@clear-capabilities/agentic-security-scanner 0.76.1 → 0.77.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (68)
  1. package/dist/agentic-security.mjs +8 -8
  2. package/dist/agentic-security.mjs.sha256 +1 -1
  3. package/package.json +5 -5
  4. package/bin/.agentic-security/findings.json +0 -1596
  5. package/bin/.agentic-security/last-scan.json +0 -1596
  6. package/bin/.agentic-security/last-scan.json.sig +0 -1
  7. package/bin/.agentic-security/scan-history.json +0 -475
  8. package/bin/.agentic-security/streak.json +0 -25
  9. package/dist/218.index.js +0 -793
  10. package/dist/601.index.js +0 -1038
  11. package/dist/634.index.js +0 -1892
  12. package/src/.agentic-security/findings.json +0 -80844
  13. package/src/.agentic-security/last-scan.json +0 -80844
  14. package/src/.agentic-security/last-scan.json.sig +0 -1
  15. package/src/.agentic-security/scan-history.json +0 -8408
  16. package/src/.agentic-security/streak.json +0 -26
  17. package/src/dataflow/.agentic-security/findings.json +0 -3487
  18. package/src/dataflow/.agentic-security/last-scan.json +0 -3487
  19. package/src/dataflow/.agentic-security/last-scan.json.sig +0 -1
  20. package/src/dataflow/.agentic-security/scan-history.json +0 -735
  21. package/src/dataflow/.agentic-security/streak.json +0 -24
  22. package/src/integrations/.agentic-security/findings.json +0 -1504
  23. package/src/integrations/.agentic-security/last-scan.json +0 -1504
  24. package/src/integrations/.agentic-security/scan-history.json +0 -40
  25. package/src/integrations/.agentic-security/streak.json +0 -21
  26. package/src/ir/.agentic-security/findings.json +0 -3036
  27. package/src/ir/.agentic-security/last-scan.json +0 -3036
  28. package/src/ir/.agentic-security/last-scan.json.sig +0 -1
  29. package/src/ir/.agentic-security/scan-history.json +0 -364
  30. package/src/ir/.agentic-security/streak.json +0 -23
  31. package/src/llm-validator/.agentic-security/findings.json +0 -1891
  32. package/src/llm-validator/.agentic-security/last-scan.json +0 -1891
  33. package/src/llm-validator/.agentic-security/last-scan.json.sig +0 -1
  34. package/src/llm-validator/.agentic-security/scan-history.json +0 -168
  35. package/src/llm-validator/.agentic-security/streak.json +0 -20
  36. package/src/lsp/.agentic-security/findings.json +0 -28
  37. package/src/lsp/.agentic-security/last-scan.json +0 -28
  38. package/src/lsp/.agentic-security/scan-history.json +0 -79
  39. package/src/lsp/.agentic-security/streak.json +0 -22
  40. package/src/mcp/.agentic-security/findings.json +0 -8403
  41. package/src/mcp/.agentic-security/last-scan.json +0 -8403
  42. package/src/mcp/.agentic-security/last-scan.json.sig +0 -1
  43. package/src/mcp/.agentic-security/scan-history.json +0 -1182
  44. package/src/mcp/.agentic-security/streak.json +0 -22
  45. package/src/posture/.agentic-security/findings.json +0 -51239
  46. package/src/posture/.agentic-security/last-scan.json +0 -51239
  47. package/src/posture/.agentic-security/last-scan.json.sig +0 -1
  48. package/src/posture/.agentic-security/scan-history.json +0 -5557
  49. package/src/posture/.agentic-security/streak.json +0 -24
  50. package/src/report/.agentic-security/findings.json +0 -79
  51. package/src/report/.agentic-security/last-scan.json +0 -79
  52. package/src/report/.agentic-security/last-scan.json.sig +0 -1
  53. package/src/report/.agentic-security/scan-history.json +0 -332
  54. package/src/report/.agentic-security/streak.json +0 -23
  55. package/src/sast/.agentic-security/findings.json +0 -5051
  56. package/src/sast/.agentic-security/last-scan.json +0 -5051
  57. package/src/sast/.agentic-security/last-scan.json.sig +0 -1
  58. package/src/sast/.agentic-security/scan-history.json +0 -788
  59. package/src/sast/.agentic-security/streak.json +0 -23
  60. package/src/sast/bench-shape/.agentic-security/findings.json +0 -28
  61. package/src/sast/bench-shape/.agentic-security/last-scan.json +0 -28
  62. package/src/sast/bench-shape/.agentic-security/scan-history.json +0 -24
  63. package/src/sast/bench-shape/.agentic-security/streak.json +0 -22
  64. package/src/sca/.agentic-security/findings.json +0 -1096
  65. package/src/sca/.agentic-security/last-scan.json +0 -1096
  66. package/src/sca/.agentic-security/last-scan.json.sig +0 -1
  67. package/src/sca/.agentic-security/scan-history.json +0 -18
  68. package/src/sca/.agentic-security/streak.json +0 -21
@@ -1,3487 +0,0 @@
1
- {
2
- "scanId": "c0ec088f-7109-4755-b599-aa770643cf19",
3
- "startedAt": "2026-05-20T21:19:04.813Z",
4
- "durationMs": 486,
5
- "scanned": {
6
- "files": 27,
7
- "lines": 0
8
- },
9
- "findings": [
10
- {
11
- "id": "struct:incremental.js:50:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
12
- "kind": "sast",
13
- "severity": "medium",
14
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
15
- "cwe": "CWE-400",
16
- "owaspLlm": null,
17
- "stride": "Denial of Service",
18
- "file": "incremental.js",
19
- "line": 50,
20
- "snippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
21
- "fix": null,
22
- "reachable": false,
23
- "triage": 22,
24
- "dataClasses": [],
25
- "chain": null,
26
- "confidence": 0.212,
27
- "toxicity": 28,
28
- "toxicityFactors": [
29
- "http-facing"
30
- ],
31
- "toxicityLabel": "Medium",
32
- "sources": null,
33
- "epssScore": null,
34
- "epssPercentile": null,
35
- "epssCve": null,
36
- "exploitedNow": false,
37
- "tags": null,
38
- "blastRadius": {
39
- "scope": "all-users",
40
- "dataAtRisk": [
41
- "config"
42
- ],
43
- "userCount": 50,
44
- "industry": "generic",
45
- "jurisdictions": [],
46
- "controlsApplied": [],
47
- "dollarBest": 23250,
48
- "dollarLikely": 136250,
49
- "dollarWorst": 775000,
50
- "dollarLow": 23250,
51
- "dollarHigh": 775000,
52
- "components": {
53
- "incidentResponse": {
54
- "low": 8000,
55
- "likely": 50000,
56
- "high": 250000
57
- },
58
- "legal": {
59
- "low": 10000,
60
- "likely": 75000,
61
- "high": 500000
62
- },
63
- "crisisPR": {
64
- "low": 0,
65
- "likely": 0,
66
- "high": 0
67
- },
68
- "notification": {
69
- "low": 5000,
70
- "likely": 10000,
71
- "high": 15000
72
- },
73
- "creditMonitoring": {
74
- "low": 0,
75
- "likely": 0,
76
- "high": 0
77
- },
78
- "regulatoryFines": {
79
- "low": 0,
80
- "likely": 0,
81
- "high": 0
82
- },
83
- "directDamage": {
84
- "low": 250,
85
- "likely": 1250,
86
- "high": 10000
87
- },
88
- "classAction": {
89
- "low": 0,
90
- "likely": 0,
91
- "high": 0
92
- },
93
- "lostBusiness": {
94
- "low": 0,
95
- "likely": 0,
96
- "high": 0
97
- }
98
- },
99
- "dominantDriver": "legal counsel",
100
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
101
- "confidence": "low",
102
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:50` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
103
- },
104
- "stableId": "7e2db52a92ce3811",
105
- "confidenceTier": "very-low",
106
- "exploitability": 0.2,
107
- "exploitabilityTier": "low",
108
- "exploitabilityFactors": [
109
- "sev:medium",
110
- "unreachable"
111
- ],
112
- "clusterSize": null,
113
- "unreachable": false,
114
- "validator_verdict": "unvalidated",
115
- "llm_confidence": null,
116
- "unvalidated": true,
117
- "cross_language": false,
118
- "family": "dos-sync-io",
119
- "_unsigned": false,
120
- "_passThroughSigning": false,
121
- "signatureStatus": "verified",
122
- "regression_test": null,
123
- "poc": null,
124
- "calibrated_confidence": null,
125
- "calibrated_confidence_ci": null,
126
- "calibrated_n": 0,
127
- "calibration_reason": "no-history",
128
- "verifier_verdict": "cannot-verify",
129
- "verifier_reason": "no-poc-no-sanitizer-rule",
130
- "verifier_runner": null,
131
- "narration": null,
132
- "mitigationVerdict": "unreachable-in-prod",
133
- "mitigationsApplied": [],
134
- "mitigatedByWaf": false,
135
- "wafRuleId": null,
136
- "mitigatedByAuth": false,
137
- "authMechanism": null,
138
- "mitigatedByNetwork": false,
139
- "networkExposure": null,
140
- "featureFlag": null,
141
- "featureFlagState": null,
142
- "featureFlagRollout": null,
143
- "exposedInProd": false,
144
- "unreachableInProd": true,
145
- "coldPath": false,
146
- "hotPath": false,
147
- "prodRequestCount": null,
148
- "crownJewelScore": 0,
149
- "crownJewelTier": "unknown",
150
- "crownJewelFactors": [],
151
- "cloneClusterId": "bf9643a065f64945",
152
- "cloneClusterSize": 2,
153
- "provenance": "human-likely",
154
- "provenanceScore": 0.22,
155
- "typeNarrowed": null,
156
- "strideCategory": "denialOfService",
157
- "personaScores": {
158
- "script-kiddie": {
159
- "score": 0.4,
160
- "tier": "medium",
161
- "factors": [
162
- "sev:medium"
163
- ]
164
- },
165
- "opportunistic-criminal": {
166
- "score": 0.4,
167
- "tier": "medium",
168
- "factors": [
169
- "sev:medium"
170
- ]
171
- },
172
- "apt-nation-state": {
173
- "score": 0.4,
174
- "tier": "medium",
175
- "factors": [
176
- "sev:medium"
177
- ]
178
- },
179
- "supply-chain-attacker": {
180
- "score": 0.4,
181
- "tier": "medium",
182
- "factors": [
183
- "sev:medium"
184
- ]
185
- },
186
- "malicious-insider": {
187
- "score": 0.4,
188
- "tier": "medium",
189
- "factors": [
190
- "sev:medium"
191
- ]
192
- }
193
- },
194
- "personaTopTwo": [
195
- "script-kiddie",
196
- "opportunistic-criminal"
197
- ],
198
- "personaMaxName": "script-kiddie",
199
- "personaMaxScore": 0.4,
200
- "reverseExposure": null,
201
- "specMined": null,
202
- "whyFired": {
203
- "detector": "sast/dos-sync-io",
204
- "ruleId": "CWE-400",
205
- "parser": "STRUCTURAL",
206
- "evidence": {
207
- "sinkSnippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
208
- "sourceSnippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
209
- "pathSteps": [],
210
- "sanitizers": [],
211
- "guards": []
212
- },
213
- "considered": {
214
- "suppressionsApplied": [],
215
- "suppressionsSkipped": [],
216
- "reachabilityFilter": "unaffected",
217
- "clusterCollapsed": false,
218
- "typeNarrowed": false,
219
- "crownJewelTier": "unknown",
220
- "mitigationVerdict": "unreachable-in-prod"
221
- },
222
- "scanner": {
223
- "rulesetVersion": null,
224
- "packHash": null,
225
- "modelId": null
226
- }
227
- },
228
- "adversaryTranscript": null,
229
- "predictedBountyUsd": {
230
- "low": 10,
231
- "likely": 40,
232
- "high": 120,
233
- "program": "web2"
234
- },
235
- "bountyConfidence": "high",
236
- "attackPlaybook": null
237
- },
238
- {
239
- "id": "struct:incremental.js:51:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
240
- "kind": "sast",
241
- "severity": "medium",
242
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
243
- "cwe": "CWE-400",
244
- "owaspLlm": null,
245
- "stride": "Denial of Service",
246
- "file": "incremental.js",
247
- "line": 51,
248
- "snippet": "const v = JSON.parse(fs.readFileSync(versionFp, 'utf8'));",
249
- "fix": null,
250
- "reachable": false,
251
- "triage": 22,
252
- "dataClasses": [],
253
- "chain": null,
254
- "confidence": 0.212,
255
- "toxicity": 28,
256
- "toxicityFactors": [
257
- "http-facing"
258
- ],
259
- "toxicityLabel": "Medium",
260
- "sources": null,
261
- "epssScore": null,
262
- "epssPercentile": null,
263
- "epssCve": null,
264
- "exploitedNow": false,
265
- "tags": null,
266
- "blastRadius": {
267
- "scope": "all-users",
268
- "dataAtRisk": [
269
- "config"
270
- ],
271
- "userCount": 50,
272
- "industry": "generic",
273
- "jurisdictions": [],
274
- "controlsApplied": [],
275
- "dollarBest": 23250,
276
- "dollarLikely": 136250,
277
- "dollarWorst": 775000,
278
- "dollarLow": 23250,
279
- "dollarHigh": 775000,
280
- "components": {
281
- "incidentResponse": {
282
- "low": 8000,
283
- "likely": 50000,
284
- "high": 250000
285
- },
286
- "legal": {
287
- "low": 10000,
288
- "likely": 75000,
289
- "high": 500000
290
- },
291
- "crisisPR": {
292
- "low": 0,
293
- "likely": 0,
294
- "high": 0
295
- },
296
- "notification": {
297
- "low": 5000,
298
- "likely": 10000,
299
- "high": 15000
300
- },
301
- "creditMonitoring": {
302
- "low": 0,
303
- "likely": 0,
304
- "high": 0
305
- },
306
- "regulatoryFines": {
307
- "low": 0,
308
- "likely": 0,
309
- "high": 0
310
- },
311
- "directDamage": {
312
- "low": 250,
313
