@clear-capabilities/agentic-security-scanner 0.77.0 → 0.78.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (83)
  1. package/bin/.agentic-security/findings.json +1907 -0
  2. package/bin/.agentic-security/last-scan.json +1907 -0
  3. package/bin/.agentic-security/last-scan.json.sig +1 -0
  4. package/bin/.agentic-security/scan-history.json +115 -0
  5. package/bin/.agentic-security/streak.json +20 -0
  6. package/bin/agentic-security.js +33 -2
  7. package/dist/178.index.js +1 -1
  8. package/dist/384.index.js +1 -1
  9. package/dist/637.index.js +1 -1
  10. package/dist/718.index.js +106 -0
  11. package/dist/824.index.js +126 -0
  12. package/dist/838.index.js +1 -1
  13. package/dist/agentic-security.mjs +32 -32
  14. package/dist/agentic-security.mjs.sha256 +1 -1
  15. package/package.json +3 -3
  16. package/src/.agentic-security/findings.json +82642 -0
  17. package/src/.agentic-security/last-scan.json +82642 -0
  18. package/src/.agentic-security/last-scan.json.sig +1 -0
  19. package/src/.agentic-security/scan-history.json +10054 -0
  20. package/src/.agentic-security/streak.json +21 -0
  21. package/src/dataflow/.agentic-security/findings.json +3515 -0
  22. package/src/dataflow/.agentic-security/last-scan.json +3515 -0
  23. package/src/dataflow/.agentic-security/last-scan.json.sig +1 -0
  24. package/src/dataflow/.agentic-security/scan-history.json +702 -0
  25. package/src/dataflow/.agentic-security/streak.json +22 -0
  26. package/src/dataflow/async-sequencing.js +16 -7
  27. package/src/dataflow/builtin-summaries.js +131 -0
  28. package/src/dataflow/catalog.js +107 -0
  29. package/src/dataflow/cross-repo.js +75 -1
  30. package/src/dataflow/engine.js +129 -0
  31. package/src/dataflow/implicit-flow.js +24 -6
  32. package/src/dataflow/stub-aware-filter.js +69 -11
  33. package/src/dataflow/summaries.js +28 -3
  34. package/src/engine-parallel.js +70 -0
  35. package/src/engine.js +165 -15
  36. package/src/ir/.agentic-security/findings.json +3777 -0
  37. package/src/ir/.agentic-security/last-scan.json +3777 -0
  38. package/src/ir/.agentic-security/last-scan.json.sig +1 -0
  39. package/src/ir/.agentic-security/scan-history.json +771 -0
  40. package/src/ir/.agentic-security/streak.json +21 -0
  41. package/src/ir/index.js +22 -1
  42. package/src/ir/parser-go.js +403 -0
  43. package/src/ir/parser-js.js +2 -0
  44. package/src/ir/parser-php.js +330 -0
  45. package/src/ir/parser-py.helper.py +137 -11
  46. package/src/ir/parser-rb.js +309 -0
  47. package/src/posture/.agentic-security/findings.json +51562 -0
  48. package/src/posture/.agentic-security/last-scan.json +51562 -0
  49. package/src/posture/.agentic-security/last-scan.json.sig +1 -0
  50. package/src/posture/.agentic-security/scan-history.json +650 -0
  51. package/src/posture/.agentic-security/streak.json +20 -0
  52. package/src/posture/calibration.js +14 -0
  53. package/src/posture/triage.js +13 -0
  54. package/src/report/.agentic-security/findings.json +80 -0
  55. package/src/report/.agentic-security/last-scan.json +80 -0
  56. package/src/report/.agentic-security/last-scan.json.sig +1 -0
  57. package/src/report/.agentic-security/scan-history.json +35 -0
  58. package/src/report/.agentic-security/streak.json +22 -0
  59. package/src/report/index.js +23 -2
  60. package/src/sast/.agentic-security/findings.json +5190 -0
  61. package/src/sast/.agentic-security/last-scan.json +5190 -0
  62. package/src/sast/.agentic-security/last-scan.json.sig +1 -0
  63. package/src/sast/.agentic-security/scan-history.json +408 -0
  64. package/src/sast/.agentic-security/streak.json +20 -0
  65. package/src/sast/cache-poisoning.js +77 -0
  66. package/src/sast/comparison-safety.js +73 -0
  67. package/src/sast/db-taint.js +54 -0
  68. package/src/sast/graphql.js +127 -0
  69. package/src/sast/llm-stored-prompt.js +57 -0
  70. package/src/sast/mutation-xss.js +43 -0
  71. package/src/sast/nosql-injection.js +5 -0
  72. package/src/sast/null-byte-injection.js +76 -0
  73. package/src/sast/redos-nfa.js +338 -0
  74. package/src/sast/sensitive-data-logging.js +73 -0
  75. package/src/sast/weak-password-hash.js +77 -0
  76. package/src/sast/weak-randomness.js +100 -0
  77. package/src/sca/.agentic-security/findings.json +1587 -0
  78. package/src/sca/.agentic-security/last-scan.json +1587 -0
  79. package/src/sca/.agentic-security/last-scan.json.sig +1 -0
  80. package/src/sca/.agentic-security/scan-history.json +36 -0
  81. package/src/sca/.agentic-security/streak.json +21 -0
  82. package/src/sca/llm-function-extract.js +107 -0
  83. package/src/sca/vendor-detect.js +91 -0
@@ -0,0 +1,1587 @@
1
+ {
2
+ "scanId": "c0d36b32-79df-4614-9dd6-475907a34882",
3
+ "startedAt": "2026-05-27T13:30:13.810Z",
4
+ "durationMs": 185,
5
+ "scanned": {
6
+ "files": 6,
7
+ "lines": 0
8
+ },
9
+ "findings": [
10
+ {
11
+ "id": "struct:dep-confusion.js:56:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
12
+ "kind": "sast",
13
+ "severity": "medium",
14
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
15
+ "cwe": "CWE-400",
16
+ "owaspLlm": null,
17
+ "stride": "Denial of Service",
18
+ "file": "dep-confusion.js",
19
+ "line": 56,
20
+ "snippet": "if (!fs.existsSync(p)) continue;",
21
+ "fix": null,
22
+ "reachable": false,
23
+ "triage": 22,
24
+ "dataClasses": [],
25
+ "chain": null,
26
+ "confidence": 0.212,
27
+ "toxicity": 28,
28
+ "toxicityFactors": [
29
+ "http-facing"
30
+ ],
31
+ "toxicityLabel": "Medium",
32
+ "sources": null,
33
+ "epssScore": null,
34
+ "epssPercentile": null,
35
+ "epssCve": null,
36
+ "exploitedNow": false,
37
+ "tags": null,
38
+ "blastRadius": {
39
+ "scope": "all-users",
40
+ "dataAtRisk": [
41
+ "config"
42
+ ],
