@clear-capabilities/agentic-security-scanner 0.78.0 → 0.79.0

Files changed (76)
  1. package/bin/.agentic-security/findings.json +16 -16
  2. package/bin/.agentic-security/last-scan.json +16 -16
  3. package/bin/.agentic-security/last-scan.json.sig +1 -1
  4. package/bin/.agentic-security/scan-history.json +51 -0
  5. package/bin/.agentic-security/streak.json +5 -5
  6. package/bin/agentic-security.js +22 -7
  7. package/dist/178.index.js +1 -1
  8. package/dist/384.index.js +1 -1
  9. package/dist/476.index.js +5 -5
  10. package/dist/637.index.js +1 -1
  11. package/dist/700.index.js +138 -0
  12. package/dist/718.index.js +53 -0
  13. package/dist/838.index.js +1 -1
  14. package/dist/985.index.js +5 -0
  15. package/dist/agentic-security.mjs +1 -1
  16. package/dist/agentic-security.mjs.sha256 +1 -1
  17. package/package.json +2 -2
  18. package/src/dataflow/engine.js +52 -8
  19. package/src/engine.js +107 -6
  20. package/src/integrations/index.js +2 -1
  21. package/src/ir/callgraph.js +27 -7
  22. package/src/llm-validator/index.js +7 -5
  23. package/src/mcp/audit.js +5 -0
  24. package/src/posture/calibration-drift.js +2 -1
  25. package/src/posture/calibration.js +3 -2
  26. package/src/posture/fix-history.js +8 -2
  27. package/src/posture/profile.js +4 -5
  28. package/src/posture/rule-overrides.js +2 -3
  29. package/src/posture/rule-pack-signing.js +2 -3
  30. package/src/posture/rule-synthesis.js +5 -6
  31. package/src/posture/security-trend.js +4 -7
  32. package/src/posture/state-dir.js +124 -0
  33. package/src/posture/streak.js +3 -0
  34. package/src/posture/suppressions.js +5 -8
  35. package/src/posture/triage.js +3 -5
  36. package/src/posture/validator-metrics.js +3 -6
  37. package/src/sast/db-taint.js +24 -0
  38. package/src/sast/rust.js +26 -0
  39. package/src/sca/binary-metadata.js +124 -0
  40. package/src/sca/py-package-functions.js +118 -0
  41. package/src/sca/vendor-detect.js +53 -0
  42. package/src/.agentic-security/findings.json +0 -82642
  43. package/src/.agentic-security/last-scan.json +0 -82642
  44. package/src/.agentic-security/last-scan.json.sig +0 -1
  45. package/src/.agentic-security/scan-history.json +0 -10054
  46. package/src/.agentic-security/streak.json +0 -21
  47. package/src/dataflow/.agentic-security/findings.json +0 -3515
  48. package/src/dataflow/.agentic-security/last-scan.json +0 -3515
  49. package/src/dataflow/.agentic-security/last-scan.json.sig +0 -1
  50. package/src/dataflow/.agentic-security/scan-history.json +0 -702
  51. package/src/dataflow/.agentic-security/streak.json +0 -22
  52. package/src/ir/.agentic-security/findings.json +0 -3777
  53. package/src/ir/.agentic-security/last-scan.json +0 -3777
  54. package/src/ir/.agentic-security/last-scan.json.sig +0 -1
  55. package/src/ir/.agentic-security/scan-history.json +0 -771
  56. package/src/ir/.agentic-security/streak.json +0 -21
  57. package/src/posture/.agentic-security/findings.json +0 -51562
  58. package/src/posture/.agentic-security/last-scan.json +0 -51562
  59. package/src/posture/.agentic-security/last-scan.json.sig +0 -1
  60. package/src/posture/.agentic-security/scan-history.json +0 -650
  61. package/src/posture/.agentic-security/streak.json +0 -20
  62. package/src/report/.agentic-security/findings.json +0 -80
  63. package/src/report/.agentic-security/last-scan.json +0 -80
  64. package/src/report/.agentic-security/last-scan.json.sig +0 -1
  65. package/src/report/.agentic-security/scan-history.json +0 -35
  66. package/src/report/.agentic-security/streak.json +0 -22
  67. package/src/sast/.agentic-security/findings.json +0 -5190
  68. package/src/sast/.agentic-security/last-scan.json +0 -5190
  69. package/src/sast/.agentic-security/last-scan.json.sig +0 -1
  70. package/src/sast/.agentic-security/scan-history.json +0 -408
  71. package/src/sast/.agentic-security/streak.json +0 -20
  72. package/src/sca/.agentic-security/findings.json +0 -1587
  73. package/src/sca/.agentic-security/last-scan.json +0 -1587
  74. package/src/sca/.agentic-security/last-scan.json.sig +0 -1
  75. package/src/sca/.agentic-security/scan-history.json +0 -36
  76. package/src/sca/.agentic-security/streak.json +0 -21
@@ -1,3515 +0,0 @@
1
- {
2
- "scanId": "e19aeff8-8736-4df3-9d8d-a4d227edb6b1",
3
- "startedAt": "2026-05-27T09:30:01.863Z",
4
- "durationMs": 501,
5
- "scanned": {
6
- "files": 28,
7
- "lines": 0
8
- },
9
- "findings": [
10
- {
11
- "id": "struct:incremental.js:50:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
12
- "kind": "sast",
13
- "severity": "medium",
14
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
15
- "cwe": "CWE-400",
16
- "owaspLlm": null,
17
- "stride": "Denial of Service",
18
- "file": "incremental.js",
19
- "line": 50,
20
- "snippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
21
- "fix": null,
22
- "reachable": false,
23
- "triage": 22,
24
- "dataClasses": [],
25
- "chain": null,
26
- "confidence": 0.212,
27
- "toxicity": 28,
28
- "toxicityFactors": [
29
- "http-facing"
30
- ],
31
- "toxicityLabel": "Medium",
32
- "sources": null,
33
- "epssScore": null,
34
- "epssPercentile": null,
35
- "epssCve": null,
36
- "exploitedNow": false,
37
- "tags": null,
38
- "blastRadius": {
39
- "scope": "all-users",
40
- "dataAtRisk": [
41
- "config"
42
- ],
43
- "userCount": 50,
44
- "industry": "generic",
45
- "jurisdictions": [],
46
- "controlsApplied": [],
47
- "dollarBest": 23250,
48
- "dollarLikely": 136250,
49
- "dollarWorst": 775000,
50
- "dollarLow": 23250,
51
- "dollarHigh": 775000,
52
- "components": {
53
- "incidentResponse": {
54
- "low": 8000,
55
- "likely": 50000,
56
- "high": 250000
57
- },
58
- "legal": {
59
- "low": 10000,
60
- "likely": 75000,
61
- "high": 500000
62
- },
63
- "crisisPR": {
64
- "low": 0,
65
- "likely": 0,
66
- "high": 0
67
- },
68
- "notification": {
69
- "low": 5000,
70
- "likely": 10000,
71
- "high": 15000
72
- },
73
- "creditMonitoring": {
74
- "low": 0,
75
- "likely": 0,
76
- "high": 0
77
- },
78
- "regulatoryFines": {
79
- "low": 0,
80
- "likely": 0,
81
- "high": 0
82
- },
83
- "directDamage": {
84
- "low": 250,
85
- "likely": 1250,
86
- "high": 10000
87
- },
88
- "classAction": {
89
- "low": 0,
90
- "likely": 0,
91
- "high": 0
92
- },
93
- "lostBusiness": {
94
- "low": 0,
95
- "likely": 0,
96
- "high": 0
97
- }
98
- },
99
- "dominantDriver": "legal counsel",
100
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
101
- "confidence": "low",
102
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:50` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
103
- },
104
- "stableId": "7e2db52a92ce3811",
105
- "confidenceTier": "very-low",
106
- "exploitability": 0.2,
107
- "exploitabilityTier": "low",
108
- "exploitabilityFactors": [
109
- "sev:medium",
110
- "unreachable"
111
- ],
112
- "clusterSize": null,
113
- "unreachable": false,
114
- "validator_verdict": "unvalidated",
115
- "llm_confidence": null,
116
- "unvalidated": true,
117
- "cross_language": false,
118
- "family": "dos-sync-io",
119
- "parser": "STRUCTURAL",
120
- "_unsigned": false,
121
- "_passThroughSigning": false,
122
- "signatureStatus": "verified",
123
- "regression_test": null,
124
- "poc": null,
125
- "calibrated_confidence": null,
126
- "calibrated_confidence_ci": null,
127
- "calibrated_n": 0,
128
- "calibration_reason": "no-history",
129
- "verifier_verdict": "cannot-verify",
130
- "verifier_reason": "no-poc-no-sanitizer-rule",
131
- "verifier_runner": null,
132
- "narration": null,
133
- "mitigationVerdict": "unreachable-in-prod",
134
- "mitigationsApplied": [],
135
- "mitigatedByWaf": false,
136
- "wafRuleId": null,
137
- "mitigatedByAuth": false,
138
- "authMechanism": null,
139
- "mitigatedByNetwork": false,
140
- "networkExposure": null,
141
- "featureFlag": null,
142
- "featureFlagState": null,
143
- "featureFlagRollout": null,
144
- "exposedInProd": false,
145
- "unreachableInProd": true,
146
- "coldPath": false,
147
- "hotPath": false,
148
- "prodRequestCount": null,
149
- "crownJewelScore": 0,
150
- "crownJewelTier": "unknown",
151
- "crownJewelFactors": [],
152
- "cloneClusterId": "bf9643a065f64945",
153
- "cloneClusterSize": 2,
154
- "provenance": "human-likely",
155
- "provenanceScore": 0.22,
156
- "typeNarrowed": null,
157
- "strideCategory": "denialOfService",
158
- "personaScores": {
159
- "script-kiddie": {
160
- "score": 0.4,
161
- "tier": "medium",
162
- "factors": [
163
- "sev:medium"
164
- ]
165
- },
166
- "opportunistic-criminal": {
167
- "score": 0.4,
168
- "tier": "medium",
169
- "factors": [
170
- "sev:medium"
171
- ]
172
- },
173
- "apt-nation-state": {
174
- "score": 0.4,
175
- "tier": "medium",
176
- "factors": [
177
- "sev:medium"
178
- ]
179
- },
180
- "supply-chain-attacker": {
181
- "score": 0.4,
182
- "tier": "medium",
183
- "factors": [
184
- "sev:medium"
185
- ]
186
- },
187
- "malicious-insider": {
188
- "score": 0.4,
189
- "tier": "medium",
190
- "factors": [
191
- "sev:medium"
192
- ]
193
- }
194
- },
195
- "personaTopTwo": [
196
- "script-kiddie",
197
- "opportunistic-criminal"
198
- ],
199
- "personaMaxName": "script-kiddie",
200
- "personaMaxScore": 0.4,
201
- "reverseExposure": null,
202
- "specMined": null,
203
- "whyFired": {
204
- "detector": "sast/dos-sync-io",
205
- "ruleId": "CWE-400",
206
- "parser": "STRUCTURAL",
207
- "evidence": {
208
- "sinkSnippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
209
- "sourceSnippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
210
- "pathSteps": [],
211
- "sanitizers": [],
212
- "guards": []
213
- },
214
- "considered": {
215
- "suppressionsApplied": [],
216
- "suppressionsSkipped": [],
217
- "reachabilityFilter": "unaffected",
218
- "clusterCollapsed": false,
219
- "typeNarrowed": false,
220
- "crownJewelTier": "unknown",
221
- "mitigationVerdict": "unreachable-in-prod"
222
- },
223
- "scanner": {
224
- "rulesetVersion": null,
225
- "packHash": null,
226
- "modelId": null
227
- }
228
- },
229
- "adversaryTranscript": null,
230
- "predictedBountyUsd": {
231
- "low": 10,
232
- "likely": 40,
233
- "high": 120,
234
- "program": "web2"
235
- },
236
- "bountyConfidence": "high",
237
- "attackPlaybook": null
238
- },
239
- {
240
- "id": "struct:incremental.js:51:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
241
- "kind": "sast",
242
- "severity": "medium",
243
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
244
- "cwe": "CWE-400",
245
- "owaspLlm": null,
246
- "stride": "Denial of Service",
247
- "file": "incremental.js",
248
- "line": 51,
249
- "snippet": "const v = JSON.parse(fs.readFileSync(versionFp, 'utf8'));",
250
- "fix": null,
251
- "reachable": false,
252
- "triage": 22,
253
- "dataClasses": [],
254
- "chain": null,
255
- "confidence": 0.212,
256
- "toxicity": 28,
257
- "toxicityFactors": [
258
- "http-facing"
259
- ],
260
- "toxicityLabel": "Medium",
261
- "sources": null,
262
- "epssScore": null,
263
- "epssPercentile": null,
264
- "epssCve": null,
265
- "exploitedNow": false,
266
- "tags": null,
267
- "blastRadius": {
268
- "scope": "all-users",
269
- "dataAtRisk": [
270
- "config"
271
- ],
272
- "userCount": 50,
273
- "industry": "generic",
274
- "jurisdictions": [],
275
- "controlsApplied": [],
276
- "dollarBest": 23250,
277
- "dollarLikely": 136250,
278
- "dollarWorst": 775000,
279
- "dollarLow": 23250,
280
- "dollarHigh": 775000,
281
- "components": {
282
- "incidentResponse": {
283
- "low": 8000,
284
- "likely": 50000,
285
- "high": 250000
286
- },
287
- "legal": {
288
- "low": 10000,
289
- "likely": 75000,
290
- "high": 500000
291
- },
292
- "crisisPR": {
293
- "low": 0,
294
- "likely": 0,
295
- "high": 0
296
- },
297
- "notification": {
298
- "low": 5000,
299
- "likely": 10000,
300
- "high": 15000
301
- },
302
- "creditMonitoring": {
303
- "low": 0,
304
- "likely": 0,
305
- "high": 0
306
- },
307
- "regulatoryFines": {
308
- "low": 0,
309
- "likely": 0,
310
- "high": 0
311
- },
312
- "directDamage": {
313
- "low": 250,
314
- "likely": 1250,
315
- "high": 10000
316
- },
317
- "classAction": {
318
- "low": 0,
319
- "likely": 0,
320
- "high": 0
321
- },
322
- "lostBusiness": {
323
- "low": 0,
324
- "likely": 0,
325
- "high": 0
326