- "likely": 1250,
314
- "high": 10000
315
- },
316
- "classAction": {
317
- "low": 0,
318
- "likely": 0,
319
- "high": 0
320
- },
321
- "lostBusiness": {
322
- "low": 0,
323
- "likely": 0,
324
- "high": 0
325
- }
326
- },
327
- "dominantDriver": "legal counsel",
328
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
329
- "confidence": "low",
330
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:51` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
331
- },
332
- "stableId": "333259288508799a",
333
- "confidenceTier": "very-low",
334
- "exploitability": 0.2,
335
- "exploitabilityTier": "low",
336
- "exploitabilityFactors": [
337
- "sev:medium",
338
- "unreachable"
339
- ],
340
- "clusterSize": null,
341
- "unreachable": false,
342
- "validator_verdict": "unvalidated",
343
- "llm_confidence": null,
344
- "unvalidated": true,
345
- "cross_language": false,
346
- "family": "dos-sync-io",
347
- "_unsigned": false,
348
- "_passThroughSigning": false,
349
- "signatureStatus": "verified",
350
- "regression_test": null,
351
- "poc": null,
352
- "calibrated_confidence": null,
353
- "calibrated_confidence_ci": null,
354
- "calibrated_n": 0,
355
- "calibration_reason": "no-history",
356
- "verifier_verdict": "cannot-verify",
357
- "verifier_reason": "no-poc-no-sanitizer-rule",
358
- "verifier_runner": null,
359
- "narration": null,
360
- "mitigationVerdict": "unreachable-in-prod",
361
- "mitigationsApplied": [],
362
- "mitigatedByWaf": false,
363
- "wafRuleId": null,
364
- "mitigatedByAuth": false,
365
- "authMechanism": null,
366
- "mitigatedByNetwork": false,
367
- "networkExposure": null,
368
- "featureFlag": null,
369
- "featureFlagState": null,
370
- "featureFlagRollout": null,
371
- "exposedInProd": false,
372
- "unreachableInProd": true,
373
- "coldPath": false,
374
- "hotPath": false,
375
- "prodRequestCount": null,
376
- "crownJewelScore": 0,
377
- "crownJewelTier": "unknown",
378
- "crownJewelFactors": [],
379
- "cloneClusterId": "8b60c3f57d48c622",
380
- "cloneClusterSize": 1,
381
- "provenance": "human-likely",
382
- "provenanceScore": 0.22,
383
- "typeNarrowed": null,
384
- "strideCategory": "denialOfService",
385
- "personaScores": {
386
- "script-kiddie": {
387
- "score": 0.4,
388
- "tier": "medium",
389
- "factors": [
390
- "sev:medium"
391
- ]
392
- },
393
- "opportunistic-criminal": {
394
- "score": 0.4,
395
- "tier": "medium",
396
- "factors": [
397
- "sev:medium"
398
- ]
399
- },
400
- "apt-nation-state": {
401
- "score": 0.4,
402
- "tier": "medium",
403
- "factors": [
404
- "sev:medium"
405
- ]
406
- },
407
- "supply-chain-attacker": {
408
- "score": 0.4,
409
- "tier": "medium",
410
- "factors": [
411
- "sev:medium"
412
- ]
413
- },
414
- "malicious-insider": {
415
- "score": 0.4,
416
- "tier": "medium",
417
- "factors": [
418
- "sev:medium"
419
- ]
420
- }
421
- },
422
- "personaTopTwo": [
423
- "script-kiddie",
424
- "opportunistic-criminal"
425
- ],
426
- "personaMaxName": "script-kiddie",
427
- "personaMaxScore": 0.4,
428
- "reverseExposure": null,
429
- "specMined": null,
430
- "whyFired": {
431
- "detector": "sast/dos-sync-io",
432
- "ruleId": "CWE-400",
433
- "parser": "STRUCTURAL",
434
- "evidence": {
435
- "sinkSnippet": "const v = JSON.parse(fs.readFileSync(versionFp, 'utf8'));",
436
- "sourceSnippet": "const v = JSON.parse(fs.readFileSync(versionFp, 'utf8'));",
437
- "pathSteps": [],
438
- "sanitizers": [],
439
- "guards": []
440
- },
441
- "considered": {
442
- "suppressionsApplied": [],
443
- "suppressionsSkipped": [],
444
- "reachabilityFilter": "unaffected",
445
- "clusterCollapsed": false,
446
- "typeNarrowed": false,
447
- "crownJewelTier": "unknown",
448
- "mitigationVerdict": "unreachable-in-prod"
449
- },
450
- "scanner": {
451
- "rulesetVersion": null,
452
- "packHash": null,
453
- "modelId": null
454
- }
455
- },
456
- "adversaryTranscript": null,
457
- "predictedBountyUsd": {
458
- "low": 10,
459
- "likely": 40,
460
- "high": 120,
461
- "program": "web2"
462
- },
463
- "bountyConfidence": "high",
464
- "attackPlaybook": null
465
- },
466
- {
467
- "id": "struct:incremental.js:68:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
468
- "kind": "sast",
469
- "severity": "medium",
470
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
471
- "cwe": "CWE-400",
472
- "owaspLlm": null,
473
- "stride": "Denial of Service",
474
- "file": "incremental.js",
475
- "line": 68,
476
- "snippet": "if (!fs.existsSync(fp)) return fallback;",
477
- "fix": null,
478
- "reachable": false,
479
- "triage": 22,
480
- "dataClasses": [],
481
- "chain": null,
482
- "confidence": 0.212,
483
- "toxicity": 28,
484
- "toxicityFactors": [
485
- "http-facing"
486
- ],
487
- "toxicityLabel": "Medium",
488
- "sources": null,
489
- "epssScore": null,
490
- "epssPercentile": null,
491
- "epssCve": null,
492
- "exploitedNow": false,
493
- "tags": null,
494
- "blastRadius": {
495
- "scope": "all-users",
496
- "dataAtRisk": [
497
- "config"
498
- ],
499
- "userCount": 50,
500
- "industry": "generic",
501
- "jurisdictions": [],
502
- "controlsApplied": [],
503
- "dollarBest": 23250,
504
- "dollarLikely": 136250,
505
- "dollarWorst": 775000,
506
- "dollarLow": 23250,
507
- "dollarHigh": 775000,
508
- "components": {
509
- "incidentResponse": {
510
- "low": 8000,
511
- "likely": 50000,
512
- "high": 250000
513
- },
514
- "legal": {
515
- "low": 10000,
516
- "likely": 75000,
517
- "high": 500000
518
- },
519
- "crisisPR": {
520
- "low": 0,
521
- "likely": 0,
522
- "high": 0
523
- },
524
- "notification": {
525
- "low": 5000,
526
- "likely": 10000,
527
- "high": 15000
528
- },
529
- "creditMonitoring": {
530
- "low": 0,
531
- "likely": 0,
532
- "high": 0
533
- },
534
- "regulatoryFines": {
535
- "low": 0,
536
- "likely": 0,
537
- "high": 0
538
- },
539
- "directDamage": {
540
- "low": 250,
541
- "likely": 1250,
542
- "high": 10000
543
- },
544
- "classAction": {
545
- "low": 0,
546
- "likely": 0,
547
- "high": 0
548
- },
549
- "lostBusiness": {
550
- "low": 0,
551
- "likely": 0,
552
- "high": 0
553
- }
554
- },
555
- "dominantDriver": "legal counsel",
556
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
557
- "confidence": "low",
558
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:68` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
559
- },
560
- "stableId": "6862d6baf0b923f7",
561
- "confidenceTier": "very-low",
562
- "exploitability": 0.2,
563
- "exploitabilityTier": "low",
564
- "exploitabilityFactors": [
565
- "sev:medium",
566
- "unreachable"
567
- ],
568
- "clusterSize": null,
569
- "unreachable": false,
570
- "validator_verdict": "unvalidated",
571
- "llm_confidence": null,
572
- "unvalidated": true,
573
- "cross_language": false,
574
- "family": "dos-sync-io",
575
- "_unsigned": false,
576
- "_passThroughSigning": false,
577
- "signatureStatus": "verified",
578
- "regression_test": null,
579
- "poc": null,
580
- "calibrated_confidence": null,
581
- "calibrated_confidence_ci": null,
582
- "calibrated_n": 0,
583
- "calibration_reason": "no-history",
584
- "verifier_verdict": "cannot-verify",
585
- "verifier_reason": "no-poc-no-sanitizer-rule",
586
- "verifier_runner": null,
587
- "narration": null,
588
- "mitigationVerdict": "unreachable-in-prod",
589
- "mitigationsApplied": [],
590
- "mitigatedByWaf": false,
591
- "wafRuleId": null,
592
- "mitigatedByAuth": false,
593
- "authMechanism": null,
594
- "mitigatedByNetwork": false,
595
- "networkExposure": null,
596
- "featureFlag": null,
597
- "featureFlagState": null,
598
- "featureFlagRollout": null,
599
- "exposedInProd": false,
600
- "unreachableInProd": true,
601
- "coldPath": false,
602
- "hotPath": false,
603
- "prodRequestCount": null,
604
- "crownJewelScore": 0,
605
- "crownJewelTier": "unknown",
606
- "crownJewelFactors": [],
607
- "cloneClusterId": "39f1d6db55cace1d",
608
- "cloneClusterSize": 2,
609
- "provenance": "human-likely",
610
- "provenanceScore": 0.22,
611
- "typeNarrowed": null,
612
- "strideCategory": "denialOfService",
613
- "personaScores": {
614
- "script-kiddie": {
615
- "score": 0.4,
616
- "tier": "medium",
617
- "factors": [
618
- "sev:medium"
619
- ]
620
- },
621
- "opportunistic-criminal": {
622
- "score": 0.4,
623
- "tier": "medium",
624
- "factors": [
625
- "sev:medium"
626
- ]
627
- },
628
- "apt-nation-state": {
629
- "score": 0.4,
630
- "tier": "medium",
631
- "factors": [
632
- "sev:medium"
633
- ]
634
- },
635
- "supply-chain-attacker": {
636
- "score": 0.4,
637
- "tier": "medium",
638
- "factors": [
639
- "sev:medium"
640
- ]
641
- },
642
- "malicious-insider": {
643
- "score": 0.4,
644
- "tier": "medium",
645
- "factors": [
646
- "sev:medium"
647
- ]
648
- }
649
- },
650
- "personaTopTwo": [
651
- "script-kiddie",
652
- "opportunistic-criminal"
653
- ],
654
- "personaMaxName": "script-kiddie",
655
- "personaMaxScore": 0.4,
656
- "reverseExposure": null,
657
- "specMined": null,
658
- "whyFired": {
659
- "detector": "sast/dos-sync-io",
660
- "ruleId": "CWE-400",
661
- "parser": "STRUCTURAL",
662
- "evidence": {
663
- "sinkSnippet": "if (!fs.existsSync(fp)) return fallback;",
664
- "sourceSnippet": "if (!fs.existsSync(fp)) return fallback;",
665
- "pathSteps": [],
666
- "sanitizers": [],
667
- "guards": []
668
- },
669
- "considered": {
670
- "suppressionsApplied": [],
671
- "suppressionsSkipped": [],
672
- "reachabilityFilter": "unaffected",
673
- "clusterCollapsed": false,
674
- "typeNarrowed": false,
675
- "crownJewelTier": "unknown",
676
- "mitigationVerdict": "unreachable-in-prod"
677
- },
678
- "scanner": {
679
- "rulesetVersion": null,
680
- "packHash": null,
681
- "modelId": null
682
- }
683
- },
684
- "adversaryTranscript": null,
685
- "predictedBountyUsd": {
686
- "low": 10,
687
- "likely": 40,
688
- "high": 120,
689
- "program": "web2"
690
- },
691
- "bountyConfidence": "high",
692
- "attackPlaybook": null
693
- },
694
- {
695
- "id": "struct:incremental.js:69:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
696
- "kind": "sast",
697
- "severity": "medium",
698
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
699
- "cwe": "CWE-400",
700
- "owaspLlm": null,
701
- "stride": "Denial of Service",
702
- "file": "incremental.js",
703
- "line": 69,
704
- "snippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
705
- "fix": null,
706
- "reachable": false,
707
- "triage": 22,
708
- "dataClasses": [],
709
- "chain": null,
710
- "confidence": 0.212,
711
- "toxicity": 28,
712
- "toxicityFactors": [
713
- "http-facing"
714
- ],
715
- "toxicityLabel": "Medium",
716
- "sources": null,
717
- "epssScore": null,
718
- "epssPercentile": null,
719
- "epssCve": null,
720
- "exploitedNow": false,
721
- "tags": null,
722
- "blastRadius": {
723
- "scope": "all-users",
724
- "dataAtRisk": [
725
- "config"
726
- ],
727
- "userCount": 50,
728
- "industry": "generic",
729
- "jurisdictions": [],
730
- "controlsApplied": [],
731
- "dollarBest": 23250,
732
- "dollarLikely": 136250,
733
- "dollarWorst": 775000,
734
- "dollarLow": 23250,
735
- "dollarHigh": 775000,
736
- "components": {
737
- "incidentResponse": {
738
- "low": 8000,
739
- "likely": 50000,
740
- "high": 250000
741
- },
742
- "legal": {
743
- "low": 10000,
744
- "likely": 75000,
745
- "high": 500000
746
- },
747
- "crisisPR": {
748
- "low": 0,
749
- "likely": 0,
750
- "high": 0
751
- },
752
- "notification": {
753
- "low": 5000,
754
- "likely": 10000,
755
- "high": 15000
756
- },
757
- "creditMonitoring": {
758
- "low": 0,
759
- "likely": 0,
760
- "high": 0
761
- },
762
- "regulatoryFines": {
763
- "low": 0,
764
- "likely": 0,
765
- "high": 0
766
- },
767
- "directDamage": {
768
- "low": 250,
769
- "likely": 1250,
770
- "high": 10000
771
- },
772
- "classAction": {
773
- "low": 0,
774
- "likely": 0,
775
- "high": 0
776
- },
777
- "lostBusiness": {
778
- "low": 0,
779
- "likely": 0,
780
- "high": 0
781
- }
782
- },
783
- "dominantDriver": "legal counsel",
784
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
785
- "confidence": "low",
786
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:69` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
787
- },
788
- "stableId": "7314934acc70477c",
789
- "confidenceTier": "very-low",
