@clear-capabilities/agentic-security-scanner 0.77.0 → 0.78.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (83) hide show
  1. package/bin/.agentic-security/findings.json +1907 -0
  2. package/bin/.agentic-security/last-scan.json +1907 -0
  3. package/bin/.agentic-security/last-scan.json.sig +1 -0
  4. package/bin/.agentic-security/scan-history.json +115 -0
  5. package/bin/.agentic-security/streak.json +20 -0
  6. package/bin/agentic-security.js +33 -2
  7. package/dist/178.index.js +1 -1
  8. package/dist/384.index.js +1 -1
  9. package/dist/637.index.js +1 -1
  10. package/dist/718.index.js +106 -0
  11. package/dist/824.index.js +126 -0
  12. package/dist/838.index.js +1 -1
  13. package/dist/agentic-security.mjs +32 -32
  14. package/dist/agentic-security.mjs.sha256 +1 -1
  15. package/package.json +3 -3
  16. package/src/.agentic-security/findings.json +82642 -0
  17. package/src/.agentic-security/last-scan.json +82642 -0
  18. package/src/.agentic-security/last-scan.json.sig +1 -0
  19. package/src/.agentic-security/scan-history.json +10054 -0
  20. package/src/.agentic-security/streak.json +21 -0
  21. package/src/dataflow/.agentic-security/findings.json +3515 -0
  22. package/src/dataflow/.agentic-security/last-scan.json +3515 -0
  23. package/src/dataflow/.agentic-security/last-scan.json.sig +1 -0
  24. package/src/dataflow/.agentic-security/scan-history.json +702 -0
  25. package/src/dataflow/.agentic-security/streak.json +22 -0
  26. package/src/dataflow/async-sequencing.js +16 -7
  27. package/src/dataflow/builtin-summaries.js +131 -0
  28. package/src/dataflow/catalog.js +107 -0
  29. package/src/dataflow/cross-repo.js +75 -1
  30. package/src/dataflow/engine.js +129 -0
  31. package/src/dataflow/implicit-flow.js +24 -6
  32. package/src/dataflow/stub-aware-filter.js +69 -11
  33. package/src/dataflow/summaries.js +28 -3
  34. package/src/engine-parallel.js +70 -0
  35. package/src/engine.js +165 -15
  36. package/src/ir/.agentic-security/findings.json +3777 -0
  37. package/src/ir/.agentic-security/last-scan.json +3777 -0
  38. package/src/ir/.agentic-security/last-scan.json.sig +1 -0
  39. package/src/ir/.agentic-security/scan-history.json +771 -0
  40. package/src/ir/.agentic-security/streak.json +21 -0
  41. package/src/ir/index.js +22 -1
  42. package/src/ir/parser-go.js +403 -0
  43. package/src/ir/parser-js.js +2 -0
  44. package/src/ir/parser-php.js +330 -0
  45. package/src/ir/parser-py.helper.py +137 -11
  46. package/src/ir/parser-rb.js +309 -0
  47. package/src/posture/.agentic-security/findings.json +51562 -0
  48. package/src/posture/.agentic-security/last-scan.json +51562 -0
  49. package/src/posture/.agentic-security/last-scan.json.sig +1 -0
  50. package/src/posture/.agentic-security/scan-history.json +650 -0
  51. package/src/posture/.agentic-security/streak.json +20 -0
  52. package/src/posture/calibration.js +14 -0
  53. package/src/posture/triage.js +13 -0
  54. package/src/report/.agentic-security/findings.json +80 -0
  55. package/src/report/.agentic-security/last-scan.json +80 -0
  56. package/src/report/.agentic-security/last-scan.json.sig +1 -0
  57. package/src/report/.agentic-security/scan-history.json +35 -0
  58. package/src/report/.agentic-security/streak.json +22 -0
  59. package/src/report/index.js +23 -2
  60. package/src/sast/.agentic-security/findings.json +5190 -0
  61. package/src/sast/.agentic-security/last-scan.json +5190 -0
  62. package/src/sast/.agentic-security/last-scan.json.sig +1 -0
  63. package/src/sast/.agentic-security/scan-history.json +408 -0
  64. package/src/sast/.agentic-security/streak.json +20 -0
  65. package/src/sast/cache-poisoning.js +77 -0
  66. package/src/sast/comparison-safety.js +73 -0
  67. package/src/sast/db-taint.js +54 -0
  68. package/src/sast/graphql.js +127 -0
  69. package/src/sast/llm-stored-prompt.js +57 -0
  70. package/src/sast/mutation-xss.js +43 -0
  71. package/src/sast/nosql-injection.js +5 -0
  72. package/src/sast/null-byte-injection.js +76 -0
  73. package/src/sast/redos-nfa.js +338 -0
  74. package/src/sast/sensitive-data-logging.js +73 -0
  75. package/src/sast/weak-password-hash.js +77 -0
  76. package/src/sast/weak-randomness.js +100 -0
  77. package/src/sca/.agentic-security/findings.json +1587 -0
  78. package/src/sca/.agentic-security/last-scan.json +1587 -0
  79. package/src/sca/.agentic-security/last-scan.json.sig +1 -0
  80. package/src/sca/.agentic-security/scan-history.json +36 -0
  81. package/src/sca/.agentic-security/streak.json +21 -0
  82. package/src/sca/llm-function-extract.js +107 -0
  83. package/src/sca/vendor-detect.js +91 -0
package/src/dataflow/.agentic-security/last-scan.json ADDED
@@ -0,0 +1,3515 @@
1
+ {
2
+ "scanId": "e19aeff8-8736-4df3-9d8d-a4d227edb6b1",
3
+ "startedAt": "2026-05-27T09:30:01.863Z",
4
+ "durationMs": 501,
5
+ "scanned": {
6
+ "files": 28,
7
+ "lines": 0
8
+ },
9
+ "findings": [
10
+ {
11
+ "id": "struct:incremental.js:50:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
12
+ "kind": "sast",
13
+ "severity": "medium",
14
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
15
+ "cwe": "CWE-400",
16
+ "owaspLlm": null,
17
+ "stride": "Denial of Service",
18
+ "file": "incremental.js",
19
+ "line": 50,
20
+ "snippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
21
+ "fix": null,
22
+ "reachable": false,
23
+ "triage": 22,
24
+ "dataClasses": [],
25
+ "chain": null,
26
+ "confidence": 0.212,
27
+ "toxicity": 28,
28
+ "toxicityFactors": [
29
+ "http-facing"
30
+ ],
31
+ "toxicityLabel": "Medium",
32
+ "sources": null,
33
+ "epssScore": null,
34
+ "epssPercentile": null,
35
+ "epssCve": null,
36
+ "exploitedNow": false,
37
+ "tags": null,
38
+ "blastRadius": {
39
+ "scope": "all-users",
40
+ "dataAtRisk": [
41
+ "config"
42
+ ],
43
+ "userCount": 50,
44
+ "industry": "generic",
45
+ "jurisdictions": [],
46
+ "controlsApplied": [],
47
+ "dollarBest": 23250,
48
+ "dollarLikely": 136250,
49
+ "dollarWorst": 775000,
50
+ "dollarLow": 23250,
51
+ "dollarHigh": 775000,
52
+ "components": {
53
+ "incidentResponse": {
54
+ "low": 8000,
55
+ "likely": 50000,
56
+ "high": 250000
57
+ },
58
+ "legal": {
59
+ "low": 10000,
60
+ "likely": 75000,
61
+ "high": 500000
62
+ },
63
+ "crisisPR": {
64
+ "low": 0,
65
+ "likely": 0,
66
+ "high": 0
67
+ },
68
+ "notification": {
69
+ "low": 5000,
70
+ "likely": 10000,
71
+ "high": 15000
72
+ },
73
+ "creditMonitoring": {
74
+ "low": 0,
75
+ "likely": 0,
76
+ "high": 0
77
+ },
78
+ "regulatoryFines": {
79
+ "low": 0,
80
+ "likely": 0,
81
+ "high": 0
82
+ },
83
+ "directDamage": {
84
+ "low": 250,
85
+ "likely": 1250,
86
+ "high": 10000
87
+ },
88
+ "classAction": {
89
+ "low": 0,
90
+ "likely": 0,
91
+ "high": 0
92
+ },
93
+ "lostBusiness": {
94
+ "low": 0,
95
+ "likely": 0,
96
+ "high": 0
97
+ }
98
+ },
99
+ "dominantDriver": "legal counsel",
100
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
101
+ "confidence": "low",
102
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:50` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
103
+ },
104
+ "stableId": "7e2db52a92ce3811",
105
+ "confidenceTier": "very-low",
106
+ "exploitability": 0.2,
107
+ "exploitabilityTier": "low",
108
+ "exploitabilityFactors": [
109
+ "sev:medium",
110
+ "unreachable"
111
+ ],
112
+ "clusterSize": null,
113
+ "unreachable": false,
114
+ "validator_verdict": "unvalidated",
115
+ "llm_confidence": null,
116
+ "unvalidated": true,
117
+ "cross_language": false,
118
+ "family": "dos-sync-io",
119
+ "parser": "STRUCTURAL",
120
+ "_unsigned": false,
121
+ "_passThroughSigning": false,
122
+ "signatureStatus": "verified",
123
+ "regression_test": null,
124
+ "poc": null,
125
+ "calibrated_confidence": null,
126
+ "calibrated_confidence_ci": null,
127
+ "calibrated_n": 0,
128
+ "calibration_reason": "no-history",
129
+ "verifier_verdict": "cannot-verify",
130
+ "verifier_reason": "no-poc-no-sanitizer-rule",
131
+ "verifier_runner": null,
132
+ "narration": null,
133
+ "mitigationVerdict": "unreachable-in-prod",
134
+ "mitigationsApplied": [],
135
+ "mitigatedByWaf": false,
136
+ "wafRuleId": null,
137
+ "mitigatedByAuth": false,
138
+ "authMechanism": null,
139
+ "mitigatedByNetwork": false,
140
+ "networkExposure": null,
141
+ "featureFlag": null,
142
+ "featureFlagState": null,
143
+ "featureFlagRollout": null,
144
+ "exposedInProd": false,
145
+ "unreachableInProd": true,
146
+ "coldPath": false,
147
+ "hotPath": false,
148
+ "prodRequestCount": null,
149
+ "crownJewelScore": 0,
150
+ "crownJewelTier": "unknown",
151
+ "crownJewelFactors": [],
152
+ "cloneClusterId": "bf9643a065f64945",
153
+ "cloneClusterSize": 2,
154
+ "provenance": "human-likely",
155
+ "provenanceScore": 0.22,
156
+ "typeNarrowed": null,
157
+ "strideCategory": "denialOfService",
158
+ "personaScores": {
159
+ "script-kiddie": {
160
+ "score": 0.4,
161
+ "tier": "medium",
162
+ "factors": [
163
+ "sev:medium"
164
+ ]
165
+ },
166
+ "opportunistic-criminal": {
167
+ "score": 0.4,
168
+ "tier": "medium",
169
+ "factors": [
170
+ "sev:medium"
171
+ ]
172
+ },
173
+ "apt-nation-state": {
174
+ "score": 0.4,
175
+ "tier": "medium",
176
+ "factors": [
177
+ "sev:medium"
178
+ ]
179
+ },
180
+ "supply-chain-attacker": {
181
+ "score": 0.4,
182
+ "tier": "medium",
183
+ "factors": [
184
+ "sev:medium"
185
+ ]
186
+ },
187
+ "malicious-insider": {
188
+ "score": 0.4,
189
+ "tier": "medium",
190
+ "factors": [
191
+ "sev:medium"
192
+ ]
193
+ }
194
+ },
195
+ "personaTopTwo": [
196
+ "script-kiddie",
197
+ "opportunistic-criminal"
198
+ ],
199
+ "personaMaxName": "script-kiddie",
200
+ "personaMaxScore": 0.4,
201
+ "reverseExposure": null,
202
+ "specMined": null,
203
+ "whyFired": {
204
+ "detector": "sast/dos-sync-io",
205
+ "ruleId": "CWE-400",
206
+ "parser": "STRUCTURAL",
207
+ "evidence": {
208
+ "sinkSnippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
209
+ "sourceSnippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
210
+ "pathSteps": [],
211
+ "sanitizers": [],
212
+ "guards": []
213
+ },
214
+ "considered": {
215
+ "suppressionsApplied": [],
216
+ "suppressionsSkipped": [],
217
+ "reachabilityFilter": "unaffected",
218
+ "clusterCollapsed": false,
219
+ "typeNarrowed": false,
220
+ "crownJewelTier": "unknown",
221
+ "mitigationVerdict": "unreachable-in-prod"
222
+ },
223
+ "scanner": {
224
+ "rulesetVersion": null,
225
+ "packHash": null,
226
+ "modelId": null
227
+ }
228
+ },
229
+ "adversaryTranscript": null,
230
+ "predictedBountyUsd": {
231
+ "low": 10,
232
+ "likely": 40,
233
+ "high": 120,
234
+ "program": "web2"
235
+ },
236
+ "bountyConfidence": "high",
237
+ "attackPlaybook": null
238
+ },
239
+ {
240
+ "id": "struct:incremental.js:51:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
241
+ "kind": "sast",
242
+ "severity": "medium",
243
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
244
+ "cwe": "CWE-400",
245
+ "owaspLlm": null,
246
+ "stride": "Denial of Service",
247
+ "file": "incremental.js",
248
+ "line": 51,
249
+ "snippet": "const v = JSON.parse(fs.readFileSync(versionFp, 'utf8'));",
250
+ "fix": null,
251
+ "reachable": false,
252
+ "triage": 22,
253
+ "dataClasses": [],
254
+ "chain": null,
255
+ "confidence": 0.212,
256
+ "toxicity": 28,
257
+ "toxicityFactors": [
258
+ "http-facing"
259
+ ],
260
+ "toxicityLabel": "Medium",
261
+ "sources": null,
262
+ "epssScore": null,
263
+ "epssPercentile": null,
264
+ "epssCve": null,
265
+ "exploitedNow": false,
266
+ "tags": null,
267
+ "blastRadius": {
268
+ "scope": "all-users",
269
+ "dataAtRisk": [
270
+ "config"
271
+ ],
272
+ "userCount": 50,
273
+ "industry": "generic",
274
+ "jurisdictions": [],
275
+ "controlsApplied": [],
276
+ "dollarBest": 23250,
277
+ "dollarLikely": 136250,
278
+ "dollarWorst": 775000,
279
+ "dollarLow": 23250,
280
+ "dollarHigh": 775000,
281
+ "components": {
282
+ "incidentResponse": {
283
+ "low": 8000,
284
+ "likely": 50000,
285
+ "high": 250000
286
+ },
287
+ "legal": {
288
+ "low": 10000,
289
+ "likely": 75000,
290
+ "high": 500000
291
+ },
292
+ "crisisPR": {
293
+ "low": 0,
294
+ "likely": 0,
295
+ "high": 0
296
+ },
297
+ "notification": {
298
+ "low": 5000,
299
+ "likely": 10000,
300
+ "high": 15000
301
+ },
302
+ "creditMonitoring": {
303
