@clear-capabilities/agentic-security-scanner 0.78.0 → 0.79.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (76) hide show
  1. package/bin/.agentic-security/findings.json +16 -16
  2. package/bin/.agentic-security/last-scan.json +16 -16
  3. package/bin/.agentic-security/last-scan.json.sig +1 -1
  4. package/bin/.agentic-security/scan-history.json +51 -0
  5. package/bin/.agentic-security/streak.json +5 -5
  6. package/bin/agentic-security.js +22 -7
  7. package/dist/178.index.js +1 -1
  8. package/dist/384.index.js +1 -1
  9. package/dist/476.index.js +5 -5
  10. package/dist/637.index.js +1 -1
  11. package/dist/700.index.js +138 -0
  12. package/dist/718.index.js +53 -0
  13. package/dist/838.index.js +1 -1
  14. package/dist/985.index.js +5 -0
  15. package/dist/agentic-security.mjs +1 -1
  16. package/dist/agentic-security.mjs.sha256 +1 -1
  17. package/package.json +2 -2
  18. package/src/dataflow/engine.js +52 -8
  19. package/src/engine.js +107 -6
  20. package/src/integrations/index.js +2 -1
  21. package/src/ir/callgraph.js +27 -7
  22. package/src/llm-validator/index.js +7 -5
  23. package/src/mcp/audit.js +5 -0
  24. package/src/posture/calibration-drift.js +2 -1
  25. package/src/posture/calibration.js +3 -2
  26. package/src/posture/fix-history.js +8 -2
  27. package/src/posture/profile.js +4 -5
  28. package/src/posture/rule-overrides.js +2 -3
  29. package/src/posture/rule-pack-signing.js +2 -3
  30. package/src/posture/rule-synthesis.js +5 -6
  31. package/src/posture/security-trend.js +4 -7
  32. package/src/posture/state-dir.js +124 -0
  33. package/src/posture/streak.js +3 -0
  34. package/src/posture/suppressions.js +5 -8
  35. package/src/posture/triage.js +3 -5
  36. package/src/posture/validator-metrics.js +3 -6
  37. package/src/sast/db-taint.js +24 -0
  38. package/src/sast/rust.js +26 -0
  39. package/src/sca/binary-metadata.js +124 -0
  40. package/src/sca/py-package-functions.js +118 -0
  41. package/src/sca/vendor-detect.js +53 -0
  42. package/src/.agentic-security/findings.json +0 -82642
  43. package/src/.agentic-security/last-scan.json +0 -82642
  44. package/src/.agentic-security/last-scan.json.sig +0 -1
  45. package/src/.agentic-security/scan-history.json +0 -10054
  46. package/src/.agentic-security/streak.json +0 -21
  47. package/src/dataflow/.agentic-security/findings.json +0 -3515
  48. package/src/dataflow/.agentic-security/last-scan.json +0 -3515
  49. package/src/dataflow/.agentic-security/last-scan.json.sig +0 -1
  50. package/src/dataflow/.agentic-security/scan-history.json +0 -702
  51. package/src/dataflow/.agentic-security/streak.json +0 -22
  52. package/src/ir/.agentic-security/findings.json +0 -3777
  53. package/src/ir/.agentic-security/last-scan.json +0 -3777
  54. package/src/ir/.agentic-security/last-scan.json.sig +0 -1
  55. package/src/ir/.agentic-security/scan-history.json +0 -771
  56. package/src/ir/.agentic-security/streak.json +0 -21
  57. package/src/posture/.agentic-security/findings.json +0 -51562
  58. package/src/posture/.agentic-security/last-scan.json +0 -51562
  59. package/src/posture/.agentic-security/last-scan.json.sig +0 -1
  60. package/src/posture/.agentic-security/scan-history.json +0 -650
  61. package/src/posture/.agentic-security/streak.json +0 -20
  62. package/src/report/.agentic-security/findings.json +0 -80
  63. package/src/report/.agentic-security/last-scan.json +0 -80
  64. package/src/report/.agentic-security/last-scan.json.sig +0 -1
  65. package/src/report/.agentic-security/scan-history.json +0 -35
  66. package/src/report/.agentic-security/streak.json +0 -22
  67. package/src/sast/.agentic-security/findings.json +0 -5190
  68. package/src/sast/.agentic-security/last-scan.json +0 -5190
  69. package/src/sast/.agentic-security/last-scan.json.sig +0 -1
  70. package/src/sast/.agentic-security/scan-history.json +0 -408
  71. package/src/sast/.agentic-security/streak.json +0 -20
  72. package/src/sca/.agentic-security/findings.json +0 -1587
  73. package/src/sca/.agentic-security/last-scan.json +0 -1587
  74. package/src/sca/.agentic-security/last-scan.json.sig +0 -1
  75. package/src/sca/.agentic-security/scan-history.json +0 -36
  76. package/src/sca/.agentic-security/streak.json +0 -21
package/src/sca/.agentic-security/last-scan.json DELETED
@@ -1,1587 +0,0 @@
1
- {
2
- "scanId": "c0d36b32-79df-4614-9dd6-475907a34882",
3
- "startedAt": "2026-05-27T13:30:13.810Z",
4
- "durationMs": 185,
5
- "scanned": {
6
- "files": 6,
7
- "lines": 0
8
- },
9
- "findings": [
10
- {
11
- "id": "struct:dep-confusion.js:56:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
12
- "kind": "sast",
13
- "severity": "medium",
14
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
15
- "cwe": "CWE-400",
16
- "owaspLlm": null,
17
- "stride": "Denial of Service",
18
- "file": "dep-confusion.js",
19
- "line": 56,
20
- "snippet": "if (!fs.existsSync(p)) continue;",
21
- "fix": null,
22
- "reachable": false,
23
- "triage": 22,
24
- "dataClasses": [],
25
- "chain": null,
26
- "confidence": 0.212,
27
- "toxicity": 28,
28
- "toxicityFactors": [
29
- "http-facing"
30
- ],
31
- "toxicityLabel": "Medium",
32
- "sources": null,
33
- "epssScore": null,
34
- "epssPercentile": null,
35
- "epssCve": null,
36
- "exploitedNow": false,
37
- "tags": null,
38
- "blastRadius": {
39
- "scope": "all-users",
40
- "dataAtRisk": [
41
- "config"
42
- ],
43
- "userCount": 50,
44
- "industry": "generic",
45
- "jurisdictions": [],
46
- "controlsApplied": [],
47
- "dollarBest": 23250,
48
- "dollarLikely": 136250,
49
- "dollarWorst": 775000,
50
- "dollarLow": 23250,
51
- "dollarHigh": 775000,
52
- "components": {
53
- "incidentResponse": {
