@blamejs/exceptd-skills 0.16.20 → 0.16.22
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +8 -0
- package/README.md +1 -1
- package/bin/exceptd.js +1 -16
- package/data/_indexes/_meta.json +2 -2
- package/lib/refresh-external.js +24 -2
- package/manifest.json +53 -53
- package/package.json +1 -1
- package/sbom.cdx.json +20 -20
- package/sources/validators/cve-validator.js +6 -1
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,13 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 0.16.22 — 2026-06-05
|
|
4
|
+
|
|
5
|
+
When the automated external-data refresh applies a CISA KEV listing change to a catalog entry, it now updates the entry's RWEP factor and score in the same write, honouring whichever factor shape the entry stores. Previously only the flag flipped, leaving the stored score failing the factor-sum invariant the catalog enforces — the first real KEV listing the refresh applied surfaced this as a 25-point mismatch. A first listing also now carries its KEV date: the drift check emitted a date change only when the local entry already had one, so a newly listed CVE arrived dated null. The refresh workflow's post-apply gate now runs structural validation (catalog schema and RWEP coherence, cross-references, index freshness, skill lint) instead of the full test suite: the suite's curation-completeness checks assert guarantees that human curation supplies after import, so they gate the automated data PR's merge rather than its creation. The workflow also regenerates the SBOM over freshly applied data and consumes its own just-built prefetch cache on runners that have no signing key.
|
|
6
|
+
|
|
7
|
+
## 0.16.21 — 2026-06-04
|
|
8
|
+
|
|
9
|
+
The deprecation pointer for `prefetch` — on the help screen and in the README alias table — named `refresh --no-network`, which is a report-only dry run: an operator following it got a list of what would be fetched instead of a populated cache. Both now point at `refresh --prefetch`, which runs the same cache population as `prefetch` itself. The two scheduled repository workflows (external-data refresh, ATLAS currency) are also repaired: an upstream action tag had been re-pointed so its pinned commit no longer existed, and the Node setup step requested npm caching in a repo that intentionally ships no lock file — both workflows now run again, and the refresh job installs with `--no-package-lock` so a generated lock file can never ride along in its automated data PRs.
|
|
10
|
+
|
|
3
11
|
## 0.16.20 — 2026-06-02
|
|
4
12
|
|
|
5
13
|
CVE curation now accepts three operator-supplied fields it previously dropped or rejected: `ai_discovery_source` (the AI-discovery provenance category — vendor research, AI-augmented bug bounty, academic fuzzing, threat-actor-built, human, or unknown), `vendor_update_paths` (the restart-required vendor remediation steps), and the `theoretical` value of `active_exploitation` (a published proof-of-concept with no observed in-the-wild use). All three are already valid in the catalog and factored by RWEP scoring, so a curated entry that supplies them is no longer stripped of its provenance or remediation detail before being written.
|
package/README.md
CHANGED
|
@@ -522,7 +522,7 @@ The remaining v0.10.x verbs are still functional, no banner, no removal schedule
|
|
|
522
522
|
| `validate-rfcs` | `doctor --rfcs` | matches canonical |
|
|
523
523
|
| `list-attestations` | `attest list` | matches canonical |
|
|
524
524
|
| `reattest <sid>` | `attest diff <sid>` | matches canonical |
|
|
525
|
-
| `prefetch` | `refresh --
|
|
525
|
+
| `prefetch` | `refresh --prefetch` | matches canonical |
|
|
526
526
|
| `build-indexes` | `refresh --indexes-only` | matches canonical |
|
|
527
527
|
|
|
528
528
|
**Legacy passthrough verbs** — dispatch to the v0.10.x orchestrator script. The output shape is **NOT** identical to the canonical verb — it's the legacy `{timestamp, host, findings}` envelope. Use the canonical verb when you want the v0.11+ structured envelope contract; the passthrough is kept only for scripts that depend on the legacy output:
|
package/bin/exceptd.js
CHANGED
|
@@ -243,21 +243,6 @@ const REMOVED_VERBS = {
|
|
|
243
243
|
ingest: "run",
|
|
244
244
|
};
|
|
245
245
|
|
|
246
|
-
// Renamed but functionally-routed verbs (orchestrator-side dispatch still
|
|
247
|
-
// handles them as of v0.13). Distinct from REMOVED_VERBS — these aren't
|
|
248
|
-
// refused; they're just a soft hint that the rename happened. No banner
|
|
249
|
-
// is emitted post-v0.13.
|
|
250
|
-
const RENAMED_VERBS_HINT = {
|
|
251
|
-
scan: "discover --scan-only",
|
|
252
|
-
dispatch: "discover",
|
|
253
|
-
currency: "doctor --currency",
|
|
254
|
-
verify: "doctor --signatures",
|
|
255
|
-
"validate-cves": "doctor --cves",
|
|
256
|
-
"validate-rfcs": "doctor --rfcs",
|
|
257
|
-
prefetch: "refresh --no-network",
|
|
258
|
-
"build-indexes": "refresh --indexes-only",
|
|
259
|
-
};
|
|
260
|
-
|
|
261
246
|
/**
|
|
262
247
|
* v0.13.5: Windows ACL audit helper for `doctor --ai-config`. Replaces
|
|
263
248
|
* the v0.13.3 "manual review" placeholder with a real check.
|
|
@@ -515,7 +500,7 @@ surfaces.
|
|
|
515
500
|
[DEPRECATED] verify → doctor --signatures
|
|
516
501
|
[DEPRECATED] validate-cves → doctor --cves
|
|
517
502
|
[DEPRECATED] validate-rfcs → doctor --rfcs
|
|
518
|
-
[DEPRECATED] prefetch → refresh --
|
|
503
|
+
[DEPRECATED] prefetch → refresh --prefetch
|
|
519
504
|
[DEPRECATED] build-indexes → refresh --indexes-only
|
|
520
505
|
|
|
521
506
|
Accepted short forms (canonical — not deprecated):
|
package/data/_indexes/_meta.json
CHANGED
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
{
|
|
2
2
|
"schema_version": "1.1.0",
|
|
3
|
-
"generated_at": "2026-06-
|
|
3
|
+
"generated_at": "2026-06-05T14:37:44.664Z",
|
|
4
4
|
"generator": "scripts/build-indexes.js",
|
|
5
5
|
"source_count": 63,
|
|
6
6
|
"source_hashes": {
|
|
7
|
-
"manifest.json": "
|
|
7
|
+
"manifest.json": "0d633a546c8d60d593625a6ddc140c6bd6a8c1f940ea29cf0dc4dfddb72b6b39",
|
|
8
8
|
"data/atlas-ttps.json": "f66b456cf82a3c20575d8479de41f7b11b7ee5693eb1fcf64a67e162ae1b88a2",
|
|
9
9
|
"data/attack-techniques.json": "c39f28e3402ef13ad9b7076819f63fda67a22f97e3e375cfe01c4a4e0beff7c9",
|
|
10
10
|
"data/cve-catalog.json": "8264da4534d39c9493cfcd18acf7e38ed47ce2a81be15afd5a3f4baf1d504929",
|
package/lib/refresh-external.js
CHANGED
|
@@ -294,6 +294,24 @@ const KEV_SOURCE = {
|
|
|
294
294
|
continue;
|
|
295
295
|
}
|
|
296
296
|
catalog[d.id][d.field] = d.after;
|
|
297
|
+
// A cisa_kev flip changes the entry's RWEP: the KEV factor carries
|
|
298
|
+
// RWEP_WEIGHTS.cisa_kev points, and the catalog invariant requires
|
|
299
|
+
// rwep_score to equal the factor sum. Writing the flag without the
|
|
300
|
+
// factor + score left entries failing scoring.validate() (stored 45
|
|
301
|
+
// vs computed 70 on the first real KEV listing the refresh applied).