+ "low": 0,
304
+ "likely": 0,
305
+ "high": 0
306
+ },
307
+ "regulatoryFines": {
308
+ "low": 0,
309
+ "likely": 0,
310
+ "high": 0
311
+ },
312
+ "directDamage": {
313
+ "low": 250,
314
+ "likely": 1250,
315
+ "high": 10000
316
+ },
317
+ "classAction": {
318
+ "low": 0,
319
+ "likely": 0,
320
+ "high": 0
321
+ },
322
+ "lostBusiness": {
323
+ "low": 0,
324
+ "likely": 0,
325
+ "high": 0
326
+ }
327
+ },
328
+ "dominantDriver": "legal counsel",
329
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
330
+ "confidence": "low",
331
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:51` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
332
+ },
333
+ "stableId": "333259288508799a",
334
+ "confidenceTier": "very-low",
335
+ "exploitability": 0.2,
336
+ "exploitabilityTier": "low",
337
+ "exploitabilityFactors": [
338
+ "sev:medium",
339
+ "unreachable"
340
+ ],
341
+ "clusterSize": null,
342
+ "unreachable": false,
343
+ "validator_verdict": "unvalidated",
344
+ "llm_confidence": null,
345
+ "unvalidated": true,
346
+ "cross_language": false,
347
+ "family": "dos-sync-io",
348
+ "parser": "STRUCTURAL",
349
+ "_unsigned": false,
350
+ "_passThroughSigning": false,
351
+ "signatureStatus": "verified",
352
+ "regression_test": null,
353
+ "poc": null,
354
+ "calibrated_confidence": null,
355
+ "calibrated_confidence_ci": null,
356
+ "calibrated_n": 0,
357
+ "calibration_reason": "no-history",
358
+ "verifier_verdict": "cannot-verify",
359
+ "verifier_reason": "no-poc-no-sanitizer-rule",
360
+ "verifier_runner": null,
361
+ "narration": null,
362
+ "mitigationVerdict": "unreachable-in-prod",
363
+ "mitigationsApplied": [],
364
+ "mitigatedByWaf": false,
365
+ "wafRuleId": null,
366
+ "mitigatedByAuth": false,
367
+ "authMechanism": null,
368
+ "mitigatedByNetwork": false,
369
+ "networkExposure": null,
370
+ "featureFlag": null,
371
+ "featureFlagState": null,
372
+ "featureFlagRollout": null,
373
+ "exposedInProd": false,
374
+ "unreachableInProd": true,
375
+ "coldPath": false,
376
+ "hotPath": false,
377
+ "prodRequestCount": null,
378
+ "crownJewelScore": 0,
379
+ "crownJewelTier": "unknown",
380
+ "crownJewelFactors": [],
381
+ "cloneClusterId": "8b60c3f57d48c622",
382
+ "cloneClusterSize": 1,
383
+ "provenance": "human-likely",
384
+ "provenanceScore": 0.22,
385
+ "typeNarrowed": null,
386
+ "strideCategory": "denialOfService",
387
+ "personaScores": {
388
+ "script-kiddie": {
389
+ "score": 0.4,
390
+ "tier": "medium",
391
+ "factors": [
392
+ "sev:medium"
393
+ ]
394
+ },
395
+ "opportunistic-criminal": {
396
+ "score": 0.4,
397
+ "tier": "medium",
398
+ "factors": [
399
+ "sev:medium"
400
+ ]
401
+ },
402
+ "apt-nation-state": {
403
+ "score": 0.4,
404
+ "tier": "medium",
405
+ "factors": [
406
+ "sev:medium"
407
+ ]
408
+ },
409
+ "supply-chain-attacker": {
410
+ "score": 0.4,
411
+ "tier": "medium",
412
+ "factors": [
413
+ "sev:medium"
414
+ ]
415
+ },
416
+ "malicious-insider": {
417
+ "score": 0.4,
418
+ "tier": "medium",
419
+ "factors": [
420
+ "sev:medium"
421
+ ]
422
+ }
423
+ },
424
+ "personaTopTwo": [
425
+ "script-kiddie",
426
+ "opportunistic-criminal"
427
+ ],
428
+ "personaMaxName": "script-kiddie",
429
+ "personaMaxScore": 0.4,
430
+ "reverseExposure": null,
431
+ "specMined": null,
432
+ "whyFired": {
433
+ "detector": "sast/dos-sync-io",
434
+ "ruleId": "CWE-400",
435
+ "parser": "STRUCTURAL",
436
+ "evidence": {
437
+ "sinkSnippet": "const v = JSON.parse(fs.readFileSync(versionFp, 'utf8'));",
438
+ "sourceSnippet": "const v = JSON.parse(fs.readFileSync(versionFp, 'utf8'));",
439
+ "pathSteps": [],
440
+ "sanitizers": [],
441
+ "guards": []
442
+ },
443
+ "considered": {
444
+ "suppressionsApplied": [],
445
+ "suppressionsSkipped": [],
446
+ "reachabilityFilter": "unaffected",
447
+ "clusterCollapsed": false,
448
+ "typeNarrowed": false,
449
+ "crownJewelTier": "unknown",
450
+ "mitigationVerdict": "unreachable-in-prod"
451
+ },
452
+ "scanner": {
453
+ "rulesetVersion": null,
454
+ "packHash": null,
455
+ "modelId": null
456
+ }
457
+ },
458
+ "adversaryTranscript": null,
459
+ "predictedBountyUsd": {
460
+ "low": 10,
461
+ "likely": 40,
462
+ "high": 120,
463
+ "program": "web2"
464
+ },
465
+ "bountyConfidence": "high",
466
+ "attackPlaybook": null
467
+ },
468
+ {
469
+ "id": "struct:incremental.js:68:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
470
+ "kind": "sast",
471
+ "severity": "medium",
472
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
473
+ "cwe": "CWE-400",
474
+ "owaspLlm": null,
475
+ "stride": "Denial of Service",
476
+ "file": "incremental.js",
477
+ "line": 68,
478
+ "snippet": "if (!fs.existsSync(fp)) return fallback;",
479
+ "fix": null,
480
+ "reachable": false,
481
+ "triage": 22,
482
+ "dataClasses": [],
483
+ "chain": null,
484
+ "confidence": 0.212,
485
+ "toxicity": 28,
486
+ "toxicityFactors": [
487
+ "http-facing"
488
+ ],
489
+ "toxicityLabel": "Medium",
490
+ "sources": null,
491
+ "epssScore": null,
492
+ "epssPercentile": null,
493
+ "epssCve": null,
494
+ "exploitedNow": false,
495
+ "tags": null,
496
+ "blastRadius": {
497
+ "scope": "all-users",
498
+ "dataAtRisk": [
499
+ "config"
500
+ ],
501
+ "userCount": 50,
502
+ "industry": "generic",
503
+ "jurisdictions": [],
504
+ "controlsApplied": [],
505
+ "dollarBest": 23250,
506
+ "dollarLikely": 136250,
507
+ "dollarWorst": 775000,
508
+ "dollarLow": 23250,
509
+ "dollarHigh": 775000,
510
+ "components": {
511
+ "incidentResponse": {
512
+ "low": 8000,
513
+ "likely": 50000,
514
+ "high": 250000
515
+ },
516
+ "legal": {
517
+ "low": 10000,
518
+ "likely": 75000,
519
+ "high": 500000
520
+ },
521
+ "crisisPR": {
522
+ "low": 0,
523
+ "likely": 0,
524
+ "high": 0
525
+ },
526
+ "notification": {
527
+ "low": 5000,
528
+ "likely": 10000,
529
+ "high": 15000
530
+ },
531
+ "creditMonitoring": {
532
+ "low": 0,
533
+ "likely": 0,
534
+ "high": 0
535
+ },
536
+ "regulatoryFines": {
537
+ "low": 0,
538
+ "likely": 0,
539
+ "high": 0
540
+ },
541
+ "directDamage": {
542
+ "low": 250,
543
+ "likely": 1250,
544
+ "high": 10000
545
+ },
546
+ "classAction": {
547
+ "low": 0,
548
+ "likely": 0,
549
+ "high": 0
550
+ },
551
+ "lostBusiness": {
552
+ "low": 0,
553
+ "likely": 0,
554
+ "high": 0
555
+ }
556
+ },
557
+ "dominantDriver": "legal counsel",
558
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
559
+ "confidence": "low",
560
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:68` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
561
+ },
562
+ "stableId": "6862d6baf0b923f7",
563
+ "confidenceTier": "very-low",
564
+ "exploitability": 0.2,
565
+ "exploitabilityTier": "low",
566
+ "exploitabilityFactors": [
567
+ "sev:medium",
568
+ "unreachable"
569
+ ],
570
+ "clusterSize": null,
571
+ "unreachable": false,
572
+ "validator_verdict": "unvalidated",
573
+ "llm_confidence": null,
574
+ "unvalidated": true,
575
+ "cross_language": false,
576
+ "family": "dos-sync-io",
577
+ "parser": "STRUCTURAL",
578
+ "_unsigned": false,
579
+ "_passThroughSigning": false,
580
+ "signatureStatus": "verified",
581
+ "regression_test": null,
582
+ "poc": null,
583
+ "calibrated_confidence": null,
584
+ "calibrated_confidence_ci": null,
585
+ "calibrated_n": 0,
586
+ "calibration_reason": "no-history",
587
+ "verifier_verdict": "cannot-verify",
588
+ "verifier_reason": "no-poc-no-sanitizer-rule",
589
+ "verifier_runner": null,
590
+ "narration": null,
591
+ "mitigationVerdict": "unreachable-in-prod",
592
+ "mitigationsApplied": [],
593
+ "mitigatedByWaf": false,
594
+ "wafRuleId": null,
595
+ "mitigatedByAuth": false,
596
+ "authMechanism": null,
597
+ "mitigatedByNetwork": false,
598
+ "networkExposure": null,
599
+ "featureFlag": null,
600
+ "featureFlagState": null,
601
+ "featureFlagRollout": null,
602
+ "exposedInProd": false,
603
+ "unreachableInProd": true,
604
+ "coldPath": false,
605
+ "hotPath": false,
606
+ "prodRequestCount": null,
607
+ "crownJewelScore": 0,
608
+ "crownJewelTier": "unknown",
609
+ "crownJewelFactors": [],
610
+ "cloneClusterId": "39f1d6db55cace1d",
611
+ "cloneClusterSize": 2,
612
+ "provenance": "human-likely",
613
+ "provenanceScore": 0.22,
614
+ "typeNarrowed": null,
615
+ "strideCategory": "denialOfService",
616
+ "personaScores": {
617
+ "script-kiddie": {
618
+ "score": 0.4,
619
+ "tier": "medium",
620
+ "factors": [
621
+ "sev:medium"
622
+ ]
623
+ },
624
+ "opportunistic-criminal": {
625
+ "score": 0.4,
626
+ "tier": "medium",
627
+ "factors": [
628
+ "sev:medium"
629
+ ]
630
+ },
631
+ "apt-nation-state": {
632
+ "score": 0.4,
633
+ "tier": "medium",
634
+ "factors": [
635
+ "sev:medium"
636
+ ]
637
+ },
638
+ "supply-chain-attacker": {
639
+ "score": 0.4,
640
+ "tier": "medium",
641
+ "factors": [
642
+ "sev:medium"
643
+ ]
644
+ },
645
+ "malicious-insider": {
646
+ "score": 0.4,
647
+ "tier": "medium",
648
+ "factors": [
649
+ "sev:medium"
650
+ ]
651
+ }
652
+ },
653
+ "personaTopTwo": [
654
+ "script-kiddie",
655
+ "opportunistic-criminal"
656
+ ],
657
+ "personaMaxName": "script-kiddie",
658
+ "personaMaxScore": 0.4,
659
+ "reverseExposure": null,
660
+ "specMined": null,
661
+ "whyFired": {
662
+ "detector": "sast/dos-sync-io",
663
+ "ruleId": "CWE-400",
664
+ "parser": "STRUCTURAL",
665
+ "evidence": {
666
+ "sinkSnippet": "if (!fs.existsSync(fp)) return fallback;",
667
+ "sourceSnippet": "if (!fs.existsSync(fp)) return fallback;",
668
+ "pathSteps": [],
669
+ "sanitizers": [],
670
+ "guards": []
671
+ },
672
+ "considered": {
673
+ "suppressionsApplied": [],
674
+ "suppressionsSkipped": [],
675
+ "reachabilityFilter": "unaffected",
676
+ "clusterCollapsed": false,
677
+ "typeNarrowed": false,
678
+ "crownJewelTier": "unknown",
679
+ "mitigationVerdict": "unreachable-in-prod"
680
+ },
681
+ "scanner": {
682
+ "rulesetVersion": null,
683
+ "packHash": null,
684
+ "modelId": null
685
+ }
686
+ },
687
+ "adversaryTranscript": null,
688
+ "predictedBountyUsd": {
689
+ "low": 10,
690
+ "likely": 40,
691
+ "high": 120,
692
+ "program": "web2"
693
+ },
694
+ "bountyConfidence": "high",
695
+ "attackPlaybook": null
696
+ },
697
+ {
698
+ "id": "struct:incremental.js:69:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
699
+ "kind": "sast",
700
+ "severity": "medium",
701
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
702
+ "cwe": "CWE-400",
703
+ "owaspLlm": null,
704
+ "stride": "Denial of Service",
705
+ "file": "incremental.js",
706
+ "line": 69,
707
+ "snippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
708
+ "fix": null,
709
+ "reachable": false,
710
+ "triage": 22,
711
+ "dataClasses": [],
712
+ "chain": null,
713
+ "confidence": 0.212,
714
+ "toxicity": 28,
715
+ "toxicityFactors": [
716
+ "http-facing"
717
+ ],
718
+ "toxicityLabel": "Medium",
719
+ "sources": null,
720
+ "epssScore": null,
721
+ "epssPercentile": null,
722
+ "epssCve": null,
723
+ "exploitedNow": false,
724
+ "tags": null,
725
+ "blastRadius": {
726
+ "scope": "all-users",
727
+ "dataAtRisk": [
728
+ "config"
729
+ ],
730
+ "userCount": 50,
731
+ "industry": "generic",
732
+ "jurisdictions": [],
733
+ "controlsApplied": [],
734
+ "dollarBest": 23250,
735
+ "dollarLikely": 136250,
736
+ "dollarWorst": 775000,
737
+ "dollarLow": 23250,
738
+ "dollarHigh": 775000,
739
+ "components": {
740
+ "incidentResponse": {
741
+ "low": 8000,
742
+ "likely": 50000,
743
+ "high": 250000
744
+ },
745
+ "legal": {
746
+ "low": 10000,
747
+ "likely": 75000,
748
+ "high": 500000
749
+ },
750
+ "crisisPR": {
751
+ "low": 0,
752
+ "likely": 0,
753
+ "high": 0
754
+ },
755
+ "notification": {
756
+ "low": 5000,
757
+ "likely": 10000,
758
+ "high": 15000
759
+ },
760
+ "creditMonitoring": {
761
+ "low": 0,
762
+ "likely": 0,
763
+ "high": 0
764
+ },
765
+ "regulatoryFines": {
766
+ "low": 0,
767
+ "likely": 0,
768
+ "high": 0
769
+ },
770
+ "directDamage": {
771
+ "low": 250,
772
+ "likely": 1250,
773
+ "high": 10000
774
+ },
775
+ "classAction": {
776
+ "low": 0,
777
+ "likely": 0,
778
+ "high": 0
779
+ },
780
+ "lostBusiness": {
781
+ "low": 0,
782
+ "likely": 0,
783
+ "high": 0
784
+ }
785
+ },
786
+ "dominantDriver": "legal counsel",
787
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
788
+ "confidence": "low",
789
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:69` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
