@clear-capabilities/agentic-security-scanner 0.75.0 → 0.77.0

Files changed (68) hide show
  1. package/CHANGELOG.md +57 -0
  2. package/bin/agentic-security.js +2 -2
  3. package/dist/838.index.js +152 -0
  4. package/dist/{634.index.js → 985.index.js} +21 -144
  5. package/dist/agentic-security.mjs +8 -8
  6. package/dist/agentic-security.mjs.sha256 +1 -1
  7. package/package.json +6 -6
  8. package/src/mcp/tools.js +17 -2
  9. package/src/sca/base-images.json +1 -1
  10. package/bin/.agentic-security/findings.json +0 -1596
  11. package/bin/.agentic-security/last-scan.json +0 -1596
  12. package/bin/.agentic-security/last-scan.json.sig +0 -1
  13. package/bin/.agentic-security/scan-history.json +0 -470
  14. package/bin/.agentic-security/streak.json +0 -25
  15. package/dist/218.index.js +0 -793
  16. package/dist/601.index.js +0 -1038
  17. package/src/.agentic-security/findings.json +0 -80844
  18. package/src/.agentic-security/last-scan.json +0 -80844
  19. package/src/.agentic-security/last-scan.json.sig +0 -1
  20. package/src/.agentic-security/scan-history.json +0 -8408
  21. package/src/.agentic-security/streak.json +0 -26
  22. package/src/dataflow/.agentic-security/findings.json +0 -3487
  23. package/src/dataflow/.agentic-security/last-scan.json +0 -3487
  24. package/src/dataflow/.agentic-security/last-scan.json.sig +0 -1
  25. package/src/dataflow/.agentic-security/scan-history.json +0 -735
  26. package/src/dataflow/.agentic-security/streak.json +0 -24
  27. package/src/integrations/.agentic-security/findings.json +0 -1504
  28. package/src/integrations/.agentic-security/last-scan.json +0 -1504
  29. package/src/integrations/.agentic-security/scan-history.json +0 -40
  30. package/src/integrations/.agentic-security/streak.json +0 -21
  31. package/src/ir/.agentic-security/findings.json +0 -3036
  32. package/src/ir/.agentic-security/last-scan.json +0 -3036
  33. package/src/ir/.agentic-security/last-scan.json.sig +0 -1
  34. package/src/ir/.agentic-security/scan-history.json +0 -364
  35. package/src/ir/.agentic-security/streak.json +0 -23
  36. package/src/llm-validator/.agentic-security/findings.json +0 -1891
  37. package/src/llm-validator/.agentic-security/last-scan.json +0 -1891
  38. package/src/llm-validator/.agentic-security/last-scan.json.sig +0 -1
  39. package/src/llm-validator/.agentic-security/scan-history.json +0 -168
  40. package/src/llm-validator/.agentic-security/streak.json +0 -20
  41. package/src/lsp/.agentic-security/findings.json +0 -28
  42. package/src/lsp/.agentic-security/last-scan.json +0 -28
  43. package/src/lsp/.agentic-security/scan-history.json +0 -79
  44. package/src/lsp/.agentic-security/streak.json +0 -22
  45. package/src/mcp/.agentic-security/findings.json +0 -8358
  46. package/src/mcp/.agentic-security/last-scan.json +0 -8358
  47. package/src/mcp/.agentic-security/last-scan.json.sig +0 -1
  48. package/src/mcp/.agentic-security/scan-history.json +0 -1125
  49. package/src/mcp/.agentic-security/streak.json +0 -22
  50. package/src/posture/.agentic-security/findings.json +0 -51239
  51. package/src/posture/.agentic-security/last-scan.json +0 -51239
  52. package/src/posture/.agentic-security/last-scan.json.sig +0 -1
  53. package/src/posture/.agentic-security/scan-history.json +0 -5557
  54. package/src/posture/.agentic-security/streak.json +0 -24
  55. package/src/report/.agentic-security/findings.json +0 -79
  56. package/src/report/.agentic-security/last-scan.json +0 -79
  57. package/src/report/.agentic-security/last-scan.json.sig +0 -1
  58. package/src/report/.agentic-security/scan-history.json +0 -332
  59. package/src/report/.agentic-security/streak.json +0 -23
  60. package/src/sast/.agentic-security/findings.json +0 -5051
  61. package/src/sast/.agentic-security/last-scan.json +0 -5051
  62. package/src/sast/.agentic-security/last-scan.json.sig +0 -1
  63. package/src/sast/.agentic-security/scan-history.json +0 -788
  64. package/src/sast/.agentic-security/streak.json +0 -23
  65. package/src/sast/bench-shape/.agentic-security/findings.json +0 -28
  66. package/src/sast/bench-shape/.agentic-security/last-scan.json +0 -28
  67. package/src/sast/bench-shape/.agentic-security/scan-history.json +0 -24
  68. package/src/sast/bench-shape/.agentic-security/streak.json +0 -22
@@ -1,1891 +0,0 @@
1
- {
2
- "scanId": "e4d8ca5c-18e9-436d-8778-68c3e6feb632",
3
- "startedAt": "2026-05-20T12:29:43.643Z",
4
- "durationMs": 133,
5
- "scanned": {
6
- "files": 2,
7
- "lines": 0
8
- },
9
- "findings": [
10
- {
11
- "id": "prompt-tpl:index.js:57:Prompt_Template__user_input_interpolated_into_prompt_string_",
12
- "kind": "sast",
13
- "severity": "high",
14
- "vuln": "Prompt Template: user input interpolated into prompt string without isolation",
15
- "cwe": "CWE-1336",
16
- "owaspLlm": null,
17
- "stride": "Spoofing",
18
- "file": "index.js",
19
- "line": 57,
20
- "snippet": "const PROMPT_TEMPLATE = `You are a senior application security engineer reviewing a candidate finding from a static analysis tool.",
21
- "fix": {
22
- "description": "Prefer the messages array form: `messages=[{\"role\":\"system\",\"content\":SYS},{\"role\":\"user\",\"content\":user_input}]`. Or wrap interpolations with isolation markers and instruct the model to treat content inside them as data only.",
23
- "code": ""
24
- },
25
- "reachable": false,
26
- "triage": 39,
27
- "dataClasses": [],
28
- "chain": null,
29
- "confidence": 0.314,
30
- "toxicity": 15,
31
- "toxicityFactors": [
32
- "high-severity"
33
- ],
34
- "toxicityLabel": "Low",
35
- "sources": null,
36
- "epssScore": null,
37
- "epssPercentile": null,
38
- "epssCve": null,
39
- "exploitedNow": false,
40
- "tags": null,
41
- "blastRadius": {
42
- "scope": "all-users",
43
- "dataAtRisk": [
44
- "config"
45
- ],
46
- "userCount": 50,
47
- "industry": "generic",
48
- "jurisdictions": [],
49
- "controlsApplied": [],
50
- "dollarBest": 23250,
51
- "dollarLikely": 136250,
52
- "dollarWorst": 775000,
53
- "dollarLow": 23250,
54
- "dollarHigh": 775000,
55
- "components": {
56
- "incidentResponse": {
57
- "low": 8000,
58
- "likely": 50000,
59
- "high": 250000
60
- },
61
- "legal": {
62
- "low": 10000,
63
- "likely": 75000,
64
- "high": 500000
65
- },
66
- "crisisPR": {
67
- "low": 0,
68
- "likely": 0,
69
- "high": 0
70
- },
71
- "notification": {
72
- "low": 5000,
73
- "likely": 10000,
74
- "high": 15000
75
- },
76
- "creditMonitoring": {
77
- "low": 0,
78
- "likely": 0,
79
- "high": 0
80
- },
81
- "regulatoryFines": {
82
- "low": 0,
83
- "likely": 0,
84
- "high": 0
85
- },
86
- "directDamage": {
87
- "low": 250,
88
- "likely": 1250,
89
- "high": 10000
90
- },
91
- "classAction": {
92
- "low": 0,
93
- "likely": 0,
94
- "high": 0
95
- },
96
- "lostBusiness": {
97
- "low": 0,
98
- "likely": 0,
99
- "high": 0
100
- }
101
- },
102
- "dominantDriver": "legal counsel",
103
- "comparable": "Server-side template injection (Pug/Jinja2/Twig) → routine path to RCE",
104
- "confidence": "low",
105
- "narrative": "Prompt Template: user input interpolated into prompt string without isolation on `index.js:57` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Server-side template injection (Pug/Jinja2/Twig) → routine path to RCE."
