@blamejs/exceptd-skills 0.16.7 → 0.16.9

package/CHANGELOG.md

@@ -1,5 +1,20 @@
 # Changelog
 
+## 0.16.9 — 2026-06-01
+
+The catalog now covers a set of real, vendor-patched protocol-layer flaws it previously did not name, so scans, triage, and reports surface them with RWEP scoring and behavioral indicators:
+
+- **SMTP smuggling** — CVE-2023-51764 (Postfix), CVE-2023-51765 (Sendmail), CVE-2023-51766 (Exim): a mail server that accepts a non-standard end-of-data sequence lets an attacker smuggle a second message that passes SPF, DKIM, and DMARC on the outer envelope and spoofs the sender. The fix is an end-of-data hardening setting (or upgrade), not a control sender-authentication can supply.
+- **STARTTLS command/response injection** — CVE-2021-38371 (Exim), CVE-2021-33515 (Dovecot), CVE-2011-0411 (Postfix): a server that does not discard bytes buffered before the TLS handshake executes attacker-supplied plaintext inside the encrypted session. Transport encryption strength is irrelevant — the bytes cross the boundary before TLS applies.
+- **DNSSEC validating-resolver CPU exhaustion** — CVE-2023-50387 (KeyTrap) and CVE-2023-50868 (NSEC3): a single crafted DNSSEC response forces worst-case signature evaluation or NSEC3 hash iteration and stalls the resolver for every client.
+- **HTTP/2 Rapid Reset** — CVE-2023-44487 (CISA KEV, confirmed exploited): rapid stream open-then-reset cycles exhaust the server at near-zero cost to the attacker.
+
+CWE-93 (CRLF injection) is added to the weakness catalog to back the SMTP-smuggling class.
+
+## 0.16.8 — 2026-05-31
+
+`discover` now recommends the `containers` playbook whenever a Dockerfile, Containerfile, or compose file exists anywhere in the tree — a Dockerfile in a subdirectory, or a compose variant like `docker-compose.test.yml` — matching exactly the surface the containers collector scans. Previously it probed only for a root-level `Dockerfile` / `docker-compose.yml`, so a repository whose container config lived in a subdirectory or used a variant filename was never told to run the container security review and its Dockerfile findings went unsurfaced.
+
 ## 0.16.7 — 2026-05-31
 
 The default (human) run output now lists collector notices — for example a file skipped for exceeding the scan-size limit — under a "Collector notices" section, instead of carrying them only in `--json`. Previously a human reader saw "evidence: complete" with no indication that part of the tree was not scanned.
@@ -3631,7 +3646,7 @@ Adds detection for the npm supply-chain worm disclosed 2026-05-11 (84 malicious
 
 - `skills/supply-chain-integrity/SKILL.md` — adds the CVE-2026-45321 case at the top of Threat Context with the chained-primitives explanation and the new SLSA-L3-insufficient framing.
 
-### Eating own dogfood
+### Self-applied supply-chain hardening
 
 - `.npmrc` — adds `before=72h` + `minimumReleaseAge=4320` so this repo refuses fresh-publish installs. Survives downgrade to older npm via both flags.
 

package/bin/exceptd.js

@@ -6258,8 +6258,24 @@ function cmdDiscover(runner, args, runOpts, pretty) {
   const hasRust = detected.includes("Cargo.toml");
   const hasGo = detected.includes("go.mod");
   const hasProject = hasNode || hasPython || hasRust || hasGo;
+  // Container artifacts ANYWHERE in the tree (subdir Dockerfiles, compose
+  // variants like docker-compose.test.yml) — not just a root-level exact-name
+  // file. The root-only `probe()`s above miss them, so mirror exactly what the
+  // containers collector walks/classifies, otherwise discover under-recommends
+  // `containers` and an operator silently skips a relevant playbook.
+  let containerArtifacts = [];
+  try {
+    const containersMod = require(path.join(PKG_ROOT, "lib", "collectors", "containers.js"));
+    if (typeof containersMod.hasContainerArtifacts === "function") {
+      containerArtifacts = containersMod.hasContainerArtifacts(cwd);
+    }
+  } catch { /* best-effort detection; never break discover on a walk error */ }
+  if (containerArtifacts.length && !detected.includes("Dockerfile")
+      && !detected.includes("docker-compose.yml") && !detected.includes("docker-compose.yaml")) {
+    detected.push(`container-config (${containerArtifacts[0]})`);
+  }
   const hasContainers = detected.includes("Dockerfile") || detected.includes("docker-compose.yml")
-    || detected.includes("docker-compose.yaml");
+    || detected.includes("docker-compose.yaml") || containerArtifacts.length > 0;
   const isLinux = hostPlatform === "linux";
 