|
|
302
|
+
if (d.field === "cisa_kev") {
|
|
303
|
+
const entry = catalog[d.id];
|
|
304
|
+
if (entry.rwep_factors && typeof entry.rwep_factors === "object") {
|
|
305
|
+
const scoring = require("./scoring");
|
|
306
|
+
// Match the stored factor shape: Shape A keeps the boolean,
|
|
307
|
+
// Shape B (the catalog norm) stores the post-weight contribution.
|
|
308
|
+
entry.rwep_factors.cisa_kev =
|
|
309
|
+
typeof entry.rwep_factors.cisa_kev === "boolean"
|
|
310
|
+
? !!d.after
|
|
311
|
+
: (d.after ? scoring.RWEP_WEIGHTS.cisa_kev : 0);
|
|
312
|
+
entry.rwep_score = scoring.deriveRwepFromFactors(entry.rwep_factors);
|
|
313
|
+
}
|
|
314
|
+
}
|
|
297
315
|
catalog[d.id].last_verified = TODAY;
|
|
298
316
|
updated++;
|
|
299
317
|
}
|
|
@@ -830,8 +848,12 @@ function kevDiffFromCache(ctx) {
|
|
|
830
848
|
diffs.push({ id, field: "cisa_kev", before: entry.cisa_kev, after: upstream, severity: "high" });
|
|
831
849
|
}
|
|
832
850
|
const upDate = kevDates.get(id) || null;
|
|
833
|
-
|
|
834
|
-
|
|
851
|
+
// First listings arrive with a null local date — emit the date diff
|
|
852
|
+
// whenever upstream has one that the local entry lacks or contradicts,
|
|
853
|
+
// so the flag flip and its listing date apply together (the strict
|
|
854
|
+
// catalog validator requires KEV-listed entries to carry the date).
|
|
855
|
+
if (upDate && (entry.cisa_kev_date || null) !== upDate) {
|
|
856
|
+
diffs.push({ id, field: "cisa_kev_date", before: entry.cisa_kev_date ?? null, after: upDate, severity: "low" });
|
|
835
857
|
}
|
|
836
858
|
}
|
|
837
859
|
return { status: "ok", diffs, errors: 0, summary: `${diffs.length} KEV diffs (from cache)` };
|
package/manifest.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "exceptd-security",
|
|
3
|
-
"version": "0.16.
|
|
3
|
+
"version": "0.16.22",
|
|
4
4
|
"description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
|
|
5
5
|
"homepage": "https://exceptd.com",
|
|
6
6
|
"license": "Apache-2.0",
|
|
@@ -53,7 +53,7 @@
|
|
|
53
53
|
],
|
|
54
54
|
"last_threat_review": "2026-05-15",
|
|
55
55
|
"signature": "0H+JfyUVmo/pVFEi5rLENATHjlukPVUqnOWmNPEH77wm8svKGK0aNJ46k6QU5GdHb8c9X9pVJKiuhON6AxDjDw==",
|
|
56
|
-
"signed_at": "2026-06-
|
|
56
|
+
"signed_at": "2026-06-05T14:36:05.079Z",
|
|
57
57
|
"cwe_refs": [
|
|
58
58
|
"CWE-125",
|
|
59
59
|
"CWE-362",
|
|
@@ -123,7 +123,7 @@
|
|
|
123
123
|
],
|
|
124
124
|
"last_threat_review": "2026-05-17",
|
|
125
125
|
"signature": "PHwHEsoy7ctBYOtlAfAdCDVfsq2Bpk9+qESSF+5dVkDcez2zp2v9Ihsv2vqMEs3QxMndyQ+t7NVezyt5VamSCg==",
|
|
126
|
-
"signed_at": "2026-06-
|
|
126
|
+
"signed_at": "2026-06-05T14:36:05.081Z",
|
|
127
127
|
"cwe_refs": [
|
|
128
128
|
"CWE-1039",
|
|
129
129
|
"CWE-1426",
|
|
@@ -196,7 +196,7 @@
|
|
|
196
196
|
],
|
|
197
197
|
"last_threat_review": "2026-05-17",
|
|
198
198
|
"signature": "dD4p7lcRtMyfITOncqLkpOeMy6x6gM0V7UlWHgLEdcxqODb1s75ar1cBtTqDWPbMv6ZAzVo2HJLDK1hVjjU2AQ==",
|
|
199
|
-
"signed_at": "2026-06-
|
|
199
|
+
"signed_at": "2026-06-05T14:36:05.081Z",
|
|
200
200
|
"cwe_refs": [
|
|
201
201
|
"CWE-22",
|
|
202
202
|
"CWE-345",
|
|
@@ -248,7 +248,7 @@
|
|
|
248
248
|
"framework_gaps": [],
|
|
249
249
|
"last_threat_review": "2026-05-22",
|
|
250
250
|
"signature": "wsw8Mlr/gyw6S7Iaao9BVHdU5LFPWl8WVymW17Lkq9J1Mui0+fCrTg6UbrsaeE3s7EW3TVgzBuK+8EFd1+H5AA==",
|
|
251
|
-
"signed_at": "2026-06-
|
|
251
|
+
"signed_at": "2026-06-05T14:36:05.082Z"
|
|
252
252
|
},
|
|
253
253
|
{
|
|
254
254
|
"name": "compliance-theater",
|
|
@@ -279,7 +279,7 @@
|
|
|
279
279
|
],
|
|
280
280
|
"last_threat_review": "2026-05-22",
|
|
281
281
|
"signature": "uVTc1QRKOKcIVDajBz+q2egjiEAyOQaDNsvVI2ghj5FD0VvquoUBBE5Naca2FkaZa790EHWCsVZ4hhdaSQs2DQ==",
|
|
282
|
-
"signed_at": "2026-06-
|
|
282
|
+
"signed_at": "2026-06-05T14:36:05.082Z"
|
|
283
283
|
},
|
|
284
284
|
{
|
|
285
285
|
"name": "exploit-scoring",
|
|
@@ -308,7 +308,7 @@
|
|
|
308
308
|
],
|
|
309
309
|
"last_threat_review": "2026-05-18",
|
|
310
310
|
"signature": "QuNpwnZ6HkCEAXTPC/jLbXSmMIc1JnBczqZAAIZmZj8OcEMVnw9mJYAnU3CxaEI7rvbcMkN2uS5E8yUCm/NiAg==",
|
|
311
|
-
"signed_at": "2026-06-
|
|
311
|
+
"signed_at": "2026-06-05T14:36:05.083Z"
|
|
312
312
|
},
|
|
313
313
