@clear-capabilities/agentic-security-scanner 0.75.0 → 0.77.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (68) hide show
  1. package/CHANGELOG.md +57 -0
  2. package/bin/agentic-security.js +2 -2
  3. package/dist/838.index.js +152 -0
  4. package/dist/{634.index.js → 985.index.js} +21 -144
  5. package/dist/agentic-security.mjs +8 -8
  6. package/dist/agentic-security.mjs.sha256 +1 -1
  7. package/package.json +6 -6
  8. package/src/mcp/tools.js +17 -2
  9. package/src/sca/base-images.json +1 -1
  10. package/bin/.agentic-security/findings.json +0 -1596
  11. package/bin/.agentic-security/last-scan.json +0 -1596
  12. package/bin/.agentic-security/last-scan.json.sig +0 -1
  13. package/bin/.agentic-security/scan-history.json +0 -470
  14. package/bin/.agentic-security/streak.json +0 -25
  15. package/dist/218.index.js +0 -793
  16. package/dist/601.index.js +0 -1038
  17. package/src/.agentic-security/findings.json +0 -80844
  18. package/src/.agentic-security/last-scan.json +0 -80844
  19. package/src/.agentic-security/last-scan.json.sig +0 -1
  20. package/src/.agentic-security/scan-history.json +0 -8408
  21. package/src/.agentic-security/streak.json +0 -26
  22. package/src/dataflow/.agentic-security/findings.json +0 -3487
  23. package/src/dataflow/.agentic-security/last-scan.json +0 -3487
  24. package/src/dataflow/.agentic-security/last-scan.json.sig +0 -1
  25. package/src/dataflow/.agentic-security/scan-history.json +0 -735
  26. package/src/dataflow/.agentic-security/streak.json +0 -24
  27. package/src/integrations/.agentic-security/findings.json +0 -1504
  28. package/src/integrations/.agentic-security/last-scan.json +0 -1504
  29. package/src/integrations/.agentic-security/scan-history.json +0 -40
  30. package/src/integrations/.agentic-security/streak.json +0 -21
  31. package/src/ir/.agentic-security/findings.json +0 -3036
  32. package/src/ir/.agentic-security/last-scan.json +0 -3036
  33. package/src/ir/.agentic-security/last-scan.json.sig +0 -1
  34. package/src/ir/.agentic-security/scan-history.json +0 -364
  35. package/src/ir/.agentic-security/streak.json +0 -23
  36. package/src/llm-validator/.agentic-security/findings.json +0 -1891
  37. package/src/llm-validator/.agentic-security/last-scan.json +0 -1891
  38. package/src/llm-validator/.agentic-security/last-scan.json.sig +0 -1
  39. package/src/llm-validator/.agentic-security/scan-history.json +0 -168
  40. package/src/llm-validator/.agentic-security/streak.json +0 -20
  41. package/src/lsp/.agentic-security/findings.json +0 -28
  42. package/src/lsp/.agentic-security/last-scan.json +0 -28
  43. package/src/lsp/.agentic-security/scan-history.json +0 -79
  44. package/src/lsp/.agentic-security/streak.json +0 -22
  45. package/src/mcp/.agentic-security/findings.json +0 -8358
  46. package/src/mcp/.agentic-security/last-scan.json +0 -8358
  47. package/src/mcp/.agentic-security/last-scan.json.sig +0 -1
  48. package/src/mcp/.agentic-security/scan-history.json +0 -1125
  49. package/src/mcp/.agentic-security/streak.json +0 -22
  50. package/src/posture/.agentic-security/findings.json +0 -51239
  51. package/src/posture/.agentic-security/last-scan.json +0 -51239
  52. package/src/posture/.agentic-security/last-scan.json.sig +0 -1
  53. package/src/posture/.agentic-security/scan-history.json +0 -5557
  54. package/src/posture/.agentic-security/streak.json +0 -24
  55. package/src/report/.agentic-security/findings.json +0 -79
  56. package/src/report/.agentic-security/last-scan.json +0 -79
  57. package/src/report/.agentic-security/last-scan.json.sig +0 -1
  58. package/src/report/.agentic-security/scan-history.json +0 -332
  59. package/src/report/.agentic-security/streak.json +0 -23
  60. package/src/sast/.agentic-security/findings.json +0 -5051
  61. package/src/sast/.agentic-security/last-scan.json +0 -5051
  62. package/src/sast/.agentic-security/last-scan.json.sig +0 -1
  63. package/src/sast/.agentic-security/scan-history.json +0 -788
  64. package/src/sast/.agentic-security/streak.json +0 -23
  65. package/src/sast/bench-shape/.agentic-security/findings.json +0 -28
  66. package/src/sast/bench-shape/.agentic-security/last-scan.json +0 -28
  67. package/src/sast/bench-shape/.agentic-security/scan-history.json +0 -24
  68. package/src/sast/bench-shape/.agentic-security/streak.json +0 -22
package/bin/.agentic-security/findings.json DELETED
@@ -1,1596 +0,0 @@
1
- {
2
- "scanId": "8f54c078-a0c8-41d7-8100-62ec5a527f14",
3
- "startedAt": "2026-05-21T15:57:04.526Z",
4
- "durationMs": 282,
5
- "scanned": {
6
- "files": 7,
7
- "lines": 0
8
- },
9
- "findings": [
10
- {
11
- "id": "8ec5768f893c53c3",
12
- "kind": "logic",
13
- "severity": "high",
14
- "vuln": "Sensitive Directory Path Construction",
15
- "cwe": "CWE-22",
16
- "stride": "Information Disclosure",
17
- "file": "agentic-security-audit.js",
18
- "line": 51,
19
- "snippet": "function _logPath(root) { return path.join(root, '.agentic-security', 'mcp-audit.log'); }",
20
- "fix": {
21
- "description": "Restrict file paths to a specific allowed directory; reject '..' and absolute paths.",
22
- "code": "const safe = path.resolve('./uploads', file);\nif (!safe.startsWith(path.resolve('./uploads'))) throw 403;"
23
- },
24
- "blastRadius": {
25
- "scope": "all-users",
26
- "dataAtRisk": [
27
- "config"
28
- ],
29
- "userCount": 50,
30
- "industry": "generic",
31
- "jurisdictions": [],
32
- "controlsApplied": [],
33
- "dollarBest": 23250,
34
- "dollarLikely": 136250,
35
- "dollarWorst": 775000,
36
- "dollarLow": 23250,
37
- "dollarHigh": 775000,
38
- "components": {
39
- "incidentResponse": {
40
- "low": 8000,
41
- "likely": 50000,
42
- "high": 250000
43
- },
44
- "legal": {
45
- "low": 10000,
46
- "likely": 75000,
47
- "high": 500000
48
- },
49
- "crisisPR": {
50
- "low": 0,
51
- "likely": 0,
52
- "high": 0
53
- },
54
- "notification": {
55
- "low": 5000,
56
- "likely": 10000,
57
- "high": 15000
58
- },
59
- "creditMonitoring": {
60
- "low": 0,
61
- "likely": 0,
62
- "high": 0
63
- },
64
- "regulatoryFines": {
65
- "low": 0,
66
- "likely": 0,
67
- "high": 0
68
- },
69
- "directDamage": {
70
- "low": 250,
71
- "likely": 1250,
72
- "high": 10000
73
- },
74
- "classAction": {
75
- "low": 0,
76
- "likely": 0,
77
- "high": 0
78
- },
79
- "lostBusiness": {
80
- "low": 0,
81
- "likely": 0,
82
- "high": 0
83
- }
84
- },
85
- "dominantDriver": "legal counsel",
86
- "comparable": "Snyk 2022 path-traversal disclosure → CDN cache poisoning + .env exfil",
87
- "confidence": "low",
88
- "narrative": "Sensitive Directory Path Construction on `agentic-security-audit.js:51` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Snyk 2022 path-traversal disclosure → CDN cache poisoning + .env exfil."