   // .github/workflows/ directory probe — surfaces the CI/CD posture

package/data/_indexes/_meta.json

@@ -1,21 +1,21 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-31T23:02:26.834Z",
+  "generated_at": "2026-06-02T05:46:26.678Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "a7f763262eeb00756a434038ddd8959b3156461c5d45c954dfa853d03b5cd2ab",
-    "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "318bf8e9c5aee1d0a4a1dc37c4b211f2fbc937bf332a401a22483cc7d0547252",
-    "data/cve-catalog.json": "1aac7e75eae24ece2ef09d1c63977bdd7a1f81a9f11609ebb966109be316426c",
-    "data/cwe-catalog.json": "b0e4d8f90b655b2b35b1e91c682ee66f2aa51ae5d38efb14f0e1b77f75ec5f7b",
+    "manifest.json": "3dab3ebc6c86b2318f956da3e343ad7b470f05dd30e2afbee5a8e3b3a845a926",
+    "data/atlas-ttps.json": "f66b456cf82a3c20575d8479de41f7b11b7ee5693eb1fcf64a67e162ae1b88a2",
+    "data/attack-techniques.json": "c39f28e3402ef13ad9b7076819f63fda67a22f97e3e375cfe01c4a4e0beff7c9",
+    "data/cve-catalog.json": "8264da4534d39c9493cfcd18acf7e38ed47ce2a81be15afd5a3f4baf1d504929",
+    "data/cwe-catalog.json": "5def8d82bbe51382ec55fc7186722974077e1289194e4ea002df0e3c52c6a017",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
     "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
-    "data/framework-control-gaps.json": "49cfbcaf0f27662db7e12340839c29f05d4ae31bc255dc9fa49ad1b4a45d0fa3",
+    "data/framework-control-gaps.json": "3f9ad83198da40d920e70933e615ac14ade4add037e1c664586c2ee3524edec4",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "c7419ef8265a8385ab29e37e3f3237f120dd2fa448692f9dc1aa2fd79339fc76",
+    "data/zeroday-lessons.json": "b6403d31f06e8f081217c338d2d5c515f8352295fbf58395f3c571cd95a05de0",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",
@@ -72,8 +72,8 @@
       "dlp_refs": 0
     },
     "trigger_table_entries": 538,
-    "chains_cve_entries": 417,
-    "chains_cwe_entries": 173,
+    "chains_cve_entries": 426,
+    "chains_cwe_entries": 174,
     "jurisdictions_indexed": 29,
     "handoff_dag_nodes": 42,
     "summary_cards": 42,

package/data/_indexes/activity-feed.json

@@ -6,12 +6,28 @@
   },
   "events": [
     {
-      "date": "2026-05-30",
+      "date": "2026-06-01",
       "type": "catalog_update",
       "artifact": "data/cve-catalog.json",
       "path": "data/cve-catalog.json",
       "schema_version": "1.0.0",
-      "entry_count": 430
+      "entry_count": 439
+    },
+    {
+      "date": "2026-06-01",
+      "type": "catalog_update",
+      "artifact": "data/cwe-catalog.json",
+      "path": "data/cwe-catalog.json",
+      "schema_version": "1.0.0",
+      "entry_count": 174
+    },
+    {
+      "date": "2026-06-01",
+      "type": "catalog_update",
+      "artifact": "data/zeroday-lessons.json",
+      "path": "data/zeroday-lessons.json",
+      "schema_version": "1.1.0",
+      "entry_count": 439
     },
     {
       "date": "2026-05-27",
@@ -100,14 +116,6 @@
       "schema_version": "1.0.0",
       "entry_count": 805
     },
-    {
-      "date": "2026-05-19",
-      "type": "catalog_update",
-      "artifact": "data/cwe-catalog.json",
-      "path": "data/cwe-catalog.json",
-      "schema_version": "1.0.0",
-      "entry_count": 173
-    },
     {
       "date": "2026-05-19",
       "type": "catalog_update",
@@ -159,14 +167,6 @@
       "schema_version": "1.0.0",
       "entry_count": 194
     },
-    {
-      "date": "2026-05-18",
-      "type": "catalog_update",
-      "artifact": "data/zeroday-lessons.json",
-      "path": "data/zeroday-lessons.json",
-      "schema_version": "1.1.0",
-      "entry_count": 430
-    },
     {
       "date": "2026-05-17",
       "type": "skill_review",

package/data/_indexes/catalog-summaries.json

@@ -53,7 +53,7 @@
       "path": "data/cve-catalog.json",
       "purpose": "Per-CVE record (CVSS, EPSS, CISA KEV, RWEP, AI-discovery, vendor advisories, framework gaps, ATLAS/ATT&CK mappings). Cross-validated against NVD + CISA KEV + FIRST EPSS via validate-cves.",
       "schema_version": "1.0.0",
-      "last_updated": "2026-05-30",
+      "last_updated": "2026-06-01",
       "tlp": "CLEAR",
       "source_confidence_default": "A1",
       "freshness_policy": {
@@ -62,7 +62,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 430,
+      "entry_count": 439,
       "sample_keys": [
         "CVE-2022-23812",
         "MAL-2026-TRAPDOOR-CROSS-ECOSYSTEM",
@@ -75,7 +75,7 @@
       "path": "data/cwe-catalog.json",
       "purpose": "MITRE CWE entries used by the project (subset with skill citations), with severity hint and category. Pinned to a CWE catalog version.",
       "schema_version": "1.0.0",
-      "last_updated": "2026-05-19",
+      "last_updated": "2026-06-01",
       "tlp": "CLEAR",
       "source_confidence_default": "A1",
       "freshness_policy": {
@@ -84,7 +84,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 173,
+      "entry_count": 174,
       "sample_keys": [
         "CWE-20",
         "CWE-22",
@@ -229,7 +229,7 @@
       "path": "data/zeroday-lessons.json",
       "purpose": "Distilled lessons from notable zero-days and campaigns (SesameOp, Copy Fail, Dirty Frag, Copilot RCE, Windsurf MCP). Each entry: technique, distinguishing characteristic, what it means for the framework lag.",
       "schema_version": "1.1.0",
-      "last_updated": "2026-05-18",
+      "last_updated": "2026-06-01",
       "tlp": "CLEAR",
       "source_confidence_default": "B2",
       "freshness_policy": {
@@ -238,7 +238,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 430,
+      "entry_count": 439,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",