@clear-capabilities/agentic-security-scanner 0.77.0 → 0.78.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (83)
  1. package/bin/.agentic-security/findings.json +1907 -0
  2. package/bin/.agentic-security/last-scan.json +1907 -0
  3. package/bin/.agentic-security/last-scan.json.sig +1 -0
  4. package/bin/.agentic-security/scan-history.json +115 -0
  5. package/bin/.agentic-security/streak.json +20 -0
  6. package/bin/agentic-security.js +33 -2
  7. package/dist/178.index.js +1 -1
  8. package/dist/384.index.js +1 -1
  9. package/dist/637.index.js +1 -1
  10. package/dist/718.index.js +106 -0
  11. package/dist/824.index.js +126 -0
  12. package/dist/838.index.js +1 -1
  13. package/dist/agentic-security.mjs +32 -32
  14. package/dist/agentic-security.mjs.sha256 +1 -1
  15. package/package.json +3 -3
  16. package/src/.agentic-security/findings.json +82642 -0
  17. package/src/.agentic-security/last-scan.json +82642 -0
  18. package/src/.agentic-security/last-scan.json.sig +1 -0
  19. package/src/.agentic-security/scan-history.json +10054 -0
  20. package/src/.agentic-security/streak.json +21 -0
  21. package/src/dataflow/.agentic-security/findings.json +3515 -0
  22. package/src/dataflow/.agentic-security/last-scan.json +3515 -0
  23. package/src/dataflow/.agentic-security/last-scan.json.sig +1 -0
  24. package/src/dataflow/.agentic-security/scan-history.json +702 -0
  25. package/src/dataflow/.agentic-security/streak.json +22 -0
  26. package/src/dataflow/async-sequencing.js +16 -7
  27. package/src/dataflow/builtin-summaries.js +131 -0
  28. package/src/dataflow/catalog.js +107 -0
  29. package/src/dataflow/cross-repo.js +75 -1
  30. package/src/dataflow/engine.js +129 -0
  31. package/src/dataflow/implicit-flow.js +24 -6
  32. package/src/dataflow/stub-aware-filter.js +69 -11
  33. package/src/dataflow/summaries.js +28 -3
  34. package/src/engine-parallel.js +70 -0
  35. package/src/engine.js +165 -15
  36. package/src/ir/.agentic-security/findings.json +3777 -0
  37. package/src/ir/.agentic-security/last-scan.json +3777 -0
  38. package/src/ir/.agentic-security/last-scan.json.sig +1 -0
  39. package/src/ir/.agentic-security/scan-history.json +771 -0
  40. package/src/ir/.agentic-security/streak.json +21 -0
  41. package/src/ir/index.js +22 -1
  42. package/src/ir/parser-go.js +403 -0
  43. package/src/ir/parser-js.js +2 -0
  44. package/src/ir/parser-php.js +330 -0
  45. package/src/ir/parser-py.helper.py +137 -11
  46. package/src/ir/parser-rb.js +309 -0
  47. package/src/posture/.agentic-security/findings.json +51562 -0
  48. package/src/posture/.agentic-security/last-scan.json +51562 -0
  49. package/src/posture/.agentic-security/last-scan.json.sig +1 -0
  50. package/src/posture/.agentic-security/scan-history.json +650 -0
  51. package/src/posture/.agentic-security/streak.json +20 -0
  52. package/src/posture/calibration.js +14 -0
  53. package/src/posture/triage.js +13 -0
  54. package/src/report/.agentic-security/findings.json +80 -0
  55. package/src/report/.agentic-security/last-scan.json +80 -0
  56. package/src/report/.agentic-security/last-scan.json.sig +1 -0
  57. package/src/report/.agentic-security/scan-history.json +35 -0
  58. package/src/report/.agentic-security/streak.json +22 -0
  59. package/src/report/index.js +23 -2
  60. package/src/sast/.agentic-security/findings.json +5190 -0
  61. package/src/sast/.agentic-security/last-scan.json +5190 -0
  62. package/src/sast/.agentic-security/last-scan.json.sig +1 -0
  63. package/src/sast/.agentic-security/scan-history.json +408 -0
  64. package/src/sast/.agentic-security/streak.json +20 -0
  65. package/src/sast/cache-poisoning.js +77 -0
  66. package/src/sast/comparison-safety.js +73 -0
  67. package/src/sast/db-taint.js +54 -0
  68. package/src/sast/graphql.js +127 -0
  69. package/src/sast/llm-stored-prompt.js +57 -0
  70. package/src/sast/mutation-xss.js +43 -0
  71. package/src/sast/nosql-injection.js +5 -0
  72. package/src/sast/null-byte-injection.js +76 -0
  73. package/src/sast/redos-nfa.js +338 -0
  74. package/src/sast/sensitive-data-logging.js +73 -0
  75. package/src/sast/weak-password-hash.js +77 -0
  76. package/src/sast/weak-randomness.js +100 -0
  77. package/src/sca/.agentic-security/findings.json +1587 -0
  78. package/src/sca/.agentic-security/last-scan.json +1587 -0
  79. package/src/sca/.agentic-security/last-scan.json.sig +1 -0
  80. package/src/sca/.agentic-security/scan-history.json +36 -0
  81. package/src/sca/.agentic-security/streak.json +21 -0
  82. package/src/sca/llm-function-extract.js +107 -0
  83. package/src/sca/vendor-detect.js +91 -0
@@ -0,0 +1,3777 @@
1
+ {
2
+ "scanId": "1a8e7623-7074-46ec-9fe6-a8a0d25ee3c6",
3
+ "startedAt": "2026-05-27T02:22:41.834Z",
4
+ "durationMs": 363,
5
+ "scanned": {
6
+ "files": 15,
7
+ "lines": 0
8
+ },
9
+ "findings": [
10
+ {
11
+ "id": "struct:parser-cs.js:208:Mass_Assignment_(req.body_Direct_to_Model)",
12
+ "kind": "sast",
13
+ "severity": "high",
14
+ "vuln": "Mass Assignment (req.body Direct to Model)",
15
+ "cwe": "CWE-915",
16
+ "owaspLlm": null,
17
+ "stride": "Tampering",
18
+ "file": "parser-cs.js",
19
+ "line": 208,
20
+ "snippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
21
+ "fix": null,
22
+ "reachable": false,
23
+ "triage": 39,
24
+ "dataClasses": [],
25
+ "chain": null,
26
+ "confidence": 0.314,
27
+ "toxicity": 35,
28
+ "toxicityFactors": [
29
+ "high-severity",
30
+ "http-facing"
31
+ ],
32
+ "toxicityLabel": "Medium",
33
+ "sources": null,
34
+ "epssScore": null,
35
+ "epssPercentile": null,
36
+ "epssCve": null,
37
+ "exploitedNow": false,
38
+ "tags": null,
39
+ "blastRadius": {
40
+ "scope": "all-users",
41
+ "dataAtRisk": [
42
+ "config"
43
+ ],
44
+ "userCount": 50,
45
+ "industry": "generic",
46
+ "jurisdictions": [],
47
+ "controlsApplied": [],
48
+ "dollarBest": 23250,
49
+ "dollarLikely": 136250,
50
+ "dollarWorst": 775000,
51
+ "dollarLow": 23250,
52
+ "dollarHigh": 775000,
53
+ "components": {
54
+ "incidentResponse": {
55
+ "low": 8000,
56
+ "likely": 50000,
57
+ "high": 250000
58
+ },
59
+ "legal": {
60
+ "low": 10000,
61
+ "likely": 75000,
62
+ "high": 500000
63
+ },
64
+ "crisisPR": {
65
+ "low": 0,
66
+ "likely": 0,
67
+ "high": 0
68
+ },
69
+ "notification": {
70
+ "low": 5000,
71
+ "likely": 10000,
72
+ "high": 15000
73
+ },
74
+ "creditMonitoring": {
75
+ "low": 0,
76
+ "likely": 0,
77
+ "high": 0
78
+ },
79
+ "regulatoryFines": {
80
+ "low": 0,
81
+ "likely": 0,
82
+ "high": 0
83
+ },
84
+ "directDamage": {
85
+ "low": 250,
86
+ "likely": 1250,
87
+ "high": 10000
88
+ },
89
+ "classAction": {
90
+ "low": 0,
91
+ "likely": 0,
92
+ "high": 0
93
+ },
94
+ "lostBusiness": {
95
+ "low": 0,
96
+ "likely": 0,
97
+ "high": 0
98
+ }
99
+ },
100
+ "dominantDriver": "legal counsel",
101
+ "comparable": "GitHub mass-assignment 2012 → public ridicule + emergency rebuild",
102
+ "confidence": "low",
103
+ "narrative": "Mass Assignment (req.body Direct to Model) on `parser-cs.js:208` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: GitHub mass-assignment 2012 → public ridicule + emergency rebuild."
104
+ },
105
+ "stableId": "1881a55e55ca05ef",
106
+ "confidenceTier": "low",
107
+ "exploitability": 0.45,
108
+ "exploitabilityTier": "medium",
109
+ "exploitabilityFactors": [
110
+ "sev:high",
111
+ "unreachable"
112
+ ],
113
+ "clusterSize": null,
114
+ "unreachable": false,
115
+ "validator_verdict": "unvalidated",
116
+ "llm_confidence": null,
117
+ "unvalidated": true,
118
+ "cross_language": false,
119
+ "family": "mass-assignment",
120
+ "parser": "STRUCTURAL",
121
+ "_unsigned": false,
122
+ "_passThroughSigning": false,
123
+ "signatureStatus": "verified",
124
+ "regression_test": null,
125
+ "poc": null,
126
+ "calibrated_confidence": null,
127
+ "calibrated_confidence_ci": null,
128
+ "calibrated_n": 5,
129
+ "calibration_reason": "insufficient-samples",
130
+ "verifier_verdict": "cannot-verify",
131
+ "verifier_reason": "no-poc-no-sanitizer-rule",
132
+ "verifier_runner": null,
133
+ "narration": "A finding of type \"Mass Assignment (req.body Direct to Model)\" at parser-cs.js:?. Severity: high. Review the remediation field for class-specific guidance.",
134
+ "mitigationVerdict": "unreachable-in-prod",
135
+ "mitigationsApplied": [],
136
+ "mitigatedByWaf": false,
137
+ "wafRuleId": null,
138
+ "mitigatedByAuth": false,
139
+ "authMechanism": null,
140
+ "mitigatedByNetwork": false,
141
+ "networkExposure": null,
142
+ "featureFlag": null,
143
+ "featureFlagState": null,
144
+ "featureFlagRollout": null,
145
+ "exposedInProd": false,
146
+ "unreachableInProd": true,
147
+ "coldPath": false,
148
+ "hotPath": false,
149
+ "prodRequestCount": null,
150
+ "crownJewelScore": 0.15,
151
+ "crownJewelTier": "low-value",
152
+ "crownJewelFactors": [
153
+ "shell-execution"
154
+ ],
155
+ "cloneClusterId": "a0c829a31c63bf1a",
156
+ "cloneClusterSize": 5,
157
+ "provenance": "human-likely",
158
+ "provenanceScore": 0.08,
159
+ "typeNarrowed": null,
160
+ "strideCategory": null,
161
+ "personaScores": {
162
+ "script-kiddie": {
163
+ "score": 0.65,
164
+ "tier": "high",
165
+ "factors": [
166
+ "sev:high"
167
+ ]
168
+ },
169
+ "opportunistic-criminal": {
170
+ "score": 0.85,
171
+ "tier": "critical",
172
+ "factors": [
173
+ "sev:high",
174
+ "bias:mass-assignment+0.20"
175
+ ]
176
+ },
177
+ "apt-nation-state": {
178
+ "score": 0.65,
179
+ "tier": "high",
180
+ "factors": [
181
+ "sev:high"
182
+ ]
183
+ },
184
+ "supply-chain-attacker": {
185
+ "score": 0.65,
186
+ "tier": "high",
187
+ "factors": [
188
+ "sev:high"
189
+ ]
190
+ },
191
+ "malicious-insider": {
192
+ "score": 1,
193
+ "tier": "critical",
194
+ "factors": [
195
+ "sev:high",
196
+ "bias:mass-assignment+0.25",
197
+ "authz-bypass-favored"
198
+ ]
199
+ }
200
+ },
201
+ "personaTopTwo": [
202
+ "malicious-insider",
203
+ "opportunistic-criminal"
204
+ ],
205
+ "personaMaxName": "malicious-insider",
206
+ "personaMaxScore": 1,
207
+ "reverseExposure": null,
208
+ "specMined": null,
209
+ "whyFired": {
210
+ "detector": "sast/mass-assignment",
211
+ "ruleId": "CWE-915",
212
+ "parser": "STRUCTURAL",
213
+ "evidence": {
214
+ "sinkSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
215
+ "sourceSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
216
+ "pathSteps": [],
217
+ "sanitizers": [],
218
+ "guards": []
219
+ },
220
+ "considered": {
221
+ "suppressionsApplied": [],
222
+ "suppressionsSkipped": [],
223
+ "reachabilityFilter": "unaffected",
224
+ "clusterCollapsed": false,
225
+ "typeNarrowed": false,
226
+ "crownJewelTier": "low-value",
227
+ "mitigationVerdict": "unreachable-in-prod"
228
+ },
229
+ "scanner": {
230
+ "rulesetVersion": null,
231
+ "packHash": null,
232
+ "modelId": null
233
+ }
234
+ },
235
+ "adversaryTranscript": null,
236
+ "predictedBountyUsd": {
237
+ "low": 50,
238
+ "likely": 200,
239
+ "high": 600,
240
+ "program": "web2"
241
+ },
242
+ "bountyConfidence": "medium",
243
+ "attackPlaybook": {
244
+ "cwe": "CWE-915",
245
+ "kind": "curl",
246
+ "title": "Mass assignment — privilege escalation probe",
247
+ "instruction": "Submit an extra field (role) on profile update; verify it sticks.",
248
+ "script": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test.\n# CWE-915 — Mass assignment\ncurl -s -i -X PATCH \"${TARGET_URL}/api/me\" \\\n -H \"Authorization: Bearer ${TEST_TOKEN}\" -H \"Content-Type: application/json\" \\\n -d '{\"name\":\"x\",\"role\":\"admin\"}'\n# Confirmed when subsequent /api/me returns role=admin.",
249
+ "ethics": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test."
250
+ }
251
+ },
252
+ {
253
+ "id": "struct:parser-go.js:253:Mass_Assignment_(req.body_Direct_to_Model)",
254
+ "kind": "sast",
255
+ "severity": "high",
256
+ "vuln": "Mass Assignment (req.body Direct to Model)",
257
+ "cwe": "CWE-915",
258
+ "owaspLlm": null,
259
+ "stride": "Tampering",
260
+ "file": "parser-go.js",
261
+ "line": 253,
262
+ "snippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
263
+ "fix": null,
264
+ "reachable": false,
265
+ "triage": 39,
266
+ "dataClasses": [],
267
+ "chain": null,
268
+ "confidence": 0.314,
269
+ "toxicity": 35,
270
+ "toxicityFactors": [
271
+ "high-severity",
272
+ "http-facing"
273
+ ],
274
+ "toxicityLabel": "Medium",
275
+ "sources": null,
276
+ "epssScore": null,
277
+ "epssPercentile": null,
278
+ "epssCve": null,
279
+ "exploitedNow": false,
280
+ "tags": null,
281
+ "blastRadius": {
282
+ "scope": "all-users",
283
+ "dataAtRisk": [
284
+ "config"
285
+ ],
286
+ "userCount": 50,
287
+ "industry": "generic",
288
+ "jurisdictions": [],
289
+ "controlsApplied": [],
290
+ "dollarBest": 23250,
291
+ "dollarLikely": 136250,
292
+ "dollarWorst": 775000,
293
+ "dollarLow": 23250,
294
+ "dollarHigh": 775000,
295
+ "components": {
296
+ "incidentResponse": {
297
+ "low": 8000,
298
+ "likely": 50000,
299
+ "high": 250000
300
+ },
301
+ "legal": {
302
+ "low": 10000,
303
+ "likely": 75000,
304
+ "high": 500000
305
+ },
306
+ "crisisPR": {
307
+ "low": 0,
308
+ "likely": 0,
309
+ "high": 0
310
+ },
311
+ "notification": {
312
+ "low": 5000,
313
+ "likely": 10000,
314
+ "high": 15000
315
+ },
316
+ "creditMonitoring": {
317
+ "low": 0,
318
+ "likely": 0,
319
+ "high": 0
320
+ },
321
+ "regulatoryFines": {
322
+ "low": 0,
323
+ "likely": 0,
324
+ "high": 0
325
+ },
326
+ "directDamage": {
327
+ "low": 250,
328
+ "likely": 1250,
329
+ "high": 10000
330
+ },
331
+ "classAction": {
332
+ "low": 0,
333
+ "likely": 0,
334
+ "high": 0
335
+ },
336
+ "lostBusiness": {
337
+ "low": 0,
338
+ "likely": 0,
339
+ "high": 0
340
+ }
341
+ },
342
+ "dominantDriver": "legal counsel",
343
+ "comparable": "GitHub mass-assignment 2012 → public ridicule + emergency rebuild",
344
+ "confidence": "low",
345
+ "narrative": "Mass Assignment (req.body Direct to Model) on `parser-go.js:253` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: GitHub mass-assignment 2012 → public ridicule + emergency rebuild."