54
- "low": 8000,
55
- "likely": 50000,
56
- "high": 250000
57
- },
58
- "legal": {
59
- "low": 10000,
60
- "likely": 75000,
61
- "high": 500000
62
- },
63
- "crisisPR": {
64
- "low": 0,
65
- "likely": 0,
66
- "high": 0
67
- },
68
- "notification": {
69
- "low": 5000,
70
- "likely": 10000,
71
- "high": 15000
72
- },
73
- "creditMonitoring": {
74
- "low": 0,
75
- "likely": 0,
76
- "high": 0
77
- },
78
- "regulatoryFines": {
79
- "low": 0,
80
- "likely": 0,
81
- "high": 0
82
- },
83
- "directDamage": {
84
- "low": 250,
85
- "likely": 1250,
86
- "high": 10000
87
- },
88
- "classAction": {
89
- "low": 0,
90
- "likely": 0,
91
- "high": 0
92
- },
93
- "lostBusiness": {
94
- "low": 0,
95
- "likely": 0,
96
- "high": 0
97
- }
98
- },
99
- "dominantDriver": "legal counsel",
100
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
101
- "confidence": "low",
102
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `dep-confusion.js:56` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
103
- },
104
- "stableId": "bfbb208a409e9dd2",
105
- "confidenceTier": "very-low",
106
- "exploitability": 0.2,
107
- "exploitabilityTier": "low",
108
- "exploitabilityFactors": [
109
- "sev:medium",
110
- "unreachable"
111
- ],
112
- "clusterSize": null,
113
- "unreachable": false,
114
- "validator_verdict": "unvalidated",
115
- "llm_confidence": null,
116
- "unvalidated": true,
117
- "cross_language": false,
118
- "family": "dos-sync-io",
119
- "parser": "STRUCTURAL",
120
- "_unsigned": false,
121
- "_passThroughSigning": false,
122
- "signatureStatus": "verified",
123
- "regression_test": null,
124
- "poc": null,
125
- "calibrated_confidence": null,
126
- "calibrated_confidence_ci": null,
127
- "calibrated_n": 0,
128
- "calibration_reason": "no-history",
129
- "verifier_verdict": "cannot-verify",
130
- "verifier_reason": "no-poc-no-sanitizer-rule",
131
- "verifier_runner": null,
132
- "narration": null,
133
- "mitigationVerdict": "unreachable-in-prod",
134
- "mitigationsApplied": [],
135
- "mitigatedByWaf": false,
136
- "wafRuleId": null,
137
- "mitigatedByAuth": false,
138
- "authMechanism": null,
139
- "mitigatedByNetwork": false,
140
- "networkExposure": null,
141
- "featureFlag": null,
142
- "featureFlagState": null,
143
- "featureFlagRollout": null,
144
- "exposedInProd": false,
145
- "unreachableInProd": true,
146
- "coldPath": false,
147
- "hotPath": false,
148
- "prodRequestCount": null,
149
- "crownJewelScore": 0,
150
- "crownJewelTier": "unknown",
151
- "crownJewelFactors": [],
152
- "cloneClusterId": "eed315f4ee037434",
153
- "cloneClusterSize": 2,
154
- "provenance": "human-likely",
155
- "provenanceScore": 0,
156
- "typeNarrowed": null,
157
- "strideCategory": "denialOfService",
158
- "personaScores": {
159
- "script-kiddie": {
160
- "score": 0.4,
161
- "tier": "medium",
162
- "factors": [
163
- "sev:medium"
164
- ]
165
- },
166
- "opportunistic-criminal": {
167
- "score": 0.4,
168
- "tier": "medium",
169
- "factors": [
170
- "sev:medium"
171
- ]
172
- },
173
- "apt-nation-state": {
174
- "score": 0.4,
175
- "tier": "medium",
176
- "factors": [
177
- "sev:medium"
178
- ]
179
- },
180
- "supply-chain-attacker": {
181
- "score": 0.4,
182
- "tier": "medium",
183
- "factors": [
184
- "sev:medium"
185
- ]
186
- },
187
- "malicious-insider": {
188
- "score": 0.4,
189
- "tier": "medium",
190
- "factors": [
191
- "sev:medium"
192
- ]
193
- }
194
- },
195
- "personaTopTwo": [
196
- "script-kiddie",
197
- "opportunistic-criminal"
198
- ],
199
- "personaMaxName": "script-kiddie",
200
- "personaMaxScore": 0.4,
201
- "reverseExposure": null,
202
- "specMined": null,
203
- "whyFired": {
204
- "detector": "sast/dos-sync-io",
205
- "ruleId": "CWE-400",
206
- "parser": "STRUCTURAL",
207
- "evidence": {
208
- "sinkSnippet": "if (!fs.existsSync(p)) continue;",
209
- "sourceSnippet": "if (!fs.existsSync(p)) continue;",
210
- "pathSteps": [],
211
- "sanitizers": [],
212
- "guards": []
213
- },
214
- "considered": {
215
- "suppressionsApplied": [],
216
- "suppressionsSkipped": [],
217
- "reachabilityFilter": "unaffected",
218
- "clusterCollapsed": false,
219
- "typeNarrowed": false,
220
- "crownJewelTier": "unknown",
221
- "mitigationVerdict": "unreachable-in-prod"
222
- },
223
- "scanner": {
224
- "rulesetVersion": null,
225
- "packHash": null,
226
- "modelId": null
227
- }
228
- },
229
- "adversaryTranscript": null,
230
- "predictedBountyUsd": {
231
- "low": 10,
232
- "likely": 40,
233
- "high": 120,
234
- "program": "web2"
235
- },
236
- "bountyConfidence": "high",
237
- "attackPlaybook": null
238
- },
239
- {
240
- "id": "struct:dep-confusion.js:58:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
241
- "kind": "sast",
242
- "severity": "medium",
243
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
244
- "cwe": "CWE-400",
245
- "owaspLlm": null,
246
- "stride": "Denial of Service",
247
- "file": "dep-confusion.js",
248
- "line": 58,
249
- "snippet": "const doc = yaml.load(fs.readFileSync(p, 'utf8'));",
250
- "fix": null,
251
- "reachable": false,
252
- "triage": 22,
253
- "dataClasses": [],
254
- "chain": null,
255
- "confidence": 0.212,
256
- "toxicity": 28,
257
- "toxicityFactors": [
258
- "http-facing"
259
- ],
260
- "toxicityLabel": "Medium",
261
- "sources": null,
262
- "epssScore": null,
263
- "epssPercentile": null,
264
- "epssCve": null,
265
- "exploitedNow": false,
266
- "tags": null,
267
- "blastRadius": {
268
- "scope": "all-users",
269
- "dataAtRisk": [
270
- "config"
271
- ],
272
- "userCount": 50,
273
- "industry": "generic",
274
- "jurisdictions": [],
275
- "controlsApplied": [],
276
- "dollarBest": 23250,
277
- "dollarLikely": 136250,
278
- "dollarWorst": 775000,