790
+ },
791
+ "stableId": "7314934acc70477c",
792
+ "confidenceTier": "very-low",
793
+ "exploitability": 0.2,
794
+ "exploitabilityTier": "low",
795
+ "exploitabilityFactors": [
796
+ "sev:medium",
797
+ "unreachable"
798
+ ],
799
+ "clusterSize": null,
800
+ "unreachable": false,
801
+ "validator_verdict": "unvalidated",
802
+ "llm_confidence": null,
803
+ "unvalidated": true,
804
+ "cross_language": false,
805
+ "family": "dos-sync-io",
806
+ "parser": "STRUCTURAL",
807
+ "_unsigned": false,
808
+ "_passThroughSigning": false,
809
+ "signatureStatus": "verified",
810
+ "regression_test": null,
811
+ "poc": null,
812
+ "calibrated_confidence": null,
813
+ "calibrated_confidence_ci": null,
814
+ "calibrated_n": 0,
815
+ "calibration_reason": "no-history",
816
+ "verifier_verdict": "cannot-verify",
817
+ "verifier_reason": "no-poc-no-sanitizer-rule",
818
+ "verifier_runner": null,
819
+ "narration": null,
820
+ "mitigationVerdict": "unreachable-in-prod",
821
+ "mitigationsApplied": [],
822
+ "mitigatedByWaf": false,
823
+ "wafRuleId": null,
824
+ "mitigatedByAuth": false,
825
+ "authMechanism": null,
826
+ "mitigatedByNetwork": false,
827
+ "networkExposure": null,
828
+ "featureFlag": null,
829
+ "featureFlagState": null,
830
+ "featureFlagRollout": null,
831
+ "exposedInProd": false,
832
+ "unreachableInProd": true,
833
+ "coldPath": false,
834
+ "hotPath": false,
835
+ "prodRequestCount": null,
836
+ "crownJewelScore": 0,
837
+ "crownJewelTier": "unknown",
838
+ "crownJewelFactors": [],
839
+ "cloneClusterId": "b8a597058e30c50c",
840
+ "cloneClusterSize": 1,
841
+ "provenance": "human-likely",
842
+ "provenanceScore": 0.22,
843
+ "typeNarrowed": null,
844
+ "strideCategory": "denialOfService",
845
+ "personaScores": {
846
+ "script-kiddie": {
847
+ "score": 0.4,
848
+ "tier": "medium",
849
+ "factors": [
850
+ "sev:medium"
851
+ ]
852
+ },
853
+ "opportunistic-criminal": {
854
+ "score": 0.4,
855
+ "tier": "medium",
856
+ "factors": [
857
+ "sev:medium"
858
+ ]
859
+ },
860
+ "apt-nation-state": {
861
+ "score": 0.4,
862
+ "tier": "medium",
863
+ "factors": [
864
+ "sev:medium"
865
+ ]
866
+ },
867
+ "supply-chain-attacker": {
868
+ "score": 0.4,
869
+ "tier": "medium",
870
+ "factors": [
871
+ "sev:medium"
872
+ ]
873
+ },
874
+ "malicious-insider": {
875
+ "score": 0.4,
876
+ "tier": "medium",
877
+ "factors": [
878
+ "sev:medium"
879
+ ]
880
+ }
881
+ },
882
+ "personaTopTwo": [
883
+ "script-kiddie",
884
+ "opportunistic-criminal"
885
+ ],
886
+ "personaMaxName": "script-kiddie",
887
+ "personaMaxScore": 0.4,
888
+ "reverseExposure": null,
889
+ "specMined": null,
890
+ "whyFired": {
891
+ "detector": "sast/dos-sync-io",
892
+ "ruleId": "CWE-400",
893
+ "parser": "STRUCTURAL",
894
+ "evidence": {
895
+ "sinkSnippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
896
+ "sourceSnippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
897
+ "pathSteps": [],
898
+ "sanitizers": [],
899
+ "guards": []
900
+ },
901
+ "considered": {
902
+ "suppressionsApplied": [],
903
+ "suppressionsSkipped": [],
904
+ "reachabilityFilter": "unaffected",
905
+ "clusterCollapsed": false,
906
+ "typeNarrowed": false,
907
+ "crownJewelTier": "unknown",
908
+ "mitigationVerdict": "unreachable-in-prod"
909
+ },
910
+ "scanner": {
911
+ "rulesetVersion": null,
912
+ "packHash": null,
913
+ "modelId": null
914
+ }
915
+ },
916
+ "adversaryTranscript": null,
917
+ "predictedBountyUsd": {
918
+ "low": 10,
919
+ "likely": 40,
920
+ "high": 120,
921
+ "program": "web2"
922
+ },
923
+ "bountyConfidence": "high",
924
+ "attackPlaybook": null
925
+ },
926
+ {
927
+ "id": "struct:incremental.js:203:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
928
+ "kind": "sast",
929
+ "severity": "medium",
930
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
931
+ "cwe": "CWE-400",
932
+ "owaspLlm": null,
933
+ "stride": "Denial of Service",
934
+ "file": "incremental.js",
935
+ "line": 203,
936
+ "snippet": "fs.writeFileSync(path.join(dir, VERSION_PATH), JSON.stringify(currentVersion, null, 2));",
937
+ "fix": null,
938
+ "reachable": false,
939
+ "triage": 22,
940
+ "dataClasses": [],
941
+ "chain": null,
942
+ "confidence": 0.212,
943
+ "toxicity": 28,
944
+ "toxicityFactors": [
945
+ "http-facing"
946
+ ],
947
+ "toxicityLabel": "Medium",
948
+ "sources": null,
949
+ "epssScore": null,
950
+ "epssPercentile": null,
951
+ "epssCve": null,
952
+ "exploitedNow": false,
953
+ "tags": null,
954
+ "blastRadius": {
955
+ "scope": "all-users",
956
+ "dataAtRisk": [
957
+ "config"
958
+ ],
959
+ "userCount": 50,
960
+ "industry": "generic",
961
+ "jurisdictions": [],
962
+ "controlsApplied": [],
963
+ "dollarBest": 23250,
964
+ "dollarLikely": 136250,
965
+ "dollarWorst": 775000,
966
+ "dollarLow": 23250,
967
+ "dollarHigh": 775000,
968
+ "components": {
969
+ "incidentResponse": {
970
+ "low": 8000,
971
+ "likely": 50000,
972
+ "high": 250000
973
+ },
974
+ "legal": {
975
+ "low": 10000,
976
+ "likely": 75000,
977
+ "high": 500000
978
+ },
979
+ "crisisPR": {
980
+ "low": 0,
981
+ "likely": 0,
982
+ "high": 0
983
+ },
984
+ "notification": {
985
+ "low": 5000,
986
+ "likely": 10000,
987
+ "high": 15000
988
+ },
989
+ "creditMonitoring": {
990
+ "low": 0,
991
+ "likely": 0,
992
+ "high": 0
993
+ },
994
+ "regulatoryFines": {
995
+ "low": 0,
996
+ "likely": 0,
997
+ "high": 0
998
+ },
999
+ "directDamage": {
1000
+ "low": 250,
1001
+ "likely": 1250,
1002
+ "high": 10000
1003
+ },
1004
+ "classAction": {
1005
+ "low": 0,
1006
+ "likely": 0,
1007
+ "high": 0
1008
+ },
1009
+ "lostBusiness": {
1010
+ "low": 0,
1011
+ "likely": 0,
1012
+ "high": 0
1013
+ }
1014
+ },
1015
+ "dominantDriver": "legal counsel",
1016
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1017
+ "confidence": "low",
1018
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:203` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1019
+ },
1020
+ "stableId": "71f79aead6c815a7",
1021
+ "confidenceTier": "very-low",
1022
+ "exploitability": 0.2,
1023
+ "exploitabilityTier": "low",
1024
+ "exploitabilityFactors": [
1025
+ "sev:medium",
1026
+ "unreachable"
1027
+ ],
1028
+ "clusterSize": null,
1029
+ "unreachable": false,
1030
+ "validator_verdict": "unvalidated",
1031
+ "llm_confidence": null,
1032
+ "unvalidated": true,
1033
+ "cross_language": false,
1034
+ "family": "dos-sync-io",
1035
+ "parser": "STRUCTURAL",
1036
+ "_unsigned": false,
1037
+ "_passThroughSigning": false,
1038
+ "signatureStatus": "verified",
1039
+ "regression_test": null,
1040
+ "poc": null,
1041
+ "calibrated_confidence": null,
1042
+ "calibrated_confidence_ci": null,
1043
+ "calibrated_n": 0,
1044
+ "calibration_reason": "no-history",
1045
+ "verifier_verdict": "cannot-verify",
1046
+ "verifier_reason": "no-poc-no-sanitizer-rule",
1047
+ "verifier_runner": null,
1048
+ "narration": null,
1049
+ "mitigationVerdict": "unreachable-in-prod",
1050
+ "mitigationsApplied": [],
1051
+ "mitigatedByWaf": false,
1052
+ "wafRuleId": null,
1053
+ "mitigatedByAuth": false,
1054
+ "authMechanism": null,
1055
+ "mitigatedByNetwork": false,
1056
+ "networkExposure": null,
1057
+ "featureFlag": null,
1058
+ "featureFlagState": null,
1059
+ "featureFlagRollout": null,
1060
+ "exposedInProd": false,
1061
+ "unreachableInProd": true,
1062
+ "coldPath": false,
1063
+ "hotPath": false,
1064
+ "prodRequestCount": null,
1065
+ "crownJewelScore": 0,
1066
+ "crownJewelTier": "unknown",
1067
+ "crownJewelFactors": [],
1068
+ "cloneClusterId": "347295aac188671b",
1069
+ "cloneClusterSize": 1,
1070
+ "provenance": "human-likely",
1071
+ "provenanceScore": 0.22,
1072
+ "typeNarrowed": null,
1073
+ "strideCategory": "denialOfService",
1074
+ "personaScores": {
1075
+ "script-kiddie": {
1076
+ "score": 0.4,
1077
+ "tier": "medium",
1078
+ "factors": [
1079
+ "sev:medium"
1080
+ ]
1081
+ },
1082
+ "opportunistic-criminal": {
1083
+ "score": 0.4,
1084
+ "tier": "medium",
1085
+ "factors": [
1086
+ "sev:medium"
1087
+ ]
1088
+ },
1089
+ "apt-nation-state": {
1090
+ "score": 0.4,
1091
+ "tier": "medium",
1092
+ "factors": [
1093
+ "sev:medium"
1094
+ ]
1095
+ },
1096
+ "supply-chain-attacker": {
1097
+ "score": 0.4,
1098
+ "tier": "medium",
1099
+ "factors": [
1100
+ "sev:medium"
1101
+ ]
1102
+ },
1103
+ "malicious-insider": {
1104
+ "score": 0.4,
1105
+ "tier": "medium",
1106
+ "factors": [
1107
+ "sev:medium"
1108
+ ]
1109
+ }
1110
+ },
1111
+ "personaTopTwo": [
1112
+ "script-kiddie",
1113
+ "opportunistic-criminal"
1114
+ ],
1115
+ "personaMaxName": "script-kiddie",
1116
+ "personaMaxScore": 0.4,
1117
+ "reverseExposure": null,
1118
+ "specMined": null,
1119
+ "whyFired": {
1120
+ "detector": "sast/dos-sync-io",
1121
+ "ruleId": "CWE-400",
1122
+ "parser": "STRUCTURAL",
1123
+ "evidence": {
1124
+ "sinkSnippet": "fs.writeFileSync(path.join(dir, VERSION_PATH), JSON.stringify(currentVersion, null, 2));",
1125
+ "sourceSnippet": "fs.writeFileSync(path.join(dir, VERSION_PATH), JSON.stringify(currentVersion, null, 2));",
1126
+ "pathSteps": [],
1127
+ "sanitizers": [],
1128
+ "guards": []
1129
+ },
1130
+ "considered": {
1131
+ "suppressionsApplied": [],
1132
+ "suppressionsSkipped": [],
1133
+ "reachabilityFilter": "unaffected",
1134
+ "clusterCollapsed": false,
1135
+ "typeNarrowed": false,
1136
+ "crownJewelTier": "unknown",
1137
+ "mitigationVerdict": "unreachable-in-prod"
1138
+ },
1139
+ "scanner": {
1140
+ "rulesetVersion": null,
1141
+ "packHash": null,
1142
+ "modelId": null
1143
+ }
1144
+ },
1145
+ "adversaryTranscript": null,
1146
+ "predictedBountyUsd": {
1147
+ "low": 10,
1148
+ "likely": 40,
1149
+ "high": 120,
1150
+ "program": "web2"
1151
+ },
1152
+ "bountyConfidence": "high",
1153
+ "attackPlaybook": null
1154
+ },
1155
+ {
1156
+ "id": "struct:incremental.js:204:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1157
+ "kind": "sast",
1158
+ "severity": "medium",
1159
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1160
+ "cwe": "CWE-400",
1161
+ "owaspLlm": null,
1162
+ "stride": "Denial of Service",
1163
+ "file": "incremental.js",
1164
+ "line": 204,
1165
+ "snippet": "fs.writeFileSync(path.join(dir, FILES_PATH), JSON.stringify(state.files || {}, null, 2));",
1166
+ "fix": null,
1167
+ "reachable": false,
1168
+ "triage": 22,
1169
+ "dataClasses": [],
1170
+ "chain": null,
1171
+ "confidence": 0.212,
1172
+ "toxicity": 28,
1173
+ "toxicityFactors": [
1174
+ "http-facing"
1175
+ ],
1176
+ "toxicityLabel": "Medium",
1177
+ "sources": null,
1178
+ "epssScore": null,
1179
+ "epssPercentile": null,
1180
+ "epssCve": null,
1181
+ "exploitedNow": false,
1182
+ "tags": null,
1183
+ "blastRadius": {
1184
+ "scope": "all-users",
1185
+ "dataAtRisk": [
1186
+ "config"
1187
+ ],
1188
+ "userCount": 50,
1189
+ "industry": "generic",
1190
+ "jurisdictions": [],
1191
+ "controlsApplied": [],
1192
+ "dollarBest": 23250,
1193
+ "dollarLikely": 136250,
1194
+ "dollarWorst": 775000,
1195
+ "dollarLow": 23250,
1196
+ "dollarHigh": 775000,
1197
+ "components": {
1198
+ "incidentResponse": {
1199
+ "low": 8000,
1200
+ "likely": 50000,
1201
+ "high": 250000
1202
+ },
1203
+ "legal": {
1204
+ "low": 10000,
1205
+ "likely": 75000,
1206
+ "high": 500000
1207
+ },
1208
+ "crisisPR": {
1209
+ "low": 0,
1210
+ "likely": 0,
1211
+ "high": 0
1212
+ },
1213
+ "notification": {
1214
+ "low": 5000,
1215
+ "likely": 10000,
1216
+ "high": 15000
1217
+ },
1218
+ "creditMonitoring": {
1219
+ "low": 0,
1220
+ "likely": 0,
1221
+ "high": 0
1222
+ },
1223
+ "regulatoryFines": {
1224
+ "low": 0,
1225
+ "likely": 0,
1226
+ "high": 0
1227
+ },
1228
+ "directDamage": {
1229
+ "low": 250,
1230
+ "likely": 1250,
1231
+ "high": 10000
1232
+ },
1233
+ "classAction": {
1234
+ "low": 0,
1235
+ "likely": 0,
1236
+ "high": 0
1237
+ },
1238
+ "lostBusiness": {
1239
+ "low": 0,
1240
+ "likely": 0,
1241
+ "high": 0
1242
+ }
1243
+ },
1244
+ "dominantDriver": "legal counsel",
1245
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1246
+ "confidence": "low",
1247
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:204` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1248
+ },
1249
+ "stableId": "16f0befb55d2a11a",
1250
+ "confidenceTier": "very-low",
1251
+ "exploitability": 0.2,
1252