43
+ "userCount": 50,
44
+ "industry": "generic",
45
+ "jurisdictions": [],
46
+ "controlsApplied": [],
47
+ "dollarBest": 23250,
48
+ "dollarLikely": 136250,
49
+ "dollarWorst": 775000,
50
+ "dollarLow": 23250,
51
+ "dollarHigh": 775000,
52
+ "components": {
53
+ "incidentResponse": {
54
+ "low": 8000,
55
+ "likely": 50000,
56
+ "high": 250000
57
+ },
58
+ "legal": {
59
+ "low": 10000,
60
+ "likely": 75000,
61
+ "high": 500000
62
+ },
63
+ "crisisPR": {
64
+ "low": 0,
65
+ "likely": 0,
66
+ "high": 0
67
+ },
68
+ "notification": {
69
+ "low": 5000,
70
+ "likely": 10000,
71
+ "high": 15000
72
+ },
73
+ "creditMonitoring": {
74
+ "low": 0,
75
+ "likely": 0,
76
+ "high": 0
77
+ },
78
+ "regulatoryFines": {
79
+ "low": 0,
80
+ "likely": 0,
81
+ "high": 0
82
+ },
83
+ "directDamage": {
84
+ "low": 250,
85
+ "likely": 1250,
86
+ "high": 10000
87
+ },
88
+ "classAction": {
89
+ "low": 0,
90
+ "likely": 0,
91
+ "high": 0
92
+ },
93
+ "lostBusiness": {
94
+ "low": 0,
95
+ "likely": 0,
96
+ "high": 0
97
+ }
98
+ },
99
+ "dominantDriver": "legal counsel",
100
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
101
+ "confidence": "low",
102
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `dep-confusion.js:56` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
103
+ },
104
+ "stableId": "bfbb208a409e9dd2",
105
+ "confidenceTier": "very-low",
106
+ "exploitability": 0.2,
107
+ "exploitabilityTier": "low",
108
+ "exploitabilityFactors": [
109
+ "sev:medium",
110
+ "unreachable"
111
+ ],
112
+ "clusterSize": null,
113
+ "unreachable": false,
114
+ "validator_verdict": "unvalidated",
115
+ "llm_confidence": null,
116
+ "unvalidated": true,
117
+ "cross_language": false,
118
+ "family": "dos-sync-io",
119
+ "parser": "STRUCTURAL",
120
+ "_unsigned": false,
121
+ "_passThroughSigning": false,
122
+ "signatureStatus": "verified",
123
+ "regression_test": null,
124
+ "poc": null,
125
+ "calibrated_confidence": null,
126
+ "calibrated_confidence_ci": null,
127
+ "calibrated_n": 0,
128
+ "calibration_reason": "no-history",
129
+ "verifier_verdict": "cannot-verify",
130
+ "verifier_reason": "no-poc-no-sanitizer-rule",
131
+ "verifier_runner": null,
132
+ "narration": null,
133
+ "mitigationVerdict": "unreachable-in-prod",
134
+ "mitigationsApplied": [],
135
+ "mitigatedByWaf": false,
136
+ "wafRuleId": null,
137
+ "mitigatedByAuth": false,
138
+ "authMechanism": null,
139
+ "mitigatedByNetwork": false,
140
+ "networkExposure": null,
141
+ "featureFlag": null,
142
+ "featureFlagState": null,
143
+ "featureFlagRollout": null,
144
+ "exposedInProd": false,
145
+ "unreachableInProd": true,
146
+ "coldPath": false,
147
+ "hotPath": false,
148
+ "prodRequestCount": null,
149
+ "crownJewelScore": 0,
150
+ "crownJewelTier": "unknown",
151
+ "crownJewelFactors": [],
152
+ "cloneClusterId": "eed315f4ee037434",
153
+ "cloneClusterSize": 2,
154
+ "provenance": "human-likely",
155
+ "provenanceScore": 0,
156
+ "typeNarrowed": null,
157
+ "strideCategory": "denialOfService",
158
+ "personaScores": {
159
+ "script-kiddie": {
160
+ "score": 0.4,
161
+ "tier": "medium",
162
+ "factors": [
163
+ "sev:medium"
164
+ ]
165
+ },
166
+ "opportunistic-criminal": {
167
+ "score": 0.4,
168
+ "tier": "medium",
169
+ "factors": [
170
+ "sev:medium"
171
+ ]
172
+ },
173
+ "apt-nation-state": {
174
+ "score": 0.4,
175
+ "tier": "medium",
176
+ "factors": [
177
+ "sev:medium"
178
+ ]
179
+ },
180
+ "supply-chain-attacker": {
181
+ "score": 0.4,
182
+ "tier": "medium",
183
+ "factors": [
184
+ "sev:medium"
185
+ ]
186
+ },
187
+ "malicious-insider": {
188
+ "score": 0.4,
189
+ "tier": "medium",
190
+ "factors": [
191
+ "sev:medium"
192
+ ]
193
+ }
194
+ },
195
+ "personaTopTwo": [
196
+ "script-kiddie",
197
+ "opportunistic-criminal"
198
+ ],
199
+ "personaMaxName": "script-kiddie",
200
+ "personaMaxScore": 0.4,
201
+ "reverseExposure": null,
202
+ "specMined": null,
203
+ "whyFired": {
204
+ "detector": "sast/dos-sync-io",
205
+ "ruleId": "CWE-400",
206
+ "parser": "STRUCTURAL",
207
+ "evidence": {
208
+ "sinkSnippet": "if (!fs.existsSync(p)) continue;",
209
+ "sourceSnippet": "if (!fs.existsSync(p)) continue;",
210
+ "pathSteps": [],
211
+ "sanitizers": [],
212
+ "guards": []
213
+ },
214
+ "considered": {
215
+ "suppressionsApplied": [],
216
+ "suppressionsSkipped": [],
217
+ "reachabilityFilter": "unaffected",
218
+ "clusterCollapsed": false,
219
+ "typeNarrowed": false,
220
+ "crownJewelTier": "unknown",
221
+ "mitigationVerdict": "unreachable-in-prod"
222
+ },
223
+ "scanner": {
224
+ "rulesetVersion": null,
225
+ "packHash": null,
226
+ "modelId": null
227
+ }
228
+ },
229
+ "adversaryTranscript": null,
230
+ "predictedBountyUsd": {
231
+ "low": 10,
232
+ "likely": 40,
233
+ "high": 120,
234
+ "program": "web2"
235
+ },
236
+ "bountyConfidence": "high",
237
+ "attackPlaybook": null
238
+ },
239
+ {
240
+ "id": "struct:dep-confusion.js:58:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
241
+ "kind": "sast",
242
+ "severity": "medium",
243
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
244
+ "cwe": "CWE-400",
245
+ "owaspLlm": null,
246
+ "stride": "Denial of Service",
247
+ "file": "dep-confusion.js",
248
+ "line": 58,
249
+ "snippet": "const doc = yaml.load(fs.readFileSync(p, 'utf8'));",
250
+ "fix": null,
251
+ "reachable": false,
252
+ "triage": 22,
253
+ "dataClasses": [],
254
+ "chain": null,
255
+ "confidence": 0.212,
256
+ "toxicity": 28,
257
+ "toxicityFactors": [
258
+ "http-facing"
259
+ ],
260
+ "toxicityLabel": "Medium",
261
+ "sources": null,
262
+ "epssScore": null,
263
+ "epssPercentile": null,
264
+ "epssCve": null,
265
+ "exploitedNow": false,
266
+ "tags": null,
267
+ "blastRadius": {
268
+ "scope": "all-users",