790
- "exploitability": 0.2,
791
- "exploitabilityTier": "low",
792
- "exploitabilityFactors": [
793
- "sev:medium",
794
- "unreachable"
795
- ],
796
- "clusterSize": null,
797
- "unreachable": false,
798
- "validator_verdict": "unvalidated",
799
- "llm_confidence": null,
800
- "unvalidated": true,
801
- "cross_language": false,
802
- "family": "dos-sync-io",
803
- "_unsigned": false,
804
- "_passThroughSigning": false,
805
- "signatureStatus": "verified",
806
- "regression_test": null,
807
- "poc": null,
808
- "calibrated_confidence": null,
809
- "calibrated_confidence_ci": null,
810
- "calibrated_n": 0,
811
- "calibration_reason": "no-history",
812
- "verifier_verdict": "cannot-verify",
813
- "verifier_reason": "no-poc-no-sanitizer-rule",
814
- "verifier_runner": null,
815
- "narration": null,
816
- "mitigationVerdict": "unreachable-in-prod",
817
- "mitigationsApplied": [],
818
- "mitigatedByWaf": false,
819
- "wafRuleId": null,
820
- "mitigatedByAuth": false,
821
- "authMechanism": null,
822
- "mitigatedByNetwork": false,
823
- "networkExposure": null,
824
- "featureFlag": null,
825
- "featureFlagState": null,
826
- "featureFlagRollout": null,
827
- "exposedInProd": false,
828
- "unreachableInProd": true,
829
- "coldPath": false,
830
- "hotPath": false,
831
- "prodRequestCount": null,
832
- "crownJewelScore": 0,
833
- "crownJewelTier": "unknown",
834
- "crownJewelFactors": [],
835
- "cloneClusterId": "b8a597058e30c50c",
836
- "cloneClusterSize": 1,
837
- "provenance": "human-likely",
838
- "provenanceScore": 0.22,
839
- "typeNarrowed": null,
840
- "strideCategory": "denialOfService",
841
- "personaScores": {
842
- "script-kiddie": {
843
- "score": 0.4,
844
- "tier": "medium",
845
- "factors": [
846
- "sev:medium"
847
- ]
848
- },
849
- "opportunistic-criminal": {
850
- "score": 0.4,
851
- "tier": "medium",
852
- "factors": [
853
- "sev:medium"
854
- ]
855
- },
856
- "apt-nation-state": {
857
- "score": 0.4,
858
- "tier": "medium",
859
- "factors": [
860
- "sev:medium"
861
- ]
862
- },
863
- "supply-chain-attacker": {
864
- "score": 0.4,
865
- "tier": "medium",
866
- "factors": [
867
- "sev:medium"
868
- ]
869
- },
870
- "malicious-insider": {
871
- "score": 0.4,
872
- "tier": "medium",
873
- "factors": [
874
- "sev:medium"
875
- ]
876
- }
877
- },
878
- "personaTopTwo": [
879
- "script-kiddie",
880
- "opportunistic-criminal"
881
- ],
882
- "personaMaxName": "script-kiddie",
883
- "personaMaxScore": 0.4,
884
- "reverseExposure": null,
885
- "specMined": null,
886
- "whyFired": {
887
- "detector": "sast/dos-sync-io",
888
- "ruleId": "CWE-400",
889
- "parser": "STRUCTURAL",
890
- "evidence": {
891
- "sinkSnippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
892
- "sourceSnippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
893
- "pathSteps": [],
894
- "sanitizers": [],
895
- "guards": []
896
- },
897
- "considered": {
898
- "suppressionsApplied": [],
899
- "suppressionsSkipped": [],
900
- "reachabilityFilter": "unaffected",
901
- "clusterCollapsed": false,
902
- "typeNarrowed": false,
903
- "crownJewelTier": "unknown",
904
- "mitigationVerdict": "unreachable-in-prod"
905
- },
906
- "scanner": {
907
- "rulesetVersion": null,
908
- "packHash": null,
909
- "modelId": null
910
- }
911
- },
912
- "adversaryTranscript": null,
913
- "predictedBountyUsd": {
914
- "low": 10,
915
- "likely": 40,
916
- "high": 120,
917
- "program": "web2"
918
- },
919
- "bountyConfidence": "high",
920
- "attackPlaybook": null
921
- },
922
- {
923
- "id": "struct:incremental.js:203:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
924
- "kind": "sast",
925
- "severity": "medium",
926
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
927
- "cwe": "CWE-400",
928
- "owaspLlm": null,
929
- "stride": "Denial of Service",
930
- "file": "incremental.js",
931
- "line": 203,
932
- "snippet": "fs.writeFileSync(path.join(dir, VERSION_PATH), JSON.stringify(currentVersion, null, 2));",
933
- "fix": null,
934
- "reachable": false,
935
- "triage": 22,
936
- "dataClasses": [],
937
- "chain": null,
938
- "confidence": 0.212,
939
- "toxicity": 28,
940
- "toxicityFactors": [
941
- "http-facing"
942
- ],
943
- "toxicityLabel": "Medium",
944
- "sources": null,
945
- "epssScore": null,
946
- "epssPercentile": null,
947
- "epssCve": null,
948
- "exploitedNow": false,
949
- "tags": null,
950
- "blastRadius": {
951
- "scope": "all-users",
952
- "dataAtRisk": [
953
- "config"
954
- ],
955
- "userCount": 50,
956
- "industry": "generic",
957
- "jurisdictions": [],
958
- "controlsApplied": [],
959
- "dollarBest": 23250,
960
- "dollarLikely": 136250,
961
- "dollarWorst": 775000,
962
- "dollarLow": 23250,
963
- "dollarHigh": 775000,
964
- "components": {
965
- "incidentResponse": {
966
- "low": 8000,
967
- "likely": 50000,
968
- "high": 250000
969
- },
970
- "legal": {
971
- "low": 10000,
972
- "likely": 75000,
973
- "high": 500000
974
- },
975
- "crisisPR": {
976
- "low": 0,
977
- "likely": 0,
978
- "high": 0
979
- },
980
- "notification": {
981
- "low": 5000,
982
- "likely": 10000,
983
- "high": 15000
984
- },
985
- "creditMonitoring": {
986
- "low": 0,
987
- "likely": 0,
988
- "high": 0
989
- },
990
- "regulatoryFines": {
991
- "low": 0,
992
- "likely": 0,
993
- "high": 0
994
- },
995
- "directDamage": {
996
- "low": 250,
997
- "likely": 1250,
998
- "high": 10000
999
- },
1000
- "classAction": {
1001
- "low": 0,
1002
- "likely": 0,
1003
- "high": 0
1004
- },
1005
- "lostBusiness": {
1006
- "low": 0,
1007
- "likely": 0,
1008
- "high": 0
1009
- }
1010
- },
1011
- "dominantDriver": "legal counsel",
1012
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1013
- "confidence": "low",
1014
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:203` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1015
- },
1016
- "stableId": "71f79aead6c815a7",
1017
- "confidenceTier": "very-low",
1018
- "exploitability": 0.2,
1019
- "exploitabilityTier": "low",
1020
- "exploitabilityFactors": [
1021
- "sev:medium",
1022
- "unreachable"
1023
- ],
1024
- "clusterSize": null,
1025
- "unreachable": false,
1026
- "validator_verdict": "unvalidated",
1027
- "llm_confidence": null,
1028
- "unvalidated": true,
1029
- "cross_language": false,
1030
- "family": "dos-sync-io",
1031
- "_unsigned": false,
1032
- "_passThroughSigning": false,
1033
- "signatureStatus": "verified",
1034
- "regression_test": null,
1035
- "poc": null,
1036
- "calibrated_confidence": null,
1037
- "calibrated_confidence_ci": null,
1038
- "calibrated_n": 0,
1039
- "calibration_reason": "no-history",
1040
- "verifier_verdict": "cannot-verify",
1041
- "verifier_reason": "no-poc-no-sanitizer-rule",
1042
- "verifier_runner": null,
1043
- "narration": null,
1044
- "mitigationVerdict": "unreachable-in-prod",
1045
- "mitigationsApplied": [],
1046
- "mitigatedByWaf": false,
1047
- "wafRuleId": null,
1048
- "mitigatedByAuth": false,
1049
- "authMechanism": null,
1050
- "mitigatedByNetwork": false,
1051
- "networkExposure": null,
1052
- "featureFlag": null,
1053
- "featureFlagState": null,
1054
- "featureFlagRollout": null,
1055
- "exposedInProd": false,
1056
- "unreachableInProd": true,
1057
- "coldPath": false,
1058
- "hotPath": false,
1059
- "prodRequestCount": null,
1060
- "crownJewelScore": 0,
1061
- "crownJewelTier": "unknown",
1062
- "crownJewelFactors": [],
1063
- "cloneClusterId": "347295aac188671b",
1064
- "cloneClusterSize": 1,
1065
- "provenance": "human-likely",
1066
- "provenanceScore": 0.22,
1067
- "typeNarrowed": null,
1068
- "strideCategory": "denialOfService",
1069
- "personaScores": {
1070
- "script-kiddie": {
1071
- "score": 0.4,
1072
- "tier": "medium",
1073
- "factors": [
1074
- "sev:medium"
1075
- ]
1076
- },
1077
- "opportunistic-criminal": {
1078
- "score": 0.4,
1079
- "tier": "medium",
1080
- "factors": [
1081
- "sev:medium"
1082
- ]
1083
- },
1084
- "apt-nation-state": {
1085
- "score": 0.4,
1086
- "tier": "medium",
1087
- "factors": [
1088
- "sev:medium"
1089
- ]
1090
- },
1091
- "supply-chain-attacker": {
1092
- "score": 0.4,
1093
- "tier": "medium",
1094
- "factors": [
1095
- "sev:medium"
1096
- ]
1097
- },
1098
- "malicious-insider": {
1099
- "score": 0.4,
1100
- "tier": "medium",
1101
- "factors": [
1102
- "sev:medium"
1103
- ]
1104
- }
1105
- },
1106
- "personaTopTwo": [
1107
- "script-kiddie",
1108
- "opportunistic-criminal"
1109
- ],
1110
- "personaMaxName": "script-kiddie",
1111
- "personaMaxScore": 0.4,
1112
- "reverseExposure": null,
1113
- "specMined": null,
1114
- "whyFired": {
1115
- "detector": "sast/dos-sync-io",
1116
- "ruleId": "CWE-400",
1117
- "parser": "STRUCTURAL",
1118
- "evidence": {
1119
- "sinkSnippet": "fs.writeFileSync(path.join(dir, VERSION_PATH), JSON.stringify(currentVersion, null, 2));",
1120
- "sourceSnippet": "fs.writeFileSync(path.join(dir, VERSION_PATH), JSON.stringify(currentVersion, null, 2));",
1121
- "pathSteps": [],
1122
- "sanitizers": [],
1123
- "guards": []
1124
- },
1125
- "considered": {
1126
- "suppressionsApplied": [],
1127
- "suppressionsSkipped": [],
1128
- "reachabilityFilter": "unaffected",
1129
- "clusterCollapsed": false,
1130
- "typeNarrowed": false,
1131
- "crownJewelTier": "unknown",
1132
- "mitigationVerdict": "unreachable-in-prod"
1133
- },
1134
- "scanner": {
1135
- "rulesetVersion": null,
1136
- "packHash": null,
1137
- "modelId": null
1138
- }
1139
- },
1140
- "adversaryTranscript": null,
1141
- "predictedBountyUsd": {
1142
- "low": 10,
1143
- "likely": 40,
1144
- "high": 120,
1145
- "program": "web2"
1146
- },
1147
- "bountyConfidence": "high",
1148
- "attackPlaybook": null
1149
- },
1150
- {
1151
- "id": "struct:incremental.js:204:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1152
- "kind": "sast",
1153
- "severity": "medium",
1154
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1155
- "cwe": "CWE-400",
1156
- "owaspLlm": null,
1157
- "stride": "Denial of Service",
1158
- "file": "incremental.js",
1159
- "line": 204,
1160
- "snippet": "fs.writeFileSync(path.join(dir, FILES_PATH), JSON.stringify(state.files || {}, null, 2));",
1161
- "fix": null,
1162
- "reachable": false,
1163
- "triage": 22,
1164
- "dataClasses": [],
1165
- "chain": null,
1166
- "confidence": 0.212,
1167
- "toxicity": 28,
1168
- "toxicityFactors": [
1169
- "http-facing"
1170
- ],
1171
- "toxicityLabel": "Medium",
1172
- "sources": null,
1173
- "epssScore": null,
1174
- "epssPercentile": null,
1175
- "epssCve": null,
1176
- "exploitedNow": false,
1177
- "tags": null,
1178
- "blastRadius": {
1179
- "scope": "all-users",
1180
- "dataAtRisk": [
1181
- "config"
1182
- ],
1183
- "userCount": 50,
1184
- "industry": "generic",
1185
- "jurisdictions": [],
1186
- "controlsApplied": [],
1187
- "dollarBest": 23250,
1188
- "dollarLikely": 136250,
1189
- "dollarWorst": 775000,
1190
- "dollarLow": 23250,
1191
- "dollarHigh": 775000,
1192
- "components": {
1193
- "incidentResponse": {
1194
- "low": 8000,
1195
- "likely": 50000,
1196
- "high": 250000
1197
- },
1198
- "legal": {
1199
- "low": 10000,
1200
- "likely": 75000,
1201
- "high": 500000
1202
- },
1203
- "crisisPR": {
1204
- "low": 0,
1205
- "likely": 0,
1206
- "high": 0
1207
- },
1208
- "notification": {
1209
- "low": 5000,
1210
- "likely": 10000,
1211
- "high": 15000
1212
- },
1213
- "creditMonitoring": {
1214
- "low": 0,
1215
- "likely": 0,
1216
- "high": 0
1217
- },
1218
- "regulatoryFines": {
1219
- "low": 0,
1220
- "likely": 0,
1221
- "high": 0
1222
- },
1223
- "directDamage": {
1224
- "low": 250,
1225
- "likely": 1250,
1226
- "high": 10000
1227
- },
1228
- "classAction": {
1229
- "low": 0,
1230
- "likely": 0,
1231
- "high": 0
1232
- },
1233
- "lostBusiness": {
1234
- "low": 0,
1235
- "likely": 0,
1236
- "high": 0
1237
- }
1238
- },
1239
- "dominantDriver": "legal counsel",
1240
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1241
- "confidence": "low",
1242
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:204` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1243
- },
1244
- "stableId": "16f0befb55d2a11a",
1245
- "confidenceTier": "very-low",
1246
- "exploitability": 0.2,
1247
- "exploitabilityTier": "low",
1248
- "exploitabilityFactors": [
1249
- "sev:medium",
1250