279
- "dollarLow": 23250,
280
- "dollarHigh": 775000,
281
- "components": {
282
- "incidentResponse": {
283
- "low": 8000,
284
- "likely": 50000,
285
- "high": 250000
286
- },
287
- "legal": {
288
- "low": 10000,
289
- "likely": 75000,
290
- "high": 500000
291
- },
292
- "crisisPR": {
293
- "low": 0,
294
- "likely": 0,
295
- "high": 0
296
- },
297
- "notification": {
298
- "low": 5000,
299
- "likely": 10000,
300
- "high": 15000
301
- },
302
- "creditMonitoring": {
303
- "low": 0,
304
- "likely": 0,
305
- "high": 0
306
- },
307
- "regulatoryFines": {
308
- "low": 0,
309
- "likely": 0,
310
- "high": 0
311
- },
312
- "directDamage": {
313
- "low": 250,
314
- "likely": 1250,
315
- "high": 10000
316
- },
317
- "classAction": {
318
- "low": 0,
319
- "likely": 0,
320
- "high": 0
321
- },
322
- "lostBusiness": {
323
- "low": 0,
324
- "likely": 0,
325
- "high": 0
326
- }
327
- },
328
- "dominantDriver": "legal counsel",
329
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
330
- "confidence": "low",
331
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `dep-confusion.js:58` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
332
- },
333
- "stableId": "85a3f4d03fefd43d",
334
- "confidenceTier": "very-low",
335
- "exploitability": 0.2,
336
- "exploitabilityTier": "low",
337
- "exploitabilityFactors": [
338
- "sev:medium",
339
- "unreachable"
340
- ],
341
- "clusterSize": null,
342
- "unreachable": false,
343
- "validator_verdict": "unvalidated",
344
- "llm_confidence": null,
345
- "unvalidated": true,
346
- "cross_language": false,
347
- "family": "dos-sync-io",
348
- "parser": "STRUCTURAL",
349
- "_unsigned": false,
350
- "_passThroughSigning": false,
351
- "signatureStatus": "verified",
352
- "regression_test": null,
353
- "poc": null,
354
- "calibrated_confidence": null,
355
- "calibrated_confidence_ci": null,
356
- "calibrated_n": 0,
357
- "calibration_reason": "no-history",
358
- "verifier_verdict": "cannot-verify",
359
- "verifier_reason": "no-poc-no-sanitizer-rule",
360
- "verifier_runner": null,
361
- "narration": null,
362
- "mitigationVerdict": "unreachable-in-prod",
363
- "mitigationsApplied": [],
364
- "mitigatedByWaf": false,
365
- "wafRuleId": null,
366
- "mitigatedByAuth": false,
367
- "authMechanism": null,
368
- "mitigatedByNetwork": false,
369
- "networkExposure": null,
370
- "featureFlag": null,
371
- "featureFlagState": null,
372
- "featureFlagRollout": null,
373
- "exposedInProd": false,
374
- "unreachableInProd": true,
375
- "coldPath": false,
376
- "hotPath": false,
377
- "prodRequestCount": null,
378
- "crownJewelScore": 0,
379
- "crownJewelTier": "unknown",
380
- "crownJewelFactors": [],
381
- "cloneClusterId": "8b60c3f57d48c622",
382
- "cloneClusterSize": 1,
383
- "provenance": "human-likely",
384
- "provenanceScore": 0,
385
- "typeNarrowed": null,
386
- "strideCategory": "denialOfService",
387
- "personaScores": {
388
- "script-kiddie": {
389
- "score": 0.4,
390
- "tier": "medium",
391
- "factors": [
392
- "sev:medium"
393
- ]
394
- },
395
- "opportunistic-criminal": {
396
- "score": 0.4,
397
- "tier": "medium",
398
- "factors": [
399
- "sev:medium"
400
- ]
401
- },
402
- "apt-nation-state": {
403
- "score": 0.4,
404
- "tier": "medium",
405
- "factors": [
406
- "sev:medium"
407
- ]
408
- },
409
- "supply-chain-attacker": {
410
- "score": 0.4,
411
- "tier": "medium",
412
- "factors": [
413
- "sev:medium"
414
- ]
415
- },
416
- "malicious-insider": {
417
- "score": 0.4,
418
- "tier": "medium",
419
- "factors": [
420
- "sev:medium"
421
- ]
422
- }
423
- },
424
- "personaTopTwo": [
425
- "script-kiddie",
426
- "opportunistic-criminal"
427
- ],
428
- "personaMaxName": "script-kiddie",
429
- "personaMaxScore": 0.4,
430
- "reverseExposure": null,
431
- "specMined": null,
432
- "whyFired": {
433
- "detector": "sast/dos-sync-io",
434
- "ruleId": "CWE-400",
435
- "parser": "STRUCTURAL",
436
- "evidence": {
437
- "sinkSnippet": "const doc = yaml.load(fs.readFileSync(p, 'utf8'));",
438
- "sourceSnippet": "const doc = yaml.load(fs.readFileSync(p, 'utf8'));",
439
- "pathSteps": [],
440
- "sanitizers": [],
441
- "guards": []
442
- },
443
- "considered": {
444
- "suppressionsApplied": [],
445
- "suppressionsSkipped": [],
446
- "reachabilityFilter": "unaffected",
447
- "clusterCollapsed": false,
448
- "typeNarrowed": false,
449
- "crownJewelTier": "unknown",
450
- "mitigationVerdict": "unreachable-in-prod"
451
- },
452
- "scanner": {
453
- "rulesetVersion": null,
454
- "packHash": null,
455
- "modelId": null
456
- }
457
- },
458
- "adversaryTranscript": null,
459
- "predictedBountyUsd": {
460
- "low": 10,
461
- "likely": 40,
462
- "high": 120,
463
- "program": "web2"
464
- },
465
- "bountyConfidence": "high",
466
- "attackPlaybook": null
467
- },
468
- {
469
- "id": "struct:llm-function-extract.js:24:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
470
- "kind": "sast",
471
- "severity": "medium",
472
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
473
- "cwe": "CWE-400",
474
- "owaspLlm": null,
475
- "stride": "Denial of Service",
476
- "file": "llm-function-extract.js",
477
- "line": 24,
478
- "snippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
479
- "fix": null,
480
- "reachable": false,
481
- "triage": 22,
482
- "dataClasses": [],
483
- "chain": null,
484
- "confidence": 0.212,
485
- "toxicity": 28,
486
- "toxicityFactors": [
487
- "http-facing"
488
- ],
489
- "toxicityLabel": "Medium",
490
- "sources": null,
491
- "epssScore": null,
492
- "epssPercentile": null,
493
- "epssCve": null,
494
- "exploitedNow": false,
495
- "tags": null,
496
- "blastRadius": {
497
- "scope": "all-users",
498
- "dataAtRisk": [
499
- "config"
500
- ],
501