89
- },
90
- "parser": "LOGIC",
91
- "family": null
92
- },
93
- {
94
- "id": "toctou-fs:agentic-security-audit.js:55",
95
- "kind": "sast",
96
- "severity": "medium",
97
- "vuln": "TOCTOU: file existence/permission check before open",
98
- "cwe": "CWE-367",
99
- "owaspLlm": null,
100
- "stride": "Tampering",
101
- "file": "agentic-security-audit.js",
102
- "line": 55,
103
- "snippet": "if (!fs.existsSync(fp)) return [];",
104
- "fix": null,
105
- "reachable": false,
106
- "triage": 22,
107
- "dataClasses": [],
108
- "chain": null,
109
- "confidence": 0.7,
110
- "toxicity": 8,
111
- "toxicityFactors": [],
112
- "toxicityLabel": "Low",
113
- "sources": null,
114
- "epssScore": null,
115
- "epssPercentile": null,
116
- "epssCve": null,
117
- "exploitedNow": false,
118
- "tags": null,
119
- "blastRadius": {
120
- "scope": "all-users",
121
- "dataAtRisk": [
122
- "config"
123
- ],
124
- "userCount": 50,
125
- "industry": "generic",
126
- "jurisdictions": [],
127
- "controlsApplied": [],
128
- "dollarBest": 23250,
129
- "dollarLikely": 136250,
130
- "dollarWorst": 775000,
131
- "dollarLow": 23250,
132
- "dollarHigh": 775000,
133
- "components": {
134
- "incidentResponse": {
135
- "low": 8000,
136
- "likely": 50000,
137
- "high": 250000
138
- },
139
- "legal": {
140
- "low": 10000,
141
- "likely": 75000,
142
- "high": 500000
143
- },
144
- "crisisPR": {
145
- "low": 0,
146
- "likely": 0,
147
- "high": 0
148
- },
149
- "notification": {
150
- "low": 5000,
151
- "likely": 10000,
152
- "high": 15000
153
- },
154
- "creditMonitoring": {
155
- "low": 0,
156
- "likely": 0,
157
- "high": 0
158
- },
159
- "regulatoryFines": {
160
- "low": 0,
161
- "likely": 0,
162
- "high": 0
163
- },
164
- "directDamage": {
165
- "low": 250,
166
- "likely": 1250,
167
- "high": 10000
168
- },
169
- "classAction": {
170
- "low": 0,
171
- "likely": 0,
172
- "high": 0
173
- },
174
- "lostBusiness": {
175
- "low": 0,
176
- "likely": 0,
177
- "high": 0
178
- }
179
- },
180
- "dominantDriver": "legal counsel",
181
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
182
- "confidence": "low",
183
- "narrative": "TOCTOU: file existence/permission check before open on `agentic-security-audit.js:55` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
184
- },
185
- "stableId": "1e3825344bf7fde1",
186
- "confidenceTier": "medium",
187
- "exploitability": 0.2,
188
- "exploitabilityTier": "low",
189
- "exploitabilityFactors": [
190
- "sev:medium",
191
- "unreachable"
192
- ],
193
- "clusterSize": null,
194
- "unreachable": false,
195
- "validator_verdict": "unvalidated",
196
- "llm_confidence": null,
197
- "unvalidated": true,
198
- "cross_language": false,
199
- "family": "toctou-file-existence-permission-check-b",
200
- "parser": "TOCTOU",
201
- "_unsigned": false,
202
- "_passThroughSigning": false,
203
- "signatureStatus": "verified",
204
- "regression_test": null,
205
- "poc": null,
206
- "calibrated_confidence": null,
207
- "calibrated_confidence_ci": null,
208
- "calibrated_n": 0,
209
- "calibration_reason": "no-history",
210
- "verifier_verdict": "cannot-verify",
211
- "verifier_reason": "no-poc-no-sanitizer-rule",
212
- "verifier_runner": null,
213
- "narration": null,
214
- "mitigationVerdict": "unreachable-in-prod",
215
- "mitigationsApplied": [],
216
- "mitigatedByWaf": false,
217
- "wafRuleId": null,
218
- "mitigatedByAuth": false,
219
- "authMechanism": null,
220
- "mitigatedByNetwork": false,
221
- "networkExposure": null,
222
- "featureFlag": null,
223
- "featureFlagState": null,
224
- "featureFlagRollout": null,
225
- "exposedInProd": false,
226
- "unreachableInProd": true,
227
- "coldPath": false,
228
- "hotPath": false,
229
- "prodRequestCount": null,
230
- "crownJewelScore": 0.15,
231
- "crownJewelTier": "low-value",
232
- "crownJewelFactors": [
233
- "shell-execution"
234
- ],
235
- "cloneClusterId": "9c2182a3d2005edb",
236
- "cloneClusterSize": 1,
237
- "provenance": "human-likely",
238
- "provenanceScore": 0,
239
- "typeNarrowed": null,
240
- "strideCategory": "tampering",
241
- "personaScores": {
242
- "script-kiddie": {
243
- "score": 0.4,
244
- "tier": "medium",
245
- "factors": [
246
- "sev:medium"
247
- ]
248
- },
249
- "opportunistic-criminal": {
250
- "score": 0.4,
251
- "tier": "medium",
252
- "factors": [
253
- "sev:medium"
254
- ]
255
- },
256
- "apt-nation-state": {
257
- "score": 0.4,
258
- "tier": "medium",
259
- "factors": [
260
- "sev:medium"
261
- ]
262
- },
263
- "supply-chain-attacker": {
264
- "score": 0.4,
265
- "tier": "medium",
266
- "factors": [
267
- "sev:medium"
268
- ]
269
- },
270
- "malicious-insider": {
271
- "score": 0.4,
272
- "tier": "medium",
273
- "factors": [
274
- "sev:medium"
275
- ]
276
- }
277
- },
278
- "personaTopTwo": [
279
- "script-kiddie",
280
- "opportunistic-criminal"
281
- ],
282
- "personaMaxName": "script-kiddie",
283
- "personaMaxScore": 0.4,
284
- "reverseExposure": null,
285
- "specMined": null,
286
- "whyFired": {
287
- "detector": "sast/toctou-file-existence-permission-check-b",
288
- "ruleId": "CWE-367",
289
- "parser": "TOCTOU",
290
- "evidence": {
291
- "sinkSnippet": "if (!fs.existsSync(fp)) return [];",
292
- "sourceSnippet": null,
293
- "pathSteps": [],
294
- "sanitizers": [],
295
- "guards": []
296
- },
297
- "considered": {
298
- "suppressionsApplied": [],
299
- "suppressionsSkipped": [],
300
- "reachabilityFilter": "unaffected",
301
- "clusterCollapsed": false,
302
- "typeNarrowed": false,
303
- "crownJewelTier": "low-value",
304
- "mitigationVerdict": "unreachable-in-prod"
305
- },
306
- "scanner": {
307
- "rulesetVersion": null,
308