+ "exploitabilityTier": "low",
1253
+ "exploitabilityFactors": [
1254
+ "sev:medium",
1255
+ "unreachable"
1256
+ ],
1257
+ "clusterSize": null,
1258
+ "unreachable": false,
1259
+ "validator_verdict": "unvalidated",
1260
+ "llm_confidence": null,
1261
+ "unvalidated": true,
1262
+ "cross_language": false,
1263
+ "family": "dos-sync-io",
1264
+ "parser": "STRUCTURAL",
1265
+ "_unsigned": false,
1266
+ "_passThroughSigning": false,
1267
+ "signatureStatus": "verified",
1268
+ "regression_test": null,
1269
+ "poc": null,
1270
+ "calibrated_confidence": null,
1271
+ "calibrated_confidence_ci": null,
1272
+ "calibrated_n": 0,
1273
+ "calibration_reason": "no-history",
1274
+ "verifier_verdict": "cannot-verify",
1275
+ "verifier_reason": "no-poc-no-sanitizer-rule",
1276
+ "verifier_runner": null,
1277
+ "narration": null,
1278
+ "mitigationVerdict": "unreachable-in-prod",
1279
+ "mitigationsApplied": [],
1280
+ "mitigatedByWaf": false,
1281
+ "wafRuleId": null,
1282
+ "mitigatedByAuth": false,
1283
+ "authMechanism": null,
1284
+ "mitigatedByNetwork": false,
1285
+ "networkExposure": null,
1286
+ "featureFlag": null,
1287
+ "featureFlagState": null,
1288
+ "featureFlagRollout": null,
1289
+ "exposedInProd": false,
1290
+ "unreachableInProd": true,
1291
+ "coldPath": false,
1292
+ "hotPath": false,
1293
+ "prodRequestCount": null,
1294
+ "crownJewelScore": 0,
1295
+ "crownJewelTier": "unknown",
1296
+ "crownJewelFactors": [],
1297
+ "cloneClusterId": "cd20f49000f1b531",
1298
+ "cloneClusterSize": 1,
1299
+ "provenance": "human-likely",
1300
+ "provenanceScore": 0.22,
1301
+ "typeNarrowed": null,
1302
+ "strideCategory": "denialOfService",
1303
+ "personaScores": {
1304
+ "script-kiddie": {
1305
+ "score": 0.4,
1306
+ "tier": "medium",
1307
+ "factors": [
1308
+ "sev:medium"
1309
+ ]
1310
+ },
1311
+ "opportunistic-criminal": {
1312
+ "score": 0.4,
1313
+ "tier": "medium",
1314
+ "factors": [
1315
+ "sev:medium"
1316
+ ]
1317
+ },
1318
+ "apt-nation-state": {
1319
+ "score": 0.4,
1320
+ "tier": "medium",
1321
+ "factors": [
1322
+ "sev:medium"
1323
+ ]
1324
+ },
1325
+ "supply-chain-attacker": {
1326
+ "score": 0.4,
1327
+ "tier": "medium",
1328
+ "factors": [
1329
+ "sev:medium"
1330
+ ]
1331
+ },
1332
+ "malicious-insider": {
1333
+ "score": 0.4,
1334
+ "tier": "medium",
1335
+ "factors": [
1336
+ "sev:medium"
1337
+ ]
1338
+ }
1339
+ },
1340
+ "personaTopTwo": [
1341
+ "script-kiddie",
1342
+ "opportunistic-criminal"
1343
+ ],
1344
+ "personaMaxName": "script-kiddie",
1345
+ "personaMaxScore": 0.4,
1346
+ "reverseExposure": null,
1347
+ "specMined": null,
1348
+ "whyFired": {
1349
+ "detector": "sast/dos-sync-io",
1350
+ "ruleId": "CWE-400",
1351
+ "parser": "STRUCTURAL",
1352
+ "evidence": {
1353
+ "sinkSnippet": "fs.writeFileSync(path.join(dir, FILES_PATH), JSON.stringify(state.files || {}, null, 2));",
1354
+ "sourceSnippet": "fs.writeFileSync(path.join(dir, FILES_PATH), JSON.stringify(state.files || {}, null, 2));",
1355
+ "pathSteps": [],
1356
+ "sanitizers": [],
1357
+ "guards": []
1358
+ },
1359
+ "considered": {
1360
+ "suppressionsApplied": [],
1361
+ "suppressionsSkipped": [],
1362
+ "reachabilityFilter": "unaffected",
1363
+ "clusterCollapsed": false,
1364
+ "typeNarrowed": false,
1365
+ "crownJewelTier": "unknown",
1366
+ "mitigationVerdict": "unreachable-in-prod"
1367
+ },
1368
+ "scanner": {
1369
+ "rulesetVersion": null,
1370
+ "packHash": null,
1371
+ "modelId": null
1372
+ }
1373
+ },
1374
+ "adversaryTranscript": null,
1375
+ "predictedBountyUsd": {
1376
+ "low": 10,
1377
+ "likely": 40,
1378
+ "high": 120,
1379
+ "program": "web2"
1380
+ },
1381
+ "bountyConfidence": "high",
1382
+ "attackPlaybook": null
1383
+ },
1384
+ {
1385
+ "id": "struct:incremental.js:209:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1386
+ "kind": "sast",
1387
+ "severity": "medium",
1388
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1389
+ "cwe": "CWE-400",
1390
+ "owaspLlm": null,
1391
+ "stride": "Denial of Service",
1392
+ "file": "incremental.js",
1393
+ "line": 209,
1394
+ "snippet": "fs.writeFileSync(path.join(dir, SUMMARIES_PATH), JSON.stringify(payload));",
1395
+ "fix": null,
1396
+ "reachable": false,
1397
+ "triage": 22,
1398
+ "dataClasses": [],
1399
+ "chain": null,
1400
+ "confidence": 0.212,
1401
+ "toxicity": 28,
1402
+ "toxicityFactors": [
1403
+ "http-facing"
1404
+ ],
1405
+ "toxicityLabel": "Medium",
1406
+ "sources": null,
1407
+ "epssScore": null,
1408
+ "epssPercentile": null,
1409
+ "epssCve": null,
1410
+ "exploitedNow": false,
1411
+ "tags": null,
1412
+ "blastRadius": {
1413
+ "scope": "all-users",
1414
+ "dataAtRisk": [
1415
+ "config"
1416
+ ],
1417
+ "userCount": 50,
1418
+ "industry": "generic",
1419
+ "jurisdictions": [],
1420
+ "controlsApplied": [],
1421
+ "dollarBest": 23250,
1422
+ "dollarLikely": 136250,
1423
+ "dollarWorst": 775000,
1424
+ "dollarLow": 23250,
1425
+ "dollarHigh": 775000,
1426
+ "components": {
1427
+ "incidentResponse": {
1428
+ "low": 8000,
1429
+ "likely": 50000,
1430
+ "high": 250000
1431
+ },
1432
+ "legal": {
1433
+ "low": 10000,
1434
+ "likely": 75000,
1435
+ "high": 500000
1436
+ },
1437
+ "crisisPR": {
1438
+ "low": 0,
1439
+ "likely": 0,
1440
+ "high": 0
1441
+ },
1442
+ "notification": {
1443
+ "low": 5000,
1444
+ "likely": 10000,
1445
+ "high": 15000
1446
+ },
1447
+ "creditMonitoring": {
1448
+ "low": 0,
1449
+ "likely": 0,
1450
+ "high": 0
1451
+ },
1452
+ "regulatoryFines": {
1453
+ "low": 0,
1454
+ "likely": 0,
1455
+ "high": 0
1456
+ },
1457
+ "directDamage": {
1458
+ "low": 250,
1459
+ "likely": 1250,
1460
+ "high": 10000
1461
+ },
1462
+ "classAction": {
1463
+ "low": 0,
1464
+ "likely": 0,
1465
+ "high": 0
1466
+ },
1467
+ "lostBusiness": {
1468
+ "low": 0,
1469
+ "likely": 0,
1470
+ "high": 0
1471
+ }
1472
+ },
1473
+ "dominantDriver": "legal counsel",
1474
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1475
+ "confidence": "low",
1476
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:209` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1477
+ },
1478
+ "stableId": "b6ab9f0eaa3c75e0",
1479
+ "confidenceTier": "very-low",
1480
+ "exploitability": 0.2,
1481
+ "exploitabilityTier": "low",
1482
+ "exploitabilityFactors": [
1483
+ "sev:medium",
1484
+ "unreachable"
1485
+ ],
1486
+ "clusterSize": null,
1487
+ "unreachable": false,
1488
+ "validator_verdict": "unvalidated",
1489
+ "llm_confidence": null,
1490
+ "unvalidated": true,
1491
+ "cross_language": false,
1492
+ "family": "dos-sync-io",
1493
+ "parser": "STRUCTURAL",
1494
+ "_unsigned": false,
1495
+ "_passThroughSigning": false,
1496
+ "signatureStatus": "verified",
1497
+ "regression_test": null,
1498
+ "poc": null,
1499
+ "calibrated_confidence": null,
1500
+ "calibrated_confidence_ci": null,
1501
+ "calibrated_n": 0,
1502
+ "calibration_reason": "no-history",
1503
+ "verifier_verdict": "cannot-verify",
1504
+ "verifier_reason": "no-poc-no-sanitizer-rule",
1505
+ "verifier_runner": null,
1506
+ "narration": null,
1507
+ "mitigationVerdict": "unreachable-in-prod",
1508
+ "mitigationsApplied": [],
1509
+ "mitigatedByWaf": false,
1510
+ "wafRuleId": null,
1511
+ "mitigatedByAuth": false,
1512
+ "authMechanism": null,
1513
+ "mitigatedByNetwork": false,
1514
+ "networkExposure": null,
1515
+ "featureFlag": null,
1516
+ "featureFlagState": null,
1517
+ "featureFlagRollout": null,
1518
+ "exposedInProd": false,
1519
+ "unreachableInProd": true,
1520
+ "coldPath": false,
1521
+ "hotPath": false,
1522
+ "prodRequestCount": null,
1523
+ "crownJewelScore": 0,
1524
+ "crownJewelTier": "unknown",
1525
+ "crownJewelFactors": [],
1526
+ "cloneClusterId": "4a06d0af981828b5",
1527
+ "cloneClusterSize": 1,
1528
+ "provenance": "human-likely",
1529
+ "provenanceScore": 0.22,
1530
+ "typeNarrowed": null,
1531
+ "strideCategory": "denialOfService",
1532
+ "personaScores": {
1533
+ "script-kiddie": {
1534
+ "score": 0.4,
1535
+ "tier": "medium",
1536
+ "factors": [
1537
+ "sev:medium"
1538
+ ]
1539
+ },
1540
+ "opportunistic-criminal": {
1541
+ "score": 0.4,
1542
+ "tier": "medium",
1543
+ "factors": [
1544
+ "sev:medium"
1545
+ ]
1546
+ },
1547
+ "apt-nation-state": {
1548
+ "score": 0.4,
1549
+ "tier": "medium",
1550
+ "factors": [
1551
+ "sev:medium"
1552
+ ]
1553
+ },
1554
+ "supply-chain-attacker": {
1555
+ "score": 0.4,
1556
+ "tier": "medium",
1557
+ "factors": [
1558
+ "sev:medium"
1559
+ ]
1560
+ },
1561
+ "malicious-insider": {
1562
+ "score": 0.4,
1563
+ "tier": "medium",
1564
+ "factors": [
1565
+ "sev:medium"
1566
+ ]
1567
+ }
1568
+ },
1569
+ "personaTopTwo": [
1570
+ "script-kiddie",
1571
+ "opportunistic-criminal"
1572
+ ],
1573
+ "personaMaxName": "script-kiddie",
1574
+ "personaMaxScore": 0.4,
1575
+ "reverseExposure": null,
1576
+ "specMined": null,
1577
+ "whyFired": {
1578
+ "detector": "sast/dos-sync-io",
1579
+ "ruleId": "CWE-400",
1580
+ "parser": "STRUCTURAL",
1581
+ "evidence": {
1582
+ "sinkSnippet": "fs.writeFileSync(path.join(dir, SUMMARIES_PATH), JSON.stringify(payload));",
1583
+ "sourceSnippet": "fs.writeFileSync(path.join(dir, SUMMARIES_PATH), JSON.stringify(payload));",
1584
+ "pathSteps": [],
1585
+ "sanitizers": [],
1586
+ "guards": []
1587
+ },
1588
+ "considered": {
1589
+ "suppressionsApplied": [],
1590
+ "suppressionsSkipped": [],
1591
+ "reachabilityFilter": "unaffected",
1592
+ "clusterCollapsed": false,
1593
+ "typeNarrowed": false,
1594
+ "crownJewelTier": "unknown",
1595
+ "mitigationVerdict": "unreachable-in-prod"
1596
+ },
1597
+ "scanner": {
1598
+ "rulesetVersion": null,
1599
+ "packHash": null,
1600
+ "modelId": null
1601
+ }
1602
+ },
1603
+ "adversaryTranscript": null,
1604
+ "predictedBountyUsd": {
1605
+ "low": 10,
1606
+ "likely": 40,
1607
+ "high": 120,
1608
+ "program": "web2"
1609
+ },
1610
+ "bountyConfidence": "high",
1611
+ "attackPlaybook": null
1612
+ },
1613
+ {
1614
+ "id": "struct:incremental.js:220:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1615
+ "kind": "sast",
1616
+ "severity": "medium",
1617
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1618
+ "cwe": "CWE-400",
1619
+ "owaspLlm": null,
1620
+ "stride": "Denial of Service",
1621
+ "file": "incremental.js",
1622
+ "line": 220,
1623
+ "snippet": "if (!fs.existsSync(dir)) return true;",
1624
+ "fix": null,
1625
+ "reachable": false,
1626
+ "triage": 22,
1627
+ "dataClasses": [],
1628
+ "chain": null,
1629
+ "confidence": 0.212,
1630
+ "toxicity": 28,
1631
+ "toxicityFactors": [
1632
+ "http-facing"
1633
+ ],
1634
+ "toxicityLabel": "Medium",
1635
+ "sources": null,
1636
+ "epssScore": null,
1637
+ "epssPercentile": null,
1638
+ "epssCve": null,
1639
+ "exploitedNow": false,
1640
+ "tags": null,
1641
+ "blastRadius": {
1642
+ "scope": "all-users",
1643
+ "dataAtRisk": [
1644
+ "config"
1645
+ ],
1646
+ "userCount": 50,
1647
+ "industry": "generic",
1648
+ "jurisdictions": [],
1649
+ "controlsApplied": [],
1650
+ "dollarBest": 23250,
1651
+ "dollarLikely": 136250,
1652
+ "dollarWorst": 775000,
1653
+ "dollarLow": 23250,
1654
+ "dollarHigh": 775000,
1655
+ "components": {
1656
+ "incidentResponse": {
1657
+ "low": 8000,
1658
+ "likely": 50000,
1659
+ "high": 250000
1660
+ },
1661
+ "legal": {
1662
+ "low": 10000,
1663
+ "likely": 75000,
1664
+ "high": 500000
1665
+ },
1666
+ "crisisPR": {
1667
+ "low": 0,
1668
+ "likely": 0,
1669
+ "high": 0
1670
+ },
1671
+ "notification": {
1672
+ "low": 5000,
1673
+ "likely": 10000,
1674
+ "high": 15000
1675
+ },
1676
+ "creditMonitoring": {
1677
+ "low": 0,
1678
+ "likely": 0,
1679
+ "high": 0
1680
+ },
1681
+ "regulatoryFines": {
1682
+ "low": 0,
1683
+ "likely": 0,
1684
+ "high": 0
1685
+ },
1686
+ "directDamage": {
1687
+ "low": 250,
1688
+ "likely": 1250,
1689
+ "high": 10000
1690
+ },
1691
+ "classAction": {
1692
+ "low": 0,
1693
+ "likely": 0,
1694
+ "high": 0
1695
+ },
1696
+ "lostBusiness": {
1697
+ "low": 0,
1698
+ "likely": 0,
1699
+ "high": 0
1700
+ }
1701
+ },
1702
+ "dominantDriver": "legal counsel",
1703
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1704
+ "confidence": "low",
1705
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:220` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1706
+ },
1707
+ "stableId": "0276003493008082",
1708
+ "confidenceTier": "very-low",
1709
+ "exploitability": 0.2,
