@clear-capabilities/agentic-security-scanner 0.79.0 → 0.84.1

Files changed (122) hide show
  1. package/dist/178.index.js +1 -1
  2. package/dist/333.index.js +283 -0
  3. package/dist/384.index.js +1 -1
  4. package/dist/637.index.js +1 -1
  5. package/dist/838.index.js +1 -1
  6. package/dist/839.index.js +170 -0
  7. package/dist/985.index.js +140 -1
  8. package/dist/agentic-security.mjs +10 -10
  9. package/dist/agentic-security.mjs.sha256 +1 -1
  10. package/package.json +7 -5
  11. package/src/.agentic-security/findings.json +117732 -0
  12. package/src/.agentic-security/last-scan.json +117732 -0
  13. package/src/.agentic-security/last-scan.json.sig +1 -0
  14. package/src/.agentic-security/scan-history.json +12946 -0
  15. package/src/.agentic-security/streak.json +21 -0
  16. package/src/dataflow/.agentic-security/findings.json +6086 -0
  17. package/src/dataflow/.agentic-security/last-scan.json +6086 -0
  18. package/src/dataflow/.agentic-security/last-scan.json.sig +1 -0
  19. package/src/dataflow/.agentic-security/scan-history.json +250 -0
  20. package/src/dataflow/.agentic-security/streak.json +21 -0
  21. package/src/dataflow/cross-service-taint.js +201 -0
  22. package/src/dataflow/formal-verify.js +204 -0
  23. package/src/dataflow/ifds-precise.js +222 -0
  24. package/src/dataflow/k2-summary-cache.js +153 -0
  25. package/src/dataflow/lib-taint-summaries.js +198 -0
  26. package/src/dataflow/privacy-taint.js +205 -0
  27. package/src/dataflow/smt-feasibility.js +189 -0
  28. package/src/engine.js +825 -127
  29. package/src/ir/.agentic-security/findings.json +4011 -0
  30. package/src/ir/.agentic-security/last-scan.json +4011 -0
  31. package/src/ir/.agentic-security/last-scan.json.sig +1 -0
  32. package/src/ir/.agentic-security/scan-history.json +193 -0
  33. package/src/ir/.agentic-security/streak.json +20 -0
  34. package/src/ir/cpp-preprocessor.js +142 -0
  35. package/src/ir/csharp-ir.js +604 -0
  36. package/src/ir/universal-ir.js +403 -0
  37. package/src/mcp/.agentic-security/findings.json +8632 -0
  38. package/src/mcp/.agentic-security/last-scan.json +8632 -0
  39. package/src/mcp/.agentic-security/last-scan.json.sig +1 -0
  40. package/src/mcp/.agentic-security/scan-history.json +331 -0
  41. package/src/mcp/.agentic-security/streak.json +20 -0
  42. package/src/mcp/tools.js +140 -1
  43. package/src/posture/.agentic-security/findings.json +77181 -0
  44. package/src/posture/.agentic-security/last-scan.json +77181 -0
  45. package/src/posture/.agentic-security/last-scan.json.sig +1 -0
  46. package/src/posture/.agentic-security/scan-history.json +8904 -0
  47. package/src/posture/.agentic-security/streak.json +21 -0
  48. package/src/posture/api-contract.js +193 -0
  49. package/src/posture/attack-taxonomy.js +227 -0
  50. package/src/posture/auditor-walkthrough.js +252 -0
  51. package/src/posture/claude-authorship.js +197 -0
  52. package/src/posture/compliance-frameworks/.agentic-security/findings.json +80 -0
  53. package/src/posture/compliance-frameworks/.agentic-security/last-scan.json +80 -0
  54. package/src/posture/compliance-frameworks/.agentic-security/last-scan.json.sig +1 -0
  55. package/src/posture/compliance-frameworks/.agentic-security/scan-history.json +90 -0
  56. package/src/posture/compliance-frameworks/.agentic-security/streak.json +22 -0
  57. package/src/posture/compliance-frameworks/ccpa.json +32 -0
  58. package/src/posture/compliance-frameworks/eu-ai-act.json +51 -0
  59. package/src/posture/compliance-frameworks/gdpr.json +45 -0
  60. package/src/posture/compliance-frameworks/hipaa-security-rule.json +56 -0
  61. package/src/posture/compliance-frameworks/nist-ai-600-1.json +51 -0
  62. package/src/posture/compliance-frameworks/nist-csf-2.json +73 -0
  63. package/src/posture/compliance-frameworks/owasp-asvs-5.json +79 -0
  64. package/src/posture/compliance-frameworks/owasp-llm-top-10.json +69 -0
  65. package/src/posture/compliance-policy.js +218 -0
  66. package/src/posture/composite-risk.js +122 -0
  67. package/src/posture/cross-repo-memory.js +180 -0
  68. package/src/posture/csharp-analysis.js +330 -0
  69. package/src/posture/dep-add-guard.js +197 -0
  70. package/src/posture/exploit-bundle.js +210 -0
  71. package/src/posture/federated-learning.js +172 -0
  72. package/src/posture/findings-memory.js +152 -0
  73. package/src/posture/fix-style-mirror.js +118 -0
  74. package/src/posture/git-history.js +141 -0
  75. package/src/posture/intent-context.js +175 -0
  76. package/src/posture/license-attributions.js +94 -0
  77. package/src/posture/license-graph.js +238 -0
  78. package/src/posture/model-rescan.js +76 -0
  79. package/src/posture/pattern-propagation.js +39 -0