346
+ },
347
+ "stableId": "a28da8de4671367b",
348
+ "confidenceTier": "low",
349
+ "exploitability": 0.45,
350
+ "exploitabilityTier": "medium",
351
+ "exploitabilityFactors": [
352
+ "sev:high",
353
+ "unreachable"
354
+ ],
355
+ "clusterSize": null,
356
+ "unreachable": false,
357
+ "validator_verdict": "unvalidated",
358
+ "llm_confidence": null,
359
+ "unvalidated": true,
360
+ "cross_language": false,
361
+ "family": "mass-assignment",
362
+ "parser": "STRUCTURAL",
363
+ "_unsigned": false,
364
+ "_passThroughSigning": false,
365
+ "signatureStatus": "verified",
366
+ "regression_test": null,
367
+ "poc": null,
368
+ "calibrated_confidence": null,
369
+ "calibrated_confidence_ci": null,
370
+ "calibrated_n": 5,
371
+ "calibration_reason": "insufficient-samples",
372
+ "verifier_verdict": "cannot-verify",
373
+ "verifier_reason": "no-poc-no-sanitizer-rule",
374
+ "verifier_runner": null,
375
+ "narration": "A finding of type \"Mass Assignment (req.body Direct to Model)\" at parser-go.js:?. Severity: high. Review the remediation field for class-specific guidance.",
376
+ "mitigationVerdict": "unreachable-in-prod",
377
+ "mitigationsApplied": [],
378
+ "mitigatedByWaf": false,
379
+ "wafRuleId": null,
380
+ "mitigatedByAuth": false,
381
+ "authMechanism": null,
382
+ "mitigatedByNetwork": false,
383
+ "networkExposure": null,
384
+ "featureFlag": null,
385
+ "featureFlagState": null,
386
+ "featureFlagRollout": null,
387
+ "exposedInProd": false,
388
+ "unreachableInProd": true,
389
+ "coldPath": false,
390
+ "hotPath": false,
391
+ "prodRequestCount": null,
392
+ "crownJewelScore": 0.15,
393
+ "crownJewelTier": "low-value",
394
+ "crownJewelFactors": [
395
+ "shell-execution"
396
+ ],
397
+ "cloneClusterId": "a0c829a31c63bf1a",
398
+ "cloneClusterSize": 5,
399
+ "provenance": "human-likely",
400
+ "provenanceScore": 0,
401
+ "typeNarrowed": null,
402
+ "strideCategory": null,
403
+ "personaScores": {
404
+ "script-kiddie": {
405
+ "score": 0.65,
406
+ "tier": "high",
407
+ "factors": [
408
+ "sev:high"
409
+ ]
410
+ },
411
+ "opportunistic-criminal": {
412
+ "score": 0.85,
413
+ "tier": "critical",
414
+ "factors": [
415
+ "sev:high",
416
+ "bias:mass-assignment+0.20"
417
+ ]
418
+ },
419
+ "apt-nation-state": {
420
+ "score": 0.65,
421
+ "tier": "high",
422
+ "factors": [
423
+ "sev:high"
424
+ ]
425
+ },
426
+ "supply-chain-attacker": {
427
+ "score": 0.65,
428
+ "tier": "high",
429
+ "factors": [
430
+ "sev:high"
431
+ ]
432
+ },
433
+ "malicious-insider": {
434
+ "score": 1,
435
+ "tier": "critical",
436
+ "factors": [
437
+ "sev:high",
438
+ "bias:mass-assignment+0.25",
439
+ "authz-bypass-favored"
440
+ ]
441
+ }
442
+ },
443
+ "personaTopTwo": [
444
+ "malicious-insider",
445
+ "opportunistic-criminal"
446
+ ],
447
+ "personaMaxName": "malicious-insider",
448
+ "personaMaxScore": 1,
449
+ "reverseExposure": null,
450
+ "specMined": null,
451
+ "whyFired": {
452
+ "detector": "sast/mass-assignment",
453
+ "ruleId": "CWE-915",
454
+ "parser": "STRUCTURAL",
455
+ "evidence": {
456
+ "sinkSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
457
+ "sourceSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
458
+ "pathSteps": [],
459
+ "sanitizers": [],
460
+ "guards": []
461
+ },
462
+ "considered": {
463
+ "suppressionsApplied": [],
464
+ "suppressionsSkipped": [],
465
+ "reachabilityFilter": "unaffected",
466
+ "clusterCollapsed": false,
467
+ "typeNarrowed": false,
468
+ "crownJewelTier": "low-value",
469
+ "mitigationVerdict": "unreachable-in-prod"
470
+ },
471
+ "scanner": {
472
+ "rulesetVersion": null,
473
+ "packHash": null,
474
+ "modelId": null
475
+ }
476
+ },
477
+ "adversaryTranscript": null,
478
+ "predictedBountyUsd": {
479
+ "low": 50,
480
+ "likely": 200,
481
+ "high": 600,
482
+ "program": "web2"
483
+ },
484
+ "bountyConfidence": "medium",
485
+ "attackPlaybook": {
486
+ "cwe": "CWE-915",
487
+ "kind": "curl",
488
+ "title": "Mass assignment — privilege escalation probe",
489
+ "instruction": "Submit an extra field (role) on profile update; verify it sticks.",
490
+ "script": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test.\n# CWE-915 — Mass assignment\ncurl -s -i -X PATCH \"${TARGET_URL}/api/me\" \\\n -H \"Authorization: Bearer ${TEST_TOKEN}\" -H \"Content-Type: application/json\" \\\n -d '{\"name\":\"x\",\"role\":\"admin\"}'\n# Confirmed when subsequent /api/me returns role=admin.",
491
+ "ethics": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test."
492
+ }
493
+ },
494
+ {
495
+ "id": "struct:parser-kt.js:207:Mass_Assignment_(req.body_Direct_to_Model)",
496
+ "kind": "sast",
497
+ "severity": "high",
498
+ "vuln": "Mass Assignment (req.body Direct to Model)",
499
+ "cwe": "CWE-915",
500
+ "owaspLlm": null,
501
+ "stride": "Tampering",
502
+ "file": "parser-kt.js",
503
+ "line": 207,
504
+ "snippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
505
+ "fix": null,
506
+ "reachable": false,
507
+ "triage": 39,
508
+ "dataClasses": [],
509
+ "chain": null,
510
+ "confidence": 0.314,
511
+ "toxicity": 35,
512
+ "toxicityFactors": [
513
+ "high-severity",
514
+ "http-facing"
515
+ ],
516
+ "toxicityLabel": "Medium",
517
+ "sources": null,
518
+ "epssScore": null,
519
+ "epssPercentile": null,
520
+ "epssCve": null,
521
+ "exploitedNow": false,
522
+ "tags": null,
523
+ "blastRadius": {
524
+ "scope": "all-users",
525
+ "dataAtRisk": [
526
+ "config"
527
+ ],
528
+ "userCount": 50,
529
+ "industry": "generic",
530
+ "jurisdictions": [],
531
+ "controlsApplied": [],
532
+ "dollarBest": 23250,
533
+ "dollarLikely": 136250,
534
+ "dollarWorst": 775000,
535
+ "dollarLow": 23250,
536
+ "dollarHigh": 775000,
537
+ "components": {
538
+ "incidentResponse": {
539
+ "low": 8000,
540
+ "likely": 50000,
541
+ "high": 250000
542
+ },
543
+ "legal": {
544
+ "low": 10000,
545
+ "likely": 75000,
546
+ "high": 500000
547
+ },
548
+ "crisisPR": {
549
+ "low": 0,
550
+ "likely": 0,
551
+ "high": 0
552
+ },
553
+ "notification": {
554
+ "low": 5000,
555
+ "likely": 10000,
556
+ "high": 15000
557
+ },
558
+ "creditMonitoring": {
559
+ "low": 0,
560
+ "likely": 0,
561
+ "high": 0
562
+ },
563
+ "regulatoryFines": {
564
+ "low": 0,
565
+ "likely": 0,
566
+ "high": 0
567
+ },
568
+ "directDamage": {
569
+ "low": 250,
570
+ "likely": 1250,
571
+ "high": 10000
572
+ },
573
+ "classAction": {
574
+ "low": 0,
575
+ "likely": 0,
576
+ "high": 0
577
+ },
578
+ "lostBusiness": {
579
+ "low": 0,
580
+ "likely": 0,
581
+ "high": 0
582
+ }
583
+ },
584
+ "dominantDriver": "legal counsel",
585
+ "comparable": "GitHub mass-assignment 2012 → public ridicule + emergency rebuild",
586
+ "confidence": "low",
587
+ "narrative": "Mass Assignment (req.body Direct to Model) on `parser-kt.js:207` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: GitHub mass-assignment 2012 → public ridicule + emergency rebuild."
588
+ },
589
+ "stableId": "2fc3bac9558c1472",
590
+ "confidenceTier": "low",
591
+ "exploitability": 0.45,
592
+ "exploitabilityTier": "medium",
593
+ "exploitabilityFactors": [
594
+ "sev:high",
595
+ "unreachable"
596
+ ],
597
+ "clusterSize": null,
598
+ "unreachable": false,
599
+ "validator_verdict": "unvalidated",
600
+ "llm_confidence": null,
601
+ "unvalidated": true,
602
+ "cross_language": false,
603
+ "family": "mass-assignment",
604
+ "parser": "STRUCTURAL",
605
+ "_unsigned": false,
606
+ "_passThroughSigning": false,
607
+ "signatureStatus": "verified",
608
+ "regression_test": null,
609
+ "poc": null,
610
+ "calibrated_confidence": null,
611
+ "calibrated_confidence_ci": null,
612
+ "calibrated_n": 5,
613
+ "calibration_reason": "insufficient-samples",
614
+ "verifier_verdict": "cannot-verify",
615
+ "verifier_reason": "no-poc-no-sanitizer-rule",
616
+ "verifier_runner": null,
617
+ "narration": "A finding of type \"Mass Assignment (req.body Direct to Model)\" at parser-kt.js:?. Severity: high. Review the remediation field for class-specific guidance.",
618
+ "mitigationVerdict": "unreachable-in-prod",
619
+ "mitigationsApplied": [],
620
+ "mitigatedByWaf": false,
621
+ "wafRuleId": null,
622
+ "mitigatedByAuth": false,
623
+ "authMechanism": null,
624
+ "mitigatedByNetwork": false,
625
+ "networkExposure": null,
626
+ "featureFlag": null,
627
+ "featureFlagState": null,
628
+ "featureFlagRollout": null,
629
+ "exposedInProd": false,
630
+ "unreachableInProd": true,
631
+ "coldPath": false,
632
+ "hotPath": false,
633
+ "prodRequestCount": null,
634
+ "crownJewelScore": 0.15,
635
+ "crownJewelTier": "low-value",
636
+ "crownJewelFactors": [
637
+ "shell-execution"
638
+ ],
639
+ "cloneClusterId": "a0c829a31c63bf1a",
640
+ "cloneClusterSize": 5,
641
+ "provenance": "human-likely",
642
+ "provenanceScore": 0,
643
+ "typeNarrowed": null,
644
+ "strideCategory": null,
645
+ "personaScores": {
646
+ "script-kiddie": {
647
+ "score": 0.65,
648
+ "tier": "high",
649
+ "factors": [
650
+ "sev:high"
651
+ ]
652
+ },
653
+ "opportunistic-criminal": {
654
+ "score": 0.85,
655
+ "tier": "critical",
656
+ "factors": [
657
+ "sev:high",
658
+ "bias:mass-assignment+0.20"
659
+ ]
660
+ },
661
+ "apt-nation-state": {
662
+ "score": 0.65,
663
+ "tier": "high",
664
+ "factors": [
665
+ "sev:high"
666
+ ]
667
+ },
668
+ "supply-chain-attacker": {
669
+ "score": 0.65,
670
+ "tier": "high",
671
+ "factors": [
672
+ "sev:high"
673
+ ]
674
+ },
675
+ "malicious-insider": {
676
+ "score": 1,
677
+ "tier": "critical",
678
+ "factors": [
679
+ "sev:high",
680
+ "bias:mass-assignment+0.25",
681
+ "authz-bypass-favored"
682
+ ]
683
+ }
684
+ },
685
+ "personaTopTwo": [
686
+ "malicious-insider",
687
+ "opportunistic-criminal"
688
+ ],
689
+ "personaMaxName": "malicious-insider",
690
+ "personaMaxScore": 1,
691
+ "reverseExposure": null,
692
+ "specMined": null,
693
+ "whyFired": {
694
+ "detector": "sast/mass-assignment",
695
+ "ruleId": "CWE-915",
696
+ "parser": "STRUCTURAL",
697
+ "evidence": {
698
+ "sinkSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
699
+ "sourceSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
700
+ "pathSteps": [],
701
+ "sanitizers": [],
702
+ "guards": []
703
+ },
704
+ "considered": {
705
+ "suppressionsApplied": [],
706
+ "suppressionsSkipped": [],
707
+ "reachabilityFilter": "unaffected",
708
+ "clusterCollapsed": false,
709
+ "typeNarrowed": false,
710
+ "crownJewelTier": "low-value",
711
+ "mitigationVerdict": "unreachable-in-prod"
712
+ },
713
+ "scanner": {
714
+ "rulesetVersion": null,
715
+ "packHash": null,
716
+ "modelId": null
717
+ }
718
+ },
719
+ "adversaryTranscript": null,
720
+ "predictedBountyUsd": {
721
+ "low": 50,
722
+ "likely": 200,
723
+ "high": 600,
724
+ "program": "web2"
725
+ },
726
+ "bountyConfidence": "medium",
727
+ "attackPlaybook": {
728
+ "cwe": "CWE-915",
729
+ "kind": "curl",
730
+ "title": "Mass assignment — privilege escalation probe",
731
+ "instruction": "Submit an extra field (role) on profile update; verify it sticks.",
732
+ "script": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test.\n# CWE-915 — Mass assignment\ncurl -s -i -X PATCH \"${TARGET_URL}/api/me\" \\\n -H \"Authorization: Bearer ${TEST_TOKEN}\" -H \"Content-Type: application/json\" \\\n -d '{\"name\":\"x\",\"role\":\"admin\"}'\n# Confirmed when subsequent /api/me returns role=admin.",
733
+ "ethics": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test."
734
+ }
735
+ },
736
+ {
737
+ "id": "struct:parser-php.js:209:Mass_Assignment_(req.body_Direct_to_Model)",
738
+ "kind": "sast",
739
+ "severity": "high",
740
+ "vuln": "Mass Assignment (req.body Direct to Model)",
741
+ "cwe": "CWE-915",
742
+ "owaspLlm": null,
743
+ "stride": "Tampering",
744
+ "file": "parser-php.js",
745
+ "line": 209,
746
+ "snippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
747
+ "fix": null,
748
+ "reachable": false,
749
+ "triage": 39,
750
+ "dataClasses": [],
751
+ "chain": null,
752
+ "confidence": 0.314,
753
+ "toxicity": 35,
754
+ "toxicityFactors": [
755
+ "high-severity",
756
+ "http-facing"
757
+ ],
758
+ "toxicityLabel": "Medium",
759
+ "sources": null,
760
+ "epssScore": null,
761
+ "epssPercentile": null,
762
+ "epssCve": null,
763
+ "exploitedNow": false,
764
+ "tags": null,
765
+ "blastRadius": {
766
+ "scope": "all-users",
767
+ "dataAtRisk": [
768
+ "config"
769
+ ],
770
+ "userCount": 50,
771
+ "industry": "generic",
772
+ "jurisdictions": [],
773
+ "controlsApplied": [],
774
+ "dollarBest": 23250,
775
+ "dollarLikely": 136250,
776
+ "dollarWorst": 775000,
777
+ "dollarLow": 23250,
778
+ "dollarHigh": 775000,
779
+ "components": {
780
+ "incidentResponse": {
781
+ "low": 8000,
782
+ "likely": 50000,
783
+ "high": 250000
784
+ },
785
+ "legal": {
786
+ "low": 10000,
787
+ "likely": 75000,
788
+ "high": 500000
789
+ },
790
+ "crisisPR": {
791
+ "low": 0,
792
+ "likely": 0,
793
+ "high": 0
794
+ },
795
+ "notification": {
796
+ "low": 5000,
797
+ "likely": 10000,
798
+ "high": 15000
799
+ },
800
+ "creditMonitoring": {
801
+ "low": 0,
802
+ "likely": 0,
803
+ "high": 0
804
+ },
805
+ "regulatoryFines": {
806
+ "low": 0,
807
+ "likely": 0,
808
+ "high": 0
809
+ },
810
+ "directDamage": {
811
+ "low": 250,
812
+ "likely": 1250,
813
+ "high": 10000
814
+ },
815
+ "classAction": {
816
+ "low": 0,
817
+ "likely": 0,
818
+ "high": 0
819
+ },
820
+ "lostBusiness": {
821
+ "low": 0,
822
+ "likely": 0,
823
+ "high": 0
824
+ }
825
+ },
826
+ "dominantDriver": "legal counsel",
827
+ "comparable": "GitHub mass-assignment 2012 → public ridicule + emergency rebuild",
828
+ "confidence": "low",
829
+ "narrative": "Mass Assignment (req.body Direct to Model) on `parser-php.js:209` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: GitHub mass-assignment 2012 → public ridicule + emergency rebuild."