- }
327
- },
328
- "dominantDriver": "legal counsel",
329
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
330
- "confidence": "low",
331
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:51` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
332
- },
333
- "stableId": "333259288508799a",
334
- "confidenceTier": "very-low",
335
- "exploitability": 0.2,
336
- "exploitabilityTier": "low",
337
- "exploitabilityFactors": [
338
- "sev:medium",
339
- "unreachable"
340
- ],
341
- "clusterSize": null,
342
- "unreachable": false,
343
- "validator_verdict": "unvalidated",
344
- "llm_confidence": null,
345
- "unvalidated": true,
346
- "cross_language": false,
347
- "family": "dos-sync-io",
348
- "parser": "STRUCTURAL",
349
- "_unsigned": false,
350
- "_passThroughSigning": false,
351
- "signatureStatus": "verified",
352
- "regression_test": null,
353
- "poc": null,
354
- "calibrated_confidence": null,
355
- "calibrated_confidence_ci": null,
356
- "calibrated_n": 0,
357
- "calibration_reason": "no-history",
358
- "verifier_verdict": "cannot-verify",
359
- "verifier_reason": "no-poc-no-sanitizer-rule",
360
- "verifier_runner": null,
361
- "narration": null,
362
- "mitigationVerdict": "unreachable-in-prod",
363
- "mitigationsApplied": [],
364
- "mitigatedByWaf": false,
365
- "wafRuleId": null,
366
- "mitigatedByAuth": false,
367
- "authMechanism": null,
368
- "mitigatedByNetwork": false,
369
- "networkExposure": null,
370
- "featureFlag": null,
371
- "featureFlagState": null,
372
- "featureFlagRollout": null,
373
- "exposedInProd": false,
374
- "unreachableInProd": true,
375
- "coldPath": false,
376
- "hotPath": false,
377
- "prodRequestCount": null,
378
- "crownJewelScore": 0,
379
- "crownJewelTier": "unknown",
380
- "crownJewelFactors": [],
381
- "cloneClusterId": "8b60c3f57d48c622",
382
- "cloneClusterSize": 1,
383
- "provenance": "human-likely",
384
- "provenanceScore": 0.22,
385
- "typeNarrowed": null,
386
- "strideCategory": "denialOfService",
387
- "personaScores": {
388
- "script-kiddie": {
389
- "score": 0.4,
390
- "tier": "medium",
391
- "factors": [
392
- "sev:medium"
393
- ]
394
- },
395
- "opportunistic-criminal": {
396
- "score": 0.4,
397
- "tier": "medium",
398
- "factors": [
399
- "sev:medium"
400
- ]
401
- },
402
- "apt-nation-state": {
403
- "score": 0.4,
404
- "tier": "medium",
405
- "factors": [
406
- "sev:medium"
407
- ]
408
- },
409
- "supply-chain-attacker": {
410
- "score": 0.4,
411
- "tier": "medium",
412
- "factors": [
413
- "sev:medium"
414
- ]
415
- },
416
- "malicious-insider": {
417
- "score": 0.4,
418
- "tier": "medium",
419
- "factors": [
420
- "sev:medium"
421
- ]
422
- }
423
- },
424
- "personaTopTwo": [
425
- "script-kiddie",
426
- "opportunistic-criminal"
427
- ],
428
- "personaMaxName": "script-kiddie",
429
- "personaMaxScore": 0.4,
430
- "reverseExposure": null,
431
- "specMined": null,
432
- "whyFired": {
433
- "detector": "sast/dos-sync-io",
434
- "ruleId": "CWE-400",
435
- "parser": "STRUCTURAL",
436
- "evidence": {
437
- "sinkSnippet": "const v = JSON.parse(fs.readFileSync(versionFp, 'utf8'));",
438
- "sourceSnippet": "const v = JSON.parse(fs.readFileSync(versionFp, 'utf8'));",
439
- "pathSteps": [],
440
- "sanitizers": [],
441
- "guards": []
442
- },
443
- "considered": {
444
- "suppressionsApplied": [],
445
- "suppressionsSkipped": [],
446
- "reachabilityFilter": "unaffected",
447
- "clusterCollapsed": false,
448
- "typeNarrowed": false,
449
- "crownJewelTier": "unknown",
450
- "mitigationVerdict": "unreachable-in-prod"
451
- },
452
- "scanner": {
453
- "rulesetVersion": null,
454
- "packHash": null,
455
- "modelId": null
456
- }
457
- },
458
- "adversaryTranscript": null,
459
- "predictedBountyUsd": {
460
- "low": 10,
461
- "likely": 40,
462
- "high": 120,
463
- "program": "web2"
464
- },
465
- "bountyConfidence": "high",
466
- "attackPlaybook": null
467
- },
468
- {
469
- "id": "struct:incremental.js:68:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
470
- "kind": "sast",
471
- "severity": "medium",
472
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
473
- "cwe": "CWE-400",
474
- "owaspLlm": null,
475
- "stride": "Denial of Service",
476
- "file": "incremental.js",
477
- "line": 68,
478
- "snippet": "if (!fs.existsSync(fp)) return fallback;",
479
- "fix": null,
480
- "reachable": false,
481
- "triage": 22,
482
- "dataClasses": [],
483
- "chain": null,
484
- "confidence": 0.212,
485
- "toxicity": 28,
486
- "toxicityFactors": [
487
- "http-facing"
488
- ],
489
- "toxicityLabel": "Medium",
490
- "sources": null,
491
- "epssScore": null,
492
- "epssPercentile": null,
493
- "epssCve": null,
494
- "exploitedNow": false,
495
- "tags": null,
496
- "blastRadius": {
497
- "scope": "all-users",
498
- "dataAtRisk": [
499
- "config"
500
- ],
501
- "userCount": 50,
502
- "industry": "generic",
503
- "jurisdictions": [],
504
- "controlsApplied": [],
505
- "dollarBest": 23250,
506
- "dollarLikely": 136250,
507
- "dollarWorst": 775000,
508
- "dollarLow": 23250,
509
- "dollarHigh": 775000,
510
- "components": {
511
- "incidentResponse": {
512
- "low": 8000,
513
- "likely": 50000,
514
- "high": 250000
515
- },
516
- "legal": {
517
- "low": 10000,
518
- "likely": 75000,
519
- "high": 500000
520
- },
521
- "crisisPR": {
522
- "low": 0,
523
- "likely": 0,
524
- "high": 0
525
- },
526
- "notification": {
527
- "low": 5000,
528
- "likely": 10000,
529
- "high": 15000
530
- },
531
- "creditMonitoring": {
532
- "low": 0,
533
- "likely": 0,
534
- "high": 0
535
- },
536
- "regulatoryFines": {
537
- "low": 0,
538
- "likely": 0,
539
- "high": 0
540
- },
541
- "directDamage": {
542
- "low": 250,
543
- "likely": 1250,
544
- "high": 10000
545
- },
546
- "classAction": {
547
- "low": 0,
548
- "likely": 0,
549
- "high": 0
550
- },
551
- "lostBusiness": {
552
- "low": 0,
553
- "likely": 0,
554
- "high": 0
555
- }
556
- },
557
- "dominantDriver": "legal counsel",
558
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
559
- "confidence": "low",
560
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:68` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
561
- },
562
- "stableId": "6862d6baf0b923f7",
563
- "confidenceTier": "very-low",
564
- "exploitability": 0.2,
565
- "exploitabilityTier": "low",
566
- "exploitabilityFactors": [
567
- "sev:medium",
568
- "unreachable"
569
- ],
570
- "clusterSize": null,
571
- "unreachable": false,
572
- "validator_verdict": "unvalidated",
573
- "llm_confidence": null,
574
- "unvalidated": true,
575
- "cross_language": false,
576
- "family": "dos-sync-io",
577
- "parser": "STRUCTURAL",
578
- "_unsigned": false,
579
- "_passThroughSigning": false,
580
- "signatureStatus": "verified",
581
- "regression_test": null,
582
- "poc": null,
583
- "calibrated_confidence": null,
584
- "calibrated_confidence_ci": null,
585
- "calibrated_n": 0,
586
- "calibration_reason": "no-history",
587
- "verifier_verdict": "cannot-verify",
588
- "verifier_reason": "no-poc-no-sanitizer-rule",
589
- "verifier_runner": null,
590
- "narration": null,
591
- "mitigationVerdict": "unreachable-in-prod",
592
- "mitigationsApplied": [],
593
- "mitigatedByWaf": false,
594
- "wafRuleId": null,
595
- "mitigatedByAuth": false,
596
- "authMechanism": null,
597
- "mitigatedByNetwork": false,
598
- "networkExposure": null,
599
- "featureFlag": null,
600
- "featureFlagState": null,
601
- "featureFlagRollout": null,
602
- "exposedInProd": false,
603
- "unreachableInProd": true,
604
- "coldPath": false,
605
- "hotPath": false,
606
- "prodRequestCount": null,
607
- "crownJewelScore": 0,
608
- "crownJewelTier": "unknown",
609
- "crownJewelFactors": [],
610
- "cloneClusterId": "39f1d6db55cace1d",
611
- "cloneClusterSize": 2,
612
- "provenance": "human-likely",
613
- "provenanceScore": 0.22,
614
- "typeNarrowed": null,
615
- "strideCategory": "denialOfService",
616
- "personaScores": {
617
- "script-kiddie": {
618
- "score": 0.4,
619
- "tier": "medium",
620
- "factors": [
621
- "sev:medium"
622
- ]
623
- },
624
- "opportunistic-criminal": {
625
- "score": 0.4,
626
- "tier": "medium",
627
- "factors": [
628
- "sev:medium"
629
- ]
630
- },
631
- "apt-nation-state": {
632
- "score": 0.4,
633
- "tier": "medium",
634
- "factors": [
635
- "sev:medium"
636
- ]
637
- },
638
- "supply-chain-attacker": {
639
- "score": 0.4,
640
- "tier": "medium",
641
- "factors": [
642
- "sev:medium"
643
- ]
644
- },
645
- "malicious-insider": {
646
- "score": 0.4,
647
- "tier": "medium",
648
- "factors": [
649
- "sev:medium"
650
- ]
651
- }
652
- },
653
- "personaTopTwo": [
654
- "script-kiddie",
655
- "opportunistic-criminal"
656
- ],
657
- "personaMaxName": "script-kiddie",
658
- "personaMaxScore": 0.4,
659
- "reverseExposure": null,
660
- "specMined": null,
661
- "whyFired": {
662
- "detector": "sast/dos-sync-io",
663
- "ruleId": "CWE-400",
664
- "parser": "STRUCTURAL",
665
- "evidence": {
666
- "sinkSnippet": "if (!fs.existsSync(fp)) return fallback;",
667
- "sourceSnippet": "if (!fs.existsSync(fp)) return fallback;",
668
- "pathSteps": [],
669
- "sanitizers": [],
670
- "guards": []
671
- },
672
- "considered": {
673
- "suppressionsApplied": [],
674
- "suppressionsSkipped": [],
675
- "reachabilityFilter": "unaffected",
676
- "clusterCollapsed": false,
677
- "typeNarrowed": false,
678
- "crownJewelTier": "unknown",
679
- "mitigationVerdict": "unreachable-in-prod"
680
- },
681
- "scanner": {
682
- "rulesetVersion": null,
683
- "packHash": null,
684
- "modelId": null
685
- }
686
- },
687
- "adversaryTranscript": null,
688
- "predictedBountyUsd": {
689
- "low": 10,
690
- "likely": 40,
691
- "high": 120,
692
- "program": "web2"
693
- },
694
- "bountyConfidence": "high",
695
- "attackPlaybook": null
696
- },
697
- {
698
- "id": "struct:incremental.js:69:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
699
- "kind": "sast",
700
- "severity": "medium",
701
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
702
- "cwe": "CWE-400",
703
- "owaspLlm": null,
704
- "stride": "Denial of Service",
705
- "file": "incremental.js",
706
- "line": 69,
707
- "snippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
708
- "fix": null,
709
- "reachable": false,
710
- "triage": 22,
711
- "dataClasses": [],
712
- "chain": null,
713
- "confidence": 0.212,
714
- "toxicity": 28,
715
- "toxicityFactors": [
716
- "http-facing"
717
- ],
718
- "toxicityLabel": "Medium",
719
- "sources": null,
720
- "epssScore": null,
721
- "epssPercentile": null,
722
- "epssCve": null,
723
- "exploitedNow": false,
724
- "tags": null,
725
- "blastRadius": {
726
- "scope": "all-users",
727
- "dataAtRisk": [
728
- "config"
729
- ],
730
- "userCount": 50,
731
- "industry": "generic",
732
- "jurisdictions": [],
733
- "controlsApplied": [],
734
- "dollarBest": 23250,
735
- "dollarLikely": 136250,
736
- "dollarWorst": 775000,
737
- "dollarLow": 23250,
738
- "dollarHigh": 775000,
739
- "components": {
740
- "incidentResponse": {
741
- "low": 8000,
742
- "likely": 50000,
743
- "high": 250000
744
- },
745
- "legal": {
746
- "low": 10000,
747
- "likely": 75000,
748
- "high": 500000
749
- },
750
- "crisisPR": {
751
- "low": 0,
752
- "likely": 0,
753
- "high": 0
754
- },
755
- "notification": {
756
- "low": 5000,
757
- "likely": 10000,
758
- "high": 15000
759
- },
760
- "creditMonitoring": {
761
- "low": 0,
762
- "likely": 0,
763
- "high": 0
764
- },
765
- "regulatoryFines": {
766
- "low": 0,
767
- "likely": 0,
768
- "high": 0
769
- },
770
- "directDamage": {
771
- "low": 250,
772
- "likely": 1250,
773
- "high": 10000
774
- },
775
- "classAction": {
776
- "low": 0,
777
- "likely": 0,
778
- "high": 0
779
- },
780
- "lostBusiness": {
781
- "low": 0,
782
- "likely": 0,
783
- "high": 0
784
- }
785
- },
786
- "dominantDriver": "legal counsel",
787
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
788
- "confidence": "low",
789
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:69` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
790
- },
791
- "stableId": "7314934acc70477c",
792
- "confidenceTier": "very-low",
793
- "exploitability": 0.2,
794
- "exploitabilityTier": "low",
795
- "exploitabilityFactors": [
796
- "sev:medium",
797
- "unreachable"
798
- ],
799
