@clear-capabilities/agentic-security-scanner 0.74.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (331)
  1. package/CHANGELOG.md +1580 -0
  2. package/bin/.agentic-security/findings.json +1577 -0
  3. package/bin/.agentic-security/last-scan.json +1577 -0
  4. package/bin/.agentic-security/last-scan.json.sig +1 -0
  5. package/bin/.agentic-security/scan-history.json +465 -0
  6. package/bin/.agentic-security/streak.json +25 -0
  7. package/bin/agentic-security-audit.js +198 -0
  8. package/bin/agentic-security-consistency.js +80 -0
  9. package/bin/agentic-security-diff.js +136 -0
  10. package/bin/agentic-security-lsp.js +12 -0
  11. package/bin/agentic-security-mcp.js +40 -0
  12. package/bin/agentic-security-rule.js +153 -0
  13. package/bin/agentic-security.js +1683 -0
  14. package/dist/117.index.js +207 -0
  15. package/dist/178.index.js +250 -0
  16. package/dist/218.index.js +793 -0
  17. package/dist/227.index.js +192 -0
  18. package/dist/301.index.js +167 -0
  19. package/dist/384.index.js +18 -0
  20. package/dist/476.index.js +126 -0
  21. package/dist/513.index.js +373 -0
  22. package/dist/520.index.js +13 -0
  23. package/dist/601.index.js +1038 -0
  24. package/dist/634.index.js +1892 -0
  25. package/dist/637.index.js +216 -0
  26. package/dist/660.index.js +131 -0
  27. package/dist/675.index.js +451 -0
  28. package/dist/826.index.js +188 -0
  29. package/dist/830.index.js +133 -0
  30. package/dist/agentic-security.mjs +272 -0
  31. package/dist/agentic-security.mjs.sha256 +1 -0
  32. package/dist/calibration-seed.json +27 -0
  33. package/package.json +77 -0
  34. package/src/.agentic-security/findings.json +80844 -0
  35. package/src/.agentic-security/last-scan.json +80844 -0
  36. package/src/.agentic-security/last-scan.json.sig +1 -0
  37. package/src/.agentic-security/scan-history.json +8408 -0
  38. package/src/.agentic-security/streak.json +26 -0
  39. package/src/badge.js +188 -0
  40. package/src/compare.js +203 -0
  41. package/src/dataflow/.agentic-security/findings.json +3487 -0
  42. package/src/dataflow/.agentic-security/last-scan.json +3487 -0
  43. package/src/dataflow/.agentic-security/last-scan.json.sig +1 -0
  44. package/src/dataflow/.agentic-security/scan-history.json +735 -0
  45. package/src/dataflow/.agentic-security/streak.json +24 -0
  46. package/src/dataflow/CLAUDE.md +38 -0
  47. package/src/dataflow/access-paths.js +172 -0
  48. package/src/dataflow/async-sequencing.js +177 -0
  49. package/src/dataflow/backward.js +201 -0
  50. package/src/dataflow/catalog-expanded.js +485 -0
  51. package/src/dataflow/catalog.js +659 -0
  52. package/src/dataflow/cross-repo.js +219 -0
  53. package/src/dataflow/engine.js +588 -0
  54. package/src/dataflow/exception-flow.js +116 -0
  55. package/src/dataflow/exploit-prover.js +187 -0
  56. package/src/dataflow/higher-order.js +221 -0
  57. package/src/dataflow/ifds.js +347 -0
  58. package/src/dataflow/implicit-flow.js +129 -0
  59. package/src/dataflow/incremental.js +229 -0
  60. package/src/dataflow/index.js +181 -0
  61. package/src/dataflow/numeric-domain.js +192 -0
  62. package/src/dataflow/path-feasibility.js +114 -0
  63. package/src/dataflow/points-to.js +337 -0
  64. package/src/dataflow/polyglot.js +190 -0
  65. package/src/dataflow/proven-clean.js +159 -0
  66. package/src/dataflow/receiver-context.js +76 -0
  67. package/src/dataflow/sanitizer-proof.js +154 -0
  68. package/src/dataflow/soft-taint.js +140 -0
  69. package/src/dataflow/string-domain.js +234 -0
  70. package/src/dataflow/stub-aware-filter.js +100 -0
  71. package/src/dataflow/summaries.js +132 -0
  72. package/src/dataflow/symbolic-exec.js +238 -0
  73. package/src/dataflow/tabulation.js +135 -0
  74. package/src/engine.js +7763 -0
  75. package/src/history-scan.js +229 -0
  76. package/src/index.js +3 -0
  77. package/src/integrations/.agentic-security/findings.json +1504 -0
  78. package/src/integrations/.agentic-security/last-scan.json +1504 -0
  79. package/src/integrations/.agentic-security/scan-history.json +40 -0
  80. package/src/integrations/.agentic-security/streak.json +21 -0
  81. package/src/integrations/index.js +321 -0
  82. package/src/integrations/tickets.js +200 -0
  83. package/src/ir/.agentic-security/findings.json +3036 -0
  84. package/src/ir/.agentic-security/last-scan.json +3036 -0
  85. package/src/ir/.agentic-security/last-scan.json.sig +1 -0
  86. package/src/ir/.agentic-security/scan-history.json +364 -0
  87. package/src/ir/.agentic-security/streak.json +23 -0
  88. package/src/ir/CLAUDE.md +172 -0
  89. package/src/ir/callgraph.js +73 -0
  90. package/src/ir/class-hierarchy.js +195 -0
  91. package/src/ir/index.js +152 -0
  92. package/src/ir/parser-cs.js +260 -0
  93. package/src/ir/parser-java.js +286 -0
  94. package/src/ir/parser-js.js +413 -0
  95. package/src/ir/parser-kt.js +258 -0
  96. package/src/ir/parser-py-cst.js +136 -0
  97. package/src/ir/parser-py.helper.py +501 -0
  98. package/src/ir/parser-py.js +312 -0
  99. package/src/ir/ssa.js +315 -0
  100. package/src/ir/type-stubs.js +288 -0
  101. package/src/leaderboard.js +152 -0
  102. package/src/llm-validator/.agentic-security/findings.json +1891 -0
  103. package/src/llm-validator/.agentic-security/last-scan.json +1891 -0
  104. package/src/llm-validator/.agentic-security/last-scan.json.sig +1 -0
  105. package/src/llm-validator/.agentic-security/scan-history.json +168 -0
  106. package/src/llm-validator/.agentic-security/streak.json +20 -0
  107. package/src/llm-validator/consistency.js +141 -0
  108. package/src/llm-validator/index.js +437 -0
  109. package/src/lsp/.agentic-security/findings.json +28 -0
  110. package/src/lsp/.agentic-security/last-scan.json +28 -0
  111. package/src/lsp/.agentic-security/scan-history.json +79 -0
  112. package/src/lsp/.agentic-security/streak.json +22 -0
  113. package/src/lsp/server.js +275 -0
  114. package/src/mcp/.agentic-security/findings.json +8358 -0
  115. package/src/mcp/.agentic-security/last-scan.json +8358 -0
  116. package/src/mcp/.agentic-security/last-scan.json.sig +1 -0
  117. package/src/mcp/.agentic-security/scan-history.json +1125 -0
  118. package/src/mcp/.agentic-security/streak.json +22 -0
  119. package/src/mcp/CLAUDE.md +54 -0
  120. package/src/mcp/audit.js +136 -0
  121. package/src/mcp/redact.js +75 -0
  122. package/src/mcp/server.js +158 -0
  123. package/src/mcp/stdio.js +83 -0
  124. package/src/mcp/tools.js +940 -0
  125. package/src/mcp/validate.js +49 -0
  126. package/src/personality.js +164 -0
  127. package/src/poc-video.js +239 -0
  128. package/src/posture/.agentic-security/findings.json +51239 -0
  129. package/src/posture/.agentic-security/last-scan.json +51239 -0
  130. package/src/posture/.agentic-security/last-scan.json.sig +1 -0
  131. package/src/posture/.agentic-security/scan-history.json +5557 -0
  132. package/src/posture/.agentic-security/streak.json +24 -0
  133. package/src/posture/CLAUDE.md +42 -0
  134. package/src/posture/adversarial-self-test.js +114 -0
  135. package/src/posture/adversary-agent.js +204 -0
  136. package/src/posture/agents-memory.js +135 -0
  137. package/src/posture/ai-code-fingerprint.js +171 -0
  138. package/src/posture/aibom.js +284 -0
  139. package/src/posture/api-inventory.js +96 -0
  140. package/src/posture/attack-playbooks.js +305 -0
  141. package/src/posture/auditor-agent.js +115 -0
  142. package/src/posture/auth-posture-import.js +135 -0
  143. package/src/posture/baseline-compare.js +114 -0
  144. package/src/posture/blast-radius.js +836 -0
  145. package/src/posture/bounty-prediction.js +141 -0
  146. package/src/posture/business-logic.js +239 -0
  147. package/src/posture/calibration-drift.js +93 -0
  148. package/src/posture/calibration-seed.json +27 -0
  149. package/src/posture/calibration.js +204 -0
  150. package/src/posture/clustering.js +75 -0
  151. package/src/posture/concurrency-checker.js +265 -0
  152. package/src/posture/confidence.js +65 -0
  153. package/src/posture/container-runtime.js +149 -0
  154. package/src/posture/counterfactual.js +109 -0
  155. package/src/posture/cross-lang-graphql.js +165 -0
  156. package/src/posture/cross-lang-grpc.js +166 -0
  157. package/src/posture/cross-lang-meta.js +101 -0
  158. package/src/posture/cross-lang-openapi.js +187 -0
  159. package/src/posture/cross-lang-orm.js +153 -0
  160. package/src/posture/cross-lang-queues.js +210 -0
  161. package/src/posture/crown-jewels.js +110 -0
  162. package/src/posture/custom-rules.js +361 -0
  163. package/src/posture/cve-alert-daemon.js +433 -0
  164. package/src/posture/cve-lookup.js +129 -0
  165. package/src/posture/dead-code.js +430 -0
  166. package/src/posture/defender-agent.js +158 -0
  167. package/src/posture/deploy-platform.js +204 -0
  168. package/src/posture/detector-fuzz.js +61 -0
  169. package/src/posture/deterministic.js +99 -0
  170. package/src/posture/drift.js +165 -0
  171. package/src/posture/epss.js +156 -0
  172. package/src/posture/exploitability-probability.js +212 -0
  173. package/src/posture/exploitability.js +121 -0
  174. package/src/posture/feature-flags.js +110 -0
  175. package/src/posture/finding-defaults.js +132 -0
  176. package/src/posture/fix-history.js +411 -0
  177. package/src/posture/fix-plan.js +121 -0
  178. package/src/posture/fix-verify-loop.js +157 -0
  179. package/src/posture/fix-verify.js +130 -0
  180. package/src/posture/flow-narration.js +105 -0
  181. package/src/posture/grader-calibration.js +156 -0
  182. package/src/posture/harness-discovery.js +113 -0
  183. package/src/posture/holdout-eval.js +144 -0
  184. package/src/posture/iac-reachability.js +163 -0
  185. package/src/posture/iam-policy.js +128 -0
  186. package/src/posture/integrity.js +97 -0
  187. package/src/posture/learning.js +166 -0
  188. package/src/posture/license-policy.js +109 -0
  189. package/src/posture/llm-redteam-prompts.js +418 -0
  190. package/src/posture/llm-redteam.js +303 -0
  191. package/src/posture/material-change.js +163 -0
  192. package/src/posture/mitigation-composite.js +55 -0
  193. package/src/posture/mttr.js +91 -0
  194. package/src/posture/network-policy-import.js +126 -0
  195. package/src/posture/path-predicates.js +99 -0
  196. package/src/posture/persona-prioritization.js +153 -0
  197. package/src/posture/poc-cwe-map.js +51 -0
  198. package/src/posture/poc-generator.js +500 -0
  199. package/src/posture/policy-gate.js +174 -0
  200. package/src/posture/pre-incident-archaeology.js +110 -0
  201. package/src/posture/profile.js +93 -0
  202. package/src/posture/reachability-filter.js +42 -0
  203. package/src/posture/regression-test-gen.js +200 -0
  204. package/src/posture/reverse-blast-radius.js +110 -0
  205. package/src/posture/router.js +109 -0
  206. package/src/posture/rule-overrides.js +198 -0
  207. package/src/posture/rule-pack-signing.js +209 -0
  208. package/src/posture/rule-packs.js +143 -0
  209. package/src/posture/rule-synthesis.js +108 -0
  210. package/src/posture/ruleset-version.js +71 -0
  211. package/src/posture/sbom.js +129 -0
  212. package/src/posture/schema-aware-bridge.js +207 -0
  213. package/src/posture/security-trend.js +87 -0
  214. package/src/posture/semantic-clone.js +114 -0
  215. package/src/posture/specification-mining.js +170 -0
  216. package/src/posture/stable-id.js +75 -0
  217. package/src/posture/stack-playbook.js +229 -0
  218. package/src/posture/streak.js +249 -0
  219. package/src/posture/suppressions.js +135 -0
  220. package/src/posture/telemetry-ingest.js +112 -0
  221. package/src/posture/threat-model.js +145 -0
  222. package/src/posture/three-agent-pipeline.js +74 -0
  223. package/src/posture/triage.js +146 -0
  224. package/src/posture/trust-boundary-diagram.js +115 -0
  225. package/src/posture/type-narrowing.js +129 -0
  226. package/src/posture/validator-metrics.js +179 -0
  227. package/src/posture/verifier-ephemeral.js +118 -0
  228. package/src/posture/verifier-target.js +147 -0
  229. package/src/posture/verifier.js +257 -0
  230. package/src/posture/version.js +75 -0
  231. package/src/posture/waf-ingest.js +200 -0
  232. package/src/posture/why-fired.js +141 -0
  233. package/src/pr-comment.js +172 -0
  234. package/src/pr-delta.js +198 -0
  235. package/src/report/.agentic-security/findings.json +79 -0
  236. package/src/report/.agentic-security/last-scan.json +79 -0
  237. package/src/report/.agentic-security/last-scan.json.sig +1 -0
  238. package/src/report/.agentic-security/scan-history.json +332 -0
  239. package/src/report/.agentic-security/streak.json +23 -0
  240. package/src/report/index.js +1136 -0
  241. package/src/report/mascot.js +42 -0
  242. package/src/runScan.js +141 -0
  243. package/src/sast/.agentic-security/findings.json +5051 -0
  244. package/src/sast/.agentic-security/last-scan.json +5051 -0
  245. package/src/sast/.agentic-security/last-scan.json.sig +1 -0
  246. package/src/sast/.agentic-security/scan-history.json +788 -0
  247. package/src/sast/.agentic-security/streak.json +23 -0
  248. package/src/sast/CLAUDE.md +39 -0
  249. package/src/sast/_comment-strip.js +46 -0
  250. package/src/sast/agent-tool-escalation.js +131 -0
  251. package/src/sast/auth-provider.js +171 -0
  252. package/src/sast/authz.js +236 -0
  253. package/src/sast/bench-shape/.agentic-security/findings.json +28 -0
  254. package/src/sast/bench-shape/.agentic-security/last-scan.json +28 -0
  255. package/src/sast/bench-shape/.agentic-security/scan-history.json +24 -0
  256. package/src/sast/bench-shape/.agentic-security/streak.json +22 -0
  257. package/src/sast/bench-shape/index.js +62 -0
  258. package/src/sast/claude-hook-injection.js +199 -0
  259. package/src/sast/claude-md-prompt-injection.js +170 -0
  260. package/src/sast/claude-settings.js +165 -0
  261. package/src/sast/client-side.js +149 -0
  262. package/src/sast/cpp-bench-extras.js +122 -0
  263. package/src/sast/cpp-dataflow.js +430 -0
  264. package/src/sast/cpp.js +248 -0
  265. package/src/sast/csharp.js +152 -0
  266. package/src/sast/csrf.js +82 -0
  267. package/src/sast/dart-flutter.js +173 -0
  268. package/src/sast/db-rls.js +147 -0
  269. package/src/sast/db-taint.js +215 -0
  270. package/src/sast/defi-deep.js +242 -0
  271. package/src/sast/deserialization-gadgets.js +113 -0
  272. package/src/sast/django-hardening.js +230 -0
  273. package/src/sast/env-hygiene.js +125 -0
  274. package/src/sast/fastapi-hardening.js +145 -0
  275. package/src/sast/go-extended.js +84 -0
  276. package/src/sast/host-header.js +106 -0
  277. package/src/sast/index.js +17 -0
  278. package/src/sast/java-ast-folding.js +561 -0