  80. package/src/posture/pqc-migration-plan.js +158 -0
  81. package/src/posture/pr-augment.js +234 -0
  82. package/src/posture/reachability-filter.js +33 -2
  83. package/src/posture/realtime-cve-monitor.js +214 -0
  84. package/src/posture/risk-dollars.js +158 -0
  85. package/src/posture/runtime-correlation.js +174 -0
  86. package/src/posture/sbom-diff.js +171 -0
  87. package/src/posture/sca-policy.js +235 -0
  88. package/src/posture/sca-upgrade.js +259 -0
  89. package/src/posture/threat-model-auto.js +268 -0
  90. package/src/posture/threat-model-grounding.js +169 -0
  91. package/src/posture/time-to-fix.js +129 -0
  92. package/src/posture/triage-learning.js +170 -0
  93. package/src/posture/triage-memory.js +151 -0
  94. package/src/posture/triage.js +40 -1
  95. package/src/posture/watch-mode.js +171 -0
  96. package/src/posture/workflow-installer.js +231 -0
  97. package/src/sast/.agentic-security/findings.json +6154 -0
  98. package/src/sast/.agentic-security/last-scan.json +6154 -0
  99. package/src/sast/.agentic-security/last-scan.json.sig +1 -0
  100. package/src/sast/.agentic-security/scan-history.json +941 -0
  101. package/src/sast/.agentic-security/streak.json +22 -0
  102. package/src/sast/_secret-entropy.js +145 -0
  103. package/src/sast/cloud-iam.js +312 -0
  104. package/src/sast/cpp.js +138 -4
  105. package/src/sast/crypto-protocol.js +388 -0
  106. package/src/sast/csharp-tokenizer.js +392 -0
  107. package/src/sast/csharp.js +924 -138
  108. package/src/sast/dapp-frontend.js +200 -0
  109. package/src/sast/k8s-admission.js +271 -0
  110. package/src/sast/llm-app.js +272 -0
  111. package/src/sast/ml-supply-chain.js +259 -0
  112. package/src/sast/mobile.js +224 -0
  113. package/src/sast/post-quantum-crypto.js +348 -0
  114. package/src/sast/web3-advanced.js +375 -0
  115. package/src/sca/.agentic-security/findings.json +7460 -0
  116. package/src/sca/.agentic-security/last-scan.json +7460 -0
  117. package/src/sca/.agentic-security/last-scan.json.sig +1 -0
  118. package/src/sca/.agentic-security/scan-history.json +113 -0
  119. package/src/sca/.agentic-security/streak.json +21 -0
  120. package/src/sca/CLAUDE.md +161 -0
  121. package/src/sca/binary-metadata.js +37 -15
  122. package/src/sca/sigstore-verify.js +215 -0
@@ -0,0 +1,4011 @@
1
+ {
2
+ "scanId": "dab30d60-68ee-499a-a5a0-9a73b9fc15de",
3
+ "startedAt": "2026-05-29T06:24:38.089Z",
4
+ "durationMs": 435,
5
+ "scanned": {
6
+ "files": 18,
7
+ "lines": 0
8
+ },
9
+ "findings": [
10
+ {
11
+ "id": "struct:parser-cs.js:208:Mass_Assignment_(req.body_Direct_to_Model)",
12
+ "kind": "sast",
13
+ "severity": "high",
14
+ "vuln": "Mass Assignment (req.body Direct to Model)",
15
+ "cwe": "CWE-915",
16
+ "owaspLlm": null,
17
+ "stride": "Tampering",
18
+ "file": "parser-cs.js",
19
+ "line": 208,
20
+ "snippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
21
+ "fix": null,
22
+ "reachable": false,
23
+ "triage": 39,
24
+ "dataClasses": [],
25
+ "chain": null,
26
+ "confidence": 0.314,
27
+ "toxicity": 35,
28
+ "toxicityFactors": [
29
+ "high-severity",
30
+ "http-facing"
31
+ ],
32
+ "toxicityLabel": "Medium",
33
+ "sources": null,
34
+ "epssScore": null,
35
+ "epssPercentile": null,
36
+ "epssCve": null,
37
+ "exploitedNow": false,
38
+ "tags": null,
39
+ "blastRadius": {
40
+ "scope": "all-users",
41
+ "dataAtRisk": [
42
+ "config"
43
+ ],
44
+ "userCount": 50,
45
+ "industry": "generic",
46
+ "jurisdictions": [],
47
+ "controlsApplied": [],
48
+ "dollarBest": 23250,
49
+ "dollarLikely": 136250,
50
+ "dollarWorst": 775000,
51
+ "dollarLow": 23250,
52
+ "dollarHigh": 775000,
53
+ "components": {
54
+ "incidentResponse": {
55
+ "low": 8000,
56
+ "likely": 50000,
57
+ "high": 250000
58
+ },
59
+ "legal": {
60
+ "low": 10000,
61
+ "likely": 75000,
62
+ "high": 500000
63
+ },
64
+ "crisisPR": {
65
+ "low": 0,
66
+ "likely": 0,
67
+ "high": 0
68
+ },
69
+ "notification": {
70
+ "low": 5000,
71
+ "likely": 10000,
72
+ "high": 15000
73
+ },
74
+ "creditMonitoring": {
75
+ "low": 0,
76
+ "likely": 0,
77
+ "high": 0
78
+ },
79
+ "regulatoryFines": {
80
+ "low": 0,
81
+ "likely": 0,
82
+ "high": 0
83
+ },
84
+ "directDamage": {
85
+ "low": 250,
86
+ "likely": 1250,
87
+ "high": 10000
88
+ },
89
+ "classAction": {
90
+ "low": 0,
91
+ "likely": 0,
92
+ "high": 0
93
+ },
94
+ "lostBusiness": {
95
+ "low": 0,
96
+ "likely": 0,
97
+ "high": 0
98
+ }
99
+ },
100
+ "dominantDriver": "legal counsel",
101
+ "comparable": "GitHub mass-assignment 2012 → public ridicule + emergency rebuild",
102
+ "confidence": "low",
103
+ "narrative": "Mass Assignment (req.body Direct to Model) on `parser-cs.js:208` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: GitHub mass-assignment 2012 → public ridicule + emergency rebuild."