- "clusterSize": null,
800
- "unreachable": false,
801
- "validator_verdict": "unvalidated",
802
- "llm_confidence": null,
803
- "unvalidated": true,
804
- "cross_language": false,
805
- "family": "dos-sync-io",
806
- "parser": "STRUCTURAL",
807
- "_unsigned": false,
808
- "_passThroughSigning": false,
809
- "signatureStatus": "verified",
810
- "regression_test": null,
811
- "poc": null,
812
- "calibrated_confidence": null,
813
- "calibrated_confidence_ci": null,
814
- "calibrated_n": 0,
815
- "calibration_reason": "no-history",
816
- "verifier_verdict": "cannot-verify",
817
- "verifier_reason": "no-poc-no-sanitizer-rule",
818
- "verifier_runner": null,
819
- "narration": null,
820
- "mitigationVerdict": "unreachable-in-prod",
821
- "mitigationsApplied": [],
822
- "mitigatedByWaf": false,
823
- "wafRuleId": null,
824
- "mitigatedByAuth": false,
825
- "authMechanism": null,
826
- "mitigatedByNetwork": false,
827
- "networkExposure": null,
828
- "featureFlag": null,
829
- "featureFlagState": null,
830
- "featureFlagRollout": null,
831
- "exposedInProd": false,
832
- "unreachableInProd": true,
833
- "coldPath": false,
834
- "hotPath": false,
835
- "prodRequestCount": null,
836
- "crownJewelScore": 0,
837
- "crownJewelTier": "unknown",
838
- "crownJewelFactors": [],
839
- "cloneClusterId": "b8a597058e30c50c",
840
- "cloneClusterSize": 1,
841
- "provenance": "human-likely",
842
- "provenanceScore": 0.22,
843
- "typeNarrowed": null,
844
- "strideCategory": "denialOfService",
845
- "personaScores": {
846
- "script-kiddie": {
847
- "score": 0.4,
848
- "tier": "medium",
849
- "factors": [
850
- "sev:medium"
851
- ]
852
- },
853
- "opportunistic-criminal": {
854
- "score": 0.4,
855
- "tier": "medium",
856
- "factors": [
857
- "sev:medium"
858
- ]
859
- },
860
- "apt-nation-state": {
861
- "score": 0.4,
862
- "tier": "medium",
863
- "factors": [
864
- "sev:medium"
865
- ]
866
- },
867
- "supply-chain-attacker": {
868
- "score": 0.4,
869
- "tier": "medium",
870
- "factors": [
871
- "sev:medium"
872
- ]
873
- },
874
- "malicious-insider": {
875
- "score": 0.4,
876
- "tier": "medium",
877
- "factors": [
878
- "sev:medium"
879
- ]
880
- }
881
- },
882
- "personaTopTwo": [
883
- "script-kiddie",
884
- "opportunistic-criminal"
885
- ],
886
- "personaMaxName": "script-kiddie",
887
- "personaMaxScore": 0.4,
888
- "reverseExposure": null,
889
- "specMined": null,
890
- "whyFired": {
891
- "detector": "sast/dos-sync-io",
892
- "ruleId": "CWE-400",
893
- "parser": "STRUCTURAL",
894
- "evidence": {
895
- "sinkSnippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
896
- "sourceSnippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
897
- "pathSteps": [],
898
- "sanitizers": [],
899
- "guards": []
900
- },
901
- "considered": {
902
- "suppressionsApplied": [],
903
- "suppressionsSkipped": [],
904
- "reachabilityFilter": "unaffected",
905
- "clusterCollapsed": false,
906
- "typeNarrowed": false,
907
- "crownJewelTier": "unknown",
908
- "mitigationVerdict": "unreachable-in-prod"
909
- },
910
- "scanner": {
911
- "rulesetVersion": null,
912
- "packHash": null,
913
- "modelId": null
914
- }
915
- },
916
- "adversaryTranscript": null,
917
- "predictedBountyUsd": {
918
- "low": 10,
919
- "likely": 40,
920
- "high": 120,
921
- "program": "web2"
922
- },
923
- "bountyConfidence": "high",
924
- "attackPlaybook": null
925
- },
926
- {
927
- "id": "struct:incremental.js:203:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
928
- "kind": "sast",
929
- "severity": "medium",
930
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
931
- "cwe": "CWE-400",
932
- "owaspLlm": null,
933
- "stride": "Denial of Service",
934
- "file": "incremental.js",
935
- "line": 203,
936
- "snippet": "fs.writeFileSync(path.join(dir, VERSION_PATH), JSON.stringify(currentVersion, null, 2));",
937
- "fix": null,
938
- "reachable": false,
939
- "triage": 22,
940
- "dataClasses": [],
941
- "chain": null,
942
- "confidence": 0.212,
943
- "toxicity": 28,
944
- "toxicityFactors": [
945
- "http-facing"
946
- ],
947
- "toxicityLabel": "Medium",
948
- "sources": null,
949
- "epssScore": null,
950
- "epssPercentile": null,
951
- "epssCve": null,
952
- "exploitedNow": false,
953
- "tags": null,
954
- "blastRadius": {
955
- "scope": "all-users",
956
- "dataAtRisk": [
957
- "config"
958
- ],
959
- "userCount": 50,
960
- "industry": "generic",
961
- "jurisdictions": [],
962
- "controlsApplied": [],
963
- "dollarBest": 23250,
964
- "dollarLikely": 136250,
965
- "dollarWorst": 775000,
966
- "dollarLow": 23250,
967
- "dollarHigh": 775000,
968
- "components": {
969
- "incidentResponse": {
970
- "low": 8000,
971
- "likely": 50000,
972
- "high": 250000
973
- },
974
- "legal": {
975
- "low": 10000,
976
- "likely": 75000,
977
- "high": 500000
978
- },
979
- "crisisPR": {
980
- "low": 0,
981
- "likely": 0,
982
- "high": 0
983
- },
984
- "notification": {
985
- "low": 5000,
986
- "likely": 10000,
987
- "high": 15000
988
- },
989
- "creditMonitoring": {
990
- "low": 0,
991
- "likely": 0,
992
- "high": 0
993
- },
994
- "regulatoryFines": {
995
- "low": 0,
996
- "likely": 0,
997
- "high": 0
998
- },
999
- "directDamage": {
1000
- "low": 250,
1001
- "likely": 1250,
1002
- "high": 10000
1003
- },
1004
- "classAction": {
1005
- "low": 0,
1006
- "likely": 0,
1007
- "high": 0
1008
- },
1009
- "lostBusiness": {
1010
- "low": 0,
1011
- "likely": 0,
1012
- "high": 0
1013
- }
1014
- },
1015
- "dominantDriver": "legal counsel",
1016
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1017
- "confidence": "low",
1018
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:203` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1019
- },
1020
- "stableId": "71f79aead6c815a7",
1021
- "confidenceTier": "very-low",
1022
- "exploitability": 0.2,
1023
- "exploitabilityTier": "low",
1024
- "exploitabilityFactors": [
1025
- "sev:medium",
1026
- "unreachable"
1027
- ],
1028
- "clusterSize": null,
1029
- "unreachable": false,
1030
- "validator_verdict": "unvalidated",
1031
- "llm_confidence": null,
1032
- "unvalidated": true,
1033
- "cross_language": false,
1034
- "family": "dos-sync-io",
1035
- "parser": "STRUCTURAL",
1036
- "_unsigned": false,
1037
- "_passThroughSigning": false,
1038
- "signatureStatus": "verified",
1039
- "regression_test": null,
1040
- "poc": null,
1041
- "calibrated_confidence": null,
1042
- "calibrated_confidence_ci": null,
1043
- "calibrated_n": 0,
1044
- "calibration_reason": "no-history",
1045
- "verifier_verdict": "cannot-verify",
1046
- "verifier_reason": "no-poc-no-sanitizer-rule",
1047
- "verifier_runner": null,
1048
- "narration": null,
1049
- "mitigationVerdict": "unreachable-in-prod",
1050
- "mitigationsApplied": [],
1051
- "mitigatedByWaf": false,
1052
- "wafRuleId": null,
1053
- "mitigatedByAuth": false,
1054
- "authMechanism": null,
1055
- "mitigatedByNetwork": false,
1056
- "networkExposure": null,
1057
- "featureFlag": null,
1058
- "featureFlagState": null,
1059
- "featureFlagRollout": null,
1060
- "exposedInProd": false,
1061
- "unreachableInProd": true,
1062
- "coldPath": false,
1063
- "hotPath": false,
1064
- "prodRequestCount": null,
1065
- "crownJewelScore": 0,
1066
- "crownJewelTier": "unknown",
1067
- "crownJewelFactors": [],
1068
- "cloneClusterId": "347295aac188671b",
1069
- "cloneClusterSize": 1,
1070
- "provenance": "human-likely",
1071
- "provenanceScore": 0.22,
1072
- "typeNarrowed": null,
1073
- "strideCategory": "denialOfService",
1074
- "personaScores": {
1075
- "script-kiddie": {
1076
- "score": 0.4,
1077
- "tier": "medium",
1078
- "factors": [
1079
- "sev:medium"
1080
- ]
1081
- },
1082
- "opportunistic-criminal": {
1083
- "score": 0.4,
1084
- "tier": "medium",
1085
- "factors": [
1086
- "sev:medium"
1087
- ]
1088
- },
1089
- "apt-nation-state": {
1090
- "score": 0.4,
1091
- "tier": "medium",
1092
- "factors": [
1093
- "sev:medium"
1094
- ]
1095
- },
1096
- "supply-chain-attacker": {
1097
- "score": 0.4,
1098
- "tier": "medium",
1099
- "factors": [
1100
- "sev:medium"
1101
- ]
1102
- },
1103
- "malicious-insider": {
1104
- "score": 0.4,
1105
- "tier": "medium",
1106
- "factors": [
1107
- "sev:medium"
1108
- ]
1109
- }
1110
- },
1111
- "personaTopTwo": [
1112
- "script-kiddie",
1113
- "opportunistic-criminal"
1114
- ],
1115
- "personaMaxName": "script-kiddie",
1116
- "personaMaxScore": 0.4,
1117
- "reverseExposure": null,
1118
- "specMined": null,
1119
- "whyFired": {
1120
- "detector": "sast/dos-sync-io",
1121
- "ruleId": "CWE-400",
1122
- "parser": "STRUCTURAL",
1123
- "evidence": {
1124
- "sinkSnippet": "fs.writeFileSync(path.join(dir, VERSION_PATH), JSON.stringify(currentVersion, null, 2));",
1125
- "sourceSnippet": "fs.writeFileSync(path.join(dir, VERSION_PATH), JSON.stringify(currentVersion, null, 2));",
1126
- "pathSteps": [],
1127
- "sanitizers": [],
1128
- "guards": []
1129
- },
1130
- "considered": {
1131
- "suppressionsApplied": [],
1132
- "suppressionsSkipped": [],
1133
- "reachabilityFilter": "unaffected",
1134
- "clusterCollapsed": false,
1135
- "typeNarrowed": false,
1136
- "crownJewelTier": "unknown",
1137
- "mitigationVerdict": "unreachable-in-prod"
1138
- },
1139
- "scanner": {
1140
- "rulesetVersion": null,
1141
- "packHash": null,
1142
- "modelId": null
1143
- }
1144
- },
1145
- "adversaryTranscript": null,
1146
- "predictedBountyUsd": {
1147
- "low": 10,
1148
- "likely": 40,
1149
- "high": 120,
1150
- "program": "web2"
1151
- },
1152
- "bountyConfidence": "high",
1153
- "attackPlaybook": null
1154
- },
1155
- {
1156
- "id": "struct:incremental.js:204:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1157
- "kind": "sast",
1158
- "severity": "medium",
1159
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1160
- "cwe": "CWE-400",
1161
- "owaspLlm": null,
1162
- "stride": "Denial of Service",
1163
- "file": "incremental.js",
1164
- "line": 204,
1165
- "snippet": "fs.writeFileSync(path.join(dir, FILES_PATH), JSON.stringify(state.files || {}, null, 2));",
1166
- "fix": null,
1167
- "reachable": false,
1168
- "triage": 22,
1169
- "dataClasses": [],
1170
- "chain": null,
1171
- "confidence": 0.212,
1172
- "toxicity": 28,
1173
- "toxicityFactors": [
1174
- "http-facing"
1175
- ],
1176
- "toxicityLabel": "Medium",
1177
- "sources": null,
1178
- "epssScore": null,
1179
- "epssPercentile": null,
1180
- "epssCve": null,
1181
- "exploitedNow": false,
1182
- "tags": null,
1183
- "blastRadius": {
1184
- "scope": "all-users",
1185
- "dataAtRisk": [
1186
- "config"
1187
- ],
1188
- "userCount": 50,
1189
- "industry": "generic",
1190
- "jurisdictions": [],
1191
- "controlsApplied": [],
1192
- "dollarBest": 23250,
1193
- "dollarLikely": 136250,
1194
- "dollarWorst": 775000,
1195
- "dollarLow": 23250,
1196
- "dollarHigh": 775000,
1197
- "components": {
1198
- "incidentResponse": {
1199
- "low": 8000,
1200
- "likely": 50000,
1201
- "high": 250000
1202
- },
1203
- "legal": {
1204
- "low": 10000,
1205
- "likely": 75000,
1206
- "high": 500000
1207
- },
1208
- "crisisPR": {
1209
- "low": 0,
1210
- "likely": 0,
1211
- "high": 0
1212
- },
1213
- "notification": {
1214
- "low": 5000,
1215
- "likely": 10000,
1216
- "high": 15000
1217
- },
1218
- "creditMonitoring": {
1219
- "low": 0,
1220
- "likely": 0,
1221
- "high": 0
1222
- },
1223
- "regulatoryFines": {
1224
- "low": 0,
1225
- "likely": 0,
1226
- "high": 0
1227
- },
1228
- "directDamage": {
1229
- "low": 250,
1230
- "likely": 1250,
1231
- "high": 10000
1232
- },
1233
- "classAction": {
1234
- "low": 0,
1235
- "likely": 0,
1236
- "high": 0
1237
- },
1238
- "lostBusiness": {
1239
- "low": 0,
1240
- "likely": 0,
1241
- "high": 0
1242
- }
1243
- },
1244
- "dominantDriver": "legal counsel",
1245
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1246
- "confidence": "low",
1247
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:204` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1248
- },
1249
- "stableId": "16f0befb55d2a11a",
1250
- "confidenceTier": "very-low",
1251
- "exploitability": 0.2,
1252
- "exploitabilityTier": "low",
1253
- "exploitabilityFactors": [
1254
- "sev:medium",
1255
- "unreachable"
1256
- ],
1257
- "clusterSize": null,
1258
- "unreachable": false,
1259
- "validator_verdict": "unvalidated",