- "userCount": 50,
502
- "industry": "generic",
503
- "jurisdictions": [],
504
- "controlsApplied": [],
505
- "dollarBest": 23250,
506
- "dollarLikely": 136250,
507
- "dollarWorst": 775000,
508
- "dollarLow": 23250,
509
- "dollarHigh": 775000,
510
- "components": {
511
- "incidentResponse": {
512
- "low": 8000,
513
- "likely": 50000,
514
- "high": 250000
515
- },
516
- "legal": {
517
- "low": 10000,
518
- "likely": 75000,
519
- "high": 500000
520
- },
521
- "crisisPR": {
522
- "low": 0,
523
- "likely": 0,
524
- "high": 0
525
- },
526
- "notification": {
527
- "low": 5000,
528
- "likely": 10000,
529
- "high": 15000
530
- },
531
- "creditMonitoring": {
532
- "low": 0,
533
- "likely": 0,
534
- "high": 0
535
- },
536
- "regulatoryFines": {
537
- "low": 0,
538
- "likely": 0,
539
- "high": 0
540
- },
541
- "directDamage": {
542
- "low": 250,
543
- "likely": 1250,
544
- "high": 10000
545
- },
546
- "classAction": {
547
- "low": 0,
548
- "likely": 0,
549
- "high": 0
550
- },
551
- "lostBusiness": {
552
- "low": 0,
553
- "likely": 0,
554
- "high": 0
555
- }
556
- },
557
- "dominantDriver": "legal counsel",
558
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
559
- "confidence": "low",
560
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `llm-function-extract.js:24` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
561
- },
562
- "stableId": "0c8c5b613b013dda",
563
- "confidenceTier": "very-low",
564
- "exploitability": 0.2,
565
- "exploitabilityTier": "low",
566
- "exploitabilityFactors": [
567
- "sev:medium",
568
- "unreachable"
569
- ],
570
- "clusterSize": null,
571
- "unreachable": false,
572
- "validator_verdict": "unvalidated",
573
- "llm_confidence": null,
574
- "unvalidated": true,
575
- "cross_language": false,
576
- "family": "dos-sync-io",
577
- "parser": "STRUCTURAL",
578
- "_unsigned": false,
579
- "_passThroughSigning": false,
580
- "signatureStatus": "verified",
581
- "regression_test": null,
582
- "poc": null,
583
- "calibrated_confidence": null,
584
- "calibrated_confidence_ci": null,
585
- "calibrated_n": 0,
586
- "calibration_reason": "no-history",
587
- "verifier_verdict": "cannot-verify",
588
- "verifier_reason": "no-poc-no-sanitizer-rule",
589
- "verifier_runner": null,
590
- "narration": null,
591
- "mitigationVerdict": "unreachable-in-prod",
592
- "mitigationsApplied": [],
593
- "mitigatedByWaf": false,
594
- "wafRuleId": null,
595
- "mitigatedByAuth": false,
596
- "authMechanism": null,
597
- "mitigatedByNetwork": false,
598
- "networkExposure": null,
599
- "featureFlag": null,
600
- "featureFlagState": null,
601
- "featureFlagRollout": null,
602
- "exposedInProd": false,
603
- "unreachableInProd": true,
604
- "coldPath": false,
605
- "hotPath": false,
606
- "prodRequestCount": null,
607
- "crownJewelScore": 0.1,
608
- "crownJewelTier": "low-value",
609
- "crownJewelFactors": [
610
- "reads-secret-env"
611
- ],
612
- "cloneClusterId": "b8a597058e30c50c",
613
- "cloneClusterSize": 1,
614
- "provenance": "human-likely",
615
- "provenanceScore": 0.04,
616
- "typeNarrowed": null,
617
- "strideCategory": "denialOfService",
618
- "personaScores": {
619
- "script-kiddie": {
620
- "score": 0.4,
621
- "tier": "medium",
622
- "factors": [
623
- "sev:medium"
624
- ]
625
- },
626
- "opportunistic-criminal": {
627
- "score": 0.4,
628
- "tier": "medium",
629
- "factors": [
630
- "sev:medium"
631
- ]
632
- },
633
- "apt-nation-state": {
634
- "score": 0.4,
635
- "tier": "medium",
636
- "factors": [
637
- "sev:medium"
638
- ]
639
- },
640
- "supply-chain-attacker": {
641
- "score": 0.4,
642
- "tier": "medium",
643
- "factors": [
644
- "sev:medium"
645
- ]
646
- },
647
- "malicious-insider": {
648
- "score": 0.4,
649
- "tier": "medium",
650
- "factors": [
651
- "sev:medium"
652
- ]
653
- }
654
- },
655
- "personaTopTwo": [
656
- "script-kiddie",
657
- "opportunistic-criminal"
658
- ],
659
- "personaMaxName": "script-kiddie",
660
- "personaMaxScore": 0.4,
661
- "reverseExposure": null,
662
- "specMined": null,
663
- "whyFired": {
664
- "detector": "sast/dos-sync-io",
665
- "ruleId": "CWE-400",
666
- "parser": "STRUCTURAL",
667
- "evidence": {
668
- "sinkSnippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
669
- "sourceSnippet": "return JSON.parse(fs.readFileSync(fp, 'utf8'));",
670
- "pathSteps": [],
671
- "sanitizers": [],
672
- "guards": []
673
- },
674
- "considered": {
675
- "suppressionsApplied": [],
676
- "suppressionsSkipped": [],
677
- "reachabilityFilter": "unaffected",
678
- "clusterCollapsed": false,
679
- "typeNarrowed": false,
680
- "crownJewelTier": "low-value",
681
- "mitigationVerdict": "unreachable-in-prod"
682
- },
683
- "scanner": {
684
- "rulesetVersion": null,
685
- "packHash": null,
686
- "modelId": null
687
- }
688
- },
689
- "adversaryTranscript": null,
690
- "predictedBountyUsd": {
691
- "low": 10,
692
- "likely": 40,
693
- "high": 120,
694
- "program": "web2"
695
- },
696
- "bountyConfidence": "high",
697
- "attackPlaybook": null
698
- },
699
- {
700
- "id": "struct:llm-function-extract.js:31:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
701
- "kind": "sast",
702
- "severity": "medium",
703
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
704
- "cwe": "CWE-400",
705
- "owaspLlm": null,
706
- "stride": "Denial of Service",
707
- "file": "llm-function-extract.js",
708
- "line": 31,
709
- "snippet": "fs.writeFileSync(path.join(CACHE_DIR, _cacheKey(osvId) + '.json'), JSON.stringify(data));",
710
- "fix": null,
711
- "reachable": false,
712
- "triage": 22,
713
- "dataClasses": [],
714
- "chain": null,
715
- "confidence": 0.212,
716
- "toxicity": 28,
717
- "toxicityFactors": [
718
- "http-facing"
719
- ],
720