104
+ },
105
+ "stableId": "1881a55e55ca05ef",
106
+ "confidenceTier": "low",
107
+ "exploitability": 0.45,
108
+ "exploitabilityTier": "medium",
109
+ "exploitabilityFactors": [
110
+ "sev:high",
111
+ "unreachable"
112
+ ],
113
+ "clusterSize": null,
114
+ "unreachable": false,
115
+ "validator_verdict": "unvalidated",
116
+ "llm_confidence": null,
117
+ "unvalidated": true,
118
+ "cross_language": false,
119
+ "family": "mass-assignment",
120
+ "parser": "STRUCTURAL",
121
+ "_unsigned": false,
122
+ "_passThroughSigning": false,
123
+ "signatureStatus": "verified",
124
+ "regression_test": null,
125
+ "poc": null,
126
+ "calibrated_confidence": null,
127
+ "calibrated_confidence_ci": null,
128
+ "calibrated_n": 5,
129
+ "calibration_reason": "insufficient-samples",
130
+ "verifier_verdict": "cannot-verify",
131
+ "verifier_reason": "no-poc-no-sanitizer-rule",
132
+ "verifier_runner": null,
133
+ "narration": "A finding of type \"Mass Assignment (req.body Direct to Model)\" at parser-cs.js:?. Severity: high. Review the remediation field for class-specific guidance.",
134
+ "mitigationVerdict": "unreachable-in-prod",
135
+ "mitigationsApplied": [],
136
+ "mitigatedByWaf": false,
137
+ "wafRuleId": null,
138
+ "mitigatedByAuth": false,
139
+ "authMechanism": null,
140
+ "mitigatedByNetwork": false,
141
+ "networkExposure": null,
142
+ "featureFlag": null,
143
+ "featureFlagState": null,
144
+ "featureFlagRollout": null,
145
+ "exposedInProd": false,
146
+ "unreachableInProd": true,
147
+ "coldPath": false,
148
+ "hotPath": false,
149
+ "prodRequestCount": null,
150
+ "crownJewelScore": 0.15,
151
+ "crownJewelTier": "low-value",
152
+ "crownJewelFactors": [
153
+ "shell-execution"
154
+ ],
155
+ "cloneClusterId": "a0c829a31c63bf1a",
156
+ "cloneClusterSize": 5,
157
+ "provenance": "human-likely",
158
+ "provenanceScore": 0.08,
159
+ "typeNarrowed": null,
160
+ "strideCategory": null,
161
+ "personaScores": {
162
+ "script-kiddie": {
163
+ "score": 0.65,
164
+ "tier": "high",
165
+ "factors": [
166
+ "sev:high"
167
+ ]
168
+ },
169
+ "opportunistic-criminal": {
170
+ "score": 0.85,
171
+ "tier": "critical",
172
+ "factors": [
173
+ "sev:high",
174
+ "bias:mass-assignment+0.20"
175
+ ]
176
+ },
177
+ "apt-nation-state": {
178
+ "score": 0.65,
179
+ "tier": "high",
180
+ "factors": [
181
+ "sev:high"
182
+ ]
183
+ },
184
+ "supply-chain-attacker": {
185
+ "score": 0.65,
186
+ "tier": "high",
187
+ "factors": [
188
+ "sev:high"
189
+ ]
190
+ },
191
+ "malicious-insider": {
192
+ "score": 1,
193
+ "tier": "critical",
194
+ "factors": [
195
+ "sev:high",
196
+ "bias:mass-assignment+0.25",
197
+ "authz-bypass-favored"
198
+ ]
199
+ }
200
+ },
201
+ "personaTopTwo": [
202
+ "malicious-insider",
203
+ "opportunistic-criminal"
204
+ ],
205
+ "personaMaxName": "malicious-insider",
206
+ "personaMaxScore": 1,
207
+ "reverseExposure": null,
208
+ "specMined": null,
209
+ "whyFired": {
210
+ "detector": "sast/mass-assignment",
211
+ "ruleId": "CWE-915",
212
+ "parser": "STRUCTURAL",
213
+ "evidence": {
214
+ "sinkSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
215
+ "sourceSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
216
+ "pathSteps": [],
217
+ "sanitizers": [],
218
+ "guards": []
219
+ },
220
+ "considered": {
221
+ "suppressionsApplied": [],
222
+ "suppressionsSkipped": [],
223
+ "reachabilityFilter": "unaffected",
224
+ "clusterCollapsed": false,
225
