@blamejs/exceptd-skills 0.16.16 → 0.16.17
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +2 -1
- package/CHANGELOG.md +4 -0
- package/README.md +5 -5
- package/bin/exceptd.js +2 -0
- package/data/_indexes/_meta.json +15 -14
- package/data/_indexes/activity-feed.json +10 -3
- package/data/_indexes/catalog-summaries.json +1 -1
- package/data/_indexes/chains.json +16829 -1572
- package/data/_indexes/currency.json +10 -1
- package/data/_indexes/frequency.json +79 -44
- package/data/_indexes/handoff-dag.json +5 -1
- package/data/_indexes/jurisdiction-map.json +6 -3
- package/data/_indexes/section-offsets.json +85 -0
- package/data/_indexes/stale-content.json +1 -1
- package/data/_indexes/summary-cards.json +41 -0
- package/data/_indexes/token-budget.json +53 -3
- package/data/_indexes/trigger-table.json +46 -0
- package/data/_indexes/xref.json +22 -0
- package/data/cwe-catalog.json +49 -2
- package/data/playbooks/crypto-codebase.json +31 -8
- package/data/playbooks/decompression-dos.json +626 -0
- package/data/playbooks/framework.json +1 -0
- package/manifest-snapshot.json +56 -2
- package/manifest-snapshot.sha256 +1 -1
- package/manifest.json +108 -50
- package/package.json +2 -2
- package/sbom.cdx.json +60 -30
- package/skills/decompression-dos/skill.md +83 -0
package/data/_indexes/xref.json
CHANGED
|
@@ -42,6 +42,7 @@
|
|
|
42
42
|
"CWE-22": [
|
|
43
43
|
"api-security",
|
|
44
44
|
"attack-surface-pentest",
|
|
45
|
+
"decompression-dos",
|
|
45
46
|
"mail-server-hardening",
|
|
46
47
|
"mcp-agent-trust",
|
|
47
48
|
"webapp-security"
|
|
@@ -238,6 +239,7 @@
|
|
|
238
239
|
"mail-server-hardening"
|
|
239
240
|
],
|
|
240
241
|
"CWE-400": [
|
|
242
|
+
"decompression-dos",
|
|
241
243
|
"mail-server-hardening",
|
|
242
244
|
"multitenancy-isolation"
|
|
243
245
|
],
|
|
@@ -251,10 +253,23 @@
|
|
|
251
253
|
"multitenancy-isolation"
|
|
252
254
|
],
|
|
253
255
|
"CWE-770": [
|
|
256
|
+
"decompression-dos",
|
|
254
257
|
"multitenancy-isolation"
|
|
255
258
|
],
|
|
256
259
|
"CWE-668": [
|
|
257
260
|
"multitenancy-isolation"
|
|
261
|
+
],
|
|
262
|
+
"CWE-409": [
|
|
263
|
+
"decompression-dos"
|
|
264
|
+
],
|
|
265
|
+
"CWE-1333": [
|
|
266
|
+
"decompression-dos"
|
|
267
|
+
],
|
|
268
|
+
"CWE-776": [
|
|
269
|
+
"decompression-dos"
|
|
270
|
+
],
|
|
271
|
+
"CWE-834": [
|
|
272
|
+
"decompression-dos"
|
|
258
273
|
]
|
|
259
274
|
},
|
|
260
275
|
"d3fend_refs": {
|
|
@@ -378,6 +393,7 @@
|
|
|
378
393
|
"framework_gaps": {
|
|
379
394
|
"NIST-800-53-SI-2": [
|
|
380
395
|
"audit-log-integrity",
|
|
396
|
+
"decompression-dos",
|
|
381
397
|
"kernel-lpe-triage",
|
|
382
398
|
"mail-server-hardening"
|
|
383
399
|
],
|
|
@@ -623,6 +639,7 @@
|
|
|
623
639
|
"sector-telecom"
|
|
624
640
|
],
|
|
625
641
|
"AU-ISM-1556": [
|
|
642
|
+
"decompression-dos",
|
|
626
643
|
"multitenancy-isolation",
|
|
627
644
|
"sector-telecom",
|
|
628
645
|
"self-update-integrity"