- "toxicityLabel": "Medium",
721
- "sources": null,
722
- "epssScore": null,
723
- "epssPercentile": null,
724
- "epssCve": null,
725
- "exploitedNow": false,
726
- "tags": null,
727
- "blastRadius": {
728
- "scope": "all-users",
729
- "dataAtRisk": [
730
- "config"
731
- ],
732
- "userCount": 50,
733
- "industry": "generic",
734
- "jurisdictions": [],
735
- "controlsApplied": [],
736
- "dollarBest": 23250,
737
- "dollarLikely": 136250,
738
- "dollarWorst": 775000,
739
- "dollarLow": 23250,
740
- "dollarHigh": 775000,
741
- "components": {
742
- "incidentResponse": {
743
- "low": 8000,
744
- "likely": 50000,
745
- "high": 250000
746
- },
747
- "legal": {
748
- "low": 10000,
749
- "likely": 75000,
750
- "high": 500000
751
- },
752
- "crisisPR": {
753
- "low": 0,
754
- "likely": 0,
755
- "high": 0
756
- },
757
- "notification": {
758
- "low": 5000,
759
- "likely": 10000,
760
- "high": 15000
761
- },
762
- "creditMonitoring": {
763
- "low": 0,
764
- "likely": 0,
765
- "high": 0
766
- },
767
- "regulatoryFines": {
768
- "low": 0,
769
- "likely": 0,
770
- "high": 0
771
- },
772
- "directDamage": {
773
- "low": 250,
774
- "likely": 1250,
775
- "high": 10000
776
- },
777
- "classAction": {
778
- "low": 0,
779
- "likely": 0,
780
- "high": 0
781
- },
782
- "lostBusiness": {
783
- "low": 0,
784
- "likely": 0,
785
- "high": 0
786
- }
787
- },
788
- "dominantDriver": "legal counsel",
789
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
790
- "confidence": "low",
791
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `llm-function-extract.js:31` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
792
- },
793
- "stableId": "9c296e2c3069fe33",
794
- "confidenceTier": "very-low",
795
- "exploitability": 0.2,
796
- "exploitabilityTier": "low",
797
- "exploitabilityFactors": [
798
- "sev:medium",
799
- "unreachable"
800
- ],
801
- "clusterSize": null,
802
- "unreachable": false,
803
- "validator_verdict": "unvalidated",
804
- "llm_confidence": null,
805
- "unvalidated": true,
806
- "cross_language": false,
807
- "family": "dos-sync-io",
808
- "parser": "STRUCTURAL",
809
- "_unsigned": false,
810
- "_passThroughSigning": false,
811
- "signatureStatus": "verified",
812
- "regression_test": null,
813
- "poc": null,
814
- "calibrated_confidence": null,
815
- "calibrated_confidence_ci": null,
816
- "calibrated_n": 0,
817
- "calibration_reason": "no-history",
818
- "verifier_verdict": "cannot-verify",
819
- "verifier_reason": "no-poc-no-sanitizer-rule",
820
- "verifier_runner": null,
821
- "narration": null,
822
- "mitigationVerdict": "unreachable-in-prod",
823
- "mitigationsApplied": [],
824
- "mitigatedByWaf": false,
825
- "wafRuleId": null,
826
- "mitigatedByAuth": false,
827
- "authMechanism": null,
828
- "mitigatedByNetwork": false,
829
- "networkExposure": null,
830
- "featureFlag": null,
831
- "featureFlagState": null,
832
- "featureFlagRollout": null,
833
- "exposedInProd": false,
834
- "unreachableInProd": true,
835
- "coldPath": false,
836
- "hotPath": false,
837
- "prodRequestCount": null,
838
- "crownJewelScore": 0.1,
839
- "crownJewelTier": "low-value",
840
- "crownJewelFactors": [
841
- "reads-secret-env"
842
- ],
843
- "cloneClusterId": "f4d8f5169ad2f78e",
844
- "cloneClusterSize": 1,
845
- "provenance": "human-likely",
846
- "provenanceScore": 0.04,
847
- "typeNarrowed": null,
848
- "strideCategory": "denialOfService",
849
- "personaScores": {
850
- "script-kiddie": {
851
- "score": 0.4,
852
- "tier": "medium",
853
- "factors": [
854
- "sev:medium"
855
- ]
856
- },
857
- "opportunistic-criminal": {
858
- "score": 0.4,
859
- "tier": "medium",
860
- "factors": [
861
- "sev:medium"
862
- ]
863
- },
864
- "apt-nation-state": {
865
- "score": 0.4,
866
- "tier": "medium",
867
- "factors": [
868
- "sev:medium"
869
- ]
870
- },
871
- "supply-chain-attacker": {
872
- "score": 0.4,
873
- "tier": "medium",
874
- "factors": [
875
- "sev:medium"
876
- ]
877
- },
878
- "malicious-insider": {
879
- "score": 0.4,
880
- "tier": "medium",
881
- "factors": [
882
- "sev:medium"
883
- ]
884
- }
885
- },
886
- "personaTopTwo": [
887
- "script-kiddie",
888
- "opportunistic-criminal"
889
- ],
890
- "personaMaxName": "script-kiddie",
891
- "personaMaxScore": 0.4,
892
- "reverseExposure": null,
893
- "specMined": null,
894
- "whyFired": {
895
- "detector": "sast/dos-sync-io",
896
- "ruleId": "CWE-400",
897
- "parser": "STRUCTURAL",
898
- "evidence": {
899
- "sinkSnippet": "fs.writeFileSync(path.join(CACHE_DIR, _cacheKey(osvId) + '.json'), JSON.stringify(data));",
900
- "sourceSnippet": "fs.writeFileSync(path.join(CACHE_DIR, _cacheKey(osvId) + '.json'), JSON.stringify(data));",
901
- "pathSteps": [],
902
- "sanitizers": [],
903
- "guards": []
904
- },
905
- "considered": {
906
- "suppressionsApplied": [],
907
- "suppressionsSkipped": [],
908
- "reachabilityFilter": "unaffected",
909
- "clusterCollapsed": false,
910
- "typeNarrowed": false,
911
- "crownJewelTier": "low-value",
912
- "mitigationVerdict": "unreachable-in-prod"
913
- },
914
- "scanner": {
915
- "rulesetVersion": null,
916
- "packHash": null,
917
- "modelId": null
918
- }
919
- },
920
- "adversaryTranscript": null,
921
- "predictedBountyUsd": {
922
- "low": 10,
923
- "likely": 40,
924
- "high": 120,
925
- "program": "web2"
926
- },
927
- "bountyConfidence": "high",
928
- "attackPlaybook": null
929
- },
930
- {
931
- "id": "struct:sarif-ingest.js:112:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
932
- "kind": "sast",
933
- "severity": "medium",
934
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
935
- "cwe": "CWE-400",
936
- "owaspLlm": null,
937
- "stride": "Denial of Service",
938
- "file": "sarif-ingest.js",
939
- "line": 112,
940