- "unreachable"
1251
- ],
1252
- "clusterSize": null,
1253
- "unreachable": false,
1254
- "validator_verdict": "unvalidated",
1255
- "llm_confidence": null,
1256
- "unvalidated": true,
1257
- "cross_language": false,
1258
- "family": "dos-sync-io",
1259
- "_unsigned": false,
1260
- "_passThroughSigning": false,
1261
- "signatureStatus": "verified",
1262
- "regression_test": null,
1263
- "poc": null,
1264
- "calibrated_confidence": null,
1265
- "calibrated_confidence_ci": null,
1266
- "calibrated_n": 0,
1267
- "calibration_reason": "no-history",
1268
- "verifier_verdict": "cannot-verify",
1269
- "verifier_reason": "no-poc-no-sanitizer-rule",
1270
- "verifier_runner": null,
1271
- "narration": null,
1272
- "mitigationVerdict": "unreachable-in-prod",
1273
- "mitigationsApplied": [],
1274
- "mitigatedByWaf": false,
1275
- "wafRuleId": null,
1276
- "mitigatedByAuth": false,
1277
- "authMechanism": null,
1278
- "mitigatedByNetwork": false,
1279
- "networkExposure": null,
1280
- "featureFlag": null,
1281
- "featureFlagState": null,
1282
- "featureFlagRollout": null,
1283
- "exposedInProd": false,
1284
- "unreachableInProd": true,
1285
- "coldPath": false,
1286
- "hotPath": false,
1287
- "prodRequestCount": null,
1288
- "crownJewelScore": 0,
1289
- "crownJewelTier": "unknown",
1290
- "crownJewelFactors": [],
1291
- "cloneClusterId": "cd20f49000f1b531",
1292
- "cloneClusterSize": 1,
1293
- "provenance": "human-likely",
1294
- "provenanceScore": 0.22,
1295
- "typeNarrowed": null,
1296
- "strideCategory": "denialOfService",
1297
- "personaScores": {
1298
- "script-kiddie": {
1299
- "score": 0.4,
1300
- "tier": "medium",
1301
- "factors": [
1302
- "sev:medium"
1303
- ]
1304
- },
1305
- "opportunistic-criminal": {
1306
- "score": 0.4,
1307
- "tier": "medium",
1308
- "factors": [
1309
- "sev:medium"
1310
- ]
1311
- },
1312
- "apt-nation-state": {
1313
- "score": 0.4,
1314
- "tier": "medium",
1315
- "factors": [
1316
- "sev:medium"
1317
- ]
1318
- },
1319
- "supply-chain-attacker": {
1320
- "score": 0.4,
1321
- "tier": "medium",
1322
- "factors": [
1323
- "sev:medium"
1324
- ]
1325
- },
1326
- "malicious-insider": {
1327
- "score": 0.4,
1328
- "tier": "medium",
1329
- "factors": [
1330
- "sev:medium"
1331
- ]
1332
- }
1333
- },
1334
- "personaTopTwo": [
1335
- "script-kiddie",
1336
- "opportunistic-criminal"
1337
- ],
1338
- "personaMaxName": "script-kiddie",
1339
- "personaMaxScore": 0.4,
1340
- "reverseExposure": null,
1341
- "specMined": null,
1342
- "whyFired": {
1343
- "detector": "sast/dos-sync-io",
1344
- "ruleId": "CWE-400",
1345
- "parser": "STRUCTURAL",
1346
- "evidence": {
1347
- "sinkSnippet": "fs.writeFileSync(path.join(dir, FILES_PATH), JSON.stringify(state.files || {}, null, 2));",
1348
- "sourceSnippet": "fs.writeFileSync(path.join(dir, FILES_PATH), JSON.stringify(state.files || {}, null, 2));",
1349
- "pathSteps": [],
1350
- "sanitizers": [],
1351
- "guards": []
1352
- },
1353
- "considered": {
1354
- "suppressionsApplied": [],
1355
- "suppressionsSkipped": [],
1356
- "reachabilityFilter": "unaffected",
1357
- "clusterCollapsed": false,
1358
- "typeNarrowed": false,
1359
- "crownJewelTier": "unknown",
1360
- "mitigationVerdict": "unreachable-in-prod"
1361
- },
1362
- "scanner": {
1363
- "rulesetVersion": null,
1364
- "packHash": null,
1365
- "modelId": null
1366
- }
1367
- },
1368
- "adversaryTranscript": null,
1369
- "predictedBountyUsd": {
1370
- "low": 10,
1371
- "likely": 40,
1372
- "high": 120,
1373
- "program": "web2"
1374
- },
1375
- "bountyConfidence": "high",
1376
- "attackPlaybook": null
1377
- },
1378
- {
1379
- "id": "struct:incremental.js:209:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1380
- "kind": "sast",
1381
- "severity": "medium",
1382
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1383
- "cwe": "CWE-400",
1384
- "owaspLlm": null,
1385
- "stride": "Denial of Service",
1386
- "file": "incremental.js",
1387
- "line": 209,
1388
- "snippet": "fs.writeFileSync(path.join(dir, SUMMARIES_PATH), JSON.stringify(payload));",
1389
- "fix": null,
1390
- "reachable": false,
1391
- "triage": 22,
1392
- "dataClasses": [],
1393
- "chain": null,
1394
- "confidence": 0.212,
1395
- "toxicity": 28,
1396
- "toxicityFactors": [
1397
- "http-facing"
1398
- ],
1399
- "toxicityLabel": "Medium",
1400
- "sources": null,
1401
- "epssScore": null,
1402
- "epssPercentile": null,
1403
- "epssCve": null,
1404
- "exploitedNow": false,
1405
- "tags": null,
1406
- "blastRadius": {
1407
- "scope": "all-users",
1408
- "dataAtRisk": [
1409
- "config"
1410
- ],
1411
- "userCount": 50,
1412
- "industry": "generic",
1413
- "jurisdictions": [],
1414
- "controlsApplied": [],
1415
- "dollarBest": 23250,
1416
- "dollarLikely": 136250,
1417
- "dollarWorst": 775000,
1418
- "dollarLow": 23250,
1419
- "dollarHigh": 775000,
1420
- "components": {
1421
- "incidentResponse": {
1422
- "low": 8000,
1423
- "likely": 50000,
1424
- "high": 250000
1425
- },
1426
- "legal": {
1427
- "low": 10000,
1428
- "likely": 75000,
1429
- "high": 500000
1430
- },
1431
- "crisisPR": {
1432
- "low": 0,
1433
- "likely": 0,
1434
- "high": 0
1435
- },
1436
- "notification": {
1437
- "low": 5000,
1438
- "likely": 10000,
1439
- "high": 15000
1440
- },
1441
- "creditMonitoring": {
1442
- "low": 0,
1443
- "likely": 0,
1444
- "high": 0
1445
- },
1446
- "regulatoryFines": {
1447
- "low": 0,
1448
- "likely": 0,
1449
- "high": 0
1450
- },
1451
- "directDamage": {
1452
- "low": 250,
1453
- "likely": 1250,
1454
- "high": 10000
1455
- },
1456
- "classAction": {
1457
- "low": 0,
1458
- "likely": 0,
1459
- "high": 0
1460
- },
1461
- "lostBusiness": {
1462
- "low": 0,
1463
- "likely": 0,
1464
- "high": 0
1465
- }
1466
- },
1467
- "dominantDriver": "legal counsel",
1468
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1469
- "confidence": "low",
1470
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:209` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1471
- },
1472
- "stableId": "b6ab9f0eaa3c75e0",
1473
- "confidenceTier": "very-low",
1474
- "exploitability": 0.2,
1475
- "exploitabilityTier": "low",
1476
- "exploitabilityFactors": [
1477
- "sev:medium",
1478
- "unreachable"
1479
- ],
1480
- "clusterSize": null,
1481
- "unreachable": false,
1482
- "validator_verdict": "unvalidated",
1483
- "llm_confidence": null,
1484
- "unvalidated": true,
1485
- "cross_language": false,
1486
- "family": "dos-sync-io",
1487
- "_unsigned": false,
1488
- "_passThroughSigning": false,
1489
- "signatureStatus": "verified",
1490
- "regression_test": null,
1491
- "poc": null,
1492
- "calibrated_confidence": null,
1493
- "calibrated_confidence_ci": null,
1494
- "calibrated_n": 0,
1495
- "calibration_reason": "no-history",
1496
- "verifier_verdict": "cannot-verify",
1497
- "verifier_reason": "no-poc-no-sanitizer-rule",
1498
- "verifier_runner": null,
1499
- "narration": null,
1500
- "mitigationVerdict": "unreachable-in-prod",
1501
- "mitigationsApplied": [],
1502
- "mitigatedByWaf": false,
1503
- "wafRuleId": null,
1504
- "mitigatedByAuth": false,
1505
- "authMechanism": null,
1506
- "mitigatedByNetwork": false,
1507
- "networkExposure": null,
1508
- "featureFlag": null,
1509
- "featureFlagState": null,
1510
- "featureFlagRollout": null,
1511
- "exposedInProd": false,
1512
- "unreachableInProd": true,
1513
- "coldPath": false,
1514
- "hotPath": false,
1515
- "prodRequestCount": null,
1516
- "crownJewelScore": 0,
1517
- "crownJewelTier": "unknown",
1518
- "crownJewelFactors": [],
1519
- "cloneClusterId": "4a06d0af981828b5",
1520
- "cloneClusterSize": 1,
1521
- "provenance": "human-likely",
1522
- "provenanceScore": 0.22,
1523
- "typeNarrowed": null,
1524
- "strideCategory": "denialOfService",
1525
- "personaScores": {
1526
- "script-kiddie": {
1527
- "score": 0.4,
1528
- "tier": "medium",
1529
- "factors": [
1530
- "sev:medium"
1531
- ]
1532
- },
1533
- "opportunistic-criminal": {
1534
- "score": 0.4,
1535
- "tier": "medium",
1536
- "factors": [
1537
- "sev:medium"
1538
- ]
1539
- },
1540
- "apt-nation-state": {
1541
- "score": 0.4,
1542
- "tier": "medium",
1543
- "factors": [
1544
- "sev:medium"
1545
- ]
1546
- },
1547
- "supply-chain-attacker": {
1548
- "score": 0.4,
1549
- "tier": "medium",
1550
- "factors": [
1551
- "sev:medium"
1552
- ]
1553
- },
1554
- "malicious-insider": {
1555
- "score": 0.4,
1556
- "tier": "medium",
1557
- "factors": [
1558
- "sev:medium"
1559
- ]
1560
- }
1561
- },
1562
- "personaTopTwo": [
1563
- "script-kiddie",
1564
- "opportunistic-criminal"
1565
- ],
1566
- "personaMaxName": "script-kiddie",
1567
- "personaMaxScore": 0.4,
1568
- "reverseExposure": null,
1569
- "specMined": null,
1570
- "whyFired": {
1571
- "detector": "sast/dos-sync-io",
1572
- "ruleId": "CWE-400",
1573
- "parser": "STRUCTURAL",
1574
- "evidence": {
1575
- "sinkSnippet": "fs.writeFileSync(path.join(dir, SUMMARIES_PATH), JSON.stringify(payload));",
1576
- "sourceSnippet": "fs.writeFileSync(path.join(dir, SUMMARIES_PATH), JSON.stringify(payload));",
1577
- "pathSteps": [],
1578
- "sanitizers": [],
1579
- "guards": []
1580
- },
1581
- "considered": {
1582
- "suppressionsApplied": [],
1583
- "suppressionsSkipped": [],
1584
- "reachabilityFilter": "unaffected",
1585
- "clusterCollapsed": false,
1586
- "typeNarrowed": false,
1587
- "crownJewelTier": "unknown",
1588
- "mitigationVerdict": "unreachable-in-prod"
1589
- },
1590
- "scanner": {
1591
- "rulesetVersion": null,
1592
- "packHash": null,
1593
- "modelId": null
1594
- }
1595
- },
1596
- "adversaryTranscript": null,
1597
- "predictedBountyUsd": {
1598
- "low": 10,
1599
- "likely": 40,
1600
- "high": 120,
1601
- "program": "web2"
1602
- },
1603
- "bountyConfidence": "high",
1604
- "attackPlaybook": null
1605
- },
1606
- {
1607
- "id": "struct:incremental.js:220:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1608
- "kind": "sast",
1609
- "severity": "medium",
1610
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1611
- "cwe": "CWE-400",
1612
- "owaspLlm": null,
1613
- "stride": "Denial of Service",
1614
- "file": "incremental.js",
1615
- "line": 220,
1616
- "snippet": "if (!fs.existsSync(dir)) return true;",
1617
- "fix": null,
1618
- "reachable": false,
1619
- "triage": 22,
1620
- "dataClasses": [],
1621
- "chain": null,
1622
- "confidence": 0.212,
1623
- "toxicity": 28,
1624
- "toxicityFactors": [
1625
- "http-facing"
1626
- ],
1627
- "toxicityLabel": "Medium",
1628
- "sources": null,
1629
- "epssScore": null,
1630
- "epssPercentile": null,
1631
- "epssCve": null,
1632
- "exploitedNow": false,
1633
- "tags": null,
1634
- "blastRadius": {
1635
- "scope": "all-users",
1636
- "dataAtRisk": [
1637
- "config"
1638
- ],
1639
- "userCount": 50,
1640
- "industry": "generic",
1641
- "jurisdictions": [],
1642
- "controlsApplied": [],
1643
- "dollarBest": 23250,
1644
- "dollarLikely": 136250,
1645
- "dollarWorst": 775000,
1646
- "dollarLow": 23250,
1647
- "dollarHigh": 775000,
1648
- "components": {
1649
- "incidentResponse": {
1650
- "low": 8000,
1651
- "likely": 50000,
1652
- "high": 250000
1653
- },
1654
- "legal": {
1655
- "low": 10000,
1656
- "likely": 75000,
1657
- "high": 500000
1658
- },
1659
- "crisisPR": {
1660
- "low": 0,
1661
- "likely": 0,
1662
- "high": 0
1663
- },
1664
- "notification": {
1665
- "low": 5000,
1666
- "likely": 10000,
1667
- "high": 15000
1668
- },
1669
- "creditMonitoring": {
1670
- "low": 0,
1671
- "likely": 0,
1672
- "high": 0
1673
- },
1674
- "regulatoryFines": {
1675
- "low": 0,
1676
- "likely": 0,
1677
- "high": 0
1678
- },
1679
- "directDamage": {
1680
- "low": 250,
1681
- "likely": 1250,
1682
- "high": 10000
1683
- },
1684
- "classAction": {
1685
- "low": 0,
1686
- "likely": 0,
1687
- "high": 0
1688
- },
1689
- "lostBusiness": {
1690
- "low": 0,
1691
- "likely": 0,
1692
- "high": 0
1693
- }
1694
- },
1695
- "dominantDriver": "legal counsel",
1696
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1697
- "confidence": "low",
1698
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:220` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1699
- },
1700
- "stableId": "0276003493008082",
1701
- "confidenceTier": "very-low",
1702
- "exploitability": 0.2,
1703
- "exploitabilityTier": "low",
