@blamejs/exceptd-skills 0.16.28 → 0.16.30

package/scripts/sync-package-description.js

@@ -0,0 +1,74 @@
+'use strict';
+
+/**
+ * scripts/sync-package-description.js
+ *
+ * Regenerate the count-bearing tokens embedded in package.json.description from
+ * the live catalogs + manifest, so the description stays in sync when an
+ * auto-refresh changes an entry count. refresh-sbom copies the description into
+ * sbom.cdx.json, and check-sbom-currency validates every token against the live
+ * counts — without this sync, the first refresh that changes a count would fail
+ * the SBOM description-token gate on the auto-PR.
+ *
+ * Targeted, format-preserving: replaces only the integer in each known
+ * "<N> <label>" token (skills / catalogs / jurisdictions / per-catalog entry
+ * counts). Reuses check-sbom-currency's token table so the two can't drift.
+ *
+ * Run before refresh-sbom in the refresh apply path (and idempotent locally).
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+const { DESCRIPTION_ENTRY_TOKENS, catalogEntryCount } = require('./check-sbom-currency');
+
+function syncPackageDescription(root = path.join(__dirname, '..')) {
+  const pkgPath = path.join(root, 'package.json');
+  const dataDir = path.join(root, 'data');
+  const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+  const manifest = JSON.parse(fs.readFileSync(path.join(root, 'manifest.json'), 'utf8'));
+
+  const before = pkg.description || '';
+  let desc = before;
+
+  const liveSkills = Array.isArray(manifest.skills) ? manifest.skills.length : 0;
+  const liveCatalogs = fs.readdirSync(dataDir).filter((f) => f.endsWith('.json')).length;
+  let liveJurisdictions = null;
+  try {
+    const gf = JSON.parse(fs.readFileSync(path.join(dataDir, 'global-frameworks.json'), 'utf8'));
+    liveJurisdictions = Object.keys(gf).filter((k) => !k.startsWith('_')).length;
+  } catch { /* leave null — skip the jurisdiction token */ }
+
+  // Replace only the integer in "<N> <label>"; `labelRe` is the same (already
+  // regex-escaped) pattern check-sbom-currency matches, and $2 preserves the
+  // matched label text verbatim.
+  const sub = (n, labelRe) => {
+    if (n == null) return;
+    desc = desc.replace(new RegExp('(\\d+)(\\s+' + labelRe + '\\b)'), String(n) + '$2');
+  };
+
+  sub(liveSkills, 'skills');
+  sub(liveCatalogs, 'catalogs?');
+  sub(liveJurisdictions, 'jurisdictions?');
+  for (const { file, label } of DESCRIPTION_ENTRY_TOKENS) {
+    sub(catalogEntryCount(dataDir, file), label);
+  }
+
+  const changed = desc !== before;
+  if (changed) {
+    pkg.description = desc;
+    fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n');
+  }
+  return { changed, description: desc };
+}
+
+if (require.main === module) {
+  const r = syncPackageDescription();
+  process.stdout.write(
+    r.changed
+      ? `package.json description synced from live counts:\n  ${r.description}\n`
+      : 'package.json description already in sync with live counts.\n'
+  );
+}
+
+module.exports = { syncPackageDescription };

package/scripts/verify-shipped-tarball.js

@@ -119,9 +119,15 @@ module.exports = {
 const ROOT = path.resolve(__dirname, "..");
 
 function emit(msg) { process.stdout.write(`[verify-shipped-tarball] ${msg}\n`); }
+// Sentinel thrown by fail() so the script body's try/finally still runs its
+// temp-dir cleanup. process.exit() would preempt the finally, leaking the
+// npm-pack temp dir on every run (predeploy gate + `npm test`). Abort by
+// throwing instead and set the exit code via process.exitCode.
+const ABORT = Symbol("verify-shipped-tarball:abort");
 function fail(msg, code = 1) {
   process.stderr.write(`[verify-shipped-tarball] FAIL: ${msg}\n`);
-  process.exit(code);
+  process.exitCode = code;
+  throw ABORT;
 }
 