- "snippet": "try { raw = fs.readFileSync(filePath, 'utf8'); }",
941
- "fix": null,
942
- "reachable": false,
943
- "triage": 22,
944
- "dataClasses": [],
945
- "chain": null,
946
- "confidence": 0.212,
947
- "toxicity": 28,
948
- "toxicityFactors": [
949
- "http-facing"
950
- ],
951
- "toxicityLabel": "Medium",
952
- "sources": null,
953
- "epssScore": null,
954
- "epssPercentile": null,
955
- "epssCve": null,
956
- "exploitedNow": false,
957
- "tags": null,
958
- "blastRadius": {
959
- "scope": "all-users",
960
- "dataAtRisk": [
961
- "config"
962
- ],
963
- "userCount": 50,
964
- "industry": "generic",
965
- "jurisdictions": [],
966
- "controlsApplied": [],
967
- "dollarBest": 23250,
968
- "dollarLikely": 136250,
969
- "dollarWorst": 775000,
970
- "dollarLow": 23250,
971
- "dollarHigh": 775000,
972
- "components": {
973
- "incidentResponse": {
974
- "low": 8000,
975
- "likely": 50000,
976
- "high": 250000
977
- },
978
- "legal": {
979
- "low": 10000,
980
- "likely": 75000,
981
- "high": 500000
982
- },
983
- "crisisPR": {
984
- "low": 0,
985
- "likely": 0,
986
- "high": 0
987
- },
988
- "notification": {
989
- "low": 5000,
990
- "likely": 10000,
991
- "high": 15000
992
- },
993
- "creditMonitoring": {
994
- "low": 0,
995
- "likely": 0,
996
- "high": 0
997
- },
998
- "regulatoryFines": {
999
- "low": 0,
1000
- "likely": 0,
1001
- "high": 0
1002
- },
1003
- "directDamage": {
1004
- "low": 250,
1005
- "likely": 1250,
1006
- "high": 10000
1007
- },
1008
- "classAction": {
1009
- "low": 0,
1010
- "likely": 0,
1011
- "high": 0
1012
- },
1013
- "lostBusiness": {
1014
- "low": 0,
1015
- "likely": 0,
1016
- "high": 0
1017
- }
1018
- },
1019
- "dominantDriver": "legal counsel",
1020
- "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1021
- "confidence": "low",
1022
- "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `sarif-ingest.js:112` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1023
- },
1024
- "stableId": "67c20060ced40339",
1025
- "confidenceTier": "very-low",
1026
- "exploitability": 0.2,
1027
- "exploitabilityTier": "low",
1028
- "exploitabilityFactors": [
1029
- "sev:medium",
1030
- "unreachable"
1031
- ],
1032
- "clusterSize": null,
1033
- "unreachable": false,
1034
- "validator_verdict": "unvalidated",
1035
- "llm_confidence": null,
1036
- "unvalidated": true,
1037
- "cross_language": false,
1038
- "family": "dos-sync-io",
1039
- "parser": "STRUCTURAL",
1040
- "_unsigned": false,
1041
- "_passThroughSigning": false,
1042
- "signatureStatus": "verified",
1043
- "regression_test": null,
1044
- "poc": null,
1045
- "calibrated_confidence": null,
1046
- "calibrated_confidence_ci": null,
1047
- "calibrated_n": 0,
1048
- "calibration_reason": "no-history",
1049
- "verifier_verdict": "cannot-verify",
1050
- "verifier_reason": "no-poc-no-sanitizer-rule",
1051
- "verifier_runner": null,
1052
- "narration": null,
1053
- "mitigationVerdict": "unreachable-in-prod",
1054
- "mitigationsApplied": [],
1055
- "mitigatedByWaf": false,
1056
- "wafRuleId": null,
1057
- "mitigatedByAuth": false,
1058
- "authMechanism": null,
1059
- "mitigatedByNetwork": false,
1060
- "networkExposure": null,
1061
- "featureFlag": null,
1062
- "featureFlagState": null,
1063
- "featureFlagRollout": null,
1064
- "exposedInProd": false,
1065
- "unreachableInProd": true,
1066
- "coldPath": false,
1067
- "hotPath": false,
1068
- "prodRequestCount": null,
1069
- "crownJewelScore": 0,
1070
- "crownJewelTier": "unknown",
1071
- "crownJewelFactors": [],
1072
- "cloneClusterId": "c5704ff81dc82f80",
1073
- "cloneClusterSize": 1,
1074
- "provenance": "human-likely",
1075
- "provenanceScore": 0.04,
1076
- "typeNarrowed": null,
1077
- "strideCategory": "denialOfService",
1078
- "personaScores": {
1079
- "script-kiddie": {
1080
- "score": 0.4,
1081
- "tier": "medium",
1082
- "factors": [
1083
- "sev:medium"
1084
- ]
1085
- },
1086
- "opportunistic-criminal": {
1087
- "score": 0.4,
1088
- "tier": "medium",
1089
- "factors": [
1090
- "sev:medium"
1091
- ]
1092
- },
1093
- "apt-nation-state": {
1094
- "score": 0.4,
1095
- "tier": "medium",
1096
- "factors": [
1097
- "sev:medium"
1098
- ]
1099
- },
1100
- "supply-chain-attacker": {
1101
- "score": 0.4,
1102
- "tier": "medium",
1103
- "factors": [
1104
- "sev:medium"
1105
- ]
1106
- },
1107
- "malicious-insider": {
1108
- "score": 0.4,
1109
- "tier": "medium",
1110
- "factors": [
1111
- "sev:medium"
1112
- ]
1113
- }
1114
- },
1115
- "personaTopTwo": [
1116
- "script-kiddie",
1117
- "opportunistic-criminal"
1118
- ],
1119
- "personaMaxName": "script-kiddie",
1120
- "personaMaxScore": 0.4,
1121
- "reverseExposure": null,
1122
- "specMined": null,
1123
- "whyFired": {
1124
- "detector": "sast/dos-sync-io",
1125
- "ruleId": "CWE-400",
1126
- "parser": "STRUCTURAL",
1127
- "evidence": {
1128
- "sinkSnippet": "try { raw = fs.readFileSync(filePath, 'utf8'); }",
1129
- "sourceSnippet": "try { raw = fs.readFileSync(filePath, 'utf8'); }",
1130
- "pathSteps": [],
1131
- "sanitizers": [],
1132
- "guards": []
1133
- },
1134
- "considered": {
1135
- "suppressionsApplied": [],
1136
- "suppressionsSkipped": [],
1137
- "reachabilityFilter": "unaffected",
1138
- "clusterCollapsed": false,
1139
- "typeNarrowed": false,
1140
- "crownJewelTier": "unknown",
1141
- "mitigationVerdict": "unreachable-in-prod"
1142
- },
1143
- "scanner": {
1144
- "rulesetVersion": null,
1145
- "packHash": null,
1146
- "modelId": null
1147
- }
1148
- },
1149
- "adversaryTranscript": null,
1150
- "predictedBountyUsd": {
1151
- "low": 10,
1152
- "likely": 40,
1153
- "high": 120,
1154
- "program": "web2"
1155
- },
1156
- "bountyConfidence": "high",
1157
- "attackPlaybook": null
1158
- },
1159
- {
1160