106
- },
107
- "stableId": "36003f350e48e148",
108
- "confidenceTier": "low",
109
- "exploitability": 0.45,
110
- "exploitabilityTier": "medium",
111
- "exploitabilityFactors": [
112
- "sev:high",
113
- "unreachable"
114
- ],
115
- "clusterSize": null,
116
- "unreachable": false,
117
- "validator_verdict": "unvalidated",
118
- "llm_confidence": null,
119
- "unvalidated": true,
120
- "cross_language": false,
121
- "family": "prompt-template-user-input-interpolated-",
122
- "_unsigned": false,
123
- "_passThroughSigning": false,
124
- "signatureStatus": "verified",
125
- "regression_test": null,
126
- "poc": null,
127
- "calibrated_confidence": null,
128
- "calibrated_confidence_ci": null,
129
- "calibrated_n": 0,
130
- "calibration_reason": "no-history",
131
- "verifier_verdict": "cannot-verify",
132
- "verifier_reason": "no-poc-no-sanitizer-rule",
133
- "verifier_runner": null,
134
- "narration": "A finding of type \"Prompt Template: user input interpolated into prompt string without isolation\" at index.js:57. Severity: high. Review the remediation field for class-specific guidance.",
135
- "mitigationVerdict": "unreachable-in-prod",
136
- "mitigationsApplied": [],
137
- "mitigatedByWaf": false,
138
- "wafRuleId": null,
139
- "mitigatedByAuth": false,
140
- "authMechanism": null,
141
- "mitigatedByNetwork": false,
142
- "networkExposure": null,
143
- "featureFlag": null,
144
- "featureFlagState": null,
145
- "featureFlagRollout": null,
146
- "exposedInProd": false,
147
- "unreachableInProd": true,
148
- "coldPath": false,
149
- "hotPath": false,
150
- "prodRequestCount": null,
151
- "crownJewelScore": 0.1,
152
- "crownJewelTier": "low-value",
153
- "crownJewelFactors": [
154
- "reads-secret-env"
155
- ],
156
- "cloneClusterId": "fae27b06c71c94a9",
157
- "cloneClusterSize": 1,
158
- "provenance": "human-likely",
159
- "provenanceScore": 0.18,
160
- "typeNarrowed": null,
161
- "strideCategory": null,
162
- "personaScores": {
163
- "script-kiddie": {
164
- "score": 0.65,
165
- "tier": "high",
166
- "factors": [
167
- "sev:high"
168
- ]
169
- },
170
- "opportunistic-criminal": {
171
- "score": 0.65,
172
- "tier": "high",
173
- "factors": [
174
- "sev:high"
175
- ]
176
- },
177
- "apt-nation-state": {
178
- "score": 0.65,
179
- "tier": "high",
180
- "factors": [
181
- "sev:high"
182
- ]
183
- },
184
- "supply-chain-attacker": {
185
- "score": 0.65,
186
- "tier": "high",
187
- "factors": [
188
- "sev:high"
189
- ]
190
- },
191
- "malicious-insider": {
192
- "score": 0.65,
193
- "tier": "high",
194
- "factors": [
195
- "sev:high"
196
- ]
197
- }
198
- },
199
- "personaTopTwo": [
200
- "script-kiddie",
201
- "opportunistic-criminal"
202
- ],
203
- "personaMaxName": "script-kiddie",
204
- "personaMaxScore": 0.65,
205
- "reverseExposure": null,
206
- "specMined": null,
207
- "whyFired": {
208
- "detector": "sast/prompt-template-user-input-interpolated-",
209
- "ruleId": "CWE-1336",
210
- "parser": "pattern",
211
- "evidence": {
212
- "sinkSnippet": "const PROMPT_TEMPLATE = `You are a senior application security engineer reviewing a candidate finding from a static analysis tool.",
213
- "sourceSnippet": null,
214
- "pathSteps": [],
215
- "sanitizers": [],
216
- "guards": []
217
- },
218
- "considered": {
219
- "suppressionsApplied": [],
220
- "suppressionsSkipped": [],
221
- "reachabilityFilter": "unaffected",
222
- "clusterCollapsed": false,
223
- "typeNarrowed": false,
224
- "crownJewelTier": "low-value",
225
- "mitigationVerdict": "unreachable-in-prod"
226
- },
227
- "scanner": {
228
- "rulesetVersion": null,
229
- "packHash": null,
230
- "modelId": null
231
- }
232
- },
233
- "adversaryTranscript": null,
234
- "predictedBountyUsd": null,
235
- "bountyConfidence": null,
236
- "attackPlaybook": null
237
- },
238
- {
239
- "id": "struct:consistency.js:66:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
240
- "kind": "sast",
241
- "severity": "medium",
242
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
243
- "cwe": "CWE-400",
244
- "owaspLlm": null,
245
- "stride": "Denial of Service",
246
- "file": "consistency.js",
247
- "line": 66,
248
- "snippet": "if (fs.existsSync(cacheDir)) {",
249
- "fix": null,
250
- "reachable": false,
251
- "triage": 22,
252
- "dataClasses": [],
253
- "chain": null,
254
- "confidence": 0.212,
255
- "toxicity": 28,
256
- "toxicityFactors": [
257
- "http-facing"
258
- ],
259
- "toxicityLabel": "Medium",
260
- "sources": null,
261
- "epssScore": null,
262
- "epssPercentile": null,
263
- "epssCve": null,
264
- "exploitedNow": false,
265
- "tags": null,
266
- "blastRadius": {
267
- "scope": "all-users",
268
- "dataAtRisk": [
269
- "config"
270
- ],
271
- "userCount": 50,
272
- "industry": "generic",
273
- "jurisdictions": [],
274
- "controlsApplied": [],
275
- "dollarBest": 23250,
276
- "dollarLikely": 136250,
277
- "dollarWorst": 775000,
278
- "dollarLow": 23250,
279
- "dollarHigh": 775000,
280
- "components": {
281
- "incidentResponse": {
282
- "low": 8000,
283
- "likely": 50000,
284
- "high": 250000
285
- },
286
- "legal": {
287
- "low": 10000,
288
- "likely": 75000,
289
- "high": 500000
290
- },
291
- "crisisPR": {
292
- "low": 0,
293
- "likely": 0,
294
- "high": 0
295
- },
296
- "notification": {
297
- "low": 5000,
298
- "likely": 10000,
299
- "high": 15000
300
- },
301
- "creditMonitoring": {
302
- "low": 0,
303
- "likely": 0,
304
- "high": 0
305
- },
306
- "regulatoryFines": {
307
- "low": 0,
308
- "likely": 0,
309
- "high": 0
310
- },
311
- "directDamage": {
312
- "low": 250,
313
- "likely": 1250,
314
- "high": 10000
315
- },
316
- "classAction": {
317
- "low": 0,
318
- "likely": 0,
319
- "high": 0
320
- },
321
- "lostBusiness": {
322
- "low": 0,
323
- "likely": 0,
324
- "high": 0
325
- }
326
- },
327
- "dominantDriver": "legal counsel",
328
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
329
- "confidence": "low",
330
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `consistency.js:66` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
331
- },
332
- "stableId": "cd1c964ce2e49d49",
333
- "confidenceTier": "very-low",
334
- "exploitability": 0.2,
335
- "exploitabilityTier": "low",
336
- "exploitabilityFactors": [
337
- "sev:medium",
338
- "unreachable"
339
- ],
340
- "clusterSize": null,
341
- "unreachable": false,
342
- "validator_verdict": "unvalidated",
343
- "llm_confidence": null,
344
- "unvalidated": true,
345
- "cross_language": false,
346
- "family": "dos-sync-io",
347
- "_unsigned": false,
348
- "_passThroughSigning": false,
349
- "signatureStatus": "verified",
350
- "regression_test": null,
351
- "poc": null,
352
- "calibrated_confidence": null,
353
- "calibrated_confidence_ci": null,
354
- "calibrated_n": 0,
355