|
|
@@ -710,6 +727,7 @@
|
|
|
710
727
|
],
|
|
711
728
|
"NIS2-Art21-network-security": [
|
|
712
729
|
"audit-log-integrity",
|
|
730
|
+
"decompression-dos",
|
|
713
731
|
"mail-server-hardening",
|
|
714
732
|
"multitenancy-isolation",
|
|
715
733
|
"network-trust",
|
|
@@ -719,6 +737,7 @@
|
|
|
719
737
|
"network-trust"
|
|
720
738
|
],
|
|
721
739
|
"UK-CAF-B4": [
|
|
740
|
+
"decompression-dos",
|
|
722
741
|
"multitenancy-isolation",
|
|
723
742
|
"network-trust",
|
|
724
743
|
"self-update-integrity"
|
|
@@ -822,6 +841,7 @@
|
|
|
822
841
|
"T1059": [
|
|
823
842
|
"ai-attack-surface",
|
|
824
843
|
"attack-surface-pentest",
|
|
844
|
+
"decompression-dos",
|
|
825
845
|
"mcp-agent-trust",
|
|
826
846
|
"ransomware-response",
|
|
827
847
|
"webapp-security"
|
|
@@ -1013,9 +1033,11 @@
|
|
|
1013
1033
|
"self-update-integrity"
|
|
1014
1034
|
],
|
|
1015
1035
|
"T1499": [
|
|
1036
|
+
"decompression-dos",
|
|
1016
1037
|
"multitenancy-isolation"
|
|
1017
1038
|
],
|
|
1018
1039
|
"T1499.001": [
|
|
1040
|
+
"decompression-dos",
|
|
1019
1041
|
"multitenancy-isolation"
|
|
1020
1042
|
]
|
|
1021
1043
|
},
|
package/data/cwe-catalog.json
CHANGED
|
@@ -88,6 +88,7 @@
|
|
|
88
88
|
"skills_referencing": [
|
|
89
89
|
"api-security",
|
|
90
90
|
"attack-surface-pentest",
|
|
91
|
+
"decompression-dos",
|
|
91
92
|
"mail-server-hardening",
|
|
92
93
|
"mcp-agent-trust",
|
|
93
94
|
"webapp-security"
|
|
@@ -3071,6 +3072,7 @@
|
|
|
3071
3072
|
"_auto_imported": true,
|
|
3072
3073
|
"_intake_method": "v0.13.18-bulk-mitre-cwe-curated",
|
|
3073
3074
|
"skills_referencing": [
|
|
3075
|
+
"decompression-dos",
|
|
3074
3076
|
"mail-server-hardening",
|
|
3075
3077
|
"multitenancy-isolation"
|
|
3076
3078
|
]
|
|
@@ -3780,6 +3782,7 @@
|
|
|
3780
3782
|
"_auto_imported": true,
|
|
3781
3783
|
"_intake_method": "v0.13.18-bulk-mitre-cwe-curated",
|
|
3782
3784
|
"skills_referencing": [
|
|
3785
|
+
"decompression-dos",
|
|
3783
3786
|
"multitenancy-isolation"
|
|
3784
3787
|
]
|
|
3785
3788
|
},
|
|
@@ -3819,7 +3822,10 @@
|
|
|
3819
3822
|
"last_verified": "2026-05-19",
|
|
3820
3823
|
"notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
|
|
3821
3824
|
"_auto_imported": true,
|
|
3822
|
-
"_intake_method": "v0.13.18-bulk-mitre-cwe-curated"
|
|
3825
|
+
"_intake_method": "v0.13.18-bulk-mitre-cwe-curated",
|
|
3826
|
+
"skills_referencing": [
|
|
3827
|
+
"decompression-dos"
|
|
3828
|
+
]
|
|
3823
3829
|
},
|
|
3824
3830
|
"CWE-778": {
|
|
3825
3831
|
"id": "CWE-778",
|
|
@@ -3879,7 +3885,10 @@
|
|
|
3879
3885
|
"last_verified": "2026-05-19",
|
|
3880
3886
|
"notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
|
|
3881
3887
|
"_auto_imported": true,
|
|
3882
|
-
"_intake_method": "v0.13.18-bulk-mitre-cwe-curated"
|
|
3888
|
+
"_intake_method": "v0.13.18-bulk-mitre-cwe-curated",
|
|
3889
|
+
"skills_referencing": [
|
|
3890
|
+
"decompression-dos"
|
|
