npm - @blamejs/exceptd-skills - Versions diffs - 0.16.28 → 0.16.30 - Mend

@blamejs/exceptd-skills 0.16.28 → 0.16.30

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

package/CHANGELOG.md +28 -0
package/README.md +1 -1
package/bin/exceptd.js +251 -18
package/data/_indexes/_meta.json +4 -3
package/data/_indexes/jurisdiction-map.json +31 -158
package/data/playbooks/crypto.json +6 -0
package/lib/auto-discovery.js +8 -0
package/lib/collectors/README.md +3 -2
package/lib/collectors/library-author.js +26 -9
package/lib/collectors/secrets.js +8 -1
package/lib/cross-ref-api.js +96 -31
package/lib/lint-skills.js +6 -1
package/lib/playbook-runner.js +264 -52
package/lib/prefetch.js +78 -6
package/lib/refresh-external.js +106 -5
package/lib/scoring.js +49 -5
package/lib/validate-cve-catalog.js +14 -2
package/lib/validate-indexes.js +5 -0
package/lib/validate-playbooks.js +133 -38
package/manifest.json +53 -53
package/orchestrator/pipeline.js +16 -4
package/package.json +1 -1
package/sbom.cdx.json +73 -58
package/scripts/build-indexes.js +12 -1
package/scripts/check-sbom-currency.js +76 -14
package/scripts/refresh-sbom.js +1 -1
package/scripts/run-e2e-scenarios.js +41 -11
package/scripts/sync-package-description.js +74 -0
package/scripts/verify-shipped-tarball.js +18 -7
package/sources/validators/cve-validator.js +16 -6