  279. package/src/sast/java-bench-extras.js +708 -0
  280. package/src/sast/java-collection-passthrough.js +178 -0
  281. package/src/sast/java-constant-fold.js +244 -0
  282. package/src/sast/java-deserialization.js +125 -0
  283. package/src/sast/jndi.js +104 -0
  284. package/src/sast/juliet-shape.js +324 -0
  285. package/src/sast/jwt-exp.js +104 -0
  286. package/src/sast/kotlin.js +82 -0
  287. package/src/sast/laravel-hardening.js +198 -0
  288. package/src/sast/ldap-injection.js +100 -0
  289. package/src/sast/llm-owasp.js +465 -0
  290. package/src/sast/llm-stored-prompt.js +103 -0
  291. package/src/sast/llm-trading-agent.js +161 -0
  292. package/src/sast/llm.js +308 -0
  293. package/src/sast/logic.js +140 -0
  294. package/src/sast/mass-assignment.js +101 -0
  295. package/src/sast/mcp-audit.js +242 -0
  296. package/src/sast/mobile-manifest.js +195 -0
  297. package/src/sast/model-load.js +164 -0
  298. package/src/sast/mutation-xss.js +87 -0
  299. package/src/sast/nosql-injection.js +82 -0
  300. package/src/sast/open-redirect.js +119 -0
  301. package/src/sast/php.js +91 -0
  302. package/src/sast/pipeline.js +122 -0
  303. package/src/sast/primary-cwe-java.js +155 -0
  304. package/src/sast/prompt-firewall.js +151 -0
  305. package/src/sast/prompt-template.js +157 -0
  306. package/src/sast/prototype-pollution.js +112 -0
  307. package/src/sast/python-sinks.js +195 -0
  308. package/src/sast/quarkus-hardening.js +102 -0
  309. package/src/sast/rag-poisoning.js +118 -0
  310. package/src/sast/rate-limit.js +128 -0
  311. package/src/sast/response-splitting.js +138 -0
  312. package/src/sast/ruby.js +108 -0
  313. package/src/sast/rust.js +105 -0
  314. package/src/sast/solidity.js +167 -0
  315. package/src/sast/springboot-hardening.js +186 -0
  316. package/src/sast/ssrf-cloud-metadata.js +80 -0
  317. package/src/sast/ssti.js +116 -0
  318. package/src/sast/swift.js +162 -0
  319. package/src/sast/toctou.js +95 -0
  320. package/src/sast/webhook.js +101 -0
  321. package/src/sast/xpath-injection.js +51 -0
  322. package/src/sast/xxe.js +140 -0
  323. package/src/sast/zip-slip.js +200 -0
  324. package/src/sca/base-images.json +45 -0
  325. package/src/sca/container.js +107 -0
  326. package/src/sca/dep-confusion.js +134 -0
  327. package/src/sca/index.js +6 -0
  328. package/src/sca/popular-packages.json +41 -0
  329. package/src/sca/sarif-ingest.js +187 -0
  330. package/src/sca/vuln-function-hints.json +89 -0
  331. package/src/secrets/index.js +4 -0
@@ -0,0 +1,3487 @@
1
+ {
2
+ "scanId": "c0ec088f-7109-4755-b599-aa770643cf19",
3
+ "startedAt": "2026-05-20T21:19:04.813Z",
4
+ "durationMs": 486,
5
+ "scanned": {
6
+ "files": 27,
7
+ "lines": 0
8
+ },
9
+ "findings": [
10
+ {
11
+ "id": "struct:incremental.js:50:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
12
+ "kind": "sast",
13
+ "severity": "medium",
14
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
15
+ "cwe": "CWE-400",
16
+ "owaspLlm": null,
17
+ "stride": "Denial of Service",
18
+ "file": "incremental.js",
19
+ "line": 50,
20
+ "snippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
21
+ "fix": null,
22
+ "reachable": false,
23
+ "triage": 22,
24
+ "dataClasses": [],
25
+ "chain": null,
26
+ "confidence": 0.212,
27
+ "toxicity": 28,
28
+ "toxicityFactors": [
29
+ "http-facing"
30
+ ],
31
+ "toxicityLabel": "Medium",
32
+ "sources": null,
33
+ "epssScore": null,
34
+ "epssPercentile": null,
35
+ "epssCve": null,
36
+ "exploitedNow": false,
37
+ "tags": null,
38
+ "blastRadius": {
39
+ "scope": "all-users",
40
+ "dataAtRisk": [
41
+ "config"
42
+ ],
43
+ "userCount": 50,
44
+ "industry": "generic",
45
+ "jurisdictions": [],
46
+ "controlsApplied": [],
47
+ "dollarBest": 23250,
48
+ "dollarLikely": 136250,
49
+ "dollarWorst": 775000,
50
+ "dollarLow": 23250,
51
+ "dollarHigh": 775000,
52
+ "components": {
53
+ "incidentResponse": {
54
+ "low": 8000,
55
+ "likely": 50000,
56
+ "high": 250000
57
+ },
58
+ "legal": {
59
+ "low": 10000,
60
+ "likely": 75000,
61
+ "high": 500000
62
+ },
63
+ "crisisPR": {
64
+ "low": 0,
65
+ "likely": 0,
66
+ "high": 0
67
+ },
68
+ "notification": {
69
+ "low": 5000,
70
+ "likely": 10000,
71
+ "high": 15000
72
+ },
73
+ "creditMonitoring": {
74
+ "low": 0,
75
+ "likely": 0,
76
+ "high": 0
77
+ },
78
+ "regulatoryFines": {
79
+ "low": 0,
80
+ "likely": 0,
81
+ "high": 0
82
+ },
83
+ "directDamage": {
84
+ "low": 250,
85
+ "likely": 1250,
86
+ "high": 10000
87
+ },
88
+ "classAction": {
89
+ "low": 0,
90
+ "likely": 0,
91
+ "high": 0
92
+ },
93
+ "lostBusiness": {
94
+ "low": 0,
95
+ "likely": 0,
96
+ "high": 0
97
+ }
98
+ },
99
+ "dominantDriver": "legal counsel",
100
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
101
+ "confidence": "low",
102
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:50` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
103
+ },
104
+ "stableId": "7e2db52a92ce3811",
105
+ "confidenceTier": "very-low",
106
+ "exploitability": 0.2,
107
+ "exploitabilityTier": "low",
108
+ "exploitabilityFactors": [
109
+ "sev:medium",
110
+ "unreachable"
111
+ ],
112
+ "clusterSize": null,
113
+ "unreachable": false,
114
+ "validator_verdict": "unvalidated",
115
+ "llm_confidence": null,
116
+ "unvalidated": true,
117
+ "cross_language": false,
118
+ "family": "dos-sync-io",
119
+ "_unsigned": false,
120
+ "_passThroughSigning": false,
121
+ "signatureStatus": "verified",
122
+ "regression_test": null,
123
+ "poc": null,
124
+ "calibrated_confidence": null,
125
+ "calibrated_confidence_ci": null,
126
+ "calibrated_n": 0,
127
+ "calibration_reason": "no-history",
128
+ "verifier_verdict": "cannot-verify",
129
+ "verifier_reason": "no-poc-no-sanitizer-rule",
130
+ "verifier_runner": null,
131
+ "narration": null,
132
+ "mitigationVerdict": "unreachable-in-prod",
133
+ "mitigationsApplied": [],
134
+ "mitigatedByWaf": false,
135
+ "wafRuleId": null,
136
+ "mitigatedByAuth": false,
137
+ "authMechanism": null,
138
+ "mitigatedByNetwork": false,
139
+ "networkExposure": null,
140
+ "featureFlag": null,
141
+ "featureFlagState": null,
142
+ "featureFlagRollout": null,
143
+ "exposedInProd": false,
144
+ "unreachableInProd": true,
145
+ "coldPath": false,
146
+ "hotPath": false,
147
+ "prodRequestCount": null,
148
+ "crownJewelScore": 0,
149
+ "crownJewelTier": "unknown",
150
+ "crownJewelFactors": [],
151
+ "cloneClusterId": "bf9643a065f64945",
152
+ "cloneClusterSize": 2,
153
+ "provenance": "human-likely",
154
+ "provenanceScore": 0.22,
155
+ "typeNarrowed": null,
156
+ "strideCategory": "denialOfService",
157
+ "personaScores": {
158
+ "script-kiddie": {
159
+ "score": 0.4,
160
+ "tier": "medium",
161
+ "factors": [
162
+ "sev:medium"
163
+ ]
164
+ },
165
+ "opportunistic-criminal": {
166
+ "score": 0.4,
167
+ "tier": "medium",
168
+ "factors": [
169
+ "sev:medium"
170
+ ]
171
+ },
172
+ "apt-nation-state": {
173
+ "score": 0.4,
174
+ "tier": "medium",
175
+ "factors": [
176
+ "sev:medium"
177
+ ]
178
+ },
179
+ "supply-chain-attacker": {
180
+ "score": 0.4,
181
+ "tier": "medium",
182
+ "factors": [
183
+ "sev:medium"
184
+ ]
185
+ },
186
+ "malicious-insider": {
187
+ "score": 0.4,
188
+ "tier": "medium",
189
+ "factors": [
190
+ "sev:medium"
191
+ ]
192
+ }
193
+ },
194
+ "personaTopTwo": [
195
+ "script-kiddie",
196
+ "opportunistic-criminal"
197
+ ],
198
+ "personaMaxName": "script-kiddie",
199
+ "personaMaxScore": 0.4,
200
+ "reverseExposure": null,
201
+ "specMined": null,
202
+ "whyFired": {
203
+ "detector": "sast/dos-sync-io",
204
+ "ruleId": "CWE-400",
205
+ "parser": "STRUCTURAL",
206
+ "evidence": {
207
+ "sinkSnippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
208
+ "sourceSnippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
209
+ "pathSteps": [],
210
+ "sanitizers": [],
211
+ "guards": []
212
+ },
213
+ "considered": {
214
+ "suppressionsApplied": [],
215
+ "suppressionsSkipped": [],
216
+ "reachabilityFilter": "unaffected",
217
+ "clusterCollapsed": false,
218
+ "typeNarrowed": false,
219
+ "crownJewelTier": "unknown",
220
+ "mitigationVerdict": "unreachable-in-prod"
221
+ },
222
+ "scanner": {
223
+ "rulesetVersion": null,
224
+ "packHash": null,
225
+ "modelId": null
226
+ }
227
+ },
228
+ "adversaryTranscript": null,
229
+ "predictedBountyUsd": {
230
+ "low": 10,
231
+ "likely": 40,
232
+ "high": 120,
233
+ "program": "web2"
234
+ },
235
+ "bountyConfidence": "high",
236
+ "attackPlaybook": null
237
+ },
238
+ {
239
+ "id": "struct:incremental.js:51:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
240
+ "kind": "sast",
241
+ "severity": "medium",
242
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
243
+ "cwe": "CWE-400",
244
+ "owaspLlm": null,
245
+ "stride": "Denial of Service",
246
+ "file": "incremental.js",
247
+ "line": 51,
248
+ "snippet": "const v = JSON.parse(fs.readFileSync(versionFp, 'utf8'));",
249
+ "fix": null,
250
+ "reachable": false,
251
+ "triage": 22,
252
+ "dataClasses": [],
253
+ "chain": null,
254
+ "confidence": 0.212,
255
+ "toxicity": 28,
256
+ "toxicityFactors": [
257
+ "http-facing"
258
+ ],
259
+ "toxicityLabel": "Medium",
260
+ "sources": null,
261
+ "epssScore": null,
262
+ "epssPercentile": null,
263
+ "epssCve": null,
264
+ "exploitedNow": false,
265
+ "tags": null,
266
+ "blastRadius": {
267
+ "scope": "all-users",
268
+ "dataAtRisk": [
269
+ "config"
270
+ ],
271
+ "userCount": 50,
272
+ "industry": "generic",
273
+ "jurisdictions": [],
274
+ "controlsApplied": [],
275
+ "dollarBest": 23250,
276
+ "dollarLikely": 136250,
277
+ "dollarWorst": 775000,
278
+ "dollarLow": 23250,
279
+ "dollarHigh": 775000,
280
+ "components": {
281
+ "incidentResponse": {
282
+ "low": 8000,
283
+ "likely": 50000,
284
+ "high": 250000
285
+ },
286
+ "legal": {
287
+ "low": 10000,
288
+ "likely": 75000,
289
+ "high": 500000
290
+ },
291
+ "crisisPR": {
292
+ "low": 0,
293
+ "likely": 0,
294
+ "high": 0
295
+ },
296
+ "notification": {
297
+ "low": 5000,
298
+ "likely": 10000,
299
+ "high": 15000
300
+ },
301
+ "creditMonitoring": {
302
+ "low": 0,
303
+ "likely": 0,
304
+ "high": 0
305
+ },
306
+ "regulatoryFines": {
307
+ "low": 0,
308
+ "likely": 0,
309
+ "high": 0
310
+ },
311
+ "directDamage": {
312
+ "low": 250,
313
+ "likely": 1250,
314
+ "high": 10000
315
+ },
316
+ "classAction": {
317
+ "low": 0,
318
+ "likely": 0,
319
+ "high": 0
320
+ },
321
+ "lostBusiness": {
322
+ "low": 0,
323
+ "likely": 0,
324
+ "high": 0
325
+ }
326
+ },
327
+ "dominantDriver": "legal counsel",
328
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
329
+ "confidence": "low",
330
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:51` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
331
+ },
332
+ "stableId": "333259288508799a",
333
+ "confidenceTier": "very-low",
334
+ "exploitability": 0.2,
335
+ "exploitabilityTier": "low",
336
+ "exploitabilityFactors": [
337
+ "sev:medium",
338
+ "unreachable"
339
+ ],
340
+ "clusterSize": null,
341
+ "unreachable": false,
342
+ "validator_verdict": "unvalidated",
343
+ "llm_confidence": null,
344
+ "unvalidated": true,
345
+ "cross_language": false,
346
+ "family": "dos-sync-io",
347
+ "_unsigned": false,
348
+ "_passThroughSigning": false,
349
+ "signatureStatus": "verified",
350
+ "regression_test": null,
351
+ "poc": null,
352
+ "calibrated_confidence": null,
353
+ "calibrated_confidence_ci": null,
354
+ "calibrated_n": 0,
355
+ "calibration_reason": "no-history",
356
+ "verifier_verdict": "cannot-verify",
357
+ "verifier_reason": "no-poc-no-sanitizer-rule",
358
+ "verifier_runner": null,
359
+ "narration": null,
360
+ "mitigationVerdict": "unreachable-in-prod",
361
+ "mitigationsApplied": [],
362
+ "mitigatedByWaf": false,
363
+ "wafRuleId": null,
364
+ "mitigatedByAuth": false,
365
+ "authMechanism": null,
366
+ "mitigatedByNetwork": false,
367
+ "networkExposure": null,
368
+ "featureFlag": null,
369
+ "featureFlagState": null,
370
+ "featureFlagRollout": null,
371
+ "exposedInProd": false,
372
+ "unreachableInProd": true,
373
+ "coldPath": false,
374
+ "hotPath": false,
375
+ "prodRequestCount": null,
376
+ "crownJewelScore": 0,
377
+ "crownJewelTier": "unknown",
378
+ "crownJewelFactors": [],
379
+ "cloneClusterId": "8b60c3f57d48c622",
380
+ "cloneClusterSize": 1,
381
+ "provenance": "human-likely",
382
+ "provenanceScore": 0.22,
383
+ "typeNarrowed": null,
384
+ "strideCategory": "denialOfService",
385
+ "personaScores": {
386
+ "script-kiddie": {
387
+ "score": 0.4,
388
+ "tier": "medium",
389
+ "factors": [
390
+ "sev:medium"
391
+ ]
392
+ },
393
+ "opportunistic-criminal": {
394
+ "score": 0.4,
395
+ "tier": "medium",
396
+ "factors": [
397
+ "sev:medium"
398
+ ]
399
+ },
400
+ "apt-nation-state": {
401
+ "score": 0.4,
402
+ "tier": "medium",
403
+ "factors": [
404
+ "sev:medium"
405
+ ]
406
+ },
407
+ "supply-chain-attacker": {
408
+ "score": 0.4,
409
+ "tier": "medium",
410
+ "factors": [
411
+ "sev:medium"
412
+ ]
413
+ },
414
+ "malicious-insider": {
415
+ "score": 0.4,
416
+ "tier": "medium",
417
+ "factors": [
418
+ "sev:medium"
419
+ ]
420
+ }
421
+ },
422
+ "personaTopTwo": [
423
+ "script-kiddie",
424
+ "opportunistic-criminal"
425
+ ],
426
+ "personaMaxName": "script-kiddie",
427
+ "personaMaxScore": 0.4,
428
+ "reverseExposure": null,
429
+ "specMined": null,
430
+ "whyFired": {
431
+ "detector": "sast/dos-sync-io",
432
+ "ruleId": "CWE-400",
433
+ "parser": "STRUCTURAL",
434
+ "evidence": {
435
+ "sinkSnippet": "const v = JSON.parse(fs.readFileSync(versionFp, 'utf8'));",
436
+ "sourceSnippet": "const v = JSON.parse(fs.readFileSync(versionFp, 'utf8'));",
437
+ "pathSteps": [],
438
+ "sanitizers": [],
439
+ "guards": []
440
+ },
441
+ "considered": {
442
+ "suppressionsApplied": [],
443
+ "suppressionsSkipped": [],
444
+ "reachabilityFilter": "unaffected",
445
+ "clusterCollapsed": false,
446
+ "typeNarrowed": false,
447
+ "crownJewelTier": "unknown",
448
+ "mitigationVerdict": "unreachable-in-prod"
449
+ },
450
+ "scanner": {
451
+ "rulesetVersion": null,
452
+ "packHash": null,
453
+ "modelId": null
454
+ }
455
+ },
456
+ "adversaryTranscript": null,
457
+ "predictedBountyUsd": {
458
+ "low": 10,
459
+ "likely": 40,
460
+ "high": 120,
461
+ "program": "web2"
462
+ },
463
+ "bountyConfidence": "high",
464
+ "attackPlaybook": null
465
+ },
466
+ {
467
+ "id": "struct:incremental.js:68:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
468
+ "kind": "sast",
469
+ "severity": "medium",
470
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
471
+ "cwe": "CWE-400",
472
+ "owaspLlm": null,
473
+ "stride": "Denial of Service",
474
+ "file": "incremental.js",
475
+ "line": 68,
476
+ "snippet": "if (!fs.existsSync(fp)) return fallback;",
477
+ "fix": null,
478
