
|
982
991
|
"audit-log-review-for-misuse-window",
|
|
@@ -992,7 +1001,15 @@
|
|
|
992
1001
|
"iam_read_only_across_org == true"
|
|
993
1002
|
],
|
|
994
1003
|
"priority": 2,
|
|
995
|
-
"for_signals": [
|
|
1004
|
+
"for_signals": [
|
|
1005
|
+
"cross_account_assume_role_anomaly",
|
|
1006
|
+
"mass_iam_user_creation_outside_iac",
|
|
1007
|
+
"iam_access_key_created_no_iac_ticket",
|
|
1008
|
+
"kms_key_policy_self_grant",
|
|
1009
|
+
"s3_bucket_policy_public_grant",
|
|
1010
|
+
"gpu_instance_creation_spike",
|
|
1011
|
+
"unused_region_resource_creation"
|
|
1012
|
+
],
|
|
996
1013
|
"compensating_controls": [
|
|
997
1014
|
"iam-event-review-completed",
|
|
998
1015
|
"scp-tightened",
|
|
@@ -1007,7 +1024,9 @@
|
|
|
1007
1024
|
"imdsv2_migration_blocker_inventory_complete == true"
|
|
1008
1025
|
],
|
|
1009
1026
|
"priority": 2,
|
|
1010
|
-
"for_signals": [
|
|
1027
|
+
"for_signals": [
|
|
1028
|
+
"imds_v1_legacy_access"
|
|
1029
|
+
],
|
|
1011
1030
|
"compensating_controls": [
|
|
1012
1031
|
"imdsv2-enforced-org-wide",
|
|
1013
1032
|
"scp-deny-imdsv1-launch"
|
|
@@ -1021,7 +1040,9 @@
|
|
|
1021
1040
|
"federated_trust_inventory_complete == true"
|
|
1022
1041
|
],
|
|
1023
1042
|
"priority": 2,
|
|
1024
|
-
"for_signals": [
|
|
1043
|
+
"for_signals": [
|
|
1044
|
+
"cross_account_assume_role_anomaly"
|
|
1045
|
+
],
|
|
1025
1046
|
"compensating_controls": [
|
|
1026
1047
|
"federated-trust-tightened",
|
|
1027
1048
|
"conditional-access-mfa-required-on-admin"
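Review bot: `cloudtrail_logging_disabled_event` is routed only to the priority-1 item whose compensating control is `audit-log-review-for-misuse-window`, but when the triggering signal is that the trail was disabled there is no log for that window, so that control cannot count as compensating for this signal. The item's key and the start of its precondition list are outside the hunk, so I cannot tell whether restoring logging is already required elsewhere; if it is not, add a precondition such as `"cloudtrail_reenabled_and_gap_bounded == true"` before the closing `]` of that list, or route the signal to a remediation that restores logging first. Separately, `cross_account_assume_role_anomaly` now appears under three items of different priority; that is fine if the consumer takes the highest-priority match, but worth confirming against whatever reads `for_signals`.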
|
|
@@ -57,6 +57,9 @@
|
|
|
57
57
|
"playbook_id": "secrets",
|
|
58
58
|
"condition": "analyze.classification == 'detected'"
|
|
59
59
|
}
|
|
60
|
+
],
|
|
61
|
+
"fed_by": [
|
|
62
|
+
"decompression-dos"
|
|
60
63
|
]
|
|
61
64
|
},
|
|
62
65
|
"domain": {
|
|
@@ -959,7 +962,11 @@
|
|
|
959
962
|
"api_stability_promise_permits_default_change == true OR major_version_bump_planned == true"
|
|
960
963
|
],
|
|
961
964
|
"priority": 1,
|
|
962
|
-
"for_signals": [
|
|
965
|
+
"for_signals": [
|
|
966
|
+
"no-ml-kem-implementation",
|
|
967
|
+
"rsa-1024-anywhere",
|
|
968
|
+
"tls-old-protocol"
|
|
969
|
+
],
|
|
963
970
|
"compensating_controls": [
|
|
964
971
|
"config_flag_for_classical_only_fallback_with_deprecation_warning",
|
|
965
972
|
"downstream_consumer_migration_guide_published"
|
|
@@ -974,7 +981,9 @@
|
|
|
974
981
|
"downstream_consumer_compat_path_planned == true"
|
|
975
982
|
],
|
|
976
983
|
"priority": 2,
|
|
977
|
-
"for_signals": [
|
|
984
|
+
"for_signals": [
|
|
985
|
+
"ecdsa-without-pqc-roadmap"
|
|
986
|
+
],
|
|
978
987
|
"compensating_controls": [
|
|
979
988
|
"dual_signature_envelope_during_migration",
|
|
980
989
|
"explicit_algorithm_identifier_in_signed_payload"
|
|
@@ -988,7 +997,10 @@
|
|
|
988
997
|
"weak_hash_call_sites_inventoried == true"
|
|
989
998
|
],
|
|
990
999
|
"priority": 3,
|
|
991
|
-
"for_signals": [
|
|
1000
|
+
"for_signals": [
|
|
1001
|
+
"weak-hash-import",
|
|
1002
|
+
"weak-cipher-mode"
|
|
1003
|
+
],
|
|
992
1004
|
"compensating_controls": [
|
|
993
1005
|
"deprecation_warning_emitted_when_legacy_hash_method_invoked",
|
|
994
1006
|
"telemetry_to_track_legacy_method_consumer_usage"
|
|
@@ -1003,7 +1015,10 @@
|
|
|
1003
1015
|
"performance_regression_acceptable_in_current_release == true"
|
|
1004
1016
|
],
|
|
1005
1017
|
"priority": 4,
|
|
1006
|
-
"for_signals": [
|
|
1018
|
+
"for_signals": [
|
|
1019
|
+
"pbkdf2-under-iterated",
|
|
1020
|
+
"bcrypt-cost-low"
|
|
1021
|
+
],
|
|
1007
1022
|
"compensating_controls": [
|
|
1008
1023
|
"kdf_parameter_floor_enforced_at_runtime_not_just_default",
|
|
1009
1024
|
"consumer_documentation_about_password_rehash_on_login_for_legacy_storage"
|
|
@@ -1017,7 +1032,9 @@
|
|
|
1017
1032
|
"rng_call_sites_inventoried == true"
|
|
1018
1033
|
],
|
|
1019
1034
|
"priority": 5,
|
|
1020
|
-
"for_signals": [
|
|
1035
|
+
"for_signals": [
|
|
1036
|
+
"math-random-in-security-path"
|
|
1037
|
+
],
|
|
1021
1038
|
"compensating_controls": [
|
|
1022
1039
|
"linter_rule_added_to_ci",
|
|
1023
1040
|
"data_flow_analysis_for_residual_paths"
|
|
@@ -1031,7 +1048,9 @@
|
|
|
1031
1048
|
"fips_provider_available_in_target_dep == true"
|
|
1032
1049
|
],
|
|
1033
1050
|
"priority": 6,
|
|
1034
|
-
"for_signals": [
|
|
1051
|
+
"for_signals": [
|
|
1052
|
+
"fips-claim-without-runtime-activation"
|
|
1053
|
+
],
|
|
1035
1054
|
"compensating_controls": [
|
|
1036
1055
|
"fips_runtime_assertion_in_init_path",
|
|
1037
1056
|
"ci_job_running_against_fips_provider_config"
|
|
@@ -1045,7 +1064,9 @@
|
|
|
1045
1064
|
"vendored_crypto_inventoried == true"
|
|
1046
1065
|
],
|
|
1047
1066
|
"priority": 7,
|
|
1048
|
-
"for_signals": [
|
|
1067
|
+
"for_signals": [
|
|
1068
|
+
"vendored-pqc-no-provenance"
|
|
1069
|
+
],
|
|
1049
1070
|
"compensating_controls": [
|
|
1050
1071
|
"vendored_copy_pinned_to_release_tag_not_branch",
|
|
1051
1072
|
"automated_upstream_security_advisory_subscription"
|
|
@@ -1059,7 +1080,9 @@
|
|
|
1059
1080
|
"api_change_acceptable_in_next_major == true"
|
|
1060
1081
|
],
|
|
1061
1082
|
"priority": 8,
|
|
1062
|
-
"for_signals": [
|
|
1083
|
+
"for_signals": [
|
|
1084
|
+
"no-crypto-agility-abstraction"
|
|
1085
|
+
],
|
|
1063
1086
|
"compensating_controls": [
|
|
1064
1087
|
"deprecation_path_for_old_api",
|
|
1065
1088
|
"migration_guide_published"
|