package/lib/cross-ref-api.js CHANGED Viewed

@@ -119,6 +119,45 @@ function entries(catalog) {
   return Object.entries(catalog).filter(([k]) => !k.startsWith('_'));
 }
+// Single source of truth for the xref sub-maps the skill-correlation
+// queries read. These names MUST stay identical to the keys the index
+// builder emits into data/_indexes/xref.json; reading under a name the
+// builder never writes silently yields empty correlations. The TTP maps
+// are split by id space — ATLAS ids (AML.*) live in atlas_refs, ATT&CK
+// ids (T*) in attack_refs — so a TTP lookup unions both.
+const XREF_KEYS = {
+  cwe: 'cwe_refs',
+  atlas: 'atlas_refs',
+  attack: 'attack_refs',
+};
+// CWE -> [skill, ...] from the xref index.
+function skillsForCwe(xref, cweId) {
+  return (xref[XREF_KEYS.cwe] && xref[XREF_KEYS.cwe][cweId]) || [];
+}
+// TTP -> [skill, ...]; ATLAS and ATT&CK ids occupy separate maps, so a
+// single id resolves through whichever map owns its prefix (with a fall
+// back to the other in case a caller passes an unprefixed id).
+function skillsForTtp(xref, ttpId) {
+  const atlas = xref[XREF_KEYS.atlas] || {};
+  const attack = xref[XREF_KEYS.attack] || {};
+  return (ttpId.startsWith('AML.') ? atlas[ttpId] : attack[ttpId]) || atlas[ttpId] || attack[ttpId] || [];
+}
+// No CVE->skill map exists in the index (no skill declares a CVE list, so
+// the builder never emits one). The real linkage runs through the CVE's
+// declared CWEs: each CWE maps to skills via the cwe_refs map. Union the
+// skills across every CWE the CVE references, sorted + de-duplicated so
+// the result is stable regardless of CWE ordering.
+function skillsForCve(xref, cveEntry) {
+  const out = new Set();
+  for (const cwe of (cveEntry && cveEntry.cwe_refs) || []) {
+    for (const skill of skillsForCwe(xref, cwe)) out.add(skill);
+  }
+  return [...out].sort();
+}
 // --- public API ---
 /**
@@ -149,19 +188,28 @@ function byCve(cveId, opts) {
   const gaps = loadCatalog('framework-control-gaps.json');
   const lessons = loadCatalog('zeroday-lessons.json');
-  const skills = (xref[cveId] || xref.cves?.[cveId] || []).slice();
+  // Skills correlate to a CVE transitively through its declared CWEs
+  // (CVE -> cwe_refs -> xref.cwe_refs -> skills); there is no direct
+  // CVE->skill index.
+  const skills = skillsForCve(xref, entry);
   // (Recipes are use-case curated, not CVE-triggered — recipes.json has no
   // `triggered_by`/CVE keying, so a per-CVE recipe lookup was always empty.
   // The dead `recipes:[]` field is no longer emitted.)
-  const theater = entries(theaterFp).filter(([, t]) =>
-    Array.isArray(t.cve_refs) && t.cve_refs.includes(cveId)
-  ).map(([id, t]) => ({ id, distinguisher: t.distinguisher || t.test }));
+  //
+  // Theater fingerprints live under the index's `patterns` container; each
+  // pattern records a single `evidence.cve` (or `evidence.campaign`, which
+  // carries no CVE to match). The distinguishing check is `fast_test`.
+  const theater = Object.entries(theaterFp.patterns || {})
+    .filter(([, t]) => t && t.evidence && t.evidence.cve === cveId)
+    .map(([id, t]) => ({ id, pattern_name: t.pattern_name, distinguisher: t.fast_test }));
+  // Framework-control-gaps link CVEs through `evidence_cves`; the control
+  // identifier field is `control_id`.
   const framework_gaps = entries(gaps).filter(([, g]) =>
-    Array.isArray(g.cve_refs) && g.cve_refs.includes(cveId)
-  ).map(([id, g]) => ({ id, framework: g.framework, control: g.control, status: g.status }));
-  const lessons_learned = entries(lessons).filter(([, l]) =>
-    Array.isArray(l.cve_refs) && l.cve_refs.includes(cveId)
-  ).map(([id]) => id);
+    Array.isArray(g.evidence_cves) && g.evidence_cves.includes(cveId)
+  ).map(([id, g]) => ({ id, framework: g.framework, control: g.control_id, status: g.status }));
+  // Zero-day lessons are keyed by CVE id, so a referenced lesson is a
+  // direct key hit rather than a back-reference scan.
+  const lessons_learned = lessons[cveId] ? [cveId] : [];
   return {
     found: true,
@@ -185,7 +233,7 @@ function byCwe(cweId) {
   const entry = catalog[cweId];
   if (!entry) return { found: false, cwe_id: cweId };
   const xref = loadIndex('xref.json');
-  const skills = (xref.cwes?.[cweId] || []).slice();
+  const skills = skillsForCwe(xref, cweId).slice();
   const relatedCves = entries(loadCatalog('cve-catalog.json'))
     .filter(([, c]) => Array.isArray(c.cwe_refs) && c.cwe_refs.includes(cweId))
     .map(([id]) => id);
@@ -196,7 +244,7 @@ function byTtp(ttpId) {
   const atlas = loadCatalog('atlas-ttps.json');
   const xref = loadIndex('xref.json');
   const entry = atlas[ttpId] || null;
-  const skills = (xref.ttps?.[ttpId] || []).slice();
+  const skills = skillsForTtp(xref, ttpId).slice();
   const relatedCves = entries(loadCatalog('cve-catalog.json'))
     .filter(([, c]) =>
       (Array.isArray(c.atlas_refs) && c.atlas_refs.includes(ttpId)) ||
@@ -213,25 +261,34 @@ function bySkill(skillName) {
   const xref = loadIndex('xref.json');
   const summary = loadIndex('summary-cards.json');
   const card = summary[skillName] || summary.skills?.[skillName] || null;
-  const cveRefs = Object.entries(xref.cves || {})
