@blamejs/exceptd-skills 0.16.21 → 0.16.23

package/scripts/check-sbom-currency.js

@@ -31,6 +31,39 @@ function resolveRoot(argv) {
   return path.join(__dirname, "..");
 }
 
+// Entry count for a data/*.json catalog: keys minus the _meta sentinel. The
+// catalogs are objects keyed by entry id (CVE-…, CWE-…, T…, AML.T…, D3-…,
+// RFC-…) with a single _meta block, so the live entry total is the key count
+// excluding _meta.
+function catalogEntryCount(dataDir, file) {
+  const p = path.join(dataDir, file);
+  // A --root pointed at a partial tree (no such catalog file) skips that
+  // token's check rather than crashing — catalog PRESENCE is asserted by
+  // the cardinality check above and the per-component hash check below,
+  // not by the description parser.
+  if (!fs.existsSync(p)) return null;
+  const j = JSON.parse(fs.readFileSync(p, "utf8"));
+  if (Array.isArray(j)) return j.length;
+  if (j && typeof j === "object") {
+    return Object.keys(j).filter((k) => k !== "_meta").length;
+  }
+  return 0;
+}
+
+// The description string embeds per-catalog ENTRY counts as free text, e.g.
+// "11 catalogs (439 CVEs / 177 CWEs / 805 ATT&CK + ICS / 170 ATLAS /
+// 468 D3FEND / 8888 RFCs)". Each token maps to one data/*.json catalog whose
+// live entry count must match. `label` is the regex-escaped text that follows
+// the number in the description.
+const DESCRIPTION_ENTRY_TOKENS = [
+  { file: "cve-catalog.json", label: "CVEs" },
+  { file: "cwe-catalog.json", label: "CWEs" },
+  { file: "attack-techniques.json", label: "ATT&CK \\+ ICS" },
+  { file: "atlas-ttps.json", label: "ATLAS" },
+  { file: "d3fend-catalog.json", label: "D3FEND" },
+  { file: "rfc-references.json", label: "RFCs" },
+];
+
 function checkSbomCurrency(root) {
   const sbomPath = path.join(root, "sbom.cdx.json");
   const manifestPath = path.join(root, "manifest.json");
@@ -64,6 +97,45 @@ function checkSbomCurrency(root) {
     errors.push("SBOM is not CycloneDX 1.6");
   }
 
+  // The SBOM ships per-catalog entry counts and a skill count embedded as free
+  // text in metadata.component.description (propagated verbatim from
+  // package.json). The numeric properties above only cover catalog/skill
+  // CARDINALITY (file count + skill count), so a catalog's entry total can
+  // drift past the count baked into the description while the dedicated SBOM
+  // gate still passes. Parse each token out of the description and assert it
+  // against the live entry count so a stale published-SBOM description fails
+  // the gate.
+  const description =
+    (sbom.metadata && sbom.metadata.component && sbom.metadata.component.description) || "";
+  for (const { file, label } of DESCRIPTION_ENTRY_TOKENS) {
+    const live = catalogEntryCount(dataDir, file);
+    if (live === null) continue;
+    const m = description.match(new RegExp("(\\d+)\\s+" + label + "\\b"));
+    if (!m) {
+      errors.push(
+        `SBOM description is missing the "${file.replace(/\.json$/, "")}" entry-count token (${label}) — regenerate via \`npm run refresh-sbom\``
+      );
+      continue;
+    }
+    const stated = Number(m[1]);
+    if (stated !== live) {
+      errors.push(
+        `SBOM description entry count for ${label} is ${stated} but live ${file} has ${live} — description is stale; update package.json.description and \`npm run refresh-sbom\``
+      );
+    }
+  }
+  // The skill count is embedded in the same description string ("N skills").
+  const skillMatch = description.match(/(\d+)\s+skills\b/);
+  if (!skillMatch) {
+    errors.push(
+      "SBOM description is missing the skill-count token (N skills) — regenerate via `npm run refresh-sbom`"
+    );
+  } else if (Number(skillMatch[1]) !== liveSkills) {
+    errors.push(
+      `SBOM description skill count is ${Number(skillMatch[1])} but live manifest has ${liveSkills} skills — description is stale; update package.json.description and \`npm run refresh-sbom\``
+    );
+  }
+
   // component-level cross-check. A renamed or version-bumped
   // skill that never made it into the SBOM refresh will pass the count
   // check (the cardinality is unchanged) but the per-component name +

package/scripts/release.js

@@ -503,21 +503,27 @@ function cmdRelease() {
   if (runId) {
     _run("gh", ["run", "watch", runId, "--exit-status"], { allowFail: true });
     var concl = _capture("gh", ["run", "view", runId, "--json", "conclusion", "--jq", ".conclusion"]).stdout;
+    // A non-success conclusion is a hard failure: the publish either failed or
+    // is unconfirmable, and either way the release is not done. Warning-and-
+    // continuing let a stalled publish read as a clean release.
     if (concl !== "success") {
-      console.error("warning: release.yml conclusion=" + concl + " — re-check before trusting npm");
-    } else {
-      _ok("release.yml: success");
+      throw new Error("release: release.yml conclusion=" + (concl || "(unknown)") +
+        " — the publish workflow did not finish successfully; re-check release.yml before treating the release as done");
     }
+    _ok("release.yml: success");
   } else {
-    console.log("no release.yml run found yet (tag push may still be propagating)");
+    throw new Error("release: no release.yml run found for the tag — the publish workflow has not started; " +
+      "confirm the tag was pushed and the workflow fired before treating the release as done");
   }
 
   _section("verify npm");
   var npmVersion = _capture("npm", ["view", PKG_NAME, "version"]).stdout;
   console.log("npm " + PKG_NAME + ": " + (npmVersion || "(unable to query)") + "   (expected " + next + ")");
+  // Require a POSITIVE confirmation: the queried npm version must equal `next`.
+  // The hard failure is asserted at the end of the phase (after the tarball
+  // verify). An empty stdout (registry/auth/network failure) is treated as a
+  // mismatch — an unconfirmable publish is a failure, not a success.
   if (npmVersion === next) _ok("npm matches " + next);
-  // A mismatch is asserted as a hard failure at the end of the phase (after
-  // the tarball verify), so a stalled publish can't read as a clean release.
 