1260
- "llm_confidence": null,
1261
- "unvalidated": true,
1262
- "cross_language": false,
1263
- "family": "dos-sync-io",
1264
- "parser": "STRUCTURAL",
1265
- "_unsigned": false,
1266
- "_passThroughSigning": false,
1267
- "signatureStatus": "verified",
1268
- "regression_test": null,
1269
- "poc": null,
1270
- "calibrated_confidence": null,
1271
- "calibrated_confidence_ci": null,
1272
- "calibrated_n": 0,
1273
- "calibration_reason": "no-history",
1274
- "verifier_verdict": "cannot-verify",
1275
- "verifier_reason": "no-poc-no-sanitizer-rule",
1276
- "verifier_runner": null,
1277
- "narration": null,
1278
- "mitigationVerdict": "unreachable-in-prod",
1279
- "mitigationsApplied": [],
1280
- "mitigatedByWaf": false,
1281
- "wafRuleId": null,
1282
- "mitigatedByAuth": false,
1283
- "authMechanism": null,
1284
- "mitigatedByNetwork": false,
1285
- "networkExposure": null,
1286
- "featureFlag": null,
1287
- "featureFlagState": null,
1288
- "featureFlagRollout": null,
1289
- "exposedInProd": false,
1290
- "unreachableInProd": true,
1291
- "coldPath": false,
1292
- "hotPath": false,
1293
- "prodRequestCount": null,
1294
- "crownJewelScore": 0,
1295
- "crownJewelTier": "unknown",
1296
- "crownJewelFactors": [],
1297
- "cloneClusterId": "cd20f49000f1b531",
1298
- "cloneClusterSize": 1,
1299
- "provenance": "human-likely",
1300
- "provenanceScore": 0.22,
1301
- "typeNarrowed": null,
1302
- "strideCategory": "denialOfService",
1303
- "personaScores": {
1304
- "script-kiddie": {
1305
- "score": 0.4,
1306
- "tier": "medium",
1307
- "factors": [
1308
- "sev:medium"
1309
- ]
1310
- },
1311
- "opportunistic-criminal": {
1312
- "score": 0.4,
1313
- "tier": "medium",
1314
- "factors": [
1315
- "sev:medium"
1316
- ]
1317
- },
1318
- "apt-nation-state": {
1319
- "score": 0.4,
1320
- "tier": "medium",
1321
- "factors": [
1322
- "sev:medium"
1323
- ]
1324
- },
1325
- "supply-chain-attacker": {
1326
- "score": 0.4,
1327
- "tier": "medium",
1328
- "factors": [
1329
- "sev:medium"
1330
- ]
1331
- },
1332
- "malicious-insider": {
1333
- "score": 0.4,
1334
- "tier": "medium",
1335
- "factors": [
1336
- "sev:medium"
1337
- ]
1338
- }
1339
- },
1340
- "personaTopTwo": [
1341
- "script-kiddie",
1342
- "opportunistic-criminal"
1343
- ],
1344
- "personaMaxName": "script-kiddie",
1345
- "personaMaxScore": 0.4,
1346
- "reverseExposure": null,
1347
- "specMined": null,
1348
- "whyFired": {
1349
- "detector": "sast/dos-sync-io",
1350
- "ruleId": "CWE-400",
1351
- "parser": "STRUCTURAL",
1352
- "evidence": {
1353
- "sinkSnippet": "fs.writeFileSync(path.join(dir, FILES_PATH), JSON.stringify(state.files || {}, null, 2));",
1354
- "sourceSnippet": "fs.writeFileSync(path.join(dir, FILES_PATH), JSON.stringify(state.files || {}, null, 2));",
1355
- "pathSteps": [],
1356
- "sanitizers": [],
1357
- "guards": []
1358
- },
1359
- "considered": {
1360
- "suppressionsApplied": [],
1361
- "suppressionsSkipped": [],
1362
- "reachabilityFilter": "unaffected",
1363
- "clusterCollapsed": false,
1364
- "typeNarrowed": false,
1365
- "crownJewelTier": "unknown",
1366
- "mitigationVerdict": "unreachable-in-prod"
1367
- },
1368
- "scanner": {
1369
- "rulesetVersion": null,
1370
- "packHash": null,
1371
- "modelId": null
1372
- }
1373
- },
1374
- "adversaryTranscript": null,
1375
- "predictedBountyUsd": {
1376
- "low": 10,
1377
- "likely": 40,
1378
- "high": 120,
1379
- "program": "web2"
1380
- },
1381
- "bountyConfidence": "high",
1382
- "attackPlaybook": null
1383
- },
1384
- {
1385
- "id": "struct:incremental.js:209:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1386
- "kind": "sast",
1387
- "severity": "medium",
1388
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1389
- "cwe": "CWE-400",
1390
- "owaspLlm": null,
1391
- "stride": "Denial of Service",
1392
- "file": "incremental.js",
1393
- "line": 209,
1394
- "snippet": "fs.writeFileSync(path.join(dir, SUMMARIES_PATH), JSON.stringify(payload));",
1395
- "fix": null,
1396
- "reachable": false,
1397
- "triage": 22,
1398
- "dataClasses": [],
1399
- "chain": null,
1400
- "confidence": 0.212,
1401
- "toxicity": 28,
1402
- "toxicityFactors": [
1403
- "http-facing"
1404
- ],
1405
- "toxicityLabel": "Medium",
1406
- "sources": null,
1407
- "epssScore": null,
1408
- "epssPercentile": null,
1409
- "epssCve": null,
1410
- "exploitedNow": false,
1411
- "tags": null,
1412
- "blastRadius": {
1413
- "scope": "all-users",
1414
- "dataAtRisk": [
1415
- "config"
1416
- ],
1417
- "userCount": 50,
1418
- "industry": "generic",
1419
- "jurisdictions": [],
1420
- "controlsApplied": [],
1421
- "dollarBest": 23250,
1422
- "dollarLikely": 136250,
1423
- "dollarWorst": 775000,
1424
- "dollarLow": 23250,
1425
- "dollarHigh": 775000,
1426
- "components": {
1427
- "incidentResponse": {
1428
- "low": 8000,
1429
- "likely": 50000,
1430
- "high": 250000
1431
- },
1432
- "legal": {
1433
- "low": 10000,
1434
- "likely": 75000,
1435
- "high": 500000
1436
- },
1437
- "crisisPR": {
1438
- "low": 0,
1439
- "likely": 0,
1440
- "high": 0
1441
- },
1442
- "notification": {
1443
- "low": 5000,
1444
- "likely": 10000,
1445
- "high": 15000
1446
- },
1447
- "creditMonitoring": {
1448
- "low": 0,
1449
- "likely": 0,
1450
- "high": 0
1451
- },
1452
- "regulatoryFines": {
1453
- "low": 0,
1454
- "likely": 0,
1455
- "high": 0
1456
- },
1457
- "directDamage": {
1458
- "low": 250,
1459
- "likely": 1250,
1460
- "high": 10000
1461
- },
1462
- "classAction": {
1463
- "low": 0,
1464
- "likely": 0,
1465
- "high": 0
1466
- },
1467
- "lostBusiness": {
1468
- "low": 0,
1469
- "likely": 0,
1470
- "high": 0
1471
- }
1472
- },
1473
- "dominantDriver": "legal counsel",
1474
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1475
- "confidence": "low",
1476
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:209` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1477
- },
1478
- "stableId": "b6ab9f0eaa3c75e0",
1479
- "confidenceTier": "very-low",
1480
- "exploitability": 0.2,
1481
- "exploitabilityTier": "low",
1482
- "exploitabilityFactors": [
1483
- "sev:medium",
1484
- "unreachable"
1485
- ],
1486
- "clusterSize": null,
1487
- "unreachable": false,
1488
- "validator_verdict": "unvalidated",
1489
- "llm_confidence": null,
1490
- "unvalidated": true,
1491
- "cross_language": false,
1492
- "family": "dos-sync-io",
1493
- "parser": "STRUCTURAL",
1494
- "_unsigned": false,
1495
- "_passThroughSigning": false,
1496
- "signatureStatus": "verified",
1497
- "regression_test": null,
1498
- "poc": null,
1499
- "calibrated_confidence": null,
1500
- "calibrated_confidence_ci": null,
1501
- "calibrated_n": 0,
1502
- "calibration_reason": "no-history",
1503
- "verifier_verdict": "cannot-verify",
1504
- "verifier_reason": "no-poc-no-sanitizer-rule",
1505
- "verifier_runner": null,
1506
- "narration": null,
1507
- "mitigationVerdict": "unreachable-in-prod",
1508
- "mitigationsApplied": [],
1509
- "mitigatedByWaf": false,
1510
- "wafRuleId": null,
1511
- "mitigatedByAuth": false,
1512
- "authMechanism": null,
1513
- "mitigatedByNetwork": false,
1514
- "networkExposure": null,
1515
- "featureFlag": null,
1516
- "featureFlagState": null,
1517
- "featureFlagRollout": null,
1518
- "exposedInProd": false,
1519
- "unreachableInProd": true,
1520
- "coldPath": false,
1521
- "hotPath": false,
1522
- "prodRequestCount": null,
1523
- "crownJewelScore": 0,
1524
- "crownJewelTier": "unknown",
1525
- "crownJewelFactors": [],
1526
- "cloneClusterId": "4a06d0af981828b5",
1527
- "cloneClusterSize": 1,
1528
- "provenance": "human-likely",
1529
- "provenanceScore": 0.22,
1530
- "typeNarrowed": null,
1531
- "strideCategory": "denialOfService",
1532
- "personaScores": {
1533
- "script-kiddie": {
1534
- "score": 0.4,
1535
- "tier": "medium",
1536
- "factors": [
1537
- "sev:medium"
1538
- ]
1539
- },
1540
- "opportunistic-criminal": {
1541
- "score": 0.4,
1542
- "tier": "medium",
1543
- "factors": [
1544
- "sev:medium"
1545
- ]
1546
- },
1547
- "apt-nation-state": {
1548
- "score": 0.4,
1549
- "tier": "medium",
1550
- "factors": [
1551
- "sev:medium"
1552
- ]
1553
- },
1554
- "supply-chain-attacker": {
1555
- "score": 0.4,
1556
- "tier": "medium",
1557
- "factors": [
1558
- "sev:medium"
1559
- ]
1560
- },
1561
- "malicious-insider": {
1562
- "score": 0.4,
1563
- "tier": "medium",
1564
- "factors": [
1565
- "sev:medium"
1566
- ]
1567
- }
1568
- },
1569
- "personaTopTwo": [
1570
- "script-kiddie",
1571
- "opportunistic-criminal"
1572
- ],
1573
- "personaMaxName": "script-kiddie",
1574
- "personaMaxScore": 0.4,
1575
- "reverseExposure": null,
1576
- "specMined": null,
1577
- "whyFired": {
1578
- "detector": "sast/dos-sync-io",
1579
- "ruleId": "CWE-400",
1580
- "parser": "STRUCTURAL",
1581
- "evidence": {
1582
- "sinkSnippet": "fs.writeFileSync(path.join(dir, SUMMARIES_PATH), JSON.stringify(payload));",
1583
- "sourceSnippet": "fs.writeFileSync(path.join(dir, SUMMARIES_PATH), JSON.stringify(payload));",
1584
- "pathSteps": [],
1585
- "sanitizers": [],
1586
- "guards": []
1587
- },
1588
- "considered": {
1589
- "suppressionsApplied": [],
1590
- "suppressionsSkipped": [],
1591
- "reachabilityFilter": "unaffected",
1592
- "clusterCollapsed": false,
1593
- "typeNarrowed": false,
1594
- "crownJewelTier": "unknown",
1595
- "mitigationVerdict": "unreachable-in-prod"
1596
- },
1597
- "scanner": {
1598
- "rulesetVersion": null,
1599
- "packHash": null,
1600
- "modelId": null
1601
- }
1602
- },
1603
- "adversaryTranscript": null,
1604
- "predictedBountyUsd": {
1605
- "low": 10,
1606
- "likely": 40,
1607
- "high": 120,
1608
- "program": "web2"
1609
- },
1610
- "bountyConfidence": "high",
1611
- "attackPlaybook": null
1612
- },
1613
- {
1614
- "id": "struct:incremental.js:220:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1615
- "kind": "sast",
1616
- "severity": "medium",
1617
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1618
- "cwe": "CWE-400",
1619
- "owaspLlm": null,
1620
- "stride": "Denial of Service",
1621
- "file": "incremental.js",
1622
- "line": 220,
1623
- "snippet": "if (!fs.existsSync(dir)) return true;",
1624
- "fix": null,
1625
- "reachable": false,
1626
- "triage": 22,
1627
- "dataClasses": [],
1628
- "chain": null,
1629
- "confidence": 0.212,
1630
- "toxicity": 28,
1631
- "toxicityFactors": [
1632
- "http-facing"
1633
- ],
1634
- "toxicityLabel": "Medium",
1635
- "sources": null,
1636
- "epssScore": null,
1637
- "epssPercentile": null,
1638
- "epssCve": null,
1639
- "exploitedNow": false,
1640
- "tags": null,
1641
- "blastRadius": {
1642
- "scope": "all-users",
1643
- "dataAtRisk": [
1644
- "config"
1645
- ],
1646
- "userCount": 50,
1647
- "industry": "generic",
1648
- "jurisdictions": [],
1649
- "controlsApplied": [],
1650
- "dollarBest": 23250,
1651
- "dollarLikely": 136250,
1652
- "dollarWorst": 775000,
1653
- "dollarLow": 23250,
1654
- "dollarHigh": 775000,
1655
- "components": {
1656
- "incidentResponse": {
1657
- "low": 8000,
1658
- "likely": 50000,
1659
- "high": 250000
1660
- },
1661
- "legal": {
1662
- "low": 10000,
1663
- "likely": 75000,
1664
- "high": 500000
1665
- },
1666
- "crisisPR": {
1667
- "low": 0,
1668
- "likely": 0,
1669
- "high": 0
1670
- },
1671
- "notification": {
1672
- "low": 5000,
1673
- "likely": 10000,
1674
- "high": 15000
1675
- },
1676
- "creditMonitoring": {
1677
- "low": 0,
1678
- "likely": 0,
1679
- "high": 0
1680
- },
1681
- "regulatoryFines": {
1682
- "low": 0,
1683
- "likely": 0,
1684
- "high": 0
1685
- },
1686
- "directDamage": {
1687
- "low": 250,
1688
- "likely": 1250,
1689
- "high": 10000
1690
- },
1691
- "classAction": {
1692
- "low": 0,
1693
- "likely": 0,
1694
- "high": 0
1695
- },
1696
- "lostBusiness": {
1697
- "low": 0,
1698
- "likely": 0,
1699
- "high": 0
1700
- }
1701
- },
1702
- "dominantDriver": "legal counsel",
1703
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1704
- "confidence": "low",
1705
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:220` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1706
- },
1707
- "stableId": "0276003493008082",
1708
- "confidenceTier": "very-low",
1709
- "exploitability": 0.2,
1710
- "exploitabilityTier": "low",
1711
- "exploitabilityFactors": [
1712
- "sev:medium",
1713