830
+ },
831
+ "stableId": "b73364b3c23bcce8",
832
+ "confidenceTier": "low",
833
+ "exploitability": 0.45,
834
+ "exploitabilityTier": "medium",
835
+ "exploitabilityFactors": [
836
+ "sev:high",
837
+ "unreachable"
838
+ ],
839
+ "clusterSize": null,
840
+ "unreachable": false,
841
+ "validator_verdict": "unvalidated",
842
+ "llm_confidence": null,
843
+ "unvalidated": true,
844
+ "cross_language": false,
845
+ "family": "mass-assignment",
846
+ "parser": "STRUCTURAL",
847
+ "_unsigned": false,
848
+ "_passThroughSigning": false,
849
+ "signatureStatus": "verified",
850
+ "regression_test": null,
851
+ "poc": null,
852
+ "calibrated_confidence": null,
853
+ "calibrated_confidence_ci": null,
854
+ "calibrated_n": 5,
855
+ "calibration_reason": "insufficient-samples",
856
+ "verifier_verdict": "cannot-verify",
857
+ "verifier_reason": "no-poc-no-sanitizer-rule",
858
+ "verifier_runner": null,
859
+ "narration": "A finding of type \"Mass Assignment (req.body Direct to Model)\" at parser-php.js:?. Severity: high. Review the remediation field for class-specific guidance.",
860
+ "mitigationVerdict": "unreachable-in-prod",
861
+ "mitigationsApplied": [],
862
+ "mitigatedByWaf": false,
863
+ "wafRuleId": null,
864
+ "mitigatedByAuth": false,
865
+ "authMechanism": null,
866
+ "mitigatedByNetwork": false,
867
+ "networkExposure": null,
868
+ "featureFlag": null,
869
+ "featureFlagState": null,
870
+ "featureFlagRollout": null,
871
+ "exposedInProd": false,
872
+ "unreachableInProd": true,
873
+ "coldPath": false,
874
+ "hotPath": false,
875
+ "prodRequestCount": null,
876
+ "crownJewelScore": 0.15,
877
+ "crownJewelTier": "low-value",
878
+ "crownJewelFactors": [
879
+ "shell-execution"
880
+ ],
881
+ "cloneClusterId": "a0c829a31c63bf1a",
882
+ "cloneClusterSize": 5,
883
+ "provenance": "human-likely",
884
+ "provenanceScore": 0,
885
+ "typeNarrowed": null,
886
+ "strideCategory": null,
887
+ "personaScores": {
888
+ "script-kiddie": {
889
+ "score": 0.65,
890
+ "tier": "high",
891
+ "factors": [
892
+ "sev:high"
893
+ ]
894
+ },
895
+ "opportunistic-criminal": {
896
+ "score": 0.85,
897
+ "tier": "critical",
898
+ "factors": [
899
+ "sev:high",
900
+ "bias:mass-assignment+0.20"
901
+ ]
902
+ },
903
+ "apt-nation-state": {
904
+ "score": 0.65,
905
+ "tier": "high",
906
+ "factors": [
907
+ "sev:high"
908
+ ]
909
+ },
910
+ "supply-chain-attacker": {
911
+ "score": 0.65,
912
+ "tier": "high",
913
+ "factors": [
914
+ "sev:high"
915
+ ]
916
+ },
917
+ "malicious-insider": {
918
+ "score": 1,
919
+ "tier": "critical",
920
+ "factors": [
921
+ "sev:high",
922
+ "bias:mass-assignment+0.25",
923
+ "authz-bypass-favored"
924
+ ]
925
+ }
926
+ },
927
+ "personaTopTwo": [
928
+ "malicious-insider",
929
+ "opportunistic-criminal"
930
+ ],
931
+ "personaMaxName": "malicious-insider",
932
+ "personaMaxScore": 1,
933
+ "reverseExposure": null,
934
+ "specMined": null,
935
+ "whyFired": {
936
+ "detector": "sast/mass-assignment",
937
+ "ruleId": "CWE-915",
938
+ "parser": "STRUCTURAL",
939
+ "evidence": {
940
+ "sinkSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
941
+ "sourceSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
942
+ "pathSteps": [],
943
+ "sanitizers": [],
944
+ "guards": []
945
+ },
946
+ "considered": {
947
+ "suppressionsApplied": [],
948
+ "suppressionsSkipped": [],
949
+ "reachabilityFilter": "unaffected",
950
+ "clusterCollapsed": false,
951
+ "typeNarrowed": false,
952
+ "crownJewelTier": "low-value",
953
+ "mitigationVerdict": "unreachable-in-prod"
954
+ },
955
+ "scanner": {
956
+ "rulesetVersion": null,
957
+ "packHash": null,
958
+ "modelId": null
959
+ }
960
+ },
961
+ "adversaryTranscript": null,
962
+ "predictedBountyUsd": {
963
+ "low": 50,
964
+ "likely": 200,
965
+ "high": 600,
966
+ "program": "web2"
967
+ },
968
+ "bountyConfidence": "medium",
969
+ "attackPlaybook": {
970
+ "cwe": "CWE-915",
971
+ "kind": "curl",
972
+ "title": "Mass assignment — privilege escalation probe",
973
+ "instruction": "Submit an extra field (role) on profile update; verify it sticks.",
974
+ "script": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test.\n# CWE-915 — Mass assignment\ncurl -s -i -X PATCH \"${TARGET_URL}/api/me\" \\\n -H \"Authorization: Bearer ${TEST_TOKEN}\" -H \"Content-Type: application/json\" \\\n -d '{\"name\":\"x\",\"role\":\"admin\"}'\n# Confirmed when subsequent /api/me returns role=admin.",
975
+ "ethics": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test."
976
+ }
977
+ },
978
+ {
979
+ "id": "struct:parser-rb.js:201:Mass_Assignment_(req.body_Direct_to_Model)",
980
+ "kind": "sast",
981
+ "severity": "high",
982
+ "vuln": "Mass Assignment (req.body Direct to Model)",
983
+ "cwe": "CWE-915",
984
+ "owaspLlm": null,
985
+ "stride": "Tampering",
986
+ "file": "parser-rb.js",
987
+ "line": 201,
988
+ "snippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
989
+ "fix": null,
990
+ "reachable": false,
991
+ "triage": 39,
992
+ "dataClasses": [],
993
+ "chain": null,
994
+ "confidence": 0.314,
995
+ "toxicity": 35,
996
+ "toxicityFactors": [
997
+ "high-severity",
998
+ "http-facing"
999
+ ],
1000
+ "toxicityLabel": "Medium",
1001
+ "sources": null,
1002
+ "epssScore": null,
1003
+ "epssPercentile": null,
1004
+ "epssCve": null,
1005
+ "exploitedNow": false,
1006
+ "tags": null,
1007
+ "blastRadius": {
1008
+ "scope": "all-users",
1009
+ "dataAtRisk": [
1010
+ "config"
1011
+ ],
1012
+ "userCount": 50,
1013
+ "industry": "generic",
1014
+ "jurisdictions": [],
1015
+ "controlsApplied": [],
1016
+ "dollarBest": 23250,
1017
+ "dollarLikely": 136250,
1018
+ "dollarWorst": 775000,
1019
+ "dollarLow": 23250,
1020
+ "dollarHigh": 775000,
1021
+ "components": {
1022
+ "incidentResponse": {
1023
+ "low": 8000,
1024
+ "likely": 50000,
1025
+ "high": 250000
1026
+ },
1027
+ "legal": {
1028
+ "low": 10000,
1029
+ "likely": 75000,
1030
+ "high": 500000
1031
+ },
1032
+ "crisisPR": {
1033
+ "low": 0,
1034
+ "likely": 0,
1035
+ "high": 0
1036
+ },
1037
+ "notification": {
1038
+ "low": 5000,
1039
+ "likely": 10000,
1040
+ "high": 15000
1041
+ },
1042
+ "creditMonitoring": {
1043
+ "low": 0,
1044
+ "likely": 0,
1045
+ "high": 0
1046
+ },
1047
+ "regulatoryFines": {
1048
+ "low": 0,
1049
+ "likely": 0,
1050
+ "high": 0
1051
+ },
1052
+ "directDamage": {
1053
+ "low": 250,
1054
+ "likely": 1250,
1055
+ "high": 10000
1056
+ },
1057
+ "classAction": {
1058
+ "low": 0,
1059
+ "likely": 0,
1060
+ "high": 0
1061
+ },
1062
+ "lostBusiness": {
1063
+ "low": 0,
1064
+ "likely": 0,
1065
+ "high": 0
1066
+ }
1067
+ },
1068
+ "dominantDriver": "legal counsel",
1069
+ "comparable": "GitHub mass-assignment 2012 → public ridicule + emergency rebuild",
1070
+ "confidence": "low",
1071
+ "narrative": "Mass Assignment (req.body Direct to Model) on `parser-rb.js:201` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: GitHub mass-assignment 2012 → public ridicule + emergency rebuild."
1072
+ },
1073
+ "stableId": "1889976dc0f1120c",
1074
+ "confidenceTier": "low",
1075
+ "exploitability": 0.45,
1076
+ "exploitabilityTier": "medium",
1077
+ "exploitabilityFactors": [
1078
+ "sev:high",
1079
+ "unreachable"
1080
+ ],
1081
+ "clusterSize": null,
1082
+ "unreachable": false,
1083
+ "validator_verdict": "unvalidated",
1084
+ "llm_confidence": null,
1085
+ "unvalidated": true,
1086
+ "cross_language": false,
1087
+ "family": "mass-assignment",
1088
+ "parser": "STRUCTURAL",
1089
+ "_unsigned": false,
1090
+ "_passThroughSigning": false,
1091
+ "signatureStatus": "verified",
1092
+ "regression_test": null,
1093
+ "poc": null,
1094
+ "calibrated_confidence": null,
1095
+ "calibrated_confidence_ci": null,
1096
+ "calibrated_n": 5,
1097
+ "calibration_reason": "insufficient-samples",
1098
+ "verifier_verdict": "cannot-verify",
1099
+ "verifier_reason": "no-poc-no-sanitizer-rule",
1100
+ "verifier_runner": null,
1101
+ "narration": "A finding of type \"Mass Assignment (req.body Direct to Model)\" at parser-rb.js:?. Severity: high. Review the remediation field for class-specific guidance.",
1102
+ "mitigationVerdict": "unreachable-in-prod",
1103
+ "mitigationsApplied": [],
1104
+ "mitigatedByWaf": false,
1105
+ "wafRuleId": null,
1106
+ "mitigatedByAuth": false,
1107
+ "authMechanism": null,
1108
+ "mitigatedByNetwork": false,
1109
+ "networkExposure": null,
1110
+ "featureFlag": null,
1111
+ "featureFlagState": null,
1112
+ "featureFlagRollout": null,
1113
+ "exposedInProd": false,
1114
+ "unreachableInProd": true,
1115
+ "coldPath": false,
1116
+ "hotPath": false,
1117
+ "prodRequestCount": null,
1118
+ "crownJewelScore": 0.15,
1119
+ "crownJewelTier": "low-value",
1120
+ "crownJewelFactors": [
1121
+ "shell-execution"
1122
+ ],
1123
+ "cloneClusterId": "a0c829a31c63bf1a",
1124
+ "cloneClusterSize": 5,
1125
+ "provenance": "human-likely",
1126
+ "provenanceScore": 0,
1127
+ "typeNarrowed": null,
1128
+ "strideCategory": null,
1129
+ "personaScores": {
1130
+ "script-kiddie": {
1131
+ "score": 0.65,
1132
+ "tier": "high",
1133
+ "factors": [
1134
+ "sev:high"
1135
+ ]
1136
+ },
1137
+ "opportunistic-criminal": {
1138
+ "score": 0.85,
1139
+ "tier": "critical",
1140
+ "factors": [
1141
+ "sev:high",
1142
+ "bias:mass-assignment+0.20"
1143
+ ]
1144
+ },
1145
+ "apt-nation-state": {
1146
+ "score": 0.65,
1147
+ "tier": "high",
1148
+ "factors": [
1149
+ "sev:high"
1150
+ ]
1151
+ },
1152
+ "supply-chain-attacker": {
1153
+ "score": 0.65,
1154
+ "tier": "high",
1155
+ "factors": [
1156
+ "sev:high"
1157
+ ]
1158
+ },
1159
+ "malicious-insider": {
1160
+ "score": 1,
1161
+ "tier": "critical",
1162
+ "factors": [
1163
+ "sev:high",
1164
+ "bias:mass-assignment+0.25",
1165
+ "authz-bypass-favored"
1166
+ ]
1167
+ }
1168
+ },
1169
+ "personaTopTwo": [
1170
+ "malicious-insider",
1171
+ "opportunistic-criminal"
1172
+ ],
1173
+ "personaMaxName": "malicious-insider",
1174
+ "personaMaxScore": 1,
1175
+ "reverseExposure": null,
1176
+ "specMined": null,
1177
+ "whyFired": {
1178
+ "detector": "sast/mass-assignment",
1179
+ "ruleId": "CWE-915",
1180
+ "parser": "STRUCTURAL",
1181
+ "evidence": {
1182
+ "sinkSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
1183
+ "sourceSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
1184
+ "pathSteps": [],
1185
+ "sanitizers": [],
1186
+ "guards": []
1187
+ },
1188
+ "considered": {
1189
+ "suppressionsApplied": [],
1190
+ "suppressionsSkipped": [],
1191
+ "reachabilityFilter": "unaffected",
1192
+ "clusterCollapsed": false,
1193
+ "typeNarrowed": false,
1194
+ "crownJewelTier": "low-value",
1195
+ "mitigationVerdict": "unreachable-in-prod"
1196
+ },
1197
+ "scanner": {
1198
+ "rulesetVersion": null,
1199
+ "packHash": null,
1200
+ "modelId": null
1201
+ }
1202
+ },
1203
+ "adversaryTranscript": null,
1204
+ "predictedBountyUsd": {
1205
+ "low": 50,
1206
+ "likely": 200,
1207
+ "high": 600,
1208
+ "program": "web2"
1209
+ },
1210
+ "bountyConfidence": "medium",
1211
+ "attackPlaybook": {
1212
+ "cwe": "CWE-915",
1213
+ "kind": "curl",
1214
+ "title": "Mass assignment — privilege escalation probe",
1215
+ "instruction": "Submit an extra field (role) on profile update; verify it sticks.",
1216
+ "script": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test.\n# CWE-915 — Mass assignment\ncurl -s -i -X PATCH \"${TARGET_URL}/api/me\" \\\n -H \"Authorization: Bearer ${TEST_TOKEN}\" -H \"Content-Type: application/json\" \\\n -d '{\"name\":\"x\",\"role\":\"admin\"}'\n# Confirmed when subsequent /api/me returns role=admin.",
1217
+ "ethics": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test."