1704
- "exploitabilityFactors": [
1705
- "sev:medium",
1706
- "unreachable"
1707
- ],
1708
- "clusterSize": null,
1709
- "unreachable": false,
1710
- "validator_verdict": "unvalidated",
1711
- "llm_confidence": null,
1712
- "unvalidated": true,
1713
- "cross_language": false,
1714
- "family": "dos-sync-io",
1715
- "_unsigned": false,
1716
- "_passThroughSigning": false,
1717
- "signatureStatus": "verified",
1718
- "regression_test": null,
1719
- "poc": null,
1720
- "calibrated_confidence": null,
1721
- "calibrated_confidence_ci": null,
1722
- "calibrated_n": 0,
1723
- "calibration_reason": "no-history",
1724
- "verifier_verdict": "cannot-verify",
1725
- "verifier_reason": "no-poc-no-sanitizer-rule",
1726
- "verifier_runner": null,
1727
- "narration": null,
1728
- "mitigationVerdict": "unreachable-in-prod",
1729
- "mitigationsApplied": [],
1730
- "mitigatedByWaf": false,
1731
- "wafRuleId": null,
1732
- "mitigatedByAuth": false,
1733
- "authMechanism": null,
1734
- "mitigatedByNetwork": false,
1735
- "networkExposure": null,
1736
- "featureFlag": null,
1737
- "featureFlagState": null,
1738
- "featureFlagRollout": null,
1739
- "exposedInProd": false,
1740
- "unreachableInProd": true,
1741
- "coldPath": false,
1742
- "hotPath": false,
1743
- "prodRequestCount": null,
1744
- "crownJewelScore": 0,
1745
- "crownJewelTier": "unknown",
1746
- "crownJewelFactors": [],
1747
- "cloneClusterId": "b7114d1d9de39865",
1748
- "cloneClusterSize": 1,
1749
- "provenance": "human-likely",
1750
- "provenanceScore": 0.22,
1751
- "typeNarrowed": null,
1752
- "strideCategory": "denialOfService",
1753
- "personaScores": {
1754
- "script-kiddie": {
1755
- "score": 0.4,
1756
- "tier": "medium",
1757
- "factors": [
1758
- "sev:medium"
1759
- ]
1760
- },
1761
- "opportunistic-criminal": {
1762
- "score": 0.4,
1763
- "tier": "medium",
1764
- "factors": [
1765
- "sev:medium"
1766
- ]
1767
- },
1768
- "apt-nation-state": {
1769
- "score": 0.4,
1770
- "tier": "medium",
1771
- "factors": [
1772
- "sev:medium"
1773
- ]
1774
- },
1775
- "supply-chain-attacker": {
1776
- "score": 0.4,
1777
- "tier": "medium",
1778
- "factors": [
1779
- "sev:medium"
1780
- ]
1781
- },
1782
- "malicious-insider": {
1783
- "score": 0.4,
1784
- "tier": "medium",
1785
- "factors": [
1786
- "sev:medium"
1787
- ]
1788
- }
1789
- },
1790
- "personaTopTwo": [
1791
- "script-kiddie",
1792
- "opportunistic-criminal"
1793
- ],
1794
- "personaMaxName": "script-kiddie",
1795
- "personaMaxScore": 0.4,
1796
- "reverseExposure": null,
1797
- "specMined": null,
1798
- "whyFired": {
1799
- "detector": "sast/dos-sync-io",
1800
- "ruleId": "CWE-400",
1801
- "parser": "STRUCTURAL",
1802
- "evidence": {
1803
- "sinkSnippet": "if (!fs.existsSync(dir)) return true;",
1804
- "sourceSnippet": "if (!fs.existsSync(dir)) return true;",
1805
- "pathSteps": [],
1806
- "sanitizers": [],
1807
- "guards": []
1808
- },
1809
- "considered": {
1810
- "suppressionsApplied": [],
1811
- "suppressionsSkipped": [],
1812
- "reachabilityFilter": "unaffected",
1813
- "clusterCollapsed": false,
1814
- "typeNarrowed": false,
1815
- "crownJewelTier": "unknown",
1816
- "mitigationVerdict": "unreachable-in-prod"
1817
- },
1818
- "scanner": {
1819
- "rulesetVersion": null,
1820
- "packHash": null,
1821
- "modelId": null
1822
- }
1823
- },
1824
- "adversaryTranscript": null,
1825
- "predictedBountyUsd": {
1826
- "low": 10,
1827
- "likely": 40,
1828
- "high": 120,
1829
- "program": "web2"
1830
- },
1831
- "bountyConfidence": "high",
1832
- "attackPlaybook": null
1833
- },
1834
- {
1835
- "id": "struct:incremental.js:223:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1836
- "kind": "sast",
1837
- "severity": "medium",
1838
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1839
- "cwe": "CWE-400",
1840
- "owaspLlm": null,
1841
- "stride": "Denial of Service",
1842
- "file": "incremental.js",
1843
- "line": 223,
1844
- "snippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
1845
- "fix": null,
1846
- "reachable": false,
1847
- "triage": 22,
1848
- "dataClasses": [],
1849
- "chain": null,
1850
- "confidence": 0.212,
1851
- "toxicity": 28,
1852
- "toxicityFactors": [
1853
- "http-facing"
1854
- ],
1855
- "toxicityLabel": "Medium",
1856
- "sources": null,
1857
- "epssScore": null,
1858
- "epssPercentile": null,
1859
- "epssCve": null,
1860
- "exploitedNow": false,
1861
- "tags": null,
1862
- "blastRadius": {
1863
- "scope": "all-users",
1864
- "dataAtRisk": [
1865
- "config"
1866
- ],
1867
- "userCount": 50,
1868
- "industry": "generic",
1869
- "jurisdictions": [],
1870
- "controlsApplied": [],
1871
- "dollarBest": 23250,
1872
- "dollarLikely": 136250,
1873
- "dollarWorst": 775000,
1874
- "dollarLow": 23250,
1875
- "dollarHigh": 775000,
1876
- "components": {
1877
- "incidentResponse": {
1878
- "low": 8000,
1879
- "likely": 50000,
1880
- "high": 250000
1881
- },
1882
- "legal": {
1883
- "low": 10000,
1884
- "likely": 75000,
1885
- "high": 500000
1886
- },
1887
- "crisisPR": {
1888
- "low": 0,
1889
- "likely": 0,
1890
- "high": 0
1891
- },
1892
- "notification": {
1893
- "low": 5000,
1894
- "likely": 10000,
1895
- "high": 15000
1896
- },
1897
- "creditMonitoring": {
1898
- "low": 0,
1899
- "likely": 0,
1900
- "high": 0
1901
- },
1902
- "regulatoryFines": {
1903
- "low": 0,
1904
- "likely": 0,
1905
- "high": 0
1906
- },
1907
- "directDamage": {
1908
- "low": 250,
1909
- "likely": 1250,
1910
- "high": 10000
1911
- },
1912
- "classAction": {
1913
- "low": 0,
1914
- "likely": 0,
1915
- "high": 0
1916
- },
1917
- "lostBusiness": {
1918
- "low": 0,
1919
- "likely": 0,
1920
- "high": 0
1921
- }
1922
- },
1923
- "dominantDriver": "legal counsel",
1924
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1925
- "confidence": "low",
1926
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:223` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1927
- },
1928
- "stableId": "15ad072cb77cdfe4",
1929
- "confidenceTier": "very-low",
1930
- "exploitability": 0.2,
1931
- "exploitabilityTier": "low",
1932
- "exploitabilityFactors": [
1933
- "sev:medium",
1934
- "unreachable"
1935
- ],
1936
- "clusterSize": null,
1937
- "unreachable": false,
1938
- "validator_verdict": "unvalidated",
1939
- "llm_confidence": null,
1940
- "unvalidated": true,
1941
- "cross_language": false,
1942
- "family": "dos-sync-io",
1943
- "_unsigned": false,
1944
- "_passThroughSigning": false,
1945
- "signatureStatus": "verified",
1946
- "regression_test": null,
1947
- "poc": null,
1948
- "calibrated_confidence": null,
1949
- "calibrated_confidence_ci": null,
1950
- "calibrated_n": 0,
1951
- "calibration_reason": "no-history",
1952
- "verifier_verdict": "cannot-verify",
1953
- "verifier_reason": "no-poc-no-sanitizer-rule",
1954
- "verifier_runner": null,
1955
- "narration": null,
1956
- "mitigationVerdict": "unreachable-in-prod",
1957
- "mitigationsApplied": [],
1958
- "mitigatedByWaf": false,
1959
- "wafRuleId": null,
1960
- "mitigatedByAuth": false,
1961
- "authMechanism": null,
1962
- "mitigatedByNetwork": false,
1963
- "networkExposure": null,
1964
- "featureFlag": null,
1965
- "featureFlagState": null,
1966
- "featureFlagRollout": null,
1967
- "exposedInProd": false,
1968
- "unreachableInProd": true,
1969
- "coldPath": false,
1970
- "hotPath": false,
1971
- "prodRequestCount": null,
1972
- "crownJewelScore": 0,
1973
- "crownJewelTier": "unknown",
1974
- "crownJewelFactors": [],
1975
- "cloneClusterId": "07f8fac8b280cc73",
1976
- "cloneClusterSize": 1,
1977
- "provenance": "human-likely",
1978
- "provenanceScore": 0.22,
1979
- "typeNarrowed": null,
1980
- "strideCategory": "denialOfService",
1981
- "personaScores": {
1982
- "script-kiddie": {
1983
- "score": 0.4,
1984
- "tier": "medium",
1985
- "factors": [
1986
- "sev:medium"
1987
- ]
1988
- },
1989
- "opportunistic-criminal": {
1990
- "score": 0.4,
1991
- "tier": "medium",
1992
- "factors": [
1993
- "sev:medium"
1994
- ]
1995
- },
1996
- "apt-nation-state": {
1997
- "score": 0.4,
1998
- "tier": "medium",
1999
- "factors": [
2000
- "sev:medium"
2001
- ]
2002
- },
2003
- "supply-chain-attacker": {
2004
- "score": 0.4,
2005
- "tier": "medium",
2006
- "factors": [
2007
- "sev:medium"
2008
- ]
2009
- },
2010
- "malicious-insider": {
2011
- "score": 0.4,
2012
- "tier": "medium",
2013
- "factors": [
2014
- "sev:medium"
2015
- ]
2016
- }
2017
- },
2018
- "personaTopTwo": [
2019
- "script-kiddie",
2020
- "opportunistic-criminal"
2021
- ],
2022
- "personaMaxName": "script-kiddie",
2023
- "personaMaxScore": 0.4,
2024
- "reverseExposure": null,
2025
- "specMined": null,
2026
- "whyFired": {
2027
- "detector": "sast/dos-sync-io",
2028
- "ruleId": "CWE-400",
2029
- "parser": "STRUCTURAL",
2030
- "evidence": {
2031
- "sinkSnippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
2032
- "sourceSnippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
2033
- "pathSteps": [],
2034
- "sanitizers": [],
2035
- "guards": []
2036
- },
2037
- "considered": {
2038
- "suppressionsApplied": [],
2039
- "suppressionsSkipped": [],
2040
- "reachabilityFilter": "unaffected",
2041
- "clusterCollapsed": false,
2042
- "typeNarrowed": false,
2043
- "crownJewelTier": "unknown",
2044
- "mitigationVerdict": "unreachable-in-prod"
2045
- },
2046
- "scanner": {
2047
- "rulesetVersion": null,
2048
- "packHash": null,
2049
- "modelId": null
2050
- }
2051
- },
2052
- "adversaryTranscript": null,
2053
- "predictedBountyUsd": {
2054
- "low": 10,
2055
- "likely": 40,
2056
- "high": 120,
2057
- "program": "web2"
2058
- },
2059
- "bountyConfidence": "high",
2060
- "attackPlaybook": null
2061
- },
2062
- {
2063
- "id": "ssrf-meta-hardcoded:catalog.js:431",
2064
- "kind": "sast",
2065
- "severity": "medium",
2066
- "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
2067
- "cwe": "CWE-918",
2068
- "owaspLlm": null,
2069
- "stride": "Information Disclosure",
2070
- "file": "catalog.js",
2071
- "line": 431,
2072
- "snippet": "remediation: 'Resolve the host first, reject 169.254.169.254 / RFC1918 / localhost; or proxy through a server-side allow-list.' } },",
2073
- "fix": null,
2074
- "reachable": false,
2075
- "triage": 22,
2076
- "dataClasses": [],
2077
- "chain": null,
2078
- "confidence": 0.7,
2079
- "toxicity": 8,
2080
- "toxicityFactors": [],
2081
- "toxicityLabel": "Low",
2082
- "sources": null,
2083
- "epssScore": null,
2084
- "epssPercentile": null,
2085
- "epssCve": null,
2086
- "exploitedNow": false,
2087
- "tags": null,
2088
- "blastRadius": {
2089
- "scope": "all-users",
2090
- "dataAtRisk": [
2091
- "credentials"
2092
- ],
2093
- "userCount": 50,
2094
- "industry": "generic",
2095
- "jurisdictions": [],
2096
- "controlsApplied": [],
2097
- "dollarBest": 24000,
2098
- "dollarLikely": 138000,
2099
- "dollarWorst": 777500,
2100
- "dollarLow": 24000,
2101
- "dollarHigh": 777500,
2102
- "components": {
2103
- "incidentResponse": {
2104
- "low": 8000,
2105
- "likely": 50000,
2106
- "high": 250000
2107
- },
2108
- "legal": {
2109
- "low": 10000,
2110
- "likely": 75000,
2111
- "high": 500000
2112
- },
2113
- "crisisPR": {
2114
- "low": 0,
2115
- "likely": 0,
2116
- "high": 0
2117
- },
2118
- "notification": {
2119
- "low": 5000,
2120
- "likely": 10000,
2121
- "high": 15000
2122
- },
2123
- "creditMonitoring": {
2124
- "low": 0,
2125
- "likely": 0,
2126
- "high": 0
2127
- },
2128
- "regulatoryFines": {
2129
- "low": 0,
2130
- "likely": 0,
2131
- "high": 0
2132
- },
2133
- "directDamage": {
2134
- "low": 1000,
2135
- "likely": 3000,
2136
- "high": 12500
2137
- },
2138
- "classAction": {
2139
- "low": 0,
2140
- "likely": 0,
2141
- "high": 0
2142
- },
2143
- "lostBusiness": {
2144
- "low": 0,
2145
- "likely": 0,
2146
- "high": 0
2147
- }
2148
- },
2149
- "dominantDriver": "legal counsel",
2150
- "comparable": "Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)",
2151
- "confidence": "low",
2152
- "narrative": "SSRF: explicit reference to cloud instance-metadata endpoint on `catalog.js:431` could expose production credentials and API keys. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $24k · likely $138k · worst $778k. Dominant driver: legal counsel. Comparable: Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)."