- "unreachable"
1714
- ],
1715
- "clusterSize": null,
1716
- "unreachable": false,
1717
- "validator_verdict": "unvalidated",
1718
- "llm_confidence": null,
1719
- "unvalidated": true,
1720
- "cross_language": false,
1721
- "family": "dos-sync-io",
1722
- "parser": "STRUCTURAL",
1723
- "_unsigned": false,
1724
- "_passThroughSigning": false,
1725
- "signatureStatus": "verified",
1726
- "regression_test": null,
1727
- "poc": null,
1728
- "calibrated_confidence": null,
1729
- "calibrated_confidence_ci": null,
1730
- "calibrated_n": 0,
1731
- "calibration_reason": "no-history",
1732
- "verifier_verdict": "cannot-verify",
1733
- "verifier_reason": "no-poc-no-sanitizer-rule",
1734
- "verifier_runner": null,
1735
- "narration": null,
1736
- "mitigationVerdict": "unreachable-in-prod",
1737
- "mitigationsApplied": [],
1738
- "mitigatedByWaf": false,
1739
- "wafRuleId": null,
1740
- "mitigatedByAuth": false,
1741
- "authMechanism": null,
1742
- "mitigatedByNetwork": false,
1743
- "networkExposure": null,
1744
- "featureFlag": null,
1745
- "featureFlagState": null,
1746
- "featureFlagRollout": null,
1747
- "exposedInProd": false,
1748
- "unreachableInProd": true,
1749
- "coldPath": false,
1750
- "hotPath": false,
1751
- "prodRequestCount": null,
1752
- "crownJewelScore": 0,
1753
- "crownJewelTier": "unknown",
1754
- "crownJewelFactors": [],
1755
- "cloneClusterId": "b7114d1d9de39865",
1756
- "cloneClusterSize": 1,
1757
- "provenance": "human-likely",
1758
- "provenanceScore": 0.22,
1759
- "typeNarrowed": null,
1760
- "strideCategory": "denialOfService",
1761
- "personaScores": {
1762
- "script-kiddie": {
1763
- "score": 0.4,
1764
- "tier": "medium",
1765
- "factors": [
1766
- "sev:medium"
1767
- ]
1768
- },
1769
- "opportunistic-criminal": {
1770
- "score": 0.4,
1771
- "tier": "medium",
1772
- "factors": [
1773
- "sev:medium"
1774
- ]
1775
- },
1776
- "apt-nation-state": {
1777
- "score": 0.4,
1778
- "tier": "medium",
1779
- "factors": [
1780
- "sev:medium"
1781
- ]
1782
- },
1783
- "supply-chain-attacker": {
1784
- "score": 0.4,
1785
- "tier": "medium",
1786
- "factors": [
1787
- "sev:medium"
1788
- ]
1789
- },
1790
- "malicious-insider": {
1791
- "score": 0.4,
1792
- "tier": "medium",
1793
- "factors": [
1794
- "sev:medium"
1795
- ]
1796
- }
1797
- },
1798
- "personaTopTwo": [
1799
- "script-kiddie",
1800
- "opportunistic-criminal"
1801
- ],
1802
- "personaMaxName": "script-kiddie",
1803
- "personaMaxScore": 0.4,
1804
- "reverseExposure": null,
1805
- "specMined": null,
1806
- "whyFired": {
1807
- "detector": "sast/dos-sync-io",
1808
- "ruleId": "CWE-400",
1809
- "parser": "STRUCTURAL",
1810
- "evidence": {
1811
- "sinkSnippet": "if (!fs.existsSync(dir)) return true;",
1812
- "sourceSnippet": "if (!fs.existsSync(dir)) return true;",
1813
- "pathSteps": [],
1814
- "sanitizers": [],
1815
- "guards": []
1816
- },
1817
- "considered": {
1818
- "suppressionsApplied": [],
1819
- "suppressionsSkipped": [],
1820
- "reachabilityFilter": "unaffected",
1821
- "clusterCollapsed": false,
1822
- "typeNarrowed": false,
1823
- "crownJewelTier": "unknown",
1824
- "mitigationVerdict": "unreachable-in-prod"
1825
- },
1826
- "scanner": {
1827
- "rulesetVersion": null,
1828
- "packHash": null,
1829
- "modelId": null
1830
- }
1831
- },
1832
- "adversaryTranscript": null,
1833
- "predictedBountyUsd": {
1834
- "low": 10,
1835
- "likely": 40,
1836
- "high": 120,
1837
- "program": "web2"
1838
- },
1839
- "bountyConfidence": "high",
1840
- "attackPlaybook": null
1841
- },
1842
- {
1843
- "id": "struct:incremental.js:223:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1844
- "kind": "sast",
1845
- "severity": "medium",
1846
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1847
- "cwe": "CWE-400",
1848
- "owaspLlm": null,
1849
- "stride": "Denial of Service",
1850
- "file": "incremental.js",
1851
- "line": 223,
1852
- "snippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
1853
- "fix": null,
1854
- "reachable": false,
1855
- "triage": 22,
1856
- "dataClasses": [],
1857
- "chain": null,
1858
- "confidence": 0.212,
1859
- "toxicity": 28,
1860
- "toxicityFactors": [
1861
- "http-facing"
1862
- ],
1863
- "toxicityLabel": "Medium",
1864
- "sources": null,
1865
- "epssScore": null,
1866
- "epssPercentile": null,
1867
- "epssCve": null,
1868
- "exploitedNow": false,
1869
- "tags": null,
1870
- "blastRadius": {
1871
- "scope": "all-users",
1872
- "dataAtRisk": [
1873
- "config"
1874
- ],
1875
- "userCount": 50,
1876
- "industry": "generic",
1877
- "jurisdictions": [],
1878
- "controlsApplied": [],
1879
- "dollarBest": 23250,
1880
- "dollarLikely": 136250,
1881
- "dollarWorst": 775000,
1882
- "dollarLow": 23250,
1883
- "dollarHigh": 775000,
1884
- "components": {
1885
- "incidentResponse": {
1886
- "low": 8000,
1887
- "likely": 50000,
1888
- "high": 250000
1889
- },
1890
- "legal": {
1891
- "low": 10000,
1892
- "likely": 75000,
1893
- "high": 500000
1894
- },
1895
- "crisisPR": {
1896
- "low": 0,
1897
- "likely": 0,
1898
- "high": 0
1899
- },
1900
- "notification": {
1901
- "low": 5000,
1902
- "likely": 10000,
1903
- "high": 15000
1904
- },
1905
- "creditMonitoring": {
1906
- "low": 0,
1907
- "likely": 0,
1908
- "high": 0
1909
- },
1910
- "regulatoryFines": {
1911
- "low": 0,
1912
- "likely": 0,
1913
- "high": 0
1914
- },
1915
- "directDamage": {
1916
- "low": 250,
1917
- "likely": 1250,
1918
- "high": 10000
1919
- },
1920
- "classAction": {
1921
- "low": 0,
1922
- "likely": 0,
1923
- "high": 0
1924
- },
1925
- "lostBusiness": {
1926
- "low": 0,
1927
- "likely": 0,
1928
- "high": 0
1929
- }
1930
- },
1931
- "dominantDriver": "legal counsel",
1932
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1933
- "confidence": "low",
1934
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `incremental.js:223` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1935
- },
1936
- "stableId": "15ad072cb77cdfe4",
1937
- "confidenceTier": "very-low",
1938
- "exploitability": 0.2,
1939
- "exploitabilityTier": "low",
1940
- "exploitabilityFactors": [
1941
- "sev:medium",
1942
- "unreachable"
1943
- ],
1944
- "clusterSize": null,
1945
- "unreachable": false,
1946
- "validator_verdict": "unvalidated",
1947
- "llm_confidence": null,
1948
- "unvalidated": true,
1949
- "cross_language": false,
1950
- "family": "dos-sync-io",
1951
- "parser": "STRUCTURAL",
1952
- "_unsigned": false,
1953
- "_passThroughSigning": false,
1954
- "signatureStatus": "verified",
1955
- "regression_test": null,
1956
- "poc": null,
1957
- "calibrated_confidence": null,
1958
- "calibrated_confidence_ci": null,
1959
- "calibrated_n": 0,
1960
- "calibration_reason": "no-history",
1961
- "verifier_verdict": "cannot-verify",
1962
- "verifier_reason": "no-poc-no-sanitizer-rule",
1963
- "verifier_runner": null,
1964
- "narration": null,
1965
- "mitigationVerdict": "unreachable-in-prod",
1966
- "mitigationsApplied": [],
1967
- "mitigatedByWaf": false,
1968
- "wafRuleId": null,
1969
- "mitigatedByAuth": false,
1970
- "authMechanism": null,
1971
- "mitigatedByNetwork": false,
1972
- "networkExposure": null,
1973
- "featureFlag": null,
1974
- "featureFlagState": null,
1975
- "featureFlagRollout": null,
1976
- "exposedInProd": false,
1977
- "unreachableInProd": true,
1978
- "coldPath": false,
1979
- "hotPath": false,
1980
- "prodRequestCount": null,
1981
- "crownJewelScore": 0,
1982
- "crownJewelTier": "unknown",
1983
- "crownJewelFactors": [],
1984
- "cloneClusterId": "07f8fac8b280cc73",
1985
- "cloneClusterSize": 1,
1986
- "provenance": "human-likely",
1987
- "provenanceScore": 0.22,
1988
- "typeNarrowed": null,
1989
- "strideCategory": "denialOfService",
1990
- "personaScores": {
1991
- "script-kiddie": {
1992
- "score": 0.4,
1993
- "tier": "medium",
1994
- "factors": [
1995
- "sev:medium"
1996
- ]
1997
- },
1998
- "opportunistic-criminal": {
1999
- "score": 0.4,
2000
- "tier": "medium",
2001
- "factors": [
2002
- "sev:medium"
2003
- ]
2004
- },
2005
- "apt-nation-state": {
2006
- "score": 0.4,
2007
- "tier": "medium",
2008
- "factors": [
2009
- "sev:medium"
2010
- ]
2011
- },
2012
- "supply-chain-attacker": {
2013
- "score": 0.4,
2014
- "tier": "medium",
2015
- "factors": [
2016
- "sev:medium"
2017
- ]
2018
- },
2019
- "malicious-insider": {
2020
- "score": 0.4,
2021
- "tier": "medium",
2022
- "factors": [
2023
- "sev:medium"
2024
- ]
2025
- }
2026
- },
2027
- "personaTopTwo": [
2028
- "script-kiddie",
2029
- "opportunistic-criminal"
2030
- ],
2031
- "personaMaxName": "script-kiddie",
2032
- "personaMaxScore": 0.4,
2033
- "reverseExposure": null,
2034
- "specMined": null,
2035
- "whyFired": {
2036
- "detector": "sast/dos-sync-io",
2037
- "ruleId": "CWE-400",
2038
- "parser": "STRUCTURAL",
2039
- "evidence": {
2040
- "sinkSnippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
2041
- "sourceSnippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
2042
- "pathSteps": [],
2043
- "sanitizers": [],
2044
- "guards": []
2045
- },
2046
- "considered": {
2047
- "suppressionsApplied": [],
2048
- "suppressionsSkipped": [],
2049
- "reachabilityFilter": "unaffected",
2050
- "clusterCollapsed": false,
2051
- "typeNarrowed": false,
2052
- "crownJewelTier": "unknown",
2053
- "mitigationVerdict": "unreachable-in-prod"
2054
- },
2055
- "scanner": {
2056
- "rulesetVersion": null,
2057
- "packHash": null,
2058
- "modelId": null
2059
- }
2060
- },
2061
- "adversaryTranscript": null,
2062
- "predictedBountyUsd": {
2063
- "low": 10,
2064
- "likely": 40,
2065
- "high": 120,
2066
- "program": "web2"
2067
- },
2068
- "bountyConfidence": "high",
2069
- "attackPlaybook": null
2070
- },
2071
- {
2072
- "id": "ssrf-meta-hardcoded:catalog.js:538",
2073
- "kind": "sast",
2074
- "severity": "medium",
2075
- "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
2076
- "cwe": "CWE-918",
2077
- "owaspLlm": null,
2078
- "stride": "Information Disclosure",
2079
- "file": "catalog.js",
2080
- "line": 538,
2081
- "snippet": "remediation: 'Resolve the host first, reject 169.254.169.254 / RFC1918 / localhost; or proxy through a server-side allow-list.' } },",
2082
- "fix": null,
2083
- "reachable": false,
2084
- "triage": 22,
2085
- "dataClasses": [],
2086
- "chain": null,
2087
- "confidence": 0.7,
2088
- "toxicity": 8,
2089
- "toxicityFactors": [],
2090
- "toxicityLabel": "Low",
2091
- "sources": null,
2092
- "epssScore": null,
2093
- "epssPercentile": null,
2094
- "epssCve": null,
2095
- "exploitedNow": false,
2096
- "tags": null,
2097
- "blastRadius": {
2098
- "scope": "all-users",
2099
- "dataAtRisk": [
2100
- "credentials"
2101
- ],
2102
- "userCount": 50,
2103
- "industry": "generic",
2104
- "jurisdictions": [],
2105
- "controlsApplied": [],
2106
- "dollarBest": 24000,
2107
- "dollarLikely": 138000,
2108
- "dollarWorst": 777500,
2109
- "dollarLow": 24000,
2110
- "dollarHigh": 777500,
2111
- "components": {
2112
- "incidentResponse": {
2113
- "low": 8000,
2114
- "likely": 50000,
2115
- "high": 250000
2116
- },
2117
- "legal": {
2118
- "low": 10000,
2119
- "likely": 75000,
2120
- "high": 500000
2121
- },
2122
- "crisisPR": {
2123
- "low": 0,
2124
- "likely": 0,
2125
- "high": 0
2126
- },
2127
- "notification": {
2128
- "low": 5000,
2129
- "likely": 10000,
2130
- "high": 15000
2131
- },
2132
- "creditMonitoring": {
2133
- "low": 0,
2134
- "likely": 0,
2135
- "high": 0
2136
- },
2137
- "regulatoryFines": {
2138
- "low": 0,
2139
- "likely": 0,
2140
- "high": 0
2141
- },
2142
- "directDamage": {
2143
- "low": 1000,
2144
- "likely": 3000,
2145
- "high": 12500
2146
- },
2147
- "classAction": {
2148
- "low": 0,
2149
- "likely": 0,
2150
- "high": 0
2151
- },
2152
- "lostBusiness": {
2153
- "low": 0,
2154
- "likely": 0,
2155
- "high": 0
2156
- }
2157
- },
2158
- "dominantDriver": "legal counsel",
2159
- "comparable": "Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)",
2160
- "confidence": "low",
2161
- "narrative": "SSRF: explicit reference to cloud instance-metadata endpoint on `catalog.js:538` could expose production credentials and API keys. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $24k · likely $138k · worst $778k. Dominant driver: legal counsel. Comparable: Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)."