+ "reachable": false,
479
+ "triage": 22,
480
+ "dataClasses": [],
481
+ "chain": null,
482
+ "confidence": 0.212,
483
+ "toxicity": 28,
484
+ "toxicityFactors": [
485
+ "http-facing"
486
+ ],
487
+ "toxicityLabel": "Medium",
488
+ "sources": null,
489
+ "epssScore": null,
490
+ "epssPercentile": null,
491
+ "epssCve": null,
492
+ "exploitedNow": false,
493
+ "tags": null,
494
+ "blastRadius": {
495
+ "scope": "all-users",
496
+ "dataAtRisk": [
497
+ "config"
498
+ ],
499
+ "userCount": 50,
500
+ "industry": "generic",
501
+ "jurisdictions": [],
502
+ "controlsApplied": [],
503
+ "dollarBest": 23250,
504
+ "dollarLikely": 136250,
505
+ "dollarWorst": 775000,
506
+ "dollarLow": 23250,
507
+ "dollarHigh": 775000,
508
+ "components": {
509
+ "incidentResponse": {
510
+ "low": 8000,
511
+ "likely": 50000,
512
+ "high": 250000
513
+ },
514
+ "legal": {
515
+ "low": 10000,
516
+ "likely": 75000,
517
+ "high": 500000
518
+ },
519
+ "crisisPR": {
520
+ "low": 0,
521
+ "likely": 0,
522
+ "high": 0
523
+ },
524
+ "notification": {
525
+ "low": 5000,
526
+ "likely": 10000,
527
+ "high": 15000
528
+ },
529
+ "creditMonitoring": {
530
+ "low": 0,
531
+ "likely": 0,
532
+ "high": 0
533
+ },
534
+ "regulatoryFines": {
535
+ "low": 0,
536
+ "likely": 0,
537
+ "high": 0
538
+ },
539
+ "directDamage": {
540
+ "low": 250,
541
+ "likely": 1250,
542
+ "high": 10000
543
+ },
544
+ "classAction": {
545
+ "low": 0,
546
+ "likely": 0,
547
+ "high": 0
548
+ },
549
+ "lostBusiness": {
550
+ "low": 0,
551
+ "likely": 0,
552
+ "high": 0
553
+ }
554
+ },
555
+ "dominantDriver": "legal counsel",
556
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
557
+ "confidence": "low",
558
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:68` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
559
+ },
560
+ "stableId": "6862d6baf0b923f7",
561
+ "confidenceTier": "very-low",
562
+ "exploitability": 0.2,
563
+ "exploitabilityTier": "low",
564
+ "exploitabilityFactors": [
565
+ "sev:medium",
566
+ "unreachable"
567
+ ],
568
+ "clusterSize": null,
569
+ "unreachable": false,
570
+ "validator_verdict": "unvalidated",
571
+ "llm_confidence": null,
572
+ "unvalidated": true,
573
+ "cross_language": false,
574
+ "family": "dos-sync-io",
575
+ "_unsigned": false,
576
+ "_passThroughSigning": false,
577
+ "signatureStatus": "verified",
578
+ "regression_test": null,
579
+ "poc": null,
580
+ "calibrated_confidence": null,
581
+ "calibrated_confidence_ci": null,
582
+ "calibrated_n": 0,
583
+ "calibration_reason": "no-history",
584
+ "verifier_verdict": "cannot-verify",
585
+ "verifier_reason": "no-poc-no-sanitizer-rule",
586
+ "verifier_runner": null,
587
+ "narration": null,
588
+ "mitigationVerdict": "unreachable-in-prod",
589
+ "mitigationsApplied": [],
590
+ "mitigatedByWaf": false,
591
+ "wafRuleId": null,
592
+ "mitigatedByAuth": false,
593
+ "authMechanism": null,
594
+ "mitigatedByNetwork": false,
595
+ "networkExposure": null,
596
+ "featureFlag": null,
597
+ "featureFlagState": null,
598
+ "featureFlagRollout": null,
599
+ "exposedInProd": false,
600
+ "unreachableInProd": true,
601
+ "coldPath": false,
602
+ "hotPath": false,
603
+ "prodRequestCount": null,
604
+ "crownJewelScore": 0,
605
+ "crownJewelTier": "unknown",
606
+ "crownJewelFactors": [],
607
+ "cloneClusterId": "39f1d6db55cace1d",
608
+ "cloneClusterSize": 2,
609
+ "provenance": "human-likely",
610
+ "provenanceScore": 0.22,
611
+ "typeNarrowed": null,
612
+ "strideCategory": "denialOfService",
613
+ "personaScores": {
614
+ "script-kiddie": {
615
+ "score": 0.4,
616
+ "tier": "medium",
617
+ "factors": [
618
+ "sev:medium"
619
+ ]
620
+ },
621
+ "opportunistic-criminal": {
622
+ "score": 0.4,
623
+ "tier": "medium",
624
+ "factors": [
625
+ "sev:medium"
626
+ ]
627
+ },
628
+ "apt-nation-state": {
629
+ "score": 0.4,
630
+ "tier": "medium",
631
+ "factors": [
632
+ "sev:medium"
633
+ ]
634
+ },
635
+ "supply-chain-attacker": {
636
+ "score": 0.4,
637
+ "tier": "medium",
638
+ "factors": [
639
+ "sev:medium"
640
+ ]
641
+ },
642
+ "malicious-insider": {
643
+ "score": 0.4,
644
+ "tier": "medium",
645
+ "factors": [
646
+ "sev:medium"
647
+ ]
648
+ }
649
+ },
650
+ "personaTopTwo": [
651
+ "script-kiddie",
652
+ "opportunistic-criminal"
653
+ ],
654
+ "personaMaxName": "script-kiddie",
655
+ "personaMaxScore": 0.4,
656
+ "reverseExposure": null,
657
+ "specMined": null,
658
+ "whyFired": {
659
+ "detector": "sast/dos-sync-io",
660
+ "ruleId": "CWE-400",
661
+ "parser": "STRUCTURAL",
662
+ "evidence": {
663
+ "sinkSnippet": "if (!fs.existsSync(fp)) return fallback;",
664
+ "sourceSnippet": "if (!fs.existsSync(fp)) return fallback;",
665
+ "pathSteps": [],
666
+ "sanitizers": [],
667
+ "guards": []
668
+ },
669
+ "considered": {
670
+ "suppressionsApplied": [],
671
+ "suppressionsSkipped": [],
672
+ "reachabilityFilter": "unaffected",
673
+ "clusterCollapsed": false,
674
+ "typeNarrowed": false,
675
+ "crownJewelTier": "unknown",
676
+ "mitigationVerdict": "unreachable-in-prod"
677
+ },
678
+ "scanner": {
679
+ "rulesetVersion": null,
680
+ "packHash": null,
681
+ "modelId": null
682
+ }
683
+ },
684
+ "adversaryTranscript": null,
685
+ "predictedBountyUsd": {
686
+ "low": 10,
687
+ "likely": 40,
688
+ "high": 120,
689
+ "program": "web2"
690
+ },
691
+ "bountyConfidence": "high",
692
+ "attackPlaybook": null
693
+ },
694
+ {
695
+ "id": "struct:incremental.js:69:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
696
+ "kind": "sast",
697
+ "severity": "medium",
698
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
699
+ "cwe": "CWE-400",
700
+ "owaspLlm": null,
701
+ "stride": "Denial of Service",
702
+ "file": "incremental.js",
703
+ "line": 69,
704
+ "snippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
705
+ "fix": null,
706
+ "reachable": false,
707
+ "triage": 22,
708
+ "dataClasses": [],
709
+ "chain": null,
710
+ "confidence": 0.212,
711
+ "toxicity": 28,
712
+ "toxicityFactors": [
713
+ "http-facing"
714
+ ],
715
+ "toxicityLabel": "Medium",
716
+ "sources": null,
717
+ "epssScore": null,
718
+ "epssPercentile": null,
719
+ "epssCve": null,
720
+ "exploitedNow": false,
721
+ "tags": null,
722
+ "blastRadius": {
723
+ "scope": "all-users",
724
+ "dataAtRisk": [
725
+ "config"
726
+ ],
727
+ "userCount": 50,
728
+ "industry": "generic",
729
+ "jurisdictions": [],
730
+ "controlsApplied": [],
731
+ "dollarBest": 23250,
732
+ "dollarLikely": 136250,
733
+ "dollarWorst": 775000,
734
+ "dollarLow": 23250,
735
+ "dollarHigh": 775000,
736
+ "components": {
737
+ "incidentResponse": {
738
+ "low": 8000,
739
+ "likely": 50000,
740
+ "high": 250000
741
+ },
742
+ "legal": {
743
+ "low": 10000,
744
+ "likely": 75000,
745
+ "high": 500000
746
+ },
747
+ "crisisPR": {
748
+ "low": 0,
749
+ "likely": 0,
750
+ "high": 0
751
+ },
752
+ "notification": {
753
+ "low": 5000,
754
+ "likely": 10000,
755
+ "high": 15000
756
+ },
757
+ "creditMonitoring": {
758
+ "low": 0,
759
+ "likely": 0,
760
+ "high": 0
761
+ },
762
+ "regulatoryFines": {
763
+ "low": 0,
764
+ "likely": 0,
765
+ "high": 0
766
+ },
767
+ "directDamage": {
768
+ "low": 250,
769
+ "likely": 1250,
770
+ "high": 10000
771
+ },
772
+ "classAction": {
773
+ "low": 0,
774
+ "likely": 0,
775
+ "high": 0
776
+ },
777
+ "lostBusiness": {
778
+ "low": 0,
779
+ "likely": 0,
780
+ "high": 0
781
+ }
782
+ },
783
+ "dominantDriver": "legal counsel",
784
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
785
+ "confidence": "low",
786
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:69` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
787
+ },
788
+ "stableId": "7314934acc70477c",
789
+ "confidenceTier": "very-low",
790
+ "exploitability": 0.2,
791
+ "exploitabilityTier": "low",
792
+ "exploitabilityFactors": [
793
+ "sev:medium",
794
+ "unreachable"
795
+ ],
796
+ "clusterSize": null,
797
+ "unreachable": false,
798
+ "validator_verdict": "unvalidated",
799
+ "llm_confidence": null,
800
+ "unvalidated": true,
801
+ "cross_language": false,
802
+ "family": "dos-sync-io",
803
+ "_unsigned": false,
804
+ "_passThroughSigning": false,
805
+ "signatureStatus": "verified",
806
+ "regression_test": null,
807
+ "poc": null,
808
+ "calibrated_confidence": null,
809
+ "calibrated_confidence_ci": null,
810
+ "calibrated_n": 0,
811
+ "calibration_reason": "no-history",
812
+ "verifier_verdict": "cannot-verify",
813
+ "verifier_reason": "no-poc-no-sanitizer-rule",
814
+ "verifier_runner": null,
815
+ "narration": null,
816
+ "mitigationVerdict": "unreachable-in-prod",
817
+ "mitigationsApplied": [],
818
+ "mitigatedByWaf": false,
819
+ "wafRuleId": null,
820
+ "mitigatedByAuth": false,
821
+ "authMechanism": null,
822
+ "mitigatedByNetwork": false,
823
+ "networkExposure": null,
824
+ "featureFlag": null,
825
+ "featureFlagState": null,
826
+ "featureFlagRollout": null,
827
+ "exposedInProd": false,
828
+ "unreachableInProd": true,
829
+ "coldPath": false,
830
+ "hotPath": false,
831
+ "prodRequestCount": null,
832
+ "crownJewelScore": 0,
833
+ "crownJewelTier": "unknown",
834
+ "crownJewelFactors": [],
835
+ "cloneClusterId": "b8a597058e30c50c",
836
+ "cloneClusterSize": 1,
837
+ "provenance": "human-likely",
838
+ "provenanceScore": 0.22,
839
+ "typeNarrowed": null,
840
+ "strideCategory": "denialOfService",
841
+ "personaScores": {
842
+ "script-kiddie": {
843
+ "score": 0.4,
844
+ "tier": "medium",
845
+ "factors": [
846
+ "sev:medium"
847
+ ]
848
+ },
849
+ "opportunistic-criminal": {
850
+ "score": 0.4,
851
+ "tier": "medium",
852
+ "factors": [
853
+ "sev:medium"
854
+ ]
855
+ },
856
+ "apt-nation-state": {
857
+ "score": 0.4,
858
+ "tier": "medium",
859
+ "factors": [
860
+ "sev:medium"
861
+ ]
862
+ },
863
+ "supply-chain-attacker": {
864
+ "score": 0.4,
865
+ "tier": "medium",
866
+ "factors": [
867
+ "sev:medium"
868
+ ]
869
+ },
870
+ "malicious-insider": {
871
+ "score": 0.4,
872
+ "tier": "medium",
873
+ "factors": [
874
+ "sev:medium"
875
+ ]
876
+ }
877
+ },
878
+ "personaTopTwo": [
879
+ "script-kiddie",
880
+ "opportunistic-criminal"
881
+ ],
882
+ "personaMaxName": "script-kiddie",
883
+ "personaMaxScore": 0.4,
884
+ "reverseExposure": null,
885
+ "specMined": null,
886
+ "whyFired": {
887
+ "detector": "sast/dos-sync-io",
888
+ "ruleId": "CWE-400",
889
+ "parser": "STRUCTURAL",
890
+ "evidence": {
891
+ "sinkSnippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
892
+ "sourceSnippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
893
+ "pathSteps": [],
894
+ "sanitizers": [],
895
+ "guards": []
896
+ },
897
+ "considered": {
898
+ "suppressionsApplied": [],
899
+ "suppressionsSkipped": [],
900
+ "reachabilityFilter": "unaffected",
901
+ "clusterCollapsed": false,
902
+ "typeNarrowed": false,
903
+ "crownJewelTier": "unknown",
904
+ "mitigationVerdict": "unreachable-in-prod"
905
+ },
906
+ "scanner": {
907
+ "rulesetVersion": null,
908
+ "packHash": null,
909
+ "modelId": null
910
+ }
911
+ },
912
+ "adversaryTranscript": null,
913
+ "predictedBountyUsd": {
914
+ "low": 10,
915
+ "likely": 40,
916
+ "high": 120,
917
+ "program": "web2"
918
+ },
919
+ "bountyConfidence": "high",
920
+ "attackPlaybook": null
921
+ },
922
+ {
923
+ "id": "struct:incremental.js:203:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
924
+ "kind": "sast",
925
+ "severity": "medium",
926
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
927
+ "cwe": "CWE-400",
928
+ "owaspLlm": null,
929
+ "stride": "Denial of Service",
930
+ "file": "incremental.js",
931
+ "line": 203,
932
+ "snippet": "fs.writeFileSync(path.join(dir, VERSION_PATH), JSON.stringify(currentVersion, null, 2));",
933
+ "fix": null,
934
+ "reachable": false,
935
+ "triage": 22,
936
+ "dataClasses": [],
937
+ "chain": null,
938
+ "confidence": 0.212,
939
+ "toxicity": 28,
940
+ "toxicityFactors": [
941
+ "http-facing"
942
+ ],
943
+ "toxicityLabel": "Medium",
944
+ "sources": null,
945
+ "epssScore": null,
946
+ "epssPercentile": null,
947
+ "epssCve": null,
948
+ "exploitedNow": false,
949
+ "tags": null,
950
+ "blastRadius": {
951
+ "scope": "all-users",
952
+ "dataAtRisk": [
953
+ "config"
954
+ ],
955
+ "userCount": 50,
956
+ "industry": "generic",
957
+ "jurisdictions": [],
958
+ "controlsApplied": [],
959
+ "dollarBest": 23250,
960
+ "dollarLikely": 136250,
961
+ "dollarWorst": 775000,
962
+ "dollarLow": 23250,
963
+ "dollarHigh": 775000,
964
+ "components": {
965
+ "incidentResponse": {
966
+ "low": 8000,
967
+ "likely": 50000,
968
+ "high": 250000
969
+ },
970
+ "legal": {
971
+ "low": 10000,
972
+ "likely": 75000,
973
+ "high": 500000
974
+ },
975
+ "crisisPR": {
976
+ "low": 0,
977
+ "likely": 0,
978
+ "high": 0
979
+ },
980
+ "notification": {
981
+ "low": 5000,
982
+ "likely": 10000,
983
+ "high": 15000
984
+ },
985
+ "creditMonitoring": {
986
+ "low": 0,
987
+ "likely": 0,
988
+ "high": 0
989
+ },
990
+ "regulatoryFines": {
991
+ "low": 0,
992
+ "likely": 0,
993
+ "high": 0
994
+ },
995
+ "directDamage": {
996
+ "low": 250,
997
+ "likely": 1250,
998
+ "high": 10000
999
+ },
1000
+ "classAction": {
1001
+ "low": 0,
1002
+ "likely": 0,
1003
+ "high": 0
1004
+ },
1005
+ "lostBusiness": {
1006
+ "low": 0,
1007
+ "likely": 0,
1008
+ "high": 0
1009
+ }
1010
+ },
1011
+ "dominantDriver": "legal counsel",
1012
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1013
+ "confidence": "low",
1014
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:203` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1015
+ },
1016
+ "stableId": "71f79aead6c815a7",
1017
+ "confidenceTier": "very-low",
1018
+ "exploitability": 0.2,
1019
+ "exploitabilityTier": "low",
1020
+ "exploitabilityFactors": [
1021
+ "sev:medium",
1022
+ "unreachable"
1023
+ ],
1024
+ "clusterSize": null,
1025
+ "unreachable": false,
1026
+ "validator_verdict": "unvalidated",
1027
+ "llm_confidence": null,
1028
+ "unvalidated": true,
1029
+ "cross_language": false,
1030
+ "family": "dos-sync-io",
1031
+ "_unsigned": false,
1032
+ "_passThroughSigning": false,
1033
+ "signatureStatus": "verified",
1034
+ "regression_test": null,
1035
+ "poc": null,
1036
+ "calibrated_confidence": null,
1037
+ "calibrated_confidence_ci": null,
1038
+ "calibrated_n": 0,
1039
+ "calibration_reason": "no-history",
1040
+ "verifier_verdict": "cannot-verify",
1041
+ "verifier_reason": "no-poc-no-sanitizer-rule",
1042
+ "verifier_runner": null,
1043
+ "narration": null,
1044
+ "mitigationVerdict": "unreachable-in-prod",
1045
+ "mitigationsApplied": [],
1046
+ "mitigatedByWaf": false,
1047
+ "wafRuleId": null,
1048
+ "mitigatedByAuth": false,
1049
+ "authMechanism": null,
1050
+ "mitigatedByNetwork": false,
1051
+ "networkExposure": null,
1052
+ "featureFlag": null,
1053
+ "featureFlagState": null,
1054