- "id": "toctou-fs:dep-confusion.js:56",
1161
- "kind": "sast",
1162
- "severity": "medium",
1163
- "vuln": "TOCTOU: file existence/permission check before open",
1164
- "cwe": "CWE-367",
1165
- "owaspLlm": null,
1166
- "stride": "Tampering",
1167
- "file": "dep-confusion.js",
1168
- "line": 56,
1169
- "snippet": "if (!fs.existsSync(p)) continue;",
1170
- "fix": null,
1171
- "reachable": false,
1172
- "triage": 22,
1173
- "dataClasses": [],
1174
- "chain": null,
1175
- "confidence": 0.7,
1176
- "toxicity": 8,
1177
- "toxicityFactors": [],
1178
- "toxicityLabel": "Low",
1179
- "sources": null,
1180
- "epssScore": null,
1181
- "epssPercentile": null,
1182
- "epssCve": null,
1183
- "exploitedNow": false,
1184
- "tags": null,
1185
- "blastRadius": {
1186
- "scope": "all-users",
1187
- "dataAtRisk": [
1188
- "config"
1189
- ],
1190
- "userCount": 50,
1191
- "industry": "generic",
1192
- "jurisdictions": [],
1193
- "controlsApplied": [],
1194
- "dollarBest": 23250,
1195
- "dollarLikely": 136250,
1196
- "dollarWorst": 775000,
1197
- "dollarLow": 23250,
1198
- "dollarHigh": 775000,
1199
- "components": {
1200
- "incidentResponse": {
1201
- "low": 8000,
1202
- "likely": 50000,
1203
- "high": 250000
1204
- },
1205
- "legal": {
1206
- "low": 10000,
1207
- "likely": 75000,
1208
- "high": 500000
1209
- },
1210
- "crisisPR": {
1211
- "low": 0,
1212
- "likely": 0,
1213
- "high": 0
1214
- },
1215
- "notification": {
1216
- "low": 5000,
1217
- "likely": 10000,
1218
- "high": 15000
1219
- },
1220
- "creditMonitoring": {
1221
- "low": 0,
1222
- "likely": 0,
1223
- "high": 0
1224
- },
1225
- "regulatoryFines": {
1226
- "low": 0,
1227
- "likely": 0,
1228
- "high": 0
1229
- },
1230
- "directDamage": {
1231
- "low": 250,
1232
- "likely": 1250,
1233
- "high": 10000
1234
- },
1235
- "classAction": {
1236
- "low": 0,
1237
- "likely": 0,
1238
- "high": 0
1239
- },
1240
- "lostBusiness": {
1241
- "low": 0,
1242
- "likely": 0,
1243
- "high": 0
1244
- }
1245
- },
1246
- "dominantDriver": "legal counsel",
1247
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1248
- "confidence": "low",
1249
- "narrative": "TOCTOU: file existence/permission check before open on `dep-confusion.js:56` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1250
- },
1251
- "stableId": "3beec8624848d7de",
1252
- "confidenceTier": "medium",
1253
- "exploitability": 0.2,
1254
- "exploitabilityTier": "low",
1255
- "exploitabilityFactors": [
1256
- "sev:medium",
1257
- "unreachable"
1258
- ],
1259
- "clusterSize": null,
1260
- "unreachable": false,
1261
- "validator_verdict": "unvalidated",
1262
- "llm_confidence": null,
1263
- "unvalidated": true,
1264
- "cross_language": false,
1265
- "family": "toctou-file-existence-permission-check-b",
1266
- "parser": "TOCTOU",
1267
- "_unsigned": false,
1268
- "_passThroughSigning": false,
1269
- "signatureStatus": "verified",
1270
- "regression_test": null,
1271
- "poc": null,
1272
- "calibrated_confidence": null,
1273
- "calibrated_confidence_ci": null,
1274
- "calibrated_n": 0,
1275
- "calibration_reason": "no-history",
1276
- "verifier_verdict": "cannot-verify",
1277
- "verifier_reason": "no-poc-no-sanitizer-rule",
1278
- "verifier_runner": null,
1279
- "narration": null,
1280
- "mitigationVerdict": "unreachable-in-prod",
1281
- "mitigationsApplied": [],
1282
- "mitigatedByWaf": false,
1283
- "wafRuleId": null,
1284
- "mitigatedByAuth": false,
1285
- "authMechanism": null,
1286
- "mitigatedByNetwork": false,
1287
- "networkExposure": null,
1288
- "featureFlag": null,
1289
- "featureFlagState": null,
1290
- "featureFlagRollout": null,
1291
- "exposedInProd": false,
1292
- "unreachableInProd": true,
1293
- "coldPath": false,
1294
- "hotPath": false,
1295
- "prodRequestCount": null,
1296
- "crownJewelScore": 0,
1297
- "crownJewelTier": "unknown",
1298
- "crownJewelFactors": [],
1299
- "cloneClusterId": "eed315f4ee037434",
1300
- "cloneClusterSize": 2,
1301
- "provenance": "human-likely",
1302
- "provenanceScore": 0,
1303
- "typeNarrowed": null,
1304
- "strideCategory": "tampering",
1305
- "personaScores": {
1306
- "script-kiddie": {
1307
- "score": 0.4,
1308
- "tier": "medium",
1309
- "factors": [
1310
- "sev:medium"
1311
- ]
1312
- },
1313
- "opportunistic-criminal": {
1314
- "score": 0.4,
1315
- "tier": "medium",
1316
- "factors": [
1317
- "sev:medium"
1318
- ]
1319
- },
1320
- "apt-nation-state": {
1321
- "score": 0.4,
1322
- "tier": "medium",
1323
- "factors": [
1324
- "sev:medium"
1325
- ]
1326
- },
1327
- "supply-chain-attacker": {
1328
- "score": 0.4,
1329
- "tier": "medium",
1330
- "factors": [
1331
- "sev:medium"
1332
- ]
1333
- },
1334
- "malicious-insider": {
1335
- "score": 0.4,
1336
- "tier": "medium",
1337
- "factors": [
1338
- "sev:medium"
1339
- ]
1340
- }
1341
- },
1342
- "personaTopTwo": [
1343
- "script-kiddie",
1344
- "opportunistic-criminal"
1345
- ],
1346
- "personaMaxName": "script-kiddie",
1347
- "personaMaxScore": 0.4,
1348
- "reverseExposure": null,
1349
- "specMined": null,
1350
- "whyFired": {
1351
- "detector": "sast/toctou-file-existence-permission-check-b",
1352
- "ruleId": "CWE-367",
1353
- "parser": "TOCTOU",
1354
- "evidence": {
1355
- "sinkSnippet": "if (!fs.existsSync(p)) continue;",
1356
- "sourceSnippet": null,
1357
- "pathSteps": [],
1358
- "sanitizers": [],
1359
- "guards": []
1360
- },
1361
- "considered": {
1362
- "suppressionsApplied": [],
1363
- "suppressionsSkipped": [],
1364
- "reachabilityFilter": "unaffected",
1365
- "clusterCollapsed": false,
1366
- "typeNarrowed": false,
1367
- "crownJewelTier": "unknown",
1368
- "mitigationVerdict": "unreachable-in-prod"
1369
- },
1370
- "scanner": {
1371
- "rulesetVersion": null,
1372
- "packHash": null,
