@clear-capabilities/agentic-security-scanner 0.76.1 → 0.78.0

Files changed (108)
  1. package/bin/.agentic-security/findings.json +320 -9
  2. package/bin/.agentic-security/last-scan.json +320 -9
  3. package/bin/.agentic-security/last-scan.json.sig +1 -1
  4. package/bin/.agentic-security/scan-history.json +17 -377
  5. package/bin/.agentic-security/streak.json +11 -16
  6. package/bin/agentic-security.js +33 -2
  7. package/dist/178.index.js +1 -1
  8. package/dist/384.index.js +1 -1
  9. package/dist/637.index.js +1 -1
  10. package/dist/718.index.js +106 -0
  11. package/dist/824.index.js +126 -0
  12. package/dist/838.index.js +1 -1
  13. package/dist/agentic-security.mjs +32 -32
  14. package/dist/agentic-security.mjs.sha256 +1 -1
  15. package/package.json +7 -7
  16. package/src/.agentic-security/findings.json +5731 -3933
  17. package/src/.agentic-security/last-scan.json +5731 -3933
  18. package/src/.agentic-security/last-scan.json.sig +1 -1
  19. package/src/.agentic-security/scan-history.json +2533 -887
  20. package/src/.agentic-security/streak.json +11 -16
  21. package/src/dataflow/.agentic-security/findings.json +52 -24
  22. package/src/dataflow/.agentic-security/last-scan.json +52 -24
  23. package/src/dataflow/.agentic-security/last-scan.json.sig +1 -1
  24. package/src/dataflow/.agentic-security/scan-history.json +101 -134
  25. package/src/dataflow/.agentic-security/streak.json +8 -10
  26. package/src/dataflow/async-sequencing.js +16 -7
  27. package/src/dataflow/builtin-summaries.js +131 -0
  28. package/src/dataflow/catalog.js +107 -0
  29. package/src/dataflow/cross-repo.js +75 -1
  30. package/src/dataflow/engine.js +129 -0
  31. package/src/dataflow/implicit-flow.js +24 -6
  32. package/src/dataflow/stub-aware-filter.js +69 -11
  33. package/src/dataflow/summaries.js +28 -3
  34. package/src/engine-parallel.js +70 -0
  35. package/src/engine.js +165 -15
  36. package/src/ir/.agentic-security/findings.json +757 -16
  37. package/src/ir/.agentic-security/last-scan.json +757 -16
  38. package/src/ir/.agentic-security/last-scan.json.sig +1 -1
  39. package/src/ir/.agentic-security/scan-history.json +545 -138
  40. package/src/ir/.agentic-security/streak.json +11 -13
  41. package/src/ir/index.js +22 -1
  42. package/src/ir/parser-go.js +403 -0
  43. package/src/ir/parser-js.js +2 -0
  44. package/src/ir/parser-php.js +330 -0
  45. package/src/ir/parser-py.helper.py +137 -11
  46. package/src/ir/parser-rb.js +309 -0
  47. package/src/posture/.agentic-security/findings.json +407 -84
  48. package/src/posture/.agentic-security/last-scan.json +407 -84
  49. package/src/posture/.agentic-security/last-scan.json.sig +1 -1
  50. package/src/posture/.agentic-security/scan-history.json +16 -4923
  51. package/src/posture/.agentic-security/streak.json +10 -14
  52. package/src/posture/calibration.js +14 -0
  53. package/src/posture/triage.js +13 -0
  54. package/src/report/.agentic-security/findings.json +6 -5
  55. package/src/report/.agentic-security/last-scan.json +6 -5
  56. package/src/report/.agentic-security/last-scan.json.sig +1 -1
  57. package/src/report/.agentic-security/scan-history.json +3 -300
  58. package/src/report/.agentic-security/streak.json +7 -8
  59. package/src/report/index.js +23 -2
  60. package/src/sast/.agentic-security/findings.json +195 -56
  61. package/src/sast/.agentic-security/last-scan.json +195 -56
  62. package/src/sast/.agentic-security/last-scan.json.sig +1 -1
  63. package/src/sast/.agentic-security/scan-history.json +14 -394
  64. package/src/sast/.agentic-security/streak.json +10 -13
  65. package/src/sast/cache-poisoning.js +77 -0
  66. package/src/sast/comparison-safety.js +73 -0
  67. package/src/sast/db-taint.js +54 -0
  68. package/src/sast/graphql.js +127 -0
  69. package/src/sast/llm-stored-prompt.js +57 -0
  70. package/src/sast/mutation-xss.js +43 -0
  71. package/src/sast/nosql-injection.js +5 -0
  72. package/src/sast/null-byte-injection.js +76 -0
  73. package/src/sast/redos-nfa.js +338 -0
  74. package/src/sast/sensitive-data-logging.js +73 -0
  75. package/src/sast/weak-password-hash.js +77 -0
  76. package/src/sast/weak-randomness.js +100 -0
  77. package/src/sca/.agentic-security/findings.json +502 -11
  78. package/src/sca/.agentic-security/last-scan.json +502 -11
  79. package/src/sca/.agentic-security/last-scan.json.sig +1 -1
  80. package/src/sca/.agentic-security/scan-history.json +19 -1
  81. package/src/sca/.agentic-security/streak.json +6 -6
  82. package/src/sca/llm-function-extract.js +107 -0
  83. package/src/sca/vendor-detect.js +91 -0
  84. package/dist/218.index.js +0 -793
  85. package/dist/601.index.js +0 -1038
  86. package/dist/634.index.js +0 -1892
  87. package/src/integrations/.agentic-security/findings.json +0 -1504
  88. package/src/integrations/.agentic-security/last-scan.json +0 -1504
  89. package/src/integrations/.agentic-security/scan-history.json +0 -40
  90. package/src/integrations/.agentic-security/streak.json +0 -21
  91. package/src/llm-validator/.agentic-security/findings.json +0 -1891
  92. package/src/llm-validator/.agentic-security/last-scan.json +0 -1891
  93. package/src/llm-validator/.agentic-security/last-scan.json.sig +0 -1
  94. package/src/llm-validator/.agentic-security/scan-history.json +0 -168
  95. package/src/llm-validator/.agentic-security/streak.json +0 -20
  96. package/src/lsp/.agentic-security/findings.json +0 -28
  97. package/src/lsp/.agentic-security/last-scan.json +0 -28
  98. package/src/lsp/.agentic-security/scan-history.json +0 -79
  99. package/src/lsp/.agentic-security/streak.json +0 -22
  100. package/src/mcp/.agentic-security/findings.json +0 -8403
  101. package/src/mcp/.agentic-security/last-scan.json +0 -8403
  102. package/src/mcp/.agentic-security/last-scan.json.sig +0 -1
  103. package/src/mcp/.agentic-security/scan-history.json +0 -1182
  104. package/src/mcp/.agentic-security/streak.json +0 -22
  105. package/src/sast/bench-shape/.agentic-security/findings.json +0 -28
  106. package/src/sast/bench-shape/.agentic-security/last-scan.json +0 -28
  107. package/src/sast/bench-shape/.agentic-security/scan-history.json +0 -24
  108. package/src/sast/bench-shape/.agentic-security/streak.json +0 -22
@@ -1,1891 +0,0 @@
1
- {
2
- "scanId": "e4d8ca5c-18e9-436d-8778-68c3e6feb632",
3
- "startedAt": "2026-05-20T12:29:43.643Z",
4
- "durationMs": 133,
5
- "scanned": {
6
- "files": 2,
7
- "lines": 0
8
- },
9
- "findings": [
10
- {
11
- "id": "prompt-tpl:index.js:57:Prompt_Template__user_input_interpolated_into_prompt_string_",
12
- "kind": "sast",
13
- "severity": "high",
14
- "vuln": "Prompt Template: user input interpolated into prompt string without isolation",
15
- "cwe": "CWE-1336",
16
- "owaspLlm": null,
17
- "stride": "Spoofing",
18
- "file": "index.js",
19
- "line": 57,
20
- "snippet": "const PROMPT_TEMPLATE = `You are a senior application security engineer reviewing a candidate finding from a static analysis tool.",
21
- "fix": {
22
- "description": "Prefer the messages array form: `messages=[{\"role\":\"system\",\"content\":SYS},{\"role\":\"user\",\"content\":user_input}]`. Or wrap interpolations with isolation markers and instruct the model to treat content inside them as data only.",
23
- "code": ""
24
- },
25
- "reachable": false,
26
- "triage": 39,
27
- "dataClasses": [],
28
- "chain": null,
29
- "confidence": 0.314,
30
- "toxicity": 15,
31
- "toxicityFactors": [
32
- "high-severity"
33
- ],
34
- "toxicityLabel": "Low",
35
- "sources": null,
36
- "epssScore": null,
37
- "epssPercentile": null,
38
- "epssCve": null,
39
- "exploitedNow": false,
40
- "tags": null,
41
- "blastRadius": {
42
- "scope": "all-users",
43
- "dataAtRisk": [
44
- "config"
45
- ],
46
- "userCount": 50,
47
- "industry": "generic",
48
- "jurisdictions": [],
49
- "controlsApplied": [],
50
- "dollarBest": 23250,
51
- "dollarLikely": 136250,
52
- "dollarWorst": 775000,
53
- "dollarLow": 23250,
54
- "dollarHigh": 775000,
55
- "components": {
56
- "incidentResponse": {
57
- "low": 8000,
58
- "likely": 50000,
59
- "high": 250000
60
- },
61
- "legal": {
62
- "low": 10000,
63
- "likely": 75000,
64
- "high": 500000
65
- },
66
- "crisisPR": {
67
- "low": 0,
68
- "likely": 0,
69
- "high": 0
70
- },
71
- "notification": {
72
- "low": 5000,
73
- "likely": 10000,
74
- "high": 15000
75
- },
76
- "creditMonitoring": {
77
- "low": 0,
78
- "likely": 0,
79
- "high": 0
80
- },
81
- "regulatoryFines": {
82
- "low": 0,
83
- "likely": 0,
84
- "high": 0
85
- },
86
- "directDamage": {
87
- "low": 250,
88
- "likely": 1250,
89
- "high": 10000
90
- },
91
- "classAction": {
92
- "low": 0,
93
- "likely": 0,
94
- "high": 0
95
- },
96
- "lostBusiness": {
97
- "low": 0,
98
- "likely": 0,
99
- "high": 0
100
- }
101
- },
102
- "dominantDriver": "legal counsel",
103
- "comparable": "Server-side template injection (Pug/Jinja2/Twig) → routine path to RCE",
104
- "confidence": "low",
105
- "narrative": "Prompt Template: user input interpolated into prompt string without isolation on `index.js:57` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Server-side template injection (Pug/Jinja2/Twig) → routine path to RCE."