2153
- },
2154
- "stableId": "3dfe482b8d5e3a09",
2155
- "confidenceTier": "medium",
2156
- "exploitability": 0.2,
2157
- "exploitabilityTier": "low",
2158
- "exploitabilityFactors": [
2159
- "sev:medium",
2160
- "unreachable"
2161
- ],
2162
- "clusterSize": null,
2163
- "unreachable": false,
2164
- "validator_verdict": "unvalidated",
2165
- "llm_confidence": null,
2166
- "unvalidated": true,
2167
- "cross_language": false,
2168
- "family": "ssrf",
2169
- "_unsigned": false,
2170
- "_passThroughSigning": false,
2171
- "signatureStatus": "verified",
2172
- "regression_test": {
2173
- "lang": "node",
2174
- "framework": "jest",
2175
- "filename": "security_3dfe482b8d5e3a09.test.mjs",
2176
- "runHint": "npx jest",
2177
- "code": "// Regression test for SSRF: explicit reference to cloud instance-metadata endpoint (CWE-918).\n// Auto-generated from P1.1 PoC; fails on vulnerable code, passes after the fix.\n\nimport { test, expect } from '@jest/globals';\n\ntest('SSRF: explicit reference to cloud instance-metadata endpoint', async () => {\n const URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\n const METHOD = \"POST\";\n const PAYLOAD = \"http://127.0.0.1:65533/poc-ssrf-sentinel\";\n const body = METHOD === 'GET' ? null : JSON.stringify({ input: PAYLOAD });\n const reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + 'input=' + encodeURIComponent(PAYLOAD)\n : URL_;\n const r = await fetch(reqUrl, { method: METHOD, headers: { 'Content-Type': 'application/json' }, body });\n const text = await r.text();\n // The assertion below is the \"exploit demonstrated\" signal — when this\n // test PASSES, the vuln is still present. After the fix, this assertion\n // SHOULD fail. Inverse the assertion in a green build.\n const demonstrated = text.includes('PoC') || /syntax error/i.test(text) || text.includes('<script>');\n expect(demonstrated).toBe(false);\n});\n"
2178
- },
2179
- "poc": {
2180
- "lang": "node",
2181
- "kind": "http-payload",
2182
- "cwe": "CWE-918",
2183
- "family": "ssrf",
2184
- "runHint": "node poc.mjs",
2185
- "code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n"
2186
- },
2187
- "calibrated_confidence": null,
2188
- "calibrated_confidence_ci": null,
2189
- "calibrated_n": 24,
2190
- "calibration_reason": "insufficient-samples",
2191
- "verifier_verdict": "verified-sanitizer-absence",
2192
- "verifier_reason": "no-sanitizer-in-window",
2193
- "verifier_runner": null,
2194
- "narration": null,
2195
- "mitigationVerdict": "unreachable-in-prod",
2196
- "mitigationsApplied": [],
2197
- "mitigatedByWaf": false,
2198
- "wafRuleId": null,
2199
- "mitigatedByAuth": false,
2200
- "authMechanism": null,
2201
- "mitigatedByNetwork": false,
2202
- "networkExposure": null,
2203
- "featureFlag": null,
2204
- "featureFlagState": null,
2205
- "featureFlagRollout": null,
2206
- "exposedInProd": false,
2207
- "unreachableInProd": true,
2208
- "coldPath": false,
2209
- "hotPath": false,
2210
- "prodRequestCount": null,
2211
- "crownJewelScore": 0.15,
2212
- "crownJewelTier": "low-value",
2213
- "crownJewelFactors": [
2214
- "shell-execution"
2215
- ],
2216
- "cloneClusterId": null,
2217
- "cloneClusterSize": 1,
2218
- "provenance": "human-likely",
2219
- "provenanceScore": 0.26,
2220
- "typeNarrowed": null,
2221
- "strideCategory": "tampering",
2222
- "personaScores": {
2223
- "script-kiddie": {
2224
- "score": 0.4,
2225
- "tier": "medium",
2226
- "factors": [
2227
- "sev:medium"
2228
- ]
2229
- },
2230
- "opportunistic-criminal": {
2231
- "score": 0.6,
2232
- "tier": "high",
2233
- "factors": [
2234
- "sev:medium",
2235
- "bias:ssrf+0.20"
2236
- ]
2237
- },
2238
- "apt-nation-state": {
2239
- "score": 0.7,
2240
- "tier": "high",
2241
- "factors": [
2242
- "sev:medium",
2243
- "bias:ssrf+0.30"
2244
- ]
2245
- },
2246
- "supply-chain-attacker": {
2247
- "score": 0.4,
2248
- "tier": "medium",
2249
- "factors": [
2250
- "sev:medium"
2251
- ]
2252
- },
2253
- "malicious-insider": {
2254
- "score": 0.4,
2255
- "tier": "medium",
2256
- "factors": [
2257
- "sev:medium"
2258
- ]
2259
- }
2260
- },
2261
- "personaTopTwo": [
2262
- "apt-nation-state",
2263
- "opportunistic-criminal"
2264
- ],
2265
- "personaMaxName": "apt-nation-state",
2266
- "personaMaxScore": 0.7,
2267
- "reverseExposure": null,
2268
- "specMined": null,
2269
- "whyFired": {
2270
- "detector": "sast/ssrf",
2271
- "ruleId": "CWE-918",
2272
- "parser": "SSRF-METADATA",
2273
- "evidence": {
2274
- "sinkSnippet": "remediation: 'Resolve the host first, reject 169.254.169.254 / RFC1918 / localhost; or proxy through a server-side allow-list.' } },",
2275
- "sourceSnippet": null,
2276
- "pathSteps": [],
2277
- "sanitizers": [],
2278
- "guards": []
2279
- },
2280
- "considered": {
2281
- "suppressionsApplied": [],
2282
- "suppressionsSkipped": [],
2283
- "reachabilityFilter": "unaffected",
2284
- "clusterCollapsed": false,
2285
- "typeNarrowed": false,
2286
- "crownJewelTier": "low-value",
2287
- "mitigationVerdict": "unreachable-in-prod"
2288
- },
2289
- "scanner": {
2290
- "rulesetVersion": null,
2291
- "packHash": null,
2292
- "modelId": null
2293
- }
2294
- },
2295
- "adversaryTranscript": null,
2296
- "predictedBountyUsd": {
2297
- "low": 30,
2298
- "likely": 120,
2299
- "high": 350,
2300
- "program": "web2"
2301
- },
2302
- "bountyConfidence": "high",
2303
- "attackPlaybook": null
2304
- },
2305
- {
2306
- "id": "ssrf-meta-hardcoded:exploit-prover.js:33",
2307
- "kind": "sast",
2308
- "severity": "medium",
2309
- "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
2310
- "cwe": "CWE-918",
2311
- "owaspLlm": null,
2312
- "stride": "Information Disclosure",
2313
- "file": "exploit-prover.js",
2314
- "line": 33,
2315
- "snippet": "'CWE-918': `http://169.254.169.254/latest/meta-data/`, // SSRF",
2316
- "fix": null,
2317
- "reachable": false,
2318
- "triage": 22,
2319
- "dataClasses": [],
2320
- "chain": null,
2321
- "confidence": 0.7,
2322
- "toxicity": 8,
2323
- "toxicityFactors": [],
2324
- "toxicityLabel": "Low",
2325
- "sources": null,
2326
- "epssScore": null,
2327
- "epssPercentile": null,
2328
- "epssCve": null,
2329
- "exploitedNow": false,
2330
- "tags": null,
2331
- "blastRadius": {
2332
- "scope": "all-users",
2333
- "dataAtRisk": [
2334
- "credentials"
2335
- ],
2336
- "userCount": 50,
2337
- "industry": "generic",
2338
- "jurisdictions": [],
2339
- "controlsApplied": [],
2340
- "dollarBest": 24000,
2341
- "dollarLikely": 138000,
2342
- "dollarWorst": 777500,
2343
- "dollarLow": 24000,
2344
- "dollarHigh": 777500,
2345
- "components": {
2346
- "incidentResponse": {
2347
- "low": 8000,
2348
- "likely": 50000,
2349
- "high": 250000
2350
- },
2351
- "legal": {
2352
- "low": 10000,
2353
- "likely": 75000,
2354
- "high": 500000
2355
- },
2356
- "crisisPR": {
2357
- "low": 0,
2358
- "likely": 0,
2359
- "high": 0
2360
- },
2361
- "notification": {
2362
- "low": 5000,
2363
- "likely": 10000,
2364
- "high": 15000
2365
- },
2366
- "creditMonitoring": {
2367
- "low": 0,
2368
- "likely": 0,
2369
- "high": 0
2370
- },
2371
- "regulatoryFines": {
2372
- "low": 0,
2373
- "likely": 0,
2374
- "high": 0
2375
- },
2376
- "directDamage": {
2377
- "low": 1000,
2378
- "likely": 3000,
2379
- "high": 12500
2380
- },
2381
- "classAction": {
2382
- "low": 0,
2383
- "likely": 0,
2384
- "high": 0
2385
- },
2386
- "lostBusiness": {
2387
- "low": 0,
2388
- "likely": 0,
2389
- "high": 0
2390
- }
2391
- },
2392
- "dominantDriver": "legal counsel",
2393
- "comparable": "Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)",
2394
- "confidence": "low",
2395
- "narrative": "SSRF: explicit reference to cloud instance-metadata endpoint on `exploit-prover.js:33` could expose production credentials and API keys. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $24k · likely $138k · worst $778k. Dominant driver: legal counsel. Comparable: Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)."
2396
- },
2397
- "stableId": "88ebc2728475812c",
2398
- "confidenceTier": "medium",
2399
- "exploitability": 0.2,
2400
- "exploitabilityTier": "low",
2401
- "exploitabilityFactors": [
2402
- "sev:medium",
2403
- "unreachable"
2404
- ],
2405
- "clusterSize": null,
2406
- "unreachable": false,
2407
- "validator_verdict": "unvalidated",
2408
- "llm_confidence": null,
2409
- "unvalidated": true,
2410
- "cross_language": false,
2411
- "family": "ssrf",
2412
- "_unsigned": false,
2413
- "_passThroughSigning": false,
2414
- "signatureStatus": "verified",
2415
- "regression_test": {
2416
- "lang": "node",
2417
- "framework": "jest",
2418
- "filename": "security_88ebc2728475812c.test.mjs",
2419
- "runHint": "npx jest",
2420
- "code": "// Regression test for SSRF: explicit reference to cloud instance-metadata endpoint (CWE-918).\n// Auto-generated from P1.1 PoC; fails on vulnerable code, passes after the fix.\n\nimport { test, expect } from '@jest/globals';\n\ntest('SSRF: explicit reference to cloud instance-metadata endpoint', async () => {\n const URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\n const METHOD = \"POST\";\n const PAYLOAD = \"http://127.0.0.1:65533/poc-ssrf-sentinel\";\n const body = METHOD === 'GET' ? null : JSON.stringify({ input: PAYLOAD });\n const reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + 'input=' + encodeURIComponent(PAYLOAD)\n : URL_;\n const r = await fetch(reqUrl, { method: METHOD, headers: { 'Content-Type': 'application/json' }, body });\n const text = await r.text();\n // The assertion below is the \"exploit demonstrated\" signal — when this\n // test PASSES, the vuln is still present. After the fix, this assertion\n // SHOULD fail. Inverse the assertion in a green build.\n const demonstrated = text.includes('PoC') || /syntax error/i.test(text) || text.includes('<script>');\n expect(demonstrated).toBe(false);\n});\n"
2421
- },
2422
- "poc": {
2423
- "lang": "node",
2424
- "kind": "http-payload",
2425
- "cwe": "CWE-918",
2426
- "family": "ssrf",
2427
- "runHint": "node poc.mjs",
2428
- "code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n"
2429
- },
2430
- "calibrated_confidence": null,
2431
- "calibrated_confidence_ci": null,
2432
- "calibrated_n": 24,
2433
- "calibration_reason": "insufficient-samples",
2434
- "verifier_verdict": "verified-sanitizer-absence",
2435
- "verifier_reason": "no-sanitizer-in-window",
2436
- "verifier_runner": null,
2437
- "narration": null,
2438
- "mitigationVerdict": "unreachable-in-prod",
2439
- "mitigationsApplied": [],
2440
- "mitigatedByWaf": false,
2441
- "wafRuleId": null,
2442
- "mitigatedByAuth": false,
2443
- "authMechanism": null,
2444
- "mitigatedByNetwork": false,
2445
- "networkExposure": null,
2446
- "featureFlag": null,
2447
- "featureFlagState": null,
2448
- "featureFlagRollout": null,
2449
- "exposedInProd": false,
2450
- "unreachableInProd": true,
2451
- "coldPath": false,
2452
- "hotPath": false,
2453
- "prodRequestCount": null,
2454
- "crownJewelScore": 0,
2455
- "crownJewelTier": "unknown",
2456
- "crownJewelFactors": [],
2457
- "cloneClusterId": null,
2458
- "cloneClusterSize": 1,
2459
- "provenance": "mixed",
2460
- "provenanceScore": 0.3,
2461
- "typeNarrowed": null,
2462
- "strideCategory": "tampering",
2463
- "personaScores": {
2464
- "script-kiddie": {
2465
- "score": 0.4,
2466
- "tier": "medium",
2467
- "factors": [
2468
- "sev:medium"
2469
- ]
2470
- },
2471
- "opportunistic-criminal": {
2472
- "score": 0.6,
2473
- "tier": "high",
2474
- "factors": [
2475
- "sev:medium",
2476
- "bias:ssrf+0.20"
2477
- ]
2478
- },
2479
- "apt-nation-state": {
2480
- "score": 0.7,
2481
- "tier": "high",
2482
- "factors": [
2483
- "sev:medium",
2484
- "bias:ssrf+0.30"
2485
- ]
2486
- },
2487
- "supply-chain-attacker": {
2488
- "score": 0.4,
2489
- "tier": "medium",
2490
- "factors": [
2491
- "sev:medium"
2492
- ]
2493
- },
2494
- "malicious-insider": {
2495
- "score": 0.4,
2496
- "tier": "medium",
2497
- "factors": [
2498
- "sev:medium"
2499
- ]
2500
- }
2501
- },
2502
- "personaTopTwo": [
2503
- "apt-nation-state",
2504
- "opportunistic-criminal"
2505
- ],
2506
- "personaMaxName": "apt-nation-state",
2507
- "personaMaxScore": 0.7,
2508
- "reverseExposure": null,
2509
- "specMined": null,
2510
- "whyFired": {
2511
- "detector": "sast/ssrf",
2512
- "ruleId": "CWE-918",
2513
- "parser": "SSRF-METADATA",
2514
- "evidence": {
2515
- "sinkSnippet": "'CWE-918': `http://169.254.169.254/latest/meta-data/`, // SSRF",
2516
- "sourceSnippet": null,
2517
- "pathSteps": [],
2518
- "sanitizers": [],
2519
- "guards": []
2520
- },
2521
- "considered": {
2522