|
{
|
|
314
314
|
"name": "rag-pipeline-security",
|
|
@@ -345,7 +345,7 @@
|
|
|
345
345
|
],
|
|
346
346
|
"last_threat_review": "2026-05-22",
|
|
347
347
|
"signature": "5rw2i39SxY2WphBbDLEP28wufnbPPE9+PWt54hmaGdwHXr9RLiVt5liL/5xp14sehlVgFsfpR/bg9vy//xV0DA==",
|
|
348
|
-
"signed_at": "2026-06-
|
|
348
|
+
"signed_at": "2026-06-05T14:36:05.083Z",
|
|
349
349
|
"cwe_refs": [
|
|
350
350
|
"CWE-1395",
|
|
351
351
|
"CWE-1426"
|
|
@@ -405,7 +405,7 @@
|
|
|
405
405
|
],
|
|
406
406
|
"last_threat_review": "2026-05-17",
|
|
407
407
|
"signature": "Vqu49nzntFWjn9A/QeJzm7q/2xk/cZJ6HFQKtiNi1zgcxzXKm+MlFdkaLgYHWj5/9HJohxyIDyBJQTvcJ20eDQ==",
|
|
408
|
-
"signed_at": "2026-06-
|
|
408
|
+
"signed_at": "2026-06-05T14:36:05.084Z",
|
|
409
409
|
"d3fend_refs": [
|
|
410
410
|
"D3-CA",
|
|
411
411
|
"D3-CSPP",
|
|
@@ -440,7 +440,7 @@
|
|
|
440
440
|
"framework_gaps": [],
|
|
441
441
|
"last_threat_review": "2026-05-22",
|
|
442
442
|
"signature": "W87VdyVdAxAdcRI6P/8StaV+MS8ZSPKM9HOCK9n/bBO6BM3ZSE3uImVoyJVpAXQlUpUGN+A3lCJZXv64LuxwDg==",
|
|
443
|
-
"signed_at": "2026-06-
|
|
443
|
+
"signed_at": "2026-06-05T14:36:05.084Z",
|
|
444
444
|
"cwe_refs": [
|
|
445
445
|
"CWE-1188"
|
|
446
446
|
],
|
|
@@ -474,7 +474,7 @@
|
|
|
474
474
|
"framework_gaps": [],
|
|
475
475
|
"last_threat_review": "2026-05-18",
|
|
476
476
|
"signature": "wdVX+edeNekpaIldqkhvtraV6DquLvIsKAjuZVwPQYn3l1vS99HXuFxmNsD7UeMlO3qgC6Dysfsto9EnuH0RBg==",
|
|
477
|
-
"signed_at": "2026-06-
|
|
477
|
+
"signed_at": "2026-06-05T14:36:05.084Z",
|
|
478
478
|
"forward_watch": [
|
|
479
479
|
"New AI attack classes as ATLAS v6 publishes",
|
|
480
480
|
"Post-quantum adversary capability timeline",
|
|
@@ -513,7 +513,7 @@
|
|
|
513
513
|
"framework_gaps": [],
|
|
514
514
|
"last_threat_review": "2026-05-01",
|
|
515
515
|
"signature": "b5miTiY0cnxETd2btxorfZBdJKt/fLnQx20sGYUb9zEqGqtm0LMLpghkW68j4/9k48KNyuGMtNWiKTSnodUGBw==",
|
|
516
|
-
"signed_at": "2026-06-
|
|
516
|
+
"signed_at": "2026-06-05T14:36:05.085Z"
|
|
517
517
|
},
|
|
518
518
|
{
|
|
519
519
|
"name": "zeroday-gap-learn",
|
|
@@ -540,7 +540,7 @@
|
|
|
540
540
|
"framework_gaps": [],
|
|
541
541
|
"last_threat_review": "2026-05-18",
|
|
542
542
|
"signature": "xbkip0AQtWQKAu+O6r/gYECNjezS6O9k9xkkJsYbMlr+j8CdqH3p5/0l+GZmDidImRC/DL07GCnKrk9HRR/yDQ==",
|
|
543
|
-
"signed_at": "2026-06-
|
|
543
|
+
"signed_at": "2026-06-05T14:36:05.085Z",
|
|
544
544
|
"forward_watch": [
|
|
545
545
|
"New CISA KEV entries",
|
|
546
546
|
"New ATLAS TTP additions in each ATLAS release",
|
|
@@ -604,7 +604,7 @@
|
|
|
604
604
|
],
|
|
605
605
|
"last_threat_review": "2026-05-22",
|
|
606
606
|
"signature": "li2NnC1oeVIr22ComP5QbcQoh5xpWITuaKpza1s2SsUkH6kGnnt4wFfFAzaC1ORmH9x2cr8hN8kaNANG/eIMBQ==",
|
|
607
|
-
"signed_at": "2026-06-
|
|
607
|
+
"signed_at": "2026-06-05T14:36:05.085Z",
|
|
608
608
|
"cwe_refs": [
|
|
609
609
|
"CWE-327"
|
|
610
610
|
],
|
|
@@ -652,7 +652,7 @@
|
|
|
652
652
|
],
|
|
653
653
|
"last_threat_review": "2026-05-22",
|
|
654
654
|
"signature": "sZHlJ7ueHPdtzVbR+yXQ5+wKgNyjWsa1LKVg9aWTmg/Onl71DvEILMyJiLpPQjseT56Mnr1DMYJE8xOGlffBAw==",
|
|
655
|
-
"signed_at": "2026-06-
|
|
655
|
+
"signed_at": "2026-06-05T14:36:05.086Z"
|
|
656
656
|
},
|
|
657
657
|
{
|
|
658
658
|
"name": "security-maturity-tiers",
|
|
@@ -689,7 +689,7 @@
|
|
|
689
689
|
],
|
|
690
690
|
"last_threat_review": "2026-05-01",
|
|
691
691
|
"signature": "3AwFnEJu6DukPPNep/3SnuPWEuV060fJEQIwThFm7ujmdbFk0/Ii0XwGv1dkvbbK7ymMdOQpp35l4aLONAucDA==",
|
|
692
|
-
"signed_at": "2026-06-
|
|
692
|
+
"signed_at": "2026-06-05T14:36:05.086Z",
|
|
693
693
|
"cwe_refs": [
|
|
694
694
|
"CWE-1188"
|
|
695
695
|
]
|
|
@@ -724,7 +724,7 @@
|
|
|
724
724
|
"framework_gaps": [],
|
|
725
725
|
"last_threat_review": "2026-05-11",
|
|
726
726
|
"signature": "iJWevUBurLvt2v8X+Ch2eHmZkPWpKeAtIpxTIP4MwbUHyco3igDeBywJCyaR2vURYRx8LkzzIMM8DxQM4LAXBQ==",
|
|
727
|
-
"signed_at": "2026-06-
|
|
727
|
+
"signed_at": "2026-06-05T14:36:05.086Z"
|
|
728
728
|
},
|
|
729
729
|
{
|
|
730
730
|
"name": "attack-surface-pentest",
|
|
@@ -796,7 +796,7 @@
|
|
|
796
796
|
"Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Microsoft Edge 4-bug sandbox escape by Orange Tsai (DEVCORE); forward-watch only (browser sandbox, out of current playbook scope); track Microsoft Edge security advisory and KEV add"