106
- },
107
- "stableId": "36003f350e48e148",
108
- "confidenceTier": "low",
109
- "exploitability": 0.45,
110
- "exploitabilityTier": "medium",
111
- "exploitabilityFactors": [
112
- "sev:high",
113
- "unreachable"
114
- ],
115
- "clusterSize": null,
116
- "unreachable": false,
117
- "validator_verdict": "unvalidated",
118
- "llm_confidence": null,
119
- "unvalidated": true,
120
- "cross_language": false,
121
- "family": "prompt-template-user-input-interpolated-",
122
- "_unsigned": false,
123
- "_passThroughSigning": false,
124
- "signatureStatus": "verified",
125
- "regression_test": null,
126
- "poc": null,
127
- "calibrated_confidence": null,
128
- "calibrated_confidence_ci": null,
129
- "calibrated_n": 0,
130
- "calibration_reason": "no-history",
131
- "verifier_verdict": "cannot-verify",
132
- "verifier_reason": "no-poc-no-sanitizer-rule",
133
- "verifier_runner": null,
134
- "narration": "A finding of type \"Prompt Template: user input interpolated into prompt string without isolation\" at index.js:57. Severity: high. Review the remediation field for class-specific guidance.",
135
- "mitigationVerdict": "unreachable-in-prod",
136
- "mitigationsApplied": [],
137
- "mitigatedByWaf": false,
138
- "wafRuleId": null,
139
- "mitigatedByAuth": false,
140
- "authMechanism": null,
141
- "mitigatedByNetwork": false,
142
- "networkExposure": null,
143
- "featureFlag": null,
144
- "featureFlagState": null,
145
- "featureFlagRollout": null,
146
- "exposedInProd": false,
147
- "unreachableInProd": true,
148
- "coldPath": false,
149
- "hotPath": false,
150
- "prodRequestCount": null,
151
- "crownJewelScore": 0.1,
152
- "crownJewelTier": "low-value",
153
- "crownJewelFactors": [
154
- "reads-secret-env"
155
- ],
156
- "cloneClusterId": "fae27b06c71c94a9",
157
- "cloneClusterSize": 1,
158
- "provenance": "human-likely",
159
- "provenanceScore": 0.18,
160
- "typeNarrowed": null,
161
- "strideCategory": null,
162
- "personaScores": {
163
- "script-kiddie": {
164
- "score": 0.65,
165
- "tier": "high",
166
- "factors": [
167
- "sev:high"
168
- ]
169
- },
170
- "opportunistic-criminal": {
171
- "score": 0.65,
172
- "tier": "high",
173
- "factors": [
174
- "sev:high"
175
- ]
176
- },
177
- "apt-nation-state": {
178
- "score": 0.65,
179
- "tier": "high",
180
- "factors": [
181
- "sev:high"
182
- ]
183
- },
184
- "supply-chain-attacker": {
185
- "score": 0.65,
186
- "tier": "high",
187
- "factors": [
188
- "sev:high"
189
- ]
190
- },
191
- "malicious-insider": {
192
- "score": 0.65,
193
- "tier": "high",
194
- "factors": [
195
- "sev:high"
196
- ]
197
- }
198
- },
199
- "personaTopTwo": [
200
- "script-kiddie",
201
- "opportunistic-criminal"
202
- ],
203
- "personaMaxName": "script-kiddie",
204
- "personaMaxScore": 0.65,
205
- "reverseExposure": null,
206
- "specMined": null,
207
- "whyFired": {
208
- "detector": "sast/prompt-template-user-input-interpolated-",
209
- "ruleId": "CWE-1336",
210
- "parser": "pattern",
211
- "evidence": {
212
- "sinkSnippet": "const PROMPT_TEMPLATE = `You are a senior application security engineer reviewing a candidate finding from a static analysis tool.",
213
- "sourceSnippet": null,
214
- "pathSteps": [],
215
- "sanitizers": [],
216
- "guards": []
217
- },
218
- "considered": {
219
- "suppressionsApplied": [],
220
- "suppressionsSkipped": [],
221
- "reachabilityFilter": "unaffected",
222
- "clusterCollapsed": false,
223
- "typeNarrowed": false,
224
- "crownJewelTier": "low-value",
225
- "mitigationVerdict": "unreachable-in-prod"
226
- },
227
- "scanner": {
228
- "rulesetVersion": null,
229
- "packHash": null,
230
- "modelId": null
231
- }
232
- },
233
- "adversaryTranscript": null,
234
- "predictedBountyUsd": null,
235
- "bountyConfidence": null,
236
- "attackPlaybook": null
237
- },
238
- {
239
- "id": "struct:consistency.js:66:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
240
- "kind": "sast",
241
- "severity": "medium",
242
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
243
- "cwe": "CWE-400",
244
- "owaspLlm": null,
245
- "stride": "Denial of Service",
246
- "file": "consistency.js",
247
- "line": 66,
248
- "snippet": "if (fs.existsSync(cacheDir)) {",
249
- "fix": null,
250
- "reachable": false,
251
- "triage": 22,
252
- "dataClasses": [],
253
- "chain": null,
254
- "confidence": 0.212,
255
- "toxicity": 28,
256
- "toxicityFactors": [
257
- "http-facing"
258
- ],
259
- "toxicityLabel": "Medium",
260
- "sources": null,
261
- "epssScore": null,
262
- "epssPercentile": null,
263
- "epssCve": null,
264
- "exploitedNow": false,
265
- "tags": null,
266
- "blastRadius": {
267
- "scope": "all-users",
268
- "dataAtRisk": [
269
- "config"
270
- ],
271
- "userCount": 50,
272
- "industry": "generic",
273
- "jurisdictions": [],
274
- "controlsApplied": [],
275
- "dollarBest": 23250,
276
- "dollarLikely": 136250,
277
- "dollarWorst": 775000,
278
- "dollarLow": 23250,
279
- "dollarHigh": 775000,
280
- "components": {
281
- "incidentResponse": {
282
- "low": 8000,
283
- "likely": 50000,
284
- "high": 250000
285
- },
286
- "legal": {
287
- "low": 10000,
288
- "likely": 75000,
289
- "high": 500000
290
- },
291
- "crisisPR": {
292
- "low": 0,
293
- "likely": 0,
294
- "high": 0
295
- },
296
- "notification": {
297
- "low": 5000,
298
- "likely": 10000,
299
- "high": 15000
300
- },
301
- "creditMonitoring": {
302
- "low": 0,
303
- "likely": 0,
304
- "high": 0
305
- },
306
- "regulatoryFines": {
307
- "low": 0,
308
- "likely": 0,
309
- "high": 0
310
- },
311
- "directDamage": {
312
- "low": 250,
313
- "likely": 1250,
314
- "high": 10000
315
- },
316
- "classAction": {
317
- "low": 0,
318
- "likely": 0,
319
- "high": 0
320
- },
321
- "lostBusiness": {
322
- "low": 0,
323
- "likely": 0,
324
- "high": 0
325
- }
326
- },
327
- "dominantDriver": "legal counsel",
328
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
329
- "confidence": "low",
330
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `consistency.js:66` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
331
- },
332
- "stableId": "cd1c964ce2e49d49",
333
- "confidenceTier": "very-low",
334
- "exploitability": 0.2,
335
- "exploitabilityTier": "low",
336
- "exploitabilityFactors": [
337
- "sev:medium",
338
- "unreachable"
339
- ],
340
- "clusterSize": null,
341
- "unreachable": false,
342
- "validator_verdict": "unvalidated",
343
- "llm_confidence": null,
344
- "unvalidated": true,
345
- "cross_language": false,
346
- "family": "dos-sync-io",
347
- "_unsigned": false,
348
- "_passThroughSigning": false,
349
- "signatureStatus": "verified",
350
- "regression_test": null,
351
- "poc": null,
352
- "calibrated_confidence": null,
353
- "calibrated_confidence_ci": null,
354
- "calibrated_n": 0,
355