2162
- },
2163
- "stableId": "3dfe482b8d5e3a09",
2164
- "confidenceTier": "medium",
2165
- "exploitability": 0.2,
2166
- "exploitabilityTier": "low",
2167
- "exploitabilityFactors": [
2168
- "sev:medium",
2169
- "unreachable"
2170
- ],
2171
- "clusterSize": null,
2172
- "unreachable": false,
2173
- "validator_verdict": "unvalidated",
2174
- "llm_confidence": null,
2175
- "unvalidated": true,
2176
- "cross_language": false,
2177
- "family": "ssrf",
2178
- "parser": "SSRF-METADATA",
2179
- "_unsigned": false,
2180
- "_passThroughSigning": false,
2181
- "signatureStatus": "verified",
2182
- "regression_test": {
2183
- "lang": "node",
2184
- "framework": null,
2185
- "filename": null,
2186
- "runHint": null,
2187
- "code": null
2188
- },
2189
- "poc": {
2190
- "lang": "node",
2191
- "kind": "http-payload",
2192
- "cwe": "CWE-918",
2193
- "family": "ssrf",
2194
- "runHint": "node poc.mjs",
2195
- "code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n",
2196
- "paramKey": null,
2197
- "paramKeyConfidence": "low",
2198
- "paramKeyInferred": false
2199
- },
2200
- "calibrated_confidence": null,
2201
- "calibrated_confidence_ci": null,
2202
- "calibrated_n": 24,
2203
- "calibration_reason": "insufficient-samples",
2204
- "verifier_verdict": "verified-sanitizer-absence",
2205
- "verifier_reason": "no-sanitizer-in-window",
2206
- "verifier_runner": null,
2207
- "narration": null,
2208
- "mitigationVerdict": "unreachable-in-prod",
2209
- "mitigationsApplied": [],
2210
- "mitigatedByWaf": false,
2211
- "wafRuleId": null,
2212
- "mitigatedByAuth": false,
2213
- "authMechanism": null,
2214
- "mitigatedByNetwork": false,
2215
- "networkExposure": null,
2216
- "featureFlag": null,
2217
- "featureFlagState": null,
2218
- "featureFlagRollout": null,
2219
- "exposedInProd": false,
2220
- "unreachableInProd": true,
2221
- "coldPath": false,
2222
- "hotPath": false,
2223
- "prodRequestCount": null,
2224
- "crownJewelScore": 0.15,
2225
- "crownJewelTier": "low-value",
2226
- "crownJewelFactors": [
2227
- "shell-execution"
2228
- ],
2229
- "cloneClusterId": null,
2230
- "cloneClusterSize": 1,
2231
- "provenance": "human-likely",
2232
- "provenanceScore": 0.26,
2233
- "typeNarrowed": null,
2234
- "strideCategory": "tampering",
2235
- "personaScores": {
2236
- "script-kiddie": {
2237
- "score": 0.4,
2238
- "tier": "medium",
2239
- "factors": [
2240
- "sev:medium"
2241
- ]
2242
- },
2243
- "opportunistic-criminal": {
2244
- "score": 0.6,
2245
- "tier": "high",
2246
- "factors": [
2247
- "sev:medium",
2248
- "bias:ssrf+0.20"
2249
- ]
2250
- },
2251
- "apt-nation-state": {
2252
- "score": 0.7,
2253
- "tier": "high",
2254
- "factors": [
2255
- "sev:medium",
2256
- "bias:ssrf+0.30"
2257
- ]
2258
- },
2259
- "supply-chain-attacker": {
2260
- "score": 0.4,
2261
- "tier": "medium",
2262
- "factors": [
2263
- "sev:medium"
2264
- ]
2265
- },
2266
- "malicious-insider": {
2267
- "score": 0.4,
2268
- "tier": "medium",
2269
- "factors": [
2270
- "sev:medium"
2271
- ]
2272
- }
2273
- },
2274
- "personaTopTwo": [
2275
- "apt-nation-state",
2276
- "opportunistic-criminal"
2277
- ],
2278
- "personaMaxName": "apt-nation-state",
2279
- "personaMaxScore": 0.7,
2280
- "reverseExposure": null,
2281
- "specMined": null,
2282
- "whyFired": {
2283
- "detector": "sast/ssrf",
2284
- "ruleId": "CWE-918",
2285
- "parser": "SSRF-METADATA",
2286
- "evidence": {
2287
- "sinkSnippet": "remediation: 'Resolve the host first, reject 169.254.169.254 / RFC1918 / localhost; or proxy through a server-side allow-list.' } },",
2288
- "sourceSnippet": null,
2289
- "pathSteps": [],
2290
- "sanitizers": [],
2291
- "guards": []
2292
- },
2293
- "considered": {
2294
- "suppressionsApplied": [],
2295
- "suppressionsSkipped": [],
2296
- "reachabilityFilter": "unaffected",
2297
- "clusterCollapsed": false,
2298
- "typeNarrowed": false,
2299
- "crownJewelTier": "low-value",
2300
- "mitigationVerdict": "unreachable-in-prod"
2301
- },
2302
- "scanner": {
2303
- "rulesetVersion": null,
2304
- "packHash": null,
2305
- "modelId": null
2306
- }
2307
- },
2308
- "adversaryTranscript": null,
2309
- "predictedBountyUsd": {
2310
- "low": 30,
2311
- "likely": 120,
2312
- "high": 350,
2313
- "program": "web2"
2314
- },
2315
- "bountyConfidence": "high",
2316
- "attackPlaybook": null
2317
- },
2318
- {
2319
- "id": "ssrf-meta-hardcoded:exploit-prover.js:33",
2320
- "kind": "sast",
2321
- "severity": "medium",
2322
- "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
2323
- "cwe": "CWE-918",
2324
- "owaspLlm": null,
2325
- "stride": "Information Disclosure",
2326
- "file": "exploit-prover.js",
2327
- "line": 33,
2328
- "snippet": "'CWE-918': `http://169.254.169.254/latest/meta-data/`, // SSRF",
2329
- "fix": null,
2330
- "reachable": false,
2331
- "triage": 22,
2332
- "dataClasses": [],
2333
- "chain": null,
2334
- "confidence": 0.7,
2335
- "toxicity": 8,
2336
- "toxicityFactors": [],
2337
- "toxicityLabel": "Low",
2338
- "sources": null,
2339
- "epssScore": null,
2340
- "epssPercentile": null,
2341
- "epssCve": null,
2342
- "exploitedNow": false,
2343
- "tags": null,
2344
- "blastRadius": {
2345
- "scope": "all-users",
2346
- "dataAtRisk": [
2347
- "credentials"
2348
- ],
2349
- "userCount": 50,
2350
- "industry": "generic",
2351
- "jurisdictions": [],
2352
- "controlsApplied": [],
2353
- "dollarBest": 24000,
2354
- "dollarLikely": 138000,
2355
- "dollarWorst": 777500,
2356
- "dollarLow": 24000,
2357
- "dollarHigh": 777500,
2358
- "components": {
2359
- "incidentResponse": {
2360
- "low": 8000,
2361
- "likely": 50000,
2362
- "high": 250000
2363
- },
2364
- "legal": {
2365
- "low": 10000,
2366
- "likely": 75000,
2367
- "high": 500000
2368
- },
2369
- "crisisPR": {
2370
- "low": 0,
2371
- "likely": 0,
2372
- "high": 0
2373
- },
2374
- "notification": {
2375
- "low": 5000,
2376
- "likely": 10000,
2377
- "high": 15000
2378
- },
2379
- "creditMonitoring": {
2380
- "low": 0,
2381
- "likely": 0,
2382
- "high": 0
2383
- },
2384
- "regulatoryFines": {
2385
- "low": 0,
2386
- "likely": 0,
2387
- "high": 0
2388
- },
2389
- "directDamage": {
2390
- "low": 1000,
2391
- "likely": 3000,
2392
- "high": 12500
2393
- },
2394
- "classAction": {
2395
- "low": 0,
2396
- "likely": 0,
2397
- "high": 0
2398
- },
2399
- "lostBusiness": {
2400
- "low": 0,
2401
- "likely": 0,
2402
- "high": 0
2403
- }
2404
- },
2405
- "dominantDriver": "legal counsel",
2406
- "comparable": "Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)",
2407
- "confidence": "low",
2408
- "narrative": "SSRF: explicit reference to cloud instance-metadata endpoint on `exploit-prover.js:33` could expose production credentials and API keys. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $24k · likely $138k · worst $778k. Dominant driver: legal counsel. Comparable: Capital One 2019 SSRF → $190M settlement (100M records, $1.90/rec)."
2409
- },
2410
- "stableId": "88ebc2728475812c",
2411
- "confidenceTier": "medium",
2412
- "exploitability": 0.2,
2413
- "exploitabilityTier": "low",
2414
- "exploitabilityFactors": [
2415
- "sev:medium",
2416
- "unreachable"
2417
- ],
2418
- "clusterSize": null,
2419
- "unreachable": false,
2420
- "validator_verdict": "unvalidated",
2421
- "llm_confidence": null,
2422
- "unvalidated": true,
2423
- "cross_language": false,
2424
- "family": "ssrf",
2425
- "parser": "SSRF-METADATA",
2426
- "_unsigned": false,
2427
- "_passThroughSigning": false,
2428
- "signatureStatus": "verified",
2429
- "regression_test": {
2430
- "lang": "node",
2431
- "framework": null,
2432
- "filename": null,
2433
- "runHint": null,
2434
- "code": null
2435
- },
2436
- "poc": {
2437
- "lang": "node",
2438
- "kind": "http-payload",
2439
- "cwe": "CWE-918",
2440
- "family": "ssrf",
2441
- "runHint": "node poc.mjs",
2442
- "code": "// Demonstrates SSRF by forcing the server to fetch a localhost sentinel URL.\n// Endpoint: POST http://localhost:3000/REPLACE-WITH-ENDPOINT\n// Payload: http://127.0.0.1:65533/poc-ssrf-sentinel\n// Expect: sentinel server logs a request from the target — proves the target made an outbound call we controlled\n// Run: node poc.mjs\n// Exit code: 0 = exploit demonstrated, 1 = not demonstrated, 2 = error\n\nconst URL_ = \"http://localhost:3000/REPLACE-WITH-ENDPOINT\";\nconst METHOD = \"POST\";\nconst PAYLOAD = `http://127.0.0.1:65533/poc-ssrf-sentinel`;\n\nconst body = METHOD === 'GET'\n ? null\n : JSON.stringify({ \"input\": PAYLOAD });\n\nconst headers = { 'Content-Type': 'application/json' };\n\nconst reqUrl = METHOD === 'GET'\n ? URL_ + (URL_.includes('?') ? '&' : '?') + \"input\" + '=' + encodeURIComponent(PAYLOAD)\n : URL_;\n\ntry {\n const r = await fetch(reqUrl, { method: METHOD, headers, body, redirect: 'follow' });\n const text = await r.text();\n const sig = (text.includes(\"http://127.0.0.1:65533/poc-ssrf-sentinel\") ? 'payload reflected' : '');\n if (sig) {\n process.stderr.write('PoC: exploit demonstrated — ' + sig + '\\n');\n process.exit(0);\n }\n process.stderr.write('PoC: payload sent (status ' + r.status + '), no exploit evidence in response\\n');\n process.exit(1);\n} catch (e) {\n process.stderr.write('PoC: error reaching target — ' + e.message + '\\n');\n process.exit(2);\n}\n",
2443
- "paramKey": null,
2444
- "paramKeyConfidence": "low",
2445
- "paramKeyInferred": false
2446
- },
2447
- "calibrated_confidence": null,
2448
- "calibrated_confidence_ci": null,
2449
- "calibrated_n": 24,
2450
- "calibration_reason": "insufficient-samples",
2451
- "verifier_verdict": "verified-sanitizer-absence",
2452
- "verifier_reason": "no-sanitizer-in-window",
2453
- "verifier_runner": null,
2454
- "narration": null,
2455
- "mitigationVerdict": "unreachable-in-prod",
2456
- "mitigationsApplied": [],
2457
- "mitigatedByWaf": false,
2458
- "wafRuleId": null,
2459
- "mitigatedByAuth": false,
2460
- "authMechanism": null,
2461
- "mitigatedByNetwork": false,
2462
- "networkExposure": null,
2463
- "featureFlag": null,
2464
- "featureFlagState": null,
2465
- "featureFlagRollout": null,
2466
- "exposedInProd": false,
2467
- "unreachableInProd": true,
2468
- "coldPath": false,
2469
- "hotPath": false,
2470
- "prodRequestCount": null,
2471
- "crownJewelScore": 0,
2472
- "crownJewelTier": "unknown",
2473
- "crownJewelFactors": [],
2474
- "cloneClusterId": null,
2475
- "cloneClusterSize": 1,
2476
- "provenance": "mixed",
2477
- "provenanceScore": 0.3,
2478
- "typeNarrowed": null,
2479
- "strideCategory": "tampering",
2480
- "personaScores": {
2481
- "script-kiddie": {
2482
- "score": 0.4,
2483
- "tier": "medium",
2484
- "factors": [
2485
- "sev:medium"
2486
- ]
2487
- },
2488
- "opportunistic-criminal": {
2489
- "score": 0.6,
2490
- "tier": "high",
2491
- "factors": [
2492
- "sev:medium",
2493
- "bias:ssrf+0.20"
2494
- ]
2495
- },
2496
- "apt-nation-state": {
2497
- "score": 0.7,
2498
- "tier": "high",
2499
- "factors": [
2500
- "sev:medium",
2501
- "bias:ssrf+0.30"
2502
- ]
2503
- },
2504
- "supply-chain-attacker": {
2505
- "score": 0.4,
2506
- "tier": "medium",
2507
- "factors": [
2508
- "sev:medium"
2509
- ]
2510
- },
2511
- "malicious-insider": {
2512
- "score": 0.4,
2513
- "tier": "medium",
2514
- "factors": [
2515
- "sev:medium"
2516
- ]
2517
- }
2518
- },
2519
- "personaTopTwo": [
2520
- "apt-nation-state",
2521
- "opportunistic-criminal"
2522
- ],
2523
- "personaMaxName": "apt-nation-state",
2524
- "personaMaxScore": 0.7,
2525
- "reverseExposure": null,
2526
- "specMined": null,
2527
- "whyFired": {
2528
- "detector": "sast/ssrf",
2529
- "ruleId": "CWE-918",
2530
- "parser": "SSRF-METADATA",
2531
- "evidence": {
2532
- "sinkSnippet": "'CWE-918': `http://169.254.169.254/latest/meta-data/`, // SSRF",
2533
- "sourceSnippet": null,
2534
- "pathSteps": [],
2535
- "sanitizers": [],
2536
- "guards": []
2537
- },
2538
- "considered": {
2539
- "suppressionsApplied": [],
2540
- "suppressionsSkipped": [],
2541
- "reachabilityFilter": "unaffected",
2542
- "clusterCollapsed": false,
2543
- "typeNarrowed": false,
2544
- "crownJewelTier": "unknown",
2545
- "mitigationVerdict": "unreachable-in-prod"
2546
- },
2547
- "scanner": {
2548
- "rulesetVersion": null,
2549
- "packHash": null,
2550
- "modelId": null
2551
- }
2552
- },
2553
- "adversaryTranscript": null,
2554
- "predictedBountyUsd": {
2555
- "low": 30,
2556
- "likely": 120,
2557
- "high": 350,
2558
- "program": "web2"
2559
- },
2560
- "bountyConfidence": "high",
2561
- "attackPlaybook": null