|
|
797
797
|
],
|
|
798
798
|
"signature": "DDMzI+4En4aIkwBUCGW6nj1eEkCyLqHGn2LJ2rnwWfYatjPI1U5HrTZNAN/n9JqWtAzk8F3rmsKehaaz5iNWDA==",
|
|
799
|
-
"signed_at": "2026-06-
|
|
799
|
+
"signed_at": "2026-06-05T14:36:05.087Z"
|
|
800
800
|
},
|
|
801
801
|
{
|
|
802
802
|
"name": "fuzz-testing-strategy",
|
|
@@ -856,7 +856,7 @@
|
|
|
856
856
|
"OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
|
|
857
857
|
],
|
|
858
858
|
"signature": "dJB0iAstIUbyny+udl3OIkaLScEmqS97LNP73yQ8mxt+0bcqxZjpfXaWLzLuIQblGYvUvz75/H6rO2EJuGd4AQ==",
|
|
859
|
-
"signed_at": "2026-06-
|
|
859
|
+
"signed_at": "2026-06-05T14:36:05.087Z"
|
|
860
860
|
},
|
|
861
861
|
{
|
|
862
862
|
"name": "dlp-gap-analysis",
|
|
@@ -931,7 +931,7 @@
|
|
|
931
931
|
"Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
|
|
932
932
|
],
|
|
933
933
|
"signature": "KEAoMji3VcPX/ZXXqVe6OStxSkTssfY9fIRPyPcDYqh50GzOFQ6koNOTBVAiWOvjDjQ38g12xun5srbqgmvRAw==",
|
|
934
|
-
"signed_at": "2026-06-
|
|
934
|
+
"signed_at": "2026-06-05T14:36:05.088Z"
|
|
935
935
|
},
|
|
936
936
|
{
|
|
937
937
|
"name": "supply-chain-integrity",
|
|
@@ -1010,7 +1010,7 @@
|
|
|
1010
1010
|
"Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM-attestation impact"
|
|
1011
1011
|
],
|
|
1012
1012
|
"signature": "zuW8T0EMbVV83GsUP/W20Use2gBTicBW021T0sY7qsRY/U5qsPWkXYIWp3SdiKLTIKqTEd/0T7LQebjIs2QKCA==",
|
|
1013
|
-
"signed_at": "2026-06-
|
|
1013
|
+
"signed_at": "2026-06-05T14:36:05.088Z"
|
|
1014
1014
|
},
|
|
1015
1015
|
{
|
|
1016
1016
|
"name": "defensive-countermeasure-mapping",
|
|
@@ -1067,7 +1067,7 @@
|
|
|
1067
1067
|
],
|
|
1068
1068
|
"last_threat_review": "2026-05-11",
|
|
1069
1069
|
"signature": "Qe0Hg9BrX3Zm5pj0n2z/oiHbAXWdA2Dq461zc4izkkUjEX2CZ02rODjCI2ELbrVOU3GC7edxqAxA+5U/ObnHDQ==",
|
|
1070
|
-
"signed_at": "2026-06-
|
|
1070
|
+
"signed_at": "2026-06-05T14:36:05.088Z"
|
|
1071
1071
|
},
|
|
1072
1072
|
{
|
|
1073
1073
|
"name": "identity-assurance",
|
|
@@ -1134,7 +1134,7 @@
|
|
|
1134
1134
|
"d3fend_refs": [],
|
|
1135
1135
|
"last_threat_review": "2026-05-11",
|
|
1136
1136
|
"signature": "UV3458QXSkEpenzrOmdlTTfPHUD4hNyKMDHoeZDq/kiFb4mAG0ghQGTTgI9Ru8cJbSmYM1++m9N5TFIJ6JJPBg==",
|
|
1137
|
-
"signed_at": "2026-06-
|
|
1137
|
+
"signed_at": "2026-06-05T14:36:05.089Z"
|
|
1138
1138
|
},
|
|
1139
1139
|
{
|
|
1140
1140
|
"name": "ot-ics-security",
|
|
@@ -1190,7 +1190,7 @@
|
|
|
1190
1190
|
"d3fend_refs": [],
|
|
1191
1191
|
"last_threat_review": "2026-05-11",
|
|
1192
1192
|
"signature": "kIVzsPsJ72PzzWQwTuvjoHHoVEDCday5I52M9ohjB3/Ak+zlA8oyWLO/BKb/XuYY4fOApjfxTErSWv5uHQ2zDw==",
|
|
1193
|
-
"signed_at": "2026-06-
|
|
1193
|
+
"signed_at": "2026-06-05T14:36:05.089Z"
|
|
1194
1194
|
},
|
|
1195
1195
|
{
|
|
1196
1196
|
"name": "coordinated-vuln-disclosure",
|
|
@@ -1242,7 +1242,7 @@
|
|
|
1242
1242
|
"NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
|
|
1243
1243
|
],
|
|
1244
1244
|
"signature": "bWr27Q1uN9xCe1ib4QulszBa7YIDNkGqo72k5nm2cK98LyPblicD+sO9MnGckAyB22BTN/cIB+FwFMcI5IxvBw==",
|
|
1245
|
-
"signed_at": "2026-06-
|
|
1245
|
+
"signed_at": "2026-06-05T14:36:05.089Z"
|
|
1246
1246
|
},
|
|
1247
1247
|
{
|
|
1248
1248
|
"name": "threat-modeling-methodology",
|
|
@@ -1292,7 +1292,7 @@
|
|
|
1292
1292
|
"PASTA v2 updates incorporating AI/ML application threats"
|
|
1293
1293
|
],
|
|
1294
1294
|
"signature": "Q854yzLqXdOazc6EyQbZzgAlivuq2vGFDVUCrxSldSvx/HX/ZM/uzmJyP7aBG7ZsMHxj6Lmj/H82YQoo1e+NCQ==",
|
|
1295
|
-
"signed_at": "2026-06-
|
|
1295
|
+
"signed_at": "2026-06-05T14:36:05.090Z"
|
|
1296
1296
|
},
|
|
1297
1297
|
{
|
|
1298
1298
|
"name": "webapp-security",
|
|
@@ -1366,7 +1366,7 @@
|
|
|
1366
1366
|
"d3fend_refs": [],
|
|
1367
1367
|
"last_threat_review": "2026-05-11",
|
|
1368
1368
|
"signature": "4ccahkJpGJZtwD7EBpnGcN0sEGPMEw8eqV+tvePVS04YAkLgYVWtlkasI/8n0be9xB+77x+Sjj3kIi2j2Lf9CA==",
|
|
1369
|
-
"signed_at": "2026-06-
|
|
1369
|
+
"signed_at": "2026-06-05T14:36:05.090Z",
|
|
1370
1370
|
"forward_watch": [
|
|
1371
1371
|
"NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments"
|
|
1372
1372
|
]
|
|
@@ -1419,7 +1419,7 @@
|
|
|
1419
1419
|
"d3fend_refs": [],