+ "featureFlagRollout": null,
1055
+ "exposedInProd": false,
1056
+ "unreachableInProd": true,
1057
+ "coldPath": false,
1058
+ "hotPath": false,
1059
+ "prodRequestCount": null,
1060
+ "crownJewelScore": 0,
1061
+ "crownJewelTier": "unknown",
1062
+ "crownJewelFactors": [],
1063
+ "cloneClusterId": "347295aac188671b",
1064
+ "cloneClusterSize": 1,
1065
+ "provenance": "human-likely",
1066
+ "provenanceScore": 0.22,
1067
+ "typeNarrowed": null,
1068
+ "strideCategory": "denialOfService",
1069
+ "personaScores": {
1070
+ "script-kiddie": {
1071
+ "score": 0.4,
1072
+ "tier": "medium",
1073
+ "factors": [
1074
+ "sev:medium"
1075
+ ]
1076
+ },
1077
+ "opportunistic-criminal": {
1078
+ "score": 0.4,
1079
+ "tier": "medium",
1080
+ "factors": [
1081
+ "sev:medium"
1082
+ ]
1083
+ },
1084
+ "apt-nation-state": {
1085
+ "score": 0.4,
1086
+ "tier": "medium",
1087
+ "factors": [
1088
+ "sev:medium"
1089
+ ]
1090
+ },
1091
+ "supply-chain-attacker": {
1092
+ "score": 0.4,
1093
+ "tier": "medium",
1094
+ "factors": [
1095
+ "sev:medium"
1096
+ ]
1097
+ },
1098
+ "malicious-insider": {
1099
+ "score": 0.4,
1100
+ "tier": "medium",
1101
+ "factors": [
1102
+ "sev:medium"
1103
+ ]
1104
+ }
1105
+ },
1106
+ "personaTopTwo": [
1107
+ "script-kiddie",
1108
+ "opportunistic-criminal"
1109
+ ],
1110
+ "personaMaxName": "script-kiddie",
1111
+ "personaMaxScore": 0.4,
1112
+ "reverseExposure": null,
1113
+ "specMined": null,
1114
+ "whyFired": {
1115
+ "detector": "sast/dos-sync-io",
1116
+ "ruleId": "CWE-400",
1117
+ "parser": "STRUCTURAL",
1118
+ "evidence": {
1119
+ "sinkSnippet": "fs.writeFileSync(path.join(dir, VERSION_PATH), JSON.stringify(currentVersion, null, 2));",
1120
+ "sourceSnippet": "fs.writeFileSync(path.join(dir, VERSION_PATH), JSON.stringify(currentVersion, null, 2));",
1121
+ "pathSteps": [],
1122
+ "sanitizers": [],
1123
+ "guards": []
1124
+ },
1125
+ "considered": {
1126
+ "suppressionsApplied": [],
1127
+ "suppressionsSkipped": [],
1128
+ "reachabilityFilter": "unaffected",
1129
+ "clusterCollapsed": false,
1130
+ "typeNarrowed": false,
1131
+ "crownJewelTier": "unknown",
1132
+ "mitigationVerdict": "unreachable-in-prod"
1133
+ },
1134
+ "scanner": {
1135
+ "rulesetVersion": null,
1136
+ "packHash": null,
1137
+ "modelId": null
1138
+ }
1139
+ },
1140
+ "adversaryTranscript": null,
1141
+ "predictedBountyUsd": {
1142
+ "low": 10,
1143
+ "likely": 40,
1144
+ "high": 120,
1145
+ "program": "web2"
1146
+ },
1147
+ "bountyConfidence": "high",
1148
+ "attackPlaybook": null
1149
+ },
1150
+ {
1151
+ "id": "struct:incremental.js:204:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1152
+ "kind": "sast",
1153
+ "severity": "medium",
1154
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1155
+ "cwe": "CWE-400",
1156
+ "owaspLlm": null,
1157
+ "stride": "Denial of Service",
1158
+ "file": "incremental.js",
1159
+ "line": 204,
1160
+ "snippet": "fs.writeFileSync(path.join(dir, FILES_PATH), JSON.stringify(state.files || {}, null, 2));",
1161
+ "fix": null,
1162
+ "reachable": false,
1163
+ "triage": 22,
1164
+ "dataClasses": [],
1165
+ "chain": null,
1166
+ "confidence": 0.212,
1167
+ "toxicity": 28,
1168
+ "toxicityFactors": [
1169
+ "http-facing"
1170
+ ],
1171
+ "toxicityLabel": "Medium",
1172
+ "sources": null,
1173
+ "epssScore": null,
1174
+ "epssPercentile": null,
1175
+ "epssCve": null,
1176
+ "exploitedNow": false,
1177
+ "tags": null,
1178
+ "blastRadius": {
1179
+ "scope": "all-users",
1180
+ "dataAtRisk": [
1181
+ "config"
1182
+ ],
1183
+ "userCount": 50,
1184
+ "industry": "generic",
1185
+ "jurisdictions": [],
1186
+ "controlsApplied": [],
1187
+ "dollarBest": 23250,
1188
+ "dollarLikely": 136250,
1189
+ "dollarWorst": 775000,
1190
+ "dollarLow": 23250,
1191
+ "dollarHigh": 775000,
1192
+ "components": {
1193
+ "incidentResponse": {
1194
+ "low": 8000,
1195
+ "likely": 50000,
1196
+ "high": 250000
1197
+ },
1198
+ "legal": {
1199
+ "low": 10000,
1200
+ "likely": 75000,
1201
+ "high": 500000
1202
+ },
1203
+ "crisisPR": {
1204
+ "low": 0,
1205
+ "likely": 0,
1206
+ "high": 0
1207
+ },
1208
+ "notification": {
1209
+ "low": 5000,
1210
+ "likely": 10000,
1211
+ "high": 15000
1212
+ },
1213
+ "creditMonitoring": {
1214
+ "low": 0,
1215
+ "likely": 0,
1216
+ "high": 0
1217
+ },
1218
+ "regulatoryFines": {
1219
+ "low": 0,
1220
+ "likely": 0,
1221
+ "high": 0
1222
+ },
1223
+ "directDamage": {
1224
+ "low": 250,
1225
+ "likely": 1250,
1226
+ "high": 10000
1227
+ },
1228
+ "classAction": {
1229
+ "low": 0,
1230
+ "likely": 0,
1231
+ "high": 0
1232
+ },
1233
+ "lostBusiness": {
1234
+ "low": 0,
1235
+ "likely": 0,
1236
+ "high": 0
1237
+ }
1238
+ },
1239
+ "dominantDriver": "legal counsel",
1240
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1241
+ "confidence": "low",
1242
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:204` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1243
+ },
1244
+ "stableId": "16f0befb55d2a11a",
1245
+ "confidenceTier": "very-low",
1246
+ "exploitability": 0.2,
1247
+ "exploitabilityTier": "low",
1248
+ "exploitabilityFactors": [
1249
+ "sev:medium",
1250
+ "unreachable"
1251
+ ],
1252
+ "clusterSize": null,
1253
+ "unreachable": false,
1254
+ "validator_verdict": "unvalidated",
1255
+ "llm_confidence": null,
1256
+ "unvalidated": true,
1257
+ "cross_language": false,
1258
+ "family": "dos-sync-io",
1259
+ "_unsigned": false,
1260
+ "_passThroughSigning": false,
1261
+ "signatureStatus": "verified",
1262
+ "regression_test": null,
1263
+ "poc": null,
1264
+ "calibrated_confidence": null,
1265
+ "calibrated_confidence_ci": null,
1266
+ "calibrated_n": 0,
1267
+ "calibration_reason": "no-history",
1268
+ "verifier_verdict": "cannot-verify",
1269
+ "verifier_reason": "no-poc-no-sanitizer-rule",
1270
+ "verifier_runner": null,
1271
+ "narration": null,
1272
+ "mitigationVerdict": "unreachable-in-prod",
1273
+ "mitigationsApplied": [],
1274
+ "mitigatedByWaf": false,
1275
+ "wafRuleId": null,
1276
+ "mitigatedByAuth": false,
1277
+ "authMechanism": null,
1278
+ "mitigatedByNetwork": false,
1279
+ "networkExposure": null,
1280
+ "featureFlag": null,
1281
+ "featureFlagState": null,
1282
+ "featureFlagRollout": null,
1283
+ "exposedInProd": false,
1284
+ "unreachableInProd": true,
1285
+ "coldPath": false,
1286
+ "hotPath": false,
1287
+ "prodRequestCount": null,
1288
+ "crownJewelScore": 0,
1289
+ "crownJewelTier": "unknown",
1290
+ "crownJewelFactors": [],
1291
+ "cloneClusterId": "cd20f49000f1b531",
1292
+ "cloneClusterSize": 1,
1293
+ "provenance": "human-likely",
1294
+ "provenanceScore": 0.22,
1295
+ "typeNarrowed": null,
1296
+ "strideCategory": "denialOfService",
1297
+ "personaScores": {
1298
+ "script-kiddie": {
1299
+ "score": 0.4,
1300
+ "tier": "medium",
1301
+ "factors": [
1302
+ "sev:medium"
1303
+ ]
1304
+ },
1305
+ "opportunistic-criminal": {
1306
+ "score": 0.4,
1307
+ "tier": "medium",
1308
+ "factors": [
1309
+ "sev:medium"
1310
+ ]
1311
+ },
1312
+ "apt-nation-state": {
1313
+ "score": 0.4,
1314
+ "tier": "medium",
1315
+ "factors": [
1316
+ "sev:medium"
1317
+ ]
1318
+ },
1319
+ "supply-chain-attacker": {
1320
+ "score": 0.4,
1321
+ "tier": "medium",
1322
+ "factors": [
1323
+ "sev:medium"
1324
+ ]
1325
+ },
1326
+ "malicious-insider": {
1327
+ "score": 0.4,
1328
+ "tier": "medium",
1329
+ "factors": [
1330
+ "sev:medium"
1331
+ ]
1332
+ }
1333
+ },
1334
+ "personaTopTwo": [
1335
+ "script-kiddie",
1336
+ "opportunistic-criminal"
1337
+ ],
1338
+ "personaMaxName": "script-kiddie",
1339
+ "personaMaxScore": 0.4,
1340
+ "reverseExposure": null,
1341
+ "specMined": null,
1342
+ "whyFired": {
1343
+ "detector": "sast/dos-sync-io",
1344
+ "ruleId": "CWE-400",
1345
+ "parser": "STRUCTURAL",
1346
+ "evidence": {
1347
+ "sinkSnippet": "fs.writeFileSync(path.join(dir, FILES_PATH), JSON.stringify(state.files || {}, null, 2));",
1348
+ "sourceSnippet": "fs.writeFileSync(path.join(dir, FILES_PATH), JSON.stringify(state.files || {}, null, 2));",
1349
+ "pathSteps": [],
1350
+ "sanitizers": [],
1351
+ "guards": []
1352
+ },
1353
+ "considered": {
1354
+ "suppressionsApplied": [],
1355
+ "suppressionsSkipped": [],
1356
+ "reachabilityFilter": "unaffected",
1357
+ "clusterCollapsed": false,
1358
+ "typeNarrowed": false,
1359
+ "crownJewelTier": "unknown",
1360
+ "mitigationVerdict": "unreachable-in-prod"
1361
+ },
1362
+ "scanner": {
1363
+ "rulesetVersion": null,
1364
+ "packHash": null,
1365
+ "modelId": null
1366
+ }
1367
+ },
1368
+ "adversaryTranscript": null,
1369
+ "predictedBountyUsd": {
1370
+ "low": 10,
1371
+ "likely": 40,
1372
+ "high": 120,
1373
+ "program": "web2"
1374
+ },
1375
+ "bountyConfidence": "high",
1376
+ "attackPlaybook": null
1377
+ },
1378
+ {
1379
+ "id": "struct:incremental.js:209:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1380
+ "kind": "sast",
1381
+ "severity": "medium",
1382
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1383
+ "cwe": "CWE-400",
1384
+ "owaspLlm": null,
1385
+ "stride": "Denial of Service",
1386
+ "file": "incremental.js",
1387
+ "line": 209,
1388
+ "snippet": "fs.writeFileSync(path.join(dir, SUMMARIES_PATH), JSON.stringify(payload));",
1389
+ "fix": null,
1390
+ "reachable": false,
1391
+ "triage": 22,
1392
+ "dataClasses": [],
1393
+ "chain": null,
1394
+ "confidence": 0.212,
1395
+ "toxicity": 28,
1396
+ "toxicityFactors": [
1397
+ "http-facing"
1398
+ ],
1399
+ "toxicityLabel": "Medium",
1400
+ "sources": null,
1401
+ "epssScore": null,
1402
+ "epssPercentile": null,
1403
+ "epssCve": null,
1404
+ "exploitedNow": false,
1405
+ "tags": null,
1406
+ "blastRadius": {
1407
+ "scope": "all-users",
1408
+ "dataAtRisk": [
1409
+ "config"
1410
+ ],
1411
+ "userCount": 50,
1412
+ "industry": "generic",
1413
+ "jurisdictions": [],
1414
+ "controlsApplied": [],
1415
+ "dollarBest": 23250,
1416
+ "dollarLikely": 136250,
1417
+ "dollarWorst": 775000,
1418
+ "dollarLow": 23250,
1419
+ "dollarHigh": 775000,
1420
+ "components": {
1421
+ "incidentResponse": {
1422
+ "low": 8000,
1423
+ "likely": 50000,
1424
+ "high": 250000
1425
+ },
1426
+ "legal": {
1427
+ "low": 10000,
1428
+ "likely": 75000,
1429
+ "high": 500000
1430
+ },
1431
+ "crisisPR": {
1432
+ "low": 0,
1433
+ "likely": 0,
1434
+ "high": 0
1435
+ },
1436
+ "notification": {
1437
+ "low": 5000,
1438
+ "likely": 10000,
1439
+ "high": 15000
1440
+ },
1441
+ "creditMonitoring": {
1442
+ "low": 0,
1443
+ "likely": 0,
1444
+ "high": 0
1445
+ },
1446
+ "regulatoryFines": {
1447
+ "low": 0,
1448
+ "likely": 0,
1449
+ "high": 0
1450
+ },
1451
+ "directDamage": {
1452
+ "low": 250,
1453
+ "likely": 1250,
1454
+ "high": 10000
1455
+ },
1456
+ "classAction": {
1457
+ "low": 0,
1458
+ "likely": 0,
1459
+ "high": 0
1460
+ },
1461
+ "lostBusiness": {
1462
+ "low": 0,
1463
+ "likely": 0,
1464
+ "high": 0
1465
+ }
1466
+ },
1467
+ "dominantDriver": "legal counsel",
1468
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1469
+ "confidence": "low",
1470
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:209` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1471
+ },
1472
+ "stableId": "b6ab9f0eaa3c75e0",
1473
+ "confidenceTier": "very-low",
1474
+ "exploitability": 0.2,
1475
+ "exploitabilityTier": "low",
1476
+ "exploitabilityFactors": [
1477
+ "sev:medium",
1478
+ "unreachable"
1479
+ ],
1480
+ "clusterSize": null,
1481
+ "unreachable": false,
1482
+ "validator_verdict": "unvalidated",
1483
+ "llm_confidence": null,
1484
+ "unvalidated": true,
1485
+ "cross_language": false,
1486
+ "family": "dos-sync-io",
1487
+ "_unsigned": false,
1488
+ "_passThroughSigning": false,
1489
+ "signatureStatus": "verified",
1490
+ "regression_test": null,
1491
+ "poc": null,
1492
+ "calibrated_confidence": null,
1493
+ "calibrated_confidence_ci": null,
1494
+ "calibrated_n": 0,
1495
+ "calibration_reason": "no-history",
1496
+ "verifier_verdict": "cannot-verify",
1497
+ "verifier_reason": "no-poc-no-sanitizer-rule",
1498
+ "verifier_runner": null,
1499
+ "narration": null,
1500
+ "mitigationVerdict": "unreachable-in-prod",
1501
+ "mitigationsApplied": [],
1502
+ "mitigatedByWaf": false,
1503
+ "wafRuleId": null,
1504
+ "mitigatedByAuth": false,
1505
+ "authMechanism": null,
1506
+ "mitigatedByNetwork": false,
1507
+ "networkExposure": null,
1508
+ "featureFlag": null,
1509
+ "featureFlagState": null,
1510
+ "featureFlagRollout": null,
1511
+ "exposedInProd": false,
1512
+ "unreachableInProd": true,
1513
+ "coldPath": false,
1514
+ "hotPath": false,
1515
+ "prodRequestCount": null,
1516
+ "crownJewelScore": 0,
1517
+ "crownJewelTier": "unknown",
1518
+ "crownJewelFactors": [],
1519
+ "cloneClusterId": "4a06d0af981828b5",
1520
+ "cloneClusterSize": 1,
1521
+ "provenance": "human-likely",
1522
+ "provenanceScore": 0.22,
1523
+ "typeNarrowed": null,
1524
+ "strideCategory": "denialOfService",
1525
+ "personaScores": {
1526
+ "script-kiddie": {
1527
+ "score": 0.4,
1528
+ "tier": "medium",
1529
+ "factors": [
1530
+ "sev:medium"
1531
+ ]
1532
+ },
1533
+ "opportunistic-criminal": {
1534
+ "score": 0.4,
1535
+ "tier": "medium",
1536
+ "factors": [
1537
+ "sev:medium"
1538
+ ]
1539
+ },
1540
+ "apt-nation-state": {
1541
+ "score": 0.4,
1542
+ "tier": "medium",
1543
+ "factors": [
1544
+ "sev:medium"
1545
+ ]
1546
+ },
1547
+ "supply-chain-attacker": {
1548
+ "score": 0.4,
1549
+ "tier": "medium",
1550
+ "factors": [
1551
+ "sev:medium"
1552
+ ]
1553
+ },
1554
+ "malicious-insider": {
1555
+ "score": 0.4,
1556
+ "tier": "medium",
1557
+ "factors": [
1558
+ "sev:medium"
1559
+ ]
1560
+ }
1561
+ },
1562
+ "personaTopTwo": [
1563
+ "script-kiddie",
1564
+ "opportunistic-criminal"
1565
+ ],
1566
+ "personaMaxName": "script-kiddie",
1567
+ "personaMaxScore": 0.4,
1568
+ "reverseExposure": null,
1569
+ "specMined": null,
1570
+ "whyFired": {
1571
+ "detector": "sast/dos-sync-io",
1572
+ "ruleId": "CWE-400",
1573
+ "parser": "STRUCTURAL",
1574
+ "evidence": {
1575
+ "sinkSnippet": "fs.writeFileSync(path.join(dir, SUMMARIES_PATH), JSON.stringify(payload));",
1576
+ "sourceSnippet": "fs.writeFileSync(path.join(dir, SUMMARIES_PATH), JSON.stringify(payload));",
1577
+ "pathSteps": [],
1578
+ "sanitizers": [],
1579
+ "guards": []
1580
+ },
1581
+ "considered": {
1582
+ "suppressionsApplied": [],
1583
+ "suppressionsSkipped": [],
1584
+ "reachabilityFilter": "unaffected",
1585
+ "clusterCollapsed": false,
1586
+ "typeNarrowed": false,
1587
+ "crownJewelTier": "unknown",
1588
+ "mitigationVerdict": "unreachable-in-prod"
1589
+ },
1590
+ "scanner": {
1591
+ "rulesetVersion": null,
1592
+ "packHash": null,
1593
+ "modelId": null
1594
+ }
1595
+ },
1596
+ "adversaryTranscript": null,
1597
+ "predictedBountyUsd": {
1598
+ "low": 10,
1599
+ "likely": 40,
1600
+ "high": 120,
1601
+ "program": "web2"