+ "typeNarrowed": false,
226
+ "crownJewelTier": "low-value",
227
+ "mitigationVerdict": "unreachable-in-prod"
228
+ },
229
+ "scanner": {
230
+ "rulesetVersion": null,
231
+ "packHash": null,
232
+ "modelId": null
233
+ }
234
+ },
235
+ "adversaryTranscript": null,
236
+ "predictedBountyUsd": {
237
+ "low": 50,
238
+ "likely": 200,
239
+ "high": 600,
240
+ "program": "web2"
241
+ },
242
+ "bountyConfidence": "medium",
243
+ "attackPlaybook": {
244
+ "cwe": "CWE-915",
245
+ "kind": "curl",
246
+ "title": "Mass assignment — privilege escalation probe",
247
+ "instruction": "Submit an extra field (role) on profile update; verify it sticks.",
248
+ "script": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test.\n# CWE-915 — Mass assignment\ncurl -s -i -X PATCH \"${TARGET_URL}/api/me\" \\\n -H \"Authorization: Bearer ${TEST_TOKEN}\" -H \"Content-Type: application/json\" \\\n -d '{\"name\":\"x\",\"role\":\"admin\"}'\n# Confirmed when subsequent /api/me returns role=admin.",
249
+ "ethics": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test."
250
+ }
251
+ },
252
+ {
253
+ "id": "struct:parser-go.js:253:Mass_Assignment_(req.body_Direct_to_Model)",
254
+ "kind": "sast",
255
+ "severity": "high",
256
+ "vuln": "Mass Assignment (req.body Direct to Model)",
257
+ "cwe": "CWE-915",
258
+ "owaspLlm": null,
259
+ "stride": "Tampering",
260
+ "file": "parser-go.js",
261
+ "line": 253,
262
+ "snippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
263
+ "fix": null,
264
+ "reachable": false,
265
+ "triage": 39,
266
+ "dataClasses": [],
267
+ "chain": null,
268
+ "confidence": 0.314,
269
+ "toxicity": 35,
270
+ "toxicityFactors": [
271
+ "high-severity",
272
+ "http-facing"
273
+ ],
274
+ "toxicityLabel": "Medium",
275
+ "sources": null,
276
+ "epssScore": null,
277
+ "epssPercentile": null,
278
+ "epssCve": null,
279
+ "exploitedNow": false,
280
+ "tags": null,
281
+ "blastRadius": {
282
+ "scope": "all-users",
283
+ "dataAtRisk": [
284
+ "config"
285
+ ],
286
+ "userCount": 50,
287
+ "industry": "generic",
288
+ "jurisdictions": [],
289
+ "controlsApplied": [],
290
+ "dollarBest": 23250,
291
+ "dollarLikely": 136250,
292
+ "dollarWorst": 775000,
293
+ "dollarLow": 23250,
294
+ "dollarHigh": 775000,
295
+ "components": {
296
+ "incidentResponse": {
297
+ "low": 8000,
298
+ "likely": 50000,
299
+ "high": 250000
300
+ },
301
+ "legal": {
302
+ "low": 10000,
303
+ "likely": 75000,
304
+ "high": 500000
305
+ },
306
+ "crisisPR": {
307
+ "low": 0,
308
+ "likely": 0,
309
+ "high": 0
310
+ },
311
+ "notification": {
312
+ "low": 5000,
313
+ "likely": 10000,
314
+ "high": 15000
315
+ },
316
+ "creditMonitoring": {
317
+ "low": 0,
318
+ "likely": 0,
319
+ "high": 0
320
+ },
321
+ "regulatoryFines": {
322
+ "low": 0,
323
+ "likely": 0,
324
+ "high": 0
325
+ },
326
+ "directDamage": {
327
+ "low": 250,
328
+ "likely": 1250,
329
+ "high": 10000
330
+ },
331
+ "classAction": {
332
+ "low": 0,
333
+ "likely": 0,
334
+ "high": 0
335
+ },
336
+ "lostBusiness": {
337
+ "low": 0,
338
+ "likely": 0,
339
+ "high": 0
340
+ }
341
+ },
342
+ "dominantDriver": "legal counsel",
343
+ "comparable": "GitHub mass-assignment 2012 → public ridicule + emergency rebuild",
344
+ "confidence": "low",
345
+ "narrative": "Mass Assignment (req.body Direct to Model) on `parser-go.js:253` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: GitHub mass-assignment 2012 → public ridicule + emergency rebuild."