- "packHash": null,
309
- "modelId": null
310
- }
311
- },
312
- "adversaryTranscript": null,
313
- "predictedBountyUsd": null,
314
- "bountyConfidence": null,
315
- "attackPlaybook": null
316
- },
317
- {
318
- "id": "toctou-fs:agentic-security-consistency.js:44",
319
- "kind": "sast",
320
- "severity": "medium",
321
- "vuln": "TOCTOU: file existence/permission check before open",
322
- "cwe": "CWE-367",
323
- "owaspLlm": null,
324
- "stride": "Tampering",
325
- "file": "agentic-security-consistency.js",
326
- "line": 44,
327
- "snippet": "if (!fs.existsSync(scanFile)) {",
328
- "fix": null,
329
- "reachable": false,
330
- "triage": 22,
331
- "dataClasses": [],
332
- "chain": null,
333
- "confidence": 0.7,
334
- "toxicity": 8,
335
- "toxicityFactors": [],
336
- "toxicityLabel": "Low",
337
- "sources": null,
338
- "epssScore": null,
339
- "epssPercentile": null,
340
- "epssCve": null,
341
- "exploitedNow": false,
342
- "tags": null,
343
- "blastRadius": {
344
- "scope": "all-users",
345
- "dataAtRisk": [
346
- "config"
347
- ],
348
- "userCount": 50,
349
- "industry": "generic",
350
- "jurisdictions": [],
351
- "controlsApplied": [],
352
- "dollarBest": 23250,
353
- "dollarLikely": 136250,
354
- "dollarWorst": 775000,
355
- "dollarLow": 23250,
356
- "dollarHigh": 775000,
357
- "components": {
358
- "incidentResponse": {
359
- "low": 8000,
360
- "likely": 50000,
361
- "high": 250000
362
- },
363
- "legal": {
364
- "low": 10000,
365
- "likely": 75000,
366
- "high": 500000
367
- },
368
- "crisisPR": {
369
- "low": 0,
370
- "likely": 0,
371
- "high": 0
372
- },
373
- "notification": {
374
- "low": 5000,
375
- "likely": 10000,
376
- "high": 15000
377
- },
378
- "creditMonitoring": {
379
- "low": 0,
380
- "likely": 0,
381
- "high": 0
382
- },
383
- "regulatoryFines": {
384
- "low": 0,
385
- "likely": 0,
386
- "high": 0
387
- },
388
- "directDamage": {
389
- "low": 250,
390
- "likely": 1250,
391
- "high": 10000
392
- },
393
- "classAction": {
394
- "low": 0,
395
- "likely": 0,
396
- "high": 0
397
- },
398
- "lostBusiness": {
399
- "low": 0,
400
- "likely": 0,
401
- "high": 0
402
- }
403
- },
404
- "dominantDriver": "legal counsel",
405
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
406
- "confidence": "low",
407
- "narrative": "TOCTOU: file existence/permission check before open on `agentic-security-consistency.js:44` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
408
- },
409
- "stableId": "7244448882e8be9f",
410
- "confidenceTier": "medium",
411
- "exploitability": 0.2,
412
- "exploitabilityTier": "low",
413
- "exploitabilityFactors": [
414
- "sev:medium",
415
- "unreachable"
416
- ],
417
- "clusterSize": null,
418
- "unreachable": false,
419
- "validator_verdict": "unvalidated",
420
- "llm_confidence": null,
421
- "unvalidated": true,
422
- "cross_language": false,
423
- "family": "toctou-file-existence-permission-check-b",
424
- "parser": "TOCTOU",
425
- "_unsigned": false,
426
- "_passThroughSigning": false,
427
- "signatureStatus": "verified",
428
- "regression_test": null,
429
- "poc": null,
430
- "calibrated_confidence": null,
431
- "calibrated_confidence_ci": null,
432
- "calibrated_n": 0,
433
- "calibration_reason": "no-history",
434
- "verifier_verdict": "cannot-verify",
435
- "verifier_reason": "no-poc-no-sanitizer-rule",
436
- "verifier_runner": null,
437
- "narration": null,
438
- "mitigationVerdict": "unreachable-in-prod",
439
- "mitigationsApplied": [],
440
- "mitigatedByWaf": false,
441
- "wafRuleId": null,
442
- "mitigatedByAuth": false,
443
- "authMechanism": null,
444
- "mitigatedByNetwork": false,
445
- "networkExposure": null,
446
- "featureFlag": null,
447
- "featureFlagState": null,
448
- "featureFlagRollout": null,
449
- "exposedInProd": false,
450
- "unreachableInProd": true,
451
- "coldPath": false,
452
- "hotPath": false,
453
- "prodRequestCount": null,
454
- "crownJewelScore": 0,
455
- "crownJewelTier": "unknown",
456
- "crownJewelFactors": [],
457
- "cloneClusterId": "7451b9ab4bcfdaf0",
458
- "cloneClusterSize": 1,
459
- "provenance": "human-likely",
460
- "provenanceScore": 0.22,
461
- "typeNarrowed": null,
462
- "strideCategory": "tampering",
463
- "personaScores": {
464
- "script-kiddie": {
465
- "score": 0.4,
466
- "tier": "medium",
467
- "factors": [
468
- "sev:medium"
469
- ]
470
- },
471
- "opportunistic-criminal": {
472
- "score": 0.4,
473
- "tier": "medium",
474
- "factors": [
475
- "sev:medium"
476
- ]
477
- },
478
- "apt-nation-state": {
479
- "score": 0.4,
480
- "tier": "medium",
481
- "factors": [
482
- "sev:medium"
483
- ]
484
- },
485
- "supply-chain-attacker": {
486
- "score": 0.4,
487
- "tier": "medium",
488
- "factors": [
489
- "sev:medium"
490
- ]
491
- },
492
- "malicious-insider": {
493
- "score": 0.4,
494
- "tier": "medium",
495
- "factors": [
496
- "sev:medium"
497
- ]
498
- }
499
- },
500
- "personaTopTwo": [
501
- "script-kiddie",
502
- "opportunistic-criminal"
503
- ],
504
- "personaMaxName": "script-kiddie",
505
- "personaMaxScore": 0.4,
506
- "reverseExposure": null,
507
- "specMined": null,
508
- "whyFired": {
509
- "detector": "sast/toctou-file-existence-permission-check-b",
510
- "ruleId": "CWE-367",
511
- "parser": "TOCTOU",
512
- "evidence": {
513
- "sinkSnippet": "if (!fs.existsSync(scanFile)) {",
514
- "sourceSnippet": null,
515
- "pathSteps": [],
516
- "sanitizers": [],
517
- "guards": []
518
- },
519
- "considered": {
520
- "suppressionsApplied": [],
521
- "suppressionsSkipped": [],
522
- "reachabilityFilter": "unaffected",
523
- "clusterCollapsed": false,
524
- "typeNarrowed": false,
525
- "crownJewelTier": "unknown",