- "calibration_reason": "no-history",
356
- "verifier_verdict": "cannot-verify",
357
- "verifier_reason": "no-poc-no-sanitizer-rule",
358
- "verifier_runner": null,
359
- "narration": null,
360
- "mitigationVerdict": "unreachable-in-prod",
361
- "mitigationsApplied": [],
362
- "mitigatedByWaf": false,
363
- "wafRuleId": null,
364
- "mitigatedByAuth": false,
365
- "authMechanism": null,
366
- "mitigatedByNetwork": false,
367
- "networkExposure": null,
368
- "featureFlag": null,
369
- "featureFlagState": null,
370
- "featureFlagRollout": null,
371
- "exposedInProd": false,
372
- "unreachableInProd": true,
373
- "coldPath": false,
374
- "hotPath": false,
375
- "prodRequestCount": null,
376
- "crownJewelScore": 0,
377
- "crownJewelTier": "unknown",
378
- "crownJewelFactors": [],
379
- "cloneClusterId": "31e29761689a4980",
380
- "cloneClusterSize": 1,
381
- "provenance": "human-likely",
382
- "provenanceScore": 0.22,
383
- "typeNarrowed": null,
384
- "strideCategory": "denialOfService",
385
- "personaScores": {
386
- "script-kiddie": {
387
- "score": 0.4,
388
- "tier": "medium",
389
- "factors": [
390
- "sev:medium"
391
- ]
392
- },
393
- "opportunistic-criminal": {
394
- "score": 0.4,
395
- "tier": "medium",
396
- "factors": [
397
- "sev:medium"
398
- ]
399
- },
400
- "apt-nation-state": {
401
- "score": 0.4,
402
- "tier": "medium",
403
- "factors": [
404
- "sev:medium"
405
- ]
406
- },
407
- "supply-chain-attacker": {
408
- "score": 0.4,
409
- "tier": "medium",
410
- "factors": [
411
- "sev:medium"
412
- ]
413
- },
414
- "malicious-insider": {
415
- "score": 0.4,
416
- "tier": "medium",
417
- "factors": [
418
- "sev:medium"
419
- ]
420
- }
421
- },
422
- "personaTopTwo": [
423
- "script-kiddie",
424
- "opportunistic-criminal"
425
- ],
426
- "personaMaxName": "script-kiddie",
427
- "personaMaxScore": 0.4,
428
- "reverseExposure": null,
429
- "specMined": null,
430
- "whyFired": {
431
- "detector": "sast/dos-sync-io",
432
- "ruleId": "CWE-400",
433
- "parser": "STRUCTURAL",
434
- "evidence": {
435
- "sinkSnippet": "if (fs.existsSync(cacheDir)) {",
436
- "sourceSnippet": "if (fs.existsSync(cacheDir)) {",
437
- "pathSteps": [],
438
- "sanitizers": [],
439
- "guards": []
440
- },
441
- "considered": {
442
- "suppressionsApplied": [],
443
- "suppressionsSkipped": [],
444
- "reachabilityFilter": "unaffected",
445
- "clusterCollapsed": false,
446
- "typeNarrowed": false,
447
- "crownJewelTier": "unknown",
448
- "mitigationVerdict": "unreachable-in-prod"
449
- },
450
- "scanner": {
451
- "rulesetVersion": null,
452
- "packHash": null,
453
- "modelId": null
454
- }
455
- },
456
- "adversaryTranscript": null,
457
- "predictedBountyUsd": {
458
- "low": 10,
459
- "likely": 40,
460
- "high": 120,
461
- "program": "web2"
462
- },
463
- "bountyConfidence": "high",
464
- "attackPlaybook": null
465
- },
466
- {
467
- "id": "struct:consistency.js:67:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
468
- "kind": "sast",
469
- "severity": "medium",
470
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
471
- "cwe": "CWE-400",
472
- "owaspLlm": null,
473
- "stride": "Denial of Service",
474
- "file": "consistency.js",
475
- "line": 67,
476
- "snippet": "for (const e of fs.readdirSync(cacheDir)) fs.unlinkSync(path.join(cacheDir, e));",
477
- "fix": null,
478
- "reachable": false,
479
- "triage": 22,
480
- "dataClasses": [],
481
- "chain": null,
482
- "confidence": 0.212,
483
- "toxicity": 28,
484
- "toxicityFactors": [
485
- "http-facing"
486
- ],
487
- "toxicityLabel": "Medium",
488
- "sources": null,
489
- "epssScore": null,
490
- "epssPercentile": null,
491
- "epssCve": null,
492
- "exploitedNow": false,
493
- "tags": null,
494
- "blastRadius": {
495
- "scope": "all-users",
496
- "dataAtRisk": [
497
- "config"
498
- ],
499
- "userCount": 50,
500
- "industry": "generic",
501
- "jurisdictions": [],
502
- "controlsApplied": [],
503
- "dollarBest": 23250,
504
- "dollarLikely": 136250,
505
- "dollarWorst": 775000,
506
- "dollarLow": 23250,
507
- "dollarHigh": 775000,
508
- "components": {
509
- "incidentResponse": {
510
- "low": 8000,
511
- "likely": 50000,
512
- "high": 250000
513
- },
514
- "legal": {
515
- "low": 10000,
516
- "likely": 75000,
517
- "high": 500000
518
- },
519
- "crisisPR": {
520
- "low": 0,
521
- "likely": 0,
522
- "high": 0
523
- },
524
- "notification": {
525
- "low": 5000,
526
- "likely": 10000,
527
- "high": 15000
528
- },
529
- "creditMonitoring": {
530
- "low": 0,
531
- "likely": 0,
532
- "high": 0
533
- },
534
- "regulatoryFines": {
535
- "low": 0,
536
- "likely": 0,
537
- "high": 0
538
- },
539
- "directDamage": {
540
- "low": 250,
541
- "likely": 1250,
542
- "high": 10000
543
- },
544
- "classAction": {
545
- "low": 0,
546
- "likely": 0,
547
- "high": 0
548
- },
549
- "lostBusiness": {
550
- "low": 0,
551
- "likely": 0,
552
- "high": 0
553
- }
554
- },
555
- "dominantDriver": "legal counsel",
556
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
557
- "confidence": "low",
558
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `consistency.js:67` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
559
- },
560
- "stableId": "60e3b2db8a750099",
561
- "confidenceTier": "very-low",
562
- "exploitability": 0.2,
563
- "exploitabilityTier": "low",
564
- "exploitabilityFactors": [
565
- "sev:medium",
566
- "unreachable"
567
- ],
568
- "clusterSize": null,
569
- "unreachable": false,
570
- "validator_verdict": "unvalidated",
571
- "llm_confidence": null,
572
- "unvalidated": true,
573
- "cross_language": false,
574
- "family": "dos-sync-io",
575
- "_unsigned": false,
576
- "_passThroughSigning": false,
577
- "signatureStatus": "verified",
578
- "regression_test": null,
579
- "poc": null,
580
- "calibrated_confidence": null,
581
- "calibrated_confidence_ci": null,
582
- "calibrated_n": 0,
583
- "calibration_reason": "no-history",
584
- "verifier_verdict": "cannot-verify",
585
- "verifier_reason": "no-poc-no-sanitizer-rule",
586
- "verifier_runner": null,
587
- "narration": null,
588
- "mitigationVerdict": "unreachable-in-prod",
589
- "mitigationsApplied": [],
590
- "mitigatedByWaf": false,
591
- "wafRuleId": null,
592
- "mitigatedByAuth": false,
593
- "authMechanism": null,
594
- "mitigatedByNetwork": false,
595
- "networkExposure": null,
596
- "featureFlag": null,
597
- "featureFlagState": null,
598
- "featureFlagRollout": null,
599
- "exposedInProd": false,
600
- "unreachableInProd": true,
601
- "coldPath": false,
602
- "hotPath": false,
603
- "prodRequestCount": null,
604
- "crownJewelScore": 0,
605
- "crownJewelTier": "unknown",
606
- "crownJewelFactors": [],
607
- "cloneClusterId": "88afe4820dcb8a38",
608
- "cloneClusterSize": 1,
609
- "provenance": "human-likely",
610