1218
+ }
1219
+ },
1220
+ {
1221
+ "id": "struct:type-stubs.js:48:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1222
+ "kind": "sast",
1223
+ "severity": "medium",
1224
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1225
+ "cwe": "CWE-400",
1226
+ "owaspLlm": null,
1227
+ "stride": "Denial of Service",
1228
+ "file": "type-stubs.js",
1229
+ "line": 48,
1230
+ "snippet": "try { inputs.push(p + ':' + fs.statSync(fp).mtimeMs); } catch {}",
1231
+ "fix": null,
1232
+ "reachable": false,
1233
+ "triage": 22,
1234
+ "dataClasses": [],
1235
+ "chain": null,
1236
+ "confidence": 0.212,
1237
+ "toxicity": 28,
1238
+ "toxicityFactors": [
1239
+ "http-facing"
1240
+ ],
1241
+ "toxicityLabel": "Medium",
1242
+ "sources": null,
1243
+ "epssScore": null,
1244
+ "epssPercentile": null,
1245
+ "epssCve": null,
1246
+ "exploitedNow": false,
1247
+ "tags": null,
1248
+ "blastRadius": {
1249
+ "scope": "all-users",
1250
+ "dataAtRisk": [
1251
+ "config"
1252
+ ],
1253
+ "userCount": 50,
1254
+ "industry": "generic",
1255
+ "jurisdictions": [],
1256
+ "controlsApplied": [],
1257
+ "dollarBest": 23250,
1258
+ "dollarLikely": 136250,
1259
+ "dollarWorst": 775000,
1260
+ "dollarLow": 23250,
1261
+ "dollarHigh": 775000,
1262
+ "components": {
1263
+ "incidentResponse": {
1264
+ "low": 8000,
1265
+ "likely": 50000,
1266
+ "high": 250000
1267
+ },
1268
+ "legal": {
1269
+ "low": 10000,
1270
+ "likely": 75000,
1271
+ "high": 500000
1272
+ },
1273
+ "crisisPR": {
1274
+ "low": 0,
1275
+ "likely": 0,
1276
+ "high": 0
1277
+ },
1278
+ "notification": {
1279
+ "low": 5000,
1280
+ "likely": 10000,
1281
+ "high": 15000
1282
+ },
1283
+ "creditMonitoring": {
1284
+ "low": 0,
1285
+ "likely": 0,
1286
+ "high": 0
1287
+ },
1288
+ "regulatoryFines": {
1289
+ "low": 0,
1290
+ "likely": 0,
1291
+ "high": 0
1292
+ },
1293
+ "directDamage": {
1294
+ "low": 250,
1295
+ "likely": 1250,
1296
+ "high": 10000
1297
+ },
1298
+ "classAction": {
1299
+ "low": 0,
1300
+ "likely": 0,
1301
+ "high": 0
1302
+ },
1303
+ "lostBusiness": {
1304
+ "low": 0,
1305
+ "likely": 0,
1306
+ "high": 0
1307
+ }
1308
+ },
1309
+ "dominantDriver": "legal counsel",
1310
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1311
+ "confidence": "low",
1312
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:48` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1313
+ },
1314
+ "stableId": "de7f5b06a0db0ac9",
1315
+ "confidenceTier": "very-low",
1316
+ "exploitability": 0.2,
1317
+ "exploitabilityTier": "low",
1318
+ "exploitabilityFactors": [
1319
+ "sev:medium",
1320
+ "unreachable"
1321
+ ],
1322
+ "clusterSize": null,
1323
+ "unreachable": false,
1324
+ "validator_verdict": "unvalidated",
1325
+ "llm_confidence": null,
1326
+ "unvalidated": true,
1327
+ "cross_language": false,
1328
+ "family": "dos-sync-io",
1329
+ "parser": "STRUCTURAL",
1330
+ "_unsigned": false,
1331
+ "_passThroughSigning": false,
1332
+ "signatureStatus": "verified",
1333
+ "regression_test": null,
1334
+ "poc": null,
1335
+ "calibrated_confidence": null,
1336
+ "calibrated_confidence_ci": null,
1337
+ "calibrated_n": 0,
1338
+ "calibration_reason": "no-history",
1339
+ "verifier_verdict": "cannot-verify",
1340
+ "verifier_reason": "no-poc-no-sanitizer-rule",
1341
+ "verifier_runner": null,
1342
+ "narration": null,
1343
+ "mitigationVerdict": "unreachable-in-prod",
1344
+ "mitigationsApplied": [],
1345
+ "mitigatedByWaf": false,
1346
+ "wafRuleId": null,
1347
+ "mitigatedByAuth": false,
1348
+ "authMechanism": null,
1349
+ "mitigatedByNetwork": false,
1350
+ "networkExposure": null,
1351
+ "featureFlag": null,
1352
+ "featureFlagState": null,
1353
+ "featureFlagRollout": null,
1354
+ "exposedInProd": false,
1355
+ "unreachableInProd": true,
1356
+ "coldPath": false,
1357
+ "hotPath": false,
1358
+ "prodRequestCount": null,
1359
+ "crownJewelScore": 0.15,
1360
+ "crownJewelTier": "low-value",
1361
+ "crownJewelFactors": [
1362
+ "shell-execution"
1363
+ ],
1364
+ "cloneClusterId": "1ca765ccc2c8227c",
1365
+ "cloneClusterSize": 2,
1366
+ "provenance": "human-likely",
1367
+ "provenanceScore": 0.12,
1368
+ "typeNarrowed": null,
1369
+ "strideCategory": "denialOfService",
1370
+ "personaScores": {
1371
+ "script-kiddie": {
1372
+ "score": 0.4,
1373
+ "tier": "medium",
1374
+ "factors": [
1375
+ "sev:medium"
1376
+ ]
1377
+ },
1378
+ "opportunistic-criminal": {
1379
+ "score": 0.4,
1380
+ "tier": "medium",
1381
+ "factors": [
1382
+ "sev:medium"
1383
+ ]
1384
+ },
1385
+ "apt-nation-state": {
1386
+ "score": 0.4,
1387
+ "tier": "medium",
1388
+ "factors": [
1389
+ "sev:medium"
1390
+ ]
1391
+ },
1392
+ "supply-chain-attacker": {
1393
+ "score": 0.4,
1394
+ "tier": "medium",
1395
+ "factors": [
1396
+ "sev:medium"
1397
+ ]
1398
+ },
1399
+ "malicious-insider": {
1400
+ "score": 0.4,
1401
+ "tier": "medium",
1402
+ "factors": [
1403
+ "sev:medium"
1404
+ ]
1405
+ }
1406
+ },
1407
+ "personaTopTwo": [
1408
+ "script-kiddie",
1409
+ "opportunistic-criminal"
1410
+ ],
1411
+ "personaMaxName": "script-kiddie",
1412
+ "personaMaxScore": 0.4,
1413
+ "reverseExposure": null,
1414
+ "specMined": null,
1415
+ "whyFired": {
1416
+ "detector": "sast/dos-sync-io",
1417
+ "ruleId": "CWE-400",
1418
+ "parser": "STRUCTURAL",
1419
+ "evidence": {
1420
+ "sinkSnippet": "try { inputs.push(p + ':' + fs.statSync(fp).mtimeMs); } catch {}",
1421
+ "sourceSnippet": "try { inputs.push(p + ':' + fs.statSync(fp).mtimeMs); } catch {}",
1422
+ "pathSteps": [],
1423
+ "sanitizers": [],
1424
+ "guards": []
1425
+ },
1426
+ "considered": {
1427
+ "suppressionsApplied": [],
1428
+ "suppressionsSkipped": [],
1429
+ "reachabilityFilter": "unaffected",
1430
+ "clusterCollapsed": false,
1431
+ "typeNarrowed": false,
1432
+ "crownJewelTier": "low-value",
1433
+ "mitigationVerdict": "unreachable-in-prod"
1434
+ },
1435
+ "scanner": {
1436
+ "rulesetVersion": null,
1437
+ "packHash": null,
1438
+ "modelId": null
1439
+ }
1440
+ },
1441
+ "adversaryTranscript": null,
1442
+ "predictedBountyUsd": {
1443
+ "low": 10,
1444
+ "likely": 40,
1445
+ "high": 120,
1446
+ "program": "web2"
1447
+ },
1448
+ "bountyConfidence": "high",
1449
+ "attackPlaybook": null
1450
+ },
1451
+ {
1452
+ "id": "struct:type-stubs.js:57:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1453
+ "kind": "sast",
1454
+ "severity": "medium",
1455
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1456
+ "cwe": "CWE-400",
1457
+ "owaspLlm": null,
1458
+ "stride": "Denial of Service",
1459
+ "file": "type-stubs.js",
1460
+ "line": 57,
1461
+ "snippet": "if (!fs.existsSync(fp)) return null;",
1462
+ "fix": null,
1463
+ "reachable": false,
1464
+ "triage": 22,
1465
+ "dataClasses": [],
1466
+ "chain": null,
1467
+ "confidence": 0.212,
1468
+ "toxicity": 28,
1469
+ "toxicityFactors": [
1470
+ "http-facing"
1471
+ ],
1472
+ "toxicityLabel": "Medium",
1473
+ "sources": null,
1474
+ "epssScore": null,
1475
+ "epssPercentile": null,
1476
+ "epssCve": null,
1477
+ "exploitedNow": false,
1478
+ "tags": null,
1479
+ "blastRadius": {
1480
+ "scope": "all-users",
1481
+ "dataAtRisk": [
1482
+ "config"
1483
+ ],
1484
+ "userCount": 50,
1485
+ "industry": "generic",
1486
+ "jurisdictions": [],
1487
+ "controlsApplied": [],
1488
+ "dollarBest": 23250,
1489
+ "dollarLikely": 136250,
1490
+ "dollarWorst": 775000,
1491
+ "dollarLow": 23250,
1492
+ "dollarHigh": 775000,
1493
+ "components": {
1494
+ "incidentResponse": {
1495
+ "low": 8000,
1496
+ "likely": 50000,
1497
+ "high": 250000
1498
+ },
1499
+ "legal": {
1500
+ "low": 10000,
1501
+ "likely": 75000,
1502
+ "high": 500000
1503
+ },
1504
+ "crisisPR": {
1505
+ "low": 0,
1506
+ "likely": 0,
1507
+ "high": 0
1508
+ },
1509
+ "notification": {
1510
+ "low": 5000,
1511
+ "likely": 10000,
1512
+ "high": 15000
1513
+ },
1514
+ "creditMonitoring": {
1515
+ "low": 0,
1516
+ "likely": 0,
1517
+ "high": 0
1518
+ },
1519
+ "regulatoryFines": {
1520
+ "low": 0,
1521
+ "likely": 0,
1522
+ "high": 0
1523
+ },
1524
+ "directDamage": {
1525
+ "low": 250,
1526
+ "likely": 1250,
1527
+ "high": 10000
1528
+ },
1529
+ "classAction": {
1530
+ "low": 0,
1531
+ "likely": 0,
1532
+ "high": 0
1533
+ },
1534
+ "lostBusiness": {
1535
+ "low": 0,
1536
+ "likely": 0,
1537
+ "high": 0
1538
+ }
1539
+ },
1540
+ "dominantDriver": "legal counsel",
1541
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1542
+ "confidence": "low",
1543
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:57` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1544
+ },
1545
+ "stableId": "256de17293c86e74",
1546
+ "confidenceTier": "very-low",
1547
+ "exploitability": 0.2,
1548
+ "exploitabilityTier": "low",
1549
+ "exploitabilityFactors": [
1550
+ "sev:medium",
1551
+ "unreachable"
1552
+ ],
1553
+ "clusterSize": null,
1554
+ "unreachable": false,
1555
+ "validator_verdict": "unvalidated",
1556
+ "llm_confidence": null,
1557
+ "unvalidated": true,
1558
+ "cross_language": false,
1559
+ "family": "dos-sync-io",
1560
+ "parser": "STRUCTURAL",
1561
+ "_unsigned": false,
1562
+ "_passThroughSigning": false,
1563
+ "signatureStatus": "verified",
1564
+ "regression_test": null,
1565
+ "poc": null,
1566
+ "calibrated_confidence": null,
1567
+ "calibrated_confidence_ci": null,
1568
+ "calibrated_n": 0,
1569
+ "calibration_reason": "no-history",
1570
+ "verifier_verdict": "cannot-verify",
1571
+ "verifier_reason": "no-poc-no-sanitizer-rule",
1572
+ "verifier_runner": null,
1573
+ "narration": null,
1574
+ "mitigationVerdict": "unreachable-in-prod",
1575
+ "mitigationsApplied": [],
1576
+ "mitigatedByWaf": false,
1577
+ "wafRuleId": null,
1578
+ "mitigatedByAuth": false,
1579
+ "authMechanism": null,
1580
+ "mitigatedByNetwork": false,
1581
+ "networkExposure": null,
1582
+ "featureFlag": null,
1583
+ "featureFlagState": null,
1584
+ "featureFlagRollout": null,
1585
+ "exposedInProd": false,
1586
+ "unreachableInProd": true,
1587
+ "coldPath": false,
1588
+ "hotPath": false,
1589
+ "prodRequestCount": null,
1590
+ "crownJewelScore": 0.15,
1591
+ "crownJewelTier": "low-value",
1592
+ "crownJewelFactors": [
1593
+ "shell-execution"
1594
+ ],
1595
+ "cloneClusterId": "66b8a8c25816e7f9",
1596
+ "cloneClusterSize": 2,
1597
+ "provenance": "human-likely",
1598
+ "provenanceScore": 0.12,
1599
+ "typeNarrowed": null,
1600
+ "strideCategory": "denialOfService",
1601
+ "personaScores": {
1602
+ "script-kiddie": {
1603
+ "score": 0.4,
1604
+ "tier": "medium",
1605
+ "factors": [
1606
+ "sev:medium"
1607
+ ]
1608
+ },
1609
+ "opportunistic-criminal": {
1610
+ "score": 0.4,
1611
+ "tier": "medium",
1612
+ "factors": [
1613
+ "sev:medium"
1614
+ ]
1615
+ },
1616
+ "apt-nation-state": {
1617
+ "score": 0.4,
1618
+ "tier": "medium",
1619
+ "factors": [
1620
+ "sev:medium"
1621
+ ]
1622
+ },
1623
+ "supply-chain-attacker": {
1624
+ "score": 0.4,
1625
+ "tier": "medium",
1626
+ "factors": [
1627
+ "sev:medium"
1628
+ ]
1629
+ },
1630
+ "malicious-insider": {
1631
+ "score": 0.4,
1632
+ "tier": "medium",
1633
+ "factors": [
1634
+ "sev:medium"
1635
+ ]
1636
+ }
1637
+ },
1638
+ "personaTopTwo": [
1639
+ "script-kiddie",
1640
+ "opportunistic-criminal"
1641
+ ],
1642
+ "personaMaxName": "script-kiddie",
1643
+ "personaMaxScore": 0.4,
1644
+ "reverseExposure": null,
1645
+ "specMined": null,
1646
+ "whyFired": {
1647
+ "detector": "sast/dos-sync-io",
1648
+ "ruleId": "CWE-400",
1649
+ "parser": "STRUCTURAL",
1650
+ "evidence": {
1651
+ "sinkSnippet": "if (!fs.existsSync(fp)) return null;",
1652
+ "sourceSnippet": "if (!fs.existsSync(fp)) return null;",
1653
+ "pathSteps": [],
1654
+ "sanitizers": [],
1655
+ "guards": []
1656
+ },
1657
+ "considered": {
1658
+ "suppressionsApplied": [],
1659
+ "suppressionsSkipped": [],
1660
+ "reachabilityFilter": "unaffected",
1661
+ "clusterCollapsed": false,
1662
+ "typeNarrowed": false,
1663
+ "crownJewelTier": "low-value",
1664
+ "mitigationVerdict": "unreachable-in-prod"
1665
+ },
1666
+ "scanner": {
1667
+ "rulesetVersion": null,
1668
+ "packHash": null,
1669
+ "modelId": null
1670
+ }
1671
+ },
1672
+ "adversaryTranscript": null,
1673
+ "predictedBountyUsd": {
1674
+ "low": 10,
1675
+ "likely": 40,
1676
+ "high": 120,
1677
+ "program": "web2"
1678
+ },
1679
+ "bountyConfidence": "high",
1680
+ "attackPlaybook": null
1681
+ },
1682
+ {
1683
+ "id": "struct:type-stubs.js:58:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1684
+ "kind": "sast",
1685
+ "severity": "medium",
1686
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1687
+ "cwe": "CWE-400",
1688
+ "owaspLlm": null,
1689
+ "stride": "Denial of Service",
1690
+ "file": "type-stubs.js",
1691
+ "line": 58,
1692
+ "snippet": "const obj = JSON.parse(fs.readFileSync(fp, 'utf8'));",
1693
+ "fix": null,
1694
+ "reachable": false,
1695
+ "triage": 22,
1696
+ "dataClasses": [],
1697
+ "chain": null,
1698
+ "confidence": 0.212,
1699
+ "toxicity": 28,
1700
+ "toxicityFactors": [
1701
+ "http-facing"
1702
+ ],
1703
+ "toxicityLabel": "Medium",
1704
+ "sources": null,
1705
+ "epssScore": null,
1706
+ "epssPercentile": null,
1707
+ "epssCve": null,
1708
+ "exploitedNow": false,
1709
+ "tags": null,
1710
+ "blastRadius": {
1711
+ "scope": "all-users",
1712
+ "dataAtRisk": [
1713
+ "config"
1714
+ ],
1715
+ "userCount": 50,
1716
+ "industry": "generic",
1717
+ "jurisdictions": [],
1718
+ "controlsApplied": [],
1719
+ "dollarBest": 23250,
1720
+ "dollarLikely": 136250,
1721
+ "dollarWorst": 775000,
1722
+ "dollarLow": 23250,
1723
+ "dollarHigh": 775000,
1724
+ "components": {
1725
+ "incidentResponse": {
1726
+ "low": 8000,
1727
+ "likely": 50000,
1728
+ "high": 250000
1729