526
- "mitigationVerdict": "unreachable-in-prod"
527
- },
528
- "scanner": {
529
- "rulesetVersion": null,
530
- "packHash": null,
531
- "modelId": null
532
- }
533
- },
534
- "adversaryTranscript": null,
535
- "predictedBountyUsd": null,
536
- "bountyConfidence": null,
537
- "attackPlaybook": null
538
- },
539
- {
540
- "id": "toctou-fs:agentic-security-consistency.js:66",
541
- "kind": "sast",
542
- "severity": "medium",
543
- "vuln": "TOCTOU: file existence/permission check before open",
544
- "cwe": "CWE-367",
545
- "owaspLlm": null,
546
- "stride": "Tampering",
547
- "file": "agentic-security-consistency.js",
548
- "line": 66,
549
- "snippet": "if (fs.existsSync(fp)) fileContents[f.file] = fs.readFileSync(fp, 'utf8');",
550
- "fix": null,
551
- "reachable": false,
552
- "triage": 22,
553
- "dataClasses": [],
554
- "chain": null,
555
- "confidence": 0.7,
556
- "toxicity": 8,
557
- "toxicityFactors": [],
558
- "toxicityLabel": "Low",
559
- "sources": null,
560
- "epssScore": null,
561
- "epssPercentile": null,
562
- "epssCve": null,
563
- "exploitedNow": false,
564
- "tags": null,
565
- "blastRadius": {
566
- "scope": "all-users",
567
- "dataAtRisk": [
568
- "config"
569
- ],
570
- "userCount": 50,
571
- "industry": "generic",
572
- "jurisdictions": [],
573
- "controlsApplied": [],
574
- "dollarBest": 23250,
575
- "dollarLikely": 136250,
576
- "dollarWorst": 775000,
577
- "dollarLow": 23250,
578
- "dollarHigh": 775000,
579
- "components": {
580
- "incidentResponse": {
581
- "low": 8000,
582
- "likely": 50000,
583
- "high": 250000
584
- },
585
- "legal": {
586
- "low": 10000,
587
- "likely": 75000,
588
- "high": 500000
589
- },
590
- "crisisPR": {
591
- "low": 0,
592
- "likely": 0,
593
- "high": 0
594
- },
595
- "notification": {
596
- "low": 5000,
597
- "likely": 10000,
598
- "high": 15000
599
- },
600
- "creditMonitoring": {
601
- "low": 0,
602
- "likely": 0,
603
- "high": 0
604
- },
605
- "regulatoryFines": {
606
- "low": 0,
607
- "likely": 0,
608
- "high": 0
609
- },
610
- "directDamage": {
611
- "low": 250,
612
- "likely": 1250,
613
- "high": 10000
614
- },
615
- "classAction": {
616
- "low": 0,
617
- "likely": 0,
618
- "high": 0
619
- },
620
- "lostBusiness": {
621
- "low": 0,
622
- "likely": 0,
623
- "high": 0
624
- }
625
- },
626
- "dominantDriver": "legal counsel",
627
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
628
- "confidence": "low",
629
- "narrative": "TOCTOU: file existence/permission check before open on `agentic-security-consistency.js:66` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
630
- },
631
- "stableId": "17c7a9503b897ade",
632
- "confidenceTier": "medium",
633
- "exploitability": 0.2,
634
- "exploitabilityTier": "low",
635
- "exploitabilityFactors": [
636
- "sev:medium",
637
- "unreachable"
638
- ],
639
- "clusterSize": null,
640
- "unreachable": false,
641
- "validator_verdict": "unvalidated",
642
- "llm_confidence": null,
643
- "unvalidated": true,
644
- "cross_language": false,
645
- "family": "toctou-file-existence-permission-check-b",
646
- "parser": "TOCTOU",
647
- "_unsigned": false,
648
- "_passThroughSigning": false,
649
- "signatureStatus": "verified",
650
- "regression_test": null,
651
- "poc": null,
652
- "calibrated_confidence": null,
653
- "calibrated_confidence_ci": null,
654
- "calibrated_n": 0,
655
- "calibration_reason": "no-history",
656
- "verifier_verdict": "cannot-verify",
657
- "verifier_reason": "no-poc-no-sanitizer-rule",
658
- "verifier_runner": null,
659
- "narration": null,
660
- "mitigationVerdict": "unreachable-in-prod",
661
- "mitigationsApplied": [],
662
- "mitigatedByWaf": false,
663
- "wafRuleId": null,
664
- "mitigatedByAuth": false,
665
- "authMechanism": null,
666
- "mitigatedByNetwork": false,
667
- "networkExposure": null,
668
- "featureFlag": null,
669
- "featureFlagState": null,
670
- "featureFlagRollout": null,
671
- "exposedInProd": false,
672
- "unreachableInProd": true,
673
- "coldPath": false,
674
- "hotPath": false,
675
- "prodRequestCount": null,
676
- "crownJewelScore": 0,
677
- "crownJewelTier": "unknown",
678
- "crownJewelFactors": [],
679
- "cloneClusterId": "71b3a66f0700d3d0",
680
- "cloneClusterSize": 1,
681
- "provenance": "human-likely",
682
- "provenanceScore": 0.22,
683
- "typeNarrowed": null,
684
- "strideCategory": "tampering",
685
- "personaScores": {
686
- "script-kiddie": {
687
- "score": 0.4,
688
- "tier": "medium",
689
- "factors": [
690
- "sev:medium"
691
- ]
692
- },
693
- "opportunistic-criminal": {
694
- "score": 0.4,
695
- "tier": "medium",
696
- "factors": [
697
- "sev:medium"
698
- ]
699
- },
700
- "apt-nation-state": {
701
- "score": 0.4,
702
- "tier": "medium",
703
- "factors": [
704
- "sev:medium"
705
- ]
706
- },
707
- "supply-chain-attacker": {
708
- "score": 0.4,
709
- "tier": "medium",
710
- "factors": [
711
- "sev:medium"
712
- ]
713
- },
714
- "malicious-insider": {
715
- "score": 0.4,
716
- "tier": "medium",
717
- "factors": [
718
- "sev:medium"
719
- ]
720
- }
721
- },
722
- "personaTopTwo": [
723
- "script-kiddie",
724
- "opportunistic-criminal"
725
- ],
726
- "personaMaxName": "script-kiddie",
727
- "personaMaxScore": 0.4,
728
- "reverseExposure": null,
729
- "specMined": null,
730
- "whyFired": {
731
- "detector": "sast/toctou-file-existence-permission-check-b",
732
- "ruleId": "CWE-367",
733
- "parser": "TOCTOU",
734
- "evidence": {
735
- "sinkSnippet": "if (fs.existsSync(fp)) fileContents[f.file] = fs.readFileSync(fp, 'utf8');",
736
- "sourceSnippet": null,
737
- "pathSteps": [],
738
- "sanitizers": [],
739
- "guards": []
740
- },
741
- "considered": {
742