269
+ "dataAtRisk": [
270
+ "config"
271
+ ],
272
+ "userCount": 50,
273
+ "industry": "generic",
274
+ "jurisdictions": [],
275
+ "controlsApplied": [],
276
+ "dollarBest": 23250,
277
+ "dollarLikely": 136250,
278
+ "dollarWorst": 775000,
279
+ "dollarLow": 23250,
280
+ "dollarHigh": 775000,
281
+ "components": {
282
+ "incidentResponse": {
283
+ "low": 8000,
284
+ "likely": 50000,
285
+ "high": 250000
286
+ },
287
+ "legal": {
288
+ "low": 10000,
289
+ "likely": 75000,
290
+ "high": 500000
291
+ },
292
+ "crisisPR": {
293
+ "low": 0,
294
+ "likely": 0,
295
+ "high": 0
296
+ },
297
+ "notification": {
298
+ "low": 5000,
299
+ "likely": 10000,
300
+ "high": 15000
301
+ },
302
+ "creditMonitoring": {
303
+ "low": 0,
304
+ "likely": 0,
305
+ "high": 0
306
+ },
307
+ "regulatoryFines": {
308
+ "low": 0,
309
+ "likely": 0,
310
+ "high": 0
311
+ },
312
+ "directDamage": {
313
+ "low": 250,
314
+ "likely": 1250,
315
+ "high": 10000
316
+ },
317
+ "classAction": {
318
+ "low": 0,
319
+ "likely": 0,
320
+ "high": 0
321
+ },
322
+ "lostBusiness": {
323
+ "low": 0,
324
+ "likely": 0,
325
+ "high": 0
326
+ }
327
+ },
328
+ "dominantDriver": "legal counsel",
329
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
330
+ "confidence": "low",
331
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `dep-confusion.js:58` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
332
+ },
333
+ "stableId": "85a3f4d03fefd43d",
334
+ "confidenceTier": "very-low",
335
+ "exploitability": 0.2,
336
+ "exploitabilityTier": "low",
337
+ "exploitabilityFactors": [
338
+ "sev:medium",
339
+ "unreachable"
340
+ ],
341
+ "clusterSize": null,
342
+ "unreachable": false,
343
+ "validator_verdict": "unvalidated",
344
+ "llm_confidence": null,
345
+ "unvalidated": true,
346
+ "cross_language": false,
347
+ "family": "dos-sync-io",
348
+ "parser": "STRUCTURAL",
349
+ "_unsigned": false,
350
+ "_passThroughSigning": false,
351
+ "signatureStatus": "verified",
352
+ "regression_test": null,
353
+ "poc": null,
354
+ "calibrated_confidence": null,
355
+ "calibrated_confidence_ci": null,
356
+ "calibrated_n": 0,
357
+ "calibration_reason": "no-history",
358
+ "verifier_verdict": "cannot-verify",
359
+ "verifier_reason": "no-poc-no-sanitizer-rule",
360
+ "verifier_runner": null,
361
+ "narration": null,
362
+ "mitigationVerdict": "unreachable-in-prod",
363
+ "mitigationsApplied": [],
364
+ "mitigatedByWaf": false,
365
+ "wafRuleId": null,
366
+ "mitigatedByAuth": false,
367
+ "authMechanism": null,
368
+ "mitigatedByNetwork": false,
369
+ "networkExposure": null,
370
+ "featureFlag": null,
371
+ "featureFlagState": null,
372
+ "featureFlagRollout": null,
373
+ "exposedInProd": false,
374
+ "unreachableInProd": true,
375
+ "coldPath": false,
376
+ "hotPath": false,
377
+ "prodRequestCount": null,
378
+ "crownJewelScore": 0,
379
+ "crownJewelTier": "unknown",
380
+ "crownJewelFactors": [],
381
+ "cloneClusterId": "8b60c3f57d48c622",
382
+ "cloneClusterSize": 1,
383
+ "provenance": "human-likely",
384
+ "provenanceScore": 0,
385
+ "typeNarrowed": null,
386
+ "strideCategory": "denialOfService",
387
+ "personaScores": {
388
+ "script-kiddie": {
389
+ "score": 0.4,
390
+ "tier": "medium",
391
+ "factors": [
392
+ "sev:medium"
393
+ ]
394
+ },
395
+ "opportunistic-criminal": {
396
+ "score": 0.4,
397
+ "tier": "medium",
398
+ "factors": [
399
+ "sev:medium"
400
+ ]
401
+ },
402
+ "apt-nation-state": {
403
+ "score": 0.4,
404
+ "tier": "medium",
405
+ "factors": [
406
+ "sev:medium"
407
+ ]
408
+ },
409
+ "supply-chain-attacker": {
410
+ "score": 0.4,
411
+ "tier": "medium",
412
+ "factors": [
413
+ "sev:medium"
414
+ ]
415
+ },
416
+ "malicious-insider": {
417
+ "score": 0.4,
418
+ "tier": "medium",
419
+ "factors": [
420
+ "sev:medium"
421
+ ]
422
+ }
423
+ },
424
+ "personaTopTwo": [
425
+ "script-kiddie",
426
+ "opportunistic-criminal"
427
+ ],
428
+ "personaMaxName": "script-kiddie",
429
+ "personaMaxScore": 0.4,
430
+ "reverseExposure": null,
431
+ "specMined": null,
432
+ "whyFired": {
433
+ "detector": "sast/dos-sync-io",
434
+ "ruleId": "CWE-400",
435
+ "parser": "STRUCTURAL",
436
+ "evidence": {
437
+ "sinkSnippet": "const doc = yaml.load(fs.readFileSync(p, 'utf8'));",
438
+ "sourceSnippet": "const doc = yaml.load(fs.readFileSync(p, 'utf8'));",
439
+ "pathSteps": [],
440
+ "sanitizers": [],
441
+ "guards": []
442
+ },
443
+ "considered": {
444
+ "suppressionsApplied": [],
445
+ "suppressionsSkipped": [],
446
+ "reachabilityFilter": "unaffected",
447
+ "clusterCollapsed": false,
448
+ "typeNarrowed": false,
449
+ "crownJewelTier": "unknown",
450
+ "mitigationVerdict": "unreachable-in-prod"
451
+ },
452
+ "scanner": {
453
+ "rulesetVersion": null,
454
+ "packHash": null,
455
+ "modelId": null
456
+ }
457
+ },
458
+ "adversaryTranscript": null,
459
+ "predictedBountyUsd": {
460
+ "low": 10,
461
+ "likely": 40,
462
+ "high": 120,
463
+ "program": "web2"
464
+ },
465
+ "bountyConfidence": "high",
466
+ "attackPlaybook": null
467
+ },
468
+ {
469
+ "id": "struct:llm-function-extract.js:24:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
470
+ "kind": "sast",
471
+ "severity": "medium",
472
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
473
+ "cwe": "CWE-400",
474
+ "owaspLlm": null,
475
+ "stride": "Denial of Service",
476
+ "file": "llm-function-extract.js",
477
+ "line": 24,
478
+ "snippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
479
+ "fix": null,
480
+ "reachable": false,
481
+ "triage": 22,
482
+ "dataClasses": [],
483
+ "chain": null,
484
+ "confidence": 0.212,
485
+ "toxicity": 28,
486
+ "toxicityFactors": [
487
+ "http-facing"
488
+ ],
489
+ "toxicityLabel": "Medium",
490
+ "sources": null,
491
+ "epssScore": null,
492