|
|
1420
1420
|
"last_threat_review": "2026-05-15",
|
|
1421
1421
|
"signature": "SBB7c3wNYfIdkyOp4g4nW0WP7xS+YokMzg32aaeJdbf14LTGQRzQUvSqb2TCj2HFUSHESOyKT1JpkAfyHLSQBQ==",
|
|
1422
|
-
"signed_at": "2026-06-
|
|
1422
|
+
"signed_at": "2026-06-05T14:36:05.090Z"
|
|
1423
1423
|
},
|
|
1424
1424
|
{
|
|
1425
1425
|
"name": "sector-healthcare",
|
|
@@ -1479,7 +1479,7 @@
|
|
|
1479
1479
|
"d3fend_refs": [],
|
|
1480
1480
|
"last_threat_review": "2026-05-11",
|
|
1481
1481
|
"signature": "U04GNLyRas1VmfEsB8khH4iqFZPwx96sPY0Kw9iVsSPU+KTeEFqwgtWK1X1pzgb+T16Pc7HSrCaXDOpTFvQEDw==",
|
|
1482
|
-
"signed_at": "2026-06-
|
|
1482
|
+
"signed_at": "2026-06-05T14:36:05.091Z"
|
|
1483
1483
|
},
|
|
1484
1484
|
{
|
|
1485
1485
|
"name": "sector-financial",
|
|
@@ -1560,7 +1560,7 @@
|
|
|
1560
1560
|
"TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
|
|
1561
1561
|
],
|
|
1562
1562
|
"signature": "xbylLqNPBuEsFE/MNVeGy/01K6yiJXMxQbzC1F4RWU5aseDGbNy5HrAv2JWI2+Aft05ozreNPjccvu66yJ5EBw==",
|
|
1563
|
-
"signed_at": "2026-06-
|
|
1563
|
+
"signed_at": "2026-06-05T14:36:05.091Z"
|
|
1564
1564
|
},
|
|
1565
1565
|
{
|
|
1566
1566
|
"name": "sector-federal-government",
|
|
@@ -1629,7 +1629,7 @@
|
|
|
1629
1629
|
"Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
|
|
1630
1630
|
],
|
|
1631
1631
|
"signature": "C9c3JuBhUbwcb7uZpDdy+PNT8sYmYIxzD4uRHu421ePW1aSFJ8fkMvuTzSO8vD/F/jOOg5opM4kov/xSAn+qCg==",
|
|
1632
|
-
"signed_at": "2026-06-
|
|
1632
|
+
"signed_at": "2026-06-05T14:36:05.092Z"
|
|
1633
1633
|
},
|
|
1634
1634
|
{
|
|
1635
1635
|
"name": "sector-energy",
|
|
@@ -1694,7 +1694,7 @@
|
|
|
1694
1694
|
"ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
|
|
1695
1695
|
],
|
|
1696
1696
|
"signature": "oz8Q5WVaY8au4IjbaZahx/DSaC00Q44ylSL3mDkTerCEpW/EyPUeiLeGxSrWxBCwVFEKSSJvnhJjhvX5lDPcCg==",
|
|
1697
|
-
"signed_at": "2026-06-
|
|
1697
|
+
"signed_at": "2026-06-05T14:36:05.092Z"
|
|
1698
1698
|
},
|
|
1699
1699
|
{
|
|
1700
1700
|
"name": "sector-telecom",
|
|
@@ -1780,7 +1780,7 @@
|
|
|
1780
1780
|
"O-RAN SFG / WG11 security specifications"
|
|
1781
1781
|
],
|
|
1782
1782
|
"signature": "NAtyzfLPXlUuB78Snb9nWmbZalC1CNlIYN9rYhdEmtB/xQGC6vVnThgrEAHlm7v/jMCFuknvEpUHKdscUnUADw==",
|
|
1783
|
-
"signed_at": "2026-06-
|
|
1783
|
+
"signed_at": "2026-06-05T14:36:05.092Z"
|
|
1784
1784
|
},
|
|
1785
1785
|
{
|
|
1786
1786
|
"name": "api-security",
|
|
@@ -1849,7 +1849,7 @@
|
|
|
1849
1849
|
"d3fend_refs": [],
|
|
1850
1850
|
"last_threat_review": "2026-05-18",
|
|
1851
1851
|
"signature": "1UTjZNC5Lyrgw93LAizdXVeSmv3jS8YQNT1db5OKsldub50+o1FXmAH4+3MxZozaOGDCX3yXbdDJSJaaSmfuAA==",
|
|
1852
|
-
"signed_at": "2026-06-
|
|
1852
|
+
"signed_at": "2026-06-05T14:36:05.093Z",
|
|
1853
1853
|
"forward_watch": [
|
|
1854
1854
|
"NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments",
|
|
1855
1855
|
"Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments",
|
|
@@ -1935,7 +1935,7 @@
|
|
|
1935
1935
|
"CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
|
|
1936
1936
|
],
|
|
1937
1937
|
"signature": "EdsY4xe7YA8X8m+KZUbq49JwoCXgRKEz2eg3m86O37rvBmpm8ppvl9hrsekygvpBh2VmCHL2dEYiOD8OM2n7CA==",
|
|
1938
|
-
"signed_at": "2026-06-
|
|
1938
|
+
"signed_at": "2026-06-05T14:36:05.093Z"
|
|
1939
1939
|
},
|
|
1940
1940
|
{
|
|
1941
1941
|
"name": "container-runtime-security",
|
|
@@ -1997,7 +1997,7 @@
|
|
|
1997
1997
|
"d3fend_refs": [],
|
|
1998
1998
|
"last_threat_review": "2026-05-15",
|
|
1999
1999
|
"signature": "fnLKPLkjjRCJ/F9wdmZ1w1lXmqEJvTYkv6Uu+9OTd5vZTWKz3QMuxKOsas+ctCdOvTaeloqPUUprXx+ZZdDpCg==",
|
|
2000
|
-
"signed_at": "2026-06-
|
|
2000
|
+
"signed_at": "2026-06-05T14:36:05.093Z",
|
|
2001
2001
|
"forward_watch": [
|
|
2002
2002
|
"Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo"
|
|
2003
2003
|
]
|
|
@@ -2071,7 +2071,7 @@
|
|
|
2071
2071
|
"MITRE ATLAS v5.6.0 (released May 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
|
|
2072
2072
|
],
|
|
2073
2073
|
"signature": "t3dkdpTX04zvjitEeOJThpgjurLd1UO9GOut4LXSZgY3ULhfknI4zT7G5+m2RSZZTo7yyeZrwpg+7vEg9K6mAw==",
|
|
2074
|
-
"signed_at": "2026-06-
|
|
2074
|
+
"signed_at": "2026-06-05T14:36:05.094Z"
|
|
2075
2075
|
},
|
|
2076
2076
|
{
|
|
2077
2077
|