346
+ },
347
+ "stableId": "a28da8de4671367b",
348
+ "confidenceTier": "low",
349
+ "exploitability": 0.45,
350
+ "exploitabilityTier": "medium",
351
+ "exploitabilityFactors": [
352
+ "sev:high",
353
+ "unreachable"
354
+ ],
355
+ "clusterSize": null,
356
+ "unreachable": false,
357
+ "validator_verdict": "unvalidated",
358
+ "llm_confidence": null,
359
+ "unvalidated": true,
360
+ "cross_language": false,
361
+ "family": "mass-assignment",
362
+ "parser": "STRUCTURAL",
363
+ "_unsigned": false,
364
+ "_passThroughSigning": false,
365
+ "signatureStatus": "verified",
366
+ "regression_test": null,
367
+ "poc": null,
368
+ "calibrated_confidence": null,
369
+ "calibrated_confidence_ci": null,
370
+ "calibrated_n": 5,
371
+ "calibration_reason": "insufficient-samples",
372
+ "verifier_verdict": "cannot-verify",
373
+ "verifier_reason": "no-poc-no-sanitizer-rule",
374
+ "verifier_runner": null,
375
+ "narration": "A finding of type \"Mass Assignment (req.body Direct to Model)\" at parser-go.js:?. Severity: high. Review the remediation field for class-specific guidance.",
376
+ "mitigationVerdict": "unreachable-in-prod",
377
+ "mitigationsApplied": [],
378
+ "mitigatedByWaf": false,
379
+ "wafRuleId": null,
380
+ "mitigatedByAuth": false,
381
+ "authMechanism": null,
382
+ "mitigatedByNetwork": false,
383
+ "networkExposure": null,
384
+ "featureFlag": null,
385
+ "featureFlagState": null,
386
+ "featureFlagRollout": null,
387
+ "exposedInProd": false,
388
+ "unreachableInProd": true,
389
+ "coldPath": false,
390
+ "hotPath": false,
391
+ "prodRequestCount": null,
392
+ "crownJewelScore": 0.15,
393
+ "crownJewelTier": "low-value",
394
+ "crownJewelFactors": [
395
+ "shell-execution"
396
+ ],
397
+ "cloneClusterId": "a0c829a31c63bf1a",
398
+ "cloneClusterSize": 5,
399
+ "provenance": "human-likely",
400
+ "provenanceScore": 0,
401
+ "typeNarrowed": null,
402
+ "strideCategory": null,
403
+ "personaScores": {
404
+ "script-kiddie": {
405
+ "score": 0.65,
406
+ "tier": "high",
407
+ "factors": [
408
+ "sev:high"
409
+ ]
410
+ },
411
+ "opportunistic-criminal": {
412
+ "score": 0.85,
413
+ "tier": "critical",
414
+ "factors": [
415
+ "sev:high",
416
+ "bias:mass-assignment+0.20"
417
+ ]
418
+ },
419
+ "apt-nation-state": {
420
+ "score": 0.65,
421
+ "tier": "high",
422
+ "factors": [
423
+ "sev:high"
424
+ ]
425
+ },
426
+ "supply-chain-attacker": {
427
+ "score": 0.65,
428
+ "tier": "high",
429
+ "factors": [
430
+ "sev:high"
431
+ ]
432
+ },
433
+ "malicious-insider": {
434
+ "score": 1,
435
+ "tier": "critical",
436
+ "factors": [
437
+ "sev:high",
438
+ "bias:mass-assignment+0.25",
439
+ "authz-bypass-favored"
440
+ ]
441
+ }
442
+ },
443
+ "personaTopTwo": [
444
+ "malicious-insider",
445
+ "opportunistic-criminal"
446
+ ],
447
+ "personaMaxName": "malicious-insider",
448
+ "personaMaxScore": 1,
449
+ "reverseExposure": null,
450
+ "specMined": null,
451
+ "whyFired": {
452
+ "detector": "sast/mass-assignment",
453
+ "ruleId": "CWE-915",
454
+ "parser": "STRUCTURAL",
455
+ "evidence": {
456
+ "sinkSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
457
+ "sourceSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
458
+ "pathSteps": [],
459
+ "sanitizers": [],
460
+ "guards": []
461
+ },
462
+ "considered": {
463
+ "suppressionsApplied": [],
464
+ "suppressionsSkipped": [],
465
+ "reachabilityFilter": "unaffected",
466
+ "clusterCollapsed": false,
467
+ "typeNarrowed": false,
468
+ "crownJewelTier": "low-value",
469
+ "mitigationVerdict": "unreachable-in-prod"
470
+ },
471
+ "scanner": {
472
+ "rulesetVersion": null,
473
+ "packHash": null,
474
+ "modelId": null
475
+ }
476
+ },
477
+ "adversaryTranscript": null,
478
+ "predictedBountyUsd": {
479
+ "low": 50,
480
+ "likely": 200,
481
+ "high": 600,
482
+ "program": "web2"
483
+ },
484
+ "bountyConfidence": "medium",
485
+ "attackPlaybook": {
486
+ "cwe": "CWE-915",
487
+ "kind": "curl",
488
+ "title": "Mass assignment — privilege escalation probe",
489
+ "instruction": "Submit an extra field (role) on profile update; verify it sticks.",
490
+ "script": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test.\n# CWE-915 — Mass assignment\ncurl -s -i -X PATCH \"${TARGET_URL}/api/me\" \\\n -H \"Authorization: Bearer ${TEST_TOKEN}\" -H \"Content-Type: application/json\" \\\n -d '{\"name\":\"x\",\"role\":\"admin\"}'\n# Confirmed when subsequent /api/me returns role=admin.",
491
+ "ethics": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test."