- "provenanceScore": 0.22,
611
- "typeNarrowed": null,
612
- "strideCategory": "denialOfService",
613
- "personaScores": {
614
- "script-kiddie": {
615
- "score": 0.4,
616
- "tier": "medium",
617
- "factors": [
618
- "sev:medium"
619
- ]
620
- },
621
- "opportunistic-criminal": {
622
- "score": 0.4,
623
- "tier": "medium",
624
- "factors": [
625
- "sev:medium"
626
- ]
627
- },
628
- "apt-nation-state": {
629
- "score": 0.4,
630
- "tier": "medium",
631
- "factors": [
632
- "sev:medium"
633
- ]
634
- },
635
- "supply-chain-attacker": {
636
- "score": 0.4,
637
- "tier": "medium",
638
- "factors": [
639
- "sev:medium"
640
- ]
641
- },
642
- "malicious-insider": {
643
- "score": 0.4,
644
- "tier": "medium",
645
- "factors": [
646
- "sev:medium"
647
- ]
648
- }
649
- },
650
- "personaTopTwo": [
651
- "script-kiddie",
652
- "opportunistic-criminal"
653
- ],
654
- "personaMaxName": "script-kiddie",
655
- "personaMaxScore": 0.4,
656
- "reverseExposure": null,
657
- "specMined": null,
658
- "whyFired": {
659
- "detector": "sast/dos-sync-io",
660
- "ruleId": "CWE-400",
661
- "parser": "STRUCTURAL",
662
- "evidence": {
663
- "sinkSnippet": "for (const e of fs.readdirSync(cacheDir)) fs.unlinkSync(path.join(cacheDir, e));",
664
- "sourceSnippet": "for (const e of fs.readdirSync(cacheDir)) fs.unlinkSync(path.join(cacheDir, e));",
665
- "pathSteps": [],
666
- "sanitizers": [],
667
- "guards": []
668
- },
669
- "considered": {
670
- "suppressionsApplied": [],
671
- "suppressionsSkipped": [],
672
- "reachabilityFilter": "unaffected",
673
- "clusterCollapsed": false,
674
- "typeNarrowed": false,
675
- "crownJewelTier": "unknown",
676
- "mitigationVerdict": "unreachable-in-prod"
677
- },
678
- "scanner": {
679
- "rulesetVersion": null,
680
- "packHash": null,
681
- "modelId": null
682
- }
683
- },
684
- "adversaryTranscript": null,
685
- "predictedBountyUsd": {
686
- "low": 10,
687
- "likely": 40,
688
- "high": 120,
689
- "program": "web2"
690
- },
691
- "bountyConfidence": "high",
692
- "attackPlaybook": null
693
- },
694
- {
695
- "id": "struct:index.js:116:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
696
- "kind": "sast",
697
- "severity": "medium",
698
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
699
- "cwe": "CWE-400",
700
- "owaspLlm": null,
701
- "stride": "Denial of Service",
702
- "file": "index.js",
703
- "line": 116,
704
- "snippet": "if (!fs.existsSync(fp)) return null;",
705
- "fix": null,
706
- "reachable": false,
707
- "triage": 22,
708
- "dataClasses": [],
709
- "chain": null,
710
- "confidence": 0.212,
711
- "toxicity": 28,
712
- "toxicityFactors": [
713
- "http-facing"
714
- ],
715
- "toxicityLabel": "Medium",
716
- "sources": null,
717
- "epssScore": null,
718
- "epssPercentile": null,
719
- "epssCve": null,
720
- "exploitedNow": false,
721
- "tags": null,
722
- "blastRadius": {
723
- "scope": "all-users",
724
- "dataAtRisk": [
725
- "config"
726
- ],
727
- "userCount": 50,
728
- "industry": "generic",
729
- "jurisdictions": [],
730
- "controlsApplied": [],
731
- "dollarBest": 23250,
732
- "dollarLikely": 136250,
733
- "dollarWorst": 775000,
734
- "dollarLow": 23250,
735
- "dollarHigh": 775000,
736
- "components": {
737
- "incidentResponse": {
738
- "low": 8000,
739
- "likely": 50000,
740
- "high": 250000
741
- },
742
- "legal": {
743
- "low": 10000,
744
- "likely": 75000,
745
- "high": 500000
746
- },
747
- "crisisPR": {
748
- "low": 0,
749
- "likely": 0,
750
- "high": 0
751
- },
752
- "notification": {
753
- "low": 5000,
754
- "likely": 10000,
755
- "high": 15000
756
- },
757
- "creditMonitoring": {
758
- "low": 0,
759
- "likely": 0,
760
- "high": 0
761
- },
762
- "regulatoryFines": {
763
- "low": 0,
764
- "likely": 0,
765
- "high": 0
766
- },
767
- "directDamage": {
768
- "low": 250,
769
- "likely": 1250,
770
- "high": 10000
771
- },
772
- "classAction": {
773
- "low": 0,
774
- "likely": 0,
775
- "high": 0
776
- },
777
- "lostBusiness": {
778
- "low": 0,
779
- "likely": 0,
780
- "high": 0
781
- }
782
- },
783
- "dominantDriver": "legal counsel",
784
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
785
- "confidence": "low",
786
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `index.js:116` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
787
- },
788
- "stableId": "91cf2e9bd1fe407b",
789
- "confidenceTier": "very-low",
790
- "exploitability": 0.2,
791
- "exploitabilityTier": "low",
792
- "exploitabilityFactors": [
793
- "sev:medium",
794
- "unreachable"
795
- ],
796
- "clusterSize": null,
797
- "unreachable": false,
798
- "validator_verdict": "unvalidated",
799
- "llm_confidence": null,
800
- "unvalidated": true,
801
- "cross_language": false,
802
- "family": "dos-sync-io",
803
- "_unsigned": false,
804
- "_passThroughSigning": false,
805
- "signatureStatus": "verified",
806
- "regression_test": null,
807
- "poc": null,
808
- "calibrated_confidence": null,
809
- "calibrated_confidence_ci": null,
810
- "calibrated_n": 0,
811
- "calibration_reason": "no-history",
812
- "verifier_verdict": "cannot-verify",
813
- "verifier_reason": "no-poc-no-sanitizer-rule",
814
- "verifier_runner": null,
815
- "narration": null,
816
- "mitigationVerdict": "unreachable-in-prod",
817
- "mitigationsApplied": [],
818
- "mitigatedByWaf": false,
819
- "wafRuleId": null,
820
- "mitigatedByAuth": false,
821
- "authMechanism": null,
822
- "mitigatedByNetwork": false,
823
- "networkExposure": null,
824
- "featureFlag": null,
825
- "featureFlagState": null,
826
- "featureFlagRollout": null,
827
- "exposedInProd": false,
828
- "unreachableInProd": true,
829
- "coldPath": false,
830
- "hotPath": false,
831
- "prodRequestCount": null,
832
- "crownJewelScore": 0.1,
833
- "crownJewelTier": "low-value",
834
- "crownJewelFactors": [
835
- "reads-secret-env"
836
- ],
837
- "cloneClusterId": "66b8a8c25816e7f9",
838
- "cloneClusterSize": 2,
839
- "provenance": "human-likely",
840
- "provenanceScore": 0.18,
841
- "typeNarrowed": null,
842
- "strideCategory": "denialOfService",
843
- "personaScores": {
844
- "script-kiddie": {
845
- "score": 0.4,
846
- "tier": "medium",
847
- "factors": [
848
- "sev:medium"
849
- ]
850
- },
851
- "opportunistic-criminal": {
852
- "score": 0.4,
853
- "tier": "medium",
854
- "factors": [
855
- "sev:medium"
856
- ]
857
- },
858
- "apt-nation-state": {
859
- "score": 0.4,
860
- "tier": "medium",
861
- "factors": [
862
- "sev:medium"
863
- ]
864
- },
865
- "supply-chain-attacker": {
866
- "score": 0.4,
867
- "tier": "medium",
868
- "factors": [
869
- "sev:medium"
870
- ]
871
- },
872
- "malicious-insider": {
873
- "score": 0.4,
874
- "tier": "medium",
875
- "factors": [
876
- "sev:medium"
877
- ]
878
- }
879
- },
880
- "personaTopTwo": [
881
- "script-kiddie",
882