+ "epssPercentile": null,
493
+ "epssCve": null,
494
+ "exploitedNow": false,
495
+ "tags": null,
496
+ "blastRadius": {
497
+ "scope": "all-users",
498
+ "dataAtRisk": [
499
+ "config"
500
+ ],
501
+ "userCount": 50,
502
+ "industry": "generic",
503
+ "jurisdictions": [],
504
+ "controlsApplied": [],
505
+ "dollarBest": 23250,
506
+ "dollarLikely": 136250,
507
+ "dollarWorst": 775000,
508
+ "dollarLow": 23250,
509
+ "dollarHigh": 775000,
510
+ "components": {
511
+ "incidentResponse": {
512
+ "low": 8000,
513
+ "likely": 50000,
514
+ "high": 250000
515
+ },
516
+ "legal": {
517
+ "low": 10000,
518
+ "likely": 75000,
519
+ "high": 500000
520
+ },
521
+ "crisisPR": {
522
+ "low": 0,
523
+ "likely": 0,
524
+ "high": 0
525
+ },
526
+ "notification": {
527
+ "low": 5000,
528
+ "likely": 10000,
529
+ "high": 15000
530
+ },
531
+ "creditMonitoring": {
532
+ "low": 0,
533
+ "likely": 0,
534
+ "high": 0
535
+ },
536
+ "regulatoryFines": {
537
+ "low": 0,
538
+ "likely": 0,
539
+ "high": 0
540
+ },
541
+ "directDamage": {
542
+ "low": 250,
543
+ "likely": 1250,
544
+ "high": 10000
545
+ },
546
+ "classAction": {
547
+ "low": 0,
548
+ "likely": 0,
549
+ "high": 0
550
+ },
551
+ "lostBusiness": {
552
+ "low": 0,
553
+ "likely": 0,
554
+ "high": 0
555
+ }
556
+ },
557
+ "dominantDriver": "legal counsel",
558
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
559
+ "confidence": "low",
560
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `llm-function-extract.js:24` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
561
+ },
562
+ "stableId": "0c8c5b613b013dda",
563
+ "confidenceTier": "very-low",
564
+ "exploitability": 0.2,
565
+ "exploitabilityTier": "low",
566
+ "exploitabilityFactors": [
567
+ "sev:medium",
568
+ "unreachable"
569
+ ],
570
+ "clusterSize": null,
571
+ "unreachable": false,
572
+ "validator_verdict": "unvalidated",
573
+ "llm_confidence": null,
574
+ "unvalidated": true,
575
+ "cross_language": false,
576
+ "family": "dos-sync-io",
577
+ "parser": "STRUCTURAL",
578
+ "_unsigned": false,
579
+ "_passThroughSigning": false,
580
+ "signatureStatus": "verified",
581
+ "regression_test": null,
582
+ "poc": null,
583
+ "calibrated_confidence": null,
584
+ "calibrated_confidence_ci": null,
585
+ "calibrated_n": 0,
586
+ "calibration_reason": "no-history",
587
+ "verifier_verdict": "cannot-verify",
588
+ "verifier_reason": "no-poc-no-sanitizer-rule",
589
+ "verifier_runner": null,
590
+ "narration": null,
591
+ "mitigationVerdict": "unreachable-in-prod",
592
+ "mitigationsApplied": [],
593
+ "mitigatedByWaf": false,
594
+ "wafRuleId": null,
595
+ "mitigatedByAuth": false,
596
+ "authMechanism": null,
597
+ "mitigatedByNetwork": false,
598
+ "networkExposure": null,
599
+ "featureFlag": null,
600
+ "featureFlagState": null,
601
+ "featureFlagRollout": null,
602
+ "exposedInProd": false,
603
+ "unreachableInProd": true,
604
+ "coldPath": false,
605
+ "hotPath": false,
606
+ "prodRequestCount": null,
607
+ "crownJewelScore": 0.1,
608
+ "crownJewelTier": "low-value",
609
+ "crownJewelFactors": [
610
+ "reads-secret-env"
611
+ ],
612
+ "cloneClusterId": "b8a597058e30c50c",
613
+ "cloneClusterSize": 1,
614
+ "provenance": "human-likely",
615
+ "provenanceScore": 0.04,
616
+ "typeNarrowed": null,
617
+ "strideCategory": "denialOfService",
618
+ "personaScores": {
619
+ "script-kiddie": {
620
+ "score": 0.4,
621
+ "tier": "medium",
622
+ "factors": [
623
+ "sev:medium"
624
+ ]
625
+ },
626
+ "opportunistic-criminal": {
627
+ "score": 0.4,
628
+ "tier": "medium",
629
+ "factors": [
630
+ "sev:medium"
631
+ ]
632
+ },
633
+ "apt-nation-state": {
634
+ "score": 0.4,
635
+ "tier": "medium",
636
+ "factors": [
637
+ "sev:medium"
638
+ ]
639
+ },
640
+ "supply-chain-attacker": {
641
+ "score": 0.4,
642
+ "tier": "medium",
643
+ "factors": [
644
+ "sev:medium"
645
+ ]
646
+ },
647
+ "malicious-insider": {
648
+ "score": 0.4,
649
+ "tier": "medium",
650
+ "factors": [
651
+ "sev:medium"
652
+ ]
653
+ }
654
+ },
655
+ "personaTopTwo": [
656
+ "script-kiddie",
657
+ "opportunistic-criminal"
658
+ ],
659
+ "personaMaxName": "script-kiddie",
660
+ "personaMaxScore": 0.4,
661
+ "reverseExposure": null,
662
+ "specMined": null,
663
+ "whyFired": {
664
+ "detector": "sast/dos-sync-io",
665
+ "ruleId": "CWE-400",
666
+ "parser": "STRUCTURAL",
667
+ "evidence": {
668
+ "sinkSnippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
669
+ "sourceSnippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
670
+ "pathSteps": [],
671
+ "sanitizers": [],
672
+ "guards": []
673
+ },
674
+ "considered": {
675
+ "suppressionsApplied": [],
676
+ "suppressionsSkipped": [],
677
+ "reachabilityFilter": "unaffected",
678
+ "clusterCollapsed": false,
679
+ "typeNarrowed": false,
680
+ "crownJewelTier": "low-value",
681
+ "mitigationVerdict": "unreachable-in-prod"
682
+ },
683
+ "scanner": {
684
+ "rulesetVersion": null,
685
+ "packHash": null,
686
+ "modelId": null
687
+ }
688
+ },
689
+ "adversaryTranscript": null,
690
+ "predictedBountyUsd": {
691
+ "low": 10,
692
+ "likely": 40,
693
+ "high": 120,
694
+ "program": "web2"
695
+ },
696
+ "bountyConfidence": "high",
697
+ "attackPlaybook": null
698
+ },
699
+ {
700
+ "id": "struct:llm-function-extract.js:31:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
701
+ "kind": "sast",
702
+ "severity": "medium",
703
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
704
+ "cwe": "CWE-400",
705
+ "owaspLlm": null,
706
+ "stride": "Denial of Service",
707
+ "file": "llm-function-extract.js",
708
+ "line": 31,
709
+ "snippet": "fs.writeFileSync(path.join(CACHE_DIR, _cacheKey(osvId) + '.json'), JSON.stringify(data));",
710
+ "fix": null,
711
+ "reachable": false,
712
+ "triage": 22,
713