"name": "incident-response-playbook",
|
|
@@ -2133,7 +2133,7 @@
|
|
|
2133
2133
|
"NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
|
|
2134
2134
|
],
|
|
2135
2135
|
"signature": "+1kmtA6rAvIyDjjy+cJHK6BcfylyVsa5cUjRFijlFR9GsQfB93JnmkEJOqML50pdlcxtJI3yUodHpL3/YJGtCA==",
|
|
2136
|
-
"signed_at": "2026-06-
|
|
2136
|
+
"signed_at": "2026-06-05T14:36:05.094Z"
|
|
2137
2137
|
},
|
|
2138
2138
|
{
|
|
2139
2139
|
"name": "ransomware-response",
|
|
@@ -2213,7 +2213,7 @@
|
|
|
2213
2213
|
],
|
|
2214
2214
|
"last_threat_review": "2026-05-22",
|
|
2215
2215
|
"signature": "h48ASCz63aBfHzLKxMVDADMuT4atriK0iE6bJeVzZTsx/e8+hyv4fLP7+zYxT9Oe0Gss3v/Xy+t+Wd9uwzV+Aw==",
|
|
2216
|
-
"signed_at": "2026-06-
|
|
2216
|
+
"signed_at": "2026-06-05T14:36:05.095Z"
|
|
2217
2217
|
},
|
|
2218
2218
|
{
|
|
2219
2219
|
"name": "email-security-anti-phishing",
|
|
@@ -2266,7 +2266,7 @@
|
|
|
2266
2266
|
"d3fend_refs": [],
|
|
2267
2267
|
"last_threat_review": "2026-05-18",
|
|
2268
2268
|
"signature": "FVBn4ex2qPIo9SHMVJ6tntoz4tVwjbIq3m6wDjjZyv2JODlS+90GBYCOkNamxxkmw/6de6SMs0YHQiF/xjo/DQ==",
|
|
2269
|
-
"signed_at": "2026-06-
|
|
2269
|
+
"signed_at": "2026-06-05T14:36:05.095Z"
|
|
2270
2270
|
},
|
|
2271
2271
|
{
|
|
2272
2272
|
"name": "age-gates-child-safety",
|
|
@@ -2334,7 +2334,7 @@
|
|
|
2334
2334
|
"US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
|
|
2335
2335
|
],
|
|
2336
2336
|
"signature": "ZHVdGWCcfG98tSVB0b9mwrsYwv71V3uUEl+6ss7omSQhmNvqV5s6MAZM5YladBt9MK/8T/zBrTYN4gAonOP+BQ==",
|
|
2337
|
-
"signed_at": "2026-06-
|
|
2337
|
+
"signed_at": "2026-06-05T14:36:05.095Z"
|
|
2338
2338
|
},
|
|
2339
2339
|
{
|
|
2340
2340
|
"name": "cloud-iam-incident",
|
|
@@ -2414,7 +2414,7 @@
|
|
|
2414
2414
|
],
|
|
2415
2415
|
"last_threat_review": "2026-05-15",
|
|
2416
2416
|
"signature": "r9ii4nb3HJELdtKCGF5qy9PHOiot3GC24yfxfGAKlLENHkdRvRkvvL99eV/6RXyfUaMyrnc2Te8tPQcNu5bsDg==",
|
|
2417
|
-
"signed_at": "2026-06-
|
|
2417
|
+
"signed_at": "2026-06-05T14:36:05.096Z",
|
|
2418
2418
|
"forward_watch": [
|
|
2419
2419
|
"AWS IAM Identity Center session-policy refresh and step-up-on-admin enforcement (anticipated 2026-H2 release)",
|
|
2420
2420
|
"GCP Workload Identity Federation principal-set attribute mapping tightening (post-2026 Q3 Federation hardening guide)",
|
|
@@ -2508,7 +2508,7 @@
|
|
|
2508
2508
|
],
|
|
2509
2509
|
"last_threat_review": "2026-05-15",
|
|
2510
2510
|
"signature": "9mfDtMApMAg9V/lmwpniNxo/6gNZoOEoYDfyFvyWvKrPMtc7H9F8uz06FVoARe/J49saAKTVXOurNE1D/KtpCQ==",
|
|
2511
|
-
"signed_at": "2026-06-
|
|
2511
|
+
"signed_at": "2026-06-05T14:36:05.096Z",
|
|
2512
2512
|
"forward_watch": [
|
|
2513
2513
|
"Entra ID conditional access evolution post-Midnight Blizzard — Microsoft's 2025-2026 commitments on legacy-tenant MFA enforcement and OAuth-app consent gating",
|
|
2514
2514
|
"Okta IPSIE (Interoperability Profile for Secure Identity in the Enterprise) OpenID Foundation working-group output and adoption timeline",
|
|
@@ -2580,7 +2580,7 @@
|
|
|
2580
2580
|
"d3fend_refs": [],
|
|
2581
2581
|
"last_threat_review": "2026-06-02",
|
|
2582
2582
|
"signature": "dOFgANMtHm64uSFRjMfeA0fWZS9ISwMTt59I2CbjaF1PgTtbtb8yg/f+3pC4eXcXIET0KPGxRRmENycfIz3rAw==",
|
|
2583
|
-
"signed_at": "2026-06-
|
|
2583
|
+
"signed_at": "2026-06-05T14:36:05.097Z"
|
|
2584
2584
|
},
|
|
2585
2585
|
{
|
|
2586
2586
|
"name": "mail-server-hardening",
|
|
@@ -2639,7 +2639,7 @@
|
|
|
2639
2639
|
"d3fend_refs": [],
|
|
2640
2640
|
"last_threat_review": "2026-06-02",
|
|
2641
2641
|
"signature": "5x8RGzKo/T2IbYnFkYMZs16ThD9a5FEdrKHsnwvtMuGxdyyfZsKNIJVWw2I8O0um0UOXwwkl17Z3zhch26ymCQ==",
|
|
2642
|
-
"signed_at": "2026-06-
|
|
2642
|
+
"signed_at": "2026-06-05T14:36:05.097Z"
|
|
2643
2643
|
},
|
|
2644
2644
|
{
|
|
2645
2645
|
"name": "network-trust",
|
|
@@ -2695,7 +2695,7 @@
|
|
|
2695
2695
|
"d3fend_refs": [],
|
|
2696
2696
|
"last_threat_review": "2026-06-02",
|
|
2697
2697
|
"signature": "C/RdmnGjXKreKiGkwJfUESIxUwQzisGJ9A7KBdE9cBRBHBYHkAcScV89L+Z3kOG032Qax6LeIQai7Lr3nrQBCA==",
|
|
2698
|
-
"signed_at": "2026-06-
|
|
2698
|
+
"signed_at": "2026-06-05T14:36:05.097Z"
|
|
2699
2699
|
},
|
|
2700
2700
|
{
|
|
2701
2701
|
"name": "audit-log-integrity",
|
|
@@ -2750,7 +2750,7 @@
|
|
|