 // Gate the script body behind require.main === module so tests can
@@ -374,15 +380,20 @@ try {
   emit(`tarball verify result: ${pass}/${total} pass, ${fail_count} fail, ${miss} missing`);
   if (fail_count === 0 && miss === 0 && pass === total) {
     emit(`PASS — shipped tarball is internally consistent`);
-    process.exit(0);
+    process.exitCode = 0;
+  } else {
+    for (const f of failures.slice(0, 10)) emit(`  - ${f}`);
+    if (failures.length > 10) emit(`  ... and ${failures.length - 10} more`);
+    emit(`FAIL — shipped tarball would be broken on every fresh install. Refusing to publish.`);
+    process.exitCode = 1;
   }
-  for (const f of failures.slice(0, 10)) emit(`  - ${f}`);
-  if (failures.length > 10) emit(`  ... and ${failures.length - 10} more`);
-  emit(`FAIL — shipped tarball would be broken on every fresh install. Refusing to publish.`);
-  process.exit(1);
+} catch (e) {
+  // ABORT is the fail() sentinel — cleanup still runs via finally below. Any
+  // other error is unexpected: let finally run, then re-propagate it.
+  if (e !== ABORT) throw e;
 } finally {
   // Best-effort cleanup; leave on failure for diagnostics.
-  if (process.exitCode === 0) {
+  if (process.exitCode === 0 || process.exitCode === undefined) {
     try { fs.rmSync(tmpRoot, { recursive: true, force: true }); } catch {}
   } else {
     emit(`temp dir preserved for inspection: ${tmpRoot}`);

package/sources/validators/cve-validator.js

@@ -39,7 +39,7 @@ const KEV_FEED = 'https://www.cisa.gov/sites/default/files/feeds/known_exploited
 const EPSS_API = 'https://api.first.org/data/v1/epss?cve=';
 const REQUEST_TIMEOUT_MS = 10_000;
 
-const { selectNvdCvss } = require('../../lib/cvss');
+const { selectNvdCvss, cvssVersionOf } = require('../../lib/cvss');
 const EPSS_DRIFT_THRESHOLD = 0.05; // |Δscore| or |Δpercentile| > 0.05 flags drift
 const USER_AGENT = 'exceptd-security/cve-validator (+https://exceptd.com)';
 
@@ -269,13 +269,23 @@ async function validateCve(cveId, localEntry) {
   }
 
   // --- Compare CVSS (only if NVD reachable & has data) ---
-  if (cveFoundInNvd && fetched.cvss_score !== null && local.cvss_score !== null) {
-    if (Math.abs(fetched.cvss_score - local.cvss_score) > 0.05) {
+  // Guard against cross-version downgrades: NVD often carries only a legacy v2
+  // metric for older CVEs while the catalog is curated to CVSS:3.1. Surfacing
+  // (and, on `refresh --apply`, writing) the lower v2 score/vector over a
+  // curated v3.x value is a downgrade, not a drift. Mirror the cache path's
+  // suppression (lib/refresh-external.js nvdDiffFromCache) so the live and
+  // cache refresh paths converge; a same-version re-score still flows through.
+  const localCvssVersion = cvssVersionOf(local.cvss_vector);
+  const fetchedCvssVersion = cvssVersionOf(fetched.cvss_vector);
+  const cvssIsDowngrade =
+    fetchedCvssVersion != null && localCvssVersion != null && fetchedCvssVersion < localCvssVersion;
+  if (cveFoundInNvd && !cvssIsDowngrade) {
+    if (fetched.cvss_score !== null && local.cvss_score !== null &&
+        Math.abs(fetched.cvss_score - local.cvss_score) > 0.05) {
       pushDiscrepancy(discrepancies, 'cvss_score', local.cvss_score, fetched.cvss_score, 'high');
     }
-  }
-  if (cveFoundInNvd && fetched.cvss_vector && local.cvss_vector) {
-    if (fetched.cvss_vector !== local.cvss_vector) {
+    if (fetched.cvss_vector && local.cvss_vector &&
+        fetched.cvss_vector !== local.cvss_vector) {
       pushDiscrepancy(discrepancies, 'cvss_vector', local.cvss_vector, fetched.cvss_vector, 'medium');
     }
   }