- "suppressionsApplied": [],
743
- "suppressionsSkipped": [],
744
- "reachabilityFilter": "unaffected",
745
- "clusterCollapsed": false,
746
- "typeNarrowed": false,
747
- "crownJewelTier": "unknown",
748
- "mitigationVerdict": "unreachable-in-prod"
749
- },
750
- "scanner": {
751
- "rulesetVersion": null,
752
- "packHash": null,
753
- "modelId": null
754
- }
755
- },
756
- "adversaryTranscript": null,
757
- "predictedBountyUsd": null,
758
- "bountyConfidence": null,
759
- "attackPlaybook": null
760
- },
761
- {
762
- "id": "toctou-fs:agentic-security.js:1105",
763
- "kind": "sast",
764
- "severity": "medium",
765
- "vuln": "TOCTOU: file existence/permission check before open",
766
- "cwe": "CWE-367",
767
- "owaspLlm": null,
768
- "stride": "Tampering",
769
- "file": "agentic-security.js",
770
- "line": 1105,
771
- "snippet": "const st = fs.statSync(abs);",
772
- "fix": null,
773
- "reachable": false,
774
- "triage": 22,
775
- "dataClasses": [],
776
- "chain": null,
777
- "confidence": 0.7,
778
- "toxicity": 8,
779
- "toxicityFactors": [],
780
- "toxicityLabel": "Low",
781
- "sources": null,
782
- "epssScore": null,
783
- "epssPercentile": null,
784
- "epssCve": null,
785
- "exploitedNow": false,
786
- "tags": null,
787
- "blastRadius": {
788
- "scope": "all-users",
789
- "dataAtRisk": [
790
- "config"
791
- ],
792
- "userCount": 50,
793
- "industry": "generic",
794
- "jurisdictions": [],
795
- "controlsApplied": [],
796
- "dollarBest": 23250,
797
- "dollarLikely": 136250,
798
- "dollarWorst": 775000,
799
- "dollarLow": 23250,
800
- "dollarHigh": 775000,
801
- "components": {
802
- "incidentResponse": {
803
- "low": 8000,
804
- "likely": 50000,
805
- "high": 250000
806
- },
807
- "legal": {
808
- "low": 10000,
809
- "likely": 75000,
810
- "high": 500000
811
- },
812
- "crisisPR": {
813
- "low": 0,
814
- "likely": 0,
815
- "high": 0
816
- },
817
- "notification": {
818
- "low": 5000,
819
- "likely": 10000,
820
- "high": 15000
821
- },
822
- "creditMonitoring": {
823
- "low": 0,
824
- "likely": 0,
825
- "high": 0
826
- },
827
- "regulatoryFines": {
828
- "low": 0,
829
- "likely": 0,
830
- "high": 0
831
- },
832
- "directDamage": {
833
- "low": 250,
834
- "likely": 1250,
835
- "high": 10000
836
- },
837
- "classAction": {
838
- "low": 0,
839
- "likely": 0,
840
- "high": 0
841
- },
842
- "lostBusiness": {
843
- "low": 0,
844
- "likely": 0,
845
- "high": 0
846
- }
847
- },
848
- "dominantDriver": "legal counsel",
849
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
850
- "confidence": "low",
851
- "narrative": "TOCTOU: file existence/permission check before open on `agentic-security.js:1105` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
852
- },
853
- "stableId": "17f63a600e3a68b4",
854
- "confidenceTier": "medium",
855
- "exploitability": 0.2,
856
- "exploitabilityTier": "low",
857
- "exploitabilityFactors": [
858
- "sev:medium",
859
- "unreachable"
860
- ],
861
- "clusterSize": null,
862
- "unreachable": false,
863
- "validator_verdict": "unvalidated",
864
- "llm_confidence": null,
865
- "unvalidated": true,
866
- "cross_language": false,
867
- "family": "toctou-file-existence-permission-check-b",
868
- "parser": "TOCTOU",
869
- "_unsigned": false,
870
- "_passThroughSigning": false,
871
- "signatureStatus": "verified",
872
- "regression_test": null,
873
- "poc": null,
874
- "calibrated_confidence": null,
875
- "calibrated_confidence_ci": null,
876
- "calibrated_n": 0,
877
- "calibration_reason": "no-history",
878
- "verifier_verdict": "cannot-verify",
879
- "verifier_reason": "no-poc-no-sanitizer-rule",
880
- "verifier_runner": null,
881
- "narration": null,
882
- "mitigationVerdict": "unreachable-in-prod",
883
- "mitigationsApplied": [],
884
- "mitigatedByWaf": false,
885
- "wafRuleId": null,
886
- "mitigatedByAuth": false,
887
- "authMechanism": null,
888
- "mitigatedByNetwork": false,
889
- "networkExposure": null,
890
- "featureFlag": null,
891
- "featureFlagState": null,
892
- "featureFlagRollout": null,
893
- "exposedInProd": false,
894
- "unreachableInProd": true,
895
- "coldPath": false,
896
- "hotPath": false,
897
- "prodRequestCount": null,
898
- "crownJewelScore": 0,
899
- "crownJewelTier": "unknown",
900
- "crownJewelFactors": [],
901
- "cloneClusterId": "69ff35f4d54a4549",
902
- "cloneClusterSize": 1,
903
- "provenance": "human-likely",
904
- "provenanceScore": 0.04,
905
- "typeNarrowed": null,
906
- "strideCategory": "tampering",
907
- "personaScores": {
908
- "script-kiddie": {
909
- "score": 0.4,
910
- "tier": "medium",
911
- "factors": [
912
- "sev:medium"
913
- ]
914
- },
915
- "opportunistic-criminal": {
916
- "score": 0.4,
917
- "tier": "medium",
918
- "factors": [
919
- "sev:medium"
920
- ]
921
- },
922
- "apt-nation-state": {
923
- "score": 0.4,
924
- "tier": "medium",
925
- "factors": [
926
- "sev:medium"
927
- ]
928
- },
929
- "supply-chain-attacker": {
930
- "score": 0.4,
931
- "tier": "medium",
932
- "factors": [
933
- "sev:medium"
934
- ]
935
- },
936
- "malicious-insider": {
937
- "score": 0.4,
938
- "tier": "medium",
939
- "factors": [
940
- "sev:medium"
941
- ]
942
- }
943
- },
944
- "personaTopTwo": [
945
- "script-kiddie",
946
- "opportunistic-criminal"
947
- ],
948
- "personaMaxName": "script-kiddie",
949
- "personaMaxScore": 0.4,
950
- "reverseExposure": null,
951
- "specMined": null,
952
- "whyFired": {
953
- "detector": "sast/toctou-file-existence-permission-check-b",
954
- "ruleId": "CWE-367",
955
- "parser": "TOCTOU",
956
- "evidence": {
957
- "sinkSnippet": "const st = fs.statSync(abs);",
958
- "sourceSnippet": null,
959
- "pathSteps": [],
