@clear-capabilities/agentic-security-scanner 0.76.1 → 0.78.0

package/bin/.agentic-security/last-scan.json

@@ -1,7 +1,7 @@
 {
-  "scanId": "d01219ed-b5bf-4fde-bf3c-4f31c0ceaa41",
-  "startedAt": "2026-05-21T16:13:40.849Z",
-  "durationMs": 281,
+  "scanId": "0c2c7713-e7de-4bc9-ab48-f6473ad81d9f",
+  "startedAt": "2026-05-27T11:23:10.965Z",
+  "durationMs": 278,
   "scanned": {
     "files": 7,
     "lines": 0
@@ -759,7 +759,7 @@
       "attackPlaybook": null
     },
     {
-      "id": "toctou-fs:agentic-security.js:1105",
+      "id": "toctou-fs:agentic-security.js:362",
       "kind": "sast",
       "severity": "medium",
       "vuln": "TOCTOU: file existence/permission check before open",
@@ -767,7 +767,229 @@
       "owaspLlm": null,
       "stride": "Tampering",
       "file": "agentic-security.js",
-      "line": 1105,
+      "line": 362,
+      "snippet": "if (args.flags['since-baseline'] && fs.existsSync(baselinePath)) {",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.7,
+      "toxicity": 8,
+      "toxicityFactors": [],
+      "toxicityLabel": "Low",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
+        "confidence": "low",
+        "narrative": "TOCTOU: file existence/permission check before open on `agentic-security.js:362` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+      },
+      "stableId": "ba3080b44d262d10",
+      "confidenceTier": "medium",
+      "exploitability": 0.2,
+      "exploitabilityTier": "low",
+      "exploitabilityFactors": [
+        "sev:medium",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "toctou-file-existence-permission-check-b",
+      "parser": "TOCTOU",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": null,
+      "poc": null,
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 0,
+      "calibration_reason": "no-history",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
+      "verifier_runner": null,
+      "narration": null,
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0,
+      "crownJewelTier": "unknown",
+      "crownJewelFactors": [],
+      "cloneClusterId": "12b0776a772e2188",
+      "cloneClusterSize": 1,
+      "provenance": "human-likely",
+      "provenanceScore": 0.04,
+      "typeNarrowed": null,
+      "strideCategory": "tampering",
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "malicious-insider": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "script-kiddie",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "script-kiddie",
+      "personaMaxScore": 0.4,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/toctou-file-existence-permission-check-b",
+        "ruleId": "CWE-367",
+        "parser": "TOCTOU",
+        "evidence": {
+          "sinkSnippet": "if (args.flags['since-baseline'] && fs.existsSync(baselinePath)) {",
+          "sourceSnippet": null,
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "unknown",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": null,
+      "bountyConfidence": null,
+      "attackPlaybook": null
+    },
+    {
+      "id": "toctou-fs:agentic-security.js:1136",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "TOCTOU: file existence/permission check before open",
+      "cwe": "CWE-367",
+      "owaspLlm": null,
+      "stride": "Tampering",
+      "file": "agentic-security.js",
+      "line": 1136,
       "snippet": "const st = fs.statSync(abs);",
       "fix": null,
       "reachable": false,
@@ -848,7 +1070,7 @@
         "dominantDriver": "legal counsel",
         "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
         "confidence": "low",
-        "narrative": "TOCTOU: file existence/permission check before open on `agentic-security.js:1105` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+        "narrative": "TOCTOU: file existence/permission check before open on `agentic-security.js:1136` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
       },
       "stableId": "17f63a600e3a68b4",
       "confidenceTier": "medium",
@@ -1477,12 +1699,95 @@
       },
       "parser": "LOGIC",
       "family": null
+    },
+    {
+      "id": "logic:agentic-security.js:362:TOCTOU:_existsSync_followed_by_file_op",
+      "kind": "logic",
+      "severity": "medium",
+      "vuln": "TOCTOU: existsSync followed by file op",
+      "cwe": "CWE-367",
+      "stride": "Tampering",
+      "file": "agentic-security.js",
+      "line": 362,
+      "snippet": "if (args.flags['since-baseline'] && fs.existsSync(baselinePath)) {",
+      "fix": {
+        "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
+        "code": ""
+      },
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
+        "confidence": "low",
+        "narrative": "TOCTOU: existsSync followed by file op on `agentic-security.js:362` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
+      },
+      "parser": "LOGIC",
+      "family": null
     }
   ],
   "bundles": [],
   "routes": [],
   "components": [],
-  "suppressedCount": 38,
+  "suppressedCount": 39,
   "blastRadiusSignals": {
     "industry": "generic",
     "industryConfidence": "low",
@@ -1508,7 +1813,7 @@
         "boundaryCount": 0,
         "strideCounts": {
           "spoofing": 0,
-          "tampering": 4,
+          "tampering": 5,
           "repudiation": 0,
           "informationDisclosure": 0,
           "denialOfService": 0,
@@ -1549,7 +1854,13 @@
           {
             "vuln": "TOCTOU: file existence/permission check before open",
             "file": "agentic-security.js",
-            "line": 1105,
+            "line": 362,
+            "severity": "medium"
+          },
+          {
+            "vuln": "TOCTOU: file existence/permission check before open",
+            "file": "agentic-security.js",
+            "line": 1136,
             "severity": "medium"
           }
         ],

package/bin/.agentic-security/last-scan.json.sig

@@ -1 +1 @@
-ec16cd87a90fed8ff54e93a2bc69d4e8053d22cd80ffc701a4668d3c3e929f7d
+1a7a7e91a1b09ea956d4e722c3d9df15e8c662dba64e487bdc6f8ba875fd48b9