1602
+ },
1603
+ "bountyConfidence": "high",
1604
+ "attackPlaybook": null
1605
+ },
1606
+ {
1607
+ "id": "struct:incremental.js:220:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1608
+ "kind": "sast",
1609
+ "severity": "medium",
1610
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1611
+ "cwe": "CWE-400",
1612
+ "owaspLlm": null,
1613
+ "stride": "Denial of Service",
1614
+ "file": "incremental.js",
1615
+ "line": 220,
1616
+ "snippet": "if (!fs.existsSync(dir)) return true;",
1617
+ "fix": null,
1618
+ "reachable": false,
1619
+ "triage": 22,
1620
+ "dataClasses": [],
1621
+ "chain": null,
1622
+ "confidence": 0.212,
1623
+ "toxicity": 28,
1624
+ "toxicityFactors": [
1625
+ "http-facing"
1626
+ ],
1627
+ "toxicityLabel": "Medium",
1628
+ "sources": null,
1629
+ "epssScore": null,
1630
+ "epssPercentile": null,
1631
+ "epssCve": null,
1632
+ "exploitedNow": false,
1633
+ "tags": null,
1634
+ "blastRadius": {
1635
+ "scope": "all-users",
1636
+ "dataAtRisk": [
1637
+ "config"
1638
+ ],
1639
+ "userCount": 50,
1640
+ "industry": "generic",
1641
+ "jurisdictions": [],
1642
+ "controlsApplied": [],
1643
+ "dollarBest": 23250,
1644
+ "dollarLikely": 136250,
1645
+ "dollarWorst": 775000,
1646
+ "dollarLow": 23250,
1647
+ "dollarHigh": 775000,
1648
+ "components": {
1649
+ "incidentResponse": {
1650
+ "low": 8000,
1651
+ "likely": 50000,
1652
+ "high": 250000
1653
+ },
1654
+ "legal": {
1655
+ "low": 10000,
1656
+ "likely": 75000,
1657
+ "high": 500000
1658
+ },
1659
+ "crisisPR": {
1660
+ "low": 0,
1661
+ "likely": 0,
1662
+ "high": 0
1663
+ },
1664
+ "notification": {
1665
+ "low": 5000,
1666
+ "likely": 10000,
1667
+ "high": 15000
1668
+ },
1669
+ "creditMonitoring": {
1670
+ "low": 0,
1671
+ "likely": 0,
1672
+ "high": 0
1673
+ },
1674
+ "regulatoryFines": {
1675
+ "low": 0,
1676
+ "likely": 0,
1677
+ "high": 0
1678
+ },
1679
+ "directDamage": {
1680
+ "low": 250,
1681
+ "likely": 1250,
1682
+ "high": 10000
1683
+ },
1684
+ "classAction": {
1685
+ "low": 0,
1686
+ "likely": 0,
1687
+ "high": 0
1688
+ },
1689
+ "lostBusiness": {
1690
+ "low": 0,
1691
+ "likely": 0,
1692
+ "high": 0
1693
+ }
1694
+ },
1695
+ "dominantDriver": "legal counsel",
1696
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1697
+ "confidence": "low",
1698
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:220` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1699
+ },
1700
+ "stableId": "0276003493008082",
1701
+ "confidenceTier": "very-low",
1702
+ "exploitability": 0.2,
1703
+ "exploitabilityTier": "low",
1704
+ "exploitabilityFactors": [
1705
+ "sev:medium",
1706
+ "unreachable"
1707
+ ],
1708
+ "clusterSize": null,
1709
+ "unreachable": false,
1710
+ "validator_verdict": "unvalidated",
1711
+ "llm_confidence": null,
1712
+ "unvalidated": true,
1713
+ "cross_language": false,
1714
+ "family": "dos-sync-io",
1715
+ "_unsigned": false,
1716
+ "_passThroughSigning": false,
1717
+ "signatureStatus": "verified",
1718
+ "regression_test": null,
1719
+ "poc": null,
1720
+ "calibrated_confidence": null,
1721
+ "calibrated_confidence_ci": null,
1722
+ "calibrated_n": 0,
1723
+ "calibration_reason": "no-history",
1724
+ "verifier_verdict": "cannot-verify",
1725
+ "verifier_reason": "no-poc-no-sanitizer-rule",
1726
+ "verifier_runner": null,
1727
+ "narration": null,
1728
+ "mitigationVerdict": "unreachable-in-prod",
1729
+ "mitigationsApplied": [],
1730
+ "mitigatedByWaf": false,
1731
+ "wafRuleId": null,
1732
+ "mitigatedByAuth": false,
1733
+ "authMechanism": null,
1734
+ "mitigatedByNetwork": false,
1735
+ "networkExposure": null,
1736
+ "featureFlag": null,
1737
+ "featureFlagState": null,
1738
+ "featureFlagRollout": null,
1739
+ "exposedInProd": false,
1740
+ "unreachableInProd": true,
1741
+ "coldPath": false,
1742
+ "hotPath": false,
1743
+ "prodRequestCount": null,
1744
+ "crownJewelScore": 0,
1745
+ "crownJewelTier": "unknown",
1746
+ "crownJewelFactors": [],
1747
+ "cloneClusterId": "b7114d1d9de39865",
1748
+ "cloneClusterSize": 1,
1749
+ "provenance": "human-likely",
1750
+ "provenanceScore": 0.22,
1751
+ "typeNarrowed": null,
1752
+ "strideCategory": "denialOfService",
1753
+ "personaScores": {
1754
+ "script-kiddie": {
1755
+ "score": 0.4,
1756
+ "tier": "medium",
1757
+ "factors": [
1758
+ "sev:medium"
1759
+ ]
1760
+ },
1761
+ "opportunistic-criminal": {
1762
+ "score": 0.4,
1763
+ "tier": "medium",
1764
+ "factors": [
1765
+ "sev:medium"
1766
+ ]
1767
+ },
1768
+ "apt-nation-state": {
1769
+ "score": 0.4,
1770
+ "tier": "medium",
1771
+ "factors": [
1772
+ "sev:medium"
1773
+ ]
1774
+ },
1775
+ "supply-chain-attacker": {
1776
+ "score": 0.4,
1777
+ "tier": "medium",
1778
+ "factors": [
1779
+ "sev:medium"
1780
+ ]
1781
+ },
1782
+ "malicious-insider": {
1783
+ "score": 0.4,
1784
+ "tier": "medium",
1785
+ "factors": [
1786
+ "sev:medium"
1787
+ ]
1788
+ }
1789
+ },
1790
+ "personaTopTwo": [
1791
+ "script-kiddie",
1792
+ "opportunistic-criminal"
1793
+ ],
1794
+ "personaMaxName": "script-kiddie",
1795
+ "personaMaxScore": 0.4,
1796
+ "reverseExposure": null,
1797
+ "specMined": null,
1798
+ "whyFired": {
1799
+ "detector": "sast/dos-sync-io",
1800
+ "ruleId": "CWE-400",
1801
+ "parser": "STRUCTURAL",
1802
+ "evidence": {
1803
+ "sinkSnippet": "if (!fs.existsSync(dir)) return true;",
1804
+ "sourceSnippet": "if (!fs.existsSync(dir)) return true;",
1805
+ "pathSteps": [],
1806
+ "sanitizers": [],
1807
+ "guards": []
1808
+ },
1809
+ "considered": {
1810
+ "suppressionsApplied": [],
1811
+ "suppressionsSkipped": [],
1812
+ "reachabilityFilter": "unaffected",
1813
+ "clusterCollapsed": false,
1814
+ "typeNarrowed": false,
1815
+ "crownJewelTier": "unknown",
1816
+ "mitigationVerdict": "unreachable-in-prod"
1817
+ },
1818
+ "scanner": {
1819
+ "rulesetVersion": null,
1820
+ "packHash": null,
1821
+ "modelId": null
1822
+ }
1823
+ },
1824
+ "adversaryTranscript": null,
1825
+ "predictedBountyUsd": {
1826
+ "low": 10,
1827
+ "likely": 40,
1828
+ "high": 120,
1829
+ "program": "web2"
1830
+ },
1831
+ "bountyConfidence": "high",
1832
+ "attackPlaybook": null
1833
+ },
1834
+ {
1835
+ "id": "struct:incremental.js:223:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1836
+ "kind": "sast",
1837
+ "severity": "medium",
1838
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1839
+ "cwe": "CWE-400",
1840
+ "owaspLlm": null,
1841
+ "stride": "Denial of Service",
1842
+ "file": "incremental.js",
1843
+ "line": 223,
1844
+ "snippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
1845
+ "fix": null,
1846
+ "reachable": false,
1847
+ "triage": 22,
1848
+ "dataClasses": [],
1849
+ "chain": null,
1850
+ "confidence": 0.212,
1851
+ "toxicity": 28,
1852
+ "toxicityFactors": [
1853
+ "http-facing"
1854
+ ],
1855
+ "toxicityLabel": "Medium",
1856
+ "sources": null,
1857
+ "epssScore": null,
1858
+ "epssPercentile": null,
1859
+ "epssCve": null,
1860
+ "exploitedNow": false,
1861
+ "tags": null,
1862
+ "blastRadius": {
1863
+ "scope": "all-users",
1864
+ "dataAtRisk": [
1865
+ "config"
1866
+ ],
1867
+ "userCount": 50,
1868
+ "industry": "generic",
1869
+ "jurisdictions": [],
1870
+ "controlsApplied": [],
1871
+ "dollarBest": 23250,
1872
+ "dollarLikely": 136250,
1873
+ "dollarWorst": 775000,
1874
+ "dollarLow": 23250,
1875
+ "dollarHigh": 775000,
1876
+ "components": {
1877
+ "incidentResponse": {
1878
+ "low": 8000,
1879
+ "likely": 50000,
1880
+ "high": 250000
1881
+ },
1882
+ "legal": {
1883
+ "low": 10000,
1884
+ "likely": 75000,
1885
+ "high": 500000
1886
+ },
1887
+ "crisisPR": {
1888
+ "low": 0,
1889
+ "likely": 0,
1890
+ "high": 0
1891
+ },
1892
+ "notification": {
1893
+ "low": 5000,
1894
+ "likely": 10000,
1895
+ "high": 15000
1896
+ },
1897
+ "creditMonitoring": {
1898
+ "low": 0,
1899
+ "likely": 0,
1900
+ "high": 0
1901
+ },
1902
+ "regulatoryFines": {
1903
+ "low": 0,
1904
+ "likely": 0,
1905
+ "high": 0
1906
+ },
1907
+ "directDamage": {
1908
+ "low": 250,
1909
+ "likely": 1250,
1910
+ "high": 10000
1911
+ },
1912
+ "classAction": {
1913
+ "low": 0,
1914
+ "likely": 0,
1915
+ "high": 0
1916
+ },
1917
+ "lostBusiness": {
1918
+ "low": 0,
1919
+ "likely": 0,
1920
+ "high": 0
1921
+ }
1922
+ },
1923
+ "dominantDriver": "legal counsel",
1924
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1925
+ "confidence": "low",
1926
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:223` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1927
+ },
1928
+ "stableId": "15ad072cb77cdfe4",
1929
+ "confidenceTier": "very-low",
1930
+ "exploitability": 0.2,
1931
+ "exploitabilityTier": "low",
1932
+ "exploitabilityFactors": [
1933
+ "sev:medium",
1934
+ "unreachable"
1935
+ ],
1936
+ "clusterSize": null,
1937
+ "unreachable": false,
1938
+ "validator_verdict": "unvalidated",
1939
+ "llm_confidence": null,
1940
+ "unvalidated": true,
1941
+ "cross_language": false,
1942
+ "family": "dos-sync-io",
1943
+ "_unsigned": false,
1944
+ "_passThroughSigning": false,
1945
+ "signatureStatus": "verified",
1946
+ "regression_test": null,
1947
+ "poc": null,
1948
+ "calibrated_confidence": null,
1949
+ "calibrated_confidence_ci": null,
1950
+ "calibrated_n": 0,
1951
+ "calibration_reason": "no-history",
1952
+ "verifier_verdict": "cannot-verify",
1953
+ "verifier_reason": "no-poc-no-sanitizer-rule",
1954
+ "verifier_runner": null,
1955
+ "narration": null,
1956
+ "mitigationVerdict": "unreachable-in-prod",
1957
+ "mitigationsApplied": [],
1958
+ "mitigatedByWaf": false,
1959
+ "wafRuleId": null,
1960
+ "mitigatedByAuth": false,
1961
+ "authMechanism": null,
1962
+ "mitigatedByNetwork": false,
1963
+ "networkExposure": null,
1964
+ "featureFlag": null,
1965
+ "featureFlagState": null,
1966
+ "featureFlagRollout": null,
1967
+ "exposedInProd": false,
1968
+ "unreachableInProd": true,
1969
+ "coldPath": false,
1970
+ "hotPath": false,
1971
+ "prodRequestCount": null,
1972
+ "crownJewelScore": 0,
1973
+ "crownJewelTier": "unknown",
1974
+ "crownJewelFactors": [],
1975
+ "cloneClusterId": "07f8fac8b280cc73",
1976
+ "cloneClusterSize": 1,
1977
+ "provenance": "human-likely",
1978
+ "provenanceScore": 0.22,
1979
+ "typeNarrowed": null,
1980
+ "strideCategory": "denialOfService",
1981
+ "personaScores": {
1982
+ "script-kiddie": {
1983
+ "score": 0.4,
1984
+ "tier": "medium",
1985
+ "factors": [
1986
+ "sev:medium"
1987
+ ]
1988
+ },
1989
+ "opportunistic-criminal": {
1990
+ "score": 0.4,
1991
+ "tier": "medium",
1992
+ "factors": [
1993
+ "sev:medium"
1994
+ ]
1995
+ },
1996
+ "apt-nation-state": {
1997
+ "score": 0.4,
1998
+ "tier": "medium",
1999
+ "factors": [
2000
+ "sev:medium"
2001
+ ]
2002
+ },
2003
+ "supply-chain-attacker": {
2004
+ "score": 0.4,
2005
+ "tier": "medium",
2006
+ "factors": [
2007
+ "sev:medium"
2008
+ ]
2009
+ },
2010
+ "malicious-insider": {
2011
+ "score": 0.4,
2012
+ "tier": "medium",
2013
+ "factors": [
2014
+ "sev:medium"
2015
+ ]
2016
+ }
2017
+ },
2018
+ "personaTopTwo": [
2019
+ "script-kiddie",
2020
+ "opportunistic-criminal"
2021
+ ],
2022
+ "personaMaxName": "script-kiddie",
2023
+ "personaMaxScore": 0.4,
2024
+ "reverseExposure": null,
2025
+ "specMined": null,
2026
+ "whyFired": {
2027
+ "detector": "sast/dos-sync-io",
2028
+ "ruleId": "CWE-400",
2029
+ "parser": "STRUCTURAL",
2030
+ "evidence": {
2031
+ "sinkSnippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
2032
+ "sourceSnippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
2033
+ "pathSteps": [],
2034
+ "sanitizers": [],
2035
+ "guards": []
2036
+ },
2037
+ "considered": {
2038
+ "suppressionsApplied": [],
2039
+ "suppressionsSkipped": [],
2040
+ "reachabilityFilter": "unaffected",
2041
+ "clusterCollapsed": false,
2042
+ "typeNarrowed": false,
2043
+ "crownJewelTier": "unknown",
2044
+ "mitigationVerdict": "unreachable-in-prod"
2045
+ },
2046
+ "scanner": {
2047
+ "rulesetVersion": null,
2048
+ "packHash": null,
2049
+ "modelId": null
2050
+ }
2051
+ },
2052
+ "adversaryTranscript": null,
2053
+ "predictedBountyUsd": {
2054
+ "low": 10,
2055
+ "likely": 40,
2056
+ "high": 120,
2057
+ "program": "web2"
2058
+ },
2059
+ "bountyConfidence": "high",
2060
+ "attackPlaybook": null
2061
+ },
2062
+ {
2063
+ "id": "ssrf-meta-hardcoded:catalog.js:431",
2064
+ "kind": "sast",
2065
+ "severity": "medium",
2066
+ "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
2067
+ "cwe": "CWE-918",
2068
+ "owaspLlm": null,
2069
+ "stride": "Information Disclosure",
2070
+ "file": "catalog.js",
2071
+ "line": 431,
2072
+ "snippet": "remediation: 'Resolve the host first, reject 169.254.169.254 / RFC1918 / localhost; or proxy through a server-side allow-list.' } },",
2073
+ "fix": null,
2074
+ "reachable": false,
2075
+ "triage": 22,
2076
+ "dataClasses": [],
2077
+ "chain": null,
2078
+ "confidence": 0.7,
2079
+ "toxicity": 8,
2080
+ "toxicityFactors": [],
2081
+ "toxicityLabel": "Low",
2082
+ "sources": null,
2083
+ "epssScore": null,
2084
+ "epssPercentile": null,
2085
+ "epssCve": null,
2086
+ "exploitedNow": false,
2087
+ "tags": null,
2088
+ "blastRadius": {
2089
+ "scope": "all-users",
2090
+ "dataAtRisk": [
2091
+ "credentials"
2092
+ ],
2093
+ "userCount": 50,
2094
+ "industry": "generic",
2095
+ "jurisdictions": [],
2096
+ "controlsApplied": [],
2097
+ "dollarBest": 24000,
2098
+ "dollarLikely": 138000,
2099
+ "dollarWorst": 777500,
2100
+ "dollarLow": 24000,
2101
+ "dollarHigh": 777500,
2102
+ "components": {
2103
+ "incidentResponse": {
2104
+ "low": 8000,
2105
+ "likely": 50000,
2106
+ "high": 250000
2107
+ },
2108
+ "legal": {
2109
+ "low": 10000,
2110
+ "likely": 75000,
2111
+ "high": 500000
2112
+ },
2113
+ "crisisPR": {
2114
+ "low": 0,
2115
+ "likely": 0,
2116
+ "high": 0
2117
+ },
2118
+ "notification": {
2119
+ "low": 5000,
2120
+ "likely": 10000,
2121
+ "high": 15000
2122
+ },
2123
+ "creditMonitoring": {
2124
+ "low": 0,
2125
+ "likely": 0,
2126
+ "high": 0
2127
+ },
2128
+ "regulatoryFines": {
2129
+ "low": 0,
2130
+ "likely": 0,
2131
+ "high": 0
2132
+ },
2133
+ "directDamage": {
2134
+ "low": 1000,
2135
+ "likely": 3000,
2136
+ "high": 12500
2137
+ },
2138
+ "classAction": {
2139
+ "low": 0,
2140
+ "likely": 0,
2141
+ "high": 0
2142
+ },
2143
+ "lostBusiness": {
2144
+ "low": 0,
2145
+ "likely": 0,
2146
+ "high": 0
2147
+ }
2148
+ },
2149
+ "dominantDriver": "legal counsel",
2150
+ "comparable": "Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)",
2151
+ "confidence": "low",
2152
+ "narrative": "SSRF: explicit reference to cloud instance-metadata endpoint on `catalog.js:431` could expose production credentials and API keys. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $24k · likely $138k · worst $778k. Dominant driver: legal counsel. Comparable: Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)."