3891
|
+
]
|
|
3883
3892
|
},
|
|
3884
3893
|
"CWE-835": {
|
|
3885
3894
|
"id": "CWE-835",
|
|
@@ -4554,5 +4563,43 @@
|
|
|
4554
4563
|
"CVE-2023-51765",
|
|
4555
4564
|
"CVE-2023-51766"
|
|
4556
4565
|
]
|
|
4566
|
+
},
|
|
4567
|
+
"CWE-409": {
|
|
4568
|
+
"id": "CWE-409",
|
|
4569
|
+
"name": "Improper Handling of Highly Compressed Data (Data Amplification)",
|
|
4570
|
+
"abstraction": "Base",
|
|
4571
|
+
"category": "Resource Management",
|
|
4572
|
+
"description": "The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. MITRE-canonical; full text at https://cwe.mitre.org/data/definitions/409.html. Backs the decompression-bomb / zip-bomb / nested-archive class (no decompressed-size or ratio cap).",
|
|
4573
|
+
"top_25_rank_2024": null,
|
|
4574
|
+
"top_25_rank_2025": null,
|
|
4575
|
+
"view_memberships": [
|
|
4576
|
+
"CWE-1000"
|
|
4577
|
+
],
|
|
4578
|
+
"related_attack_patterns_capec": [
|
|
4579
|
+
"CAPEC-197"
|
|
4580
|
+
],
|
|
4581
|
+
"skills_referencing": [
|
|
4582
|
+
"decompression-dos"
|
|
4583
|
+
],
|
|
4584
|
+
"evidence_cves": []
|
|
4585
|
+
},
|
|
4586
|
+
"CWE-1333": {
|
|
4587
|
+
"id": "CWE-1333",
|
|
4588
|
+
"name": "Inefficient Regular Expression Complexity",
|
|
4589
|
+
"abstraction": "Base",
|
|
4590
|
+
"category": "Resource Management",
|
|
4591
|
+
"description": "The product uses a regular expression with inefficient, possibly exponential worst-case complexity on a value that can be controlled by an actor, enabling catastrophic backtracking (ReDoS). MITRE-canonical; full text at https://cwe.mitre.org/data/definitions/1333.html.",
|
|
4592
|
+
"top_25_rank_2024": null,
|
|
4593
|
+
"top_25_rank_2025": null,
|
|
4594
|
+
"view_memberships": [
|
|
4595
|
+
"CWE-1000"
|
|
4596
|
+
],
|
|
4597
|
+
"related_attack_patterns_capec": [
|
|
4598
|
+
"CAPEC-492"
|
|
4599
|
+
],
|
|
4600
|
+
"skills_referencing": [
|
|
4601
|
+
"decompression-dos"
|
|
4602
|
+
],
|
|
4603
|
+
"evidence_cves": []
|
|
4557
4604
|
}
|
|
4558
4605
|
}
|
|
@@ -57,6 +57,9 @@
|
|
|
57
57
|
"playbook_id": "secrets",
|
|
58
58
|
"condition": "analyze.classification == 'detected'"
|
|
59
59
|
}
|
|
60
|
+
],
|
|
61
|
+
"fed_by": [
|
|
62
|
+
"decompression-dos"
|
|
60
63
|
]
|
|
61
64
|
},
|
|
62
65
|
"domain": {
|
|
@@ -959,7 +962,11 @@
|
|
|
959
962
|
"api_stability_promise_permits_default_change == true OR major_version_bump_planned == true"
|
|
960
963
|
],
|
|
961
964
|
"priority": 1,
|
|
962
|
-
"for_signals": [
|
|
965
|
+
"for_signals": [
|
|
966
|
+
"no-ml-kem-implementation",
|
|
967
|
+
"rsa-1024-anywhere",
|
|
968
|
+
"tls-old-protocol"
|
|
969
|
+
],
|
|
963
970
|
"compensating_controls": [
|
|
964
971
|
"config_flag_for_classical_only_fallback_with_deprecation_warning",
|
|
965
972
|
"downstream_consumer_migration_guide_published"
|
|
@@ -974,7 +981,9 @@
|
|
|
974
981
|
"downstream_consumer_compat_path_planned == true"
|
|
975
982
|
],
|
|