- "calibration_reason": "no-history",
356
- "verifier_verdict": "cannot-verify",
357
- "verifier_reason": "no-poc-no-sanitizer-rule",
358
- "verifier_runner": null,
359
- "narration": null,
360
- "mitigationVerdict": "unreachable-in-prod",
361
- "mitigationsApplied": [],
362
- "mitigatedByWaf": false,
363
- "wafRuleId": null,
364
- "mitigatedByAuth": false,
365
- "authMechanism": null,
366
- "mitigatedByNetwork": false,
367
- "networkExposure": null,
368
- "featureFlag": null,
369
- "featureFlagState": null,
370
- "featureFlagRollout": null,
371
- "exposedInProd": false,
372
- "unreachableInProd": true,
373
- "coldPath": false,
374
- "hotPath": false,
375
- "prodRequestCount": null,
376
- "crownJewelScore": 0,
377
- "crownJewelTier": "unknown",
378
- "crownJewelFactors": [],
379
- "cloneClusterId": "31e29761689a4980",
380
- "cloneClusterSize": 1,
381
- "provenance": "human-likely",
382
- "provenanceScore": 0.22,
383
- "typeNarrowed": null,
384
- "strideCategory": "denialOfService",
385
- "personaScores": {
386
- "script-kiddie": {
387
- "score": 0.4,
388
- "tier": "medium",
389
- "factors": [
390
- "sev:medium"
391
- ]
392
- },
393
- "opportunistic-criminal": {
394
- "score": 0.4,
395
- "tier": "medium",
396
- "factors": [
397
- "sev:medium"
398
- ]
399
- },
400
- "apt-nation-state": {
401
- "score": 0.4,
402
- "tier": "medium",
403
- "factors": [
404
- "sev:medium"
405
- ]
406
- },
407
- "supply-chain-attacker": {
408
- "score": 0.4,
409
- "tier": "medium",
410
- "factors": [
411
- "sev:medium"
412
- ]
413
- },
414
- "malicious-insider": {
415
- "score": 0.4,
416
- "tier": "medium",
417
- "factors": [
418
- "sev:medium"
419
- ]
420
- }
421
- },
422
- "personaTopTwo": [
423
- "script-kiddie",
424
- "opportunistic-criminal"
425
- ],
426
- "personaMaxName": "script-kiddie",
427
- "personaMaxScore": 0.4,
428
- "reverseExposure": null,
429
- "specMined": null,
430
- "whyFired": {
431
- "detector": "sast/dos-sync-io",
432
- "ruleId": "CWE-400",
433
- "parser": "STRUCTURAL",
434
- "evidence": {
435
- "sinkSnippet": "if (fs.existsSync(cacheDir)) {",
436
- "sourceSnippet": "if (fs.existsSync(cacheDir)) {",
437
- "pathSteps": [],
438
- "sanitizers": [],
439
- "guards": []
440
- },
441
- "considered": {
442
- "suppressionsApplied": [],
443
- "suppressionsSkipped": [],
444
- "reachabilityFilter": "unaffected",
445
- "clusterCollapsed": false,
446
- "typeNarrowed": false,
447
- "crownJewelTier": "unknown",
448
- "mitigationVerdict": "unreachable-in-prod"
449
- },
450
- "scanner": {
451
- "rulesetVersion": null,
452
- "packHash": null,
453
- "modelId": null
454
- }
455
- },
456
- "adversaryTranscript": null,
457
- "predictedBountyUsd": {
458
- "low": 10,
459
- "likely": 40,
460
- "high": 120,
461
- "program": "web2"
462
- },
463
- "bountyConfidence": "high",
464
- "attackPlaybook": null
465
- },
466
- {
467
- "id": "struct:consistency.js:67:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
468
- "kind": "sast",
469
- "severity": "medium",
470
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
471
- "cwe": "CWE-400",
472
- "owaspLlm": null,
473
- "stride": "Denial of Service",
474
- "file": "consistency.js",
475
- "line": 67,
476
- "snippet": "for (const e of fs.readdirSync(cacheDir)) fs.unlinkSync(path.join(cacheDir, e));",
477
- "fix": null,
478
- "reachable": false,
479
- "triage": 22,
480
- "dataClasses": [],
481
- "chain": null,
482
- "confidence": 0.212,
483
- "toxicity": 28,
484
- "toxicityFactors": [
485
- "http-facing"
486
- ],
487
- "toxicityLabel": "Medium",
488
- "sources": null,
489
- "epssScore": null,
490
- "epssPercentile": null,
491
- "epssCve": null,
492
- "exploitedNow": false,
493
- "tags": null,
494
- "blastRadius": {
495
- "scope": "all-users",
496
- "dataAtRisk": [
497
- "config"
498
- ],
499
- "userCount": 50,
500
- "industry": "generic",
501
- "jurisdictions": [],
502
- "controlsApplied": [],
503
- "dollarBest": 23250,
504
- "dollarLikely": 136250,
505
- "dollarWorst": 775000,
506
- "dollarLow": 23250,
507
- "dollarHigh": 775000,
508
- "components": {
509
- "incidentResponse": {
510
- "low": 8000,
511
- "likely": 50000,
512
- "high": 250000
513
- },
514
- "legal": {
515
- "low": 10000,
516
- "likely": 75000,
517
- "high": 500000
518
- },
519
- "crisisPR": {
520
- "low": 0,
521
- "likely": 0,
522
- "high": 0
523
- },
524
- "notification": {
525
- "low": 5000,
526
- "likely": 10000,
527
- "high": 15000
528
- },
529
- "creditMonitoring": {
530
- "low": 0,
531
- "likely": 0,
532
- "high": 0
533
- },
534
- "regulatoryFines": {
535
- "low": 0,
536
- "likely": 0,
537
- "high": 0
538
- },
539
- "directDamage": {
540
- "low": 250,
541
- "likely": 1250,
542
- "high": 10000
543
- },
544
- "classAction": {
545
- "low": 0,
546
- "likely": 0,
547
- "high": 0
548
- },
549
- "lostBusiness": {
550
- "low": 0,
551
- "likely": 0,
552
- "high": 0
553
- }
554
- },
555
- "dominantDriver": "legal counsel",
556
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
557
- "confidence": "low",
558
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `consistency.js:67` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
559
- },
560
- "stableId": "60e3b2db8a750099",
561
- "confidenceTier": "very-low",
562
- "exploitability": 0.2,
563
- "exploitabilityTier": "low",
564
- "exploitabilityFactors": [
565
- "sev:medium",
566
- "unreachable"
567
- ],
568
- "clusterSize": null,
569
- "unreachable": false,
570
- "validator_verdict": "unvalidated",
571
- "llm_confidence": null,
572
- "unvalidated": true,
573
- "cross_language": false,
574
- "family": "dos-sync-io",
575
- "_unsigned": false,
576
- "_passThroughSigning": false,
577
- "signatureStatus": "verified",
578
- "regression_test": null,
579
- "poc": null,
580
- "calibrated_confidence": null,
581
- "calibrated_confidence_ci": null,
582
- "calibrated_n": 0,
583
- "calibration_reason": "no-history",
584
- "verifier_verdict": "cannot-verify",
585
- "verifier_reason": "no-poc-no-sanitizer-rule",
586
- "verifier_runner": null,
587
- "narration": null,
588
- "mitigationVerdict": "unreachable-in-prod",
589
- "mitigationsApplied": [],
590
- "mitigatedByWaf": false,
591
- "wafRuleId": null,
592
- "mitigatedByAuth": false,
593
- "authMechanism": null,
594
- "mitigatedByNetwork": false,
595
- "networkExposure": null,
596
- "featureFlag": null,
597
- "featureFlagState": null,
598
- "featureFlagRollout": null,
599
- "exposedInProd": false,
600
- "unreachableInProd": true,
601
- "coldPath": false,
602
- "hotPath": false,
603
- "prodRequestCount": null,
604
- "crownJewelScore": 0,
605
- "crownJewelTier": "unknown",
606
- "crownJewelFactors": [],
607
- "cloneClusterId": "88afe4820dcb8a38",
608
- "cloneClusterSize": 1,
609
- "provenance": "human-likely",
610