1710
+ "exploitabilityTier": "low",
1711
+ "exploitabilityFactors": [
1712
+ "sev:medium",
1713
+ "unreachable"
1714
+ ],
1715
+ "clusterSize": null,
1716
+ "unreachable": false,
1717
+ "validator_verdict": "unvalidated",
1718
+ "llm_confidence": null,
1719
+ "unvalidated": true,
1720
+ "cross_language": false,
1721
+ "family": "dos-sync-io",
1722
+ "parser": "STRUCTURAL",
1723
+ "_unsigned": false,
1724
+ "_passThroughSigning": false,
1725
+ "signatureStatus": "verified",
1726
+ "regression_test": null,
1727
+ "poc": null,
1728
+ "calibrated_confidence": null,
1729
+ "calibrated_confidence_ci": null,
1730
+ "calibrated_n": 0,
1731
+ "calibration_reason": "no-history",
1732
+ "verifier_verdict": "cannot-verify",
1733
+ "verifier_reason": "no-poc-no-sanitizer-rule",
1734
+ "verifier_runner": null,
1735
+ "narration": null,
1736
+ "mitigationVerdict": "unreachable-in-prod",
1737
+ "mitigationsApplied": [],
1738
+ "mitigatedByWaf": false,
1739
+ "wafRuleId": null,
1740
+ "mitigatedByAuth": false,
1741
+ "authMechanism": null,
1742
+ "mitigatedByNetwork": false,
1743
+ "networkExposure": null,
1744
+ "featureFlag": null,
1745
+ "featureFlagState": null,
1746
+ "featureFlagRollout": null,
1747
+ "exposedInProd": false,
1748
+ "unreachableInProd": true,
1749
+ "coldPath": false,
1750
+ "hotPath": false,
1751
+ "prodRequestCount": null,
1752
+ "crownJewelScore": 0,
1753
+ "crownJewelTier": "unknown",
1754
+ "crownJewelFactors": [],
1755
+ "cloneClusterId": "b7114d1d9de39865",
1756
+ "cloneClusterSize": 1,
1757
+ "provenance": "human-likely",
1758
+ "provenanceScore": 0.22,
1759
+ "typeNarrowed": null,
1760
+ "strideCategory": "denialOfService",
1761
+ "personaScores": {
1762
+ "script-kiddie": {
1763
+ "score": 0.4,
1764
+ "tier": "medium",
1765
+ "factors": [
1766
+ "sev:medium"
1767
+ ]
1768
+ },
1769
+ "opportunistic-criminal": {
1770
+ "score": 0.4,
1771
+ "tier": "medium",
1772
+ "factors": [
1773
+ "sev:medium"
1774
+ ]
1775
+ },
1776
+ "apt-nation-state": {
1777
+ "score": 0.4,
1778
+ "tier": "medium",
1779
+ "factors": [
1780
+ "sev:medium"
1781
+ ]
1782
+ },
1783
+ "supply-chain-attacker": {
1784
+ "score": 0.4,
1785
+ "tier": "medium",
1786
+ "factors": [
1787
+ "sev:medium"
1788
+ ]
1789
+ },
1790
+ "malicious-insider": {
1791
+ "score": 0.4,
1792
+ "tier": "medium",
1793
+ "factors": [
1794
+ "sev:medium"
1795
+ ]
1796
+ }
1797
+ },
1798
+ "personaTopTwo": [
1799
+ "script-kiddie",
1800
+ "opportunistic-criminal"
1801
+ ],
1802
+ "personaMaxName": "script-kiddie",
1803
+ "personaMaxScore": 0.4,
1804
+ "reverseExposure": null,
1805
+ "specMined": null,
1806
+ "whyFired": {
1807
+ "detector": "sast/dos-sync-io",
1808
+ "ruleId": "CWE-400",
1809
+ "parser": "STRUCTURAL",
1810
+ "evidence": {
1811
+ "sinkSnippet": "if (!fs.existsSync(dir)) return true;",
1812
+ "sourceSnippet": "if (!fs.existsSync(dir)) return true;",
1813
+ "pathSteps": [],
1814
+ "sanitizers": [],
1815
+ "guards": []
1816
+ },
1817
+ "considered": {
1818
+ "suppressionsApplied": [],
1819
+ "suppressionsSkipped": [],
1820
+ "reachabilityFilter": "unaffected",
1821
+ "clusterCollapsed": false,
1822
+ "typeNarrowed": false,
1823
+ "crownJewelTier": "unknown",
1824
+ "mitigationVerdict": "unreachable-in-prod"
1825
+ },
1826
+ "scanner": {
1827
+ "rulesetVersion": null,
1828
+ "packHash": null,
1829
+ "modelId": null
1830
+ }
1831
+ },
1832
+ "adversaryTranscript": null,
1833
+ "predictedBountyUsd": {
1834
+ "low": 10,
1835
+ "likely": 40,
1836
+ "high": 120,
1837
+ "program": "web2"
1838
+ },
1839
+ "bountyConfidence": "high",
1840
+ "attackPlaybook": null
1841
+ },
1842
+ {
1843
+ "id": "struct:incremental.js:223:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1844
+ "kind": "sast",
1845
+ "severity": "medium",
1846
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1847
+ "cwe": "CWE-400",
1848
+ "owaspLlm": null,
1849
+ "stride": "Denial of Service",
1850
+ "file": "incremental.js",
1851
+ "line": 223,
1852
+ "snippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
1853
+ "fix": null,
1854
+ "reachable": false,
1855
+ "triage": 22,
1856
+ "dataClasses": [],
1857
+ "chain": null,
1858
+ "confidence": 0.212,
1859
+ "toxicity": 28,
1860
+ "toxicityFactors": [
1861
+ "http-facing"
1862
+ ],
1863
+ "toxicityLabel": "Medium",
1864
+ "sources": null,
1865
+ "epssScore": null,
1866
+ "epssPercentile": null,
1867
+ "epssCve": null,
1868
+ "exploitedNow": false,
1869
+ "tags": null,
1870
+ "blastRadius": {
1871
+ "scope": "all-users",
1872
+ "dataAtRisk": [
1873
+ "config"
1874
+ ],
1875
+ "userCount": 50,
1876
+ "industry": "generic",
1877
+ "jurisdictions": [],
1878
+ "controlsApplied": [],
1879
+ "dollarBest": 23250,
1880
+ "dollarLikely": 136250,
1881
+ "dollarWorst": 775000,
1882
+ "dollarLow": 23250,
1883
+ "dollarHigh": 775000,
1884
+ "components": {
1885
+ "incidentResponse": {
1886
+ "low": 8000,
1887
+ "likely": 50000,
1888
+ "high": 250000
1889
+ },
1890
+ "legal": {
1891
+ "low": 10000,
1892
+ "likely": 75000,
1893
+ "high": 500000
1894
+ },
1895
+ "crisisPR": {
1896
+ "low": 0,
1897
+ "likely": 0,
1898
+ "high": 0
1899
+ },
1900
+ "notification": {
1901
+ "low": 5000,
1902
+ "likely": 10000,
1903
+ "high": 15000
1904
+ },
1905
+ "creditMonitoring": {
1906
+ "low": 0,
1907
+ "likely": 0,
1908
+ "high": 0
1909
+ },
1910
+ "regulatoryFines": {
1911
+ "low": 0,
1912
+ "likely": 0,
1913
+ "high": 0
1914
+ },
1915
+ "directDamage": {
1916
+ "low": 250,
1917
+ "likely": 1250,
1918
+ "high": 10000
1919
+ },
1920
+ "classAction": {
1921
+ "low": 0,
1922
+ "likely": 0,
1923
+ "high": 0
1924
+ },
1925
+ "lostBusiness": {
1926
+ "low": 0,
1927
+ "likely": 0,
1928
+ "high": 0
1929
+ }
1930
+ },
1931
+ "dominantDriver": "legal counsel",
1932
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1933
+ "confidence": "low",
1934
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:223` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1935
+ },
1936
+ "stableId": "15ad072cb77cdfe4",
1937
+ "confidenceTier": "very-low",
1938
+ "exploitability": 0.2,
1939
+ "exploitabilityTier": "low",
1940
+ "exploitabilityFactors": [
1941
+ "sev:medium",
1942
+ "unreachable"
1943
+ ],
1944
+ "clusterSize": null,
1945
+ "unreachable": false,
1946
+ "validator_verdict": "unvalidated",
1947
+ "llm_confidence": null,
1948
+ "unvalidated": true,
1949
+ "cross_language": false,
1950
+ "family": "dos-sync-io",
1951
+ "parser": "STRUCTURAL",
1952
+ "_unsigned": false,
1953
+ "_passThroughSigning": false,
1954
+ "signatureStatus": "verified",
1955
+ "regression_test": null,
1956
+ "poc": null,
1957
+ "calibrated_confidence": null,
1958
+ "calibrated_confidence_ci": null,
1959
+ "calibrated_n": 0,
1960
+ "calibration_reason": "no-history",
1961
+ "verifier_verdict": "cannot-verify",
1962
+ "verifier_reason": "no-poc-no-sanitizer-rule",
1963
+ "verifier_runner": null,
1964
+ "narration": null,
1965
+ "mitigationVerdict": "unreachable-in-prod",
1966
+ "mitigationsApplied": [],
1967
+ "mitigatedByWaf": false,
1968
+ "wafRuleId": null,
1969
+ "mitigatedByAuth": false,
1970
+ "authMechanism": null,
1971
+ "mitigatedByNetwork": false,
1972
+ "networkExposure": null,
1973
+ "featureFlag": null,
1974
+ "featureFlagState": null,
1975
+ "featureFlagRollout": null,
1976
+ "exposedInProd": false,
1977
+ "unreachableInProd": true,
1978
+ "coldPath": false,
1979
+ "hotPath": false,
1980
+ "prodRequestCount": null,
1981
+ "crownJewelScore": 0,
1982
+ "crownJewelTier": "unknown",
1983
+ "crownJewelFactors": [],
1984
+ "cloneClusterId": "07f8fac8b280cc73",
1985
+ "cloneClusterSize": 1,
1986
+ "provenance": "human-likely",
1987
+ "provenanceScore": 0.22,
1988
+ "typeNarrowed": null,
1989
+ "strideCategory": "denialOfService",
1990
+ "personaScores": {
1991
+ "script-kiddie": {
1992
+ "score": 0.4,
1993
+ "tier": "medium",
1994
+ "factors": [
1995
+ "sev:medium"
1996
+ ]
1997
+ },
1998
+ "opportunistic-criminal": {
1999
+ "score": 0.4,
2000
+ "tier": "medium",
2001
+ "factors": [
2002
+ "sev:medium"
2003
+ ]
2004
+ },
2005
+ "apt-nation-state": {
2006
+ "score": 0.4,
2007
+ "tier": "medium",
2008
+ "factors": [
2009
+ "sev:medium"
2010
+ ]
2011
+ },
2012
+ "supply-chain-attacker": {
2013
+ "score": 0.4,
2014
+ "tier": "medium",
2015
+ "factors": [
2016
+ "sev:medium"
2017
+ ]
2018
+ },
2019
+ "malicious-insider": {
2020
+ "score": 0.4,
2021
+ "tier": "medium",
2022
+ "factors": [
2023
+ "sev:medium"
2024
+ ]
2025
+ }
2026
+ },
2027
+ "personaTopTwo": [
2028
+ "script-kiddie",
2029
+ "opportunistic-criminal"
2030
+ ],
2031
+ "personaMaxName": "script-kiddie",
2032
+ "personaMaxScore": 0.4,
2033
+ "reverseExposure": null,
2034
+ "specMined": null,
2035
+ "whyFired": {
2036
+ "detector": "sast/dos-sync-io",
2037
+ "ruleId": "CWE-400",
2038
+ "parser": "STRUCTURAL",
2039
+ "evidence": {
2040
+ "sinkSnippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
2041
+ "sourceSnippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
2042
+ "pathSteps": [],
2043
+ "sanitizers": [],
2044
+ "guards": []
2045
+ },
2046
+ "considered": {
2047
+ "suppressionsApplied": [],
2048
+ "suppressionsSkipped": [],
2049
+ "reachabilityFilter": "unaffected",
2050
+ "clusterCollapsed": false,
2051
+ "typeNarrowed": false,
2052
+ "crownJewelTier": "unknown",
2053
+ "mitigationVerdict": "unreachable-in-prod"
2054
+ },
2055
+ "scanner": {
2056
+ "rulesetVersion": null,
2057
+ "packHash": null,
2058
+ "modelId": null
2059
+ }
2060
+ },
2061
+ "adversaryTranscript": null,
2062
+ "predictedBountyUsd": {
2063
+ "low": 10,
2064
+ "likely": 40,
2065
+ "high": 120,
2066
+ "program": "web2"
2067
+ },
2068
+ "bountyConfidence": "high",
2069
+ "attackPlaybook": null
2070
+ },
2071
+ {
2072
+ "id": "ssrf-meta-hardcoded:catalog.js:538",
2073
+ "kind": "sast",
2074
+ "severity": "medium",
2075
+ "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
2076
+ "cwe": "CWE-918",
2077
+ "owaspLlm": null,
2078
+ "stride": "Information Disclosure",
2079
+ "file": "catalog.js",
2080
+ "line": 538,
2081
+ "snippet": "remediation: 'Resolve the host first, reject 169.254.169.254 / RFC1918 / localhost; or proxy through a server-side allow-list.' } },",
2082
+ "fix": null,
2083
+ "reachable": false,
2084
+ "triage": 22,
2085
+ "dataClasses": [],
2086
+ "chain": null,
2087
+ "confidence": 0.7,
2088
+ "toxicity": 8,
2089
+ "toxicityFactors": [],
2090
+ "toxicityLabel": "Low",
2091
+ "sources": null,
2092
+ "epssScore": null,
2093
+ "epssPercentile": null,
2094
+ "epssCve": null,
2095
+ "exploitedNow": false,
2096
+ "tags": null,
2097
+ "blastRadius": {
2098
+ "scope": "all-users",
2099
+ "dataAtRisk": [
2100
+ "credentials"
2101
+ ],
2102
+ "userCount": 50,
2103
+ "industry": "generic",
2104
+ "jurisdictions": [],
2105
+ "controlsApplied": [],
2106
+ "dollarBest": 24000,
2107
+ "dollarLikely": 138000,
2108
+ "dollarWorst": 777500,
2109
+ "dollarLow": 24000,
2110
+ "dollarHigh": 777500,
2111
+ "components": {
2112
+ "incidentResponse": {
2113
+ "low": 8000,
2114
+ "likely": 50000,
2115
+ "high": 250000
2116
+ },
2117
+ "legal": {
2118
+ "low": 10000,
2119
+ "likely": 75000,
2120
+ "high": 500000
2121
+ },
2122
+ "crisisPR": {
2123
+ "low": 0,
2124
+ "likely": 0,
2125
+ "high": 0
2126
+ },
2127
+ "notification": {
2128
+ "low": 5000,
2129
+ "likely": 10000,
2130
+ "high": 15000
2131
+ },
2132
+ "creditMonitoring": {
2133
+ "low": 0,
2134
+ "likely": 0,
2135
+ "high": 0
2136
+ },
2137
+ "regulatoryFines": {
2138
+ "low": 0,
2139
+ "likely": 0,
2140
+ "high": 0
2141
+ },
2142
+ "directDamage": {
2143
+ "low": 1000,
2144
+ "likely": 3000,
2145
+ "high": 12500
2146
+ },
2147
+ "classAction": {
2148
+ "low": 0,
2149
+ "likely": 0,
2150
+ "high": 0
2151
+ },
2152
+ "lostBusiness": {
2153
+ "low": 0,
2154
+ "likely": 0,
2155
+ "high": 0
2156
+ }
2157
+ },
2158
+ "dominantDriver": "legal counsel",
2159
+ "comparable": "Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)",
2160
+ "confidence": "low",
2161
+ "narrative": "SSRF: explicit reference to cloud instance-metadata endpoint on `catalog.js:538` could expose production credentials and API keys. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $24k · likely $138k · worst $778k. Dominant driver: legal counsel. Comparable: Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)."