2562
- },
2563
- {
2564
- "id": "toctou-fs:incremental.js:50",
2565
- "kind": "sast",
2566
- "severity": "medium",
2567
- "vuln": "TOCTOU: file existence/permission check before open",
2568
- "cwe": "CWE-367",
2569
- "owaspLlm": null,
2570
- "stride": "Tampering",
2571
- "file": "incremental.js",
2572
- "line": 50,
2573
- "snippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
2574
- "fix": null,
2575
- "reachable": false,
2576
- "triage": 22,
2577
- "dataClasses": [],
2578
- "chain": null,
2579
- "confidence": 0.7,
2580
- "toxicity": 8,
2581
- "toxicityFactors": [],
2582
- "toxicityLabel": "Low",
2583
- "sources": null,
2584
- "epssScore": null,
2585
- "epssPercentile": null,
2586
- "epssCve": null,
2587
- "exploitedNow": false,
2588
- "tags": null,
2589
- "blastRadius": {
2590
- "scope": "all-users",
2591
- "dataAtRisk": [
2592
- "config"
2593
- ],
2594
- "userCount": 50,
2595
- "industry": "generic",
2596
- "jurisdictions": [],
2597
- "controlsApplied": [],
2598
- "dollarBest": 23250,
2599
- "dollarLikely": 136250,
2600
- "dollarWorst": 775000,
2601
- "dollarLow": 23250,
2602
- "dollarHigh": 775000,
2603
- "components": {
2604
- "incidentResponse": {
2605
- "low": 8000,
2606
- "likely": 50000,
2607
- "high": 250000
2608
- },
2609
- "legal": {
2610
- "low": 10000,
2611
- "likely": 75000,
2612
- "high": 500000
2613
- },
2614
- "crisisPR": {
2615
- "low": 0,
2616
- "likely": 0,
2617
- "high": 0
2618
- },
2619
- "notification": {
2620
- "low": 5000,
2621
- "likely": 10000,
2622
- "high": 15000
2623
- },
2624
- "creditMonitoring": {
2625
- "low": 0,
2626
- "likely": 0,
2627
- "high": 0
2628
- },
2629
- "regulatoryFines": {
2630
- "low": 0,
2631
- "likely": 0,
2632
- "high": 0
2633
- },
2634
- "directDamage": {
2635
- "low": 250,
2636
- "likely": 1250,
2637
- "high": 10000
2638
- },
2639
- "classAction": {
2640
- "low": 0,
2641
- "likely": 0,
2642
- "high": 0
2643
- },
2644
- "lostBusiness": {
2645
- "low": 0,
2646
- "likely": 0,
2647
- "high": 0
2648
- }
2649
- },
2650
- "dominantDriver": "legal counsel",
2651
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
2652
- "confidence": "low",
2653
- "narrative": "TOCTOU: file existence/permission check before open on `incremental.js:50` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
2654
- },
2655
- "stableId": "3184d498fcca8634",
2656
- "confidenceTier": "medium",
2657
- "exploitability": 0.2,
2658
- "exploitabilityTier": "low",
2659
- "exploitabilityFactors": [
2660
- "sev:medium",
2661
- "unreachable"
2662
- ],
2663
- "clusterSize": null,
2664
- "unreachable": false,
2665
- "validator_verdict": "unvalidated",
2666
- "llm_confidence": null,
2667
- "unvalidated": true,
2668
- "cross_language": false,
2669
- "family": "toctou-file-existence-permission-check-b",
2670
- "parser": "TOCTOU",
2671
- "_unsigned": false,
2672
- "_passThroughSigning": false,
2673
- "signatureStatus": "verified",
2674
- "regression_test": null,
2675
- "poc": null,
2676
- "calibrated_confidence": null,
2677
- "calibrated_confidence_ci": null,
2678
- "calibrated_n": 0,
2679
- "calibration_reason": "no-history",
2680
- "verifier_verdict": "cannot-verify",
2681
- "verifier_reason": "no-poc-no-sanitizer-rule",
2682
- "verifier_runner": null,
2683
- "narration": null,
2684
- "mitigationVerdict": "unreachable-in-prod",
2685
- "mitigationsApplied": [],
2686
- "mitigatedByWaf": false,
2687
- "wafRuleId": null,
2688
- "mitigatedByAuth": false,
2689
- "authMechanism": null,
2690
- "mitigatedByNetwork": false,
2691
- "networkExposure": null,
2692
- "featureFlag": null,
2693
- "featureFlagState": null,
2694
- "featureFlagRollout": null,
2695
- "exposedInProd": false,
2696
- "unreachableInProd": true,
2697
- "coldPath": false,
2698
- "hotPath": false,
2699
- "prodRequestCount": null,
2700
- "crownJewelScore": 0,
2701
- "crownJewelTier": "unknown",
2702
- "crownJewelFactors": [],
2703
- "cloneClusterId": "bf9643a065f64945",
2704
- "cloneClusterSize": 2,
2705
- "provenance": "human-likely",
2706
- "provenanceScore": 0.22,
2707
- "typeNarrowed": null,
2708
- "strideCategory": "tampering",
2709
- "personaScores": {
2710
- "script-kiddie": {
2711
- "score": 0.4,
2712
- "tier": "medium",
2713
- "factors": [
2714
- "sev:medium"
2715
- ]
2716
- },
2717
- "opportunistic-criminal": {
2718
- "score": 0.4,
2719
- "tier": "medium",
2720
- "factors": [
2721
- "sev:medium"
2722
- ]
2723
- },
2724
- "apt-nation-state": {
2725
- "score": 0.4,
2726
- "tier": "medium",
2727
- "factors": [
2728
- "sev:medium"
2729
- ]
2730
- },
2731
- "supply-chain-attacker": {
2732
- "score": 0.4,
2733
- "tier": "medium",
2734
- "factors": [
2735
- "sev:medium"
2736
- ]
2737
- },
2738
- "malicious-insider": {
2739
- "score": 0.4,
2740
- "tier": "medium",
2741
- "factors": [
2742
- "sev:medium"
2743
- ]
2744
- }
2745
- },
2746
- "personaTopTwo": [
2747
- "script-kiddie",
2748
- "opportunistic-criminal"
2749
- ],
2750
- "personaMaxName": "script-kiddie",
2751
- "personaMaxScore": 0.4,
2752
- "reverseExposure": null,
2753
- "specMined": null,
2754
- "whyFired": {
2755
- "detector": "sast/toctou-file-existence-permission-check-b",
2756
- "ruleId": "CWE-367",
2757
- "parser": "TOCTOU",
2758
- "evidence": {
2759
- "sinkSnippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
2760
- "sourceSnippet": null,
2761
- "pathSteps": [],
2762
- "sanitizers": [],
2763
- "guards": []
2764
- },
2765
- "considered": {
2766
- "suppressionsApplied": [],
2767
- "suppressionsSkipped": [],
2768
- "reachabilityFilter": "unaffected",
2769
- "clusterCollapsed": false,
2770
- "typeNarrowed": false,
2771
- "crownJewelTier": "unknown",
2772
- "mitigationVerdict": "unreachable-in-prod"
2773
- },
2774
- "scanner": {
2775
- "rulesetVersion": null,
2776
- "packHash": null,
2777
- "modelId": null
2778
- }
2779
- },
2780
- "adversaryTranscript": null,
2781
- "predictedBountyUsd": null,
2782
- "bountyConfidence": null,
2783
- "attackPlaybook": null
2784
- },
2785
- {
2786
- "id": "toctou-fs:incremental.js:68",
2787
- "kind": "sast",
2788
- "severity": "medium",
2789
- "vuln": "TOCTOU: file existence/permission check before open",
2790
- "cwe": "CWE-367",
2791
- "owaspLlm": null,
2792
- "stride": "Tampering",
2793
- "file": "incremental.js",
2794
- "line": 68,
2795
- "snippet": "if (!fs.existsSync(fp)) return fallback;",
2796
- "fix": null,
2797
- "reachable": false,
2798
- "triage": 22,
2799
- "dataClasses": [],
2800
- "chain": null,
2801
- "confidence": 0.7,
2802
- "toxicity": 8,
2803
- "toxicityFactors": [],
2804
- "toxicityLabel": "Low",
2805
- "sources": null,
2806
- "epssScore": null,
2807
- "epssPercentile": null,
2808
- "epssCve": null,
2809
- "exploitedNow": false,
2810
- "tags": null,
2811
- "blastRadius": {
2812
- "scope": "all-users",
2813
- "dataAtRisk": [
2814
- "config"
2815
- ],
2816
- "userCount": 50,
2817
- "industry": "generic",
2818
- "jurisdictions": [],
2819
- "controlsApplied": [],
2820
- "dollarBest": 23250,
2821
- "dollarLikely": 136250,
2822
- "dollarWorst": 775000,
2823
- "dollarLow": 23250,
2824
- "dollarHigh": 775000,
2825
- "components": {
2826
- "incidentResponse": {
2827
- "low": 8000,
2828
- "likely": 50000,
2829
- "high": 250000
2830
- },
2831
- "legal": {
2832
- "low": 10000,
2833
- "likely": 75000,
2834
- "high": 500000
2835
- },
2836
- "crisisPR": {
2837
- "low": 0,
2838
- "likely": 0,
2839
- "high": 0
2840
- },
2841
- "notification": {
2842
- "low": 5000,
2843
- "likely": 10000,
2844
- "high": 15000
2845
- },
2846
- "creditMonitoring": {
2847
- "low": 0,
2848
- "likely": 0,
2849
- "high": 0
2850
- },
2851
- "regulatoryFines": {
2852
- "low": 0,
2853
- "likely": 0,
2854
- "high": 0
2855
- },
2856
- "directDamage": {
2857
- "low": 250,
2858
- "likely": 1250,
2859
- "high": 10000
2860
- },
2861
- "classAction": {
2862
- "low": 0,
2863
- "likely": 0,
2864
- "high": 0
2865
- },
2866
- "lostBusiness": {
2867
- "low": 0,
2868
- "likely": 0,
2869
- "high": 0
2870
- }
2871
- },
2872
- "dominantDriver": "legal counsel",
2873
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
2874
- "confidence": "low",
2875
- "narrative": "TOCTOU: file existence/permission check before open on `incremental.js:68` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
2876
- },
2877
- "stableId": "ca2e725c38df4ef6",
2878
- "confidenceTier": "medium",
2879
- "exploitability": 0.2,
2880
- "exploitabilityTier": "low",
2881
- "exploitabilityFactors": [
2882
- "sev:medium",
2883
- "unreachable"
2884
- ],
2885
- "clusterSize": null,
2886
- "unreachable": false,
2887
- "validator_verdict": "unvalidated",
2888
- "llm_confidence": null,
2889
- "unvalidated": true,
2890
- "cross_language": false,
2891
- "family": "toctou-file-existence-permission-check-b",
2892
- "parser": "TOCTOU",
2893
- "_unsigned": false,
2894
- "_passThroughSigning": false,
2895
- "signatureStatus": "verified",
2896
- "regression_test": null,
2897
- "poc": null,
2898
- "calibrated_confidence": null,
2899
- "calibrated_confidence_ci": null,
2900
- "calibrated_n": 0,
2901
- "calibration_reason": "no-history",
2902
- "verifier_verdict": "cannot-verify",
2903
- "verifier_reason": "no-poc-no-sanitizer-rule",
2904
- "verifier_runner": null,
2905
- "narration": null,
2906
- "mitigationVerdict": "unreachable-in-prod",
2907
- "mitigationsApplied": [],
2908
- "mitigatedByWaf": false,
2909
- "wafRuleId": null,
2910
- "mitigatedByAuth": false,
2911
- "authMechanism": null,
2912
- "mitigatedByNetwork": false,
2913
- "networkExposure": null,
2914
- "featureFlag": null,
2915
- "featureFlagState": null,
2916
- "featureFlagRollout": null,
2917
- "exposedInProd": false,
2918
- "unreachableInProd": true,
2919
- "coldPath": false,
2920
- "hotPath": false,
2921
- "prodRequestCount": null,
2922
- "crownJewelScore": 0,
2923
- "crownJewelTier": "unknown",
2924
- "crownJewelFactors": [],
2925
- "cloneClusterId": "39f1d6db55cace1d",
2926
- "cloneClusterSize": 2,
2927
- "provenance": "human-likely",
2928
- "provenanceScore": 0.22,
2929
- "typeNarrowed": null,
2930
- "strideCategory": "tampering",
2931
- "personaScores": {
2932
- "script-kiddie": {
2933
- "score": 0.4,
2934
- "tier": "medium",
2935
- "factors": [
2936
- "sev:medium"
2937
- ]
2938
- },
2939
- "opportunistic-criminal": {
2940
- "score": 0.4,
2941
- "tier": "medium",
2942
- "factors": [
2943
- "sev:medium"
2944
- ]
2945
- },
2946
- "apt-nation-state": {
2947
- "score": 0.4,
2948
- "tier": "medium",
2949
- "factors": [
2950
- "sev:medium"
2951
- ]
2952
- },
2953
- "supply-chain-attacker": {
2954
- "score": 0.4,
2955
- "tier": "medium",
2956
- "factors": [
2957
- "sev:medium"
2958
- ]
2959
- },
2960
- "malicious-insider": {
2961
- "score": 0.4,
2962
- "tier": "medium",
2963
- "factors": [
2964
- "sev:medium"
2965
- ]
2966
- }
2967
- },
2968
- "personaTopTwo": [
2969
- "script-kiddie",
2970
- "opportunistic-criminal"
2971
- ],
2972
- "personaMaxName": "script-kiddie",
2973
- "personaMaxScore": 0.4,
2974
- "reverseExposure": null,
2975
- "specMined": null,
2976
- "whyFired": {
2977
- "detector": "sast/toctou-file-existence-permission-check-b",
2978
- "ruleId": "CWE-367",
2979
- "parser": "TOCTOU",
2980
- "evidence": {
2981
- "sinkSnippet": "if (!fs.existsSync(fp)) return fallback;",
2982
- "sourceSnippet": null,
2983
- "pathSteps": [],
2984
- "sanitizers": [],
2985
- "guards": []
2986
- },
2987
- "considered": {
2988
- "suppressionsApplied": [],
2989
- "suppressionsSkipped": [],
2990
- "reachabilityFilter": "unaffected",
2991
- "clusterCollapsed": false,
2992
- "typeNarrowed": false,
2993
- "crownJewelTier": "unknown",
2994
- "mitigationVerdict": "unreachable-in-prod"
2995
- },
2996
- "scanner": {
2997
- "rulesetVersion": null,
2998
- "packHash": null,
2999
- "modelId": null
3000
- }
3001
- },
3002
- "adversaryTranscript": null,
3003
- "predictedBountyUsd": null,
3004
- "bountyConfidence": null,
3005
- "attackPlaybook": null
3006
- },
3007
- {
3008
- "id": "77f1352c8462f8db",
3009
- "kind": "logic",
3010
- "severity": "medium",
3011
- "vuln": "Race Condition (TOCTOU)",
3012
- "cwe": "CWE-367",
3013
- "stride": "Tampering",
3014
- "file": "incremental.js",
3015
- "line": 223,
3016
- "snippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
3017
- "fix": {
3018
- "description": "Use atomic operations instead of check-then-act patterns.",
3019
- "code": "// BEFORE\nif (fs.existsSync(p)) fs.unlinkSync(p);\n\n// AFTER\ntry { fs.unlinkSync(p); } catch(e) { if(e.code!=='ENOENT') throw e; }"