492
+ }
493
+ },
494
+ {
495
+ "id": "struct:parser-kt.js:207:Mass_Assignment_(req.body_Direct_to_Model)",
496
+ "kind": "sast",
497
+ "severity": "high",
498
+ "vuln": "Mass Assignment (req.body Direct to Model)",
499
+ "cwe": "CWE-915",
500
+ "owaspLlm": null,
501
+ "stride": "Tampering",
502
+ "file": "parser-kt.js",
503
+ "line": 207,
504
+ "snippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
505
+ "fix": null,
506
+ "reachable": false,
507
+ "triage": 39,
508
+ "dataClasses": [],
509
+ "chain": null,
510
+ "confidence": 0.314,
511
+ "toxicity": 35,
512
+ "toxicityFactors": [
513
+ "high-severity",
514
+ "http-facing"
515
+ ],
516
+ "toxicityLabel": "Medium",
517
+ "sources": null,
518
+ "epssScore": null,
519
+ "epssPercentile": null,
520
+ "epssCve": null,
521
+ "exploitedNow": false,
522
+ "tags": null,
523
+ "blastRadius": {
524
+ "scope": "all-users",
525
+ "dataAtRisk": [
526
+ "config"
527
+ ],
528
+ "userCount": 50,
529
+ "industry": "generic",
530
+ "jurisdictions": [],
531
+ "controlsApplied": [],
532
+ "dollarBest": 23250,
533
+ "dollarLikely": 136250,
534
+ "dollarWorst": 775000,
535
+ "dollarLow": 23250,
536
+ "dollarHigh": 775000,
537
+ "components": {
538
+ "incidentResponse": {
539
+ "low": 8000,
540
+ "likely": 50000,
541
+ "high": 250000
542
+ },
543
+ "legal": {
544
+ "low": 10000,
545
+ "likely": 75000,
546
+ "high": 500000
547
+ },
548
+ "crisisPR": {
549
+ "low": 0,
550
+ "likely": 0,
551
+ "high": 0
552
+ },
553
+ "notification": {
554
+ "low": 5000,
555
+ "likely": 10000,
556
+ "high": 15000
557
+ },
558
+ "creditMonitoring": {
559
+ "low": 0,
560
+ "likely": 0,
561
+ "high": 0
562
+ },
563
+ "regulatoryFines": {
564
+ "low": 0,
565
+ "likely": 0,
566
+ "high": 0
567
+ },
568
+ "directDamage": {
569
+ "low": 250,
570
+ "likely": 1250,
571
+ "high": 10000
572
+ },
573
+ "classAction": {
574
+ "low": 0,
575
+ "likely": 0,
576
+ "high": 0
577
+ },
578
+ "lostBusiness": {
579
+ "low": 0,
580
+ "likely": 0,
581
+ "high": 0
582
+ }
583
+ },
584
+ "dominantDriver": "legal counsel",
585
+ "comparable": "GitHub mass-assignment 2012 → public ridicule + emergency rebuild",
586
+ "confidence": "low",
587
+ "narrative": "Mass Assignment (req.body Direct to Model) on `parser-kt.js:207` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: GitHub mass-assignment 2012 → public ridicule + emergency rebuild."