2162
+ },
2163
+ "stableId": "3dfe482b8d5e3a09",
2164
+ "confidenceTier": "medium",
2165
+ "exploitability": 0.2,
2166
+ "exploitabilityTier": "low",
2167
+ "exploitabilityFactors": [
2168
+ "sev:medium",
2169
+ "unreachable"
2170
+ ],
2171
+ "clusterSize": null,
2172
+ "unreachable": false,
2173
+ "validator_verdict": "unvalidated",
2174
+ "llm_confidence": null,
2175
+ "unvalidated": true,
2176
+ "cross_language": false,
2177
+ "family": "ssrf",
2178
+ "parser": "SSRF-METADATA",
2179
+ "_unsigned": false,
2180
+ "_passThroughSigning": false,
2181
+ "signatureStatus": "verified",
2182
+ "regression_test": {
2183
+ "lang": "node",
2184
+ "framework": null,
2185
+ "filename": null,
2186
+ "runHint": null,
2187
+ "code": null
2188
+ },
2189
+ "poc": {
2190
+ "lang": "node",
2191
+ "kind": "http-payload",
2192
+ "cwe": "CWE-918",
2193
+ "family": "ssrf",
2194
+ "runHint": "node poc.mjs",
2195
+ "code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n",
2196
+ "paramKey": null,
2197
+ "paramKeyConfidence": "low",
2198
+ "paramKeyInferred": false
2199
+ },
2200
+ "calibrated_confidence": null,
2201
+ "calibrated_confidence_ci": null,
2202
+ "calibrated_n": 24,
2203
+ "calibration_reason": "insufficient-samples",
2204
+ "verifier_verdict": "verified-sanitizer-absence",
2205
+ "verifier_reason": "no-sanitizer-in-window",
2206
+ "verifier_runner": null,
2207
+ "narration": null,
2208
+ "mitigationVerdict": "unreachable-in-prod",
2209
+ "mitigationsApplied": [],
2210
+ "mitigatedByWaf": false,
2211
+ "wafRuleId": null,
2212
+ "mitigatedByAuth": false,
2213
+ "authMechanism": null,
2214
+ "mitigatedByNetwork": false,
2215
+ "networkExposure": null,
2216
+ "featureFlag": null,
2217
+ "featureFlagState": null,
2218
+ "featureFlagRollout": null,
2219
+ "exposedInProd": false,
2220
+ "unreachableInProd": true,
2221
+ "coldPath": false,
2222
+ "hotPath": false,
2223
+ "prodRequestCount": null,
2224
+ "crownJewelScore": 0.15,
2225
+ "crownJewelTier": "low-value",
2226
+ "crownJewelFactors": [
2227
+ "shell-execution"
2228
+ ],
2229
+ "cloneClusterId": null,
2230
+ "cloneClusterSize": 1,
2231
+ "provenance": "human-likely",
2232
+ "provenanceScore": 0.26,
2233
+ "typeNarrowed": null,
2234
+ "strideCategory": "tampering",
2235
+ "personaScores": {
2236
+ "script-kiddie": {
2237
+ "score": 0.4,
2238
+ "tier": "medium",
2239
+ "factors": [
2240
+ "sev:medium"
2241
+ ]
2242
+ },
2243
+ "opportunistic-criminal": {
2244
+ "score": 0.6,
2245
+ "tier": "high",
2246
+ "factors": [
2247
+ "sev:medium",
2248
+ "bias:ssrf+0.20"
2249
+ ]
2250
+ },
2251
+ "apt-nation-state": {
2252
+ "score": 0.7,
2253
+ "tier": "high",
2254
+ "factors": [
2255
+ "sev:medium",
2256
+ "bias:ssrf+0.30"
2257
+ ]
2258
+ },
2259
+ "supply-chain-attacker": {
2260
+ "score": 0.4,
2261
+ "tier": "medium",
2262
+ "factors": [
2263
+ "sev:medium"
2264
+ ]
2265
+ },
2266
+ "malicious-insider": {
2267
+ "score": 0.4,
2268
+ "tier": "medium",
2269
+ "factors": [
2270
+ "sev:medium"
2271
+ ]
2272
+ }
2273
+ },
2274
+ "personaTopTwo": [
2275
+ "apt-nation-state",
2276
+ "opportunistic-criminal"
2277
+ ],
2278
+ "personaMaxName": "apt-nation-state",
2279
+ "personaMaxScore": 0.7,
2280
+ "reverseExposure": null,
2281
+ "specMined": null,
2282
+ "whyFired": {
2283
+ "detector": "sast/ssrf",
2284
+ "ruleId": "CWE-918",
2285
+ "parser": "SSRF-METADATA",
2286
+ "evidence": {
2287
+ "sinkSnippet": "remediation: 'Resolve the host first, reject 169.254.169.254 / RFC1918 / localhost; or proxy through a server-side allow-list.' } },",
2288
+ "sourceSnippet": null,
2289
+ "pathSteps": [],
2290
+ "sanitizers": [],
2291
+ "guards": []
2292
+ },
2293
+ "considered": {
2294
+ "suppressionsApplied": [],
2295
+ "suppressionsSkipped": [],
2296
+ "reachabilityFilter": "unaffected",
2297
+ "clusterCollapsed": false,
2298
+ "typeNarrowed": false,
2299
+ "crownJewelTier": "low-value",
2300
+ "mitigationVerdict": "unreachable-in-prod"
2301
+ },
2302
+ "scanner": {
2303
+ "rulesetVersion": null,
2304
+ "packHash": null,
2305
+ "modelId": null
2306
+ }
2307
+ },
2308
+ "adversaryTranscript": null,
2309
+ "predictedBountyUsd": {
2310
+ "low": 30,
2311
+ "likely": 120,
2312
+ "high": 350,
2313
+ "program": "web2"
2314
+ },
2315
+ "bountyConfidence": "high",
2316
+ "attackPlaybook": null
2317
+ },
2318
+ {
2319
+ "id": "ssrf-meta-hardcoded:exploit-prover.js:33",
2320
+ "kind": "sast",
2321
+ "severity": "medium",
2322
+ "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
2323
+ "cwe": "CWE-918",
2324
+ "owaspLlm": null,
2325
+ "stride": "Information Disclosure",
2326
+ "file": "exploit-prover.js",
2327
+ "line": 33,
2328
+ "snippet": "'CWE-918': `http://169.254.169.254/latest/meta-data/`, // SSRF",
2329
+ "fix": null,
2330
+ "reachable": false,
2331
+ "triage": 22,
2332
+ "dataClasses": [],
2333
+ "chain": null,
2334
+ "confidence": 0.7,
2335
+ "toxicity": 8,
2336
+ "toxicityFactors": [],
2337
+ "toxicityLabel": "Low",
2338
+ "sources": null,
2339
+ "epssScore": null,
2340
+ "epssPercentile": null,
2341
+ "epssCve": null,
2342
+ "exploitedNow": false,
2343
+ "tags": null,
2344
+ "blastRadius": {
2345
+ "scope": "all-users",
2346
+ "dataAtRisk": [
2347
+ "credentials"
2348
+ ],
2349
+ "userCount": 50,
2350
+ "industry": "generic",
2351
+ "jurisdictions": [],
2352
+ "controlsApplied": [],
2353
+ "dollarBest": 24000,
2354
+ "dollarLikely": 138000,
2355
+ "dollarWorst": 777500,
2356
+ "dollarLow": 24000,
2357
+ "dollarHigh": 777500,
2358
+ "components": {
2359
+ "incidentResponse": {
2360
+ "low": 8000,
2361
+ "likely": 50000,
2362
+ "high": 250000
2363
+ },
2364
+ "legal": {
2365
+ "low": 10000,
2366
+ "likely": 75000,
2367
+ "high": 500000
2368
+ },
2369
+ "crisisPR": {
2370
+ "low": 0,
2371
+ "likely": 0,
2372
+ "high": 0
2373
+ },
2374
+ "notification": {
2375
+ "low": 5000,
2376
+ "likely": 10000,
2377
+ "high": 15000
2378
+ },
2379
+ "creditMonitoring": {
2380
+ "low": 0,
2381
+ "likely": 0,
2382
+ "high": 0
2383
+ },
2384
+ "regulatoryFines": {
2385
+ "low": 0,
2386
+ "likely": 0,
2387
+ "high": 0
2388
+ },
2389
+ "directDamage": {
2390
+ "low": 1000,
2391
+ "likely": 3000,
2392
+ "high": 12500
2393
+ },
2394
+ "classAction": {
2395
+ "low": 0,
2396
+ "likely": 0,
2397
+ "high": 0
2398
+ },
2399
+ "lostBusiness": {
2400
+ "low": 0,
2401
+ "likely": 0,
2402
+ "high": 0
2403
+ }
2404
+ },
2405
+ "dominantDriver": "legal counsel",
2406
+ "comparable": "Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)",
2407
+ "confidence": "low",
2408
+ "narrative": "SSRF: explicit reference to cloud instance-metadata endpoint on `exploit-prover.js:33` could expose production credentials and API keys. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $24k · likely $138k · worst $778k. Dominant driver: legal counsel. Comparable: Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)."
2409
+ },
2410
+ "stableId": "88ebc2728475812c",
2411
+ "confidenceTier": "medium",
2412
+ "exploitability": 0.2,
2413
+ "exploitabilityTier": "low",
2414
+ "exploitabilityFactors": [
2415
+ "sev:medium",
2416
+ "unreachable"
2417
+ ],
2418
+ "clusterSize": null,
2419
+ "unreachable": false,
2420
+ "validator_verdict": "unvalidated",
2421
+ "llm_confidence": null,
2422
+ "unvalidated": true,
2423
+ "cross_language": false,
2424
+ "family": "ssrf",
2425
+ "parser": "SSRF-METADATA",
2426
+ "_unsigned": false,
2427
+ "_passThroughSigning": false,
2428
+ "signatureStatus": "verified",
2429
+ "regression_test": {
2430
+ "lang": "node",
2431
+ "framework": null,
2432
+ "filename": null,
2433
+ "runHint": null,
2434
+ "code": null
2435
+ },
2436
+ "poc": {
2437
+ "lang": "node",
2438
+ "kind": "http-payload",
2439
+ "cwe": "CWE-918",
2440
+ "family": "ssrf",
2441
+ "runHint": "node poc.mjs",
2442
+ "code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n",
2443
+ "paramKey": null,
2444
+ "paramKeyConfidence": "low",
2445
+ "paramKeyInferred": false
2446
+ },
2447
+ "calibrated_confidence": null,
2448
+ "calibrated_confidence_ci": null,
2449
+ "calibrated_n": 24,
2450
+ "calibration_reason": "insufficient-samples",
2451
+ "verifier_verdict": "verified-sanitizer-absence",
2452
+ "verifier_reason": "no-sanitizer-in-window",
2453
+ "verifier_runner": null,
2454
+ "narration": null,
2455
+ "mitigationVerdict": "unreachable-in-prod",
2456
+ "mitigationsApplied": [],
2457
+ "mitigatedByWaf": false,
2458
+ "wafRuleId": null,
2459
+ "mitigatedByAuth": false,
2460
+ "authMechanism": null,
2461
+ "mitigatedByNetwork": false,
2462
+ "networkExposure": null,
2463
+ "featureFlag": null,
2464
+ "featureFlagState": null,
2465
+ "featureFlagRollout": null,
2466
+ "exposedInProd": false,
2467
+ "unreachableInProd": true,
2468
+ "coldPath": false,
2469
+ "hotPath": false,
2470
+ "prodRequestCount": null,
2471
+ "crownJewelScore": 0,
2472
+ "crownJewelTier": "unknown",
2473
+ "crownJewelFactors": [],
2474
+ "cloneClusterId": null,
2475
+ "cloneClusterSize": 1,
2476
+ "provenance": "mixed",
2477
+ "provenanceScore": 0.3,
2478
+ "typeNarrowed": null,
2479
+ "strideCategory": "tampering",
2480
+ "personaScores": {
2481
+ "script-kiddie": {
2482
+ "score": 0.4,
2483
+ "tier": "medium",
2484
+ "factors": [
2485
+ "sev:medium"
2486
+ ]
2487
+ },
2488
+ "opportunistic-criminal": {
2489
+ "score": 0.6,
2490
+ "tier": "high",
2491
+ "factors": [
2492
+ "sev:medium",
2493
+ "bias:ssrf+0.20"
2494
+ ]
2495
+ },
2496
+ "apt-nation-state": {
2497
+ "score": 0.7,
2498
+ "tier": "high",
2499
+ "factors": [
2500
+ "sev:medium",
2501
+ "bias:ssrf+0.30"
2502
+ ]
2503
+ },
2504
+ "supply-chain-attacker": {
2505
+ "score": 0.4,
2506
+ "tier": "medium",
2507
+ "factors": [
2508
+ "sev:medium"
2509
+ ]
2510
+ },
2511
+ "malicious-insider": {
2512
+ "score": 0.4,
2513
+ "tier": "medium",
2514
+ "factors": [
2515
+ "sev:medium"
2516
+ ]
2517
+ }
2518
+ },
2519
+ "personaTopTwo": [
2520
+ "apt-nation-state",
2521
+ "opportunistic-criminal"
2522
+ ],
2523
+ "personaMaxName": "apt-nation-state",
2524
+ "personaMaxScore": 0.7,
2525
+ "reverseExposure": null,
2526
+ "specMined": null,
2527
+ "whyFired": {
2528
+ "detector": "sast/ssrf",
2529
+ "ruleId": "CWE-918",
2530
+ "parser": "SSRF-METADATA",
2531
+ "evidence": {
2532
+ "sinkSnippet": "'CWE-918': `http://169.254.169.254/latest/meta-data/`, // SSRF",
2533
+ "sourceSnippet": null,
2534
+ "pathSteps": [],
2535
+ "sanitizers": [],
2536
+ "guards": []
2537
+ },
2538
+ "considered": {
2539
+ "suppressionsApplied": [],
2540
+ "suppressionsSkipped": [],
2541
+ "reachabilityFilter": "unaffected",
2542
+ "clusterCollapsed": false,
2543
+ "typeNarrowed": false,
2544
+ "crownJewelTier": "unknown",
2545
+ "mitigationVerdict": "unreachable-in-prod"
2546
+ },
2547
+ "scanner": {
2548
+ "rulesetVersion": null,
2549
+ "packHash": null,
2550
+ "modelId": null
2551
+ }
2552
+ },
2553
+ "adversaryTranscript": null,
2554
+ "predictedBountyUsd": {
2555
+ "low": 30,
2556
+ "likely": 120,
2557
+ "high": 350,
2558
+ "program": "web2"
2559
+ },
2560
+ "bountyConfidence": "high",
2561
+ "attackPlaybook": null
2562
+ },
2563
+ {
2564
+ "id": "toctou-fs:incremental.js:50",
2565
+ "kind": "sast",
2566
+ "severity": "medium",
2567
+ "vuln": "TOCTOU: file existence/permission check before open",
2568
+ "cwe": "CWE-367",
2569
+ "owaspLlm": null,
2570
+ "stride": "Tampering",
2571
+ "file": "incremental.js",
2572
+ "line": 50,
2573
+ "snippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
2574
+ "fix": null,
2575
+ "reachable": false,
2576
+ "triage": 22,
2577
+ "dataClasses": [],
2578
+ "chain": null,
2579
+ "confidence": 0.7,
2580
+ "toxicity": 8,
2581
+ "toxicityFactors": [],
2582
+ "toxicityLabel": "Low",
2583
+ "sources": null,
2584
+ "epssScore": null,
2585
+ "epssPercentile": null,
2586
+ "epssCve": null,
2587
+ "exploitedNow": false,
2588
+ "tags": null,
2589
+ "blastRadius": {
2590
+ "scope": "all-users",
2591
+ "dataAtRisk": [
2592
+ "config"
2593
+ ],
2594
+ "userCount": 50,
2595
+ "industry": "generic",