960
- "sanitizers": [],
961
- "guards": []
962
- },
963
- "considered": {
964
- "suppressionsApplied": [],
965
- "suppressionsSkipped": [],
966
- "reachabilityFilter": "unaffected",
967
- "clusterCollapsed": false,
968
- "typeNarrowed": false,
969
- "crownJewelTier": "unknown",
970
- "mitigationVerdict": "unreachable-in-prod"
971
- },
972
- "scanner": {
973
- "rulesetVersion": null,
974
- "packHash": null,
975
- "modelId": null
976
- }
977
- },
978
- "adversaryTranscript": null,
979
- "predictedBountyUsd": null,
980
- "bountyConfidence": null,
981
- "attackPlaybook": null
982
- },
983
- {
984
- "id": "40a1d57f1e523620",
985
- "kind": "logic",
986
- "severity": "medium",
987
- "vuln": "Missing Unsigned Numeric Validation",
988
- "cwe": "CWE-20",
989
- "stride": "Tampering",
990
- "file": "agentic-security-audit.js",
991
- "line": 131,
992
- "snippet": "const rejRate = c.total > 0 ? (c.rejected || 0) / c.total : 0;",
993
- "fix": {
994
- "description": "Validate that numeric inputs are positive integers server-side before processing.",
995
- "code": "// BEFORE\nawait BasketItem.update({ quantity: req.body.quantity });\n\n// AFTER\nif (!Number.isInteger(req.body.quantity) || req.body.quantity < 1)\n return res.status(400).json({ error: 'Invalid quantity' });"
996
- },
997
- "blastRadius": {
998
- "scope": "all-users",
999
- "dataAtRisk": [
1000
- "config"
1001
- ],
1002
- "userCount": 50,
1003
- "industry": "generic",
1004
- "jurisdictions": [],
1005
- "controlsApplied": [],
1006
- "dollarBest": 23250,
1007
- "dollarLikely": 136250,
1008
- "dollarWorst": 775000,
1009
- "dollarLow": 23250,
1010
- "dollarHigh": 775000,
1011
- "components": {
1012
- "incidentResponse": {
1013
- "low": 8000,
1014
- "likely": 50000,
1015
- "high": 250000
1016
- },
1017
- "legal": {
1018
- "low": 10000,
1019
- "likely": 75000,
1020
- "high": 500000
1021
- },
1022
- "crisisPR": {
1023
- "low": 0,
1024
- "likely": 0,
1025
- "high": 0
1026
- },
1027
- "notification": {
1028
- "low": 5000,
1029
- "likely": 10000,
1030
- "high": 15000
1031
- },
1032
- "creditMonitoring": {
1033
- "low": 0,
1034
- "likely": 0,
1035
- "high": 0
1036
- },
1037
- "regulatoryFines": {
1038
- "low": 0,
1039
- "likely": 0,
1040
- "high": 0
1041
- },
1042
- "directDamage": {
1043
- "low": 250,
1044
- "likely": 1250,
1045
- "high": 10000
1046
- },
1047
- "classAction": {
1048
- "low": 0,
1049
- "likely": 0,
1050
- "high": 0
1051
- },
1052
- "lostBusiness": {
1053
- "low": 0,
1054
- "likely": 0,
1055
- "high": 0
1056
- }
1057
- },
1058
- "dominantDriver": "legal counsel",
1059
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1060
- "confidence": "low",
1061
- "narrative": "Missing Unsigned Numeric Validation on `agentic-security-audit.js:131` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1062
- },
1063
- "parser": "LOGIC",
1064
- "family": null
1065
- },
1066
- {
1067
- "id": "logic:agentic-security-audit.js:55:TOCTOU:_existsSync_followed_by_file_op",
1068
- "kind": "logic",
1069
- "severity": "medium",
1070
- "vuln": "TOCTOU: existsSync followed by file op",
1071
- "cwe": "CWE-367",
1072
- "stride": "Tampering",
1073
- "file": "agentic-security-audit.js",
1074
- "line": 55,
1075
- "snippet": "if (!fs.existsSync(fp)) return [];",
1076
- "fix": {
1077
- "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
1078
- "code": ""
1079
- },
1080
- "blastRadius": {
1081
- "scope": "all-users",
1082
- "dataAtRisk": [
1083
- "config"
1084
- ],
1085
- "userCount": 50,
1086
- "industry": "generic",
1087
- "jurisdictions": [],
1088
- "controlsApplied": [],
1089
- "dollarBest": 23250,
1090
- "dollarLikely": 136250,
1091
- "dollarWorst": 775000,
1092
- "dollarLow": 23250,
1093
- "dollarHigh": 775000,
1094
- "components": {
1095
- "incidentResponse": {
1096
- "low": 8000,
1097
- "likely": 50000,
1098
- "high": 250000
1099
- },
1100
- "legal": {
1101
- "low": 10000,
1102
- "likely": 75000,
1103
- "high": 500000
1104
- },
1105
- "crisisPR": {
1106
- "low": 0,
1107
- "likely": 0,
1108
- "high": 0
1109
- },
1110
- "notification": {
1111
- "low": 5000,
1112
- "likely": 10000,
1113
- "high": 15000
1114
- },
1115
- "creditMonitoring": {
1116
- "low": 0,
1117
- "likely": 0,
1118
- "high": 0
1119
- },
1120
- "regulatoryFines": {
1121
- "low": 0,
1122
- "likely": 0,
1123
- "high": 0
1124
- },
1125
- "directDamage": {
1126
- "low": 250,
1127
- "likely": 1250,
1128
- "high": 10000
1129
- },
1130
- "classAction": {
1131
- "low": 0,
1132
- "likely": 0,
1133
- "high": 0
1134
- },
1135
- "lostBusiness": {
1136
- "low": 0,
1137
- "likely": 0,
1138
- "high": 0
1139
- }
1140
- },
1141
- "dominantDriver": "legal counsel",
1142
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1143
- "confidence": "low",
1144
- "narrative": "TOCTOU: existsSync followed by file op on `agentic-security-audit.js:55` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1145
- },
1146
- "parser": "LOGIC",
1147
- "family": null
1148
- },
1149
- {
1150
- "id": "e2445e40b5e43c01",
1151
- "kind": "logic",
1152
- "severity": "medium",
1153
- "vuln": "Race Condition (TOCTOU)",
1154
- "cwe": "CWE-367",
1155
- "stride": "Tampering",
1156
- "file": "agentic-security-consistency.js",
1157
- "line": 66,
1158
- "snippet": "if (fs.existsSync(fp)) fileContents[f.file] = fs.readFileSync(fp, 'utf8');",
1159
- "fix": {
1160
- "description": "Use atomic operations instead of check-then-act patterns.",
1161
- "code": "// BEFORE\nif (fs.existsSync(p)) fs.unlinkSync(p);\n\n// AFTER\ntry { fs.unlinkSync(p); } catch(e) { if(e.code!=='ENOENT') throw e; }"
1162
- },
1163
- "blastRadius": {
1164
- "scope": "all-users",
