@clear-capabilities/agentic-security-scanner 0.74.1 → 0.76.1

@@ -0,0 +1,1096 @@
1
+ {
2
+ "scanId": "a0503a11-81c7-4743-a7a7-d72879ba1db3",
3
+ "startedAt": "2026-05-21T18:12:54.614Z",
4
+ "durationMs": 117,
5
+ "scanned": {
6
+ "files": 4,
7
+ "lines": 0
8
+ },
9
+ "findings": [
10
+ {
11
+ "id": "struct:dep-confusion.js:56:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
12
+ "kind": "sast",
13
+ "severity": "medium",
14
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
15
+ "cwe": "CWE-400",
16
+ "owaspLlm": null,
17
+ "stride": "Denial of Service",
18
+ "file": "dep-confusion.js",
19
+ "line": 56,
20
+ "snippet": "if (!fs.existsSync(p)) continue;",
21
+ "fix": null,
22
+ "reachable": false,
23
+ "triage": 22,
24
+ "dataClasses": [],
25
+ "chain": null,
26
+ "confidence": 0.212,
27
+ "toxicity": 28,
28
+ "toxicityFactors": [
29
+ "http-facing"
30
+ ],
31
+ "toxicityLabel": "Medium",
32
+ "sources": null,
33
+ "epssScore": null,
34
+ "epssPercentile": null,
35
+ "epssCve": null,
36
+ "exploitedNow": false,
37
+ "tags": null,
38
+ "blastRadius": {
39
+ "scope": "all-users",
40
+ "dataAtRisk": [
41
+ "config"
42
+ ],
43
+ "userCount": 50,
44
+ "industry": "generic",
45
+ "jurisdictions": [],
46
+ "controlsApplied": [],
47
+ "dollarBest": 23250,
48
+ "dollarLikely": 136250,
49
+ "dollarWorst": 775000,
50
+ "dollarLow": 23250,
51
+ "dollarHigh": 775000,
52
+ "components": {
53
+ "incidentResponse": {
54
+ "low": 8000,
55
+ "likely": 50000,
56
+ "high": 250000
57
+ },
58
+ "legal": {
59
+ "low": 10000,
60
+ "likely": 75000,
61
+ "high": 500000
62
+ },
63
+ "crisisPR": {
64
+ "low": 0,
65
+ "likely": 0,
66
+ "high": 0
67
+ },
68
+ "notification": {
69
+ "low": 5000,
70
+ "likely": 10000,
71
+ "high": 15000
72
+ },
73
+ "creditMonitoring": {
74
+ "low": 0,
75
+ "likely": 0,
76
+ "high": 0
77
+ },
78
+ "regulatoryFines": {
79
+ "low": 0,
80
+ "likely": 0,
81
+ "high": 0
82
+ },
83
+ "directDamage": {
84
+ "low": 250,
85
+ "likely": 1250,
86
+ "high": 10000
87
+ },
88
+ "classAction": {
89
+ "low": 0,
90
+ "likely": 0,
91
+ "high": 0
92
+ },
93
+ "lostBusiness": {
94
+ "low": 0,
95
+ "likely": 0,
96
+ "high": 0
97
+ }
98
+ },
99
+ "dominantDriver": "legal counsel",
100
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
101
+ "confidence": "low",
102
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `dep-confusion.js:56` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
103
+ },
104
+ "stableId": "bfbb208a409e9dd2",
105
+ "confidenceTier": "very-low",
106
+ "exploitability": 0.2,
107
+ "exploitabilityTier": "low",
108
+ "exploitabilityFactors": [
109
+ "sev:medium",
110
+ "unreachable"
111
+ ],
112
+ "clusterSize": null,
113
+ "unreachable": false,
114
+ "validator_verdict": "unvalidated",
115
+ "llm_confidence": null,
116
+ "unvalidated": true,
117
+ "cross_language": false,
118
+ "family": "dos-sync-io",
119
+ "parser": "STRUCTURAL",
120
+ "_unsigned": false,
121
+ "_passThroughSigning": false,
122
+ "signatureStatus": "verified",
123
+ "regression_test": null,
124
+ "poc": null,
125
+ "calibrated_confidence": null,
126
+ "calibrated_confidence_ci": null,
127
+ "calibrated_n": 0,
128
+ "calibration_reason": "no-history",
129
+ "verifier_verdict": "cannot-verify",
130
+ "verifier_reason": "no-poc-no-sanitizer-rule",
131
+ "verifier_runner": null,
132
+ "narration": null,
133
+ "mitigationVerdict": "unreachable-in-prod",
134
+ "mitigationsApplied": [],
135
+ "mitigatedByWaf": false,
136
+ "wafRuleId": null,
137
+ "mitigatedByAuth": false,
138
+ "authMechanism": null,
139
+ "mitigatedByNetwork": false,
140
+ "networkExposure": null,
141
+ "featureFlag": null,
142
+ "featureFlagState": null,
143
+ "featureFlagRollout": null,
144
+ "exposedInProd": false,
145
+ "unreachableInProd": true,
146
+ "coldPath": false,
147
+ "hotPath": false,
148
+ "prodRequestCount": null,
149
+ "crownJewelScore": 0,
150
+ "crownJewelTier": "unknown",
151
+ "crownJewelFactors": [],
152
+ "cloneClusterId": "eed315f4ee037434",
153
+ "cloneClusterSize": 2,
154
+ "provenance": "human-likely",
155
+ "provenanceScore": 0,
156
+ "typeNarrowed": null,
157
+ "strideCategory": "denialOfService",
158
+ "personaScores": {
159
+ "script-kiddie": {
160
+ "score": 0.4,
161
+ "tier": "medium",
162
+ "factors": [
163
+ "sev:medium"
164
+ ]
165
+ },
166
+ "opportunistic-criminal": {
167
+ "score": 0.4,
168
+ "tier": "medium",
169
+ "factors": [
170
+ "sev:medium"
171
+ ]
172
+ },
173
+ "apt-nation-state": {
174
+ "score": 0.4,
175
+ "tier": "medium",
176
+ "factors": [
177
+ "sev:medium"
178
+ ]
179
+ },
180
+ "supply-chain-attacker": {
181
+ "score": 0.4,
182
+ "tier": "medium",
183
+ "factors": [
184
+ "sev:medium"
185
+ ]
186
+ },
187
+ "malicious-insider": {
188
+ "score": 0.4,
189
+ "tier": "medium",
190
+ "factors": [
191
+ "sev:medium"
192
+ ]
193
+ }
194
+ },
195
+ "personaTopTwo": [
196
+ "script-kiddie",
197
+ "opportunistic-criminal"
198
+ ],
199
+ "personaMaxName": "script-kiddie",
200
+ "personaMaxScore": 0.4,
201
+ "reverseExposure": null,
202
+ "specMined": null,
203
+ "whyFired": {
204
+ "detector": "sast/dos-sync-io",
205
+ "ruleId": "CWE-400",
206
+ "parser": "STRUCTURAL",
207
+ "evidence": {
208
+ "sinkSnippet": "if (!fs.existsSync(p)) continue;",
209
+ "sourceSnippet": "if (!fs.existsSync(p)) continue;",
210
+ "pathSteps": [],
211
+ "sanitizers": [],
212
+ "guards": []
213
+ },
214
+ "considered": {
215
+ "suppressionsApplied": [],
216
+ "suppressionsSkipped": [],
217
+ "reachabilityFilter": "unaffected",
218
+ "clusterCollapsed": false,
219
+ "typeNarrowed": false,
220
+ "crownJewelTier": "unknown",
221
+ "mitigationVerdict": "unreachable-in-prod"
222
+ },
223
+ "scanner": {
224
+ "rulesetVersion": null,
225
+ "packHash": null,
226
+ "modelId": null
227
+ }
228
+ },
229
+ "adversaryTranscript": null,
230
+ "predictedBountyUsd": {
231
+ "low": 10,
232
+ "likely": 40,
233
+ "high": 120,
234
+ "program": "web2"
235
+ },
236
+ "bountyConfidence": "high",
237
+ "attackPlaybook": null
238
+ },
239
+ {
240
+ "id": "struct:dep-confusion.js:58:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
241
+ "kind": "sast",
242
+ "severity": "medium",
243
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
244
+ "cwe": "CWE-400",
245
+ "owaspLlm": null,
246
+ "stride": "Denial of Service",
247
+ "file": "dep-confusion.js",
248
+ "line": 58,
249
+ "snippet": "const doc = yaml.load(fs.readFileSync(p, 'utf8'));",
250
+ "fix": null,
251
+ "reachable": false,
252
+ "triage": 22,
253
+ "dataClasses": [],
254
+ "chain": null,
255
+ "confidence": 0.212,
256
+ "toxicity": 28,
257
+ "toxicityFactors": [
258
+ "http-facing"
259
+ ],
260
+ "toxicityLabel": "Medium",
261
+ "sources": null,
262
+ "epssScore": null,
263
+ "epssPercentile": null,
264
+ "epssCve": null,
265
+ "exploitedNow": false,
266
+ "tags": null,
267
+ "blastRadius": {
268
+ "scope": "all-users",
269
+ "dataAtRisk": [
270
+ "config"
271
+ ],
272
+ "userCount": 50,
273
+ "industry": "generic",
274
+ "jurisdictions": [],
275
+ "controlsApplied": [],
276
+ "dollarBest": 23250,
277
+ "dollarLikely": 136250,
278
+ "dollarWorst": 775000,
279
+ "dollarLow": 23250,
280
+ "dollarHigh": 775000,
281
+ "components": {
282
+ "incidentResponse": {
283
+ "low": 8000,
284
+ "likely": 50000,
285
+ "high": 250000
286
+ },
287
+ "legal": {
288
+ "low": 10000,
289
+ "likely": 75000,
290
+ "high": 500000
291
+ },
292
+ "crisisPR": {
293
+ "low": 0,
294
+ "likely": 0,
295
+ "high": 0
296
+ },
297
+ "notification": {
298
+ "low": 5000,
299
+ "likely": 10000,
300
+ "high": 15000
301
+ },
302
+ "creditMonitoring": {
303
+ "low": 0,
304
+ "likely": 0,
305
+ "high": 0
306
+ },
307
+ "regulatoryFines": {
308
+ "low": 0,
309
+ "likely": 0,
310
+ "high": 0
311
+ },
312
+ "directDamage": {
313
+ "low": 250,
314
+ "likely": 1250,
315
+ "high": 10000
316
+ },
317
+ "classAction": {
318
+ "low": 0,
319
+ "likely": 0,
320
+ "high": 0
321
+ },
322
+ "lostBusiness": {
323
+ "low": 0,
324
+ "likely": 0,
325
+ "high": 0
326
+ }
327
+ },
328
+ "dominantDriver": "legal counsel",
329
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
330
+ "confidence": "low",
331
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `dep-confusion.js:58` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
332
+ },
333
+ "stableId": "85a3f4d03fefd43d",
334
+ "confidenceTier": "very-low",
335
+ "exploitability": 0.2,
336
+ "exploitabilityTier": "low",
337
+ "exploitabilityFactors": [
338
+ "sev:medium",
339
+ "unreachable"
340
+ ],
341
+ "clusterSize": null,
342
+ "unreachable": false,
343
+ "validator_verdict": "unvalidated",
344
+ "llm_confidence": null,
345
+ "unvalidated": true,
346
+ "cross_language": false,
347
+ "family": "dos-sync-io",
348
+ "parser": "STRUCTURAL",
349
+ "_unsigned": false,
350
+ "_passThroughSigning": false,
351
+ "signatureStatus": "verified",
352
+ "regression_test": null,
353
+ "poc": null,
354
+ "calibrated_confidence": null,
355
+ "calibrated_confidence_ci": null,
356
+ "calibrated_n": 0,
357
+ "calibration_reason": "no-history",
358
+ "verifier_verdict": "cannot-verify",
359
+ "verifier_reason": "no-poc-no-sanitizer-rule",
360
+ "verifier_runner": null,
361
+ "narration": null,
362
+ "mitigationVerdict": "unreachable-in-prod",
363
+ "mitigationsApplied": [],
364
+ "mitigatedByWaf": false,
365
+ "wafRuleId": null,
366
+ "mitigatedByAuth": false,
367
+ "authMechanism": null,
368
+ "mitigatedByNetwork": false,
369
+ "networkExposure": null,
370
+ "featureFlag": null,
371
+ "featureFlagState": null,
372
+ "featureFlagRollout": null,
373
+ "exposedInProd": false,
374
+ "unreachableInProd": true,
375
+ "coldPath": false,
376
+ "hotPath": false,
377
+ "prodRequestCount": null,
378
+ "crownJewelScore": 0,
379
+ "crownJewelTier": "unknown",
380
+ "crownJewelFactors": [],
381
+ "cloneClusterId": "8b60c3f57d48c622",
382
+ "cloneClusterSize": 1,
383
+ "provenance": "human-likely",
384
+ "provenanceScore": 0,
385
+ "typeNarrowed": null,
386
+ "strideCategory": "denialOfService",
387
+ "personaScores": {
388
+ "script-kiddie": {
389
+ "score": 0.4,
390
+ "tier": "medium",
391
+ "factors": [
392
+ "sev:medium"
393
+ ]
394
+ },
395
+ "opportunistic-criminal": {
396
+ "score": 0.4,
397
+ "tier": "medium",
398
+ "factors": [
399
+ "sev:medium"
400
+ ]
401
+ },
402
+ "apt-nation-state": {
403
+ "score": 0.4,
404
+ "tier": "medium",
405
+ "factors": [
406
+ "sev:medium"
407
+ ]
408
+ },
409
+ "supply-chain-attacker": {
410
+ "score": 0.4,
411
+ "tier": "medium",
412
+ "factors": [
413
+ "sev:medium"
414
+ ]
415
+ },
416
+ "malicious-insider": {
417
+ "score": 0.4,
418
+ "tier": "medium",
419
+ "factors": [
420
+ "sev:medium"
421
+ ]
422
+ }
423
+ },
424
+ "personaTopTwo": [
425
+ "script-kiddie",
426
+ "opportunistic-criminal"
427
+ ],
428
+ "personaMaxName": "script-kiddie",
429
+ "personaMaxScore": 0.4,
430
+ "reverseExposure": null,
431
+ "specMined": null,
432
+ "whyFired": {
433
+ "detector": "sast/dos-sync-io",
434
+ "ruleId": "CWE-400",
435
+ "parser": "STRUCTURAL",
436
+ "evidence": {
437
+ "sinkSnippet": "const doc = yaml.load(fs.readFileSync(p, 'utf8'));",
438
+ "sourceSnippet": "const doc = yaml.load(fs.readFileSync(p, 'utf8'));",
439
+ "pathSteps": [],
440
+ "sanitizers": [],
441
+ "guards": []
442
+ },
443
+ "considered": {
444
+ "suppressionsApplied": [],
445
+ "suppressionsSkipped": [],
446
+ "reachabilityFilter": "unaffected",
447
+ "clusterCollapsed": false,
448
+ "typeNarrowed": false,
449
+ "crownJewelTier": "unknown",
450
+ "mitigationVerdict": "unreachable-in-prod"
451
+ },
452
+ "scanner": {
453
+ "rulesetVersion": null,
454
+ "packHash": null,
455
+ "modelId": null
456
+ }
457
+ },
458
+ "adversaryTranscript": null,
459
+ "predictedBountyUsd": {
460
+ "low": 10,
461
+ "likely": 40,
462
+ "high": 120,
463
+ "program": "web2"
464
+ },
465
+ "bountyConfidence": "high",
466
+ "attackPlaybook": null
467
+ },
468
+ {
469
+ "id": "struct:sarif-ingest.js:112:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
470
+ "kind": "sast",
471
+ "severity": "medium",
472
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
473
+ "cwe": "CWE-400",
474
+ "owaspLlm": null,
475
+ "stride": "Denial of Service",
476
+ "file": "sarif-ingest.js",
477
+ "line": 112,
478
+ "snippet": "try { raw = fs.readFileSync(filePath, 'utf8'); }",
479
+ "fix": null,
480
+ "reachable": false,
481
+ "triage": 22,
482
+ "dataClasses": [],
483
+ "chain": null,
484
+ "confidence": 0.212,
485
+ "toxicity": 28,
486
+ "toxicityFactors": [
487
+ "http-facing"
488
+ ],
489
+ "toxicityLabel": "Medium",
490
+ "sources": null,
491
+ "epssScore": null,
492
+ "epssPercentile": null,
493
+ "epssCve": null,
494
+ "exploitedNow": false,
495
+ "tags": null,
496
+ "blastRadius": {
497
+ "scope": "all-users",
498
+ "dataAtRisk": [
499
+ "config"
500
+ ],
501
+ "userCount": 50,
502
+ "industry": "generic",
503
+ "jurisdictions": [],
504
+ "controlsApplied": [],
505
+ "dollarBest": 23250,
506
+ "dollarLikely": 136250,
507
+ "dollarWorst": 775000,
508
+ "dollarLow": 23250,
509
+ "dollarHigh": 775000,
510
+ "components": {
511
+ "incidentResponse": {
512
+ "low": 8000,
513
+ "likely": 50000,
514
+ "high": 250000
515
+ },
516
+ "legal": {
517
+ "low": 10000,
518
+ "likely": 75000,
519
+ "high": 500000
520
+ },
521
+ "crisisPR": {
522
+ "low": 0,
523
+ "likely": 0,
524
+ "high": 0
525
+ },
526
+ "notification": {
527
+ "low": 5000,
528
+ "likely": 10000,
529
+ "high": 15000
530
+ },
531
+ "creditMonitoring": {
532
+ "low": 0,
533
+ "likely": 0,
534
+ "high": 0
535
+ },
536
+ "regulatoryFines": {
537
+ "low": 0,
538
+ "likely": 0,
539
+ "high": 0
540
+ },
541
+ "directDamage": {
542
+ "low": 250,
543
+ "likely": 1250,
544
+ "high": 10000
545
+ },
546
+ "classAction": {
547
+ "low": 0,
548
+ "likely": 0,
549
+ "high": 0
550
+ },
551
+ "lostBusiness": {
552
+ "low": 0,
553
+ "likely": 0,
554
+ "high": 0
555
+ }
556
+ },
557
+ "dominantDriver": "legal counsel",
558
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
559
+ "confidence": "low",
560
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `sarif-ingest.js:112` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
561
+ },
562
+ "stableId": "67c20060ced40339",
563
+ "confidenceTier": "very-low",
564
+ "exploitability": 0.2,
565
+ "exploitabilityTier": "low",
566
+ "exploitabilityFactors": [
567
+ "sev:medium",
568
+ "unreachable"
569
+ ],
570
+ "clusterSize": null,
571
+ "unreachable": false,
572
+ "validator_verdict": "unvalidated",
573
+ "llm_confidence": null,
574
+ "unvalidated": true,
575
+ "cross_language": false,
576
+ "family": "dos-sync-io",
577
+ "parser": "STRUCTURAL",
578
+ "_unsigned": false,
579
+ "_passThroughSigning": false,
580
+ "signatureStatus": "verified",
581
+ "regression_test": null,
582
+ "poc": null,
583
+ "calibrated_confidence": null,
584
+ "calibrated_confidence_ci": null,
585
+ "calibrated_n": 0,
586
+ "calibration_reason": "no-history",
587
+ "verifier_verdict": "cannot-verify",
588
+ "verifier_reason": "no-poc-no-sanitizer-rule",
589
+ "verifier_runner": null,
590
+ "narration": null,
591
+ "mitigationVerdict": "unreachable-in-prod",
592
+ "mitigationsApplied": [],
593
+ "mitigatedByWaf": false,
594
+ "wafRuleId": null,
595
+ "mitigatedByAuth": false,
596
+ "authMechanism": null,
597
+ "mitigatedByNetwork": false,
598
+ "networkExposure": null,
599
+ "featureFlag": null,
600
+ "featureFlagState": null,
601
+ "featureFlagRollout": null,
602
+ "exposedInProd": false,
603
+ "unreachableInProd": true,
604
+ "coldPath": false,
605
+ "hotPath": false,
606
+ "prodRequestCount": null,
607
+ "crownJewelScore": 0,
608
+ "crownJewelTier": "unknown",
609
+ "crownJewelFactors": [],
610
+ "cloneClusterId": "c5704ff81dc82f80",
611
+ "cloneClusterSize": 1,
612
+ "provenance": "human-likely",
613
+ "provenanceScore": 0.04,
614
+ "typeNarrowed": null,
615
+ "strideCategory": "denialOfService",
616
+ "personaScores": {
617
+ "script-kiddie": {
618
+ "score": 0.4,
619
+ "tier": "medium",
620
+ "factors": [
621
+ "sev:medium"
622
+ ]
623
+ },
624
+ "opportunistic-criminal": {
625
+ "score": 0.4,
626
+ "tier": "medium",
627
+ "factors": [
628
+ "sev:medium"
629
+ ]
630
+ },
631
+ "apt-nation-state": {
632
+ "score": 0.4,
633
+ "tier": "medium",
634
+ "factors": [
635
+ "sev:medium"
636
+ ]
637
+ },
638
+ "supply-chain-attacker": {
639
+ "score": 0.4,
640
+ "tier": "medium",
641
+ "factors": [
642
+ "sev:medium"
643
+ ]
644
+ },
645
+ "malicious-insider": {
646
+ "score": 0.4,
647
+ "tier": "medium",
648
+ "factors": [
649
+ "sev:medium"
650
+ ]
651
+ }
652
+ },
653
+ "personaTopTwo": [
654
+ "script-kiddie",
655
+ "opportunistic-criminal"
656
+ ],
657
+ "personaMaxName": "script-kiddie",
658
+ "personaMaxScore": 0.4,
659
+ "reverseExposure": null,
660
+ "specMined": null,
661
+ "whyFired": {
662
+ "detector": "sast/dos-sync-io",
663
+ "ruleId": "CWE-400",
664
+ "parser": "STRUCTURAL",
665
+ "evidence": {
666
+ "sinkSnippet": "try { raw = fs.readFileSync(filePath, 'utf8'); }",
667
+ "sourceSnippet": "try { raw = fs.readFileSync(filePath, 'utf8'); }",
668
+ "pathSteps": [],
669
+ "sanitizers": [],
670
+ "guards": []
671
+ },
672
+ "considered": {
673
+ "suppressionsApplied": [],
674
+ "suppressionsSkipped": [],
675
+ "reachabilityFilter": "unaffected",
676
+ "clusterCollapsed": false,
677
+ "typeNarrowed": false,
678
+ "crownJewelTier": "unknown",
679
+ "mitigationVerdict": "unreachable-in-prod"
680
+ },
681
+ "scanner": {
682
+ "rulesetVersion": null,
683
+ "packHash": null,
684
+ "modelId": null
685
+ }
686
+ },
687
+ "adversaryTranscript": null,
688
+ "predictedBountyUsd": {
689
+ "low": 10,
690
+ "likely": 40,
691
+ "high": 120,
692
+ "program": "web2"
693
+ },
694
+ "bountyConfidence": "high",
695
+ "attackPlaybook": null
696
+ },
697
+ {
698
+ "id": "toctou-fs:dep-confusion.js:56",
699
+ "kind": "sast",
700
+ "severity": "medium",
701
+ "vuln": "TOCTOU: file existence/permission check before open",
702
+ "cwe": "CWE-367",
703
+ "owaspLlm": null,
704
+ "stride": "Tampering",
705
+ "file": "dep-confusion.js",
706
+ "line": 56,
707
+ "snippet": "if (!fs.existsSync(p)) continue;",
708
+ "fix": null,
709
+ "reachable": false,
710
+ "triage": 22,
711
+ "dataClasses": [],
712
+ "chain": null,
713
+ "confidence": 0.7,
714
+ "toxicity": 8,
715
+ "toxicityFactors": [],
716
+ "toxicityLabel": "Low",
717
+ "sources": null,
718
+ "epssScore": null,
719
+ "epssPercentile": null,
720
+ "epssCve": null,
721
+ "exploitedNow": false,
722
+ "tags": null,
723
+ "blastRadius": {
724
+ "scope": "all-users",
725
+ "dataAtRisk": [
726
+ "config"
727
+ ],
728
+ "userCount": 50,
729
+ "industry": "generic",
730
+ "jurisdictions": [],
731
+ "controlsApplied": [],
732
+ "dollarBest": 23250,
733
+ "dollarLikely": 136250,
734
+ "dollarWorst": 775000,
735
+ "dollarLow": 23250,
736
+ "dollarHigh": 775000,
737
+ "components": {
738
+ "incidentResponse": {
739
+ "low": 8000,
740
+ "likely": 50000,
741
+ "high": 250000
742
+ },
743
+ "legal": {
744
+ "low": 10000,
745
+ "likely": 75000,
746
+ "high": 500000
747
+ },
748
+ "crisisPR": {
749
+ "low": 0,
750
+ "likely": 0,
751
+ "high": 0
752
+ },
753
+ "notification": {
754
+ "low": 5000,
755
+ "likely": 10000,
756
+ "high": 15000
757
+ },
758
+ "creditMonitoring": {
759
+ "low": 0,
760
+ "likely": 0,
761
+ "high": 0
762
+ },
763
+ "regulatoryFines": {
764
+ "low": 0,
765
+ "likely": 0,
766
+ "high": 0
767
+ },
768
+ "directDamage": {
769
+ "low": 250,
770
+ "likely": 1250,
771
+ "high": 10000
772
+ },
773
+ "classAction": {
774
+ "low": 0,
775
+ "likely": 0,
776
+ "high": 0
777
+ },
778
+ "lostBusiness": {
779
+ "low": 0,
780
+ "likely": 0,
781
+ "high": 0
782
+ }
783
+ },
784
+ "dominantDriver": "legal counsel",
785
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
786
+ "confidence": "low",
787
+ "narrative": "TOCTOU: file existence/permission check before open on `dep-confusion.js:56` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
788
+ },
789
+ "stableId": "3beec8624848d7de",
790
+ "confidenceTier": "medium",
791
+ "exploitability": 0.2,
792
+ "exploitabilityTier": "low",
793
+ "exploitabilityFactors": [
794
+ "sev:medium",
795
+ "unreachable"
796
+ ],
797
+ "clusterSize": null,
798
+ "unreachable": false,
799
+ "validator_verdict": "unvalidated",
800
+ "llm_confidence": null,
801
+ "unvalidated": true,
802
+ "cross_language": false,
803
+ "family": "toctou-file-existence-permission-check-b",
804
+ "parser": "TOCTOU",
805
+ "_unsigned": false,
806
+ "_passThroughSigning": false,
807
+ "signatureStatus": "verified",
808
+ "regression_test": null,
809
+ "poc": null,
810
+ "calibrated_confidence": null,
811
+ "calibrated_confidence_ci": null,
812
+ "calibrated_n": 0,
813
+ "calibration_reason": "no-history",
814
+ "verifier_verdict": "cannot-verify",
815
+ "verifier_reason": "no-poc-no-sanitizer-rule",
816
+ "verifier_runner": null,
817
+ "narration": null,
818
+ "mitigationVerdict": "unreachable-in-prod",
819
+ "mitigationsApplied": [],
820
+ "mitigatedByWaf": false,
821
+ "wafRuleId": null,
822
+ "mitigatedByAuth": false,
823
+ "authMechanism": null,
824
+ "mitigatedByNetwork": false,
825
+ "networkExposure": null,
826
+ "featureFlag": null,
827
+ "featureFlagState": null,
828
+ "featureFlagRollout": null,
829
+ "exposedInProd": false,
830
+ "unreachableInProd": true,
831
+ "coldPath": false,
832
+ "hotPath": false,
833
+ "prodRequestCount": null,
834
+ "crownJewelScore": 0,
835
+ "crownJewelTier": "unknown",
836
+ "crownJewelFactors": [],
837
+ "cloneClusterId": "eed315f4ee037434",
838
+ "cloneClusterSize": 2,
839
+ "provenance": "human-likely",
840
+ "provenanceScore": 0,
841
+ "typeNarrowed": null,
842
+ "strideCategory": "tampering",
843
+ "personaScores": {
844
+ "script-kiddie": {
845
+ "score": 0.4,
846
+ "tier": "medium",
847
+ "factors": [
848
+ "sev:medium"
849
+ ]
850
+ },
851
+ "opportunistic-criminal": {
852
+ "score": 0.4,
853
+ "tier": "medium",
854
+ "factors": [
855
+ "sev:medium"
856
+ ]
857
+ },
858
+ "apt-nation-state": {
859
+ "score": 0.4,
860
+ "tier": "medium",
861
+ "factors": [
862
+ "sev:medium"
863
+ ]
864
+ },
865
+ "supply-chain-attacker": {
866
+ "score": 0.4,
867
+ "tier": "medium",
868
+ "factors": [
869
+ "sev:medium"
870
+ ]
871
+ },
872
+ "malicious-insider": {
873
+ "score": 0.4,
874
+ "tier": "medium",
875
+ "factors": [
876
+ "sev:medium"
877
+ ]
878
+ }
879
+ },
880
+ "personaTopTwo": [
881
+ "script-kiddie",
882
+ "opportunistic-criminal"
883
+ ],
884
+ "personaMaxName": "script-kiddie",
885
+ "personaMaxScore": 0.4,
886
+ "reverseExposure": null,
887
+ "specMined": null,
888
+ "whyFired": {
889
+ "detector": "sast/toctou-file-existence-permission-check-b",
890
+ "ruleId": "CWE-367",
891
+ "parser": "TOCTOU",
892
+ "evidence": {
893
+ "sinkSnippet": "if (!fs.existsSync(p)) continue;",
894
+ "sourceSnippet": null,
895
+ "pathSteps": [],
896
+ "sanitizers": [],
897
+ "guards": []
898
+ },
899
+ "considered": {
900
+ "suppressionsApplied": [],
901
+ "suppressionsSkipped": [],
902
+ "reachabilityFilter": "unaffected",
903
+ "clusterCollapsed": false,
904
+ "typeNarrowed": false,
905
+ "crownJewelTier": "unknown",
906
+ "mitigationVerdict": "unreachable-in-prod"
907
+ },
908
+ "scanner": {
909
+ "rulesetVersion": null,
910
+ "packHash": null,
911
+ "modelId": null
912
+ }
913
+ },
914
+ "adversaryTranscript": null,
915
+ "predictedBountyUsd": null,
916
+ "bountyConfidence": null,
917
+ "attackPlaybook": null
918
+ },
919
+ {
920
+ "id": "logic:dep-confusion.js:56:TOCTOU:_existsSync_followed_by_file_op",
921
+ "kind": "logic",
922
+ "severity": "medium",
923
+ "vuln": "TOCTOU: existsSync followed by file op",
924
+ "cwe": "CWE-367",
925
+ "stride": "Tampering",
926
+ "file": "dep-confusion.js",
927
+ "line": 56,
928
+ "snippet": "if (!fs.existsSync(p)) continue;",
929
+ "fix": {
930
+ "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
931
+ "code": ""
932
+ },
933
+ "blastRadius": {
934
+ "scope": "all-users",
935
+ "dataAtRisk": [
936
+ "config"
937
+ ],
938
+ "userCount": 50,
939
+ "industry": "generic",
940
+ "jurisdictions": [],
941
+ "controlsApplied": [],
942
+ "dollarBest": 23250,
943
+ "dollarLikely": 136250,
944
+ "dollarWorst": 775000,
945
+ "dollarLow": 23250,
946
+ "dollarHigh": 775000,
947
+ "components": {
948
+ "incidentResponse": {
949
+ "low": 8000,
950
+ "likely": 50000,
951
+ "high": 250000
952
+ },
953
+ "legal": {
954
+ "low": 10000,
955
+ "likely": 75000,
956
+ "high": 500000
957
+ },
958
+ "crisisPR": {
959
+ "low": 0,
960
+ "likely": 0,
961
+ "high": 0
962
+ },
963
+ "notification": {
964
+ "low": 5000,
965
+ "likely": 10000,
966
+ "high": 15000
967
+ },
968
+ "creditMonitoring": {
969
+ "low": 0,
970
+ "likely": 0,
971
+ "high": 0
972
+ },
973
+ "regulatoryFines": {
974
+ "low": 0,
975
+ "likely": 0,
976
+ "high": 0
977
+ },
978
+ "directDamage": {
979
+ "low": 250,
980
+ "likely": 1250,
981
+ "high": 10000
982
+ },
983
+ "classAction": {
984
+ "low": 0,
985
+ "likely": 0,
986
+ "high": 0
987
+ },
988
+ "lostBusiness": {
989
+ "low": 0,
990
+ "likely": 0,
991
+ "high": 0
992
+ }
993
+ },
994
+ "dominantDriver": "legal counsel",
995
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
996
+ "confidence": "low",
997
+ "narrative": "TOCTOU: existsSync followed by file op on `dep-confusion.js:56` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
998
+ },
999
+ "parser": "LOGIC",
1000
+ "family": null
1001
+ }
1002
+ ],
1003
+ "bundles": [],
1004
+ "routes": [],
1005
+ "components": [],
1006
+ "suppressedCount": 0,
1007
+ "blastRadiusSignals": {
1008
+ "industry": "generic",
1009
+ "industryConfidence": "low",
1010
+ "jurisdictions": [],
1011
+ "controls": [],
1012
+ "estimatedUsers": 50,
1013
+ "revenueIndicator": "pre-revenue",
1014
+ "hasStripe": false,
1015
+ "hasAuth": false,
1016
+ "hasUserTable": false,
1017
+ "hasPII": false,
1018
+ "hasPHI": false,
1019
+ "hasS3": false
1020
+ },
1021
+ "_v3": {
1022
+ "counterfactual": {
1023
+ "spofControls": [],
1024
+ "controlsDetected": 85
1025
+ },
1026
+ "threatModel": {
1027
+ "summary": {
1028
+ "assetCount": 0,
1029
+ "boundaryCount": 0,
1030
+ "strideCounts": {
1031
+ "spoofing": 0,
1032
+ "tampering": 1,
1033
+ "repudiation": 0,
1034
+ "informationDisclosure": 0,
1035
+ "denialOfService": 3,
1036
+ "elevationOfPrivilege": 0
1037
+ }
1038
+ },
1039
+ "assets": [],
1040
+ "trustBoundaries": [],
1041
+ "stride": {
1042
+ "spoofing": [],
1043
+ "tampering": [
1044
+ {
1045
+ "vuln": "TOCTOU: file existence/permission check before open",
1046
+ "file": "dep-confusion.js",
1047
+ "line": 56,
1048
+ "severity": "medium"
1049
+ }
1050
+ ],
1051
+ "repudiation": [],
1052
+ "informationDisclosure": [],
1053
+ "denialOfService": [
1054
+ {
1055
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1056
+ "file": "dep-confusion.js",
1057
+ "severity": "medium"
1058
+ },
1059
+ {
1060
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1061
+ "file": "dep-confusion.js",
1062
+ "severity": "medium"
1063
+ },
1064
+ {
1065
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1066
+ "file": "sarif-ingest.js",
1067
+ "severity": "medium"
1068
+ }
1069
+ ],
1070
+ "elevationOfPrivilege": []
1071
+ }
1072
+ },
1073
+ "trustBoundaryDiagram": {
1074
+ "mermaid": "flowchart LR\n INTERNET((Internet))\n APP[\"Application\"]\n classDef sev_critical fill:#ffcccc,stroke:#a00,stroke-width:2px;\n classDef sev_high fill:#ffe0b2,stroke:#c60,stroke-width:2px;\n classDef sev_medium fill:#fff3cd,stroke:#a80;\n classDef sev_low fill:#e8eaf6,stroke:#557;",
1075
+ "nodes": [
1076
+ {
1077
+ "id": "INTERNET",
1078
+ "kind": "external",
1079
+ "label": "Internet"
1080
+ },
1081
+ {
1082
+ "id": "APP",
1083
+ "kind": "app",
1084
+ "label": "Application"
1085
+ }
1086
+ ],
1087
+ "edges": [],
1088
+ "decorations": []
1089
+ },
1090
+ "calibrationDrift": {
1091
+ "alarms": [],
1092
+ "note": "no-feedback-data"
1093
+ }
1094
+ },
1095
+ "annotatorErrors": []
1096
+ }
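Review bot: The reachability fields inside each finding contradict one another: every finding carries `"reachable": false`, `"unreachableInProd": true` and `"unreachable"` in `exploitabilityFactors`, yet also `"unreachable": false`, so a consumer of this report cannot tell which flag the exploitability and mitigation scoring actually consumed. If `unreachable` is meant as a separate signal from `unreachableInProd` (static dead-code versus production exposure, presumably), that distinction needs to be stated in the schema; otherwise the three values should agree. The header looks suspect as well: `"scanned": { "files": 4, "lines": 0 }` reports zero lines for four scanned files, which will make any per-line density metric divide by zero. Two smaller shape-consistency points: the `dos-sync-io` findings set `sourceSnippet` to a copy of `sinkSnippet` with empty `pathSteps` while the TOCTOU finding uses `"sourceSnippet": null` for the same situation, and the single `fix` object uses `"code": ""` where the rest of the document represents an absent value with `null`.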