+ },
1730
+ "legal": {
1731
+ "low": 10000,
1732
+ "likely": 75000,
1733
+ "high": 500000
1734
+ },
1735
+ "crisisPR": {
1736
+ "low": 0,
1737
+ "likely": 0,
1738
+ "high": 0
1739
+ },
1740
+ "notification": {
1741
+ "low": 5000,
1742
+ "likely": 10000,
1743
+ "high": 15000
1744
+ },
1745
+ "creditMonitoring": {
1746
+ "low": 0,
1747
+ "likely": 0,
1748
+ "high": 0
1749
+ },
1750
+ "regulatoryFines": {
1751
+ "low": 0,
1752
+ "likely": 0,
1753
+ "high": 0
1754
+ },
1755
+ "directDamage": {
1756
+ "low": 250,
1757
+ "likely": 1250,
1758
+ "high": 10000
1759
+ },
1760
+ "classAction": {
1761
+ "low": 0,
1762
+ "likely": 0,
1763
+ "high": 0
1764
+ },
1765
+ "lostBusiness": {
1766
+ "low": 0,
1767
+ "likely": 0,
1768
+ "high": 0
1769
+ }
1770
+ },
1771
+ "dominantDriver": "legal counsel",
1772
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1773
+ "confidence": "low",
1774
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:58` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1775
+ },
1776
+ "stableId": "4f8d060ad72a925a",
1777
+ "confidenceTier": "very-low",
1778
+ "exploitability": 0.2,
1779
+ "exploitabilityTier": "low",
1780
+ "exploitabilityFactors": [
1781
+ "sev:medium",
1782
+ "unreachable"
1783
+ ],
1784
+ "clusterSize": null,
1785
+ "unreachable": false,
1786
+ "validator_verdict": "unvalidated",
1787
+ "llm_confidence": null,
1788
+ "unvalidated": true,
1789
+ "cross_language": false,
1790
+ "family": "dos-sync-io",
1791
+ "parser": "STRUCTURAL",
1792
+ "_unsigned": false,
1793
+ "_passThroughSigning": false,
1794
+ "signatureStatus": "verified",
1795
+ "regression_test": null,
1796
+ "poc": null,
1797
+ "calibrated_confidence": null,
1798
+ "calibrated_confidence_ci": null,
1799
+ "calibrated_n": 0,
1800
+ "calibration_reason": "no-history",
1801
+ "verifier_verdict": "cannot-verify",
1802
+ "verifier_reason": "no-poc-no-sanitizer-rule",
1803
+ "verifier_runner": null,
1804
+ "narration": null,
1805
+ "mitigationVerdict": "unreachable-in-prod",
1806
+ "mitigationsApplied": [],
1807
+ "mitigatedByWaf": false,
1808
+ "wafRuleId": null,
1809
+ "mitigatedByAuth": false,
1810
+ "authMechanism": null,
1811
+ "mitigatedByNetwork": false,
1812
+ "networkExposure": null,
1813
+ "featureFlag": null,
1814
+ "featureFlagState": null,
1815
+ "featureFlagRollout": null,
1816
+ "exposedInProd": false,
1817
+ "unreachableInProd": true,
1818
+ "coldPath": false,
1819
+ "hotPath": false,
1820
+ "prodRequestCount": null,
1821
+ "crownJewelScore": 0.15,
1822
+ "crownJewelTier": "low-value",
1823
+ "crownJewelFactors": [
1824
+ "shell-execution"
1825
+ ],
1826
+ "cloneClusterId": "8b60c3f57d48c622",
1827
+ "cloneClusterSize": 1,
1828
+ "provenance": "human-likely",
1829
+ "provenanceScore": 0.12,
1830
+ "typeNarrowed": null,
1831
+ "strideCategory": "denialOfService",
1832
+ "personaScores": {
1833
+ "script-kiddie": {
1834
+ "score": 0.4,
1835
+ "tier": "medium",
1836
+ "factors": [
1837
+ "sev:medium"
1838
+ ]
1839
+ },
1840
+ "opportunistic-criminal": {
1841
+ "score": 0.4,
1842
+ "tier": "medium",
1843
+ "factors": [
1844
+ "sev:medium"
1845
+ ]
1846
+ },
1847
+ "apt-nation-state": {
1848
+ "score": 0.4,
1849
+ "tier": "medium",
1850
+ "factors": [
1851
+ "sev:medium"
1852
+ ]
1853
+ },
1854
+ "supply-chain-attacker": {
1855
+ "score": 0.4,
1856
+ "tier": "medium",
1857
+ "factors": [
1858
+ "sev:medium"
1859
+ ]
1860
+ },
1861
+ "malicious-insider": {
1862
+ "score": 0.4,
1863
+ "tier": "medium",
1864
+ "factors": [
1865
+ "sev:medium"
1866
+ ]
1867
+ }
1868
+ },
1869
+ "personaTopTwo": [
1870
+ "script-kiddie",
1871
+ "opportunistic-criminal"
1872
+ ],
1873
+ "personaMaxName": "script-kiddie",
1874
+ "personaMaxScore": 0.4,
1875
+ "reverseExposure": null,
1876
+ "specMined": null,
1877
+ "whyFired": {
1878
+ "detector": "sast/dos-sync-io",
1879
+ "ruleId": "CWE-400",
1880
+ "parser": "STRUCTURAL",
1881
+ "evidence": {
1882
+ "sinkSnippet": "const obj = JSON.parse(fs.readFileSync(fp, 'utf8'));",
1883
+ "sourceSnippet": "const obj = JSON.parse(fs.readFileSync(fp, 'utf8'));",
1884
+ "pathSteps": [],
1885
+ "sanitizers": [],
1886
+ "guards": []
1887
+ },
1888
+ "considered": {
1889
+ "suppressionsApplied": [],
1890
+ "suppressionsSkipped": [],
1891
+ "reachabilityFilter": "unaffected",
1892
+ "clusterCollapsed": false,
1893
+ "typeNarrowed": false,
1894
+ "crownJewelTier": "low-value",
1895
+ "mitigationVerdict": "unreachable-in-prod"
1896
+ },
1897
+ "scanner": {
1898
+ "rulesetVersion": null,
1899
+ "packHash": null,
1900
+ "modelId": null
1901
+ }
1902
+ },
1903
+ "adversaryTranscript": null,
1904
+ "predictedBountyUsd": {
1905
+ "low": 10,
1906
+ "likely": 40,
1907
+ "high": 120,
1908
+ "program": "web2"
1909
+ },
1910
+ "bountyConfidence": "high",
1911
+ "attackPlaybook": null
1912
+ },
1913
+ {
1914
+ "id": "struct:type-stubs.js:79:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1915
+ "kind": "sast",
1916
+ "severity": "medium",
1917
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1918
+ "cwe": "CWE-400",
1919
+ "owaspLlm": null,
1920
+ "stride": "Denial of Service",
1921
+ "file": "type-stubs.js",
1922
+ "line": 79,
1923
+ "snippet": "try { fs.writeFileSync(fp, JSON.stringify(obj)); } catch {}",
1924
+ "fix": null,
1925
+ "reachable": false,
1926
+ "triage": 22,
1927
+ "dataClasses": [],
1928
+ "chain": null,
1929
+ "confidence": 0.212,
1930
+ "toxicity": 28,
1931
+ "toxicityFactors": [
1932
+ "http-facing"
1933
+ ],
1934
+ "toxicityLabel": "Medium",
1935
+ "sources": null,
1936
+ "epssScore": null,
1937
+ "epssPercentile": null,
1938
+ "epssCve": null,
1939
+ "exploitedNow": false,
1940
+ "tags": null,
1941
+ "blastRadius": {
1942
+ "scope": "all-users",
1943
+ "dataAtRisk": [
1944
+ "config"
1945
+ ],
1946
+ "userCount": 50,
1947
+ "industry": "generic",
1948
+ "jurisdictions": [],
1949
+ "controlsApplied": [],
1950
+ "dollarBest": 23250,
1951
+ "dollarLikely": 136250,
1952
+ "dollarWorst": 775000,
1953
+ "dollarLow": 23250,
1954
+ "dollarHigh": 775000,
1955
+ "components": {
1956
+ "incidentResponse": {
1957
+ "low": 8000,
1958
+ "likely": 50000,
1959
+ "high": 250000
1960
+ },
1961
+ "legal": {
1962
+ "low": 10000,
1963
+ "likely": 75000,
1964
+ "high": 500000
1965
+ },
1966
+ "crisisPR": {
1967
+ "low": 0,
1968
+ "likely": 0,
1969
+ "high": 0
1970
+ },
1971
+ "notification": {
1972
+ "low": 5000,
1973
+ "likely": 10000,
1974
+ "high": 15000
1975
+ },
1976
+ "creditMonitoring": {
1977
+ "low": 0,
1978
+ "likely": 0,
1979
+ "high": 0
1980
+ },
1981
+ "regulatoryFines": {
1982
+ "low": 0,
1983
+ "likely": 0,
1984
+ "high": 0
1985
+ },
1986
+ "directDamage": {
1987
+ "low": 250,
1988
+ "likely": 1250,
1989
+ "high": 10000
1990
+ },
1991
+ "classAction": {
1992
+ "low": 0,
1993
+ "likely": 0,
1994
+ "high": 0
1995
+ },
1996
+ "lostBusiness": {
1997
+ "low": 0,
1998
+ "likely": 0,
1999
+ "high": 0
2000
+ }
2001
+ },
2002
+ "dominantDriver": "legal counsel",
2003
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
2004
+ "confidence": "low",
2005
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:79` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
2006
+ },
2007
+ "stableId": "e7a40ff787e8c228",
2008
+ "confidenceTier": "very-low",
2009
+ "exploitability": 0.2,
2010
+ "exploitabilityTier": "low",
2011
+ "exploitabilityFactors": [
2012
+ "sev:medium",
2013
+ "unreachable"
2014
+ ],
2015
+ "clusterSize": null,
2016
+ "unreachable": false,
2017
+ "validator_verdict": "unvalidated",
2018
+ "llm_confidence": null,
2019
+ "unvalidated": true,
2020
+ "cross_language": false,
2021
+ "family": "dos-sync-io",
2022
+ "parser": "STRUCTURAL",
2023
+ "_unsigned": false,
2024
+ "_passThroughSigning": false,
2025
+ "signatureStatus": "verified",
2026
+ "regression_test": null,
2027
+ "poc": null,
2028
+ "calibrated_confidence": null,
2029
+ "calibrated_confidence_ci": null,
2030
+ "calibrated_n": 0,
2031
+ "calibration_reason": "no-history",
2032
+ "verifier_verdict": "cannot-verify",
2033
+ "verifier_reason": "no-poc-no-sanitizer-rule",
2034
+ "verifier_runner": null,
2035
+ "narration": null,
2036
+ "mitigationVerdict": "unreachable-in-prod",
2037
+ "mitigationsApplied": [],
2038
+ "mitigatedByWaf": false,
2039
+ "wafRuleId": null,
2040
+ "mitigatedByAuth": false,
2041
+ "authMechanism": null,
2042
+ "mitigatedByNetwork": false,
2043
+ "networkExposure": null,
2044
+ "featureFlag": null,
2045
+ "featureFlagState": null,
2046
+ "featureFlagRollout": null,
2047
+ "exposedInProd": false,
2048
+ "unreachableInProd": true,
2049
+ "coldPath": false,
2050
+ "hotPath": false,
2051
+ "prodRequestCount": null,
2052
+ "crownJewelScore": 0.15,
2053
+ "crownJewelTier": "low-value",
2054
+ "crownJewelFactors": [
2055
+ "shell-execution"
2056
+ ],
2057
+ "cloneClusterId": "d2ce1948de2c53fb",
2058
+ "cloneClusterSize": 1,
2059
+ "provenance": "human-likely",
2060
+ "provenanceScore": 0.12,
2061
+ "typeNarrowed": null,
2062
+ "strideCategory": "denialOfService",
2063
+ "personaScores": {
2064
+ "script-kiddie": {
2065
+ "score": 0.4,
2066
+ "tier": "medium",
2067
+ "factors": [
2068
+ "sev:medium"
2069
+ ]
2070
+ },
2071
+ "opportunistic-criminal": {
2072
+ "score": 0.4,
2073
+ "tier": "medium",
2074
+ "factors": [
2075
+ "sev:medium"
2076
+ ]
2077
+ },
2078
+ "apt-nation-state": {
2079
+ "score": 0.4,
2080
+ "tier": "medium",
2081
+ "factors": [
2082
+ "sev:medium"
2083
+ ]
2084
+ },
2085
+ "supply-chain-attacker": {
2086
+ "score": 0.4,
2087
+ "tier": "medium",
2088
+ "factors": [
2089
+ "sev:medium"
2090
+ ]
2091
+ },
2092
+ "malicious-insider": {
2093
+ "score": 0.4,
2094
+ "tier": "medium",
2095
+ "factors": [
2096
+ "sev:medium"
2097
+ ]
2098
+ }
2099
+ },
2100
+ "personaTopTwo": [
2101
+ "script-kiddie",
2102
+ "opportunistic-criminal"
2103
+ ],
2104
+ "personaMaxName": "script-kiddie",
2105
+ "personaMaxScore": 0.4,
2106
+ "reverseExposure": null,
2107
+ "specMined": null,
2108
+ "whyFired": {
2109
+ "detector": "sast/dos-sync-io",
2110
+ "ruleId": "CWE-400",
2111
+ "parser": "STRUCTURAL",
2112
+ "evidence": {
2113
+ "sinkSnippet": "try { fs.writeFileSync(fp, JSON.stringify(obj)); } catch {}",
2114
+ "sourceSnippet": "try { fs.writeFileSync(fp, JSON.stringify(obj)); } catch {}",
2115
+ "pathSteps": [],
2116
+ "sanitizers": [],
2117
+ "guards": []
2118
+ },
2119
+ "considered": {
2120
+ "suppressionsApplied": [],
2121
+ "suppressionsSkipped": [],
2122
+ "reachabilityFilter": "unaffected",
2123
+ "clusterCollapsed": false,
2124
+ "typeNarrowed": false,
2125
+ "crownJewelTier": "low-value",
2126
+ "mitigationVerdict": "unreachable-in-prod"
2127
+ },
2128
+ "scanner": {
2129
+ "rulesetVersion": null,
2130
+ "packHash": null,
2131
+ "modelId": null
2132
+ }
2133
+ },
2134
+ "adversaryTranscript": null,
2135
+ "predictedBountyUsd": {
2136
+ "low": 10,
2137
+ "likely": 40,
2138
+ "high": 120,
2139
+ "program": "web2"
2140
+ },
2141
+ "bountyConfidence": "high",
2142
+ "attackPlaybook": null
2143
+ },
2144
+ {
2145
+ "id": "struct:type-stubs.js:190:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
2146
+ "kind": "sast",
2147
+ "severity": "medium",
2148
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
2149
+ "cwe": "CWE-400",
2150
+ "owaspLlm": null,
2151
+ "stride": "Denial of Service",
2152
+ "file": "type-stubs.js",
2153
+ "line": 190,
2154
+ "snippet": "try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }",
2155
+ "fix": null,
2156
+ "reachable": false,
2157
+ "triage": 22,
2158
+ "dataClasses": [],
2159
+ "chain": null,
2160
+ "confidence": 0.212,
2161
+ "toxicity": 28,
2162
+ "toxicityFactors": [
2163
+ "http-facing"
2164
+ ],
2165
+ "toxicityLabel": "Medium",
2166
+ "sources": null,
2167
+ "epssScore": null,
2168
+ "epssPercentile": null,
2169
+ "epssCve": null,
2170
+ "exploitedNow": false,
2171
+ "tags": null,
2172
+ "blastRadius": {
2173
+ "scope": "all-users",
2174
+ "dataAtRisk": [
2175
+ "config"
2176
+ ],
2177
+ "userCount": 50,
2178
+ "industry": "generic",
2179
+ "jurisdictions": [],
2180
+ "controlsApplied": [],
2181
+ "dollarBest": 23250,
2182
+ "dollarLikely": 136250,
2183
+ "dollarWorst": 775000,
2184
+ "dollarLow": 23250,
2185
+ "dollarHigh": 775000,
2186
+ "components": {
2187
+ "incidentResponse": {
2188
+ "low": 8000,
2189
+ "likely": 50000,
2190
+ "high": 250000
2191
+ },
2192
+ "legal": {
2193
+ "low": 10000,
2194
+ "likely": 75000,
2195
+ "high": 500000
2196
+ },
2197
+ "crisisPR": {
2198
+ "low": 0,
2199
+ "likely": 0,
2200
+ "high": 0
2201
+ },
2202
+ "notification": {
2203
+ "low": 5000,
2204
+ "likely": 10000,
2205
+ "high": 15000
2206
+ },
2207
+ "creditMonitoring": {
2208
+ "low": 0,
2209
+ "likely": 0,
2210
+ "high": 0
2211
+ },
2212
+ "regulatoryFines": {
2213
+ "low": 0,
2214
+ "likely": 0,
2215
+ "high": 0
2216
+ },
2217
+ "directDamage": {
2218
+ "low": 250,
2219
+ "likely": 1250,
2220
+ "high": 10000
2221
+ },
2222
+ "classAction": {
2223
+ "low": 0,
2224
+ "likely": 0,
2225
+ "high": 0
2226
+ },
2227
+ "lostBusiness": {
2228
+ "low": 0,
2229
+ "likely": 0,
2230
+ "high": 0
2231
+ }
2232
+ },
2233
+ "dominantDriver": "legal counsel",
2234
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
2235
+ "confidence": "low",
2236
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:190` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
2237
+ },
2238
+ "stableId": "db5b5598e24d7b37",
2239
+ "confidenceTier": "very-low",
2240
+ "exploitability": 0.2,
2241
+ "exploitabilityTier": "low",
2242
+ "exploitabilityFactors": [
2243
+ "sev:medium",
2244
+ "unreachable"
2245
+ ],
2246
+ "clusterSize": null,
2247
+ "unreachable": false,
2248