- "suppressionsApplied": [],
2523
- "suppressionsSkipped": [],
2524
- "reachabilityFilter": "unaffected",
2525
- "clusterCollapsed": false,
2526
- "typeNarrowed": false,
2527
- "crownJewelTier": "unknown",
2528
- "mitigationVerdict": "unreachable-in-prod"
2529
- },
2530
- "scanner": {
2531
- "rulesetVersion": null,
2532
- "packHash": null,
2533
- "modelId": null
2534
- }
2535
- },
2536
- "adversaryTranscript": null,
2537
- "predictedBountyUsd": {
2538
- "low": 30,
2539
- "likely": 120,
2540
- "high": 350,
2541
- "program": "web2"
2542
- },
2543
- "bountyConfidence": "high",
2544
- "attackPlaybook": null
2545
- },
2546
- {
2547
- "id": "toctou-fs:incremental.js:50",
2548
- "kind": "sast",
2549
- "severity": "medium",
2550
- "vuln": "TOCTOU: file existence/permission check before open",
2551
- "cwe": "CWE-367",
2552
- "owaspLlm": null,
2553
- "stride": "Tampering",
2554
- "file": "incremental.js",
2555
- "line": 50,
2556
- "snippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
2557
- "fix": null,
2558
- "reachable": false,
2559
- "triage": 22,
2560
- "dataClasses": [],
2561
- "chain": null,
2562
- "confidence": 0.7,
2563
- "toxicity": 8,
2564
- "toxicityFactors": [],
2565
- "toxicityLabel": "Low",
2566
- "sources": null,
2567
- "epssScore": null,
2568
- "epssPercentile": null,
2569
- "epssCve": null,
2570
- "exploitedNow": false,
2571
- "tags": null,
2572
- "blastRadius": {
2573
- "scope": "all-users",
2574
- "dataAtRisk": [
2575
- "config"
2576
- ],
2577
- "userCount": 50,
2578
- "industry": "generic",
2579
- "jurisdictions": [],
2580
- "controlsApplied": [],
2581
- "dollarBest": 23250,
2582
- "dollarLikely": 136250,
2583
- "dollarWorst": 775000,
2584
- "dollarLow": 23250,
2585
- "dollarHigh": 775000,
2586
- "components": {
2587
- "incidentResponse": {
2588
- "low": 8000,
2589
- "likely": 50000,
2590
- "high": 250000
2591
- },
2592
- "legal": {
2593
- "low": 10000,
2594
- "likely": 75000,
2595
- "high": 500000
2596
- },
2597
- "crisisPR": {
2598
- "low": 0,
2599
- "likely": 0,
2600
- "high": 0
2601
- },
2602
- "notification": {
2603
- "low": 5000,
2604
- "likely": 10000,
2605
- "high": 15000
2606
- },
2607
- "creditMonitoring": {
2608
- "low": 0,
2609
- "likely": 0,
2610
- "high": 0
2611
- },
2612
- "regulatoryFines": {
2613
- "low": 0,
2614
- "likely": 0,
2615
- "high": 0
2616
- },
2617
- "directDamage": {
2618
- "low": 250,
2619
- "likely": 1250,
2620
- "high": 10000
2621
- },
2622
- "classAction": {
2623
- "low": 0,
2624
- "likely": 0,
2625
- "high": 0
2626
- },
2627
- "lostBusiness": {
2628
- "low": 0,
2629
- "likely": 0,
2630
- "high": 0
2631
- }
2632
- },
2633
- "dominantDriver": "legal counsel",
2634
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
2635
- "confidence": "low",
2636
- "narrative": "TOCTOU: file existence/permission check before open on `incremental.js:50` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
2637
- },
2638
- "stableId": "3184d498fcca8634",
2639
- "confidenceTier": "medium",
2640
- "exploitability": 0.2,
2641
- "exploitabilityTier": "low",
2642
- "exploitabilityFactors": [
2643
- "sev:medium",
2644
- "unreachable"
2645
- ],
2646
- "clusterSize": null,
2647
- "unreachable": false,
2648
- "validator_verdict": "unvalidated",
2649
- "llm_confidence": null,
2650
- "unvalidated": true,
2651
- "cross_language": false,
2652
- "family": "toctou-file-existence-permission-check-b",
2653
- "_unsigned": false,
2654
- "_passThroughSigning": false,
2655
- "signatureStatus": "verified",
2656
- "regression_test": null,
2657
- "poc": null,
2658
- "calibrated_confidence": null,
2659
- "calibrated_confidence_ci": null,
2660
- "calibrated_n": 0,
2661
- "calibration_reason": "no-history",
2662
- "verifier_verdict": "cannot-verify",
2663
- "verifier_reason": "no-poc-no-sanitizer-rule",
2664
- "verifier_runner": null,
2665
- "narration": null,
2666
- "mitigationVerdict": "unreachable-in-prod",
2667
- "mitigationsApplied": [],
2668
- "mitigatedByWaf": false,
2669
- "wafRuleId": null,
2670
- "mitigatedByAuth": false,
2671
- "authMechanism": null,
2672
- "mitigatedByNetwork": false,
2673
- "networkExposure": null,
2674
- "featureFlag": null,
2675
- "featureFlagState": null,
2676
- "featureFlagRollout": null,
2677
- "exposedInProd": false,
2678
- "unreachableInProd": true,
2679
- "coldPath": false,
2680
- "hotPath": false,
2681
- "prodRequestCount": null,
2682
- "crownJewelScore": 0,
2683
- "crownJewelTier": "unknown",
2684
- "crownJewelFactors": [],
2685
- "cloneClusterId": "bf9643a065f64945",
2686
- "cloneClusterSize": 2,
2687
- "provenance": "human-likely",
2688
- "provenanceScore": 0.22,
2689
- "typeNarrowed": null,
2690
- "strideCategory": "tampering",
2691
- "personaScores": {
2692
- "script-kiddie": {
2693
- "score": 0.4,
2694
- "tier": "medium",
2695
- "factors": [
2696
- "sev:medium"
2697
- ]
2698
- },
2699
- "opportunistic-criminal": {
2700
- "score": 0.4,
2701
- "tier": "medium",
2702
- "factors": [
2703
- "sev:medium"
2704
- ]
2705
- },
2706
- "apt-nation-state": {
2707
- "score": 0.4,
2708
- "tier": "medium",
2709
- "factors": [
2710
- "sev:medium"
2711
- ]
2712
- },
2713
- "supply-chain-attacker": {
2714
- "score": 0.4,
2715
- "tier": "medium",
2716
- "factors": [
2717
- "sev:medium"
2718
- ]
2719
- },
2720
- "malicious-insider": {
2721
- "score": 0.4,
2722
- "tier": "medium",
2723
- "factors": [
2724
- "sev:medium"
2725
- ]
2726
- }
2727
- },
2728
- "personaTopTwo": [
2729
- "script-kiddie",
2730
- "opportunistic-criminal"
2731
- ],
2732
- "personaMaxName": "script-kiddie",
2733
- "personaMaxScore": 0.4,
2734
- "reverseExposure": null,
2735
- "specMined": null,
2736
- "whyFired": {
2737
- "detector": "sast/toctou-file-existence-permission-check-b",
2738
- "ruleId": "CWE-367",
2739
- "parser": "TOCTOU",
2740
- "evidence": {
2741
- "sinkSnippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
2742
- "sourceSnippet": null,
2743
- "pathSteps": [],
2744
- "sanitizers": [],
2745
- "guards": []
2746
- },
2747
- "considered": {
2748
- "suppressionsApplied": [],
2749
- "suppressionsSkipped": [],
2750
- "reachabilityFilter": "unaffected",
2751
- "clusterCollapsed": false,
2752
- "typeNarrowed": false,
2753
- "crownJewelTier": "unknown",
2754
- "mitigationVerdict": "unreachable-in-prod"
2755
- },
2756
- "scanner": {
2757
- "rulesetVersion": null,
2758
- "packHash": null,
2759
- "modelId": null
2760
- }
2761
- },
2762
- "adversaryTranscript": null,
2763
- "predictedBountyUsd": null,
2764
- "bountyConfidence": null,
2765
- "attackPlaybook": null
2766
- },
2767
- {
2768
- "id": "toctou-fs:incremental.js:68",
2769
- "kind": "sast",
2770
- "severity": "medium",
2771
- "vuln": "TOCTOU: file existence/permission check before open",
2772
- "cwe": "CWE-367",
2773
- "owaspLlm": null,
2774
- "stride": "Tampering",
2775
- "file": "incremental.js",
2776
- "line": 68,
2777
- "snippet": "if (!fs.existsSync(fp)) return fallback;",
2778
- "fix": null,
2779
- "reachable": false,
2780
- "triage": 22,
2781
- "dataClasses": [],
2782
- "chain": null,
2783
- "confidence": 0.7,
2784
- "toxicity": 8,
2785
- "toxicityFactors": [],
2786
- "toxicityLabel": "Low",
2787
- "sources": null,
2788
- "epssScore": null,
2789
- "epssPercentile": null,
2790
- "epssCve": null,
2791
- "exploitedNow": false,
2792
- "tags": null,
2793
- "blastRadius": {
2794
- "scope": "all-users",
2795
- "dataAtRisk": [
2796
- "config"
2797
- ],
2798
- "userCount": 50,
2799
- "industry": "generic",
2800
- "jurisdictions": [],
2801
- "controlsApplied": [],
2802
- "dollarBest": 23250,
2803
- "dollarLikely": 136250,
2804
- "dollarWorst": 775000,
2805
- "dollarLow": 23250,
2806
- "dollarHigh": 775000,
2807
- "components": {
2808
- "incidentResponse": {
2809
- "low": 8000,
2810
- "likely": 50000,
2811
- "high": 250000
2812
- },
2813
- "legal": {
2814
- "low": 10000,
2815
- "likely": 75000,
2816
- "high": 500000
2817
- },
2818
- "crisisPR": {
2819
- "low": 0,
2820
- "likely": 0,
2821
- "high": 0
2822
- },
2823
- "notification": {
2824
- "low": 5000,
2825
- "likely": 10000,
2826
- "high": 15000
2827
- },
2828
- "creditMonitoring": {
2829
- "low": 0,
2830
- "likely": 0,
2831
- "high": 0
2832
- },
2833
- "regulatoryFines": {
2834
- "low": 0,
2835
- "likely": 0,
2836
- "high": 0
2837
- },
2838
- "directDamage": {
2839
- "low": 250,
2840
- "likely": 1250,
2841
- "high": 10000
2842
- },
2843
- "classAction": {
2844
- "low": 0,
2845
- "likely": 0,
2846
- "high": 0
2847
- },
2848
- "lostBusiness": {
2849
- "low": 0,
2850
- "likely": 0,
2851
- "high": 0
2852
- }
2853
- },
2854
- "dominantDriver": "legal counsel",
2855
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
2856
- "confidence": "low",
2857
- "narrative": "TOCTOU: file existence/permission check before open on `incremental.js:68` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
2858
- },
2859
- "stableId": "ca2e725c38df4ef6",
2860
- "confidenceTier": "medium",
2861
- "exploitability": 0.2,
2862
- "exploitabilityTier": "low",
2863
- "exploitabilityFactors": [
2864
- "sev:medium",
2865
- "unreachable"
2866
- ],
2867
- "clusterSize": null,
2868
- "unreachable": false,
2869
- "validator_verdict": "unvalidated",
2870
- "llm_confidence": null,
2871
- "unvalidated": true,
2872
- "cross_language": false,
2873
- "family": "toctou-file-existence-permission-check-b",
2874
- "_unsigned": false,
2875
- "_passThroughSigning": false,
2876
- "signatureStatus": "verified",
2877
- "regression_test": null,
2878
- "poc": null,
2879
- "calibrated_confidence": null,
2880
- "calibrated_confidence_ci": null,
2881
- "calibrated_n": 0,
2882
- "calibration_reason": "no-history",
2883
- "verifier_verdict": "cannot-verify",
2884
- "verifier_reason": "no-poc-no-sanitizer-rule",
2885
- "verifier_runner": null,
2886
- "narration": null,
2887
- "mitigationVerdict": "unreachable-in-prod",
2888
- "mitigationsApplied": [],
2889
- "mitigatedByWaf": false,
2890
- "wafRuleId": null,
2891
- "mitigatedByAuth": false,
2892
- "authMechanism": null,
2893
- "mitigatedByNetwork": false,
2894
- "networkExposure": null,
2895
- "featureFlag": null,
2896
- "featureFlagState": null,
2897
- "featureFlagRollout": null,
2898
- "exposedInProd": false,
2899
- "unreachableInProd": true,
2900
- "coldPath": false,
2901
- "hotPath": false,
2902
- "prodRequestCount": null,
2903
- "crownJewelScore": 0,
2904
- "crownJewelTier": "unknown",
2905
- "crownJewelFactors": [],
2906
- "cloneClusterId": "39f1d6db55cace1d",
2907
- "cloneClusterSize": 2,
2908
- "provenance": "human-likely",
2909
- "provenanceScore": 0.22,
2910
- "typeNarrowed": null,
2911
- "strideCategory": "tampering",
2912
- "personaScores": {
2913
- "script-kiddie": {
2914
- "score": 0.4,
2915
- "tier": "medium",
2916
- "factors": [
2917
- "sev:medium"
2918
- ]
2919
- },
2920
- "opportunistic-criminal": {
2921
- "score": 0.4,
2922
- "tier": "medium",
2923
- "factors": [
2924
- "sev:medium"
2925
- ]
2926
- },
2927
- "apt-nation-state": {
2928
- "score": 0.4,
2929
- "tier": "medium",
2930
- "factors": [
2931
- "sev:medium"
2932
- ]
2933
- },
2934
- "supply-chain-attacker": {
2935
- "score": 0.4,
2936
- "tier": "medium",
2937
- "factors": [
2938
- "sev:medium"
2939
- ]
2940
- },
2941
- "malicious-insider": {
2942
- "score": 0.4,
2943
- "tier": "medium",
2944
- "factors": [
2945
- "sev:medium"
2946
- ]
2947
- }
2948
- },
2949
- "personaTopTwo": [
2950
- "script-kiddie",
2951
- "opportunistic-criminal"
2952
- ],
2953
- "personaMaxName": "script-kiddie",
2954
- "personaMaxScore": 0.4,
2955
- "reverseExposure": null,
2956
- "specMined": null,
2957
- "whyFired": {
2958
- "detector": "sast/toctou-file-existence-permission-check-b",
2959
- "ruleId": "CWE-367",
2960
- "parser": "TOCTOU",
2961
- "evidence": {
2962
- "sinkSnippet": "if (!fs.existsSync(fp)) return fallback;",
2963
- "sourceSnippet": null,
2964
- "pathSteps": [],
2965
- "sanitizers": [],
2966
- "guards": []
2967
- },
2968
- "considered": {
2969
- "suppressionsApplied": [],
2970
- "suppressionsSkipped": [],
2971
- "reachabilityFilter": "unaffected",
2972
- "clusterCollapsed": false,
2973
- "typeNarrowed": false,
2974
- "crownJewelTier": "unknown",
2975
- "mitigationVerdict": "unreachable-in-prod"
2976
- },
2977
- "scanner": {
2978
- "rulesetVersion": null,
2979
- "packHash": null,
2980
- "modelId": null
2981
- }
2982
- },
2983
- "adversaryTranscript": null,
2984
- "predictedBountyUsd": null,
2985
- "bountyConfidence": null,
2986
- "attackPlaybook": null
2987
- },
2988
- {
2989
- "id": "77f1352c8462f8db",
2990
- "kind": "logic",
2991
- "severity": "medium",
2992
- "vuln": "Race Condition (TOCTOU)",
2993