2153
+ },
2154
+ "stableId": "3dfe482b8d5e3a09",
2155
+ "confidenceTier": "medium",
2156
+ "exploitability": 0.2,
2157
+ "exploitabilityTier": "low",
2158
+ "exploitabilityFactors": [
2159
+ "sev:medium",
2160
+ "unreachable"
2161
+ ],
2162
+ "clusterSize": null,
2163
+ "unreachable": false,
2164
+ "validator_verdict": "unvalidated",
2165
+ "llm_confidence": null,
2166
+ "unvalidated": true,
2167
+ "cross_language": false,
2168
+ "family": "ssrf",
2169
+ "_unsigned": false,
2170
+ "_passThroughSigning": false,
2171
+ "signatureStatus": "verified",
2172
+ "regression_test": {
2173
+ "lang": "node",
2174
+ "framework": "jest",
2175
+ "filename": "security_3dfe482b8d5e3a09.test.mjs",
2176
+ "runHint": "npx jest",
2177
+ "code": "// Regression test for SSRF: explicit reference to cloud instance-metadata endpoint (CWE-918).\n// Auto-generated from P1.1 PoC; fails on vulnerable code, passes after the fix.\n\nimport { test, expect } from '@jest/globals';\n\ntest('SSRF: explicit reference to cloud instance-metadata endpoint', async () => {\n const URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\n const METHOD = \"POST\";\n const PAYLOAD = \"http://127.0.0.1:65533/poc-ssrf-sentinel\";\n const body = METHOD === 'GET' ? null : JSON.stringify({ input: PAYLOAD });\n const reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + 'input=' + encodeURIComponent(PAYLOAD)\n : URL_;\n const r = await fetch(reqUrl, { method: METHOD, headers: { 'Content-Type': 'application/json' }, body });\n const text = await r.text();\n // The assertion below is the \"exploit demonstrated\" signal — when this\n // test PASSES, the vuln is still present. After the fix, this assertion\n // SHOULD fail. Inverse the assertion in a green build.\n const demonstrated = text.includes('PoC') || /syntax error/i.test(text) || text.includes('<script>');\n expect(demonstrated).toBe(false);\n});\n"
2178
+ },
2179
+ "poc": {
2180
+ "lang": "node",
2181
+ "kind": "http-payload",
2182
+ "cwe": "CWE-918",
2183
+ "family": "ssrf",
2184
+ "runHint": "node poc.mjs",
2185
+ "code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n"
2186
+ },
2187
+ "calibrated_confidence": null,
2188
+ "calibrated_confidence_ci": null,
2189
+ "calibrated_n": 24,
2190
+ "calibration_reason": "insufficient-samples",
2191
+ "verifier_verdict": "verified-sanitizer-absence",
2192
+ "verifier_reason": "no-sanitizer-in-window",
2193
+ "verifier_runner": null,
2194
+ "narration": null,
2195
+ "mitigationVerdict": "unreachable-in-prod",
2196
+ "mitigationsApplied": [],
2197
+ "mitigatedByWaf": false,
2198
+ "wafRuleId": null,
2199
+ "mitigatedByAuth": false,
2200
+ "authMechanism": null,
2201
+ "mitigatedByNetwork": false,
2202
+ "networkExposure": null,
2203
+ "featureFlag": null,
2204
+ "featureFlagState": null,
2205
+ "featureFlagRollout": null,
2206
+ "exposedInProd": false,
2207
+ "unreachableInProd": true,
2208
+ "coldPath": false,
2209
+ "hotPath": false,
2210
+ "prodRequestCount": null,
2211
+ "crownJewelScore": 0.15,
2212
+ "crownJewelTier": "low-value",
2213
+ "crownJewelFactors": [
2214
+ "shell-execution"
2215
+ ],
2216
+ "cloneClusterId": null,
2217
+ "cloneClusterSize": 1,
2218
+ "provenance": "human-likely",
2219
+ "provenanceScore": 0.26,
2220
+ "typeNarrowed": null,
2221
+ "strideCategory": "tampering",
2222
+ "personaScores": {
2223
+ "script-kiddie": {
2224
+ "score": 0.4,
2225
+ "tier": "medium",
2226
+ "factors": [
2227
+ "sev:medium"
2228
+ ]
2229
+ },
2230
+ "opportunistic-criminal": {
2231
+ "score": 0.6,
2232
+ "tier": "high",
2233
+ "factors": [
2234
+ "sev:medium",
2235
+ "bias:ssrf+0.20"
2236
+ ]
2237
+ },
2238
+ "apt-nation-state": {
2239
+ "score": 0.7,
2240
+ "tier": "high",
2241
+ "factors": [
2242
+ "sev:medium",
2243
+ "bias:ssrf+0.30"
2244
+ ]
2245
+ },
2246
+ "supply-chain-attacker": {
2247
+ "score": 0.4,
2248
+ "tier": "medium",
2249
+ "factors": [
2250
+ "sev:medium"
2251
+ ]
2252
+ },
2253
+ "malicious-insider": {
2254
+ "score": 0.4,
2255
+ "tier": "medium",
2256
+ "factors": [
2257
+ "sev:medium"
2258
+ ]
2259
+ }
2260
+ },
2261
+ "personaTopTwo": [
2262
+ "apt-nation-state",
2263
+ "opportunistic-criminal"
2264
+ ],
2265
+ "personaMaxName": "apt-nation-state",
2266
+ "personaMaxScore": 0.7,
2267
+ "reverseExposure": null,
2268
+ "specMined": null,
2269
+ "whyFired": {
2270
+ "detector": "sast/ssrf",
2271
+ "ruleId": "CWE-918",
2272
+ "parser": "SSRF-METADATA",
2273
+ "evidence": {
2274
+ "sinkSnippet": "remediation: 'Resolve the host first, reject 169.254.169.254 / RFC1918 / localhost; or proxy through a server-side allow-list.' } },",
2275
+ "sourceSnippet": null,
2276
+ "pathSteps": [],
2277
+ "sanitizers": [],
2278
+ "guards": []
2279
+ },
2280
+ "considered": {
2281
+ "suppressionsApplied": [],
2282
+ "suppressionsSkipped": [],
2283
+ "reachabilityFilter": "unaffected",
2284
+ "clusterCollapsed": false,
2285
+ "typeNarrowed": false,
2286
+ "crownJewelTier": "low-value",
2287
+ "mitigationVerdict": "unreachable-in-prod"
2288
+ },
2289
+ "scanner": {
2290
+ "rulesetVersion": null,
2291
+ "packHash": null,
2292
+ "modelId": null
2293
+ }
2294
+ },
2295
+ "adversaryTranscript": null,
2296
+ "predictedBountyUsd": {
2297
+ "low": 30,
2298
+ "likely": 120,
2299
+ "high": 350,
2300
+ "program": "web2"
2301
+ },
2302
+ "bountyConfidence": "high",
2303
+ "attackPlaybook": null
2304
+ },
2305
+ {
2306
+ "id": "ssrf-meta-hardcoded:exploit-prover.js:33",
2307
+ "kind": "sast",
2308
+ "severity": "medium",
2309
+ "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
2310
+ "cwe": "CWE-918",
2311
+ "owaspLlm": null,
2312
+ "stride": "Information Disclosure",
2313
+ "file": "exploit-prover.js",
2314
+ "line": 33,
2315
+ "snippet": "'CWE-918': `http://169.254.169.254/latest/meta-data/`, // SSRF",
2316
+ "fix": null,
2317
+ "reachable": false,
2318
+ "triage": 22,
2319
+ "dataClasses": [],
2320
+ "chain": null,
2321
+ "confidence": 0.7,
2322
+ "toxicity": 8,
2323
+ "toxicityFactors": [],
2324
+ "toxicityLabel": "Low",
2325
+ "sources": null,
2326
+ "epssScore": null,
2327
+ "epssPercentile": null,
2328
+ "epssCve": null,
2329
+ "exploitedNow": false,
2330
+ "tags": null,
2331
+ "blastRadius": {
2332
+ "scope": "all-users",
2333
+ "dataAtRisk": [
2334
+ "credentials"
2335
+ ],
2336
+ "userCount": 50,
2337
+ "industry": "generic",
2338
+ "jurisdictions": [],
2339
+ "controlsApplied": [],
2340
+ "dollarBest": 24000,
2341
+ "dollarLikely": 138000,
2342
+ "dollarWorst": 777500,
2343
+ "dollarLow": 24000,
2344
+ "dollarHigh": 777500,
2345
+ "components": {
2346
+ "incidentResponse": {
2347
+ "low": 8000,
2348
+ "likely": 50000,
2349
+ "high": 250000
2350
+ },
2351
+ "legal": {
2352
+ "low": 10000,
2353
+ "likely": 75000,
2354
+ "high": 500000
2355
+ },
2356
+ "crisisPR": {
2357
+ "low": 0,
2358
+ "likely": 0,
2359
+ "high": 0
2360
+ },
2361
+ "notification": {
2362
+ "low": 5000,
2363
+ "likely": 10000,
2364
+ "high": 15000
2365
+ },
2366
+ "creditMonitoring": {
2367
+ "low": 0,
2368
+ "likely": 0,
2369
+ "high": 0
2370
+ },
2371
+ "regulatoryFines": {
2372
+ "low": 0,
2373
+ "likely": 0,
2374
+ "high": 0
2375
+ },
2376
+ "directDamage": {
2377
+ "low": 1000,
2378
+ "likely": 3000,
2379
+ "high": 12500
2380
+ },
2381
+ "classAction": {
2382
+ "low": 0,
2383
+ "likely": 0,
2384
+ "high": 0
2385
+ },
2386
+ "lostBusiness": {
2387
+ "low": 0,
2388
+ "likely": 0,
2389
+ "high": 0
2390
+ }
2391
+ },
2392
+ "dominantDriver": "legal counsel",
2393
+ "comparable": "Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)",
2394
+ "confidence": "low",
2395
+ "narrative": "SSRF: explicit reference to cloud instance-metadata endpoint on `exploit-prover.js:33` could expose production credentials and API keys. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $24k · likely $138k · worst $778k. Dominant driver: legal counsel. Comparable: Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)."