+ "dataClasses": [],
714
+ "chain": null,
715
+ "confidence": 0.212,
716
+ "toxicity": 28,
717
+ "toxicityFactors": [
718
+ "http-facing"
719
+ ],
720
+ "toxicityLabel": "Medium",
721
+ "sources": null,
722
+ "epssScore": null,
723
+ "epssPercentile": null,
724
+ "epssCve": null,
725
+ "exploitedNow": false,
726
+ "tags": null,
727
+ "blastRadius": {
728
+ "scope": "all-users",
729
+ "dataAtRisk": [
730
+ "config"
731
+ ],
732
+ "userCount": 50,
733
+ "industry": "generic",
734
+ "jurisdictions": [],
735
+ "controlsApplied": [],
736
+ "dollarBest": 23250,
737
+ "dollarLikely": 136250,
738
+ "dollarWorst": 775000,
739
+ "dollarLow": 23250,
740
+ "dollarHigh": 775000,
741
+ "components": {
742
+ "incidentResponse": {
743
+ "low": 8000,
744
+ "likely": 50000,
745
+ "high": 250000
746
+ },
747
+ "legal": {
748
+ "low": 10000,
749
+ "likely": 75000,
750
+ "high": 500000
751
+ },
752
+ "crisisPR": {
753
+ "low": 0,
754
+ "likely": 0,
755
+ "high": 0
756
+ },
757
+ "notification": {
758
+ "low": 5000,
759
+ "likely": 10000,
760
+ "high": 15000
761
+ },
762
+ "creditMonitoring": {
763
+ "low": 0,
764
+ "likely": 0,
765
+ "high": 0
766
+ },
767
+ "regulatoryFines": {
768
+ "low": 0,
769
+ "likely": 0,
770
+ "high": 0
771
+ },
772
+ "directDamage": {
773
+ "low": 250,
774
+ "likely": 1250,
775
+ "high": 10000
776
+ },
777
+ "classAction": {
778
+ "low": 0,
779
+ "likely": 0,
780
+ "high": 0
781
+ },
782
+ "lostBusiness": {
783
+ "low": 0,
784
+ "likely": 0,
785
+ "high": 0
786
+ }
787
+ },
788
+ "dominantDriver": "legal counsel",
789
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
790
+ "confidence": "low",
791
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `llm-function-extract.js:31` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
792
+ },
793
+ "stableId": "9c296e2c3069fe33",
794
+ "confidenceTier": "very-low",
795
+ "exploitability": 0.2,
796
+ "exploitabilityTier": "low",
797
+ "exploitabilityFactors": [
798
+ "sev:medium",
799
+ "unreachable"
800
+ ],
801
+ "clusterSize": null,
802
+ "unreachable": false,
803
+ "validator_verdict": "unvalidated",
804
+ "llm_confidence": null,
805
+ "unvalidated": true,
806
+ "cross_language": false,
807
+ "family": "dos-sync-io",
808
+ "parser": "STRUCTURAL",
809
+ "_unsigned": false,
810
+ "_passThroughSigning": false,
811
+ "signatureStatus": "verified",
812
+ "regression_test": null,
813
+ "poc": null,
814
+ "calibrated_confidence": null,
815
+ "calibrated_confidence_ci": null,
816
+ "calibrated_n": 0,
817
+ "calibration_reason": "no-history",
818
+ "verifier_verdict": "cannot-verify",
819
+ "verifier_reason": "no-poc-no-sanitizer-rule",
820
+ "verifier_runner": null,
821
+ "narration": null,
822
+ "mitigationVerdict": "unreachable-in-prod",
823
+ "mitigationsApplied": [],
824
+ "mitigatedByWaf": false,
825
+ "wafRuleId": null,
826
+ "mitigatedByAuth": false,
827
+ "authMechanism": null,
828
+ "mitigatedByNetwork": false,
829
+ "networkExposure": null,
830
+ "featureFlag": null,
831
+ "featureFlagState": null,
832
+ "featureFlagRollout": null,
833
+ "exposedInProd": false,
834
+ "unreachableInProd": true,
835
+ "coldPath": false,
836
+ "hotPath": false,
837
+ "prodRequestCount": null,
838
+ "crownJewelScore": 0.1,
839
+ "crownJewelTier": "low-value",
840
+ "crownJewelFactors": [
841
+ "reads-secret-env"
842
+ ],
843
+ "cloneClusterId": "f4d8f5169ad2f78e",
844
+ "cloneClusterSize": 1,
845
+ "provenance": "human-likely",
846
+ "provenanceScore": 0.04,
847
+ "typeNarrowed": null,
848
+ "strideCategory": "denialOfService",
849
+ "personaScores": {
850
+ "script-kiddie": {
851
+ "score": 0.4,
852
+ "tier": "medium",
853
+ "factors": [
854
+ "sev:medium"
855
+ ]
856
+ },
857
+ "opportunistic-criminal": {
858
+ "score": 0.4,
859
+ "tier": "medium",
860
+ "factors": [
861
+ "sev:medium"
862
+ ]
863
+ },
864
+ "apt-nation-state": {
865
+ "score": 0.4,
866
+ "tier": "medium",
867
+ "factors": [
868
+ "sev:medium"
869
+ ]
870
+ },
871
+ "supply-chain-attacker": {
872
+ "score": 0.4,
873
+ "tier": "medium",
874
+ "factors": [
875
+ "sev:medium"
876
+ ]
877
+ },
878
+ "malicious-insider": {
879
+ "score": 0.4,
880
+ "tier": "medium",
881
+ "factors": [
882
+ "sev:medium"
883
+ ]
884
+ }
885
+ },
886
+ "personaTopTwo": [
887
+ "script-kiddie",
888
+ "opportunistic-criminal"
889
+ ],
890
+ "personaMaxName": "script-kiddie",
891
+ "personaMaxScore": 0.4,
892
+ "reverseExposure": null,
893
+ "specMined": null,
894
+ "whyFired": {
895
+ "detector": "sast/dos-sync-io",
896
+ "ruleId": "CWE-400",
897
+ "parser": "STRUCTURAL",
898
+ "evidence": {
899
+ "sinkSnippet": "fs.writeFileSync(path.join(CACHE_DIR, _cacheKey(osvId) + '.json'), JSON.stringify(data));",
900
+ "sourceSnippet": "fs.writeFileSync(path.join(CACHE_DIR, _cacheKey(osvId) + '.json'), JSON.stringify(data));",
901
+ "pathSteps": [],
902
+ "sanitizers": [],
903
+ "guards": []
904
+ },
905
+ "considered": {
906
+ "suppressionsApplied": [],
907
+ "suppressionsSkipped": [],
908
+ "reachabilityFilter": "unaffected",
909
+ "clusterCollapsed": false,
910
+ "typeNarrowed": false,
911
+ "crownJewelTier": "low-value",
912
+ "mitigationVerdict": "unreachable-in-prod"
913
+ },
914
+ "scanner": {
915
+ "rulesetVersion": null,
916
+ "packHash": null,
917
+ "modelId": null
918
+ }
919
+ },
920
+ "adversaryTranscript": null,
921
+ "predictedBountyUsd": {
922
+ "low": 10,
923
+ "likely": 40,
924
+ "high": 120,
925
+ "program": "web2"
926
+ },
927
+ "bountyConfidence": "high",
928
+ "attackPlaybook": null
929
+ },
930
+ {
931
+ "id": "struct:sarif-ingest.js:112:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
932
+ "kind": "sast",
933
+ "severity": "medium",
934
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
935