3020
- },
3021
- "blastRadius": {
3022
- "scope": "all-users",
3023
- "dataAtRisk": [
3024
- "config"
3025
- ],
3026
- "userCount": 50,
3027
- "industry": "generic",
3028
- "jurisdictions": [],
3029
- "controlsApplied": [],
3030
- "dollarBest": 23250,
3031
- "dollarLikely": 136250,
3032
- "dollarWorst": 775000,
3033
- "dollarLow": 23250,
3034
- "dollarHigh": 775000,
3035
- "components": {
3036
- "incidentResponse": {
3037
- "low": 8000,
3038
- "likely": 50000,
3039
- "high": 250000
3040
- },
3041
- "legal": {
3042
- "low": 10000,
3043
- "likely": 75000,
3044
- "high": 500000
3045
- },
3046
- "crisisPR": {
3047
- "low": 0,
3048
- "likely": 0,
3049
- "high": 0
3050
- },
3051
- "notification": {
3052
- "low": 5000,
3053
- "likely": 10000,
3054
- "high": 15000
3055
- },
3056
- "creditMonitoring": {
3057
- "low": 0,
3058
- "likely": 0,
3059
- "high": 0
3060
- },
3061
- "regulatoryFines": {
3062
- "low": 0,
3063
- "likely": 0,
3064
- "high": 0
3065
- },
3066
- "directDamage": {
3067
- "low": 250,
3068
- "likely": 1250,
3069
- "high": 10000
3070
- },
3071
- "classAction": {
3072
- "low": 0,
3073
- "likely": 0,
3074
- "high": 0
3075
- },
3076
- "lostBusiness": {
3077
- "low": 0,
3078
- "likely": 0,
3079
- "high": 0
3080
- }
3081
- },
3082
- "dominantDriver": "legal counsel",
3083
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3084
- "confidence": "low",
3085
- "narrative": "Race Condition (TOCTOU) on `incremental.js:223` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3086
- },
3087
- "parser": "LOGIC",
3088
- "family": null
3089
- },
3090
- {
3091
- "id": "logic:incremental.js:50:TOCTOU:_existsSync_followed_by_file_op",
3092
- "kind": "logic",
3093
- "severity": "medium",
3094
- "vuln": "TOCTOU: existsSync followed by file op",
3095
- "cwe": "CWE-367",
3096
- "stride": "Tampering",
3097
- "file": "incremental.js",
3098
- "line": 50,
3099
- "snippet": "if (!fs.existsSync(versionFp)) return _emptyState();",
3100
- "fix": {
3101
- "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
3102
- "code": ""
3103
- },
3104
- "blastRadius": {
3105
- "scope": "all-users",
3106
- "dataAtRisk": [
3107
- "config"
3108
- ],
3109
- "userCount": 50,
3110
- "industry": "generic",
3111
- "jurisdictions": [],
3112
- "controlsApplied": [],
3113
- "dollarBest": 23250,
3114
- "dollarLikely": 136250,
3115
- "dollarWorst": 775000,
3116
- "dollarLow": 23250,
3117
- "dollarHigh": 775000,
3118
- "components": {
3119
- "incidentResponse": {
3120
- "low": 8000,
3121
- "likely": 50000,
3122
- "high": 250000
3123
- },
3124
- "legal": {
3125
- "low": 10000,
3126
- "likely": 75000,
3127
- "high": 500000
3128
- },
3129
- "crisisPR": {
3130
- "low": 0,
3131
- "likely": 0,
3132
- "high": 0
3133
- },
3134
- "notification": {
3135
- "low": 5000,
3136
- "likely": 10000,
3137
- "high": 15000
3138
- },
3139
- "creditMonitoring": {
3140
- "low": 0,
3141
- "likely": 0,
3142
- "high": 0
3143
- },
3144
- "regulatoryFines": {
3145
- "low": 0,
3146
- "likely": 0,
3147
- "high": 0
3148
- },
3149
- "directDamage": {
3150
- "low": 250,
3151
- "likely": 1250,
3152
- "high": 10000
3153
- },
3154
- "classAction": {
3155
- "low": 0,
3156
- "likely": 0,
3157
- "high": 0
3158
- },
3159
- "lostBusiness": {
3160
- "low": 0,
3161
- "likely": 0,
3162
- "high": 0
3163
- }
3164
- },
3165
- "dominantDriver": "legal counsel",
3166
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3167
- "confidence": "low",
3168
- "narrative": "TOCTOU: existsSync followed by file op on `incremental.js:50` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3169
- },
3170
- "parser": "LOGIC",
3171
- "family": null
3172
- },
3173
- {
3174
- "id": "logic:incremental.js:68:TOCTOU:_existsSync_followed_by_file_op",
3175
- "kind": "logic",
3176
- "severity": "medium",
3177
- "vuln": "TOCTOU: existsSync followed by file op",
3178
- "cwe": "CWE-367",
3179
- "stride": "Tampering",
3180
- "file": "incremental.js",
3181
- "line": 68,
3182
- "snippet": "if (!fs.existsSync(fp)) return fallback;",
3183
- "fix": {
3184
- "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
3185
- "code": ""
3186
- },
3187
- "blastRadius": {
3188
- "scope": "all-users",
3189
- "dataAtRisk": [
3190
- "config"
3191
- ],
3192
- "userCount": 50,
3193
- "industry": "generic",
3194
- "jurisdictions": [],
3195
- "controlsApplied": [],
3196
- "dollarBest": 23250,
3197
- "dollarLikely": 136250,
3198
- "dollarWorst": 775000,
3199
- "dollarLow": 23250,
3200
- "dollarHigh": 775000,
3201
- "components": {
3202
- "incidentResponse": {
3203
- "low": 8000,
3204
- "likely": 50000,
3205
- "high": 250000
3206
- },
3207
- "legal": {
3208
- "low": 10000,
3209
- "likely": 75000,
3210
- "high": 500000
3211
- },
3212
- "crisisPR": {
3213
- "low": 0,
3214
- "likely": 0,
3215
- "high": 0
3216
- },
3217
- "notification": {
3218
- "low": 5000,
3219
- "likely": 10000,
3220
- "high": 15000
3221
- },
3222
- "creditMonitoring": {
3223
- "low": 0,
3224
- "likely": 0,
3225
- "high": 0
3226
- },
3227
- "regulatoryFines": {
3228
- "low": 0,
3229
- "likely": 0,
3230
- "high": 0
3231
- },
3232
- "directDamage": {
3233
- "low": 250,
3234
- "likely": 1250,
3235
- "high": 10000
3236
- },
3237
- "classAction": {
3238
- "low": 0,
3239
- "likely": 0,
3240
- "high": 0
3241
- },
3242
- "lostBusiness": {
3243
- "low": 0,
3244
- "likely": 0,
3245
- "high": 0
3246
- }
3247
- },
3248
- "dominantDriver": "legal counsel",
3249
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3250
- "confidence": "low",
3251
- "narrative": "TOCTOU: existsSync followed by file op on `incremental.js:68` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3252
- },
3253
- "parser": "LOGIC",
3254
- "family": null
3255
- },
3256
- {
3257
- "id": "logic:incremental.js:223:TOCTOU:_existsSync_followed_by_file_op",
3258
- "kind": "logic",
3259
- "severity": "medium",
3260
- "vuln": "TOCTOU: existsSync followed by file op",
3261
- "cwe": "CWE-367",
3262
- "stride": "Tampering",
3263
- "file": "incremental.js",
3264
- "line": 223,
3265
- "snippet": "if (fs.existsSync(fp)) fs.unlinkSync(fp);",
3266
- "fix": {
3267
- "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
3268
- "code": ""
3269
- },
3270
- "blastRadius": {
3271
- "scope": "all-users",
3272
- "dataAtRisk": [
3273
- "config"
3274
- ],
3275
- "userCount": 50,
3276
- "industry": "generic",
3277
- "jurisdictions": [],
3278
- "controlsApplied": [],
3279
- "dollarBest": 23250,
3280
- "dollarLikely": 136250,
3281
- "dollarWorst": 775000,
3282
- "dollarLow": 23250,
3283
- "dollarHigh": 775000,
3284
- "components": {
3285
- "incidentResponse": {
3286
- "low": 8000,
3287
- "likely": 50000,
3288
- "high": 250000
3289
- },
3290
- "legal": {
3291
- "low": 10000,
3292
- "likely": 75000,
3293
- "high": 500000
3294
- },
3295
- "crisisPR": {
3296
- "low": 0,
3297
- "likely": 0,
3298
- "high": 0
3299
- },
3300
- "notification": {
3301
- "low": 5000,
3302
- "likely": 10000,
3303
- "high": 15000
3304
- },
3305
- "creditMonitoring": {
3306
- "low": 0,
3307
- "likely": 0,
3308
- "high": 0
3309
- },
3310
- "regulatoryFines": {
3311
- "low": 0,
3312
- "likely": 0,
3313
- "high": 0
3314
- },
3315
- "directDamage": {
3316
- "low": 250,
3317
- "likely": 1250,
3318
- "high": 10000
3319
- },
3320
- "classAction": {
3321
- "low": 0,
3322
- "likely": 0,
3323
- "high": 0
3324
- },
3325
- "lostBusiness": {
3326
- "low": 0,
3327
- "likely": 0,
3328
- "high": 0
3329
- }
3330
- },
3331
- "dominantDriver": "legal counsel",
3332
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3333
- "confidence": "low",
3334
- "narrative": "TOCTOU: existsSync followed by file op on `incremental.js:223` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3335
- },
3336
- "parser": "LOGIC",
3337
- "family": null
3338
- }
3339
- ],
3340
- "bundles": [],
3341
- "routes": [],
3342
- "components": [],
3343
- "suppressedCount": 12,
3344
- "blastRadiusSignals": {
3345
- "industry": "generic",
3346
- "industryConfidence": "low",
3347
- "jurisdictions": [],
3348
- "controls": [],
3349
- "estimatedUsers": 50,
3350
- "revenueIndicator": "pre-revenue",
3351
- "hasStripe": false,
3352
- "hasAuth": false,
3353
- "hasUserTable": false,
3354
- "hasPII": false,
3355
- "hasPHI": false,
3356
- "hasS3": false
3357
- },
3358
- "_v3": {
3359
- "counterfactual": {
3360
- "spofControls": [],
3361
- "controlsDetected": 219
3362
- },
3363
- "threatModel": {
3364
- "summary": {
3365
- "assetCount": 0,
3366
- "boundaryCount": 2,
3367
- "strideCounts": {
3368
- "spoofing": 0,
3369
- "tampering": 4,
3370
- "repudiation": 0,
3371
- "informationDisclosure": 0,
3372
- "denialOfService": 9,
3373
- "elevationOfPrivilege": 0
3374
- }
3375
- },
3376
- "assets": [],
3377
- "trustBoundaries": [
3378
- {
3379
- "type": "db-edge",
3380
- "file": "catalog.js",
3381
- "line": 52,
3382
- "label": null
3383
- },
3384
- {
3385
- "type": "db-edge",
3386
- "file": "catalog.js",
3387
- "line": 55,
3388
- "label": null
3389
- }
3390
- ],
3391
- "stride": {
3392
- "spoofing": [],
3393
- "tampering": [
3394
- {
3395
- "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
3396
- "file": "catalog.js",
3397
- "line": 538,
3398
- "severity": "medium"
3399
- },
3400
- {
3401
- "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
3402
- "file": "exploit-prover.js",
3403
- "line": 33,
3404
- "severity": "medium"
3405
- },
3406
- {
3407
- "vuln": "TOCTOU: file existence/permission check before open",
3408
- "file": "incremental.js",
3409
- "line": 50,
3410
- "severity": "medium"
3411
- },
3412
- {
3413
- "vuln": "TOCTOU: file existence/permission check before open",
3414
- "file": "incremental.js",
3415
- "line": 68,
3416
- "severity": "medium"
3417
- }
3418
- ],
3419
- "repudiation": [],
3420
- "informationDisclosure": [],
3421
- "denialOfService": [
3422
- {
3423
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3424
- "file": "incremental.js",
3425
- "severity": "medium"
3426
- },
3427
- {
3428
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3429
- "file": "incremental.js",
3430
- "severity": "medium"
3431
- },
3432
- {
3433
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3434
- "file": "incremental.js",
3435
- "severity": "medium"
3436
- },
3437
- {
3438
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3439
- "file": "incremental.js",
3440
- "severity": "medium"
3441
- },
3442
- {
3443
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3444
- "file": "incremental.js",
3445
- "severity": "medium"
3446
- },
3447
- {
3448
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3449
- "file": "incremental.js",
3450
- "severity": "medium"
3451
- },
3452
- {
3453
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3454
- "file": "incremental.js",
3455
- "severity": "medium"
3456
- },
3457
- {
3458
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3459
- "file": "incremental.js",
3460
- "severity": "medium"
3461
- },
3462
- {
3463
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3464
- "file": "incremental.js",
3465
- "severity": "medium"
3466
- }
3467
- ],
3468
- "elevationOfPrivilege": []
3469
- }
3470
- },
3471
- "trustBoundaryDiagram": {
3472
- "mermaid": "flowchart LR\n INTERNET((Internet))\n APP[\"Application\"]\n db_catalog_js_52[(\"db@catalog.js:52\")]\n db_catalog_js_55[(\"db@catalog.js:55\")]\n APP -->|db| db_catalog_js_52\n APP -->|db| db_catalog_js_55\n classDef sev_critical fill:#ffcccc,stroke:#a00,stroke-width:2px;\n classDef sev_high fill:#ffe0b2,stroke:#c60,stroke-width:2px;\n classDef sev_medium fill:#fff3cd,stroke:#a80;\n classDef sev_low fill:#e8eaf6,stroke:#557;",
3473
- "nodes": [
3474
- {
3475
- "id": "INTERNET",
3476
- "kind": "external",
3477
- "label": "Internet"
3478
- },
3479
- {
3480
- "id": "APP",
3481
- "kind": "app",
3482
- "label": "Application"
3483
- },
3484
- {
3485
- "kind": "db",
3486
- "id": "db_catalog_js_52",
3487
- "label": "db@catalog.js:52"
3488
- },
3489
- {
3490
- "kind": "db",
3491
- "id": "db_catalog_js_55",
3492
- "label": "db@catalog.js:55"
3493
- }
3494
- ],
3495
- "edges": [
3496
- {
3497
- "from": "APP",
3498
- "to": "db_catalog_js_52",
3499
- "kind": "db"
3500
- },
3501
- {
3502
- "from": "APP",
3503
- "to": "db_catalog_js_55",
3504
- "kind": "db"
3505
- }
3506
- ],
3507
- "decorations": []
3508
- },
3509
- "calibrationDrift": {
3510
- "alarms": [],
3511
- "note": "no-feedback-data"
3512
- }
3513
- },
3514
- "annotatorErrors": []
3515
- }