588
+ },
589
+ "stableId": "2fc3bac9558c1472",
590
+ "confidenceTier": "low",
591
+ "exploitability": 0.45,
592
+ "exploitabilityTier": "medium",
593
+ "exploitabilityFactors": [
594
+ "sev:high",
595
+ "unreachable"
596
+ ],
597
+ "clusterSize": null,
598
+ "unreachable": false,
599
+ "validator_verdict": "unvalidated",
600
+ "llm_confidence": null,
601
+ "unvalidated": true,
602
+ "cross_language": false,
603
+ "family": "mass-assignment",
604
+ "parser": "STRUCTURAL",
605
+ "_unsigned": false,
606
+ "_passThroughSigning": false,
607
+ "signatureStatus": "verified",
608
+ "regression_test": null,
609
+ "poc": null,
610
+ "calibrated_confidence": null,
611
+ "calibrated_confidence_ci": null,
612
+ "calibrated_n": 5,
613
+ "calibration_reason": "insufficient-samples",
614
+ "verifier_verdict": "cannot-verify",
615
+ "verifier_reason": "no-poc-no-sanitizer-rule",
616
+ "verifier_runner": null,
617
+ "narration": "A finding of type \"Mass Assignment (req.body Direct to Model)\" at parser-kt.js:?. Severity: high. Review the remediation field for class-specific guidance.",
618
+ "mitigationVerdict": "unreachable-in-prod",
619
+ "mitigationsApplied": [],
620
+ "mitigatedByWaf": false,
621
+ "wafRuleId": null,
622
+ "mitigatedByAuth": false,
623
+ "authMechanism": null,
624
+ "mitigatedByNetwork": false,
625
+ "networkExposure": null,
626
+ "featureFlag": null,
627
+ "featureFlagState": null,
628
+ "featureFlagRollout": null,
629
+ "exposedInProd": false,
630
+ "unreachableInProd": true,
631
+ "coldPath": false,
632
+ "hotPath": false,
633
+ "prodRequestCount": null,
634
+ "crownJewelScore": 0.15,
635
+ "crownJewelTier": "low-value",
636
+ "crownJewelFactors": [
637
+ "shell-execution"
638
+ ],
639
+ "cloneClusterId": "a0c829a31c63bf1a",
640
+ "cloneClusterSize": 5,
641
+ "provenance": "human-likely",
642
+ "provenanceScore": 0,
643
+ "typeNarrowed": null,
644
+ "strideCategory": null,
645
+ "personaScores": {
646
+ "script-kiddie": {
647
+ "score": 0.65,
648
+ "tier": "high",
649
+ "factors": [
650
+ "sev:high"
651
+ ]
652
+ },
653
+ "opportunistic-criminal": {
654
+ "score": 0.85,
655
+ "tier": "critical",
656
+ "factors": [
657
+ "sev:high",
658
+ "bias:mass-assignment+0.20"
659
+ ]
660
+ },
661
+ "apt-nation-state": {
662
+ "score": 0.65,
663
+ "tier": "high",
664
+ "factors": [
665
+ "sev:high"
666
+ ]
667
+ },
668
+ "supply-chain-attacker": {
669
+ "score": 0.65,
670
+ "tier": "high",
671
+ "factors": [
672
+ "sev:high"
673
+ ]
674
+ },
675
+ "malicious-insider": {
676
+ "score": 1,
677
+ "tier": "critical",
678
+ "factors": [
679
+ "sev:high",
680
+ "bias:mass-assignment+0.25",
681
+ "authz-bypass-favored"
682
+ ]
683
+ }
684
+ },
685
+ "personaTopTwo": [
686
+ "malicious-insider",
687
+ "opportunistic-criminal"
688
+ ],
689
+ "personaMaxName": "malicious-insider",
690
+ "personaMaxScore": 1,
691
+ "reverseExposure": null,
692
+ "specMined": null,
693
+ "whyFired": {
694
+ "detector": "sast/mass-assignment",
695
+ "ruleId": "CWE-915",
696
+ "parser": "STRUCTURAL",
697
+ "evidence": {
698
+ "sinkSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
699
+ "sourceSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
700
+ "pathSteps": [],
701
+ "sanitizers": [],
702
+ "guards": []
703
+ },
704
+ "considered": {
705
+ "suppressionsApplied": [],
706
+ "suppressionsSkipped": [],
707
+ "reachabilityFilter": "unaffected",
708
+ "clusterCollapsed": false,
709
+ "typeNarrowed": false,
710
+ "crownJewelTier": "low-value",
711
+ "mitigationVerdict": "unreachable-in-prod"
712
+ },
713
+ "scanner": {
714
+ "rulesetVersion": null,
715
+ "packHash": null,
716
+ "modelId": null
717
+ }
718
+ },
719
+ "adversaryTranscript": null,
720
+ "predictedBountyUsd": {
721
+ "low": 50,
722
+ "likely": 200,
723
+ "high": 600,
724
+ "program": "web2"
725
+ },
726
+ "bountyConfidence": "medium",
727
+ "attackPlaybook": {
728
+ "cwe": "CWE-915",
729
+ "kind": "curl",
730
+ "title": "Mass assignment — privilege escalation probe",
731
+ "instruction": "Submit an extra field (role) on profile update; verify it sticks.",
732
+ "script": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test.\n# CWE-915 — Mass assignment\ncurl -s -i -X PATCH \"${TARGET_URL}/api/me\" \\\n -H \"Authorization: Bearer ${TEST_TOKEN}\" -H \"Content-Type: application/json\" \\\n -d '{\"name\":\"x\",\"role\":\"admin\"}'\n# Confirmed when subsequent /api/me returns role=admin.",
733
+ "ethics": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test."