2750
2750
|
"d3fend_refs": [],
|
|
2751
2751
|
"last_threat_review": "2026-06-02",
|
|
2752
2752
|
"signature": "LvUAq+rXCA8PgNy9lTKOmFqa8T9EJg4JEH0axXvEAf9MIHqbR51ergUkFMLaTuvFuApwsPu0r1C30QgScZbiAw==",
|
|
2753
|
-
"signed_at": "2026-06-
|
|
2753
|
+
"signed_at": "2026-06-05T14:36:05.097Z"
|
|
2754
2754
|
},
|
|
2755
2755
|
{
|
|
2756
2756
|
"name": "self-update-integrity",
|
|
@@ -2804,7 +2804,7 @@
|
|
|
2804
2804
|
"d3fend_refs": [],
|
|
2805
2805
|
"last_threat_review": "2026-06-02",
|
|
2806
2806
|
"signature": "BOQZ8G9LdyG/tfpz6rCU4THz5Dq2HGJkUV7uCqSTCMrqnXH6seNXKM41FWawYo0s2VUlXtRgaO7ETp5qgxw+CQ==",
|
|
2807
|
-
"signed_at": "2026-06-
|
|
2807
|
+
"signed_at": "2026-06-05T14:36:05.098Z"
|
|
2808
2808
|
},
|
|
2809
2809
|
{
|
|
2810
2810
|
"name": "multitenancy-isolation",
|
|
@@ -2862,7 +2862,7 @@
|
|
|
2862
2862
|
"d3fend_refs": [],
|
|
2863
2863
|
"last_threat_review": "2026-06-02",
|
|
2864
2864
|
"signature": "bncN0VE4ns0lxtPe48xDR33lerw54BPVkSwX7XlrLQcMHTrV94lmjO8z4ZP4Ko61n+KpuP2SNU8v9JT0bGMmAA==",
|
|
2865
|
-
"signed_at": "2026-06-
|
|
2865
|
+
"signed_at": "2026-06-05T14:36:05.098Z"
|
|
2866
2866
|
},
|
|
2867
2867
|
{
|
|
2868
2868
|
"name": "decompression-dos",
|
|
@@ -2920,7 +2920,7 @@
|
|
|
2920
2920
|
"d3fend_refs": [],
|
|
2921
2921
|
"last_threat_review": "2026-06-02",
|
|
2922
2922
|
"signature": "03i0ZO5ScHIOjGvDKUEsws6m+20fnlJrEhSBtMU7PJzQutrPpmW9gULE0wbayTD5H9URh5nSKZuuVjvjVhZNCg==",
|
|
2923
|
-
"signed_at": "2026-06-
|
|
2923
|
+
"signed_at": "2026-06-05T14:36:05.098Z"
|
|
2924
2924
|
},
|
|
2925
2925
|
{
|
|
2926
2926
|
"name": "log-injection-telemetry",
|
|
@@ -2975,7 +2975,7 @@
|
|
|
2975
2975
|
"d3fend_refs": [],
|
|
2976
2976
|
"last_threat_review": "2026-06-02",
|
|
2977
2977
|
"signature": "twTmA2l+Am2k2PCzB2DNxDQwoYlGopJp/3QgQwBsP7h2LF+uNudisqfuOVV/bYnWfrUhuYZUWbsR3mhzbJCUBw==",
|
|
2978
|
-
"signed_at": "2026-06-
|
|
2978
|
+
"signed_at": "2026-06-05T14:36:05.098Z"
|
|
2979
2979
|
},
|
|
2980
2980
|
{
|
|
2981
2981
|
"name": "privacy-consent-ops",
|
|
@@ -3030,11 +3030,11 @@
|
|
|
3030
3030
|
"d3fend_refs": [],
|
|
3031
3031
|
"last_threat_review": "2026-06-02",
|
|
3032
3032
|
"signature": "0sfKSVrIf555c9bDGkXB96fUClN52fMAMYoQsNQ9eUUSzDiWUwdou+q0gYt43nObtj3m9Yb9X6q3oCXDVMgUDg==",
|
|
3033
|
-
"signed_at": "2026-06-
|
|
3033
|
+
"signed_at": "2026-06-05T14:36:05.099Z"
|
|
3034
3034
|
}
|
|
3035
3035
|
],
|
|
3036
3036
|
"manifest_signature": {
|
|
3037
3037
|
"algorithm": "Ed25519",
|
|
3038
|
-
"signature_base64": "
|
|
3038
|
+
"signature_base64": "M6/54yATUpoQoKpa2XTdQtrhRJFf7lf/3i6uQa3i/f3dGXNEc8zENbjYEr7C0xt13cto2oMT/5zxeRQzrCc4BQ=="
|
|
3039
3039
|
}
|
|
3040
3040
|
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@blamejs/exceptd-skills",
|
|
3
|
-
"version": "0.16.
|
|
3
|
+
"version": "0.16.22",
|
|
4
4
|
"description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 51 skills, 11 catalogs (439 CVEs / 177 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"ai-security",
|
package/sbom.cdx.json
CHANGED
|
@@ -1,22 +1,22 @@
|
|
|
1
1
|
{
|
|
2
2
|
"bomFormat": "CycloneDX",
|
|
3
3
|
"specVersion": "1.6",
|
|
4
|
-
"serialNumber": "urn:uuid:
|
|
4
|
+
"serialNumber": "urn:uuid:46b4a92a-bd7d-4757-ba07-6c352346da2f",
|
|
5
5
|
"version": 1,
|
|
6
6
|
"metadata": {
|
|
7
|
-
"timestamp": "
|
|
7
|
+
"timestamp": "2063-08-04T16:28:26.000Z",
|
|
8
8
|
"tools": [
|
|
9
9
|
{
|
|
10
10
|
"vendor": "blamejs",
|
|
11
11
|
"name": "scripts/refresh-sbom.js",
|
|
12
|
-
"version": "0.16.
|
|
12
|
+
"version": "0.16.22"
|
|
13
13
|
}
|
|
14
14
|
],
|
|
15
15
|
"component": {
|
|
16
|
-
"bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.16.
|
|
16
|
+
"bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.16.22",
|
|
17
17
|
"type": "application",
|
|
18
18
|
"name": "@blamejs/exceptd-skills",
|
|
19
|
-
"version": "0.16.
|
|
19
|
+
"version": "0.16.22",
|
|
20
20
|
"description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 51 skills, 11 catalogs (439 CVEs / 177 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
|
|
21
21
|
"licenses": [
|
|
22
22
|
{
|
|
@@ -25,17 +25,17 @@
|
|
|
25
25
|
}
|
|
26
26
|
}
|
|
27
27
|
],
|
|
28
|
-
"purl": "pkg:npm/%40blamejs/exceptd-skills@0.16.