+ "validator_verdict": "unvalidated",
2249
+ "llm_confidence": null,
2250
+ "unvalidated": true,
2251
+ "cross_language": false,
2252
+ "family": "dos-sync-io",
2253
+ "parser": "STRUCTURAL",
2254
+ "_unsigned": false,
2255
+ "_passThroughSigning": false,
2256
+ "signatureStatus": "verified",
2257
+ "regression_test": null,
2258
+ "poc": null,
2259
+ "calibrated_confidence": null,
2260
+ "calibrated_confidence_ci": null,
2261
+ "calibrated_n": 0,
2262
+ "calibration_reason": "no-history",
2263
+ "verifier_verdict": "cannot-verify",
2264
+ "verifier_reason": "no-poc-no-sanitizer-rule",
2265
+ "verifier_runner": null,
2266
+ "narration": null,
2267
+ "mitigationVerdict": "unreachable-in-prod",
2268
+ "mitigationsApplied": [],
2269
+ "mitigatedByWaf": false,
2270
+ "wafRuleId": null,
2271
+ "mitigatedByAuth": false,
2272
+ "authMechanism": null,
2273
+ "mitigatedByNetwork": false,
2274
+ "networkExposure": null,
2275
+ "featureFlag": null,
2276
+ "featureFlagState": null,
2277
+ "featureFlagRollout": null,
2278
+ "exposedInProd": false,
2279
+ "unreachableInProd": true,
2280
+ "coldPath": false,
2281
+ "hotPath": false,
2282
+ "prodRequestCount": null,
2283
+ "crownJewelScore": 0.15,
2284
+ "crownJewelTier": "low-value",
2285
+ "crownJewelFactors": [
2286
+ "shell-execution"
2287
+ ],
2288
+ "cloneClusterId": "b093e72efde4b555",
2289
+ "cloneClusterSize": 1,
2290
+ "provenance": "human-likely",
2291
+ "provenanceScore": 0.12,
2292
+ "typeNarrowed": null,
2293
+ "strideCategory": "denialOfService",
2294
+ "personaScores": {
2295
+ "script-kiddie": {
2296
+ "score": 0.4,
2297
+ "tier": "medium",
2298
+ "factors": [
2299
+ "sev:medium"
2300
+ ]
2301
+ },
2302
+ "opportunistic-criminal": {
2303
+ "score": 0.4,
2304
+ "tier": "medium",
2305
+ "factors": [
2306
+ "sev:medium"
2307
+ ]
2308
+ },
2309
+ "apt-nation-state": {
2310
+ "score": 0.4,
2311
+ "tier": "medium",
2312
+ "factors": [
2313
+ "sev:medium"
2314
+ ]
2315
+ },
2316
+ "supply-chain-attacker": {
2317
+ "score": 0.4,
2318
+ "tier": "medium",
2319
+ "factors": [
2320
+ "sev:medium"
2321
+ ]
2322
+ },
2323
+ "malicious-insider": {
2324
+ "score": 0.4,
2325
+ "tier": "medium",
2326
+ "factors": [
2327
+ "sev:medium"
2328
+ ]
2329
+ }
2330
+ },
2331
+ "personaTopTwo": [
2332
+ "script-kiddie",
2333
+ "opportunistic-criminal"
2334
+ ],
2335
+ "personaMaxName": "script-kiddie",
2336
+ "personaMaxScore": 0.4,
2337
+ "reverseExposure": null,
2338
+ "specMined": null,
2339
+ "whyFired": {
2340
+ "detector": "sast/dos-sync-io",
2341
+ "ruleId": "CWE-400",
2342
+ "parser": "STRUCTURAL",
2343
+ "evidence": {
2344
+ "sinkSnippet": "try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }",
2345
+ "sourceSnippet": "try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }",
2346
+ "pathSteps": [],
2347
+ "sanitizers": [],
2348
+ "guards": []
2349
+ },
2350
+ "considered": {
2351
+ "suppressionsApplied": [],
2352
+ "suppressionsSkipped": [],
2353
+ "reachabilityFilter": "unaffected",
2354
+ "clusterCollapsed": false,
2355
+ "typeNarrowed": false,
2356
+ "crownJewelTier": "low-value",
2357
+ "mitigationVerdict": "unreachable-in-prod"
2358
+ },
2359
+ "scanner": {
2360
+ "rulesetVersion": null,
2361
+ "packHash": null,
2362
+ "modelId": null
2363
+ }
2364
+ },
2365
+ "adversaryTranscript": null,
2366
+ "predictedBountyUsd": {
2367
+ "low": 10,
2368
+ "likely": 40,
2369
+ "high": 120,
2370
+ "program": "web2"
2371
+ },
2372
+ "bountyConfidence": "high",
2373
+ "attackPlaybook": null
2374
+ },
2375
+ {
2376
+ "id": "struct:type-stubs.js:198:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
2377
+ "kind": "sast",
2378
+ "severity": "medium",
2379
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
2380
+ "cwe": "CWE-400",
2381
+ "owaspLlm": null,
2382
+ "stride": "Denial of Service",
2383
+ "file": "type-stubs.js",
2384
+ "line": 198,
2385
+ "snippet": "if (fs.existsSync(tdir)) walk(tdir, depth + 1);",
2386
+ "fix": null,
2387
+ "reachable": false,
2388
+ "triage": 22,
2389
+ "dataClasses": [],
2390
+ "chain": null,
2391
+ "confidence": 0.212,
2392
+ "toxicity": 28,
2393
+ "toxicityFactors": [
2394
+ "http-facing"
2395
+ ],
2396
+ "toxicityLabel": "Medium",
2397
+ "sources": null,
2398
+ "epssScore": null,
2399
+ "epssPercentile": null,
2400
+ "epssCve": null,
2401
+ "exploitedNow": false,
2402
+ "tags": null,
2403
+ "blastRadius": {
2404
+ "scope": "all-users",
2405
+ "dataAtRisk": [
2406
+ "config"
2407
+ ],
2408
+ "userCount": 50,
2409
+ "industry": "generic",
2410
+ "jurisdictions": [],
2411
+ "controlsApplied": [],
2412
+ "dollarBest": 23250,
2413
+ "dollarLikely": 136250,
2414
+ "dollarWorst": 775000,
2415
+ "dollarLow": 23250,
2416
+ "dollarHigh": 775000,
2417
+ "components": {
2418
+ "incidentResponse": {
2419
+ "low": 8000,
2420
+ "likely": 50000,
2421
+ "high": 250000
2422
+ },
2423
+ "legal": {
2424
+ "low": 10000,
2425
+ "likely": 75000,
2426
+ "high": 500000
2427
+ },
2428
+ "crisisPR": {
2429
+ "low": 0,
2430
+ "likely": 0,
2431
+ "high": 0
2432
+ },
2433
+ "notification": {
2434
+ "low": 5000,
2435
+ "likely": 10000,
2436
+ "high": 15000
2437
+ },
2438
+ "creditMonitoring": {
2439
+ "low": 0,
2440
+ "likely": 0,
2441
+ "high": 0
2442
+ },
2443
+ "regulatoryFines": {
2444
+ "low": 0,
2445
+ "likely": 0,
2446
+ "high": 0
2447
+ },
2448
+ "directDamage": {
2449
+ "low": 250,
2450
+ "likely": 1250,
2451
+ "high": 10000
2452
+ },
2453
+ "classAction": {
2454
+ "low": 0,
2455
+ "likely": 0,
2456
+ "high": 0
2457
+ },
2458
+ "lostBusiness": {
2459
+ "low": 0,
2460
+ "likely": 0,
2461
+ "high": 0
2462
+ }
2463
+ },
2464
+ "dominantDriver": "legal counsel",
2465
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
2466
+ "confidence": "low",
2467
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:198` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
2468
+ },
2469
+ "stableId": "da0930b64e53120b",
2470
+ "confidenceTier": "very-low",
2471
+ "exploitability": 0.2,
2472
+ "exploitabilityTier": "low",
2473
+ "exploitabilityFactors": [
2474
+ "sev:medium",
2475
+ "unreachable"
2476
+ ],
2477
+ "clusterSize": null,
2478
+ "unreachable": false,
2479
+ "validator_verdict": "unvalidated",
2480
+ "llm_confidence": null,
2481
+ "unvalidated": true,
2482
+ "cross_language": false,
2483
+ "family": "dos-sync-io",
2484
+ "parser": "STRUCTURAL",
2485
+ "_unsigned": false,
2486
+ "_passThroughSigning": false,
2487
+ "signatureStatus": "verified",
2488
+ "regression_test": null,
2489
+ "poc": null,
2490
+ "calibrated_confidence": null,
2491
+ "calibrated_confidence_ci": null,
2492
+ "calibrated_n": 0,
2493
+ "calibration_reason": "no-history",
2494
+ "verifier_verdict": "cannot-verify",
2495
+ "verifier_reason": "no-poc-no-sanitizer-rule",
2496
+ "verifier_runner": null,
2497
+ "narration": null,
2498
+ "mitigationVerdict": "unreachable-in-prod",
2499
+ "mitigationsApplied": [],
2500
+ "mitigatedByWaf": false,
2501
+ "wafRuleId": null,
2502
+ "mitigatedByAuth": false,
2503
+ "authMechanism": null,
2504
+ "mitigatedByNetwork": false,
2505
+ "networkExposure": null,
2506
+ "featureFlag": null,
2507
+ "featureFlagState": null,
2508
+ "featureFlagRollout": null,
2509
+ "exposedInProd": false,
2510
+ "unreachableInProd": true,
2511
+ "coldPath": false,
2512
+ "hotPath": false,
2513
+ "prodRequestCount": null,
2514
+ "crownJewelScore": 0.15,
2515
+ "crownJewelTier": "low-value",
2516
+ "crownJewelFactors": [
2517
+ "shell-execution"
2518
+ ],
2519
+ "cloneClusterId": "5e5357c1989b7538",
2520
+ "cloneClusterSize": 1,
2521
+ "provenance": "human-likely",
2522
+ "provenanceScore": 0.12,
2523
+ "typeNarrowed": null,
2524
+ "strideCategory": "denialOfService",
2525
+ "personaScores": {
2526
+ "script-kiddie": {
2527
+ "score": 0.4,
2528
+ "tier": "medium",
2529
+ "factors": [
2530
+ "sev:medium"
2531
+ ]
2532
+ },
2533
+ "opportunistic-criminal": {
2534
+ "score": 0.4,
2535
+ "tier": "medium",
2536
+ "factors": [
2537
+ "sev:medium"
2538
+ ]
2539
+ },
2540
+ "apt-nation-state": {
2541
+ "score": 0.4,
2542
+ "tier": "medium",
2543
+ "factors": [
2544
+ "sev:medium"
2545
+ ]
2546
+ },
2547
+ "supply-chain-attacker": {
2548
+ "score": 0.4,
2549
+ "tier": "medium",
2550
+ "factors": [
2551
+ "sev:medium"
2552
+ ]
2553
+ },
2554
+ "malicious-insider": {
2555
+ "score": 0.4,
2556
+ "tier": "medium",
2557
+ "factors": [
2558
+ "sev:medium"
2559
+ ]
2560
+ }
2561
+ },
2562
+ "personaTopTwo": [
2563
+ "script-kiddie",
2564
+ "opportunistic-criminal"
2565
+ ],
2566
+ "personaMaxName": "script-kiddie",
2567
+ "personaMaxScore": 0.4,
2568
+ "reverseExposure": null,
2569
+ "specMined": null,
2570
+ "whyFired": {
2571
+ "detector": "sast/dos-sync-io",
2572
+ "ruleId": "CWE-400",
2573
+ "parser": "STRUCTURAL",
2574
+ "evidence": {
2575
+ "sinkSnippet": "if (fs.existsSync(tdir)) walk(tdir, depth + 1);",
2576
+ "sourceSnippet": "if (fs.existsSync(tdir)) walk(tdir, depth + 1);",
2577
+ "pathSteps": [],
2578
+ "sanitizers": [],
2579
+ "guards": []
2580
+ },
2581
+ "considered": {
2582
+ "suppressionsApplied": [],
2583
+ "suppressionsSkipped": [],
2584
+ "reachabilityFilter": "unaffected",
2585
+ "clusterCollapsed": false,
2586
+ "typeNarrowed": false,
2587
+ "crownJewelTier": "low-value",
2588
+ "mitigationVerdict": "unreachable-in-prod"
2589
+ },
2590
+ "scanner": {
2591
+ "rulesetVersion": null,
2592
+ "packHash": null,
2593
+ "modelId": null
2594
+ }
2595
+ },
2596
+ "adversaryTranscript": null,
2597
+ "predictedBountyUsd": {
2598
+ "low": 10,
2599
+ "likely": 40,
2600
+ "high": 120,
2601
+ "program": "web2"
2602
+ },
2603
+ "bountyConfidence": "high",
2604
+ "attackPlaybook": null
2605
+ },
2606
+ {
2607
+ "id": "struct:type-stubs.js:216:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
2608
+ "kind": "sast",
2609
+ "severity": "medium",
2610
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
2611
+ "cwe": "CWE-400",
2612
+ "owaspLlm": null,
2613
+ "stride": "Denial of Service",
2614
+ "file": "type-stubs.js",
2615
+ "line": 216,
2616
+ "snippet": "const pkg = JSON.parse(fs.readFileSync(path.join(root, 'package.json'), 'utf8'));",
2617
+ "fix": null,
2618
+ "reachable": false,
2619
+ "triage": 22,
2620
+ "dataClasses": [],
2621
+ "chain": null,
2622
+ "confidence": 0.212,
2623
+ "toxicity": 28,
2624
+ "toxicityFactors": [
2625
+ "http-facing"
2626
+ ],
2627
+ "toxicityLabel": "Medium",
2628
+ "sources": null,
2629
+ "epssScore": null,
2630
+ "epssPercentile": null,
2631
+ "epssCve": null,
2632
+ "exploitedNow": false,
2633
+ "tags": null,
2634
+ "blastRadius": {
2635
+ "scope": "all-users",
2636
+ "dataAtRisk": [
2637
+ "config"
2638
+ ],
2639
+ "userCount": 50,
2640
+ "industry": "generic",
2641
+ "jurisdictions": [],
2642
+ "controlsApplied": [],
2643
+ "dollarBest": 23250,
2644
+ "dollarLikely": 136250,
2645
+ "dollarWorst": 775000,
2646
+ "dollarLow": 23250,
2647
+ "dollarHigh": 775000,
2648
+ "components": {
2649
+ "incidentResponse": {
2650
+ "low": 8000,
2651
+ "likely": 50000,
2652
+ "high": 250000
2653
+ },
2654
+ "legal": {
2655
+ "low": 10000,
2656
+ "likely": 75000,
2657
+ "high": 500000
2658
+ },
2659
+ "crisisPR": {
2660
+ "low": 0,
2661
+ "likely": 0,
2662
+ "high": 0
2663
+ },
2664
+ "notification": {
2665
+ "low": 5000,
2666
+ "likely": 10000,
2667
+ "high": 15000
2668
+ },
2669
+ "creditMonitoring": {
2670
+ "low": 0,
2671
+ "likely": 0,
2672
+ "high": 0
2673
+ },
2674
+ "regulatoryFines": {
2675
+ "low": 0,
2676
+ "likely": 0,
2677
+ "high": 0
2678
+ },
2679
+ "directDamage": {
2680
+ "low": 250,
2681
+ "likely": 1250,
2682
+ "high": 10000
2683
+ },
2684
+ "classAction": {
2685
+ "low": 0,
2686
+ "likely": 0,
2687
+ "high": 0
2688
+ },
2689
+ "lostBusiness": {
2690
+ "low": 0,
2691
+ "likely": 0,
2692
+ "high": 0
2693
+ }
2694
+ },
2695
+ "dominantDriver": "legal counsel",
2696
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
2697
+ "confidence": "low",
2698
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:216` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
2699
+ },
2700
+ "stableId": "9f54fa968991f0c8",
2701
+ "confidenceTier": "very-low",
2702
+ "exploitability": 0.2,
2703
+ "exploitabilityTier": "low",
2704
+ "exploitabilityFactors": [
2705
+ "sev:medium",
2706
+ "unreachable"
2707
+ ],
2708
+ "clusterSize": null,
2709
+ "unreachable": false,
2710
+ "validator_verdict": "unvalidated",
2711
+ "llm_confidence": null,
2712
+ "unvalidated": true,
2713
+ "cross_language": false,
2714
+ "family": "dos-sync-io",
2715
+ "parser": "STRUCTURAL",
2716
+ "_unsigned": false,
2717
+ "_passThroughSigning": false,
2718
+ "signatureStatus": "verified",
2719
+ "regression_test": null,
2720
+ "poc": null,
2721
+ "calibrated_confidence": null,
2722
+ "calibrated_confidence_ci": null,
2723
+ "calibrated_n": 0,
2724
+ "calibration_reason": "no-history",
2725
+ "verifier_verdict": "cannot-verify",
2726
+ "verifier_reason": "no-poc-no-sanitizer-rule",
2727
+ "verifier_runner": null,
2728
+ "narration": null,
2729
+ "mitigationVerdict": "unreachable-in-prod",
2730
+ "mitigationsApplied": [],
2731
+ "mitigatedByWaf": false,
2732
+ "wafRuleId": null,
2733
+ "mitigatedByAuth": false,
2734
+ "authMechanism": null,
2735
+ "mitigatedByNetwork": false,
2736
+ "networkExposure": null,
2737
+ "featureFlag": null,
2738
+ "featureFlagState": null,
2739
+ "featureFlagRollout": null,
2740
+ "exposedInProd": false,
2741
+ "unreachableInProd": true,
2742
+ "coldPath": false,
2743
+ "hotPath": false,
2744
+ "prodRequestCount": null,
2745
+ "crownJewelScore": 0.15,
2746
+ "crownJewelTier": "low-value",
2747
+ "crownJewelFactors": [
2748
+ "shell-execution"