+ "cwe": "CWE-400",
936
+ "owaspLlm": null,
937
+ "stride": "Denial of Service",
938
+ "file": "sarif-ingest.js",
939
+ "line": 112,
940
+ "snippet": "try { raw = fs.readFileSync(filePath, 'utf8'); }",
941
+ "fix": null,
942
+ "reachable": false,
943
+ "triage": 22,
944
+ "dataClasses": [],
945
+ "chain": null,
946
+ "confidence": 0.212,
947
+ "toxicity": 28,
948
+ "toxicityFactors": [
949
+ "http-facing"
950
+ ],
951
+ "toxicityLabel": "Medium",
952
+ "sources": null,
953
+ "epssScore": null,
954
+ "epssPercentile": null,
955
+ "epssCve": null,
956
+ "exploitedNow": false,
957
+ "tags": null,
958
+ "blastRadius": {
959
+ "scope": "all-users",
960
+ "dataAtRisk": [
961
+ "config"
962
+ ],
963
+ "userCount": 50,
964
+ "industry": "generic",
965
+ "jurisdictions": [],
966
+ "controlsApplied": [],
967
+ "dollarBest": 23250,
968
+ "dollarLikely": 136250,
969
+ "dollarWorst": 775000,
970
+ "dollarLow": 23250,
971
+ "dollarHigh": 775000,
972
+ "components": {
973
+ "incidentResponse": {
974
+ "low": 8000,
975
+ "likely": 50000,
976
+ "high": 250000
977
+ },
978
+ "legal": {
979
+ "low": 10000,
980
+ "likely": 75000,
981
+ "high": 500000
982
+ },
983
+ "crisisPR": {
984
+ "low": 0,
985
+ "likely": 0,
986
+ "high": 0
987
+ },
988
+ "notification": {
989
+ "low": 5000,
990
+ "likely": 10000,
991
+ "high": 15000
992
+ },
993
+ "creditMonitoring": {
994
+ "low": 0,
995
+ "likely": 0,
996
+ "high": 0
997
+ },
998
+ "regulatoryFines": {
999
+ "low": 0,
1000
+ "likely": 0,
1001
+ "high": 0
1002
+ },
1003
+ "directDamage": {
1004
+ "low": 250,
1005
+ "likely": 1250,
1006
+ "high": 10000
1007
+ },
1008
+ "classAction": {
1009
+ "low": 0,
1010
+ "likely": 0,
1011
+ "high": 0
1012
+ },
1013
+ "lostBusiness": {
1014
+ "low": 0,
1015
+ "likely": 0,
1016
+ "high": 0
1017
+ }
1018
+ },
1019
+ "dominantDriver": "legal counsel",
1020
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1021
+ "confidence": "low",
1022
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `sarif-ingest.js:112` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1023
+ },
1024
+ "stableId": "67c20060ced40339",
1025
+ "confidenceTier": "very-low",
1026
+ "exploitability": 0.2,
1027
+ "exploitabilityTier": "low",
1028
+ "exploitabilityFactors": [
1029
+ "sev:medium",
1030
+ "unreachable"
1031
+ ],
1032
+ "clusterSize": null,
1033
+ "unreachable": false,
1034
+ "validator_verdict": "unvalidated",
1035
+ "llm_confidence": null,
1036
+ "unvalidated": true,
1037
+ "cross_language": false,
1038
+ "family": "dos-sync-io",
1039
+ "parser": "STRUCTURAL",
1040
+ "_unsigned": false,
1041
+ "_passThroughSigning": false,
1042
+ "signatureStatus": "verified",
1043
+ "regression_test": null,
1044
+ "poc": null,
1045
+ "calibrated_confidence": null,
1046
+ "calibrated_confidence_ci": null,
1047
+ "calibrated_n": 0,
1048
+ "calibration_reason": "no-history",
1049
+ "verifier_verdict": "cannot-verify",
1050
+ "verifier_reason": "no-poc-no-sanitizer-rule",
1051
+ "verifier_runner": null,
1052
+ "narration": null,
1053
+ "mitigationVerdict": "unreachable-in-prod",
1054
+ "mitigationsApplied": [],
1055
+ "mitigatedByWaf": false,
1056
+ "wafRuleId": null,
1057
+ "mitigatedByAuth": false,
1058
+ "authMechanism": null,
1059
+ "mitigatedByNetwork": false,
1060
+ "networkExposure": null,
1061
+ "featureFlag": null,
1062
+ "featureFlagState": null,
1063
+ "featureFlagRollout": null,
1064
+ "exposedInProd": false,
1065
+ "unreachableInProd": true,
1066
+ "coldPath": false,
1067
+ "hotPath": false,
1068
+ "prodRequestCount": null,
1069
+ "crownJewelScore": 0,
1070
+ "crownJewelTier": "unknown",
1071
+ "crownJewelFactors": [],
1072
+ "cloneClusterId": "c5704ff81dc82f80",
1073
+ "cloneClusterSize": 1,
1074
+ "provenance": "human-likely",
1075
+ "provenanceScore": 0.04,
1076
+ "typeNarrowed": null,
1077
+ "strideCategory": "denialOfService",
1078
+ "personaScores": {
1079
+ "script-kiddie": {
1080
+ "score": 0.4,
1081
+ "tier": "medium",
1082
+ "factors": [
1083
+ "sev:medium"
1084
+ ]
1085
+ },
1086
+ "opportunistic-criminal": {
1087
+ "score": 0.4,
1088
+ "tier": "medium",
1089
+ "factors": [
1090
+ "sev:medium"
1091
+ ]
1092
+ },
1093
+ "apt-nation-state": {
1094
+ "score": 0.4,
1095
+ "tier": "medium",
1096
+ "factors": [
1097
+ "sev:medium"
1098
+ ]
1099
+ },
1100
+ "supply-chain-attacker": {
1101
+ "score": 0.4,
1102
+ "tier": "medium",
1103
+ "factors": [
1104
+ "sev:medium"
1105
+ ]
1106
+ },
1107
+ "malicious-insider": {
1108
+ "score": 0.4,
1109
+ "tier": "medium",
1110
+ "factors": [
1111
+ "sev:medium"
1112
+ ]
1113
+ }
1114
+ },
1115
+ "personaTopTwo": [
1116
+ "script-kiddie",
1117
+ "opportunistic-criminal"
1118
+ ],
1119
+ "personaMaxName": "script-kiddie",
1120
+ "personaMaxScore": 0.4,
1121
+ "reverseExposure": null,
1122
+ "specMined": null,
1123
+ "whyFired": {
1124
+ "detector": "sast/dos-sync-io",
1125
+ "ruleId": "CWE-400",
1126
+ "parser": "STRUCTURAL",
1127
+ "evidence": {
1128
+ "sinkSnippet": "try { raw = fs.readFileSync(filePath, 'utf8'); }",
1129
+ "sourceSnippet": "try { raw = fs.readFileSync(filePath, 'utf8'); }",
1130
+ "pathSteps": [],
1131
+ "sanitizers": [],
1132
+ "guards": []
1133
+ },
1134
+ "considered": {
1135
+ "suppressionsApplied": [],
1136
+ "suppressionsSkipped": [],
1137
+ "reachabilityFilter": "unaffected",
1138
+ "clusterCollapsed": false,
1139
+ "typeNarrowed": false,
1140
+ "crownJewelTier": "unknown",
1141
+ "mitigationVerdict": "unreachable-in-prod"
1142
+ },
1143
+ "scanner": {
1144
+ "rulesetVersion": null,
1145
+ "packHash": null,
1146
+ "modelId": null
1147
+ }
1148
+ },
1149
+ "adversaryTranscript": null,
1150
+ "predictedBountyUsd": {
1151
+ "low": 10,
1152
+ "likely": 40,
1153
+ "high": 120,
1154
+ "program": "web2"
1155
+ },
1156