976
983
|
"priority": 2,
|
|
977
|
-
"for_signals": [
|
|
984
|
+
"for_signals": [
|
|
985
|
+
"ecdsa-without-pqc-roadmap"
|
|
986
|
+
],
|
|
978
987
|
"compensating_controls": [
|
|
979
988
|
"dual_signature_envelope_during_migration",
|
|
980
989
|
"explicit_algorithm_identifier_in_signed_payload"
|
|
@@ -988,7 +997,10 @@
|
|
|
988
997
|
"weak_hash_call_sites_inventoried == true"
|
|
989
998
|
],
|
|
990
999
|
"priority": 3,
|
|
991
|
-
"for_signals": [
|
|
1000
|
+
"for_signals": [
|
|
1001
|
+
"weak-hash-import",
|
|
1002
|
+
"weak-cipher-mode"
|
|
1003
|
+
],
|
|
992
1004
|
"compensating_controls": [
|
|
993
1005
|
"deprecation_warning_emitted_when_legacy_hash_method_invoked",
|
|
994
1006
|
"telemetry_to_track_legacy_method_consumer_usage"
|
|
@@ -1003,7 +1015,10 @@
|
|
|
1003
1015
|
"performance_regression_acceptable_in_current_release == true"
|
|
1004
1016
|
],
|
|
1005
1017
|
"priority": 4,
|
|
1006
|
-
"for_signals": [
|
|
1018
|
+
"for_signals": [
|
|
1019
|
+
"pbkdf2-under-iterated",
|
|
1020
|
+
"bcrypt-cost-low"
|
|
1021
|
+
],
|
|
1007
1022
|
"compensating_controls": [
|
|
1008
1023
|
"kdf_parameter_floor_enforced_at_runtime_not_just_default",
|
|
1009
1024
|
"consumer_documentation_about_password_rehash_on_login_for_legacy_storage"
|
|
@@ -1017,7 +1032,9 @@
|
|
|
1017
1032
|
"rng_call_sites_inventoried == true"
|
|
1018
1033
|
],
|
|
1019
1034
|
"priority": 5,
|
|
1020
|
-
"for_signals": [
|
|
1035
|
+
"for_signals": [
|
|
1036
|
+
"math-random-in-security-path"
|
|
1037
|
+
],
|
|
1021
1038
|
"compensating_controls": [
|
|
1022
1039
|
"linter_rule_added_to_ci",
|
|
1023
1040
|
"data_flow_analysis_for_residual_paths"
|
|
@@ -1031,7 +1048,9 @@
|
|
|
1031
1048
|
"fips_provider_available_in_target_dep == true"
|
|
1032
1049
|
],
|
|
1033
1050
|
"priority": 6,
|
|
1034
|
-
"for_signals": [
|
|
1051
|
+
"for_signals": [
|
|
1052
|
+
"fips-claim-without-runtime-activation"
|
|
1053
|
+
],
|
|
1035
1054
|
"compensating_controls": [
|
|
1036
1055
|
"fips_runtime_assertion_in_init_path",
|
|
1037
1056
|
"ci_job_running_against_fips_provider_config"
|
|
@@ -1045,7 +1064,9 @@
|
|
|
1045
1064
|
"vendored_crypto_inventoried == true"
|
|
1046
1065
|
],
|
|
1047
1066
|
"priority": 7,
|
|
1048
|
-
"for_signals": [
|
|
1067
|
+
"for_signals": [
|
|
1068
|
+
"vendored-pqc-no-provenance"
|
|
1069
|
+
],
|
|
1049
1070
|
"compensating_controls": [
|
|
1050
1071
|
"vendored_copy_pinned_to_release_tag_not_branch",
|
|
1051
1072
|
"automated_upstream_security_advisory_subscription"
|
|
@@ -1059,7 +1080,9 @@
|
|
|
1059
1080
|
"api_change_acceptable_in_next_major == true"
|
|
1060
1081
|
],
|
|
1061
1082
|
"priority": 8,
|
|
1062
|
-
"for_signals": [
|
|
1083
|
+
"for_signals": [
|
|
1084
|
+
"no-crypto-agility-abstraction"
|
|
1085
|
+
],
|
|
1063
1086
|
"compensating_controls": [
|
|
1064
1087
|
"deprecation_path_for_old_api",
|
|
1065
1088
|
"migration_guide_published"
|