2396
+ },
2397
+ "stableId": "88ebc2728475812c",
2398
+ "confidenceTier": "medium",
2399
+ "exploitability": 0.2,
2400
+ "exploitabilityTier": "low",
2401
+ "exploitabilityFactors": [
2402
+ "sev:medium",
2403
+ "unreachable"
2404
+ ],
2405
+ "clusterSize": null,
2406
+ "unreachable": false,
2407
+ "validator_verdict": "unvalidated",
2408
+ "llm_confidence": null,
2409
+ "unvalidated": true,
2410
+ "cross_language": false,
2411
+ "family": "ssrf",
2412
+ "_unsigned": false,
2413
+ "_passThroughSigning": false,
2414
+ "signatureStatus": "verified",
2415
+ "regression_test": {
2416
+ "lang": "node",
2417
+ "framework": "jest",
2418
+ "filename": "security_88ebc2728475812c.test.mjs",
2419
+ "runHint": "npx jest",
2420
+ "code": "// Regression test for SSRF: explicit reference to cloud instance-metadata endpoint (CWE-918).\n// Auto-generated from P1.1 PoC; fails on vulnerable code, passes after the fix.\n\nimport { test, expect } from '@jest/globals';\n\ntest('SSRF: explicit reference to cloud instance-metadata endpoint', async () => {\n const URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\n const METHOD = \"POST\";\n const PAYLOAD = \"http://127.0.0.1:65533/poc-ssrf-sentinel\";\n const body = METHOD === 'GET' ? null : JSON.stringify({ input: PAYLOAD });\n const reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + 'input=' + encodeURIComponent(PAYLOAD)\n : URL_;\n const r = await fetch(reqUrl, { method: METHOD, headers: { 'Content-Type': 'application/json' }, body });\n const text = await r.text();\n // The assertion below is the \"exploit demonstrated\" signal — when this\n // test PASSES, the vuln is still present. After the fix, this assertion\n // SHOULD fail. Inverse the assertion in a green build.\n const demonstrated = text.includes('PoC') || /syntax error/i.test(text) || text.includes('<script>');\n expect(demonstrated).toBe(false);\n});\n"
2421
+ },
2422
+ "poc": {
2423
+ "lang": "node",
2424
+ "kind": "http-payload",
2425
+ "cwe": "CWE-918",
2426
+ "family": "ssrf",
2427
+ "runHint": "node poc.mjs",
2428
+ "code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n"
2429
+ },
2430
+ "calibrated_confidence": null,
2431
+ "calibrated_confidence_ci": null,
2432
+ "calibrated_n": 24,
2433
+ "calibration_reason": "insufficient-samples",
2434
+ "verifier_verdict": "verified-sanitizer-absence",
2435
+ "verifier_reason": "no-sanitizer-in-window",
2436
+ "verifier_runner": null,
2437
+ "narration": null,
2438
+ "mitigationVerdict": "unreachable-in-prod",
2439
+ "mitigationsApplied": [],
2440
+ "mitigatedByWaf": false,
2441
+ "wafRuleId": null,
2442
+ "mitigatedByAuth": false,
2443
+ "authMechanism": null,
2444
+ "mitigatedByNetwork": false,
2445
+ "networkExposure": null,
2446
+ "featureFlag": null,
2447
+ "featureFlagState": null,
2448
+ "featureFlagRollout": null,
2449
+ "exposedInProd": false,
2450
+ "unreachableInProd": true,
2451
+ "coldPath": false,
2452
+ "hotPath": false,
2453
+ "prodRequestCount": null,
2454
+ "crownJewelScore": 0,
2455
+ "crownJewelTier": "unknown",
2456
+ "crownJewelFactors": [],
2457
+ "cloneClusterId": null,
2458
+ "cloneClusterSize": 1,
2459
+ "provenance": "mixed",
2460
+ "provenanceScore": 0.3,
2461
+ "typeNarrowed": null,
2462
+ "strideCategory": "tampering",
2463
+ "personaScores": {
2464
+ "script-kiddie": {
2465
+ "score": 0.4,
2466
+ "tier": "medium",
2467
+ "factors": [
2468
+ "sev:medium"
2469
+ ]
2470
+ },
2471
+ "opportunistic-criminal": {
2472
+ "score": 0.6,
2473
+ "tier": "high",
2474
+ "factors": [
2475
+ "sev:medium",
2476
+ "bias:ssrf+0.20"
2477
+ ]
2478
+ },
2479
+ "apt-nation-state": {
2480
+ "score": 0.7,
2481
+ "tier": "high",
2482
+ "factors": [
2483
+ "sev:medium",
2484
+ "bias:ssrf+0.30"
2485
+ ]
2486
+ },
2487
+ "supply-chain-attacker": {
2488
+ "score": 0.4,
2489
+ "tier": "medium",
2490
+ "factors": [
2491
+ "sev:medium"
2492
+ ]
2493
+ },
2494
+ "malicious-insider": {
2495
+ "score": 0.4,
2496
+ "tier": "medium",
2497
+ "factors": [
2498
+ "sev:medium"
2499
+ ]
2500
+ }
2501
+ },
2502
+ "personaTopTwo": [
2503
+ "apt-nation-state",
2504
+ "opportunistic-criminal"
2505
+ ],
2506
+ "personaMaxName": "apt-nation-state",
2507
+ "personaMaxScore": 0.7,
2508
+ "reverseExposure": null,
2509
+ "specMined": null,
2510
+ "whyFired": {
2511
+ "detector": "sast/ssrf",
2512
+ "ruleId": "CWE-918",
2513
+ "parser": "SSRF-METADATA",
2514
+ "evidence": {
2515
+ "sinkSnippet": "'CWE-918': `http://169.254.169.254/latest/meta-data/`, // SSRF",
2516
+ "sourceSnippet": null,
2517
+ "pathSteps": [],
2518
+ "sanitizers": [],
2519
+ "guards": []
2520
+ },
2521
+ "considered": {
2522
+ "suppressionsApplied": [],
2523
+ "suppressionsSkipped": [],
2524
+ "reachabilityFilter": "unaffected",
2525
+ "clusterCollapsed": false,
2526
+ "typeNarrowed": false,
2527
+ "crownJewelTier": "unknown",
2528
+ "mitigationVerdict": "unreachable-in-prod"
2529
+ },
2530
+ "scanner": {
2531
+ "rulesetVersion": null,
2532
+ "packHash": null,
2533
+ "modelId": null
2534
+ }
2535
+ },
2536
+ "adversaryTranscript": null,
2537
+ "predictedBountyUsd": {
2538
+ "low": 30,
2539
+ "likely": 120,
2540
+ "high": 350,
2541
+ "program": "web2"
2542
+ },
2543
+ "bountyConfidence": "high",
2544
+ "attackPlaybook": null
2545
+ },
2546
+ {
2547
+ "id": "toctou-fs:incremental.js:50",
2548
+ "kind": "sast",
2549
+ "severity": "medium",
2550
+ "vuln": "TOCTOU: file existence/permission check before open",
2551
+ "cwe": "CWE-367",
2552
+ "owaspLlm": null,
2553
+ "stride": "Tampering",
2554
+ "file": "incremental.js",
2555
+ "line": 50,
2556
+ "snippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
2557
+ "fix": null,
2558
+ "reachable": false,
2559
+ "triage": 22,
2560
+ "dataClasses": [],
2561
+ "chain": null,
2562
+ "confidence": 0.7,
2563
+ "toxicity": 8,
2564
+ "toxicityFactors": [],
2565
+ "toxicityLabel": "Low",
2566
+ "sources": null,
2567
+ "epssScore": null,
2568
+ "epssPercentile": null,
2569
+ "epssCve": null,
2570
+ "exploitedNow": false,
2571
+ "tags": null,
2572
+ "blastRadius": {
2573
+ "scope": "all-users",
2574
+ "dataAtRisk": [
2575
+ "config"
2576
+ ],
2577
+ "userCount": 50,
2578
+ "industry": "generic",
2579
+ "jurisdictions": [],
2580
+ "controlsApplied": [],
2581
+ "dollarBest": 23250,
2582
+ "dollarLikely": 136250,
2583
+ "dollarWorst": 775000,
2584
+ "dollarLow": 23250,
2585
+ "dollarHigh": 775000,
2586
+ "components": {
2587
+ "incidentResponse": {
2588
+ "low": 8000,
2589
+ "likely": 50000,
2590
+ "high": 250000
2591
+ },
2592
+ "legal": {
2593
+ "low": 10000,
2594
+ "likely": 75000,
2595
+ "high": 500000
2596
+ },
2597
+ "crisisPR": {
2598
+ "low": 0,
2599
+ "likely": 0,
2600
+ "high": 0
2601
+ },
2602
+ "notification": {
2603
+ "low": 5000,
2604
+ "likely": 10000,
2605
+ "high": 15000
2606
+ },
2607
+ "creditMonitoring": {
2608
+ "low": 0,
2609
+ "likely": 0,
2610
+ "high": 0
2611
+ },
2612
+ "regulatoryFines": {
2613
+ "low": 0,
2614
+ "likely": 0,
2615
+ "high": 0
2616
+ },
2617
+ "directDamage": {
2618
+ "low": 250,
2619
+ "likely": 1250,
2620
+ "high": 10000
2621
+ },
2622
+ "classAction": {
2623
+ "low": 0,
2624
+ "likely": 0,
2625
+ "high": 0
2626
+ },
2627
+ "lostBusiness": {
2628
+ "low": 0,
2629
+ "likely": 0,
2630
+ "high": 0
2631
+ }
2632
+ },
2633
+ "dominantDriver": "legal counsel",
2634
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
2635
+ "confidence": "low",
2636
+ "narrative": "TOCTOU: file existence/permission check before open on `incremental.js:50` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
2637
+ },
2638
+ "stableId": "3184d498fcca8634",
2639
+ "confidenceTier": "medium",
2640
+ "exploitability": 0.2,
2641
+ "exploitabilityTier": "low",
2642
+ "exploitabilityFactors": [
2643
+ "sev:medium",
2644
+ "unreachable"
2645
+ ],
2646
+ "clusterSize": null,
2647
+ "unreachable": false,
2648
+ "validator_verdict": "unvalidated",
2649
+ "llm_confidence": null,
2650
+ "unvalidated": true,
2651
+ "cross_language": false,
2652
+ "family": "toctou-file-existence-permission-check-b",
2653
+ "_unsigned": false,
2654
+ "_passThroughSigning": false,
2655
+ "signatureStatus": "verified",
2656
+ "regression_test": null,
2657
+ "poc": null,
2658
+ "calibrated_confidence": null,
2659
+ "calibrated_confidence_ci": null,
2660
+ "calibrated_n": 0,
2661
+ "calibration_reason": "no-history",
2662
+ "verifier_verdict": "cannot-verify",
2663
+ "verifier_reason": "no-poc-no-sanitizer-rule",
2664
+ "verifier_runner": null,
2665
+ "narration": null,
2666
+ "mitigationVerdict": "unreachable-in-prod",
2667
+ "mitigationsApplied": [],
2668
+ "mitigatedByWaf": false,
2669
+ "wafRuleId": null,
2670
+ "mitigatedByAuth": false,
2671
+ "authMechanism": null,
2672
+ "mitigatedByNetwork": false,
2673
+ "networkExposure": null,
2674
+ "featureFlag": null,
2675
+ "featureFlagState": null,
2676
+ "featureFlagRollout": null,
2677
+ "exposedInProd": false,
2678
+ "unreachableInProd": true,
2679
+ "coldPath": false,
2680
+ "hotPath": false,
2681
+ "prodRequestCount": null,
2682
+ "crownJewelScore": 0,
2683
+ "crownJewelTier": "unknown",
2684
+ "crownJewelFactors": [],
2685
+ "cloneClusterId": "bf9643a065f64945",
2686
+ "cloneClusterSize": 2,
2687
+ "provenance": "human-likely",
2688
+ "provenanceScore": 0.22,
2689
+ "typeNarrowed": null,
2690
+ "strideCategory": "tampering",
2691
+ "personaScores": {
2692
+ "script-kiddie": {
2693
+ "score": 0.4,
2694
+ "tier": "medium",
2695
+ "factors": [
2696
+ "sev:medium"
2697
+ ]
2698
+ },
2699
+ "opportunistic-criminal": {
2700
+ "score": 0.4,
2701
+ "tier": "medium",
2702
+ "factors": [
2703
+ "sev:medium"
2704
+ ]
2705
+ },
2706
+ "apt-nation-state": {
2707
+ "score": 0.4,
2708
+ "tier": "medium",
2709
+ "factors": [
2710
+ "sev:medium"
2711
+ ]
2712
+ },
2713
+ "supply-chain-attacker": {
2714
+ "score": 0.4,
2715
+ "tier": "medium",
2716
+ "factors": [
2717
+ "sev:medium"
2718
+ ]
2719
+ },
2720
+ "malicious-insider": {
2721
+ "score": 0.4,
2722
+ "tier": "medium",
2723
+ "factors": [
2724
+ "sev:medium"
2725
+ ]
2726
+ }
2727
+ },
2728
+ "personaTopTwo": [
2729
+ "script-kiddie",
2730
+ "opportunistic-criminal"
2731
+ ],
2732
+ "personaMaxName": "script-kiddie",
2733
+ "personaMaxScore": 0.4,
2734
+ "reverseExposure": null,
2735
+ "specMined": null,
2736
+ "whyFired": {
2737
+ "detector": "sast/toctou-file-existence-permission-check-b",
2738
+ "ruleId": "CWE-367",
2739
+ "parser": "TOCTOU",
2740
+ "evidence": {
2741
+ "sinkSnippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
2742
+ "sourceSnippet": null,
2743
+ "pathSteps": [],
2744
+ "sanitizers": [],
2745
+ "guards": []
2746
+ },
2747
+ "considered": {
2748
+ "suppressionsApplied": [],
2749
+ "suppressionsSkipped": [],
2750
+ "reachabilityFilter": "unaffected",
2751
+ "clusterCollapsed": false,
2752
+ "typeNarrowed": false,
2753
+ "crownJewelTier": "unknown",
2754
+ "mitigationVerdict": "unreachable-in-prod"
2755
+ },
2756
+ "scanner": {
2757
+ "rulesetVersion": null,
2758
+ "packHash": null,
2759
+ "modelId": null
2760
+ }
2761
+ },
2762
+ "adversaryTranscript": null,
2763
+ "predictedBountyUsd": null,
2764
+ "bountyConfidence": null,
2765
+ "attackPlaybook": null
2766
+ },
2767
+ {
2768
+ "id": "toctou-fs:incremental.js:68",
2769
+ "kind": "sast",
2770
+ "severity": "medium",
2771
+ "vuln": "TOCTOU: file existence/permission check before open",
2772
+ "cwe": "CWE-367",
2773
+ "owaspLlm": null,
2774
+ "stride": "Tampering",
2775
+ "file": "incremental.js",
2776
+ "line": 68,
2777
+ "snippet": "if (!fs.existsSync(fp)) return fallback;",
2778
+ "fix": null,
2779
+ "reachable": false,
2780
+ "triage": 22,
2781
+ "dataClasses": [],
2782
+ "chain": null,
2783
+ "confidence": 0.7,
2784
+ "toxicity": 8,
2785
+ "toxicityFactors": [],
2786
+ "toxicityLabel": "Low",
2787
+ "sources": null,
2788
+ "epssScore": null,
2789
+ "epssPercentile": null,
2790
+ "epssCve": null,
2791
+ "exploitedNow": false,
2792
+ "tags": null,
2793
+ "blastRadius": {
2794
+ "scope": "all-users",
2795
+ "dataAtRisk": [
2796
+ "config"
2797
+ ],
2798
+ "userCount": 50,
2799
+ "industry": "generic",
2800
+ "jurisdictions": [],
2801
+ "controlsApplied": [],
2802
+ "dollarBest": 23250,
2803
+ "dollarLikely": 136250,
2804
+ "dollarWorst": 775000,
2805
+ "dollarLow": 23250,
2806
+ "dollarHigh": 775000,
2807
+ "components": {
2808
+ "incidentResponse": {
2809
+ "low": 8000,
2810
+ "likely": 50000,
2811
+ "high": 250000
2812
+ },
2813
+ "legal": {
2814
+ "low": 10000,
2815
+ "likely": 75000,
2816
+ "high": 500000
2817
+ },
2818
+ "crisisPR": {
2819
+ "low": 0,
2820
+ "likely": 0,
2821
+ "high": 0
2822
+ },
2823
+ "notification": {
2824
+ "low": 5000,
2825
+ "likely": 10000,
2826
+ "high": 15000
2827
+ },
2828
+ "creditMonitoring": {
2829
+ "low": 0,
2830
+ "likely": 0,
2831
+ "high": 0
2832
+ },
2833
+ "regulatoryFines": {
2834
+ "low": 0,
2835
+ "likely": 0,
2836
+ "high": 0
2837
+ },
2838
+ "directDamage": {
2839
+ "low": 250,
2840
+ "likely": 1250,
2841
+ "high": 10000
2842
+ },
2843
+ "classAction": {
2844
+ "low": 0,
2845
+ "likely": 0,
2846
+ "high": 0
2847
+ },
2848
+ "lostBusiness": {
2849
+ "low": 0,
2850
+ "likely": 0,
2851
+ "high": 0
2852
+ }
2853
+ },
2854
+ "dominantDriver": "legal counsel",
2855
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
2856
+ "confidence": "low",
2857
+ "narrative": "TOCTOU: file existence/permission check before open on `incremental.js:68` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
2858
+ },
2859
+ "stableId": "ca2e725c38df4ef6",
2860
+ "confidenceTier": "medium",
2861
+ "exploitability": 0.2,
2862
+ "exploitabilityTier": "low",
2863
+ "exploitabilityFactors": [
2864
+ "sev:medium",
2865
+ "unreachable"
2866
+ ],
2867
+ "clusterSize": null,
2868
+ "unreachable": false,
2869
+ "validator_verdict": "unvalidated",
2870
+ "llm_confidence": null,
2871
+ "unvalidated": true,
2872
+ "cross_language": false,
2873
+ "family": "toctou-file-existence-permission-check-b",
2874
+ "_unsigned": false,
2875
+ "_passThroughSigning": false,
2876
+ "signatureStatus": "verified",
2877
+ "regression_test": null,
2878
+ "poc": null,
2879
+ "calibrated_confidence": null,
2880
+ "calibrated_confidence_ci": null,
2881
+ "calibrated_n": 0,
2882
+ "calibration_reason": "no-history",
2883
+ "verifier_verdict": "cannot-verify",
2884
+ "verifier_reason": "no-poc-no-sanitizer-rule",
2885
+ "verifier_runner": null,
2886
+ "narration": null,
2887
+ "mitigationVerdict": "unreachable-in-prod",
2888
+ "mitigationsApplied": [],
2889
+ "mitigatedByWaf": false,
2890
+ "wafRuleId": null,
2891
+ "mitigatedByAuth": false,
2892
+ "authMechanism": null,
2893
+ "mitigatedByNetwork": false,
2894
+ "networkExposure": null,
2895
+ "featureFlag": null,
2896
+ "featureFlagState": null,
2897
+ "featureFlagRollout": null,
2898
+ "exposedInProd": false,
2899
+ "unreachableInProd": true,
2900
+ "coldPath": false,
2901
+ "hotPath": false,
2902