- "cwe": "CWE-367",
2994
- "stride": "Tampering",
2995
- "file": "incremental.js",
2996
- "line": 223,
2997
- "snippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
2998
- "fix": {
2999
- "description": "Use atomic operations instead of check-then-act patterns.",
3000
- "code": "// BEFORE\nif (fs.existsSync(p)) fs.unlinkSync(p);\n\n// AFTER\ntry { fs.unlinkSync(p); } catch(e) { if(e.code!=='ENOENT') throw e; }"
3001
- },
3002
- "blastRadius": {
3003
- "scope": "all-users",
3004
- "dataAtRisk": [
3005
- "config"
3006
- ],
3007
- "userCount": 50,
3008
- "industry": "generic",
3009
- "jurisdictions": [],
3010
- "controlsApplied": [],
3011
- "dollarBest": 23250,
3012
- "dollarLikely": 136250,
3013
- "dollarWorst": 775000,
3014
- "dollarLow": 23250,
3015
- "dollarHigh": 775000,
3016
- "components": {
3017
- "incidentResponse": {
3018
- "low": 8000,
3019
- "likely": 50000,
3020
- "high": 250000
3021
- },
3022
- "legal": {
3023
- "low": 10000,
3024
- "likely": 75000,
3025
- "high": 500000
3026
- },
3027
- "crisisPR": {
3028
- "low": 0,
3029
- "likely": 0,
3030
- "high": 0
3031
- },
3032
- "notification": {
3033
- "low": 5000,
3034
- "likely": 10000,
3035
- "high": 15000
3036
- },
3037
- "creditMonitoring": {
3038
- "low": 0,
3039
- "likely": 0,
3040
- "high": 0
3041
- },
3042
- "regulatoryFines": {
3043
- "low": 0,
3044
- "likely": 0,
3045
- "high": 0
3046
- },
3047
- "directDamage": {
3048
- "low": 250,
3049
- "likely": 1250,
3050
- "high": 10000
3051
- },
3052
- "classAction": {
3053
- "low": 0,
3054
- "likely": 0,
3055
- "high": 0
3056
- },
3057
- "lostBusiness": {
3058
- "low": 0,
3059
- "likely": 0,
3060
- "high": 0
3061
- }
3062
- },
3063
- "dominantDriver": "legal counsel",
3064
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3065
- "confidence": "low",
3066
- "narrative": "Race Condition (TOCTOU) on `incremental.js:223` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3067
- }
3068
- },
3069
- {
3070
- "id": "logic:incremental.js:50:TOCTOU:_existsSync_followed_by_file_op",
3071
- "kind": "logic",
3072
- "severity": "medium",
3073
- "vuln": "TOCTOU: existsSync followed by file op",
3074
- "cwe": "CWE-367",
3075
- "stride": "Tampering",
3076
- "file": "incremental.js",
3077
- "line": 50,
3078
- "snippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
3079
- "fix": {
3080
- "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
3081
- "code": ""
3082
- },
3083
- "blastRadius": {
3084
- "scope": "all-users",
3085
- "dataAtRisk": [
3086
- "config"
3087
- ],
3088
- "userCount": 50,
3089
- "industry": "generic",
3090
- "jurisdictions": [],
3091
- "controlsApplied": [],
3092
- "dollarBest": 23250,
3093
- "dollarLikely": 136250,
3094
- "dollarWorst": 775000,
3095
- "dollarLow": 23250,
3096
- "dollarHigh": 775000,
3097
- "components": {
3098
- "incidentResponse": {
3099
- "low": 8000,
3100
- "likely": 50000,
3101
- "high": 250000
3102
- },
3103
- "legal": {
3104
- "low": 10000,
3105
- "likely": 75000,
3106
- "high": 500000
3107
- },
3108
- "crisisPR": {
3109
- "low": 0,
3110
- "likely": 0,
3111
- "high": 0
3112
- },
3113
- "notification": {
3114
- "low": 5000,
3115
- "likely": 10000,
3116
- "high": 15000
3117
- },
3118
- "creditMonitoring": {
3119
- "low": 0,
3120
- "likely": 0,
3121
- "high": 0
3122
- },
3123
- "regulatoryFines": {
3124
- "low": 0,
3125
- "likely": 0,
3126
- "high": 0
3127
- },
3128
- "directDamage": {
3129
- "low": 250,
3130
- "likely": 1250,
3131
- "high": 10000
3132
- },
3133
- "classAction": {
3134
- "low": 0,
3135
- "likely": 0,
3136
- "high": 0
3137
- },
3138
- "lostBusiness": {
3139
- "low": 0,
3140
- "likely": 0,
3141
- "high": 0
3142
- }
3143
- },
3144
- "dominantDriver": "legal counsel",
3145
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3146
- "confidence": "low",
3147
- "narrative": "TOCTOU: existsSync followed by file op on `incremental.js:50` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3148
- }
3149
- },
3150
- {
3151
- "id": "logic:incremental.js:68:TOCTOU:_existsSync_followed_by_file_op",
3152
- "kind": "logic",
3153
- "severity": "medium",
3154
- "vuln": "TOCTOU: existsSync followed by file op",
3155
- "cwe": "CWE-367",
3156
- "stride": "Tampering",
3157
- "file": "incremental.js",
3158
- "line": 68,
3159
- "snippet": "if (!fs.existsSync(fp)) return fallback;",
3160
- "fix": {
3161
- "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
3162
- "code": ""
3163
- },
3164
- "blastRadius": {
3165
- "scope": "all-users",
3166
- "dataAtRisk": [
3167
- "config"
3168
- ],
3169
- "userCount": 50,
3170
- "industry": "generic",
3171
- "jurisdictions": [],
3172
- "controlsApplied": [],
3173
- "dollarBest": 23250,
3174
- "dollarLikely": 136250,
3175
- "dollarWorst": 775000,
3176
- "dollarLow": 23250,
3177
- "dollarHigh": 775000,
3178
- "components": {
3179
- "incidentResponse": {
3180
- "low": 8000,
3181
- "likely": 50000,
3182
- "high": 250000
3183
- },
3184
- "legal": {
3185
- "low": 10000,
3186
- "likely": 75000,
3187
- "high": 500000
3188
- },
3189
- "crisisPR": {
3190
- "low": 0,
3191
- "likely": 0,
3192
- "high": 0
3193
- },
3194
- "notification": {
3195
- "low": 5000,
3196
- "likely": 10000,
3197
- "high": 15000
3198
- },
3199
- "creditMonitoring": {
3200
- "low": 0,
3201
- "likely": 0,
3202
- "high": 0
3203
- },
3204
- "regulatoryFines": {
3205
- "low": 0,
3206
- "likely": 0,
3207
- "high": 0
3208
- },
3209
- "directDamage": {
3210
- "low": 250,
3211
- "likely": 1250,
3212
- "high": 10000
3213
- },
3214
- "classAction": {
3215
- "low": 0,
3216
- "likely": 0,
3217
- "high": 0
3218
- },
3219
- "lostBusiness": {
3220
- "low": 0,
3221
- "likely": 0,
3222
- "high": 0
3223
- }
3224
- },
3225
- "dominantDriver": "legal counsel",
3226
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3227
- "confidence": "low",
3228
- "narrative": "TOCTOU: existsSync followed by file op on `incremental.js:68` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3229
- }
3230
- },
3231
- {
3232
- "id": "logic:incremental.js:223:TOCTOU:_existsSync_followed_by_file_op",
3233
- "kind": "logic",
3234
- "severity": "medium",
3235
- "vuln": "TOCTOU: existsSync followed by file op",
3236
- "cwe": "CWE-367",
3237
- "stride": "Tampering",
3238
- "file": "incremental.js",
3239
- "line": 223,
3240
- "snippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
3241
- "fix": {
3242
- "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
3243
- "code": ""
3244
- },
3245
- "blastRadius": {
3246
- "scope": "all-users",
3247
- "dataAtRisk": [
3248
- "config"
3249
- ],
3250
- "userCount": 50,
3251
- "industry": "generic",
3252
- "jurisdictions": [],
3253
- "controlsApplied": [],
3254
- "dollarBest": 23250,
3255
- "dollarLikely": 136250,
3256
- "dollarWorst": 775000,
3257
- "dollarLow": 23250,
3258
- "dollarHigh": 775000,
3259
- "components": {
3260
- "incidentResponse": {
3261
- "low": 8000,
3262
- "likely": 50000,
3263
- "high": 250000
3264
- },
3265
- "legal": {
3266
- "low": 10000,
3267
- "likely": 75000,
3268
- "high": 500000
3269
- },
3270
- "crisisPR": {
3271
- "low": 0,
3272
- "likely": 0,
3273
- "high": 0
3274
- },
3275
- "notification": {
3276
- "low": 5000,
3277
- "likely": 10000,
3278
- "high": 15000
3279
- },
3280
- "creditMonitoring": {
3281
- "low": 0,
3282
- "likely": 0,
3283
- "high": 0
3284
- },
3285
- "regulatoryFines": {
3286
- "low": 0,
3287
- "likely": 0,
3288
- "high": 0
3289
- },
3290
- "directDamage": {
3291
- "low": 250,
3292
- "likely": 1250,
3293
- "high": 10000
3294
- },
3295
- "classAction": {
3296
- "low": 0,
3297
- "likely": 0,
3298
- "high": 0
3299
- },
3300
- "lostBusiness": {
3301
- "low": 0,
3302
- "likely": 0,
3303
- "high": 0
3304
- }
3305
- },
3306
- "dominantDriver": "legal counsel",
3307
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3308
- "confidence": "low",
3309
- "narrative": "TOCTOU: existsSync followed by file op on `incremental.js:223` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3310
- }
3311
- }
3312
- ],
3313
- "bundles": [],
3314
- "routes": [],
3315
- "components": [],
3316
- "suppressedCount": 12,
3317
- "blastRadiusSignals": {
3318
- "industry": "generic",
3319
- "industryConfidence": "low",
3320
- "jurisdictions": [],
3321
- "controls": [],
3322
- "estimatedUsers": 50,
3323
- "revenueIndicator": "pre-revenue",
3324
- "hasStripe": false,
3325
- "hasAuth": false,
3326
- "hasUserTable": false,
3327
- "hasPII": false,
3328
- "hasPHI": false,
3329
- "hasS3": false
3330
- },
3331
- "_v3": {
3332
- "counterfactual": {
3333
- "spofControls": [],
3334
- "controlsDetected": 195
3335
- },
3336
- "threatModel": {
3337
- "summary": {
3338
- "assetCount": 0,
3339
- "boundaryCount": 2,
3340
- "strideCounts": {
3341
- "spoofing": 0,
3342
- "tampering": 4,
3343
- "repudiation": 0,
3344
- "informationDisclosure": 0,
3345
- "denialOfService": 9,
3346
- "elevationOfPrivilege": 0
3347
- }
3348
- },
3349
- "assets": [],
3350
- "trustBoundaries": [
3351
- {
3352
- "type": "db-edge",
3353
- "file": "catalog.js",
3354
- "line": 52,
3355
- "label": null
3356
- },
3357
- {
3358
- "type": "db-edge",
3359
- "file": "catalog.js",
3360
- "line": 55,
3361
- "label": null
3362
- }
3363
- ],
3364
- "stride": {
3365
- "spoofing": [],
3366
- "tampering": [
3367
- {
3368
- "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
3369
- "file": "catalog.js",
3370
- "line": 431,
3371
- "severity": "medium"
3372
- },
3373
- {
3374
- "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
3375
- "file": "exploit-prover.js",
3376
- "line": 33,
3377
- "severity": "medium"
3378
- },
3379
- {
3380
- "vuln": "TOCTOU: file existence/permission check before open",
3381
- "file": "incremental.js",
3382
- "line": 50,
3383
- "severity": "medium"
3384
- },
3385
- {
3386
- "vuln": "TOCTOU: file existence/permission check before open",
3387
- "file": "incremental.js",
3388
- "line": 68,
3389
- "severity": "medium"
3390
- }
3391
- ],
3392
- "repudiation": [],
3393
- "informationDisclosure": [],
3394
- "denialOfService": [
3395
- {
3396
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3397
- "file": "incremental.js",
3398
- "severity": "medium"
3399
- },
3400
- {
3401
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3402
- "file": "incremental.js",
3403
- "severity": "medium"
3404
- },
3405
- {
3406
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3407
- "file": "incremental.js",
3408
- "severity": "medium"
3409
- },
3410
- {
3411
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3412
- "file": "incremental.js",
3413
- "severity": "medium"
3414
- },
3415
- {
3416
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3417
- "file": "incremental.js",
3418
- "severity": "medium"
3419
- },
3420
- {
3421
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3422
- "file": "incremental.js",
3423
- "severity": "medium"
3424
- },
3425
- {
3426
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3427
- "file": "incremental.js",
3428
- "severity": "medium"
3429
- },
3430
- {
3431
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3432
- "file": "incremental.js",
3433
- "severity": "medium"
3434
- },
3435
- {
3436
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3437
- "file": "incremental.js",
3438
- "severity": "medium"
3439
- }
3440
- ],
3441
- "elevationOfPrivilege": []
3442
- }
3443
- },
3444
- "trustBoundaryDiagram": {
3445
- "mermaid": "flowchart LR\n INTERNET((Internet))\n APP[\"Application\"]\n db_catalog_js_52[(\"db@catalog.js:52\")]\n db_catalog_js_55[(\"db@catalog.js:55\")]\n APP -->|db| db_catalog_js_52\n APP -->|db| db_catalog_js_55\n classDef sev_critical fill:#ffcccc,stroke:#a00,stroke-width:2px;\n classDef sev_high fill:#ffe0b2,stroke:#c60,stroke-width:2px;\n classDef sev_medium fill:#fff3cd,stroke:#a80;\n classDef sev_low fill:#e8eaf6,stroke:#557;",
3446
- "nodes": [
3447
- {
3448
- "id": "INTERNET",
3449
- "kind": "external",
3450
- "label": "Internet"
3451
- },
3452
- {
3453
- "id": "APP",
3454
- "kind": "app",
3455
- "label": "Application"
3456
- },
3457
- {
3458
- "kind": "db",
3459
- "id": "db_catalog_js_52",
3460
- "label": "db@catalog.js:52"
3461
- },
3462
- {
3463
- "kind": "db",
3464
- "id": "db_catalog_js_55",
3465
- "label": "db@catalog.js:55"
3466
- }
3467
- ],
3468
- "edges": [
3469
- {
3470
- "from": "APP",
3471
- "to": "db_catalog_js_52",
3472
- "kind": "db"
3473
- },
3474
- {
3475
- "from": "APP",
3476
- "to": "db_catalog_js_55",
3477
- "kind": "db"
3478
- }
3479
- ],
3480
- "decorations": []
3481
- },
3482
- "calibrationDrift": {
3483
- "alarms": [],
3484
- "note": "no-feedback-data"
3485
- }
3486
- }
3487
- }