- "provenanceScore": 0.22,
611
- "typeNarrowed": null,
612
- "strideCategory": "denialOfService",
613
- "personaScores": {
614
- "script-kiddie": {
615
- "score": 0.4,
616
- "tier": "medium",
617
- "factors": [
618
- "sev:medium"
619
- ]
620
- },
621
- "opportunistic-criminal": {
622
- "score": 0.4,
623
- "tier": "medium",
624
- "factors": [
625
- "sev:medium"
626
- ]
627
- },
628
- "apt-nation-state": {
629
- "score": 0.4,
630
- "tier": "medium",
631
- "factors": [
632
- "sev:medium"
633
- ]
634
- },
635
- "supply-chain-attacker": {
636
- "score": 0.4,
637
- "tier": "medium",
638
- "factors": [
639
- "sev:medium"
640
- ]
641
- },
642
- "malicious-insider": {
643
- "score": 0.4,
644
- "tier": "medium",
645
- "factors": [
646
- "sev:medium"
647
- ]
648
- }
649
- },
650
- "personaTopTwo": [
651
- "script-kiddie",
652
- "opportunistic-criminal"
653
- ],
654
- "personaMaxName": "script-kiddie",
655
- "personaMaxScore": 0.4,
656
- "reverseExposure": null,
657
- "specMined": null,
658
- "whyFired": {
659
- "detector": "sast/dos-sync-io",
660
- "ruleId": "CWE-400",
661
- "parser": "STRUCTURAL",
662
- "evidence": {
663
- "sinkSnippet": "for (const e of fs.readdirSync(cacheDir)) fs.unlinkSync(path.join(cacheDir, e));",
664
- "sourceSnippet": "for (const e of fs.readdirSync(cacheDir)) fs.unlinkSync(path.join(cacheDir, e));",
665
- "pathSteps": [],
666
- "sanitizers": [],
667
- "guards": []
668
- },
669
- "considered": {
670
- "suppressionsApplied": [],
671
- "suppressionsSkipped": [],
672
- "reachabilityFilter": "unaffected",
673
- "clusterCollapsed": false,
674
- "typeNarrowed": false,
675
- "crownJewelTier": "unknown",
676
- "mitigationVerdict": "unreachable-in-prod"
677
- },
678
- "scanner": {
679
- "rulesetVersion": null,
680
- "packHash": null,
681
- "modelId": null
682
- }
683
- },
684
- "adversaryTranscript": null,
685
- "predictedBountyUsd": {
686
- "low": 10,
687
- "likely": 40,
688
- "high": 120,
689
- "program": "web2"
690
- },
691
- "bountyConfidence": "high",
692
- "attackPlaybook": null
693
- },
694
- {
695
- "id": "struct:index.js:116:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
696
- "kind": "sast",
697
- "severity": "medium",
698
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
699
- "cwe": "CWE-400",
700
- "owaspLlm": null,
701
- "stride": "Denial of Service",
702
- "file": "index.js",
703
- "line": 116,
704
- "snippet": "if (!fs.existsSync(fp)) return null;",
705
- "fix": null,
706
- "reachable": false,
707
- "triage": 22,
708
- "dataClasses": [],
709
- "chain": null,
710
- "confidence": 0.212,
711
- "toxicity": 28,
712
- "toxicityFactors": [
713
- "http-facing"
714
- ],
715
- "toxicityLabel": "Medium",
716
- "sources": null,
717
- "epssScore": null,
718
- "epssPercentile": null,
719
- "epssCve": null,
720
- "exploitedNow": false,
721
- "tags": null,
722
- "blastRadius": {
723
- "scope": "all-users",
724
- "dataAtRisk": [
725
- "config"
726
- ],
727
- "userCount": 50,
728
- "industry": "generic",
729
- "jurisdictions": [],
730
- "controlsApplied": [],
731
- "dollarBest": 23250,
732
- "dollarLikely": 136250,
733
- "dollarWorst": 775000,
734
- "dollarLow": 23250,
735
- "dollarHigh": 775000,
736
- "components": {
737
- "incidentResponse": {
738
- "low": 8000,
739
- "likely": 50000,
740
- "high": 250000
741
- },
742
- "legal": {
743
- "low": 10000,
744
- "likely": 75000,
745
- "high": 500000
746
- },
747
- "crisisPR": {
748
- "low": 0,
749
- "likely": 0,
750
- "high": 0
751
- },
752
- "notification": {
753
- "low": 5000,
754
- "likely": 10000,
755
- "high": 15000
756
- },
757
- "creditMonitoring": {
758
- "low": 0,
759
- "likely": 0,
760
- "high": 0
761
- },
762
- "regulatoryFines": {
763
- "low": 0,
764
- "likely": 0,
765
- "high": 0
766
- },
767
- "directDamage": {
768
- "low": 250,
769
- "likely": 1250,
770
- "high": 10000
771
- },
772
- "classAction": {
773
- "low": 0,
774
- "likely": 0,
775
- "high": 0
776
- },
777
- "lostBusiness": {
778
- "low": 0,
779
- "likely": 0,
780
- "high": 0
781
- }
782
- },
783
- "dominantDriver": "legal counsel",
784
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
785
- "confidence": "low",
786
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `index.js:116` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
787
- },
788
- "stableId": "91cf2e9bd1fe407b",
789
- "confidenceTier": "very-low",
790
- "exploitability": 0.2,
791
- "exploitabilityTier": "low",
792
- "exploitabilityFactors": [
793
- "sev:medium",
794
- "unreachable"
795
- ],
796
- "clusterSize": null,
797
- "unreachable": false,
798
- "validator_verdict": "unvalidated",
799
- "llm_confidence": null,
800
- "unvalidated": true,
801
- "cross_language": false,
802
- "family": "dos-sync-io",
803
- "_unsigned": false,
804
- "_passThroughSigning": false,
805
- "signatureStatus": "verified",
806
- "regression_test": null,
807
- "poc": null,
808
- "calibrated_confidence": null,
809
- "calibrated_confidence_ci": null,
810
- "calibrated_n": 0,
811
- "calibration_reason": "no-history",
812
- "verifier_verdict": "cannot-verify",
813
- "verifier_reason": "no-poc-no-sanitizer-rule",
814
- "verifier_runner": null,
815
- "narration": null,
816
- "mitigationVerdict": "unreachable-in-prod",
817
- "mitigationsApplied": [],
818
- "mitigatedByWaf": false,
819
- "wafRuleId": null,
820
- "mitigatedByAuth": false,
821
- "authMechanism": null,
822
- "mitigatedByNetwork": false,
823
- "networkExposure": null,
824
- "featureFlag": null,
825
- "featureFlagState": null,
826
- "featureFlagRollout": null,
827
- "exposedInProd": false,
828
- "unreachableInProd": true,
829
- "coldPath": false,
830
- "hotPath": false,
831
- "prodRequestCount": null,
832
- "crownJewelScore": 0.1,
833
- "crownJewelTier": "low-value",
834
- "crownJewelFactors": [
835
- "reads-secret-env"
836
- ],
837
- "cloneClusterId": "66b8a8c25816e7f9",
838
- "cloneClusterSize": 2,
839
- "provenance": "human-likely",
840
- "provenanceScore": 0.18,
841
- "typeNarrowed": null,
842
- "strideCategory": "denialOfService",
843
- "personaScores": {
844
- "script-kiddie": {
845
- "score": 0.4,
846
- "tier": "medium",
847
- "factors": [
848
- "sev:medium"
849
- ]
850
- },
851
- "opportunistic-criminal": {
852
- "score": 0.4,
853
- "tier": "medium",
854
- "factors": [
855
- "sev:medium"
856
- ]
857
- },
858
- "apt-nation-state": {
859
- "score": 0.4,
860
- "tier": "medium",
861
- "factors": [
862
- "sev:medium"
863
- ]
864
- },
865
- "supply-chain-attacker": {
866
- "score": 0.4,
867
- "tier": "medium",
868
- "factors": [
869
- "sev:medium"
870
- ]
871
- },
872
- "malicious-insider": {
873
- "score": 0.4,
874
- "tier": "medium",
875
- "factors": [
876
- "sev:medium"
877
- ]
878
- }
879
- },
880
- "personaTopTwo": [
881
- "script-kiddie",
882