- "opportunistic-criminal"
883
- ],
884
- "personaMaxName": "script-kiddie",
885
- "personaMaxScore": 0.4,
886
- "reverseExposure": null,
887
- "specMined": null,
888
- "whyFired": {
889
- "detector": "sast/dos-sync-io",
890
- "ruleId": "CWE-400",
891
- "parser": "STRUCTURAL",
892
- "evidence": {
893
- "sinkSnippet": "if (!fs.existsSync(fp)) return null;",
894
- "sourceSnippet": "if (!fs.existsSync(fp)) return null;",
895
- "pathSteps": [],
896
- "sanitizers": [],
897
- "guards": []
898
- },
899
- "considered": {
900
- "suppressionsApplied": [],
901
- "suppressionsSkipped": [],
902
- "reachabilityFilter": "unaffected",
903
- "clusterCollapsed": false,
904
- "typeNarrowed": false,
905
- "crownJewelTier": "low-value",
906
- "mitigationVerdict": "unreachable-in-prod"
907
- },
908
- "scanner": {
909
- "rulesetVersion": null,
910
- "packHash": null,
911
- "modelId": null
912
- }
913
- },
914
- "adversaryTranscript": null,
915
- "predictedBountyUsd": {
916
- "low": 10,
917
- "likely": 40,
918
- "high": 120,
919
- "program": "web2"
920
- },
921
- "bountyConfidence": "high",
922
- "attackPlaybook": null
923
- },
924
- {
925
- "id": "struct:index.js:117:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
926
- "kind": "sast",
927
- "severity": "medium",
928
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
929
- "cwe": "CWE-400",
930
- "owaspLlm": null,
931
- "stride": "Denial of Service",
932
- "file": "index.js",
933
- "line": 117,
934
- "snippet": "try { return JSON.parse(fs.readFileSync(fp, 'utf8')); } catch { return null; }",
935
- "fix": null,
936
- "reachable": false,
937
- "triage": 22,
938
- "dataClasses": [],
939
- "chain": null,
940
- "confidence": 0.212,
941
- "toxicity": 28,
942
- "toxicityFactors": [
943
- "http-facing"
944
- ],
945
- "toxicityLabel": "Medium",
946
- "sources": null,
947
- "epssScore": null,
948
- "epssPercentile": null,
949
- "epssCve": null,
950
- "exploitedNow": false,
951
- "tags": null,
952
- "blastRadius": {
953
- "scope": "all-users",
954
- "dataAtRisk": [
955
- "config"
956
- ],
957
- "userCount": 50,
958
- "industry": "generic",
959
- "jurisdictions": [],
960
- "controlsApplied": [],
961
- "dollarBest": 23250,
962
- "dollarLikely": 136250,
963
- "dollarWorst": 775000,
964
- "dollarLow": 23250,
965
- "dollarHigh": 775000,
966
- "components": {
967
- "incidentResponse": {
968
- "low": 8000,
969
- "likely": 50000,
970
- "high": 250000
971
- },
972
- "legal": {
973
- "low": 10000,
974
- "likely": 75000,
975
- "high": 500000
976
- },
977
- "crisisPR": {
978
- "low": 0,
979
- "likely": 0,
980
- "high": 0
981
- },
982
- "notification": {
983
- "low": 5000,
984
- "likely": 10000,
985
- "high": 15000
986
- },
987
- "creditMonitoring": {
988
- "low": 0,
989
- "likely": 0,
990
- "high": 0
991
- },
992
- "regulatoryFines": {
993
- "low": 0,
994
- "likely": 0,
995
- "high": 0
996
- },
997
- "directDamage": {
998
- "low": 250,
999
- "likely": 1250,
1000
- "high": 10000
1001
- },
1002
- "classAction": {
1003
- "low": 0,
1004
- "likely": 0,
1005
- "high": 0
1006
- },
1007
- "lostBusiness": {
1008
- "low": 0,
1009
- "likely": 0,
1010
- "high": 0
1011
- }
1012
- },
1013
- "dominantDriver": "legal counsel",
1014
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1015
- "confidence": "low",
1016
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `index.js:117` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1017
- },
1018
- "stableId": "b3bc63cb273757a2",
1019
- "confidenceTier": "very-low",
1020
- "exploitability": 0.2,
1021
- "exploitabilityTier": "low",
1022
- "exploitabilityFactors": [
1023
- "sev:medium",
1024
- "unreachable"
1025
- ],
1026
- "clusterSize": null,
1027
- "unreachable": false,
1028
- "validator_verdict": "unvalidated",
1029
- "llm_confidence": null,
1030
- "unvalidated": true,
1031
- "cross_language": false,
1032
- "family": "dos-sync-io",
1033
- "_unsigned": false,
1034
- "_passThroughSigning": false,
1035
- "signatureStatus": "verified",
1036
- "regression_test": null,
1037
- "poc": null,
1038
- "calibrated_confidence": null,
1039
- "calibrated_confidence_ci": null,
1040
- "calibrated_n": 0,
1041
- "calibration_reason": "no-history",
1042
- "verifier_verdict": "cannot-verify",
1043
- "verifier_reason": "no-poc-no-sanitizer-rule",
1044
- "verifier_runner": null,
1045
- "narration": null,
1046
- "mitigationVerdict": "unreachable-in-prod",
1047
- "mitigationsApplied": [],
1048
- "mitigatedByWaf": false,
1049
- "wafRuleId": null,
1050
- "mitigatedByAuth": false,
1051
- "authMechanism": null,
1052
- "mitigatedByNetwork": false,
1053
- "networkExposure": null,
1054
- "featureFlag": null,
1055
- "featureFlagState": null,
1056
- "featureFlagRollout": null,
1057
- "exposedInProd": false,
1058
- "unreachableInProd": true,
1059
- "coldPath": false,
1060
- "hotPath": false,
1061
- "prodRequestCount": null,
1062
- "crownJewelScore": 0.1,
1063
- "crownJewelTier": "low-value",
1064
- "crownJewelFactors": [
1065
- "reads-secret-env"
1066
- ],
1067
- "cloneClusterId": "29d998f79544cba7",
1068
- "cloneClusterSize": 1,
1069
- "provenance": "human-likely",
1070
- "provenanceScore": 0.18,
1071
- "typeNarrowed": null,
1072
- "strideCategory": "denialOfService",
1073
- "personaScores": {
1074
- "script-kiddie": {
1075
- "score": 0.4,
1076
- "tier": "medium",
1077
- "factors": [
1078
- "sev:medium"
1079
- ]
1080
- },
1081
- "opportunistic-criminal": {
1082
- "score": 0.4,
1083
- "tier": "medium",
1084
- "factors": [
1085
- "sev:medium"
1086
- ]
1087
- },
1088
- "apt-nation-state": {
1089
- "score": 0.4,
1090
- "tier": "medium",
1091
- "factors": [
1092
- "sev:medium"
1093
- ]
1094
- },
1095
- "supply-chain-attacker": {
1096
- "score": 0.4,
1097
- "tier": "medium",
1098
- "factors": [
1099
- "sev:medium"
1100
- ]
1101
- },
1102
- "malicious-insider": {
1103
- "score": 0.4,
1104
- "tier": "medium",
1105
- "factors": [
1106
- "sev:medium"
1107
- ]
1108
- }
1109
- },
1110
- "personaTopTwo": [
1111
- "script-kiddie",
1112
- "opportunistic-criminal"
1113
- ],
1114
- "personaMaxName": "script-kiddie",
1115
- "personaMaxScore": 0.4,
1116
- "reverseExposure": null,
1117
- "specMined": null,
1118
- "whyFired": {
1119
- "detector": "sast/dos-sync-io",
1120
- "ruleId": "CWE-400",
1121
- "parser": "STRUCTURAL",
1122
- "evidence": {
1123
- "sinkSnippet": "try { return JSON.parse(fs.readFileSync(fp, 'utf8')); } catch { return null; }",
1124
- "sourceSnippet": "try { return JSON.parse(fs.readFileSync(fp, 'utf8')); } catch { return null; }",
1125
- "pathSteps": [],
1126
- "sanitizers": [],
1127
- "guards": []
1128
- },
1129
- "considered": {
1130
- "suppressionsApplied": [],
1131
- "suppressionsSkipped": [],
1132
- "reachabilityFilter": "unaffected",
1133
- "clusterCollapsed": false,