+ "prodRequestCount": null,
2903
+ "crownJewelScore": 0,
2904
+ "crownJewelTier": "unknown",
2905
+ "crownJewelFactors": [],
2906
+ "cloneClusterId": "39f1d6db55cace1d",
2907
+ "cloneClusterSize": 2,
2908
+ "provenance": "human-likely",
2909
+ "provenanceScore": 0.22,
2910
+ "typeNarrowed": null,
2911
+ "strideCategory": "tampering",
2912
+ "personaScores": {
2913
+ "script-kiddie": {
2914
+ "score": 0.4,
2915
+ "tier": "medium",
2916
+ "factors": [
2917
+ "sev:medium"
2918
+ ]
2919
+ },
2920
+ "opportunistic-criminal": {
2921
+ "score": 0.4,
2922
+ "tier": "medium",
2923
+ "factors": [
2924
+ "sev:medium"
2925
+ ]
2926
+ },
2927
+ "apt-nation-state": {
2928
+ "score": 0.4,
2929
+ "tier": "medium",
2930
+ "factors": [
2931
+ "sev:medium"
2932
+ ]
2933
+ },
2934
+ "supply-chain-attacker": {
2935
+ "score": 0.4,
2936
+ "tier": "medium",
2937
+ "factors": [
2938
+ "sev:medium"
2939
+ ]
2940
+ },
2941
+ "malicious-insider": {
2942
+ "score": 0.4,
2943
+ "tier": "medium",
2944
+ "factors": [
2945
+ "sev:medium"
2946
+ ]
2947
+ }
2948
+ },
2949
+ "personaTopTwo": [
2950
+ "script-kiddie",
2951
+ "opportunistic-criminal"
2952
+ ],
2953
+ "personaMaxName": "script-kiddie",
2954
+ "personaMaxScore": 0.4,
2955
+ "reverseExposure": null,
2956
+ "specMined": null,
2957
+ "whyFired": {
2958
+ "detector": "sast/toctou-file-existence-permission-check-b",
2959
+ "ruleId": "CWE-367",
2960
+ "parser": "TOCTOU",
2961
+ "evidence": {
2962
+ "sinkSnippet": "if (!fs.existsSync(fp)) return fallback;",
2963
+ "sourceSnippet": null,
2964
+ "pathSteps": [],
2965
+ "sanitizers": [],
2966
+ "guards": []
2967
+ },
2968
+ "considered": {
2969
+ "suppressionsApplied": [],
2970
+ "suppressionsSkipped": [],
2971
+ "reachabilityFilter": "unaffected",
2972
+ "clusterCollapsed": false,
2973
+ "typeNarrowed": false,
2974
+ "crownJewelTier": "unknown",
2975
+ "mitigationVerdict": "unreachable-in-prod"
2976
+ },
2977
+ "scanner": {
2978
+ "rulesetVersion": null,
2979
+ "packHash": null,
2980
+ "modelId": null
2981
+ }
2982
+ },
2983
+ "adversaryTranscript": null,
2984
+ "predictedBountyUsd": null,
2985
+ "bountyConfidence": null,
2986
+ "attackPlaybook": null
2987
+ },
2988
+ {
2989
+ "id": "77f1352c8462f8db",
2990
+ "kind": "logic",
2991
+ "severity": "medium",
2992
+ "vuln": "Race Condition (TOCTOU)",
2993
+ "cwe": "CWE-367",
2994
+ "stride": "Tampering",
2995
+ "file": "incremental.js",
2996
+ "line": 223,
2997
+ "snippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
2998
+ "fix": {
2999
+ "description": "Use atomic operations instead of check-then-act patterns.",
3000
+ "code": "// BEFORE\nif (fs.existsSync(p)) fs.unlinkSync(p);\n\n// AFTER\ntry { fs.unlinkSync(p); } catch(e) { if(e.code!=='ENOENT') throw e; }"
3001
+ },
3002
+ "blastRadius": {
3003
+ "scope": "all-users",
3004
+ "dataAtRisk": [
3005
+ "config"
3006
+ ],
3007
+ "userCount": 50,
3008
+ "industry": "generic",
3009
+ "jurisdictions": [],
3010
+ "controlsApplied": [],
3011
+ "dollarBest": 23250,
3012
+ "dollarLikely": 136250,
3013
+ "dollarWorst": 775000,
3014
+ "dollarLow": 23250,
3015
+ "dollarHigh": 775000,
3016
+ "components": {
3017
+ "incidentResponse": {
3018
+ "low": 8000,
3019
+ "likely": 50000,
3020
+ "high": 250000
3021
+ },
3022
+ "legal": {
3023
+ "low": 10000,
3024
+ "likely": 75000,
3025
+ "high": 500000
3026
+ },
3027
+ "crisisPR": {
3028
+ "low": 0,
3029
+ "likely": 0,
3030
+ "high": 0
3031
+ },
3032
+ "notification": {
3033
+ "low": 5000,
3034
+ "likely": 10000,
3035
+ "high": 15000
3036
+ },
3037
+ "creditMonitoring": {
3038
+ "low": 0,
3039
+ "likely": 0,
3040
+ "high": 0
3041
+ },
3042
+ "regulatoryFines": {
3043
+ "low": 0,
3044
+ "likely": 0,
3045
+ "high": 0
3046
+ },
3047
+ "directDamage": {
3048
+ "low": 250,
3049
+ "likely": 1250,
3050
+ "high": 10000
3051
+ },
3052
+ "classAction": {
3053
+ "low": 0,
3054
+ "likely": 0,
3055
+ "high": 0
3056
+ },
3057
+ "lostBusiness": {
3058
+ "low": 0,
3059
+ "likely": 0,
3060
+ "high": 0
3061
+ }
3062
+ },
3063
+ "dominantDriver": "legal counsel",
3064
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3065
+ "confidence": "low",
3066
+ "narrative": "Race Condition (TOCTOU) on `incremental.js:223` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3067
+ }
3068
+ },
3069
+ {
3070
+ "id": "logic:incremental.js:50:TOCTOU:_existsSync_followed_by_file_op",
3071
+ "kind": "logic",
3072
+ "severity": "medium",
3073
+ "vuln": "TOCTOU: existsSync followed by file op",
3074
+ "cwe": "CWE-367",
3075
+ "stride": "Tampering",
3076
+ "file": "incremental.js",
3077
+ "line": 50,
3078
+ "snippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
3079
+ "fix": {
3080
+ "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
3081
+ "code": ""
3082
+ },
3083
+ "blastRadius": {
3084
+ "scope": "all-users",
3085
+ "dataAtRisk": [
3086
+ "config"
3087
+ ],
3088
+ "userCount": 50,
3089
+ "industry": "generic",
3090
+ "jurisdictions": [],
3091
+ "controlsApplied": [],
3092
+ "dollarBest": 23250,
3093
+ "dollarLikely": 136250,
3094
+ "dollarWorst": 775000,
3095
+ "dollarLow": 23250,
3096
+ "dollarHigh": 775000,
3097
+ "components": {
3098
+ "incidentResponse": {
3099
+ "low": 8000,
3100
+ "likely": 50000,
3101
+ "high": 250000
3102
+ },
3103
+ "legal": {
3104
+ "low": 10000,
3105
+ "likely": 75000,
3106
+ "high": 500000
3107
+ },
3108
+ "crisisPR": {
3109
+ "low": 0,
3110
+ "likely": 0,
3111
+ "high": 0
3112
+ },
3113
+ "notification": {
3114
+ "low": 5000,
3115
+ "likely": 10000,
3116
+ "high": 15000
3117
+ },
3118
+ "creditMonitoring": {
3119
+ "low": 0,
3120
+ "likely": 0,
3121
+ "high": 0
3122
+ },
3123
+ "regulatoryFines": {
3124
+ "low": 0,
3125
+ "likely": 0,
3126
+ "high": 0
3127
+ },
3128
+ "directDamage": {
3129
+ "low": 250,
3130
+ "likely": 1250,
3131
+ "high": 10000
3132
+ },
3133
+ "classAction": {
3134
+ "low": 0,
3135
+ "likely": 0,
3136
+ "high": 0
3137
+ },
3138
+ "lostBusiness": {
3139
+ "low": 0,
3140
+ "likely": 0,
3141
+ "high": 0
3142
+ }
3143
+ },
3144
+ "dominantDriver": "legal counsel",
3145
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3146
+ "confidence": "low",
3147
+ "narrative": "TOCTOU: existsSync followed by file op on `incremental.js:50` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3148
+ }
3149
+ },
3150
+ {
3151
+ "id": "logic:incremental.js:68:TOCTOU:_existsSync_followed_by_file_op",
3152
+ "kind": "logic",
3153
+ "severity": "medium",
3154
+ "vuln": "TOCTOU: existsSync followed by file op",
3155
+ "cwe": "CWE-367",
3156
+ "stride": "Tampering",
3157
+ "file": "incremental.js",
3158
+ "line": 68,
3159
+ "snippet": "if (!fs.existsSync(fp)) return fallback;",
3160
+ "fix": {
3161
+ "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
3162
+ "code": ""
3163
+ },
3164
+ "blastRadius": {
3165
+ "scope": "all-users",
3166
+ "dataAtRisk": [
3167
+ "config"
3168
+ ],
3169
+ "userCount": 50,
3170
+ "industry": "generic",
3171
+ "jurisdictions": [],
3172
+ "controlsApplied": [],
3173
+ "dollarBest": 23250,
3174
+ "dollarLikely": 136250,
3175
+ "dollarWorst": 775000,
3176
+ "dollarLow": 23250,
3177
+ "dollarHigh": 775000,
3178
+ "components": {
3179
+ "incidentResponse": {
3180
+ "low": 8000,
3181
+ "likely": 50000,
3182
+ "high": 250000
3183
+ },
3184
+ "legal": {
3185
+ "low": 10000,
3186
+ "likely": 75000,
3187
+ "high": 500000
3188
+ },
3189
+ "crisisPR": {
3190
+ "low": 0,
3191
+ "likely": 0,
3192
+ "high": 0
3193
+ },
3194
+ "notification": {
3195
+ "low": 5000,
3196
+ "likely": 10000,
3197
+ "high": 15000
3198
+ },
3199
+ "creditMonitoring": {
3200
+ "low": 0,
3201
+ "likely": 0,
3202
+ "high": 0
3203
+ },
3204
+ "regulatoryFines": {
3205
+ "low": 0,
3206
+ "likely": 0,
3207
+ "high": 0
3208
+ },
3209
+ "directDamage": {
3210
+ "low": 250,
3211
+ "likely": 1250,
3212
+ "high": 10000
3213
+ },
3214
+ "classAction": {
3215
+ "low": 0,
3216
+ "likely": 0,
3217
+ "high": 0
3218
+ },
3219
+ "lostBusiness": {
3220
+ "low": 0,
3221
+ "likely": 0,
3222
+ "high": 0
3223
+ }
3224
+ },
3225
+ "dominantDriver": "legal counsel",
3226
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3227
+ "confidence": "low",
3228
+ "narrative": "TOCTOU: existsSync followed by file op on `incremental.js:68` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3229
+ }
3230
+ },
3231
+ {
3232
+ "id": "logic:incremental.js:223:TOCTOU:_existsSync_followed_by_file_op",
3233
+ "kind": "logic",
3234
+ "severity": "medium",
3235
+ "vuln": "TOCTOU: existsSync followed by file op",
3236
+ "cwe": "CWE-367",
3237
+ "stride": "Tampering",
3238
+ "file": "incremental.js",
3239
+ "line": 223,
3240
+ "snippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
3241
+ "fix": {
3242
+ "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
3243
+ "code": ""
3244
+ },
3245
+ "blastRadius": {
3246
+ "scope": "all-users",
3247
+ "dataAtRisk": [
3248
+ "config"
3249
+ ],
3250
+ "userCount": 50,
3251
+ "industry": "generic",
3252
+ "jurisdictions": [],
3253
+ "controlsApplied": [],
3254
+ "dollarBest": 23250,
3255
+ "dollarLikely": 136250,
3256
+ "dollarWorst": 775000,
3257
+ "dollarLow": 23250,
3258
+ "dollarHigh": 775000,
3259
+ "components": {
3260
+ "incidentResponse": {
3261
+ "low": 8000,
3262
+ "likely": 50000,
3263
+ "high": 250000
3264
+ },
3265
+ "legal": {
3266
+ "low": 10000,
3267
+ "likely": 75000,
3268
+ "high": 500000
3269
+ },
3270
+ "crisisPR": {
3271
+ "low": 0,
3272
+ "likely": 0,
3273
+ "high": 0
3274
+ },
3275
+ "notification": {
3276
+ "low": 5000,
3277
+ "likely": 10000,
3278
+ "high": 15000
3279
+ },
3280
+ "creditMonitoring": {
3281
+ "low": 0,
3282
+ "likely": 0,
3283
+ "high": 0
3284
+ },
3285
+ "regulatoryFines": {
3286
+ "low": 0,
3287
+ "likely": 0,
3288
+ "high": 0
3289
+ },
3290
+ "directDamage": {
3291
+ "low": 250,
3292
+ "likely": 1250,
3293
+ "high": 10000
3294
+ },
3295
+ "classAction": {
3296
+ "low": 0,
3297
+ "likely": 0,
3298
+ "high": 0
3299
+ },
3300
+ "lostBusiness": {
3301
+ "low": 0,
3302
+ "likely": 0,
3303
+ "high": 0
3304
+ }
3305
+ },
3306
+ "dominantDriver": "legal counsel",
3307
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3308
+ "confidence": "low",
3309
+ "narrative": "TOCTOU: existsSync followed by file op on `incremental.js:223` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3310
+ }
3311
+ }
3312
+ ],
3313
+ "bundles": [],
3314
+ "routes": [],
3315
+ "components": [],
3316
+ "suppressedCount": 12,
3317
+ "blastRadiusSignals": {
3318
+ "industry": "generic",
3319
+ "industryConfidence": "low",
3320
+ "jurisdictions": [],
3321
+ "controls": [],
3322
+ "estimatedUsers": 50,
3323
+ "revenueIndicator": "pre-revenue",
3324
+ "hasStripe": false,
3325
+ "hasAuth": false,
3326
+ "hasUserTable": false,
3327
+ "hasPII": false,
3328
+ "hasPHI": false,
3329
+ "hasS3": false
3330
+ },
3331
+ "_v3": {
3332
+ "counterfactual": {
3333
+ "spofControls": [],
3334
+ "controlsDetected": 195
3335
+ },
3336
+ "threatModel": {
3337
+ "summary": {
3338
+ "assetCount": 0,
3339
+ "boundaryCount": 2,
3340
+ "strideCounts": {
3341
+ "spoofing": 0,
3342
+ "tampering": 4,
3343
+ "repudiation": 0,
3344
+ "informationDisclosure": 0,
3345
+ "denialOfService": 9,
3346
+ "elevationOfPrivilege": 0
3347
+ }
3348
+ },
3349
+ "assets": [],
3350
+ "trustBoundaries": [
3351
+ {
3352
+ "type": "db-edge",
3353
+ "file": "catalog.js",
3354
+ "line": 52,
3355
+ "label": null
3356
+ },
3357
+ {
3358
+ "type": "db-edge",
3359
+ "file": "catalog.js",
3360
+ "line": 55,
3361
+ "label": null
3362
+ }
3363
+ ],
3364
+ "stride": {
3365
+ "spoofing": [],
3366
+ "tampering": [
3367
+ {
3368
+ "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
3369
+ "file": "catalog.js",
3370
+ "line": 431,
3371
+ "severity": "medium"
3372
+ },
3373
+ {
3374
+ "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
3375
+ "file": "exploit-prover.js",
3376
+ "line": 33,
3377
+ "severity": "medium"
3378
+ },
3379
+ {
3380
+ "vuln": "TOCTOU: file existence/permission check before open",
3381
+ "file": "incremental.js",
3382
+ "line": 50,
3383
+ "severity": "medium"
3384
+ },
3385
+ {
3386
+ "vuln": "TOCTOU: file existence/permission check before open",
3387
+ "file": "incremental.js",
3388
+ "line": 68,
3389
+ "severity": "medium"
3390
+ }
3391
+ ],
3392
+ "repudiation": [],
3393
+ "informationDisclosure": [],
3394
+ "denialOfService": [
3395
+ {
3396
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3397
+ "file": "incremental.js",
3398
+ "severity": "medium"
3399
+ },
3400
+ {
3401
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3402
+ "file": "incremental.js",
3403
+ "severity": "medium"
3404
+ },
3405
+ {
3406
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3407
+ "file": "incremental.js",
3408
+ "severity": "medium"
3409
+ },
3410
+ {
3411
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3412
+ "file": "incremental.js",
3413
+ "severity": "medium"
3414
+ },
3415
+ {
3416
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3417
+ "file": "incremental.js",
3418
+ "severity": "medium"
3419
+ },
3420
+ {
3421
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3422
+ "file": "incremental.js",
3423
+ "severity": "medium"
3424
+ },
3425
+ {
3426
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3427
+ "file": "incremental.js",
3428
+ "severity": "medium"
3429
+ },
3430
+ {
3431
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3432
+ "file": "incremental.js",
3433
+ "severity": "medium"
3434
+ },
3435
+ {
3436
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3437
+ "file": "incremental.js",
3438
+ "severity": "medium"
3439
+ }
3440
+ ],
3441
+ "elevationOfPrivilege": []
3442
+ }
3443
+ },
3444
+ "trustBoundaryDiagram": {
3445
+ "mermaid": "flowchart LR\n INTERNET((Internet))\n APP[\"Application\"]\n db_catalog_js_52[(\"db@catalog.js:52\")]\n db_catalog_js_55[(\"db@catalog.js:55\")]\n APP -->|db| db_catalog_js_52\n APP -->|db| db_catalog_js_55\n classDef sev_critical fill:#ffcccc,stroke:#a00,stroke-width:2px;\n classDef sev_high fill:#ffe0b2,stroke:#c60,stroke-width:2px;\n classDef sev_medium fill:#fff3cd,stroke:#a80;\n classDef sev_low fill:#e8eaf6,stroke:#557;",
3446
+ "nodes": [
3447
+ {
3448
+ "id": "INTERNET",
3449
+ "kind": "external",
3450
+ "label": "Internet"
3451
+ },
3452
+ {
3453
+ "id": "APP",
3454
+ "kind": "app",
3455
+ "label": "Application"
3456
+ },
3457
+ {
3458
+ "kind": "db",
3459
+ "id": "db_catalog_js_52",
3460
+ "label": "db@catalog.js:52"
3461
+ },
3462
+ {
3463
+ "kind": "db",
3464
+ "id": "db_catalog_js_55",
3465
+ "label": "db@catalog.js:55"
3466
+ }
3467
+ ],
3468
+ "edges": [
3469
+ {
3470
+ "from": "APP",
3471
+ "to": "db_catalog_js_52",
3472
+ "kind": "db"
3473
+ },
3474
+ {
3475
+ "from": "APP",
3476
+ "to": "db_catalog_js_55",
3477
+ "kind": "db"
3478
+ }
3479
+ ],
3480
+ "decorations": []
3481
+ },
3482
+ "calibrationDrift": {
3483
+ "alarms": [],
3484
+ "note": "no-feedback-data"
3485
+ }
3486
+ }
3487
+ }