- "opportunistic-criminal"
883
- ],
884
- "personaMaxName": "script-kiddie",
885
- "personaMaxScore": 0.4,
886
- "reverseExposure": null,
887
- "specMined": null,
888
- "whyFired": {
889
- "detector": "sast/dos-sync-io",
890
- "ruleId": "CWE-400",
891
- "parser": "STRUCTURAL",
892
- "evidence": {
893
- "sinkSnippet": "if (!fs.existsSync(fp)) return null;",
894
- "sourceSnippet": "if (!fs.existsSync(fp)) return null;",
895
- "pathSteps": [],
896
- "sanitizers": [],
897
- "guards": []
898
- },
899
- "considered": {
900
- "suppressionsApplied": [],
901
- "suppressionsSkipped": [],
902
- "reachabilityFilter": "unaffected",
903
- "clusterCollapsed": false,
904
- "typeNarrowed": false,
905
- "crownJewelTier": "low-value",
906
- "mitigationVerdict": "unreachable-in-prod"
907
- },
908
- "scanner": {
909
- "rulesetVersion": null,
910
- "packHash": null,
911
- "modelId": null
912
- }
913
- },
914
- "adversaryTranscript": null,
915
- "predictedBountyUsd": {
916
- "low": 10,
917
- "likely": 40,
918
- "high": 120,
919
- "program": "web2"
920
- },
921
- "bountyConfidence": "high",
922
- "attackPlaybook": null
923
- },
924
- {
925
- "id": "struct:index.js:117:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
926
- "kind": "sast",
927
- "severity": "medium",
928
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
929
- "cwe": "CWE-400",
930
- "owaspLlm": null,
931
- "stride": "Denial of Service",
932
- "file": "index.js",
933
- "line": 117,
934
- "snippet": "try { return JSON.parse(fs.readFileSync(fp, 'utf8')); } catch { return null; }",
935
- "fix": null,
936
- "reachable": false,
937
- "triage": 22,
938
- "dataClasses": [],
939
- "chain": null,
940
- "confidence": 0.212,
941
- "toxicity": 28,
942
- "toxicityFactors": [
943
- "http-facing"
944
- ],
945
- "toxicityLabel": "Medium",
946
- "sources": null,
947
- "epssScore": null,
948
- "epssPercentile": null,
949
- "epssCve": null,
950
- "exploitedNow": false,
951
- "tags": null,
952
- "blastRadius": {
953
- "scope": "all-users",
954
- "dataAtRisk": [
955
- "config"
956
- ],
957
- "userCount": 50,
958
- "industry": "generic",
959
- "jurisdictions": [],
960
- "controlsApplied": [],
961
- "dollarBest": 23250,
962
- "dollarLikely": 136250,
963
- "dollarWorst": 775000,
964
- "dollarLow": 23250,
965
- "dollarHigh": 775000,
966
- "components": {
967
- "incidentResponse": {
968
- "low": 8000,
969
- "likely": 50000,
970
- "high": 250000
971
- },
972
- "legal": {
973
- "low": 10000,
974
- "likely": 75000,
975
- "high": 500000
976
- },
977
- "crisisPR": {
978
- "low": 0,
979
- "likely": 0,
980
- "high": 0
981
- },
982
- "notification": {
983
- "low": 5000,
984
- "likely": 10000,
985
- "high": 15000
986
- },
987
- "creditMonitoring": {
988
- "low": 0,
989
- "likely": 0,
990
- "high": 0
991
- },
992
- "regulatoryFines": {
993
- "low": 0,
994
- "likely": 0,
995
- "high": 0
996
- },
997
- "directDamage": {
998
- "low": 250,
999
- "likely": 1250,
1000
- "high": 10000
1001
- },
1002
- "classAction": {
1003
- "low": 0,
1004
- "likely": 0,
1005
- "high": 0
1006
- },
1007
- "lostBusiness": {
1008
- "low": 0,
1009
- "likely": 0,
1010
- "high": 0
1011
- }
1012
- },
1013
- "dominantDriver": "legal counsel",
1014
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1015
- "confidence": "low",
1016
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `index.js:117` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1017
- },
1018
- "stableId": "b3bc63cb273757a2",
1019
- "confidenceTier": "very-low",
1020
- "exploitability": 0.2,
1021
- "exploitabilityTier": "low",
1022
- "exploitabilityFactors": [
1023
- "sev:medium",
1024
- "unreachable"
1025
- ],
1026
- "clusterSize": null,
1027
- "unreachable": false,
1028
- "validator_verdict": "unvalidated",
1029
- "llm_confidence": null,
1030
- "unvalidated": true,
1031
- "cross_language": false,
1032
- "family": "dos-sync-io",
1033
- "_unsigned": false,
1034
- "_passThroughSigning": false,
1035
- "signatureStatus": "verified",
1036
- "regression_test": null,
1037
- "poc": null,
1038
- "calibrated_confidence": null,
1039
- "calibrated_confidence_ci": null,
1040
- "calibrated_n": 0,
1041
- "calibration_reason": "no-history",
1042
- "verifier_verdict": "cannot-verify",
1043
- "verifier_reason": "no-poc-no-sanitizer-rule",
1044
- "verifier_runner": null,
1045
- "narration": null,
1046
- "mitigationVerdict": "unreachable-in-prod",
1047
- "mitigationsApplied": [],
1048
- "mitigatedByWaf": false,
1049
- "wafRuleId": null,
1050
- "mitigatedByAuth": false,
1051
- "authMechanism": null,
1052
- "mitigatedByNetwork": false,
1053
- "networkExposure": null,
1054
- "featureFlag": null,
1055
- "featureFlagState": null,
1056
- "featureFlagRollout": null,
1057
- "exposedInProd": false,
1058
- "unreachableInProd": true,
1059
- "coldPath": false,
1060
- "hotPath": false,
1061
- "prodRequestCount": null,
1062
- "crownJewelScore": 0.1,
1063
- "crownJewelTier": "low-value",
1064
- "crownJewelFactors": [
1065
- "reads-secret-env"
1066
- ],
1067
- "cloneClusterId": "29d998f79544cba7",
1068
- "cloneClusterSize": 1,
1069
- "provenance": "human-likely",
1070
- "provenanceScore": 0.18,
1071
- "typeNarrowed": null,
1072
- "strideCategory": "denialOfService",
1073
- "personaScores": {
1074
- "script-kiddie": {
1075
- "score": 0.4,
1076
- "tier": "medium",
1077
- "factors": [
1078
- "sev:medium"
1079
- ]
1080
- },
1081
- "opportunistic-criminal": {
1082
- "score": 0.4,
1083
- "tier": "medium",
1084
- "factors": [
1085
- "sev:medium"
1086
- ]
1087
- },
1088
- "apt-nation-state": {
1089
- "score": 0.4,
1090
- "tier": "medium",
1091
- "factors": [
1092
- "sev:medium"
1093
- ]
1094
- },
1095
- "supply-chain-attacker": {
1096
- "score": 0.4,
1097
- "tier": "medium",
1098
- "factors": [
1099
- "sev:medium"
1100
- ]
1101
- },
1102
- "malicious-insider": {
1103
- "score": 0.4,
1104
- "tier": "medium",
1105
- "factors": [
1106
- "sev:medium"
1107
- ]
1108
- }
1109
- },
1110
- "personaTopTwo": [
1111
- "script-kiddie",
1112
- "opportunistic-criminal"
1113
- ],
1114
- "personaMaxName": "script-kiddie",
1115
- "personaMaxScore": 0.4,
1116
- "reverseExposure": null,
1117
- "specMined": null,
1118
- "whyFired": {
1119
- "detector": "sast/dos-sync-io",
1120
- "ruleId": "CWE-400",
1121
- "parser": "STRUCTURAL",
1122
- "evidence": {
1123
- "sinkSnippet": "try { return JSON.parse(fs.readFileSync(fp, 'utf8')); } catch { return null; }",
1124
- "sourceSnippet": "try { return JSON.parse(fs.readFileSync(fp, 'utf8')); } catch { return null; }",
1125
- "pathSteps": [],
1126
- "sanitizers": [],
1127
- "guards": []
1128
- },
1129
- "considered": {
1130
- "suppressionsApplied": [],
1131
- "suppressionsSkipped": [],
1132
- "reachabilityFilter": "unaffected",
1133
- "clusterCollapsed": false,