1134
- "typeNarrowed": false,
1135
- "crownJewelTier": "low-value",
1136
- "mitigationVerdict": "unreachable-in-prod"
1137
- },
1138
- "scanner": {
1139
- "rulesetVersion": null,
1140
- "packHash": null,
1141
- "modelId": null
1142
- }
1143
- },
1144
- "adversaryTranscript": null,
1145
- "predictedBountyUsd": {
1146
- "low": 10,
1147
- "likely": 40,
1148
- "high": 120,
1149
- "program": "web2"
1150
- },
1151
- "bountyConfidence": "high",
1152
- "attackPlaybook": null
1153
- },
1154
- {
1155
- "id": "struct:index.js:123:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1156
- "kind": "sast",
1157
- "severity": "medium",
1158
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1159
- "cwe": "CWE-400",
1160
- "owaspLlm": null,
1161
- "stride": "Denial of Service",
1162
- "file": "index.js",
1163
- "line": 123,
1164
- "snippet": "try { fs.writeFileSync(fp, JSON.stringify(value, null, 2)); } catch {}",
1165
- "fix": null,
1166
- "reachable": false,
1167
- "triage": 22,
1168
- "dataClasses": [],
1169
- "chain": null,
1170
- "confidence": 0.212,
1171
- "toxicity": 28,
1172
- "toxicityFactors": [
1173
- "http-facing"
1174
- ],
1175
- "toxicityLabel": "Medium",
1176
- "sources": null,
1177
- "epssScore": null,
1178
- "epssPercentile": null,
1179
- "epssCve": null,
1180
- "exploitedNow": false,
1181
- "tags": null,
1182
- "blastRadius": {
1183
- "scope": "all-users",
1184
- "dataAtRisk": [
1185
- "config"
1186
- ],
1187
- "userCount": 50,
1188
- "industry": "generic",
1189
- "jurisdictions": [],
1190
- "controlsApplied": [],
1191
- "dollarBest": 23250,
1192
- "dollarLikely": 136250,
1193
- "dollarWorst": 775000,
1194
- "dollarLow": 23250,
1195
- "dollarHigh": 775000,
1196
- "components": {
1197
- "incidentResponse": {
1198
- "low": 8000,
1199
- "likely": 50000,
1200
- "high": 250000
1201
- },
1202
- "legal": {
1203
- "low": 10000,
1204
- "likely": 75000,
1205
- "high": 500000
1206
- },
1207
- "crisisPR": {
1208
- "low": 0,
1209
- "likely": 0,
1210
- "high": 0
1211
- },
1212
- "notification": {
1213
- "low": 5000,
1214
- "likely": 10000,
1215
- "high": 15000
1216
- },
1217
- "creditMonitoring": {
1218
- "low": 0,
1219
- "likely": 0,
1220
- "high": 0
1221
- },
1222
- "regulatoryFines": {
1223
- "low": 0,
1224
- "likely": 0,
1225
- "high": 0
1226
- },
1227
- "directDamage": {
1228
- "low": 250,
1229
- "likely": 1250,
1230
- "high": 10000
1231
- },
1232
- "classAction": {
1233
- "low": 0,
1234
- "likely": 0,
1235
- "high": 0
1236
- },
1237
- "lostBusiness": {
1238
- "low": 0,
1239
- "likely": 0,
1240
- "high": 0
1241
- }
1242
- },
1243
- "dominantDriver": "legal counsel",
1244
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1245
- "confidence": "low",
1246
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `index.js:123` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1247
- },
1248
- "stableId": "f1bcad60f84cd7d8",
1249
- "confidenceTier": "very-low",
1250
- "exploitability": 0.2,
1251
- "exploitabilityTier": "low",
1252
- "exploitabilityFactors": [
1253
- "sev:medium",
1254
- "unreachable"
1255
- ],
1256
- "clusterSize": null,
1257
- "unreachable": false,
1258
- "validator_verdict": "unvalidated",
1259
- "llm_confidence": null,
1260
- "unvalidated": true,
1261
- "cross_language": false,
1262
- "family": "dos-sync-io",
1263
- "_unsigned": false,
1264
- "_passThroughSigning": false,
1265
- "signatureStatus": "verified",
1266
- "regression_test": null,
1267
- "poc": null,
1268
- "calibrated_confidence": null,
1269
- "calibrated_confidence_ci": null,
1270
- "calibrated_n": 0,
1271
- "calibration_reason": "no-history",
1272
- "verifier_verdict": "cannot-verify",
1273
- "verifier_reason": "no-poc-no-sanitizer-rule",
1274
- "verifier_runner": null,
1275
- "narration": null,
1276
- "mitigationVerdict": "unreachable-in-prod",
1277
- "mitigationsApplied": [],
1278
- "mitigatedByWaf": false,
1279
- "wafRuleId": null,
1280
- "mitigatedByAuth": false,
1281
- "authMechanism": null,
1282
- "mitigatedByNetwork": false,
1283
- "networkExposure": null,
1284
- "featureFlag": null,
1285
- "featureFlagState": null,
1286
- "featureFlagRollout": null,
1287
- "exposedInProd": false,
1288
- "unreachableInProd": true,
1289
- "coldPath": false,
1290
- "hotPath": false,
1291
- "prodRequestCount": null,
1292
- "crownJewelScore": 0.1,
1293
- "crownJewelTier": "low-value",
1294
- "crownJewelFactors": [
1295
- "reads-secret-env"
1296
- ],
1297
- "cloneClusterId": "55a282f0f3dd72ac",
1298
- "cloneClusterSize": 1,
1299
- "provenance": "human-likely",
1300
- "provenanceScore": 0.18,
1301
- "typeNarrowed": null,
1302
- "strideCategory": "denialOfService",
1303
- "personaScores": {
1304
- "script-kiddie": {
1305
- "score": 0.4,
1306
- "tier": "medium",
1307
- "factors": [
1308
- "sev:medium"
1309
- ]
1310
- },
1311
- "opportunistic-criminal": {
1312
- "score": 0.4,
1313
- "tier": "medium",
1314
- "factors": [
1315
- "sev:medium"
1316
- ]
1317
- },
1318
- "apt-nation-state": {
1319
- "score": 0.4,
1320
- "tier": "medium",
1321
- "factors": [
1322
- "sev:medium"
1323
- ]
1324
- },
1325
- "supply-chain-attacker": {
1326
- "score": 0.4,
1327
- "tier": "medium",
1328
- "factors": [
1329
- "sev:medium"
1330
- ]
1331
- },
1332
- "malicious-insider": {
1333
- "score": 0.4,
1334
- "tier": "medium",
1335
- "factors": [
1336
- "sev:medium"
1337
- ]
1338
- }
1339
- },
1340
- "personaTopTwo": [
1341
- "script-kiddie",
1342
- "opportunistic-criminal"
1343
- ],
1344
- "personaMaxName": "script-kiddie",
1345
- "personaMaxScore": 0.4,
1346
- "reverseExposure": null,
1347
- "specMined": null,
1348
- "whyFired": {
1349
- "detector": "sast/dos-sync-io",
1350
- "ruleId": "CWE-400",
1351
- "parser": "STRUCTURAL",
1352
- "evidence": {
1353
- "sinkSnippet": "try { fs.writeFileSync(fp, JSON.stringify(value, null, 2)); } catch {}",
1354
- "sourceSnippet": "try { fs.writeFileSync(fp, JSON.stringify(value, null, 2)); } catch {}",
1355
- "pathSteps": [],
1356
- "sanitizers": [],
1357
- "guards": []
1358
- },
1359
- "considered": {
1360
- "suppressionsApplied": [],
1361
- "suppressionsSkipped": [],
1362
- "reachabilityFilter": "unaffected",
1363
- "clusterCollapsed": false,
1364
- "typeNarrowed": false,
1365
- "crownJewelTier": "low-value",
1366
- "mitigationVerdict": "unreachable-in-prod"
1367
- },
1368
- "scanner": {
1369
- "rulesetVersion": null,
1370
- "packHash": null,
1371
- "modelId": null
1372
- }
1373
- },
1374
- "adversaryTranscript": null,
1375
- "predictedBountyUsd": {
1376
- "low": 10,
1377
- "likely": 40,
1378
- "high": 120,
1379
- "program": "web2"
1380
- },
1381
- "bountyConfidence": "high",
1382
- "attackPlaybook": null
1383
- },
1384
- {
1385
- "id": "toctou-fs:index.js:116",
1386
- "kind": "sast",
1387
- "severity": "medium",