1165
- "dataAtRisk": [
1166
- "config"
1167
- ],
1168
- "userCount": 50,
1169
- "industry": "generic",
1170
- "jurisdictions": [],
1171
- "controlsApplied": [],
1172
- "dollarBest": 23250,
1173
- "dollarLikely": 136250,
1174
- "dollarWorst": 775000,
1175
- "dollarLow": 23250,
1176
- "dollarHigh": 775000,
1177
- "components": {
1178
- "incidentResponse": {
1179
- "low": 8000,
1180
- "likely": 50000,
1181
- "high": 250000
1182
- },
1183
- "legal": {
1184
- "low": 10000,
1185
- "likely": 75000,
1186
- "high": 500000
1187
- },
1188
- "crisisPR": {
1189
- "low": 0,
1190
- "likely": 0,
1191
- "high": 0
1192
- },
1193
- "notification": {
1194
- "low": 5000,
1195
- "likely": 10000,
1196
- "high": 15000
1197
- },
1198
- "creditMonitoring": {
1199
- "low": 0,
1200
- "likely": 0,
1201
- "high": 0
1202
- },
1203
- "regulatoryFines": {
1204
- "low": 0,
1205
- "likely": 0,
1206
- "high": 0
1207
- },
1208
- "directDamage": {
1209
- "low": 250,
1210
- "likely": 1250,
1211
- "high": 10000
1212
- },
1213
- "classAction": {
1214
- "low": 0,
1215
- "likely": 0,
1216
- "high": 0
1217
- },
1218
- "lostBusiness": {
1219
- "low": 0,
1220
- "likely": 0,
1221
- "high": 0
1222
- }
1223
- },
1224
- "dominantDriver": "legal counsel",
1225
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1226
- "confidence": "low",
1227
- "narrative": "Race Condition (TOCTOU) on `agentic-security-consistency.js:66` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1228
- },
1229
- "parser": "LOGIC",
1230
- "family": null
1231
- },
1232
- {
1233
- "id": "logic:agentic-security-consistency.js:44:TOCTOU:_existsSync_followed_by_file_op",
1234
- "kind": "logic",
1235
- "severity": "medium",
1236
- "vuln": "TOCTOU: existsSync followed by file op",
1237
- "cwe": "CWE-367",
1238
- "stride": "Tampering",
1239
- "file": "agentic-security-consistency.js",
1240
- "line": 44,
1241
- "snippet": "if (!fs.existsSync(scanFile)) {",
1242
- "fix": {
1243
- "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
1244
- "code": ""
1245
- },
1246
- "blastRadius": {
1247
- "scope": "all-users",
1248
- "dataAtRisk": [
1249
- "config"
1250
- ],
1251
- "userCount": 50,
1252
- "industry": "generic",
1253
- "jurisdictions": [],
1254
- "controlsApplied": [],
1255
- "dollarBest": 23250,
1256
- "dollarLikely": 136250,
1257
- "dollarWorst": 775000,
1258
- "dollarLow": 23250,
1259
- "dollarHigh": 775000,
1260
- "components": {
1261
- "incidentResponse": {
1262
- "low": 8000,
1263
- "likely": 50000,
1264
- "high": 250000
1265
- },
1266
- "legal": {
1267
- "low": 10000,
1268
- "likely": 75000,
1269
- "high": 500000
1270
- },
1271
- "crisisPR": {
1272
- "low": 0,
1273
- "likely": 0,
1274
- "high": 0
1275
- },
1276
- "notification": {
1277
- "low": 5000,
1278
- "likely": 10000,
1279
- "high": 15000
1280
- },
1281
- "creditMonitoring": {
1282
- "low": 0,
1283
- "likely": 0,
1284
- "high": 0
1285
- },
1286
- "regulatoryFines": {
1287
- "low": 0,
1288
- "likely": 0,
1289
- "high": 0
1290
- },
1291
- "directDamage": {
1292
- "low": 250,
1293
- "likely": 1250,
1294
- "high": 10000
1295
- },
1296
- "classAction": {
1297
- "low": 0,
1298
- "likely": 0,
1299
- "high": 0
1300
- },
1301
- "lostBusiness": {
1302
- "low": 0,
1303
- "likely": 0,
1304
- "high": 0
1305
- }
1306
- },
1307
- "dominantDriver": "legal counsel",
1308
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1309
- "confidence": "low",
1310
- "narrative": "TOCTOU: existsSync followed by file op on `agentic-security-consistency.js:44` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1311
- },
1312
- "parser": "LOGIC",
1313
- "family": null
1314
- },
1315
- {
1316
- "id": "logic:agentic-security-consistency.js:66:TOCTOU:_existsSync_followed_by_file_op",
1317
- "kind": "logic",
1318
- "severity": "medium",
1319
- "vuln": "TOCTOU: existsSync followed by file op",
1320
- "cwe": "CWE-367",
1321
- "stride": "Tampering",
1322
- "file": "agentic-security-consistency.js",
1323
- "line": 66,
1324
- "snippet": "if (fs.existsSync(fp)) fileContents[f.file] = fs.readFileSync(fp, 'utf8');",
1325
- "fix": {
1326
- "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
1327
- "code": ""
1328
- },
1329
- "blastRadius": {
1330
- "scope": "all-users",
1331
- "dataAtRisk": [
1332
- "config"
1333
- ],
1334
- "userCount": 50,
1335
- "industry": "generic",
1336
- "jurisdictions": [],
1337
- "controlsApplied": [],
1338
- "dollarBest": 23250,
1339
- "dollarLikely": 136250,
1340
- "dollarWorst": 775000,
1341
- "dollarLow": 23250,
1342
- "dollarHigh": 775000,
1343
- "components": {
1344
- "incidentResponse": {
1345
- "low": 8000,
1346
- "likely": 50000,
1347
- "high": 250000
1348
- },
1349
- "legal": {
1350
- "low": 10000,
1351
- "likely": 75000,
1352
- "high": 500000
1353
- },
1354
- "crisisPR": {
1355
- "low": 0,
1356
- "likely": 0,
1357
- "high": 0
1358
- },
1359
- "notification": {
1360
- "low": 5000,
1361
- "likely": 10000,
1362
- "high": 15000
1363
- },
1364
- "creditMonitoring": {
1365
- "low": 0,
1366
- "likely": 0,
1367
- "high": 0
1368
- },
1369
- "regulatoryFines": {
1370
- "low": 0,
1371
- "likely": 0,
1372
- "high": 0
1373
- },
1374
- "directDamage": {
1375
- "low": 250,
1376
- "likely": 1250,
1377
- "high": 10000
1378
- },
1379
- "classAction": {
1380
- "low": 0,
1381
- "likely": 0,
1382
- "high": 0
1383
- },
1384
- "lostBusiness": {
1385
- "low": 0,
1386
- "likely": 0,
1387
- "high": 0
1388
- }
1389
- },
1390
- "dominantDriver": "legal counsel",
1391
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1392
- "confidence": "low",
1393
- "narrative": "TOCTOU: existsSync followed by file op on `agentic-security-consistency.js:66` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1394