   _section("fresh-tarball signature verify");
   // Verify against the EXACT bytes a downstream consumer installs — the
@@ -535,18 +541,19 @@ function cmdRelease() {
     throw new Error("release: scripts/verify-shipped-tarball.js missing — cannot verify the shipped artifact");
   }
 
-  // An npm-version mismatch after the workflow finished is not mere
-  // propagation lag — fail so a stalled/failed publish can't read as a
-  // completed release. (A genuinely in-flight publish is caught by the
-  // workflow-conclusion check above; by the time we query npm post-watch the
-  // version should be live.)
-  if (npmVersion && npmVersion !== next) {
-    throw new Error("release: npm shows " + npmVersion + " but expected " + next +
-      " — publish did not complete; re-check release.yml before treating the release as done");
+  // Require a positive npm confirmation after the workflow finished. A version
+  // that is empty (query failed) OR != next is not mere propagation lag — fail
+  // so a stalled/failed/unconfirmable publish can't read as a completed
+  // release. (A genuinely in-flight publish is caught by the workflow-
+  // conclusion check above; by the time we query npm post-watch the version
+  // should be live.) The message reports the value actually queried.
+  if (npmVersion !== next) {
+    throw new Error("release: npm shows " + (npmVersion || "(unable to query)") + " but expected " + next +
+      " — publish did not complete or could not be confirmed; re-check release.yml before treating the release as done");
   }
 
   console.log("\nThe landing site auto-injects the version from jsDelivr @latest — no manual deploy.");
-  console.log("Release complete: npm shows " + next + " and the shipped tarball verifies.");
+  console.log("Release complete: npm shows " + npmVersion + " and the shipped tarball verifies.");
 }
 
 function cmdAll(opts) {

package/skills/exploit-scoring/skill.md

@@ -109,7 +109,7 @@ RWEP = min(100, max(0,
   (poc_public    × 20) +
   (ai_assisted   × 15) +
   (active_expl   × 20) +
-  (blast_radius  × 15) -
+  (blast_radius  × 30) -
   (patch_avail   × 15) -
   (live_patch    × 10) +
   (reboot_req    × 5)
@@ -135,11 +135,11 @@ RWEP = min(100, max(0,
 - Score contribution: +20 points if confirmed
 - Rationale: Confirmed exploitation means the threat is not theoretical. Treat as an incident-level response trigger.
 
-**blast_radius** (0.0 to 1.0 scaled to 0–15): How broad is the affected population?
-- 15 points: Affects all Linux systems since a specific kernel version (e.g., Copy Fail: all 4.14+)
-- 10 points: Affects a major distribution's default configuration
-- 7 points: Affects a specific distribution or configuration
-- 3 points: Affects a narrow software version range
+**blast_radius** (0.0 to 1.0 scaled to 0–30): How broad is the affected population?
+- 30 points: Affects all Linux systems since a specific kernel version (e.g., Copy Fail: all 4.14+)
+- 20 points: Affects a major distribution's default configuration
+- 14 points: Affects a specific distribution or configuration
+- 6 points: Affects a narrow software version range
 - 0 points: Affects only highly specific configurations
 
 **patch_avail** (0 or 1): Is a patch available?
@@ -290,7 +290,7 @@ For a CVE not in the pre-calculated catalog, collect:
 
 ### Step 2: Apply RWEP formula
 
-Calculate factor values (binary 0/1 or scaled 0–1 for blast radius) and apply formula.
+Calculate factor values (binary 0/1, or scaled 0–30 for blast radius) and apply formula.
 
 ### Step 3: Generate remediation timeline
 
@@ -336,7 +336,7 @@ The skill produces a per-CVE Exploit Priority Assessment showing the RWEP score,
 | PoC Public | Yes/No | +20/0 |
 | AI-Assisted | Yes/No | +15/0 |
 | Active Exploitation | Confirmed/Suspected/No | +20/+10/0 |
-| Blast Radius | [description] | [0-15] |
+| Blast Radius | [description] | [0-30] |
 | Patch Available | Yes/No | -15/0 |
 | Live Patch Available | Yes/No | -10/0 |
 | Reboot Required | Yes/No | +5/0 |

package/sources/validators/cve-validator.js

@@ -286,7 +286,12 @@ async function validateCve(cveId, localEntry) {
     if (typeof local.cisa_kev === 'boolean' && local.cisa_kev !== fetched.in_kev) {
       pushDiscrepancy(discrepancies, 'cisa_kev', local.cisa_kev, fetched.in_kev, 'high');
     }
-    if (local.cisa_kev_date && fetched.kev_date && local.cisa_kev_date !== fetched.kev_date) {
+    // Emit whenever upstream carries a listing date the local entry lacks or
+    // contradicts — a first listing arrives as cisa_kev_date:null locally, and
+    // requiring a truthy local date here meant the flag flipped without its
+    // date, which the strict catalog validator rejects (KEV-listed entries
+    // must carry their listing date).
+    if (fetched.kev_date && local.cisa_kev_date !== fetched.kev_date) {
       pushDiscrepancy(discrepancies, 'cisa_kev_date', local.cisa_kev_date, fetched.kev_date, 'low');
     }
   }