1388
- "vuln": "TOCTOU: file existence/permission check before open",
1389
- "cwe": "CWE-367",
1390
- "owaspLlm": null,
1391
- "stride": "Tampering",
1392
- "file": "index.js",
1393
- "line": 116,
1394
- "snippet": "if (!fs.existsSync(fp)) return null;",
1395
- "fix": null,
1396
- "reachable": false,
1397
- "triage": 22,
1398
- "dataClasses": [],
1399
- "chain": null,
1400
- "confidence": 0.7,
1401
- "toxicity": 8,
1402
- "toxicityFactors": [],
1403
- "toxicityLabel": "Low",
1404
- "sources": null,
1405
- "epssScore": null,
1406
- "epssPercentile": null,
1407
- "epssCve": null,
1408
- "exploitedNow": false,
1409
- "tags": null,
1410
- "blastRadius": {
1411
- "scope": "all-users",
1412
- "dataAtRisk": [
1413
- "config"
1414
- ],
1415
- "userCount": 50,
1416
- "industry": "generic",
1417
- "jurisdictions": [],
1418
- "controlsApplied": [],
1419
- "dollarBest": 23250,
1420
- "dollarLikely": 136250,
1421
- "dollarWorst": 775000,
1422
- "dollarLow": 23250,
1423
- "dollarHigh": 775000,
1424
- "components": {
1425
- "incidentResponse": {
1426
- "low": 8000,
1427
- "likely": 50000,
1428
- "high": 250000
1429
- },
1430
- "legal": {
1431
- "low": 10000,
1432
- "likely": 75000,
1433
- "high": 500000
1434
- },
1435
- "crisisPR": {
1436
- "low": 0,
1437
- "likely": 0,
1438
- "high": 0
1439
- },
1440
- "notification": {
1441
- "low": 5000,
1442
- "likely": 10000,
1443
- "high": 15000
1444
- },
1445
- "creditMonitoring": {
1446
- "low": 0,
1447
- "likely": 0,
1448
- "high": 0
1449
- },
1450
- "regulatoryFines": {
1451
- "low": 0,
1452
- "likely": 0,
1453
- "high": 0
1454
- },
1455
- "directDamage": {
1456
- "low": 250,
1457
- "likely": 1250,
1458
- "high": 10000
1459
- },
1460
- "classAction": {
1461
- "low": 0,
1462
- "likely": 0,
1463
- "high": 0
1464
- },
1465
- "lostBusiness": {
1466
- "low": 0,
1467
- "likely": 0,
1468
- "high": 0
1469
- }
1470
- },
1471
- "dominantDriver": "legal counsel",
1472
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1473
- "confidence": "low",
1474
- "narrative": "TOCTOU: file existence/permission check before open on `index.js:116` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1475
- },
1476
- "stableId": "e3ea9a39f5387898",
1477
- "confidenceTier": "medium",
1478
- "exploitability": 0.2,
1479
- "exploitabilityTier": "low",
1480
- "exploitabilityFactors": [
1481
- "sev:medium",
1482
- "unreachable"
1483
- ],
1484
- "clusterSize": null,
1485
- "unreachable": false,
1486
- "validator_verdict": "unvalidated",
1487
- "llm_confidence": null,
1488
- "unvalidated": true,
1489
- "cross_language": false,
1490
- "family": "toctou-file-existence-permission-check-b",
1491
- "_unsigned": false,
1492
- "_passThroughSigning": false,
1493
- "signatureStatus": "verified",
1494
- "regression_test": null,
1495
- "poc": null,
1496
- "calibrated_confidence": null,
1497
- "calibrated_confidence_ci": null,
1498
- "calibrated_n": 0,
1499
- "calibration_reason": "no-history",
1500
- "verifier_verdict": "cannot-verify",
1501
- "verifier_reason": "no-poc-no-sanitizer-rule",
1502
- "verifier_runner": null,
1503
- "narration": null,
1504
- "mitigationVerdict": "unreachable-in-prod",
1505
- "mitigationsApplied": [],
1506
- "mitigatedByWaf": false,
1507
- "wafRuleId": null,
1508
- "mitigatedByAuth": false,
1509
- "authMechanism": null,
1510
- "mitigatedByNetwork": false,
1511
- "networkExposure": null,
1512
- "featureFlag": null,
1513
- "featureFlagState": null,
1514
- "featureFlagRollout": null,
1515
- "exposedInProd": false,
1516
- "unreachableInProd": true,
1517
- "coldPath": false,
1518
- "hotPath": false,
1519
- "prodRequestCount": null,
1520
- "crownJewelScore": 0.1,
1521
- "crownJewelTier": "low-value",
1522
- "crownJewelFactors": [
1523
- "reads-secret-env"
1524
- ],
1525
- "cloneClusterId": "66b8a8c25816e7f9",
1526
- "cloneClusterSize": 2,
1527
- "provenance": "human-likely",
1528
- "provenanceScore": 0.18,
1529
- "typeNarrowed": null,
1530
- "strideCategory": "tampering",
1531
- "personaScores": {
1532
- "script-kiddie": {
1533
- "score": 0.4,
1534
- "tier": "medium",
1535
- "factors": [
1536
- "sev:medium"
1537
- ]
1538
- },
1539
- "opportunistic-criminal": {
1540
- "score": 0.4,
1541
- "tier": "medium",
1542
- "factors": [
1543
- "sev:medium"
1544
- ]
1545
- },
1546
- "apt-nation-state": {
1547
- "score": 0.4,
1548
- "tier": "medium",
1549
- "factors": [
1550
- "sev:medium"
1551
- ]
1552
- },
1553
- "supply-chain-attacker": {
1554
- "score": 0.4,
1555
- "tier": "medium",
1556
- "factors": [
1557
- "sev:medium"
1558
- ]
1559
- },
1560
- "malicious-insider": {
1561
- "score": 0.4,
1562
- "tier": "medium",
1563
- "factors": [
1564
- "sev:medium"
1565
- ]
1566
- }
1567
- },
1568
- "personaTopTwo": [
1569
- "script-kiddie",
1570
- "opportunistic-criminal"
1571
- ],
1572
- "personaMaxName": "script-kiddie",
1573
- "personaMaxScore": 0.4,
1574
- "reverseExposure": null,
1575
- "specMined": null,
1576
- "whyFired": {
1577
- "detector": "sast/toctou-file-existence-permission-check-b",
1578
- "ruleId": "CWE-367",
1579
- "parser": "TOCTOU",
1580
- "evidence": {
1581
- "sinkSnippet": "if (!fs.existsSync(fp)) return null;",
1582
- "sourceSnippet": null,
1583
- "pathSteps": [],
1584
- "sanitizers": [],
1585
- "guards": []
1586
- },
1587
- "considered": {
1588
- "suppressionsApplied": [],
1589
- "suppressionsSkipped": [],
1590
- "reachabilityFilter": "unaffected",
1591
- "clusterCollapsed": false,
1592
- "typeNarrowed": false,
1593
- "crownJewelTier": "low-value",
1594
- "mitigationVerdict": "unreachable-in-prod"
1595
- },
1596
- "scanner": {
1597
- "rulesetVersion": null,
1598
- "packHash": null,
1599
- "modelId": null
1600
- }
1601
- },
1602
- "adversaryTranscript": null,
1603
- "predictedBountyUsd": null,
1604
- "bountyConfidence": null,
1605
- "attackPlaybook": null
1606
- },
1607
- {
1608
- "id": "b73122a9107687a2",
1609
- "kind": "logic",
1610
- "severity": "medium",
1611
- "vuln": "Missing Timeout on Outbound HTTP Request (DoS)",
1612
- "cwe": "CWE-400",
1613
- "stride": "Denial of Service",
1614
- "file": "index.js",
1615
- "line": 185,
1616
- "snippet": "const r = await fetch(endpoint, { method: 'POST', headers, body: JSON.stringify(body) });",
1617
- "fix": {
1618
- "description": "Set a timeout on all outbound requests to prevent event-loop starvation from stalled upstreams.",
1619
- "code": "// fetch (Node 18+)\nconst resp = await fetch(url, { signal: AbortSignal.timeout(5000) });\n\n// axios\nawait axios.get(url, { timeout: 5000 });\n\n// node http\nconst req = http.get(url, cb);\nreq.setTimeout(5000, () => req.destroy());"
1620
- },
1621
- "blastRadius": {
1622
- "scope": "all-users",
1623
- "dataAtRisk": [
1624
- "config"
1625
- ],
1626
- "userCount": 50,
1627