|
|
28
|
+
"purl": "pkg:npm/%40blamejs/exceptd-skills@0.16.22",
|
|
29
29
|
"hashes": [
|
|
30
30
|
{
|
|
31
31
|
"alg": "SHA-256",
|
|
32
|
-
"content": "
|
|
32
|
+
"content": "6cb5d96bc4b20597400be2b7a74dee0b32cec947f95827b86cab9c6d84af3a52"
|
|
33
33
|
}
|
|
34
34
|
],
|
|
35
35
|
"externalReferences": [
|
|
36
36
|
{
|
|
37
37
|
"type": "distribution",
|
|
38
|
-
"url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.16.
|
|
38
|
+
"url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.16.22"
|
|
39
39
|
},
|
|
40
40
|
{
|
|
41
41
|
"type": "vcs",
|
|
@@ -116,11 +116,11 @@
|
|
|
116
116
|
"hashes": [
|
|
117
117
|
{
|
|
118
118
|
"alg": "SHA-256",
|
|
119
|
-
"content": "
|
|
119
|
+
"content": "427a300d2504f88006479c1a06fa09df4af0b8cc6bd28951b2c721b3f41d4d42"
|
|
120
120
|
},
|
|
121
121
|
{
|
|
122
122
|
"alg": "SHA3-512",
|
|
123
|
-
"content": "
|
|
123
|
+
"content": "d74dea4228b60326186f0c96398cc6095c17a8ee69a2ee2a4768e56e1a3246fab54200f9de18afc501d2f7273e4bd2fafda779e50d2d639d275076c6e956f23f"
|
|
124
124
|
}
|
|
125
125
|
]
|
|
126
126
|
},
|
|
@@ -176,11 +176,11 @@
|
|
|
176
176
|
"hashes": [
|
|
177
177
|
{
|
|
178
178
|
"alg": "SHA-256",
|
|
179
|
-
"content": "
|
|
179
|
+
"content": "6e6a604ad389643aa456c1fc4ef799ec68ecd4a565918630b194d7873182d128"
|
|
180
180
|
},
|
|
181
181
|
{
|
|
182
182
|
"alg": "SHA3-512",
|
|
183
|
-
"content": "
|
|
183
|
+
"content": "e46a828d192fa0aba4ec6f8589d8d6aa4dc03f7d238bb1ac418d3f9076350a164e81bbe8de0d01e21a28f231954d65a57770715c6f64ae001466cdea315b9e81"
|
|
184
184
|
}
|
|
185
185
|
]
|
|
186
186
|
},
|
|
@@ -281,11 +281,11 @@
|
|
|
281
281
|
"hashes": [
|
|
282
282
|
{
|
|
283
283
|
"alg": "SHA-256",
|
|
284
|
-
"content": "
|
|
284
|
+
"content": "76c366c043c6c66fa91601bfd2187163a92b1aef069d41fd7a86bb42f7391683"
|
|
285
285
|
},
|
|
286
286
|
{
|
|
287
287
|
"alg": "SHA3-512",
|
|
288
|
-
"content": "
|
|
288
|
+
"content": "a87357eaaea985def5ec8a41af76b9dc4a142a7042f382177e02f7158a63f4d9f2f745921c0c2c5e2ccb6b89b6f36258ccdd6d923183b51ee7d730c20e9ddadc"
|
|
289
289
|
}
|
|
290
290
|
]
|
|
291
291
|
},
|
|
@@ -1481,11 +1481,11 @@
|
|
|
1481
1481
|
"hashes": [
|
|
1482
1482
|
{
|
|
1483
1483
|
"alg": "SHA-256",
|
|
1484
|
-
"content": "
|
|
1484
|
+
"content": "d776211b708863ccc221c9bb4ed90954158c15e24bd1781e92533dd17899b795"
|
|
1485
1485
|
},
|
|
1486
1486
|
{
|
|
1487
1487
|
"alg": "SHA3-512",
|
|
1488
|
-
"content": "
|
|
1488
|
+
"content": "e95febc356efbfa8b4c5a444ea44b41a34a3dc6d01f091b0d56a357969358e32fbcd4f87e1d7836aaf0bcccca03fcd57703b362831fbed051770ea21d679a592"
|
|
1489
1489
|
}
|
|
1490
1490
|
]
|
|
1491
1491
|
},
|
|
@@ -1886,11 +1886,11 @@
|
|
|
1886
1886
|
"hashes": [
|
|
1887
1887
|
{
|
|
1888
1888
|
"alg": "SHA-256",
|
|
1889
|
-
"content": "
|
|
1889
|
+
"content": "0d633a546c8d60d593625a6ddc140c6bd6a8c1f940ea29cf0dc4dfddb72b6b39"
|
|
1890
1890
|
},
|
|
1891
1891
|
{
|
|
1892
1892
|
"alg": "SHA3-512",
|
|
1893
|
-
"content": "
|
|
1893
|
+
"content": "750c1040ba0b4e3cbe53eea6f4be171be72178a73189bb34322bbf9082291daf31f7849f25cf6de372673df2cda837b919a26c8e98b68a38c8516cde79628d55"
|
|
1894
1894
|
}
|
|
1895
1895
|
]
|
|
1896
1896
|
},
|
|
@@ -3476,11 +3476,11 @@
|
|
|
3476
3476
|
"hashes": [
|
|
3477
3477
|
{
|
|
3478
3478
|
"alg": "SHA-256",
|
|
3479
|
-
"content": "
|
|
3479
|
+
"content": "c96c23ae03353ed1c7ebf3a31be2cc3fe9caaa7c35762ae5b1f3a371744b4eaa"
|
|
3480
3480
|
},
|
|
3481
3481
|
{
|
|
3482
3482
|
"alg": "SHA3-512",
|
|
3483
|
-
"content": "
|
|
3483
|
+
"content": "b95a1b4b43a94a8f20e9d0e5454d5da290cd0b66be60e3ffb9f9c8d80af51bd081b44fd974f49171d3a02279a4560c4c675190b2aea1d6c3a26d5fda14877523"
|
|
3484
3484
|
}
|
|
3485
3485
|
]
|
|
3486
3486
|
},
|
|
@@ -286,7 +286,12 @@ async function validateCve(cveId, localEntry) {
|
|
|
286
286
|
if (typeof local.cisa_kev === 'boolean' && local.cisa_kev !== fetched.in_kev) {
|
|
287
287
|
pushDiscrepancy(discrepancies, 'cisa_kev', local.cisa_kev, fetched.in_kev, 'high');
|
|
288
288
|
}
|
|
289
|
-
|
|
289
|
+
// Emit whenever upstream carries a listing date the local entry lacks or
|
|
290
|
+
// contradicts — a first listing arrives as cisa_kev_date:null locally, and
|
|
291
|
+
// requiring a truthy local date here meant the flag flipped without its
|
|
292
|
+
// date, which the strict catalog validator rejects (KEV-listed entries
|
|
293
|
+
// must carry their listing date).
|
|
294
|
+
if (fetched.kev_date && local.cisa_kev_date !== fetched.kev_date) {
|
|
290
295
|
pushDiscrepancy(discrepancies, 'cisa_kev_date', local.cisa_kev_date, fetched.kev_date, 'low');
|
|
291
296
|
}
|
|
292
297
|
}
|