2596
+ "jurisdictions": [],
2597
+ "controlsApplied": [],
2598
+ "dollarBest": 23250,
2599
+ "dollarLikely": 136250,
2600
+ "dollarWorst": 775000,
2601
+ "dollarLow": 23250,
2602
+ "dollarHigh": 775000,
2603
+ "components": {
2604
+ "incidentResponse": {
2605
+ "low": 8000,
2606
+ "likely": 50000,
2607
+ "high": 250000
2608
+ },
2609
+ "legal": {
2610
+ "low": 10000,
2611
+ "likely": 75000,
2612
+ "high": 500000
2613
+ },
2614
+ "crisisPR": {
2615
+ "low": 0,
2616
+ "likely": 0,
2617
+ "high": 0
2618
+ },
2619
+ "notification": {
2620
+ "low": 5000,
2621
+ "likely": 10000,
2622
+ "high": 15000
2623
+ },
2624
+ "creditMonitoring": {
2625
+ "low": 0,
2626
+ "likely": 0,
2627
+ "high": 0
2628
+ },
2629
+ "regulatoryFines": {
2630
+ "low": 0,
2631
+ "likely": 0,
2632
+ "high": 0
2633
+ },
2634
+ "directDamage": {
2635
+ "low": 250,
2636
+ "likely": 1250,
2637
+ "high": 10000
2638
+ },
2639
+ "classAction": {
2640
+ "low": 0,
2641
+ "likely": 0,
2642
+ "high": 0
2643
+ },
2644
+ "lostBusiness": {
2645
+ "low": 0,
2646
+ "likely": 0,
2647
+ "high": 0
2648
+ }
2649
+ },
2650
+ "dominantDriver": "legal counsel",
2651
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
2652
+ "confidence": "low",
2653
+ "narrative": "TOCTOU: file existence/permission check before open on `incremental.js:50` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
2654
+ },
2655
+ "stableId": "3184d498fcca8634",
2656
+ "confidenceTier": "medium",
2657
+ "exploitability": 0.2,
2658
+ "exploitabilityTier": "low",
2659
+ "exploitabilityFactors": [
2660
+ "sev:medium",
2661
+ "unreachable"
2662
+ ],
2663
+ "clusterSize": null,
2664
+ "unreachable": false,
2665
+ "validator_verdict": "unvalidated",
2666
+ "llm_confidence": null,
2667
+ "unvalidated": true,
2668
+ "cross_language": false,
2669
+ "family": "toctou-file-existence-permission-check-b",
2670
+ "parser": "TOCTOU",
2671
+ "_unsigned": false,
2672
+ "_passThroughSigning": false,
2673
+ "signatureStatus": "verified",
2674
+ "regression_test": null,
2675
+ "poc": null,
2676
+ "calibrated_confidence": null,
2677
+ "calibrated_confidence_ci": null,
2678
+ "calibrated_n": 0,
2679
+ "calibration_reason": "no-history",
2680
+ "verifier_verdict": "cannot-verify",
2681
+ "verifier_reason": "no-poc-no-sanitizer-rule",
2682
+ "verifier_runner": null,
2683
+ "narration": null,
2684
+ "mitigationVerdict": "unreachable-in-prod",
2685
+ "mitigationsApplied": [],
2686
+ "mitigatedByWaf": false,
2687
+ "wafRuleId": null,
2688
+ "mitigatedByAuth": false,
2689
+ "authMechanism": null,
2690
+ "mitigatedByNetwork": false,
2691
+ "networkExposure": null,
2692
+ "featureFlag": null,
2693
+ "featureFlagState": null,
2694
+ "featureFlagRollout": null,
2695
+ "exposedInProd": false,
2696
+ "unreachableInProd": true,
2697
+ "coldPath": false,
2698
+ "hotPath": false,
2699
+ "prodRequestCount": null,
2700
+ "crownJewelScore": 0,
2701
+ "crownJewelTier": "unknown",
2702
+ "crownJewelFactors": [],
2703
+ "cloneClusterId": "bf9643a065f64945",
2704
+ "cloneClusterSize": 2,
2705
+ "provenance": "human-likely",
2706
+ "provenanceScore": 0.22,
2707
+ "typeNarrowed": null,
2708
+ "strideCategory": "tampering",
2709
+ "personaScores": {
2710
+ "script-kiddie": {
2711
+ "score": 0.4,
2712
+ "tier": "medium",
2713
+ "factors": [
2714
+ "sev:medium"
2715
+ ]
2716
+ },
2717
+ "opportunistic-criminal": {
2718
+ "score": 0.4,
2719
+ "tier": "medium",
2720
+ "factors": [
2721
+ "sev:medium"
2722
+ ]
2723
+ },
2724
+ "apt-nation-state": {
2725
+ "score": 0.4,
2726
+ "tier": "medium",
2727
+ "factors": [
2728
+ "sev:medium"
2729
+ ]
2730
+ },
2731
+ "supply-chain-attacker": {
2732
+ "score": 0.4,
2733
+ "tier": "medium",
2734
+ "factors": [
2735
+ "sev:medium"
2736
+ ]
2737
+ },
2738
+ "malicious-insider": {
2739
+ "score": 0.4,
2740
+ "tier": "medium",
2741
+ "factors": [
2742
+ "sev:medium"
2743
+ ]
2744
+ }
2745
+ },
2746
+ "personaTopTwo": [
2747
+ "script-kiddie",
2748
+ "opportunistic-criminal"
2749
+ ],
2750
+ "personaMaxName": "script-kiddie",
2751
+ "personaMaxScore": 0.4,
2752
+ "reverseExposure": null,
2753
+ "specMined": null,
2754
+ "whyFired": {
2755
+ "detector": "sast/toctou-file-existence-permission-check-b",
2756
+ "ruleId": "CWE-367",
2757
+ "parser": "TOCTOU",
2758
+ "evidence": {
2759
+ "sinkSnippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
2760
+ "sourceSnippet": null,
2761
+ "pathSteps": [],
2762
+ "sanitizers": [],
2763
+ "guards": []
2764
+ },
2765
+ "considered": {
2766
+ "suppressionsApplied": [],
2767
+ "suppressionsSkipped": [],
2768
+ "reachabilityFilter": "unaffected",
2769
+ "clusterCollapsed": false,
2770
+ "typeNarrowed": false,
2771
+ "crownJewelTier": "unknown",
2772
+ "mitigationVerdict": "unreachable-in-prod"
2773
+ },
2774
+ "scanner": {
2775
+ "rulesetVersion": null,
2776
+ "packHash": null,
2777
+ "modelId": null
2778
+ }
2779
+ },
2780
+ "adversaryTranscript": null,
2781
+ "predictedBountyUsd": null,
2782
+ "bountyConfidence": null,
2783
+ "attackPlaybook": null
2784
+ },
2785
+ {
2786
+ "id": "toctou-fs:incremental.js:68",
2787
+ "kind": "sast",
2788
+ "severity": "medium",
2789
+ "vuln": "TOCTOU: file existence/permission check before open",
2790
+ "cwe": "CWE-367",
2791
+ "owaspLlm": null,
2792
+ "stride": "Tampering",
2793
+ "file": "incremental.js",
2794
+ "line": 68,
2795
+ "snippet": "if (!fs.existsSync(fp)) return fallback;",
2796
+ "fix": null,
2797
+ "reachable": false,
2798
+ "triage": 22,
2799
+ "dataClasses": [],
2800
+ "chain": null,
2801
+ "confidence": 0.7,
2802
+ "toxicity": 8,
2803
+ "toxicityFactors": [],
2804
+ "toxicityLabel": "Low",
2805
+ "sources": null,
2806
+ "epssScore": null,
2807
+ "epssPercentile": null,
2808
+ "epssCve": null,
2809
+ "exploitedNow": false,
2810
+ "tags": null,
2811
+ "blastRadius": {
2812
+ "scope": "all-users",
2813
+ "dataAtRisk": [
2814
+ "config"
2815
+ ],
2816
+ "userCount": 50,
2817
+ "industry": "generic",
2818
+ "jurisdictions": [],
2819
+ "controlsApplied": [],
2820
+ "dollarBest": 23250,
2821
+ "dollarLikely": 136250,
2822
+ "dollarWorst": 775000,
2823
+ "dollarLow": 23250,
2824
+ "dollarHigh": 775000,
2825
+ "components": {
2826
+ "incidentResponse": {
2827
+ "low": 8000,
2828
+ "likely": 50000,
2829
+ "high": 250000
2830
+ },
2831
+ "legal": {
2832
+ "low": 10000,
2833
+ "likely": 75000,
2834
+ "high": 500000
2835
+ },
2836
+ "crisisPR": {
2837
+ "low": 0,
2838
+ "likely": 0,
2839
+ "high": 0
2840
+ },
2841
+ "notification": {
2842
+ "low": 5000,
2843
+ "likely": 10000,
2844
+ "high": 15000
2845
+ },
2846
+ "creditMonitoring": {
2847
+ "low": 0,
2848
+ "likely": 0,
2849
+ "high": 0
2850
+ },
2851
+ "regulatoryFines": {
2852
+ "low": 0,
2853
+ "likely": 0,
2854
+ "high": 0
2855
+ },
2856
+ "directDamage": {
2857
+ "low": 250,
2858
+ "likely": 1250,
2859
+ "high": 10000
2860
+ },
2861
+ "classAction": {
2862
+ "low": 0,
2863
+ "likely": 0,
2864
+ "high": 0
2865
+ },
2866
+ "lostBusiness": {
2867
+ "low": 0,
2868
+ "likely": 0,
2869
+ "high": 0
2870
+ }
2871
+ },
2872
+ "dominantDriver": "legal counsel",
2873
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
2874
+ "confidence": "low",
2875
+ "narrative": "TOCTOU: file existence/permission check before open on `incremental.js:68` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
2876
+ },
2877
+ "stableId": "ca2e725c38df4ef6",
2878
+ "confidenceTier": "medium",
2879
+ "exploitability": 0.2,
2880
+ "exploitabilityTier": "low",
2881
+ "exploitabilityFactors": [
2882
+ "sev:medium",
2883
+ "unreachable"
2884
+ ],
2885
+ "clusterSize": null,
2886
+ "unreachable": false,
2887
+ "validator_verdict": "unvalidated",
2888
+ "llm_confidence": null,
2889
+ "unvalidated": true,
2890
+ "cross_language": false,
2891
+ "family": "toctou-file-existence-permission-check-b",
2892
+ "parser": "TOCTOU",
2893
+ "_unsigned": false,
2894
+ "_passThroughSigning": false,
2895
+ "signatureStatus": "verified",
2896
+ "regression_test": null,
2897
+ "poc": null,
2898
+ "calibrated_confidence": null,
2899
+ "calibrated_confidence_ci": null,
2900
+ "calibrated_n": 0,
2901
+ "calibration_reason": "no-history",
2902
+ "verifier_verdict": "cannot-verify",
2903
+ "verifier_reason": "no-poc-no-sanitizer-rule",
2904
+ "verifier_runner": null,
2905
+ "narration": null,
2906
+ "mitigationVerdict": "unreachable-in-prod",
2907
+ "mitigationsApplied": [],
2908
+ "mitigatedByWaf": false,
2909
+ "wafRuleId": null,
2910
+ "mitigatedByAuth": false,
2911
+ "authMechanism": null,
2912
+ "mitigatedByNetwork": false,
2913
+ "networkExposure": null,
2914
+ "featureFlag": null,
2915
+ "featureFlagState": null,
2916
+ "featureFlagRollout": null,
2917
+ "exposedInProd": false,
2918
+ "unreachableInProd": true,
2919
+ "coldPath": false,
2920
+ "hotPath": false,
2921
+ "prodRequestCount": null,
2922
+ "crownJewelScore": 0,
2923
+ "crownJewelTier": "unknown",
2924
+ "crownJewelFactors": [],
2925
+ "cloneClusterId": "39f1d6db55cace1d",
2926
+ "cloneClusterSize": 2,
2927
+ "provenance": "human-likely",
2928
+ "provenanceScore": 0.22,
2929
+ "typeNarrowed": null,
2930
+ "strideCategory": "tampering",
2931
+ "personaScores": {
2932
+ "script-kiddie": {
2933
+ "score": 0.4,
2934
+ "tier": "medium",
2935
+ "factors": [
2936
+ "sev:medium"
2937
+ ]
2938
+ },
2939
+ "opportunistic-criminal": {
2940
+ "score": 0.4,
2941
+ "tier": "medium",
2942
+ "factors": [
2943
+ "sev:medium"
2944
+ ]
2945
+ },
2946
+ "apt-nation-state": {
2947
+ "score": 0.4,
2948
+ "tier": "medium",
2949
+ "factors": [
2950
+ "sev:medium"
2951
+ ]
2952
+ },
2953
+ "supply-chain-attacker": {
2954
+ "score": 0.4,
2955
+ "tier": "medium",
2956
+ "factors": [
2957
+ "sev:medium"
2958
+ ]
2959
+ },
2960
+ "malicious-insider": {
2961
+ "score": 0.4,
2962
+ "tier": "medium",
2963
+ "factors": [
2964
+ "sev:medium"
2965
+ ]
2966
+ }
2967
+ },
2968
+ "personaTopTwo": [
2969
+ "script-kiddie",
2970
+ "opportunistic-criminal"
2971
+ ],
2972
+ "personaMaxName": "script-kiddie",
2973
+ "personaMaxScore": 0.4,
2974
+ "reverseExposure": null,
2975
+ "specMined": null,
2976
+ "whyFired": {
2977
+ "detector": "sast/toctou-file-existence-permission-check-b",
2978
+ "ruleId": "CWE-367",
2979
+ "parser": "TOCTOU",
2980
+ "evidence": {
2981
+ "sinkSnippet": "if (!fs.existsSync(fp)) return fallback;",
2982
+ "sourceSnippet": null,
2983
+ "pathSteps": [],
2984
+ "sanitizers": [],
2985
+ "guards": []
2986
+ },
2987
+ "considered": {
2988
+ "suppressionsApplied": [],
2989
+ "suppressionsSkipped": [],
2990
+ "reachabilityFilter": "unaffected",
2991
+ "clusterCollapsed": false,
2992
+ "typeNarrowed": false,
2993
+ "crownJewelTier": "unknown",
2994
+ "mitigationVerdict": "unreachable-in-prod"
2995
+ },
2996
+ "scanner": {
2997
+ "rulesetVersion": null,
2998
+ "packHash": null,
2999
+ "modelId": null
3000
+ }
3001
+ },
3002
+ "adversaryTranscript": null,
3003
+ "predictedBountyUsd": null,
3004
+ "bountyConfidence": null,
3005
+ "attackPlaybook": null
3006
+ },
3007
+ {
3008
+ "id": "77f1352c8462f8db",
3009
+ "kind": "logic",
3010
+ "severity": "medium",
3011
+ "vuln": "Race Condition (TOCTOU)",
3012
+ "cwe": "CWE-367",
3013
+ "stride": "Tampering",
3014
+ "file": "incremental.js",
3015
+ "line": 223,
3016
+ "snippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
3017
+ "fix": {
3018
+ "description": "Use atomic operations instead of check-then-act patterns.",
3019
+ "code": "// BEFORE\nif (fs.existsSync(p)) fs.unlinkSync(p);\n\n// AFTER\ntry { fs.unlinkSync(p); } catch(e) { if(e.code!=='ENOENT') throw e; }"
3020
+ },
3021
+ "blastRadius": {
3022
+ "scope": "all-users",
3023
+ "dataAtRisk": [
3024
+ "config"
3025
+ ],
3026
+ "userCount": 50,
3027
+ "industry": "generic",
3028
+ "jurisdictions": [],
3029
+ "controlsApplied": [],
3030
+ "dollarBest": 23250,
3031
+ "dollarLikely": 136250,
3032
+ "dollarWorst": 775000,
3033
+ "dollarLow": 23250,
3034
+ "dollarHigh": 775000,
3035
+ "components": {
3036
+ "incidentResponse": {
3037