- "industry": "generic",
1628
- "jurisdictions": [],
1629
- "controlsApplied": [],
1630
- "dollarBest": 23250,
1631
- "dollarLikely": 136250,
1632
- "dollarWorst": 775000,
1633
- "dollarLow": 23250,
1634
- "dollarHigh": 775000,
1635
- "components": {
1636
- "incidentResponse": {
1637
- "low": 8000,
1638
- "likely": 50000,
1639
- "high": 250000
1640
- },
1641
- "legal": {
1642
- "low": 10000,
1643
- "likely": 75000,
1644
- "high": 500000
1645
- },
1646
- "crisisPR": {
1647
- "low": 0,
1648
- "likely": 0,
1649
- "high": 0
1650
- },
1651
- "notification": {
1652
- "low": 5000,
1653
- "likely": 10000,
1654
- "high": 15000
1655
- },
1656
- "creditMonitoring": {
1657
- "low": 0,
1658
- "likely": 0,
1659
- "high": 0
1660
- },
1661
- "regulatoryFines": {
1662
- "low": 0,
1663
- "likely": 0,
1664
- "high": 0
1665
- },
1666
- "directDamage": {
1667
- "low": 250,
1668
- "likely": 1250,
1669
- "high": 10000
1670
- },
1671
- "classAction": {
1672
- "low": 0,
1673
- "likely": 0,
1674
- "high": 0
1675
- },
1676
- "lostBusiness": {
1677
- "low": 0,
1678
- "likely": 0,
1679
- "high": 0
1680
- }
1681
- },
1682
- "dominantDriver": "legal counsel",
1683
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1684
- "confidence": "low",
1685
- "narrative": "Missing Timeout on Outbound HTTP Request (DoS) on `index.js:185` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1686
- }
1687
- },
1688
- {
1689
- "id": "logic:index.js:116:TOCTOU:_existsSync_followed_by_file_op",
1690
- "kind": "logic",
1691
- "severity": "medium",
1692
- "vuln": "TOCTOU: existsSync followed by file op",
1693
- "cwe": "CWE-367",
1694
- "stride": "Tampering",
1695
- "file": "index.js",
1696
- "line": 116,
1697
- "snippet": "if (!fs.existsSync(fp)) return null;",
1698
- "fix": {
1699
- "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
1700
- "code": ""
1701
- },
1702
- "blastRadius": {
1703
- "scope": "all-users",
1704
- "dataAtRisk": [
1705
- "config"
1706
- ],
1707
- "userCount": 50,
1708
- "industry": "generic",
1709
- "jurisdictions": [],
1710
- "controlsApplied": [],
1711
- "dollarBest": 23250,
1712
- "dollarLikely": 136250,
1713
- "dollarWorst": 775000,
1714
- "dollarLow": 23250,
1715
- "dollarHigh": 775000,
1716
- "components": {
1717
- "incidentResponse": {
1718
- "low": 8000,
1719
- "likely": 50000,
1720
- "high": 250000
1721
- },
1722
- "legal": {
1723
- "low": 10000,
1724
- "likely": 75000,
1725
- "high": 500000
1726
- },
1727
- "crisisPR": {
1728
- "low": 0,
1729
- "likely": 0,
1730
- "high": 0
1731
- },
1732
- "notification": {
1733
- "low": 5000,
1734
- "likely": 10000,
1735
- "high": 15000
1736
- },
1737
- "creditMonitoring": {
1738
- "low": 0,
1739
- "likely": 0,
1740
- "high": 0
1741
- },
1742
- "regulatoryFines": {
1743
- "low": 0,
1744
- "likely": 0,
1745
- "high": 0
1746
- },
1747
- "directDamage": {
1748
- "low": 250,
1749
- "likely": 1250,
1750
- "high": 10000
1751
- },
1752
- "classAction": {
1753
- "low": 0,
1754
- "likely": 0,
1755
- "high": 0
1756
- },
1757
- "lostBusiness": {
1758
- "low": 0,
1759
- "likely": 0,
1760
- "high": 0
1761
- }
1762
- },
1763
- "dominantDriver": "legal counsel",
1764
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1765
- "confidence": "low",
1766
- "narrative": "TOCTOU: existsSync followed by file op on `index.js:116` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1767
- }
1768
- }
1769
- ],
1770
- "bundles": [],
1771
- "routes": [],
1772
- "components": [],
1773
- "suppressedCount": 2,
1774
- "blastRadiusSignals": {
1775
- "industry": "generic",
1776
- "industryConfidence": "low",
1777
- "jurisdictions": [],
1778
- "controls": [],
1779
- "estimatedUsers": 50,
1780
- "revenueIndicator": "pre-revenue",
1781
- "hasStripe": false,
1782
- "hasAuth": false,
1783
- "hasUserTable": false,
1784
- "hasPII": false,
1785
- "hasPHI": false,
1786
- "hasS3": false
1787
- },
1788
- "_v3": {
1789
- "counterfactual": {
1790
- "spofControls": [],
1791
- "controlsDetected": 28
1792
- },
1793
- "threatModel": {
1794
- "summary": {
1795
- "assetCount": 1,
1796
- "boundaryCount": 0,
1797
- "strideCounts": {
1798
- "spoofing": 0,
1799
- "tampering": 1,
1800
- "repudiation": 0,
1801
- "informationDisclosure": 0,
1802
- "denialOfService": 5,
1803
- "elevationOfPrivilege": 0
1804
- }
1805
- },
1806
- "assets": [
1807
- {
1808
- "name": "AGENTIC_SECURITY_LLM_API_KEY",
1809
- "file": "index.js",
1810
- "line": 95,
1811
- "category": "secret",
1812
- "exposure": "internal"
1813
- }
1814
- ],
1815
- "trustBoundaries": [],
1816
- "stride": {
1817
- "spoofing": [],
1818
- "tampering": [
1819
- {
1820
- "vuln": "TOCTOU: file existence/permission check before open",
1821
- "file": "index.js",
1822
- "line": 116,
1823
- "severity": "medium"
1824
- }
1825
- ],
1826
- "repudiation": [],
1827
- "informationDisclosure": [],
1828
- "denialOfService": [
1829
- {
1830
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1831
- "file": "consistency.js",
1832
- "severity": "medium"
1833
- },
1834
- {
1835
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1836
- "file": "consistency.js",
1837
- "severity": "medium"
1838
- },
1839
- {
1840
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1841
- "file": "index.js",
1842
- "severity": "medium"
1843
- },
1844
- {
1845
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1846
- "file": "index.js",
1847
- "severity": "medium"
1848
- },
1849
- {
1850
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1851
- "file": "index.js",
1852
- "severity": "medium"
1853
- }
1854
- ],
1855
- "elevationOfPrivilege": []
1856
- }
1857
- },
1858
- "trustBoundaryDiagram": {
1859
- "mermaid": "flowchart LR\n INTERNET((Internet))\n APP[\"Application\"]\n asset_secret_AGENTIC_SECURITY_LLM_API_KEY[/\"secret: AGENTIC_SECURITY_LLM_API_KEY\"/]\n APP -->|asset| asset_secret_AGENTIC_SECURITY_LLM_API_KEY\n classDef sev_critical fill:#ffcccc,stroke:#a00,stroke-width:2px;\n classDef sev_high fill:#ffe0b2,stroke:#c60,stroke-width:2px;\n classDef sev_medium fill:#fff3cd,stroke:#a80;\n classDef sev_low fill:#e8eaf6,stroke:#557;",
1860
- "nodes": [
1861
- {
1862
- "id": "INTERNET",
1863
- "kind": "external",
1864
- "label": "Internet"
1865
- },
1866
- {
1867
- "id": "APP",
1868
- "kind": "app",
1869
- "label": "Application"
1870
- },
1871
- {
1872
- "id": "asset_secret_AGENTIC_SECURITY_LLM_API_KEY",
1873
- "kind": "asset",
1874
- "label": "secret: AGENTIC_SECURITY_LLM_API_KEY"
1875
- }
1876
- ],
1877
- "edges": [
1878
- {
1879
- "from": "APP",
1880
- "to": "asset_secret_AGENTIC_SECURITY_LLM_API_KEY",
1881
- "kind": "asset"
1882
- }
1883
- ],
1884
- "decorations": []
1885
- },
1886
- "calibrationDrift": {
1887
- "alarms": [],
1888
- "note": "no-feedback-data"
1889
- }
1890
- }
1891
- }