-    .filter(([, skills]) => Array.isArray(skills) && skills.includes(skillName))
-    .map(([cve]) => cve);
-  const ttpRefs = Object.entries(xref.ttps || {})
+  // TTPs invert the atlas_refs + attack_refs maps: any TTP whose skill
+  // list contains this skill is a reference. Both id spaces contribute.
+  const ttpRefs = Object.entries({
+    ...(xref[XREF_KEYS.atlas] || {}),
+    ...(xref[XREF_KEYS.attack] || {}),
+  })
     .filter(([, skills]) => Array.isArray(skills) && skills.includes(skillName))
-    .map(([ttp]) => ttp);
+    .map(([ttp]) => ttp)
+    .sort();
+  // CVEs link to a skill transitively: a CVE references CWEs, and each CWE
+  // maps to skills via cwe_refs. Collect every CVE whose CWE set resolves
+  // to this skill.
+  const cveCatalog = loadCatalog('cve-catalog.json');
+  const cveRefs = entries(cveCatalog)
+    .filter(([, c]) => (c.cwe_refs || []).some(cwe => skillsForCwe(xref, cwe).includes(skillName)))
+    .map(([cve]) => cve)
+    .sort();
   return { skill: skillName, summary_card: card, cve_refs: cveRefs, ttp_refs: ttpRefs };
 }
-function byFramework(frameworkId, scenario) {
+function byFramework(frameworkId) {
   const gaps = loadCatalog('framework-control-gaps.json');
   const global = loadCatalog('global-frameworks.json');
-  const matching = entries(gaps).filter(([, g]) => {
-    if (g.framework !== frameworkId && g.framework !== 'ALL') return false;
-    if (scenario && Array.isArray(g.scenarios) && !g.scenarios.includes(scenario)) return false;
-    return true;
-  }).map(([id, g]) => ({ id, ...g }));
+  const matching = entries(gaps)
+    .filter(([, g]) => g.framework === frameworkId || g.framework === 'ALL')
+    .map(([id, g]) => ({ id, ...g }));
   const fwMeta = global[frameworkId] || null;
-  return { framework: frameworkId, scenario: scenario || null, framework_meta: fwMeta, gaps: matching, gap_count: matching.length };
+  return { framework: frameworkId, framework_meta: fwMeta, gaps: matching, gap_count: matching.length };
 }
 /**
@@ -242,12 +299,20 @@ function byFramework(frameworkId, scenario) {
 function theaterTestsFor({ cveIds = [], frameworkIds = [], skillIds = [] }) {
   const fp = loadIndex('theater-fingerprints.json');
   const matches = [];
-  for (const [id, t] of entries(fp)) {
-    const cveMatch  = cveIds.some(c => (t.cve_refs || []).includes(c));
-    const fwMatch   = frameworkIds.some(f => (t.framework_refs || []).includes(f));
-    const skillMatch = skillIds.some(s => (t.skill_refs || []).includes(s));
+  // Fingerprints are nested under the index's `patterns` container, not at
+  // the top level. Each pattern records a single `evidence.cve`, a list of
+  // `controls` (each {framework, control_id}), and a `source_skill`. A
+  // framework match accepts either the bare control id ("SI-2") or the
+  // qualified "framework::control_id" form the by_control index keys on.
+  for (const [id, t] of Object.entries(fp.patterns || {})) {
+    if (!t) continue;
+    const cveMatch = t.evidence && cveIds.includes(t.evidence.cve);
+    const fwMatch = (t.controls || []).some(c =>
+      frameworkIds.includes(c.control_id) || frameworkIds.includes(`${c.framework}::${c.control_id}`)
+    );
+    const skillMatch = skillIds.includes(t.source_skill);
     if (cveMatch || fwMatch || skillMatch) {
-      matches.push({ id, distinguisher: t.distinguisher || t.test, applies_when: t.applies_when });
+      matches.push({ id, pattern_name: t.pattern_name, distinguisher: t.fast_test, controls: t.controls });
     }
   }
   return matches;
@@ -264,12 +329,12 @@ function globalFrameworkContext({ cveIds = [], ttpIds = [] }) {
   const ttpSet = new Set(ttpIds);
   const grouped = {};
   for (const [id, g] of entries(gaps)) {
-    const cveHit = (g.cve_refs || []).some(c => cveSet.has(c));
-    const ttpHit = (g.ttp_refs || []).some(t => ttpSet.has(t));
+    const cveHit = (g.evidence_cves || []).some(c => cveSet.has(c));
+    const ttpHit = [...(g.atlas_refs || []), ...(g.attack_refs || [])].some(t => ttpSet.has(t));
     if (!cveHit && !ttpHit) continue;
     const fw = g.framework || 'unspecified';
     grouped[fw] = grouped[fw] || [];
-    grouped[fw].push({ id, control: g.control, status: g.status, scenarios: g.scenarios });
+    grouped[fw].push({ id, control: g.control_id, control_name: g.control_name, status: g.status });
   }
   return grouped;
 }

package/lib/lint-skills.js CHANGED Viewed

@@ -175,7 +175,12 @@ function readJson(p) {
  * accept malformed frontmatter.
  */
 function parseFrontmatter(text) {
-  const lines = text.split(/\r?\n/);
+  // Strip a trailing CR per line: split(/\r?\n/) consumes interior CRLFs, but a
+  // dangling `\r` survives on the final frontmatter line (the close marker
+  // consumed the `\n`, not the `\r`). `.` does not match `\r`, so that line's
+  // value would fail the per-line regex with a misleading "Could not parse
+  // frontmatter line N" on an otherwise valid CRLF skill.md.
+  const lines = text.split(/\r?\n/).map((l) => l.replace(/\r$/, ''));
   const result = {};
   // Track every top-level key we've already assigned. YAML's last-wins
   // semantics would let a tampered skill set name twice