+ "bountyConfidence": "high",
1157
+ "attackPlaybook": null
1158
+ },
1159
+ {
1160
+ "id": "toctou-fs:dep-confusion.js:56",
1161
+ "kind": "sast",
1162
+ "severity": "medium",
1163
+ "vuln": "TOCTOU: file existence/permission check before open",
1164
+ "cwe": "CWE-367",
1165
+ "owaspLlm": null,
1166
+ "stride": "Tampering",
1167
+ "file": "dep-confusion.js",
1168
+ "line": 56,
1169
+ "snippet": "if (!fs.existsSync(p)) continue;",
1170
+ "fix": null,
1171
+ "reachable": false,
1172
+ "triage": 22,
1173
+ "dataClasses": [],
1174
+ "chain": null,
1175
+ "confidence": 0.7,
1176
+ "toxicity": 8,
1177
+ "toxicityFactors": [],
1178
+ "toxicityLabel": "Low",
1179
+ "sources": null,
1180
+ "epssScore": null,
1181
+ "epssPercentile": null,
1182
+ "epssCve": null,
1183
+ "exploitedNow": false,
1184
+ "tags": null,
1185
+ "blastRadius": {
1186
+ "scope": "all-users",
1187
+ "dataAtRisk": [
1188
+ "config"
1189
+ ],
1190
+ "userCount": 50,
1191
+ "industry": "generic",
1192
+ "jurisdictions": [],
1193
+ "controlsApplied": [],
1194
+ "dollarBest": 23250,
1195
+ "dollarLikely": 136250,
1196
+ "dollarWorst": 775000,
1197
+ "dollarLow": 23250,
1198
+ "dollarHigh": 775000,
1199
+ "components": {
1200
+ "incidentResponse": {
1201
+ "low": 8000,
1202
+ "likely": 50000,
1203
+ "high": 250000
1204
+ },
1205
+ "legal": {
1206
+ "low": 10000,
1207
+ "likely": 75000,
1208
+ "high": 500000
1209
+ },
1210
+ "crisisPR": {
1211
+ "low": 0,
1212
+ "likely": 0,
1213
+ "high": 0
1214
+ },
1215
+ "notification": {
1216
+ "low": 5000,
1217
+ "likely": 10000,
1218
+ "high": 15000
1219
+ },
1220
+ "creditMonitoring": {
1221
+ "low": 0,
1222
+ "likely": 0,
1223
+ "high": 0
1224
+ },
1225
+ "regulatoryFines": {
1226
+ "low": 0,
1227
+ "likely": 0,
1228
+ "high": 0
1229
+ },
1230
+ "directDamage": {
1231
+ "low": 250,
1232
+ "likely": 1250,
1233
+ "high": 10000
1234
+ },
1235
+ "classAction": {
1236
+ "low": 0,
1237
+ "likely": 0,
1238
+ "high": 0
1239
+ },
1240
+ "lostBusiness": {
1241
+ "low": 0,
1242
+ "likely": 0,
1243
+ "high": 0
1244
+ }
1245
+ },
1246
+ "dominantDriver": "legal counsel",
1247
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1248
+ "confidence": "low",
1249
+ "narrative": "TOCTOU: file existence/permission check before open on `dep-confusion.js:56` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1250
+ },
1251
+ "stableId": "3beec8624848d7de",
1252
+ "confidenceTier": "medium",
1253
+ "exploitability": 0.2,
1254
+ "exploitabilityTier": "low",
1255
+ "exploitabilityFactors": [
1256
+ "sev:medium",
1257
+ "unreachable"
1258
+ ],
1259
+ "clusterSize": null,
1260
+ "unreachable": false,
1261
+ "validator_verdict": "unvalidated",
1262
+ "llm_confidence": null,
1263
+ "unvalidated": true,
1264
+ "cross_language": false,
1265
+ "family": "toctou-file-existence-permission-check-b",
1266
+ "parser": "TOCTOU",
1267
+ "_unsigned": false,
1268
+ "_passThroughSigning": false,
1269
+ "signatureStatus": "verified",
1270
+ "regression_test": null,
1271
+ "poc": null,
1272
+ "calibrated_confidence": null,
1273
+ "calibrated_confidence_ci": null,
1274
+ "calibrated_n": 0,
1275
+ "calibration_reason": "no-history",
1276
+ "verifier_verdict": "cannot-verify",
1277
+ "verifier_reason": "no-poc-no-sanitizer-rule",
1278
+ "verifier_runner": null,
1279
+ "narration": null,
1280
+ "mitigationVerdict": "unreachable-in-prod",
1281
+ "mitigationsApplied": [],
1282
+ "mitigatedByWaf": false,
1283
+ "wafRuleId": null,
1284
+ "mitigatedByAuth": false,
1285
+ "authMechanism": null,
1286
+ "mitigatedByNetwork": false,
1287
+ "networkExposure": null,
1288
+ "featureFlag": null,
1289
+ "featureFlagState": null,
1290
+ "featureFlagRollout": null,
1291
+ "exposedInProd": false,
1292
+ "unreachableInProd": true,
1293
+ "coldPath": false,
1294
+ "hotPath": false,
1295
+ "prodRequestCount": null,
1296
+ "crownJewelScore": 0,
1297
+ "crownJewelTier": "unknown",
1298
+ "crownJewelFactors": [],
1299
+ "cloneClusterId": "eed315f4ee037434",
1300
+ "cloneClusterSize": 2,
1301
+ "provenance": "human-likely",
1302
+ "provenanceScore": 0,
1303
+ "typeNarrowed": null,
1304
+ "strideCategory": "tampering",
1305
+ "personaScores": {
1306
+ "script-kiddie": {
1307
+ "score": 0.4,
1308
+ "tier": "medium",
1309
+ "factors": [
1310
+ "sev:medium"
1311
+ ]
1312
+ },
1313
+ "opportunistic-criminal": {
1314
+ "score": 0.4,
1315
+ "tier": "medium",
1316
+ "factors": [
1317
+ "sev:medium"
1318
+ ]
1319
+ },
1320
+ "apt-nation-state": {
1321
+ "score": 0.4,
1322
+ "tier": "medium",
1323
+ "factors": [
1324
+ "sev:medium"
1325
+ ]
1326
+ },
1327
+ "supply-chain-attacker": {
1328
+ "score": 0.4,
1329
+ "tier": "medium",
1330
+ "factors": [
1331
+ "sev:medium"
1332
+ ]
1333
+ },
1334
+ "malicious-insider": {
1335
+ "score": 0.4,
1336
+ "tier": "medium",
1337
+ "factors": [
1338
+ "sev:medium"
1339
+ ]
1340
+ }
1341
+ },
1342
+ "personaTopTwo": [
1343
+ "script-kiddie",
1344
+ "opportunistic-criminal"
1345
+ ],
1346
+ "personaMaxName": "script-kiddie",
1347
+ "personaMaxScore": 0.4,
1348
+ "reverseExposure": null,
1349
+ "specMined": null,
1350
+ "whyFired": {
1351
+ "detector": "sast/toctou-file-existence-permission-check-b",
1352
+ "ruleId": "CWE-367",
1353
+ "parser": "TOCTOU",
1354
+ "evidence": {
1355
+ "sinkSnippet": "if (!fs.existsSync(p)) continue;",
1356
+ "sourceSnippet": null,
1357
+ "pathSteps": [],
1358
+ "sanitizers": [],
1359
+ "guards": []
1360
+ },
1361
+ "considered": {
1362
+ "suppressionsApplied": [],
1363
+ "suppressionsSkipped": [],
1364
+ "reachabilityFilter": "unaffected",
1365
+ "clusterCollapsed": false,
1366
+ "typeNarrowed": false,
1367
+ "crownJewelTier": "unknown",
1368
+ "mitigationVerdict": "unreachable-in-prod"
1369
+ },
1370
+ "scanner": {
1371