1373
- "modelId": null
1374
- }
1375
- },
1376
- "adversaryTranscript": null,
1377
- "predictedBountyUsd": null,
1378
- "bountyConfidence": null,
1379
- "attackPlaybook": null
1380
- },
1381
- {
1382
- "id": "logic:dep-confusion.js:56:TOCTOU:_existsSync_followed_by_file_op",
1383
- "kind": "logic",
1384
- "severity": "medium",
1385
- "vuln": "TOCTOU: existsSync followed by file op",
1386
- "cwe": "CWE-367",
1387
- "stride": "Tampering",
1388
- "file": "dep-confusion.js",
1389
- "line": 56,
1390
- "snippet": "if (!fs.existsSync(p)) continue;",
1391
- "fix": {
1392
- "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
1393
- "code": ""
1394
- },
1395
- "blastRadius": {
1396
- "scope": "all-users",
1397
- "dataAtRisk": [
1398
- "config"
1399
- ],
1400
- "userCount": 50,
1401
- "industry": "generic",
1402
- "jurisdictions": [],
1403
- "controlsApplied": [],
1404
- "dollarBest": 23250,
1405
- "dollarLikely": 136250,
1406
- "dollarWorst": 775000,
1407
- "dollarLow": 23250,
1408
- "dollarHigh": 775000,
1409
- "components": {
1410
- "incidentResponse": {
1411
- "low": 8000,
1412
- "likely": 50000,
1413
- "high": 250000
1414
- },
1415
- "legal": {
1416
- "low": 10000,
1417
- "likely": 75000,
1418
- "high": 500000
1419
- },
1420
- "crisisPR": {
1421
- "low": 0,
1422
- "likely": 0,
1423
- "high": 0
1424
- },
1425
- "notification": {
1426
- "low": 5000,
1427
- "likely": 10000,
1428
- "high": 15000
1429
- },
1430
- "creditMonitoring": {
1431
- "low": 0,
1432
- "likely": 0,
1433
- "high": 0
1434
- },
1435
- "regulatoryFines": {
1436
- "low": 0,
1437
- "likely": 0,
1438
- "high": 0
1439
- },
1440
- "directDamage": {
1441
- "low": 250,
1442
- "likely": 1250,
1443
- "high": 10000
1444
- },
1445
- "classAction": {
1446
- "low": 0,
1447
- "likely": 0,
1448
- "high": 0
1449
- },
1450
- "lostBusiness": {
1451
- "low": 0,
1452
- "likely": 0,
1453
- "high": 0
1454
- }
1455
- },
1456
- "dominantDriver": "legal counsel",
1457
- "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
1458
- "confidence": "low",
1459
- "narrative": "TOCTOU: existsSync followed by file op on `dep-confusion.js:56` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
1460
- },
1461
- "parser": "LOGIC",
1462
- "family": null
1463
- }
1464
- ],
1465
- "bundles": [],
1466
- "routes": [],
1467
- "components": [],
1468
- "suppressedCount": 4,
1469
- "blastRadiusSignals": {
1470
- "industry": "generic",
1471
- "industryConfidence": "low",
1472
- "jurisdictions": [],
1473
- "controls": [],
1474
- "estimatedUsers": 50,
1475
- "revenueIndicator": "pre-revenue",
1476
- "hasStripe": false,
1477
- "hasAuth": false,
1478
- "hasUserTable": false,
1479
- "hasPII": false,
1480
- "hasPHI": false,
1481
- "hasS3": false
1482
- },
1483
- "_v3": {
1484
- "counterfactual": {
1485
- "spofControls": [],
1486
- "controlsDetected": 95
1487
- },
1488
- "threatModel": {
1489
- "summary": {
1490
- "assetCount": 1,
1491
- "boundaryCount": 0,
1492
- "strideCounts": {
1493
- "spoofing": 0,
1494
- "tampering": 1,
1495
- "repudiation": 0,
1496
- "informationDisclosure": 0,
1497
- "denialOfService": 5,
1498
- "elevationOfPrivilege": 0
1499
- }
1500
- },
1501
- "assets": [
1502
- {
1503
- "name": "AGENTIC_SECURITY_LLM_API_KEY",
1504
- "file": "llm-function-extract.js",
1505
- "line": 41,
1506
- "category": "secret",
1507
- "exposure": "internal"
1508
- }
1509
- ],
1510
- "trustBoundaries": [],
1511
- "stride": {
1512
- "spoofing": [],
1513
- "tampering": [
1514
- {
1515
- "vuln": "TOCTOU: file existence/permission check before open",
1516
- "file": "dep-confusion.js",
1517
- "line": 56,
1518
- "severity": "medium"
1519
- }
1520
- ],
1521
- "repudiation": [],
1522
- "informationDisclosure": [],
1523
- "denialOfService": [
1524
- {
1525
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1526
- "file": "dep-confusion.js",
1527
- "severity": "medium"
1528
- },
1529
- {
1530
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1531
- "file": "dep-confusion.js",
1532
- "severity": "medium"
1533
- },
1534
- {
1535
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1536
- "file": "llm-function-extract.js",
1537
- "severity": "medium"
1538
- },
1539
- {
1540
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1541
- "file": "llm-function-extract.js",
1542
- "severity": "medium"
1543
- },
1544
- {
1545
- "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1546
- "file": "sarif-ingest.js",
1547
- "severity": "medium"
1548
- }
1549
- ],
1550
- "elevationOfPrivilege": []
1551
- }
1552
- },
1553
- "trustBoundaryDiagram": {
1554
- "mermaid": "flowchart LR\n INTERNET((Internet))\n APP[\"Application\"]\n asset_secret_AGENTIC_SECURITY_LLM_API_KEY[/\"secret: AGENTIC_SECURITY_LLM_API_KEY\"/]\n APP -->|asset| asset_secret_AGENTIC_SECURITY_LLM_API_KEY\n classDef sev_critical fill:#ffcccc,stroke:#a00,stroke-width:2px;\n classDef sev_high fill:#ffe0b2,stroke:#c60,stroke-width:2px;\n classDef sev_medium fill:#fff3cd,stroke:#a80;\n classDef sev_low fill:#e8eaf6,stroke:#557;",
1555
- "nodes": [
1556
- {
1557
- "id": "INTERNET",
1558
- "kind": "external",
1559
- "label": "Internet"
1560
- },
1561
- {
1562
- "id": "APP",
1563
- "kind": "app",
1564
- "label": "Application"
1565
- },
1566
- {
1567
- "id": "asset_secret_AGENTIC_SECURITY_LLM_API_KEY",
1568
- "kind": "asset",
1569
- "label": "secret: AGENTIC_SECURITY_LLM_API_KEY"
1570
- }
1571
- ],
1572
- "edges": [
1573
- {
1574
- "from": "APP",
1575
- "to": "asset_secret_AGENTIC_SECURITY_LLM_API_KEY",
1576
- "kind": "asset"
1577
- }
1578
- ],
1579
- "decorations": []
1580
- },
1581
- "calibrationDrift": {
1582
- "alarms": [],
1583
- "note": "no-feedback-data"
1584
- }
1585
- },
1586
- "annotatorErrors": []
1587
- }