+ "low": 8000,
3038
+ "likely": 50000,
3039
+ "high": 250000
3040
+ },
3041
+ "legal": {
3042
+ "low": 10000,
3043
+ "likely": 75000,
3044
+ "high": 500000
3045
+ },
3046
+ "crisisPR": {
3047
+ "low": 0,
3048
+ "likely": 0,
3049
+ "high": 0
3050
+ },
3051
+ "notification": {
3052
+ "low": 5000,
3053
+ "likely": 10000,
3054
+ "high": 15000
3055
+ },
3056
+ "creditMonitoring": {
3057
+ "low": 0,
3058
+ "likely": 0,
3059
+ "high": 0
3060
+ },
3061
+ "regulatoryFines": {
3062
+ "low": 0,
3063
+ "likely": 0,
3064
+ "high": 0
3065
+ },
3066
+ "directDamage": {
3067
+ "low": 250,
3068
+ "likely": 1250,
3069
+ "high": 10000
3070
+ },
3071
+ "classAction": {
3072
+ "low": 0,
3073
+ "likely": 0,
3074
+ "high": 0
3075
+ },
3076
+ "lostBusiness": {
3077
+ "low": 0,
3078
+ "likely": 0,
3079
+ "high": 0
3080
+ }
3081
+ },
3082
+ "dominantDriver": "legal counsel",
3083
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3084
+ "confidence": "low",
3085
+ "narrative": "Race Condition (TOCTOU) on `incremental.js:223` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3086
+ },
3087
+ "parser": "LOGIC",
3088
+ "family": null
3089
+ },
3090
+ {
3091
+ "id": "logic:incremental.js:50:TOCTOU:_existsSync_followed_by_file_op",
3092
+ "kind": "logic",
3093
+ "severity": "medium",
3094
+ "vuln": "TOCTOU: existsSync followed by file op",
3095
+ "cwe": "CWE-367",
3096
+ "stride": "Tampering",
3097
+ "file": "incremental.js",
3098
+ "line": 50,
3099
+ "snippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
3100
+ "fix": {
3101
+ "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
3102
+ "code": ""
3103
+ },
3104
+ "blastRadius": {
3105
+ "scope": "all-users",
3106
+ "dataAtRisk": [
3107
+ "config"
3108
+ ],
3109
+ "userCount": 50,
3110
+ "industry": "generic",
3111
+ "jurisdictions": [],
3112
+ "controlsApplied": [],
3113
+ "dollarBest": 23250,
3114
+ "dollarLikely": 136250,
3115
+ "dollarWorst": 775000,
3116
+ "dollarLow": 23250,
3117
+ "dollarHigh": 775000,
3118
+ "components": {
3119
+ "incidentResponse": {
3120
+ "low": 8000,
3121
+ "likely": 50000,
3122
+ "high": 250000
3123
+ },
3124
+ "legal": {
3125
+ "low": 10000,
3126
+ "likely": 75000,
3127
+ "high": 500000
3128
+ },
3129
+ "crisisPR": {
3130
+ "low": 0,
3131
+ "likely": 0,
3132
+ "high": 0
3133
+ },
3134
+ "notification": {
3135
+ "low": 5000,
3136
+ "likely": 10000,
3137
+ "high": 15000
3138
+ },
3139
+ "creditMonitoring": {
3140
+ "low": 0,
3141
+ "likely": 0,
3142
+ "high": 0
3143
+ },
3144
+ "regulatoryFines": {
3145
+ "low": 0,
3146
+ "likely": 0,
3147
+ "high": 0
3148
+ },
3149
+ "directDamage": {
3150
+ "low": 250,
3151
+ "likely": 1250,
3152
+ "high": 10000
3153
+ },
3154
+ "classAction": {
3155
+ "low": 0,
3156
+ "likely": 0,
3157
+ "high": 0
3158
+ },
3159
+ "lostBusiness": {
3160
+ "low": 0,
3161
+ "likely": 0,
3162
+ "high": 0
3163
+ }
3164
+ },
3165
+ "dominantDriver": "legal counsel",
3166
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3167
+ "confidence": "low",
3168
+ "narrative": "TOCTOU: existsSync followed by file op on `incremental.js:50` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3169
+ },
3170
+ "parser": "LOGIC",
3171
+ "family": null
3172
+ },
3173
+ {
3174
+ "id": "logic:incremental.js:68:TOCTOU:_existsSync_followed_by_file_op",
3175
+ "kind": "logic",
3176
+ "severity": "medium",
3177
+ "vuln": "TOCTOU: existsSync followed by file op",
3178
+ "cwe": "CWE-367",
3179
+ "stride": "Tampering",
3180
+ "file": "incremental.js",
3181
+ "line": 68,
3182
+ "snippet": "if (!fs.existsSync(fp)) return fallback;",
3183
+ "fix": {
3184
+ "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
3185
+ "code": ""
3186
+ },
3187
+ "blastRadius": {
3188
+ "scope": "all-users",
3189
+ "dataAtRisk": [
3190
+ "config"
3191
+ ],
3192
+ "userCount": 50,
3193
+ "industry": "generic",
3194
+ "jurisdictions": [],
3195
+ "controlsApplied": [],
3196
+ "dollarBest": 23250,
3197
+ "dollarLikely": 136250,
3198
+ "dollarWorst": 775000,
3199
+ "dollarLow": 23250,
3200
+ "dollarHigh": 775000,
3201
+ "components": {
3202
+ "incidentResponse": {
3203
+ "low": 8000,
3204
+ "likely": 50000,
3205
+ "high": 250000
3206
+ },
3207
+ "legal": {
3208
+ "low": 10000,
3209
+ "likely": 75000,
3210
+ "high": 500000
3211
+ },
3212
+ "crisisPR": {
3213
+ "low": 0,
3214
+ "likely": 0,
3215
+ "high": 0
3216
+ },
3217
+ "notification": {
3218
+ "low": 5000,
3219
+ "likely": 10000,
3220
+ "high": 15000
3221
+ },
3222
+ "creditMonitoring": {
3223
+ "low": 0,
3224
+ "likely": 0,
3225
+ "high": 0
3226
+ },
3227
+ "regulatoryFines": {
3228
+ "low": 0,
3229
+ "likely": 0,
3230
+ "high": 0
3231
+ },
3232
+ "directDamage": {
3233
+ "low": 250,
3234
+ "likely": 1250,
3235
+ "high": 10000
3236
+ },
3237
+ "classAction": {
3238
+ "low": 0,
3239
+ "likely": 0,
3240
+ "high": 0
3241
+ },
3242
+ "lostBusiness": {
3243
+ "low": 0,
3244
+ "likely": 0,
3245
+ "high": 0
3246
+ }
3247
+ },
3248
+ "dominantDriver": "legal counsel",
3249
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3250
+ "confidence": "low",
3251
+ "narrative": "TOCTOU: existsSync followed by file op on `incremental.js:68` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3252
+ },
3253
+ "parser": "LOGIC",
3254
+ "family": null
3255
+ },
3256
+ {
3257
+ "id": "logic:incremental.js:223:TOCTOU:_existsSync_followed_by_file_op",
3258
+ "kind": "logic",
3259
+ "severity": "medium",
3260
+ "vuln": "TOCTOU: existsSync followed by file op",
3261
+ "cwe": "CWE-367",
3262
+ "stride": "Tampering",
3263
+ "file": "incremental.js",
3264
+ "line": 223,
3265
+ "snippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
3266
+ "fix": {
3267
+ "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
3268
+ "code": ""
3269
+ },
3270
+ "blastRadius": {
3271
+ "scope": "all-users",
3272
+ "dataAtRisk": [
3273
+ "config"
3274
+ ],
3275
+ "userCount": 50,
3276
+ "industry": "generic",
3277
+ "jurisdictions": [],
3278
+ "controlsApplied": [],
3279
+ "dollarBest": 23250,
3280
+ "dollarLikely": 136250,
3281
+ "dollarWorst": 775000,
3282
+ "dollarLow": 23250,
3283
+ "dollarHigh": 775000,
3284
+ "components": {
3285
+ "incidentResponse": {
3286
+ "low": 8000,
3287
+ "likely": 50000,
3288
+ "high": 250000
3289
+ },
3290
+ "legal": {
3291
+ "low": 10000,
3292
+ "likely": 75000,
3293
+ "high": 500000
3294
+ },
3295
+ "crisisPR": {
3296
+ "low": 0,
3297
+ "likely": 0,
3298
+ "high": 0
3299
+ },
3300
+ "notification": {
3301
+ "low": 5000,
3302
+ "likely": 10000,
3303
+ "high": 15000
3304
+ },
3305
+ "creditMonitoring": {
3306
+ "low": 0,
3307
+ "likely": 0,
3308
+ "high": 0
3309
+ },
3310
+ "regulatoryFines": {
3311
+ "low": 0,
3312
+ "likely": 0,
3313
+ "high": 0
3314
+ },
3315
+ "directDamage": {
3316
+ "low": 250,
3317
+ "likely": 1250,
3318
+ "high": 10000
3319
+ },
3320
+ "classAction": {
3321
+ "low": 0,
3322
+ "likely": 0,
3323
+ "high": 0
3324
+ },
3325
+ "lostBusiness": {
3326
+ "low": 0,
3327
+ "likely": 0,
3328
+ "high": 0
3329
+ }
3330
+ },
3331
+ "dominantDriver": "legal counsel",
3332
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3333
+ "confidence": "low",
3334
+ "narrative": "TOCTOU: existsSync followed by file op on `incremental.js:223` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3335
+ },
3336
+ "parser": "LOGIC",
3337
+ "family": null
3338
+ }
3339
+ ],
3340
+ "bundles": [],
3341
+ "routes": [],
3342
+ "components": [],
3343
+ "suppressedCount": 12,
3344
+ "blastRadiusSignals": {
3345
+ "industry": "generic",
3346
+ "industryConfidence": "low",
3347
+ "jurisdictions": [],
3348
+ "controls": [],
3349
+ "estimatedUsers": 50,
3350
+ "revenueIndicator": "pre-revenue",
3351
+ "hasStripe": false,
3352
+ "hasAuth": false,
3353
+ "hasUserTable": false,
3354
+ "hasPII": false,
3355
+ "hasPHI": false,
3356
+ "hasS3": false
3357
+ },
3358
+ "_v3": {
3359
+ "counterfactual": {
3360
+ "spofControls": [],
3361
+ "controlsDetected": 219
3362
+ },
3363
+ "threatModel": {
3364
+ "summary": {
3365
+ "assetCount": 0,
3366
+ "boundaryCount": 2,
3367
+ "strideCounts": {
3368
+ "spoofing": 0,
3369
+ "tampering": 4,
3370
+ "repudiation": 0,
3371
+ "informationDisclosure": 0,
3372
+ "denialOfService": 9,
3373
+ "elevationOfPrivilege": 0
3374
+ }
3375
+ },
3376
+ "assets": [],
3377
+ "trustBoundaries": [
3378
+ {
3379
+ "type": "db-edge",
3380
+ "file": "catalog.js",
3381
+ "line": 52,
3382
+ "label": null
3383
+ },
3384
+ {
3385
+ "type": "db-edge",
3386
+ "file": "catalog.js",
3387
+ "line": 55,
3388
+ "label": null
3389
+ }
3390
+ ],
3391
+ "stride": {
3392
+ "spoofing": [],
3393
+ "tampering": [
3394
+ {
3395
+ "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
3396
+ "file": "catalog.js",
3397
+ "line": 538,
3398
+ "severity": "medium"
3399
+ },
3400
+ {
3401
+ "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
3402
+ "file": "exploit-prover.js",
3403
+ "line": 33,
3404
+ "severity": "medium"
3405
+ },
3406
+ {
3407
+ "vuln": "TOCTOU: file existence/permission check before open",
3408
+ "file": "incremental.js",
3409
+ "line": 50,
3410
+ "severity": "medium"
3411
+ },
3412
+ {
3413
+ "vuln": "TOCTOU: file existence/permission check before open",
3414
+ "file": "incremental.js",
3415
+ "line": 68,
3416
+ "severity": "medium"
3417
+ }
3418
+ ],
3419
+ "repudiation": [],
3420
+ "informationDisclosure": [],
3421
+ "denialOfService": [
3422
+ {
3423
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3424
+ "file": "incremental.js",
3425
+ "severity": "medium"
3426
+ },
3427
+ {
3428
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3429
+ "file": "incremental.js",
3430
+ "severity": "medium"
3431
+ },
3432
+ {
3433
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3434
+ "file": "incremental.js",
3435
+ "severity": "medium"
3436
+ },
3437
+ {
3438
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3439
+ "file": "incremental.js",
3440
+ "severity": "medium"
3441
+ },
3442
+ {
3443
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3444
+ "file": "incremental.js",
3445
+ "severity": "medium"
3446
+ },
3447
+ {
3448
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3449
+ "file": "incremental.js",
3450
+ "severity": "medium"
3451
+ },
3452
+ {
3453
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3454
+ "file": "incremental.js",
3455
+ "severity": "medium"
3456
+ },
3457
+ {
3458
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3459
+ "file": "incremental.js",
3460
+ "severity": "medium"
3461
+ },
3462
+ {
3463
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3464
+ "file": "incremental.js",
3465
+ "severity": "medium"
3466
+ }
3467
+ ],
3468
+ "elevationOfPrivilege": []
3469
+ }
3470
+ },
3471
+ "trustBoundaryDiagram": {
3472
+ "mermaid": "flowchart LR\n INTERNET((Internet))\n APP[\"Application\"]\n db_catalog_js_52[(\"db@catalog.js:52\")]\n db_catalog_js_55[(\"db@catalog.js:55\")]\n APP -->|db| db_catalog_js_52\n APP -->|db| db_catalog_js_55\n classDef sev_critical fill:#ffcccc,stroke:#a00,stroke-width:2px;\n classDef sev_high fill:#ffe0b2,stroke:#c60,stroke-width:2px;\n classDef sev_medium fill:#fff3cd,stroke:#a80;\n classDef sev_low fill:#e8eaf6,stroke:#557;",
3473
+ "nodes": [
3474
+ {
3475
+ "id": "INTERNET",
3476
+ "kind": "external",
3477
+ "label": "Internet"
3478
+ },
3479
+ {
3480
+ "id": "APP",
3481
+ "kind": "app",
3482
+ "label": "Application"
3483
+ },
3484
+ {
3485
+ "kind": "db",
3486
+ "id": "db_catalog_js_52",
3487
+ "label": "db@catalog.js:52"
3488
+ },
3489
+ {
3490
+ "kind": "db",
3491
+ "id": "db_catalog_js_55",
3492
+ "label": "db@catalog.js:55"
3493
+ }
3494
+ ],
3495
+ "edges": [
3496
+ {
3497
+ "from": "APP",
3498
+ "to": "db_catalog_js_52",
3499
+ "kind": "db"
3500
+ },
3501
+ {
3502
+ "from": "APP",
3503
+ "to": "db_catalog_js_55",
3504
+ "kind": "db"
3505
+ }
3506
+ ],
3507
+ "decorations": []
3508
+ },
3509
+ "calibrationDrift": {
3510
+ "alarms": [],
3511
+ "note": "no-feedback-data"
3512
+ }
3513
+ },
3514
+ "annotatorErrors": []
3515
+ }