+ "rulesetVersion": null,
1372
+ "packHash": null,
1373
+ "modelId": null
1374
+ }
1375
+ },
1376
+ "adversaryTranscript": null,
1377
+ "predictedBountyUsd": null,
1378
+ "bountyConfidence": null,
1379
+ "attackPlaybook": null
1380
+ },
1381
+ {
1382
+ "id": "logic:dep-confusion.js:56:TOCTOU:_existsSync_followed_by_file_op",
1383
+ "kind": "logic",
1384
+ "severity": "medium",
1385
+ "vuln": "TOCTOU: existsSync followed by file op",
1386
+ "cwe": "CWE-367",
1387
+ "stride": "Tampering",
1388
+ "file": "dep-confusion.js",
1389
+ "line": 56,
1390
+ "snippet": "if (!fs.existsSync(p)) continue;",
1391
+ "fix": {
1392
+ "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
1393
+ "code": ""
1394
+ },
1395
+ "blastRadius": {
1396
+ "scope": "all-users",
1397
+ "dataAtRisk": [
1398
+ "config"
1399
+ ],
1400
+ "userCount": 50,
1401
+ "industry": "generic",
1402
+ "jurisdictions": [],
1403
+ "controlsApplied": [],
1404
+ "dollarBest": 23250,
1405
+ "dollarLikely": 136250,
1406
+ "dollarWorst": 775000,
1407
+ "dollarLow": 23250,
1408
+ "dollarHigh": 775000,
1409
+ "components": {
1410
+ "incidentResponse": {
1411
+ "low": 8000,
1412
+ "likely": 50000,
1413
+ "high": 250000
1414
+ },
1415
+ "legal": {
1416
+ "low": 10000,
1417
+ "likely": 75000,
1418
+ "high": 500000
1419
+ },
1420
+ "crisisPR": {
1421
+ "low": 0,
1422
+ "likely": 0,
1423
+ "high": 0
1424
+ },
1425
+ "notification": {
1426
+ "low": 5000,
1427
+ "likely": 10000,
1428
+ "high": 15000
1429
+ },
1430
+ "creditMonitoring": {
1431
+ "low": 0,
1432
+ "likely": 0,
1433
+ "high": 0
1434
+ },
1435
+ "regulatoryFines": {
1436
+ "low": 0,
1437
+ "likely": 0,
1438
+ "high": 0
1439
+ },
1440
+ "directDamage": {
1441
+ "low": 250,
1442
+ "likely": 1250,
1443
+ "high": 10000
1444
+ },
1445
+ "classAction": {
1446
+ "low": 0,
1447
+ "likely": 0,
1448
+ "high": 0
1449
+ },
1450
+ "lostBusiness": {
1451
+ "low": 0,
1452
+ "likely": 0,
1453
+ "high": 0
1454
+ }
1455
+ },
1456
+ "dominantDriver": "legal counsel",
1457
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1458
+ "confidence": "low",
1459
+ "narrative": "TOCTOU: existsSync followed by file op on `dep-confusion.js:56` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1460
+ },
1461
+ "parser": "LOGIC",
1462
+ "family": null
1463
+ }
1464
+ ],
1465
+ "bundles": [],
1466
+ "routes": [],
1467
+ "components": [],
1468
+ "suppressedCount": 4,
1469
+ "blastRadiusSignals": {
1470
+ "industry": "generic",
1471
+ "industryConfidence": "low",
1472
+ "jurisdictions": [],
1473
+ "controls": [],
1474
+ "estimatedUsers": 50,
1475
+ "revenueIndicator": "pre-revenue",
1476
+ "hasStripe": false,
1477
+ "hasAuth": false,
1478
+ "hasUserTable": false,
1479
+ "hasPII": false,
1480
+ "hasPHI": false,
1481
+ "hasS3": false
1482
+ },
1483
+ "_v3": {
1484
+ "counterfactual": {
1485
+ "spofControls": [],
1486
+ "controlsDetected": 95
1487
+ },
1488
+ "threatModel": {
1489
+ "summary": {
1490
+ "assetCount": 1,
1491
+ "boundaryCount": 0,
1492
+ "strideCounts": {
1493
+ "spoofing": 0,
1494
+ "tampering": 1,
1495
+ "repudiation": 0,
1496
+ "informationDisclosure": 0,
1497
+ "denialOfService": 5,
1498
+ "elevationOfPrivilege": 0
1499
+ }
1500
+ },
1501
+ "assets": [
1502
+ {
1503
+ "name": "AGENTIC_SECURITY_LLM_API_KEY",
1504
+ "file": "llm-function-extract.js",
1505
+ "line": 41,
1506
+ "category": "secret",
1507
+ "exposure": "internal"
1508
+ }
1509
+ ],
1510
+ "trustBoundaries": [],
1511
+ "stride": {
1512
+ "spoofing": [],
1513
+ "tampering": [
1514
+ {
1515
+ "vuln": "TOCTOU: file existence/permission check before open",
1516
+ "file": "dep-confusion.js",
1517
+ "line": 56,
1518
+ "severity": "medium"
1519
+ }
1520
+ ],
1521
+ "repudiation": [],
1522
+ "informationDisclosure": [],
1523
+ "denialOfService": [
1524
+ {
1525
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1526
+ "file": "dep-confusion.js",
1527
+ "severity": "medium"
1528
+ },
1529
+ {
1530
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1531
+ "file": "dep-confusion.js",
1532
+ "severity": "medium"
1533
+ },
1534
+ {
1535
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1536
+ "file": "llm-function-extract.js",
1537
+ "severity": "medium"
1538
+ },
1539
+ {
1540
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1541
+ "file": "llm-function-extract.js",
1542
+ "severity": "medium"
1543
+ },
1544
+ {
1545
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1546
+ "file": "sarif-ingest.js",
1547
+ "severity": "medium"
1548
+ }
1549
+ ],
1550
+ "elevationOfPrivilege": []
1551
+ }
1552
+ },
1553
+ "trustBoundaryDiagram": {
1554
+ "mermaid": "flowchart LR\n INTERNET((Internet))\n APP[\"Application\"]\n asset_secret_AGENTIC_SECURITY_LLM_API_KEY[/\"secret: AGENTIC_SECURITY_LLM_API_KEY\"/]\n APP -->|asset| asset_secret_AGENTIC_SECURITY_LLM_API_KEY\n classDef sev_critical fill:#ffcccc,stroke:#a00,stroke-width:2px;\n classDef sev_high fill:#ffe0b2,stroke:#c60,stroke-width:2px;\n classDef sev_medium fill:#fff3cd,stroke:#a80;\n classDef sev_low fill:#e8eaf6,stroke:#557;",
1555
+ "nodes": [
1556
+ {
1557
+ "id": "INTERNET",
1558
+ "kind": "external",
1559
+ "label": "Internet"
1560
+ },
1561
+ {
1562
+ "id": "APP",
1563
+ "kind": "app",
1564
+ "label": "Application"
1565
+ },
1566
+ {
1567
+ "id": "asset_secret_AGENTIC_SECURITY_LLM_API_KEY",
1568
+ "kind": "asset",
1569
+ "label": "secret: AGENTIC_SECURITY_LLM_API_KEY"
1570
+ }
1571
+ ],
1572
+ "edges": [
1573
+ {
1574
+ "from": "APP",
1575
+ "to": "asset_secret_AGENTIC_SECURITY_LLM_API_KEY",
1576
+ "kind": "asset"
1577
+ }
1578
+ ],
1579
+ "decorations": []
1580
+ },
1581
+ "calibrationDrift": {
1582
+ "alarms": [],
1583
+ "note": "no-feedback-data"
1584
+ }
1585
+ },
1586
+ "annotatorErrors": []
1587
+ }