1134
- "typeNarrowed": false,
1135
- "crownJewelTier": "low-value",
1136
- "mitigationVerdict": "unreachable-in-prod"
1137
- },
1138
- "scanner": {
1139
- "rulesetVersion": null,
1140
- "packHash": null,
1141
- "modelId": null
1142
- }
1143
- },
1144
- "adversaryTranscript": null,
1145
- "predictedBountyUsd": {
1146
- "low": 10,
1147
- "likely": 40,
1148
- "high": 120,
1149
- "program": "web2"
1150
- },
1151
- "bountyConfidence": "high",
1152
- "attackPlaybook": null
1153
- },
1154
- {
1155
- "id": "struct:index.js:123:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1156
- "kind": "sast",
1157
- "severity": "medium",
1158
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1159
- "cwe": "CWE-400",
1160
- "owaspLlm": null,
1161
- "stride": "Denial of Service",
1162
- "file": "index.js",
1163
- "line": 123,
1164
- "snippet": "try { fs.writeFileSync(fp, JSON.stringify(value, null, 2)); } catch {}",
1165
- "fix": null,
1166
- "reachable": false,
1167
- "triage": 22,
1168
- "dataClasses": [],
1169
- "chain": null,
1170
- "confidence": 0.212,
1171
- "toxicity": 28,
1172
- "toxicityFactors": [
1173
- "http-facing"
1174
- ],
1175
- "toxicityLabel": "Medium",
1176
- "sources": null,
1177
- "epssScore": null,
1178
- "epssPercentile": null,
1179
- "epssCve": null,
1180
- "exploitedNow": false,
1181
- "tags": null,
1182
- "blastRadius": {
1183
- "scope": "all-users",
1184
- "dataAtRisk": [
1185
- "config"
1186
- ],
1187
- "userCount": 50,
1188
- "industry": "generic",
1189
- "jurisdictions": [],
1190
- "controlsApplied": [],
1191
- "dollarBest": 23250,
1192
- "dollarLikely": 136250,
1193
- "dollarWorst": 775000,
1194
- "dollarLow": 23250,
1195
- "dollarHigh": 775000,
1196
- "components": {
1197
- "incidentResponse": {
1198
- "low": 8000,
1199
- "likely": 50000,
1200
- "high": 250000
1201
- },
1202
- "legal": {
1203
- "low": 10000,
1204
- "likely": 75000,
1205
- "high": 500000
1206
- },
1207
- "crisisPR": {
1208
- "low": 0,
1209
- "likely": 0,
1210
- "high": 0
1211
- },
1212
- "notification": {
1213
- "low": 5000,
1214
- "likely": 10000,
1215
- "high": 15000
1216
- },
1217
- "creditMonitoring": {
1218
- "low": 0,
1219
- "likely": 0,
1220
- "high": 0
1221
- },
1222
- "regulatoryFines": {
1223
- "low": 0,
1224
- "likely": 0,
1225
- "high": 0
1226
- },
1227
- "directDamage": {
1228
- "low": 250,
1229
- "likely": 1250,
1230
- "high": 10000
1231
- },
1232
- "classAction": {
1233
- "low": 0,
1234
- "likely": 0,
1235
- "high": 0
1236
- },
1237
- "lostBusiness": {
1238
- "low": 0,
1239
- "likely": 0,
1240
- "high": 0
1241
- }
1242
- },
1243
- "dominantDriver": "legal counsel",
1244
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1245
- "confidence": "low",
1246
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `index.js:123` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1247
- },
1248
- "stableId": "f1bcad60f84cd7d8",
1249
- "confidenceTier": "very-low",
1250
- "exploitability": 0.2,
1251
- "exploitabilityTier": "low",
1252
- "exploitabilityFactors": [
1253
- "sev:medium",
1254
- "unreachable"
1255
- ],
1256
- "clusterSize": null,
1257
- "unreachable": false,
1258
- "validator_verdict": "unvalidated",
1259
- "llm_confidence": null,
1260
- "unvalidated": true,
1261
- "cross_language": false,
1262
- "family": "dos-sync-io",
1263
- "_unsigned": false,
1264
- "_passThroughSigning": false,
1265
- "signatureStatus": "verified",
1266
- "regression_test": null,
1267
- "poc": null,
1268
- "calibrated_confidence": null,
1269
- "calibrated_confidence_ci": null,
1270
- "calibrated_n": 0,
1271
- "calibration_reason": "no-history",
1272
- "verifier_verdict": "cannot-verify",
1273
- "verifier_reason": "no-poc-no-sanitizer-rule",
1274
- "verifier_runner": null,
1275
- "narration": null,
1276
- "mitigationVerdict": "unreachable-in-prod",
1277
- "mitigationsApplied": [],
1278
- "mitigatedByWaf": false,
1279
- "wafRuleId": null,
1280
- "mitigatedByAuth": false,
1281
- "authMechanism": null,
1282
- "mitigatedByNetwork": false,
1283
- "networkExposure": null,
1284
- "featureFlag": null,
1285
- "featureFlagState": null,
1286
- "featureFlagRollout": null,
1287
- "exposedInProd": false,
1288
- "unreachableInProd": true,
1289
- "coldPath": false,
1290
- "hotPath": false,
1291
- "prodRequestCount": null,
1292
- "crownJewelScore": 0.1,
1293
- "crownJewelTier": "low-value",
1294
- "crownJewelFactors": [
1295
- "reads-secret-env"
1296
- ],
1297
- "cloneClusterId": "55a282f0f3dd72ac",
1298
- "cloneClusterSize": 1,
1299
- "provenance": "human-likely",
1300
- "provenanceScore": 0.18,
1301
- "typeNarrowed": null,
1302
- "strideCategory": "denialOfService",
1303
- "personaScores": {
1304
- "script-kiddie": {
1305
- "score": 0.4,
1306
- "tier": "medium",
1307
- "factors": [
1308
- "sev:medium"
1309
- ]
1310
- },
1311
- "opportunistic-criminal": {
1312
- "score": 0.4,
1313
- "tier": "medium",
1314
- "factors": [
1315
- "sev:medium"
1316
- ]
1317
- },
1318
- "apt-nation-state": {
1319
- "score": 0.4,
1320
- "tier": "medium",
1321
- "factors": [
1322
- "sev:medium"
1323
- ]
1324
- },
1325
- "supply-chain-attacker": {
1326
- "score": 0.4,
1327
- "tier": "medium",
1328
- "factors": [
1329
- "sev:medium"
1330
- ]
1331
- },
1332
- "malicious-insider": {
1333
- "score": 0.4,
1334
- "tier": "medium",
1335
- "factors": [
1336
- "sev:medium"
1337
- ]
1338
- }
1339
- },
1340
- "personaTopTwo": [
1341
- "script-kiddie",
1342
- "opportunistic-criminal"
1343
- ],
1344
- "personaMaxName": "script-kiddie",
1345
- "personaMaxScore": 0.4,
1346
- "reverseExposure": null,
1347
- "specMined": null,
1348
- "whyFired": {
1349
- "detector": "sast/dos-sync-io",
1350
- "ruleId": "CWE-400",
1351
- "parser": "STRUCTURAL",
1352
- "evidence": {
1353
- "sinkSnippet": "try { fs.writeFileSync(fp, JSON.stringify(value, null, 2)); } catch {}",
1354
- "sourceSnippet": "try { fs.writeFileSync(fp, JSON.stringify(value, null, 2)); } catch {}",
1355
- "pathSteps": [],
1356
- "sanitizers": [],
1357
- "guards": []
1358
- },
1359
- "considered": {
1360
- "suppressionsApplied": [],
1361
- "suppressionsSkipped": [],
1362
- "reachabilityFilter": "unaffected",
1363
- "clusterCollapsed": false,
1364
- "typeNarrowed": false,
1365
- "crownJewelTier": "low-value",
1366
- "mitigationVerdict": "unreachable-in-prod"
1367
- },
1368
- "scanner": {
1369
- "rulesetVersion": null,
1370
- "packHash": null,
1371
- "modelId": null
1372
- }
1373
- },
1374
- "adversaryTranscript": null,
1375
- "predictedBountyUsd": {
1376
- "low": 10,
1377
- "likely": 40,
1378
- "high": 120,
1379
- "program": "web2"
1380
- },
1381
- "bountyConfidence": "high",
1382
- "attackPlaybook": null
1383
- },
1384
- {
1385
- "id": "toctou-fs:index.js:116",
1386
- "kind": "sast",
1387
- "severity": "medium",