2749
+ ],
2750
+ "cloneClusterId": "f686c808d16515e4",
2751
+ "cloneClusterSize": 1,
2752
+ "provenance": "human-likely",
2753
+ "provenanceScore": 0.12,
2754
+ "typeNarrowed": null,
2755
+ "strideCategory": "denialOfService",
2756
+ "personaScores": {
2757
+ "script-kiddie": {
2758
+ "score": 0.4,
2759
+ "tier": "medium",
2760
+ "factors": [
2761
+ "sev:medium"
2762
+ ]
2763
+ },
2764
+ "opportunistic-criminal": {
2765
+ "score": 0.4,
2766
+ "tier": "medium",
2767
+ "factors": [
2768
+ "sev:medium"
2769
+ ]
2770
+ },
2771
+ "apt-nation-state": {
2772
+ "score": 0.4,
2773
+ "tier": "medium",
2774
+ "factors": [
2775
+ "sev:medium"
2776
+ ]
2777
+ },
2778
+ "supply-chain-attacker": {
2779
+ "score": 0.4,
2780
+ "tier": "medium",
2781
+ "factors": [
2782
+ "sev:medium"
2783
+ ]
2784
+ },
2785
+ "malicious-insider": {
2786
+ "score": 0.4,
2787
+ "tier": "medium",
2788
+ "factors": [
2789
+ "sev:medium"
2790
+ ]
2791
+ }
2792
+ },
2793
+ "personaTopTwo": [
2794
+ "script-kiddie",
2795
+ "opportunistic-criminal"
2796
+ ],
2797
+ "personaMaxName": "script-kiddie",
2798
+ "personaMaxScore": 0.4,
2799
+ "reverseExposure": null,
2800
+ "specMined": null,
2801
+ "whyFired": {
2802
+ "detector": "sast/dos-sync-io",
2803
+ "ruleId": "CWE-400",
2804
+ "parser": "STRUCTURAL",
2805
+ "evidence": {
2806
+ "sinkSnippet": "const pkg = JSON.parse(fs.readFileSync(path.join(root, 'package.json'), 'utf8'));",
2807
+ "sourceSnippet": "const pkg = JSON.parse(fs.readFileSync(path.join(root, 'package.json'), 'utf8'));",
2808
+ "pathSteps": [],
2809
+ "sanitizers": [],
2810
+ "guards": []
2811
+ },
2812
+ "considered": {
2813
+ "suppressionsApplied": [],
2814
+ "suppressionsSkipped": [],
2815
+ "reachabilityFilter": "unaffected",
2816
+ "clusterCollapsed": false,
2817
+ "typeNarrowed": false,
2818
+ "crownJewelTier": "low-value",
2819
+ "mitigationVerdict": "unreachable-in-prod"
2820
+ },
2821
+ "scanner": {
2822
+ "rulesetVersion": null,
2823
+ "packHash": null,
2824
+ "modelId": null
2825
+ }
2826
+ },
2827
+ "adversaryTranscript": null,
2828
+ "predictedBountyUsd": {
2829
+ "low": 10,
2830
+ "likely": 40,
2831
+ "high": 120,
2832
+ "program": "web2"
2833
+ },
2834
+ "bountyConfidence": "high",
2835
+ "attackPlaybook": null
2836
+ },
2837
+ {
2838
+ "id": "struct:type-stubs.js:245:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
2839
+ "kind": "sast",
2840
+ "severity": "medium",
2841
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
2842
+ "cwe": "CWE-400",
2843
+ "owaspLlm": null,
2844
+ "stride": "Denial of Service",
2845
+ "file": "type-stubs.js",
2846
+ "line": 245,
2847
+ "snippet": "try { body = fs.readFileSync(f.path, 'utf8'); } catch { continue; }",
2848
+ "fix": null,
2849
+ "reachable": false,
2850
+ "triage": 22,
2851
+ "dataClasses": [],
2852
+ "chain": null,
2853
+ "confidence": 0.212,
2854
+ "toxicity": 28,
2855
+ "toxicityFactors": [
2856
+ "http-facing"
2857
+ ],
2858
+ "toxicityLabel": "Medium",
2859
+ "sources": null,
2860
+ "epssScore": null,
2861
+ "epssPercentile": null,
2862
+ "epssCve": null,
2863
+ "exploitedNow": false,
2864
+ "tags": null,
2865
+ "blastRadius": {
2866
+ "scope": "all-users",
2867
+ "dataAtRisk": [
2868
+ "config"
2869
+ ],
2870
+ "userCount": 50,
2871
+ "industry": "generic",
2872
+ "jurisdictions": [],
2873
+ "controlsApplied": [],
2874
+ "dollarBest": 23250,
2875
+ "dollarLikely": 136250,
2876
+ "dollarWorst": 775000,
2877
+ "dollarLow": 23250,
2878
+ "dollarHigh": 775000,
2879
+ "components": {
2880
+ "incidentResponse": {
2881
+ "low": 8000,
2882
+ "likely": 50000,
2883
+ "high": 250000
2884
+ },
2885
+ "legal": {
2886
+ "low": 10000,
2887
+ "likely": 75000,
2888
+ "high": 500000
2889
+ },
2890
+ "crisisPR": {
2891
+ "low": 0,
2892
+ "likely": 0,
2893
+ "high": 0
2894
+ },
2895
+ "notification": {
2896
+ "low": 5000,
2897
+ "likely": 10000,
2898
+ "high": 15000
2899
+ },
2900
+ "creditMonitoring": {
2901
+ "low": 0,
2902
+ "likely": 0,
2903
+ "high": 0
2904
+ },
2905
+ "regulatoryFines": {
2906
+ "low": 0,
2907
+ "likely": 0,
2908
+ "high": 0
2909
+ },
2910
+ "directDamage": {
2911
+ "low": 250,
2912
+ "likely": 1250,
2913
+ "high": 10000
2914
+ },
2915
+ "classAction": {
2916
+ "low": 0,
2917
+ "likely": 0,
2918
+ "high": 0
2919
+ },
2920
+ "lostBusiness": {
2921
+ "low": 0,
2922
+ "likely": 0,
2923
+ "high": 0
2924
+ }
2925
+ },
2926
+ "dominantDriver": "legal counsel",
2927
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
2928
+ "confidence": "low",
2929
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:245` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
2930
+ },
2931
+ "stableId": "d7f878f4239f7f2f",
2932
+ "confidenceTier": "very-low",
2933
+ "exploitability": 0.2,
2934
+ "exploitabilityTier": "low",
2935
+ "exploitabilityFactors": [
2936
+ "sev:medium",
2937
+ "unreachable"
2938
+ ],
2939
+ "clusterSize": null,
2940
+ "unreachable": false,
2941
+ "validator_verdict": "unvalidated",
2942
+ "llm_confidence": null,
2943
+ "unvalidated": true,
2944
+ "cross_language": false,
2945
+ "family": "dos-sync-io",
2946
+ "parser": "STRUCTURAL",
2947
+ "_unsigned": false,
2948
+ "_passThroughSigning": false,
2949
+ "signatureStatus": "verified",
2950
+ "regression_test": null,
2951
+ "poc": null,
2952
+ "calibrated_confidence": null,
2953
+ "calibrated_confidence_ci": null,
2954
+ "calibrated_n": 0,
2955
+ "calibration_reason": "no-history",
2956
+ "verifier_verdict": "cannot-verify",
2957
+ "verifier_reason": "no-poc-no-sanitizer-rule",
2958
+ "verifier_runner": null,
2959
+ "narration": null,
2960
+ "mitigationVerdict": "unreachable-in-prod",
2961
+ "mitigationsApplied": [],
2962
+ "mitigatedByWaf": false,
2963
+ "wafRuleId": null,
2964
+ "mitigatedByAuth": false,
2965
+ "authMechanism": null,
2966
+ "mitigatedByNetwork": false,
2967
+ "networkExposure": null,
2968
+ "featureFlag": null,
2969
+ "featureFlagState": null,
2970
+ "featureFlagRollout": null,
2971
+ "exposedInProd": false,
2972
+ "unreachableInProd": true,
2973
+ "coldPath": false,
2974
+ "hotPath": false,
2975
+ "prodRequestCount": null,
2976
+ "crownJewelScore": 0.15,
2977
+ "crownJewelTier": "low-value",
2978
+ "crownJewelFactors": [
2979
+ "shell-execution"
2980
+ ],
2981
+ "cloneClusterId": "01bed4bbdd04761a",
2982
+ "cloneClusterSize": 1,
2983
+ "provenance": "human-likely",
2984
+ "provenanceScore": 0.12,
2985
+ "typeNarrowed": null,
2986
+ "strideCategory": "denialOfService",
2987
+ "personaScores": {
2988
+ "script-kiddie": {
2989
+ "score": 0.4,
2990
+ "tier": "medium",
2991
+ "factors": [
2992
+ "sev:medium"
2993
+ ]
2994
+ },
2995
+ "opportunistic-criminal": {
2996
+ "score": 0.4,
2997
+ "tier": "medium",
2998
+ "factors": [
2999
+ "sev:medium"
3000
+ ]
3001
+ },
3002
+ "apt-nation-state": {
3003
+ "score": 0.4,
3004
+ "tier": "medium",
3005
+ "factors": [
3006
+ "sev:medium"
3007
+ ]
3008
+ },
3009
+ "supply-chain-attacker": {
3010
+ "score": 0.4,
3011
+ "tier": "medium",
3012
+ "factors": [
3013
+ "sev:medium"
3014
+ ]
3015
+ },
3016
+ "malicious-insider": {
3017
+ "score": 0.4,
3018
+ "tier": "medium",
3019
+ "factors": [
3020
+ "sev:medium"
3021
+ ]
3022
+ }
3023
+ },
3024
+ "personaTopTwo": [
3025
+ "script-kiddie",
3026
+ "opportunistic-criminal"
3027
+ ],
3028
+ "personaMaxName": "script-kiddie",
3029
+ "personaMaxScore": 0.4,
3030
+ "reverseExposure": null,
3031
+ "specMined": null,
3032
+ "whyFired": {
3033
+ "detector": "sast/dos-sync-io",
3034
+ "ruleId": "CWE-400",
3035
+ "parser": "STRUCTURAL",
3036
+ "evidence": {
3037
+ "sinkSnippet": "try { body = fs.readFileSync(f.path, 'utf8'); } catch { continue; }",
3038
+ "sourceSnippet": "try { body = fs.readFileSync(f.path, 'utf8'); } catch { continue; }",
3039
+ "pathSteps": [],
3040
+ "sanitizers": [],
3041
+ "guards": []
3042
+ },
3043
+ "considered": {
3044
+ "suppressionsApplied": [],
3045
+ "suppressionsSkipped": [],
3046
+ "reachabilityFilter": "unaffected",
3047
+ "clusterCollapsed": false,
3048
+ "typeNarrowed": false,
3049
+ "crownJewelTier": "low-value",
3050
+ "mitigationVerdict": "unreachable-in-prod"
3051
+ },
3052
+ "scanner": {
3053
+ "rulesetVersion": null,
3054
+ "packHash": null,
3055
+ "modelId": null
3056
+ }
3057
+ },
3058
+ "adversaryTranscript": null,
3059
+ "predictedBountyUsd": {
3060
+ "low": 10,
3061
+ "likely": 40,
3062
+ "high": 120,
3063
+ "program": "web2"
3064
+ },
3065
+ "bountyConfidence": "high",
3066
+ "attackPlaybook": null
3067
+ },
3068
+ {
3069
+ "id": "struct:parser-py-cst.js:91:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
3070
+ "kind": "sast",
3071
+ "severity": "medium",
3072
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3073
+ "cwe": "CWE-400",
3074
+ "owaspLlm": null,
3075
+ "stride": "Denial of Service",
3076
+ "file": "parser-py-cst.js",
3077
+ "line": 91,
3078
+ "snippet": "if (!fs.existsSync(HELPER_PATH)) return null;",
3079
+ "fix": null,
3080
+ "reachable": false,
3081
+ "triage": 18,
3082
+ "dataClasses": [],
3083
+ "chain": null,
3084
+ "confidence": 0.161,
3085
+ "toxicity": 28,
3086
+ "toxicityFactors": [
3087
+ "http-facing"
3088
+ ],
3089
+ "toxicityLabel": "Medium",
3090
+ "sources": null,
3091
+ "epssScore": null,
3092
+ "epssPercentile": null,
3093
+ "epssCve": null,
3094
+ "exploitedNow": false,
3095
+ "tags": null,
3096
+ "blastRadius": {
3097
+ "scope": "all-users",
3098
+ "dataAtRisk": [
3099
+ "config"
3100
+ ],
3101
+ "userCount": 50,
3102
+ "industry": "generic",
3103
+ "jurisdictions": [],
3104
+ "controlsApplied": [],
3105
+ "dollarBest": 23250,
3106
+ "dollarLikely": 136250,
3107
+ "dollarWorst": 775000,
3108
+ "dollarLow": 23250,
3109
+ "dollarHigh": 775000,
3110
+ "components": {
3111
+ "incidentResponse": {
3112
+ "low": 8000,
3113
+ "likely": 50000,
3114
+ "high": 250000
3115
+ },
3116
+ "legal": {
3117
+ "low": 10000,
3118
+ "likely": 75000,
3119
+ "high": 500000
3120
+ },
3121
+ "crisisPR": {
3122
+ "low": 0,
3123
+ "likely": 0,
3124
+ "high": 0
3125
+ },
3126
+ "notification": {
3127
+ "low": 5000,
3128
+ "likely": 10000,
3129
+ "high": 15000
3130
+ },
3131
+ "creditMonitoring": {
3132
+ "low": 0,
3133
+ "likely": 0,
3134
+ "high": 0
3135
+ },
3136
+ "regulatoryFines": {
3137
+ "low": 0,
3138
+ "likely": 0,
3139
+ "high": 0
3140
+ },
3141
+ "directDamage": {
3142
+ "low": 250,
3143
+ "likely": 1250,
3144
+ "high": 10000
3145
+ },
3146
+ "classAction": {
3147
+ "low": 0,
3148
+ "likely": 0,
3149
+ "high": 0
3150
+ },
3151
+ "lostBusiness": {
3152
+ "low": 0,
3153
+ "likely": 0,
3154
+ "high": 0
3155
+ }
3156
+ },
3157
+ "dominantDriver": "legal counsel",
3158
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
3159
+ "confidence": "low",
3160
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `parser-py-cst.js:91` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
3161
+ },
3162
+ "stableId": "ca57234f46aecc6a",
3163
+ "confidenceTier": "very-low",
3164
+ "exploitability": 0.05,
3165
+ "exploitabilityTier": "low",
3166
+ "exploitabilityFactors": [
3167
+ "sev:medium",
3168
+ "unreachable",
3169
+ "guards:1"
3170
+ ],
3171
+ "clusterSize": null,
3172
+ "unreachable": false,
3173
+ "validator_verdict": "unvalidated",
3174
+ "llm_confidence": null,
3175
+ "unvalidated": true,
3176
+ "cross_language": false,
3177
+ "family": "dos-sync-io",
3178
+ "parser": "STRUCTURAL",
3179
+ "_unsigned": false,
3180
+ "_passThroughSigning": false,
3181
+ "signatureStatus": "verified",
3182
+ "regression_test": null,
3183
+ "poc": null,
3184
+ "calibrated_confidence": null,
3185
+ "calibrated_confidence_ci": null,
3186
+ "calibrated_n": 0,
3187
+ "calibration_reason": "no-history",
3188
+ "verifier_verdict": "cannot-verify",
3189
+ "verifier_reason": "no-poc-no-sanitizer-rule",
3190
+ "verifier_runner": null,
3191
+ "narration": null,
3192
+ "mitigationVerdict": "unreachable-in-prod",
3193
+ "mitigationsApplied": [],
3194
+ "mitigatedByWaf": false,
3195
+ "wafRuleId": null,
3196
+ "mitigatedByAuth": false,
3197
+ "authMechanism": null,
3198
+ "mitigatedByNetwork": false,
3199
+ "networkExposure": null,
3200
+ "featureFlag": null,
3201
+ "featureFlagState": null,
3202
+ "featureFlagRollout": null,
3203
+ "exposedInProd": false,
3204
+ "unreachableInProd": true,
3205
+ "coldPath": false,
3206
+ "hotPath": false,
3207
+ "prodRequestCount": null,
3208
+ "crownJewelScore": 0.15,
3209
+ "crownJewelTier": "low-value",
3210
+ "crownJewelFactors": [
3211
+ "shell-execution"
3212
+ ],
3213
+ "cloneClusterId": "66b8a8c25816e7f9",
3214
+ "cloneClusterSize": 2,
3215
+ "provenance": "mixed",
3216
+ "provenanceScore": 0.4,
3217
+ "typeNarrowed": null,
3218
+ "strideCategory": "denialOfService",
3219
+ "personaScores": {
3220
+ "script-kiddie": {
3221
+ "score": 0.2,
3222
+ "tier": "low",
3223
+ "factors": [
3224
+ "sev:medium",
3225
+ "auth-gated:1"
3226
+ ]
3227
+ },
3228
+ "opportunistic-criminal": {
3229
+ "score": 0.4,
3230
+ "tier": "medium",
3231
+ "factors": [
3232
+ "sev:medium"
3233
+ ]
3234
+ },
3235
+ "apt-nation-state": {
3236
+ "score": 0.35,
3237
+ "tier": "medium",
3238
+ "factors": [
3239
+ "sev:medium",
3240
+ "minor-auth-cost"
3241
+ ]
3242
+ },
3243
+ "supply-chain-attacker": {
3244
+ "score": 0.4,
3245
+ "tier": "medium",
3246
+ "factors": [
3247
+ "sev:medium"
3248
+ ]
3249
+ },
3250
+ "malicious-insider": {
3251
+ "score": 0.3,
3252
+ "tier": "low",
3253
+ "factors": [
3254
+ "sev:medium",
3255
+ "insider-bypasses-edge"
3256
+ ]
3257
+ }
3258
+ },
3259
+ "personaTopTwo": [
3260
+ "opportunistic-criminal",
3261
+ "supply-chain-attacker"
3262
+ ],
3263
+ "personaMaxName": "opportunistic-criminal",
3264
+ "personaMaxScore": 0.4,