- },
1395
- "parser": "LOGIC",
1396
- "family": null
1397
- },
1398
- {
1399
- "id": "49e1e00962a1950c",
1400
- "kind": "logic",
1401
- "severity": "medium",
1402
- "vuln": "Weak Randomness",
1403
- "cwe": "CWE-330",
1404
- "stride": "Spoofing",
1405
- "file": "agentic-security-rule.js",
1406
- "line": 98,
1407
- "snippet": "id: `key-${new Date().toISOString().slice(0, 10)}-${Math.random().toString(36).slice(2, 6)}`,",
1408
- "fix": {
1409
- "description": "Use crypto.randomBytes or crypto.randomUUID for security-sensitive values.",
1410
- "code": "// BEFORE\nconst token = Math.random().toString(36);\n\n// AFTER\nconst token = crypto.randomBytes(32).toString('hex');"
1411
- },
1412
- "blastRadius": {
1413
- "scope": "all-users",
1414
- "dataAtRisk": [
1415
- "config"
1416
- ],
1417
- "userCount": 50,
1418
- "industry": "generic",
1419
- "jurisdictions": [],
1420
- "controlsApplied": [],
1421
- "dollarBest": 23250,
1422
- "dollarLikely": 136250,
1423
- "dollarWorst": 775000,
1424
- "dollarLow": 23250,
1425
- "dollarHigh": 775000,
1426
- "components": {
1427
- "incidentResponse": {
1428
- "low": 8000,
1429
- "likely": 50000,
1430
- "high": 250000
1431
- },
1432
- "legal": {
1433
- "low": 10000,
1434
- "likely": 75000,
1435
- "high": 500000
1436
- },
1437
- "crisisPR": {
1438
- "low": 0,
1439
- "likely": 0,
1440
- "high": 0
1441
- },
1442
- "notification": {
1443
- "low": 5000,
1444
- "likely": 10000,
1445
- "high": 15000
1446
- },
1447
- "creditMonitoring": {
1448
- "low": 0,
1449
- "likely": 0,
1450
- "high": 0
1451
- },
1452
- "regulatoryFines": {
1453
- "low": 0,
1454
- "likely": 0,
1455
- "high": 0
1456
- },
1457
- "directDamage": {
1458
- "low": 250,
1459
- "likely": 1250,
1460
- "high": 10000
1461
- },
1462
- "classAction": {
1463
- "low": 0,
1464
- "likely": 0,
1465
- "high": 0
1466
- },
1467
- "lostBusiness": {
1468
- "low": 0,
1469
- "likely": 0,
1470
- "high": 0
1471
- }
1472
- },
1473
- "dominantDriver": "legal counsel",
1474
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1475
- "confidence": "low",
1476
- "narrative": "Weak Randomness on `agentic-security-rule.js:98` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1477
- },
1478
- "parser": "LOGIC",
1479
- "family": null
1480
- }
1481
- ],
1482
- "bundles": [],
1483
- "routes": [],
1484
- "components": [],
1485
- "suppressedCount": 38,
1486
- "blastRadiusSignals": {
1487
- "industry": "generic",
1488
- "industryConfidence": "low",
1489
- "jurisdictions": [],
1490
- "controls": [],
1491
- "estimatedUsers": 50,
1492
- "revenueIndicator": "pre-revenue",
1493
- "hasStripe": false,
1494
- "hasAuth": false,
1495
- "hasUserTable": false,
1496
- "hasPII": false,
1497
- "hasPHI": false,
1498
- "hasS3": false
1499
- },
1500
- "_v3": {
1501
- "counterfactual": {
1502
- "spofControls": [],
1503
- "controlsDetected": 118
1504
- },
1505
- "threatModel": {
1506
- "summary": {
1507
- "assetCount": 1,
1508
- "boundaryCount": 0,
1509
- "strideCounts": {
1510
- "spoofing": 0,
1511
- "tampering": 4,
1512
- "repudiation": 0,
1513
- "informationDisclosure": 0,
1514
- "denialOfService": 0,
1515
- "elevationOfPrivilege": 0
1516
- }
1517
- },
1518
- "assets": [
1519
- {
1520
- "name": "AGENTIC_SECURITY_PRIVATE_KEY",
1521
- "file": "agentic-security-rule.js",
1522
- "line": 121,
1523
- "category": "secret",
1524
- "exposure": "internal"
1525
- }
1526
- ],
1527
- "trustBoundaries": [],
1528
- "stride": {
1529
- "spoofing": [],
1530
- "tampering": [
1531
- {
1532
- "vuln": "TOCTOU: file existence/permission check before open",
1533
- "file": "agentic-security-audit.js",
1534
- "line": 55,
1535
- "severity": "medium"
1536
- },
1537
- {
1538
- "vuln": "TOCTOU: file existence/permission check before open",
1539
- "file": "agentic-security-consistency.js",
1540
- "line": 44,
1541
- "severity": "medium"
1542
- },
1543
- {
1544
- "vuln": "TOCTOU: file existence/permission check before open",
1545
- "file": "agentic-security-consistency.js",
1546
- "line": 66,
1547
- "severity": "medium"
1548
- },
1549
- {
1550
- "vuln": "TOCTOU: file existence/permission check before open",
1551
- "file": "agentic-security.js",
1552
- "line": 1105,
1553
- "severity": "medium"
1554
- }
1555
- ],
1556
- "repudiation": [],
1557
- "informationDisclosure": [],
1558
- "denialOfService": [],
1559
- "elevationOfPrivilege": []
1560
- }
1561
- },
1562
- "trustBoundaryDiagram": {
1563
- "mermaid": "flowchart LR\n INTERNET((Internet))\n APP[\"Application\"]\n asset_secret_AGENTIC_SECURITY_PRIVATE_KEY[/\"secret: AGENTIC_SECURITY_PRIVATE_KEY\"/]\n APP -->|asset| asset_secret_AGENTIC_SECURITY_PRIVATE_KEY\n classDef sev_critical fill:#ffcccc,stroke:#a00,stroke-width:2px;\n classDef sev_high fill:#ffe0b2,stroke:#c60,stroke-width:2px;\n classDef sev_medium fill:#fff3cd,stroke:#a80;\n classDef sev_low fill:#e8eaf6,stroke:#557;",
1564
- "nodes": [
1565
- {
1566
- "id": "INTERNET",
1567
- "kind": "external",
1568
- "label": "Internet"
1569
- },
1570
- {
1571
- "id": "APP",
1572
- "kind": "app",
1573
- "label": "Application"
1574
- },
1575
- {
1576
- "id": "asset_secret_AGENTIC_SECURITY_PRIVATE_KEY",
1577
- "kind": "asset",
1578
- "label": "secret: AGENTIC_SECURITY_PRIVATE_KEY"
1579
- }
1580
- ],
1581
- "edges": [
1582
- {
1583
- "from": "APP",
1584
- "to": "asset_secret_AGENTIC_SECURITY_PRIVATE_KEY",
1585
- "kind": "asset"
1586
- }
1587
- ],
1588
- "decorations": []
1589
- },
1590
- "calibrationDrift": {
1591
- "alarms": [],
1592
- "note": "no-feedback-data"
1593
- }
1594
- },
1595
- "annotatorErrors": []
1596
- }