1388
- "vuln": "TOCTOU: file existence/permission check before open",
1389
- "cwe": "CWE-367",
1390
- "owaspLlm": null,
1391
- "stride": "Tampering",
1392
- "file": "index.js",
1393
- "line": 116,
1394
- "snippet": "if (!fs.existsSync(fp)) return null;",
1395
- "fix": null,
1396
- "reachable": false,
1397
- "triage": 22,
1398
- "dataClasses": [],
1399
- "chain": null,
1400
- "confidence": 0.7,
1401
- "toxicity": 8,
1402
- "toxicityFactors": [],
1403
- "toxicityLabel": "Low",
1404
- "sources": null,
1405
- "epssScore": null,
1406
- "epssPercentile": null,
1407
- "epssCve": null,
1408
- "exploitedNow": false,
1409
- "tags": null,
1410
- "blastRadius": {
1411
- "scope": "all-users",
1412
- "dataAtRisk": [
1413
- "config"
1414
- ],
1415
- "userCount": 50,
1416
- "industry": "generic",
1417
- "jurisdictions": [],
1418
- "controlsApplied": [],
1419
- "dollarBest": 23250,
1420
- "dollarLikely": 136250,
1421
- "dollarWorst": 775000,
1422
- "dollarLow": 23250,
1423
- "dollarHigh": 775000,
1424
- "components": {
1425
- "incidentResponse": {
1426
- "low": 8000,
1427
- "likely": 50000,
1428
- "high": 250000
1429
- },
1430
- "legal": {
1431
- "low": 10000,
1432
- "likely": 75000,
1433
- "high": 500000
1434
- },
1435
- "crisisPR": {
1436
- "low": 0,
1437
- "likely": 0,
1438
- "high": 0
1439
- },
1440
- "notification": {
1441
- "low": 5000,
1442
- "likely": 10000,
1443
- "high": 15000
1444
- },
1445
- "creditMonitoring": {
1446
- "low": 0,
1447
- "likely": 0,
1448
- "high": 0
1449
- },
1450
- "regulatoryFines": {
1451
- "low": 0,
1452
- "likely": 0,
1453
- "high": 0
1454
- },
1455
- "directDamage": {
1456
- "low": 250,
1457
- "likely": 1250,
1458
- "high": 10000
1459
- },
1460
- "classAction": {
1461
- "low": 0,
1462
- "likely": 0,
1463
- "high": 0
1464
- },
1465
- "lostBusiness": {
1466
- "low": 0,
1467
- "likely": 0,
1468
- "high": 0
1469
- }
1470
- },
1471
- "dominantDriver": "legal counsel",
1472
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1473
- "confidence": "low",
1474
- "narrative": "TOCTOU: file existence/permission check before open on `index.js:116` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1475
- },
1476
- "stableId": "e3ea9a39f5387898",
1477
- "confidenceTier": "medium",
1478
- "exploitability": 0.2,
1479
- "exploitabilityTier": "low",
1480
- "exploitabilityFactors": [
1481
- "sev:medium",
1482
- "unreachable"
1483
- ],
1484
- "clusterSize": null,
1485
- "unreachable": false,
1486
- "validator_verdict": "unvalidated",
1487
- "llm_confidence": null,
1488
- "unvalidated": true,
1489
- "cross_language": false,
1490
- "family": "toctou-file-existence-permission-check-b",
1491
- "_unsigned": false,
1492
- "_passThroughSigning": false,
1493
- "signatureStatus": "verified",
1494
- "regression_test": null,
1495
- "poc": null,
1496
- "calibrated_confidence": null,
1497
- "calibrated_confidence_ci": null,
1498
- "calibrated_n": 0,
1499
- "calibration_reason": "no-history",
1500
- "verifier_verdict": "cannot-verify",
1501
- "verifier_reason": "no-poc-no-sanitizer-rule",
1502
- "verifier_runner": null,
1503
- "narration": null,
1504
- "mitigationVerdict": "unreachable-in-prod",
1505
- "mitigationsApplied": [],
1506
- "mitigatedByWaf": false,
1507
- "wafRuleId": null,
1508
- "mitigatedByAuth": false,
1509
- "authMechanism": null,
1510
- "mitigatedByNetwork": false,
1511
- "networkExposure": null,
1512
- "featureFlag": null,
1513
- "featureFlagState": null,
1514
- "featureFlagRollout": null,
1515
- "exposedInProd": false,
1516
- "unreachableInProd": true,
1517
- "coldPath": false,
1518
- "hotPath": false,
1519
- "prodRequestCount": null,
1520
- "crownJewelScore": 0.1,
1521
- "crownJewelTier": "low-value",
1522
- "crownJewelFactors": [
1523
- "reads-secret-env"
1524
- ],
1525
- "cloneClusterId": "66b8a8c25816e7f9",
1526
- "cloneClusterSize": 2,
1527
- "provenance": "human-likely",
1528
- "provenanceScore": 0.18,
1529
- "typeNarrowed": null,
1530
- "strideCategory": "tampering",
1531
- "personaScores": {
1532
- "script-kiddie": {
1533
- "score": 0.4,
1534
- "tier": "medium",
1535
- "factors": [
1536
- "sev:medium"
1537
- ]
1538
- },
1539
- "opportunistic-criminal": {
1540
- "score": 0.4,
1541
- "tier": "medium",
1542
- "factors": [
1543
- "sev:medium"
1544
- ]
1545
- },
1546
- "apt-nation-state": {
1547
- "score": 0.4,
1548
- "tier": "medium",
1549
- "factors": [
1550
- "sev:medium"
1551
- ]
1552
- },
1553
- "supply-chain-attacker": {
1554
- "score": 0.4,
1555
- "tier": "medium",
1556
- "factors": [
1557
- "sev:medium"
1558
- ]
1559
- },
1560
- "malicious-insider": {
1561
- "score": 0.4,
1562
- "tier": "medium",
1563
- "factors": [
1564
- "sev:medium"
1565
- ]
1566
- }
1567
- },
1568
- "personaTopTwo": [
1569
- "script-kiddie",
1570
- "opportunistic-criminal"
1571
- ],
1572
- "personaMaxName": "script-kiddie",
1573
- "personaMaxScore": 0.4,
1574
- "reverseExposure": null,
1575
- "specMined": null,
1576
- "whyFired": {
1577
- "detector": "sast/toctou-file-existence-permission-check-b",
1578
- "ruleId": "CWE-367",
1579
- "parser": "TOCTOU",
1580
- "evidence": {
1581
- "sinkSnippet": "if (!fs.existsSync(fp)) return null;",
1582
- "sourceSnippet": null,
1583
- "pathSteps": [],
1584
- "sanitizers": [],
1585
- "guards": []
1586
- },
1587
- "considered": {
1588
- "suppressionsApplied": [],
1589
- "suppressionsSkipped": [],
1590
- "reachabilityFilter": "unaffected",
1591
- "clusterCollapsed": false,
1592
- "typeNarrowed": false,
1593
- "crownJewelTier": "low-value",
1594
- "mitigationVerdict": "unreachable-in-prod"
1595
- },
1596
- "scanner": {
1597
- "rulesetVersion": null,
1598
- "packHash": null,
1599
- "modelId": null
1600
- }
1601
- },
1602
- "adversaryTranscript": null,
1603
- "predictedBountyUsd": null,
1604
- "bountyConfidence": null,
1605
- "attackPlaybook": null
1606
- },
1607
- {
1608
- "id": "b73122a9107687a2",
1609
- "kind": "logic",
1610
- "severity": "medium",
1611
- "vuln": "Missing Timeout on Outbound HTTP Request (DoS)",
1612
- "cwe": "CWE-400",
1613
- "stride": "Denial of Service",
1614
- "file": "index.js",
1615
- "line": 185,
1616
- "snippet": "const r = await fetch(endpoint, { method: 'POST', headers, body: JSON.stringify(body) });",
1617
- "fix": {
1618
- "description": "Set a timeout on all outbound requests to prevent event-loop starvation from stalled upstreams.",
1619
- "code": "// fetch (Node 18+)\nconst resp = await fetch(url, { signal: AbortSignal.timeout(5000) });\n\n// axios\nawait axios.get(url, { timeout: 5000 });\n\n// node http\nconst req = http.get(url, cb);\nreq.setTimeout(5000, () => req.destroy());"
1620
- },
1621
- "blastRadius": {
1622
- "scope": "all-users",
1623
- "dataAtRisk": [
1624
- "config"
1625
- ],
1626
- "userCount": 50,
1627