3265
+ "reverseExposure": null,
3266
+ "specMined": null,
3267
+ "whyFired": {
3268
+ "detector": "sast/dos-sync-io",
3269
+ "ruleId": "CWE-400",
3270
+ "parser": "STRUCTURAL",
3271
+ "evidence": {
3272
+ "sinkSnippet": "if (!fs.existsSync(HELPER_PATH)) return null;",
3273
+ "sourceSnippet": "if (!fs.existsSync(HELPER_PATH)) return null;",
3274
+ "pathSteps": [],
3275
+ "sanitizers": [],
3276
+ "guards": [
3277
+ "type-check"
3278
+ ]
3279
+ },
3280
+ "considered": {
3281
+ "suppressionsApplied": [],
3282
+ "suppressionsSkipped": [],
3283
+ "reachabilityFilter": "unaffected",
3284
+ "clusterCollapsed": false,
3285
+ "typeNarrowed": false,
3286
+ "crownJewelTier": "low-value",
3287
+ "mitigationVerdict": "unreachable-in-prod"
3288
+ },
3289
+ "scanner": {
3290
+ "rulesetVersion": null,
3291
+ "packHash": null,
3292
+ "modelId": null
3293
+ }
3294
+ },
3295
+ "adversaryTranscript": null,
3296
+ "predictedBountyUsd": {
3297
+ "low": 10,
3298
+ "likely": 40,
3299
+ "high": 120,
3300
+ "program": "web2"
3301
+ },
3302
+ "bountyConfidence": "high",
3303
+ "attackPlaybook": null
3304
+ },
3305
+ {
3306
+ "id": "toctou-fs:type-stubs.js:48",
3307
+ "kind": "sast",
3308
+ "severity": "medium",
3309
+ "vuln": "TOCTOU: file existence/permission check before open",
3310
+ "cwe": "CWE-367",
3311
+ "owaspLlm": null,
3312
+ "stride": "Tampering",
3313
+ "file": "type-stubs.js",
3314
+ "line": 48,
3315
+ "snippet": "try { inputs.push(p + ':' + fs.statSync(fp).mtimeMs); } catch {}",
3316
+ "fix": null,
3317
+ "reachable": false,
3318
+ "triage": 22,
3319
+ "dataClasses": [],
3320
+ "chain": null,
3321
+ "confidence": 0.7,
3322
+ "toxicity": 8,
3323
+ "toxicityFactors": [],
3324
+ "toxicityLabel": "Low",
3325
+ "sources": null,
3326
+ "epssScore": null,
3327
+ "epssPercentile": null,
3328
+ "epssCve": null,
3329
+ "exploitedNow": false,
3330
+ "tags": null,
3331
+ "blastRadius": {
3332
+ "scope": "all-users",
3333
+ "dataAtRisk": [
3334
+ "config"
3335
+ ],
3336
+ "userCount": 50,
3337
+ "industry": "generic",
3338
+ "jurisdictions": [],
3339
+ "controlsApplied": [],
3340
+ "dollarBest": 23250,
3341
+ "dollarLikely": 136250,
3342
+ "dollarWorst": 775000,
3343
+ "dollarLow": 23250,
3344
+ "dollarHigh": 775000,
3345
+ "components": {
3346
+ "incidentResponse": {
3347
+ "low": 8000,
3348
+ "likely": 50000,
3349
+ "high": 250000
3350
+ },
3351
+ "legal": {
3352
+ "low": 10000,
3353
+ "likely": 75000,
3354
+ "high": 500000
3355
+ },
3356
+ "crisisPR": {
3357
+ "low": 0,
3358
+ "likely": 0,
3359
+ "high": 0
3360
+ },
3361
+ "notification": {
3362
+ "low": 5000,
3363
+ "likely": 10000,
3364
+ "high": 15000
3365
+ },
3366
+ "creditMonitoring": {
3367
+ "low": 0,
3368
+ "likely": 0,
3369
+ "high": 0
3370
+ },
3371
+ "regulatoryFines": {
3372
+ "low": 0,
3373
+ "likely": 0,
3374
+ "high": 0
3375
+ },
3376
+ "directDamage": {
3377
+ "low": 250,
3378
+ "likely": 1250,
3379
+ "high": 10000
3380
+ },
3381
+ "classAction": {
3382
+ "low": 0,
3383
+ "likely": 0,
3384
+ "high": 0
3385
+ },
3386
+ "lostBusiness": {
3387
+ "low": 0,
3388
+ "likely": 0,
3389
+ "high": 0
3390
+ }
3391
+ },
3392
+ "dominantDriver": "legal counsel",
3393
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3394
+ "confidence": "low",
3395
+ "narrative": "TOCTOU: file existence/permission check before open on `type-stubs.js:48` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3396
+ },
3397
+ "stableId": "d72348aa62acffcb",
3398
+ "confidenceTier": "medium",
3399
+ "exploitability": 0.2,
3400
+ "exploitabilityTier": "low",
3401
+ "exploitabilityFactors": [
3402
+ "sev:medium",
3403
+ "unreachable"
3404
+ ],
3405
+ "clusterSize": null,
3406
+ "unreachable": false,
3407
+ "validator_verdict": "unvalidated",
3408
+ "llm_confidence": null,
3409
+ "unvalidated": true,
3410
+ "cross_language": false,
3411
+ "family": "toctou-file-existence-permission-check-b",
3412
+ "parser": "TOCTOU",
3413
+ "_unsigned": false,
3414
+ "_passThroughSigning": false,
3415
+ "signatureStatus": "verified",
3416
+ "regression_test": null,
3417
+ "poc": null,
3418
+ "calibrated_confidence": null,
3419
+ "calibrated_confidence_ci": null,
3420
+ "calibrated_n": 0,
3421
+ "calibration_reason": "no-history",
3422
+ "verifier_verdict": "cannot-verify",
3423
+ "verifier_reason": "no-poc-no-sanitizer-rule",
3424
+ "verifier_runner": null,
3425
+ "narration": null,
3426
+ "mitigationVerdict": "unreachable-in-prod",
3427
+ "mitigationsApplied": [],
3428
+ "mitigatedByWaf": false,
3429
+ "wafRuleId": null,
3430
+ "mitigatedByAuth": false,
3431
+ "authMechanism": null,
3432
+ "mitigatedByNetwork": false,
3433
+ "networkExposure": null,
3434
+ "featureFlag": null,
3435
+ "featureFlagState": null,
3436
+ "featureFlagRollout": null,
3437
+ "exposedInProd": false,
3438
+ "unreachableInProd": true,
3439
+ "coldPath": false,
3440
+ "hotPath": false,
3441
+ "prodRequestCount": null,
3442
+ "crownJewelScore": 0.15,
3443
+ "crownJewelTier": "low-value",
3444
+ "crownJewelFactors": [
3445
+ "shell-execution"
3446
+ ],
3447
+ "cloneClusterId": "1ca765ccc2c8227c",
3448
+ "cloneClusterSize": 2,
3449
+ "provenance": "human-likely",
3450
+ "provenanceScore": 0.12,
3451
+ "typeNarrowed": null,
3452
+ "strideCategory": "tampering",
3453
+ "personaScores": {
3454
+ "script-kiddie": {
3455
+ "score": 0.4,
3456
+ "tier": "medium",
3457
+ "factors": [
3458
+ "sev:medium"
3459
+ ]
3460
+ },
3461
+ "opportunistic-criminal": {
3462
+ "score": 0.4,
3463
+ "tier": "medium",
3464
+ "factors": [
3465
+ "sev:medium"
3466
+ ]
3467
+ },
3468
+ "apt-nation-state": {
3469
+ "score": 0.4,
3470
+ "tier": "medium",
3471
+ "factors": [
3472
+ "sev:medium"
3473
+ ]
3474
+ },
3475
+ "supply-chain-attacker": {
3476
+ "score": 0.4,
3477
+ "tier": "medium",
3478
+ "factors": [
3479
+ "sev:medium"
3480
+ ]
3481
+ },
3482
+ "malicious-insider": {
3483
+ "score": 0.4,
3484
+ "tier": "medium",
3485
+ "factors": [
3486
+ "sev:medium"
3487
+ ]
3488
+ }
3489
+ },
3490
+ "personaTopTwo": [
3491
+ "script-kiddie",
3492
+ "opportunistic-criminal"
3493
+ ],
3494
+ "personaMaxName": "script-kiddie",
3495
+ "personaMaxScore": 0.4,
3496
+ "reverseExposure": null,
3497
+ "specMined": null,
3498
+ "whyFired": {
3499
+ "detector": "sast/toctou-file-existence-permission-check-b",
3500
+ "ruleId": "CWE-367",
3501
+ "parser": "TOCTOU",
3502
+ "evidence": {
3503
+ "sinkSnippet": "try { inputs.push(p + ':' + fs.statSync(fp).mtimeMs); } catch {}",
3504
+ "sourceSnippet": null,
3505
+ "pathSteps": [],
3506
+ "sanitizers": [],
3507
+ "guards": []
3508
+ },
3509
+ "considered": {
3510
+ "suppressionsApplied": [],
3511
+ "suppressionsSkipped": [],
3512
+ "reachabilityFilter": "unaffected",
3513
+ "clusterCollapsed": false,
3514
+ "typeNarrowed": false,
3515
+ "crownJewelTier": "low-value",
3516
+ "mitigationVerdict": "unreachable-in-prod"
3517
+ },
3518
+ "scanner": {
3519
+ "rulesetVersion": null,
3520
+ "packHash": null,
3521
+ "modelId": null
3522
+ }
3523
+ },
3524
+ "adversaryTranscript": null,
3525
+ "predictedBountyUsd": null,
3526
+ "bountyConfidence": null,
3527
+ "attackPlaybook": null
3528
+ },
3529
+ {
3530
+ "id": "logic:type-stubs.js:57:TOCTOU:_existsSync_followed_by_file_op",
3531
+ "kind": "logic",
3532
+ "severity": "medium",
3533
+ "vuln": "TOCTOU: existsSync followed by file op",
3534
+ "cwe": "CWE-367",
3535
+ "stride": "Tampering",
3536
+ "file": "type-stubs.js",
3537
+ "line": 57,
3538
+ "snippet": "if (!fs.existsSync(fp)) return null;",
3539
+ "fix": {
3540
+ "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
3541
+ "code": ""
3542
+ },
3543
+ "blastRadius": {
3544
+ "scope": "all-users",
3545
+ "dataAtRisk": [
3546
+ "config"
3547
+ ],
3548
+ "userCount": 50,
3549
+ "industry": "generic",
3550
+ "jurisdictions": [],
3551
+ "controlsApplied": [],
3552
+ "dollarBest": 23250,
3553
+ "dollarLikely": 136250,
3554
+ "dollarWorst": 775000,
3555
+ "dollarLow": 23250,
3556
+ "dollarHigh": 775000,
3557
+ "components": {
3558
+ "incidentResponse": {
3559
+ "low": 8000,
3560
+ "likely": 50000,
3561
+ "high": 250000
3562
+ },
3563
+ "legal": {
3564
+ "low": 10000,
3565
+ "likely": 75000,
3566
+ "high": 500000
3567
+ },
3568
+ "crisisPR": {
3569
+ "low": 0,
3570
+ "likely": 0,
3571
+ "high": 0
3572
+ },
3573
+ "notification": {
3574
+ "low": 5000,
3575
+ "likely": 10000,
3576
+ "high": 15000
3577
+ },
3578
+ "creditMonitoring": {
3579
+ "low": 0,
3580
+ "likely": 0,
3581
+ "high": 0
3582
+ },
3583
+ "regulatoryFines": {
3584
+ "low": 0,
3585
+ "likely": 0,
3586
+ "high": 0
3587
+ },
3588
+ "directDamage": {
3589
+ "low": 250,
3590
+ "likely": 1250,
3591
+ "high": 10000
3592
+ },
3593
+ "classAction": {
3594
+ "low": 0,
3595
+ "likely": 0,
3596
+ "high": 0
3597
+ },
3598
+ "lostBusiness": {
3599
+ "low": 0,
3600
+ "likely": 0,
3601
+ "high": 0
3602
+ }
3603
+ },
3604
+ "dominantDriver": "legal counsel",
3605
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3606
+ "confidence": "low",
3607
+ "narrative": "TOCTOU: existsSync followed by file op on `type-stubs.js:57` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3608
+ },
3609
+ "parser": "LOGIC",
3610
+ "family": null
3611
+ }
3612
+ ],
3613
+ "bundles": [],
3614
+ "routes": [],
3615
+ "components": [],
3616
+ "suppressedCount": 6,
3617
+ "blastRadiusSignals": {
3618
+ "industry": "generic",
3619
+ "industryConfidence": "low",
3620
+ "jurisdictions": [],
3621
+ "controls": [],
3622
+ "estimatedUsers": 50,
3623
+ "revenueIndicator": "pre-revenue",
3624
+ "hasStripe": false,
3625
+ "hasAuth": false,
3626
+ "hasUserTable": false,
3627
+ "hasPII": false,
3628
+ "hasPHI": false,
3629
+ "hasS3": false
3630
+ },
3631
+ "_v3": {
3632
+ "counterfactual": {
3633
+ "spofControls": [],
3634
+ "controlsDetected": 307
3635
+ },
3636
+ "threatModel": {
3637
+ "summary": {
3638
+ "assetCount": 0,
3639
+ "boundaryCount": 2,
3640
+ "strideCounts": {
3641
+ "spoofing": 0,
3642
+ "tampering": 1,
3643
+ "repudiation": 0,
3644
+ "informationDisclosure": 0,
3645
+ "denialOfService": 9,
3646
+ "elevationOfPrivilege": 0
3647
+ }
3648
+ },
3649
+ "assets": [],
3650
+ "trustBoundaries": [
3651
+ {
3652
+ "type": "db-edge",
3653
+ "file": "parser-py-cst.js",
3654
+ "line": 13,
3655
+ "label": null
3656
+ },
3657
+ {
3658
+ "type": "db-edge",
3659
+ "file": "parser-py.js",
3660
+ "line": 72,
3661
+ "label": null
3662
+ }
3663
+ ],
3664
+ "stride": {
3665
+ "spoofing": [],
3666
+ "tampering": [
3667
+ {
3668
+ "vuln": "TOCTOU: file existence/permission check before open",
3669
+ "file": "type-stubs.js",
3670
+ "line": 48,
3671
+ "severity": "medium"
3672
+ }
3673
+ ],
3674
+ "repudiation": [],
3675
+ "informationDisclosure": [],
3676
+ "denialOfService": [
3677
+ {
3678
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3679
+ "file": "type-stubs.js",
3680
+ "severity": "medium"
3681
+ },
3682
+ {
3683
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3684
+ "file": "type-stubs.js",
3685
+ "severity": "medium"
3686
+ },
3687
+ {
3688
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3689
+ "file": "type-stubs.js",
3690
+ "severity": "medium"
3691
+ },
3692
+ {
3693
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3694
+ "file": "type-stubs.js",
3695
+ "severity": "medium"
3696
+ },
3697
+ {
3698
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3699
+ "file": "type-stubs.js",
3700
+ "severity": "medium"
3701
+ },
3702
+ {
3703
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3704
+ "file": "type-stubs.js",
3705
+ "severity": "medium"
3706
+ },
3707
+ {
3708
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3709
+ "file": "type-stubs.js",
3710
+ "severity": "medium"
3711
+ },
3712
+ {
3713
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3714
+ "file": "type-stubs.js",
3715
+ "severity": "medium"
3716
+ },
3717
+ {
3718
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3719
+ "file": "parser-py-cst.js",
3720
+ "severity": "medium"
3721
+ }
3722
+ ],
3723
+ "elevationOfPrivilege": []
3724
+ }
3725
+ },
3726
+ "trustBoundaryDiagram": {
3727
+ "mermaid": "flowchart LR\n INTERNET((Internet))\n APP[\"Application\"]\n db_parser_py_cst_js_13[(\"db@parser-py-cst.js:13\")]\n db_parser_py_js_72[(\"db@parser-py.js:72\")]\n APP -->|db| db_parser_py_cst_js_13\n APP -->|db| db_parser_py_js_72\n class db_parser_py_cst_js_13 sev_medium;\n classDef sev_critical fill:#ffcccc,stroke:#a00,stroke-width:2px;\n classDef sev_high fill:#ffe0b2,stroke:#c60,stroke-width:2px;\n classDef sev_medium fill:#fff3cd,stroke:#a80;\n classDef sev_low fill:#e8eaf6,stroke:#557;",
3728
+ "nodes": [
3729
+ {
3730
+ "id": "INTERNET",
3731
+ "kind": "external",
3732
+ "label": "Internet"
3733
+ },
3734
+ {
3735
+ "id": "APP",
3736
+ "kind": "app",
3737
+ "label": "Application"
3738
+ },
3739
+ {
3740
+ "kind": "db",
3741
+ "id": "db_parser_py_cst_js_13",
3742
+ "label": "db@parser-py-cst.js:13"
3743
+ },
3744
+ {
3745
+ "kind": "db",
3746
+ "id": "db_parser_py_js_72",
3747
+ "label": "db@parser-py.js:72"
3748
+ }
3749
+ ],
3750
+ "edges": [
3751
+ {
3752
+ "from": "APP",
3753
+ "to": "db_parser_py_cst_js_13",
3754
+ "kind": "db"
3755
+ },
3756
+ {
3757
+ "from": "APP",
3758
+ "to": "db_parser_py_js_72",
3759
+ "kind": "db"
3760
+ }
3761
+ ],
3762
+ "decorations": [
3763
+ {
3764
+ "nodeId": "db_parser_py_cst_js_13",
3765
+ "severity": "medium",
3766
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3767
+ "file": "parser-py-cst.js"
3768
+ }
3769
+ ]
3770
+ },
3771
+ "calibrationDrift": {
3772
+ "alarms": [],
3773
+ "note": "no-feedback-data"
3774
+ }
3775
+ },
3776
+ "annotatorErrors": []
3777
+ }