- "industry": "generic",
1628
- "jurisdictions": [],
1629
- "controlsApplied": [],
1630
- "dollarBest": 23250,
1631
- "dollarLikely": 136250,
1632
- "dollarWorst": 775000,
1633
- "dollarLow": 23250,
1634
- "dollarHigh": 775000,
1635
- "components": {
1636
- "incidentResponse": {
1637
- "low": 8000,
1638
- "likely": 50000,
1639
- "high": 250000
1640
- },
1641
- "legal": {
1642
- "low": 10000,
1643
- "likely": 75000,
1644
- "high": 500000
1645
- },
1646
- "crisisPR": {
1647
- "low": 0,
1648
- "likely": 0,
1649
- "high": 0
1650
- },
1651
- "notification": {
1652
- "low": 5000,
1653
- "likely": 10000,
1654
- "high": 15000
1655
- },
1656
- "creditMonitoring": {
1657
- "low": 0,
1658
- "likely": 0,
1659
- "high": 0
1660
- },
1661
- "regulatoryFines": {
1662
- "low": 0,
1663
- "likely": 0,
1664
- "high": 0
1665
- },
1666
- "directDamage": {
1667
- "low": 250,
1668
- "likely": 1250,
1669
- "high": 10000
1670
- },
1671
- "classAction": {
1672
- "low": 0,
1673
- "likely": 0,
1674
- "high": 0
1675
- },
1676
- "lostBusiness": {
1677
- "low": 0,
1678
- "likely": 0,
1679
- "high": 0
1680
- }
1681
- },
1682
- "dominantDriver": "legal counsel",
1683
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1684
- "confidence": "low",
1685
- "narrative": "Missing Timeout on Outbound HTTP Request (DoS) on `index.js:185` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1686
- }
1687
- },
1688
- {
1689
- "id": "logic:index.js:116:TOCTOU:_existsSync_followed_by_file_op",
1690
- "kind": "logic",
1691
- "severity": "medium",
1692
- "vuln": "TOCTOU: existsSync followed by file op",
1693
- "cwe": "CWE-367",
1694
- "stride": "Tampering",
1695
- "file": "index.js",
1696
- "line": 116,
1697
- "snippet": "if (!fs.existsSync(fp)) return null;",
1698
- "fix": {
1699
- "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
1700
- "code": ""
1701
- },
1702
- "blastRadius": {
1703
- "scope": "all-users",
1704
- "dataAtRisk": [
1705
- "config"
1706
- ],
1707
- "userCount": 50,
1708
- "industry": "generic",
1709
- "jurisdictions": [],
1710
- "controlsApplied": [],
1711
- "dollarBest": 23250,
1712
- "dollarLikely": 136250,
1713
- "dollarWorst": 775000,
1714
- "dollarLow": 23250,
1715
- "dollarHigh": 775000,
1716
- "components": {
1717
- "incidentResponse": {
1718
- "low": 8000,
1719
- "likely": 50000,
1720
- "high": 250000
1721
- },
1722
- "legal": {
1723
- "low": 10000,
1724
- "likely": 75000,
1725
- "high": 500000
1726
- },
1727
- "crisisPR": {
1728
- "low": 0,
1729
- "likely": 0,
1730
- "high": 0
1731
- },
1732
- "notification": {
1733
- "low": 5000,
1734
- "likely": 10000,
1735
- "high": 15000
1736
- },
1737
- "creditMonitoring": {
1738
- "low": 0,
1739
- "likely": 0,
1740
- "high": 0
1741
- },
1742
- "regulatoryFines": {
1743
- "low": 0,
1744
- "likely": 0,
1745
- "high": 0
1746
- },
1747
- "directDamage": {
1748
- "low": 250,
1749
- "likely": 1250,
1750
- "high": 10000
1751
- },
1752
- "classAction": {
1753
- "low": 0,
1754
- "likely": 0,
1755
- "high": 0
1756
- },
1757
- "lostBusiness": {
1758
- "low": 0,
1759
- "likely": 0,
1760
- "high": 0
1761
- }
1762
- },
1763
- "dominantDriver": "legal counsel",
1764
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1765
- "confidence": "low",
1766
- "narrative": "TOCTOU: existsSync followed by file op on `index.js:116` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1767
- }
1768
- }
1769
- ],
1770
- "bundles": [],
1771
- "routes": [],
1772
- "components": [],
1773
- "suppressedCount": 2,
1774
- "blastRadiusSignals": {
1775
- "industry": "generic",
1776
- "industryConfidence": "low",
1777
- "jurisdictions": [],
1778
- "controls": [],
1779
- "estimatedUsers": 50,
1780
- "revenueIndicator": "pre-revenue",
1781
- "hasStripe": false,
1782
- "hasAuth": false,
1783
- "hasUserTable": false,
1784
- "hasPII": false,
1785
- "hasPHI": false,
1786
- "hasS3": false
1787
- },
1788
- "_v3": {
1789
- "counterfactual": {
1790
- "spofControls": [],
1791
- "controlsDetected": 28
1792
- },
1793
- "threatModel": {
1794
- "summary": {
1795
- "assetCount": 1,
1796
- "boundaryCount": 0,
1797
- "strideCounts": {
1798
- "spoofing": 0,
1799
- "tampering": 1,
1800
- "repudiation": 0,
1801
- "informationDisclosure": 0,
1802
- "denialOfService": 5,
1803
- "elevationOfPrivilege": 0
1804
- }
1805
- },
1806
- "assets": [
1807
- {
1808
- "name": "AGENTIC_SECURITY_LLM_API_KEY",
1809
- "file": "index.js",
1810
- "line": 95,
1811
- "category": "secret",
1812
- "exposure": "internal"
1813
- }
1814
- ],
1815
- "trustBoundaries": [],
1816
- "stride": {
1817
- "spoofing": [],
1818
- "tampering": [
1819
- {
1820
- "vuln": "TOCTOU: file existence/permission check before open",
1821
- "file": "index.js",
1822
- "line": 116,
1823
- "severity": "medium"
1824
- }
1825
- ],
1826
- "repudiation": [],
1827
- "informationDisclosure": [],
1828
- "denialOfService": [
1829
- {
1830
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1831
- "file": "consistency.js",
1832
- "severity": "medium"
1833
- },
1834
- {
1835
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1836
- "file": "consistency.js",
1837
- "severity": "medium"
1838
- },
1839
- {
1840
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1841
- "file": "index.js",
1842
- "severity": "medium"
1843
- },
1844
- {
1845
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1846
- "file": "index.js",
1847
- "severity": "medium"
1848
- },
1849
- {
1850
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1851
- "file": "index.js",
1852
- "severity": "medium"
1853
- }
1854
- ],
1855
- "elevationOfPrivilege": []
1856
- }
1857
- },
1858
- "trustBoundaryDiagram": {
1859
- "mermaid": "flowchart LR\n INTERNET((Internet))\n APP[\"Application\"]\n asset_secret_AGENTIC_SECURITY_LLM_API_KEY[/\"secret: AGENTIC_SECURITY_LLM_API_KEY\"/]\n APP -->|asset| asset_secret_AGENTIC_SECURITY_LLM_API_KEY\n classDef sev_critical fill:#ffcccc,stroke:#a00,stroke-width:2px;\n classDef sev_high fill:#ffe0b2,stroke:#c60,stroke-width:2px;\n classDef sev_medium fill:#fff3cd,stroke:#a80;\n classDef sev_low fill:#e8eaf6,stroke:#557;",
1860
- "nodes": [
1861
- {
1862
- "id": "INTERNET",
1863
- "kind": "external",
1864
- "label": "Internet"
1865
- },
1866
- {
1867
- "id": "APP",
1868
- "kind": "app",
1869
- "label": "Application"
1870
- },
1871
- {
1872
- "id": "asset_secret_AGENTIC_SECURITY_LLM_API_KEY",
1873
- "kind": "asset",
1874
- "label": "secret: AGENTIC_SECURITY_LLM_API_KEY"
1875
- }
1876
- ],
1877
- "edges": [
1878
- {
1879
- "from": "APP",
1880
- "to": "asset_secret_AGENTIC_SECURITY_LLM_API_KEY",
1881
- "kind": "asset"
1882
- }
1883
- ],
1884
- "decorations": []
1885
- },
1886
- "calibrationDrift": {
1887
- "alarms": [],
1888
- "note": "no-feedback-data"
1889
- }
1890
- }
1891
- }