734
+ }
735
+ },
736
+ {
737
+ "id": "struct:parser-php.js:209:Mass_Assignment_(req.body_Direct_to_Model)",
738
+ "kind": "sast",
739
+ "severity": "high",
740
+ "vuln": "Mass Assignment (req.body Direct to Model)",
741
+ "cwe": "CWE-915",
742
+ "owaspLlm": null,
743
+ "stride": "Tampering",
744
+ "file": "parser-php.js",
745
+ "line": 209,
746
+ "snippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
747
+ "fix": null,
748
+ "reachable": false,
749
+ "triage": 39,
750
+ "dataClasses": [],
751
+ "chain": null,
752
+ "confidence": 0.314,
753
+ "toxicity": 35,
754
+ "toxicityFactors": [
755
+ "high-severity",
756
+ "http-facing"
757
+ ],
758
+ "toxicityLabel": "Medium",
759
+ "sources": null,
760
+ "epssScore": null,
761
+ "epssPercentile": null,
762
+ "epssCve": null,
763
+ "exploitedNow": false,
764
+ "tags": null,
765
+ "blastRadius": {
766
+ "scope": "all-users",
767
+ "dataAtRisk": [
768
+ "config"
769
+ ],
770
+ "userCount": 50,
771
+ "industry": "generic",
772
+ "jurisdictions": [],
773
+ "controlsApplied": [],
774
+ "dollarBest": 23250,
775
+ "dollarLikely": 136250,
776
+ "dollarWorst": 775000,
777
+ "dollarLow": 23250,
778
+ "dollarHigh": 775000,
779
+ "components": {
780
+ "incidentResponse": {
781
+ "low": 8000,
782
+ "likely": 50000,
783
+ "high": 250000
784
+ },
785
+ "legal": {
786
+ "low": 10000,
787
+ "likely": 75000,
788
+ "high": 500000
789
+ },
790
+ "crisisPR": {
791
+ "low": 0,
792
+ "likely": 0,
793
+ "high": 0
794
+ },
795
+ "notification": {
796
+ "low": 5000,
797
+ "likely": 10000,
798
+ "high": 15000
799
+ },
800
+ "creditMonitoring": {
801
+ "low": 0,
802
+ "likely": 0,
803
+ "high": 0
804
+ },
805
+ "regulatoryFines": {
806
+ "low": 0,
807
+ "likely": 0,
808
+ "high": 0
809
+ },
810
+ "directDamage": {
811
+ "low": 250,
812
+ "likely": 1250,
813
+ "high": 10000
814
+ },
815
+ "classAction": {
816
+ "low": 0,
817
+ "likely": 0,
818
+ "high": 0
819
+ },
820
+ "lostBusiness": {
821
+ "low": 0,
822
+ "likely": 0,
823
+ "high": 0
824
+ }
825
+ },
826
+ "dominantDriver": "legal counsel",
827
+ "comparable": "GitHub mass-assignment 2012 → public ridicule + emergency rebuild",
828
+ "confidence": "low",
829
+ "narrative": "Mass Assignment (req.body Direct to Model) on `parser-php.js:209` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: GitHub mass-assignment 2012 → public ridicule + emergency rebuild."
830
+ },
831
+ "stableId": "b73364b3c23bcce8",
832
+ "confidenceTier": "low",
833
+ "exploitability": 0.45,
834
+ "exploitabilityTier": "medium",
835
+ "exploitabilityFactors": [
836
+ "sev:high",
837
+ "unreachable"
838
+ ],
839
+ "clusterSize": null,
840
+ "unreachable": false,
841
+ "validator_verdict": "unvalidated",
842
+ "llm_confidence": null,
843
+ "unvalidated": true,
844
+ "cross_language": false,
845
+ "family": "mass-assignment",
846
+ "parser": "STRUCTURAL",
847
+ "_unsigned": false,
848
+ "_passThroughSigning": false,
849
+ "signatureStatus": "verified",
850
+ "regression_test": null,
851
+ "poc": null,
852
+ "calibrated_confidence": null,
853
+ "calibrated_confidence_ci": null,
854
+ "calibrated_n": 5,
855
+ "calibration_reason": "insufficient-samples",
856
+ "verifier_verdict": "cannot-verify",
857
+ "verifier_reason": "no-poc-no-sanitizer-rule",
858
+ "verifier_runner": null,
859
+ "narration": "A finding of type \"Mass Assignment (req.body Direct to Model)\" at parser-php.js:?. Severity: high. Review the remediation field for class-specific guidance.",
860
+ "mitigationVerdict": "unreachable-in-prod",
861
+ "mitigationsApplied": [],
862
+ "mitigatedByWaf": false,
863
+ "wafRuleId": null,
864
+ "mitigatedByAuth": false,
865
+ "authMechanism": null,
866
+ "mitigatedByNetwork": false,
867
+ "networkExposure": null,
868
+ "featureFlag": null,
869
+ "featureFlagState": null,
870
+ "featureFlagRollout": null,
871
+ "exposedInProd": false,
872
+ "unreachableInProd": true,
873
+ "coldPath": false,
874
+ "hotPath": false,
875
+ "prodRequestCount": null,
876
+ "crownJewelScore": 0.15,
877
+ "crownJewelTier": "low-value",
878
+ "crownJewelFactors": [
879
+ "shell-execution"
880
+ ],
881
+ "cloneClusterId": "a0c829a31c63bf1a",
882
+ "cloneClusterSize": 5,
883
+ "provenance": "human-likely",
884
+ "provenanceScore": 0,
885
+ "typeNarrowed": null,
886
+ "strideCategory": null,
887
+ "personaScores": {
888
+ "script-kiddie": {
889
+ "score": 0.65,
890
+ "tier": "high",
891
+ "factors": [
892
+ "sev:high"
893
+ ]
894
+ },
895
+ "opportunistic-criminal": {
896
+ "score": 0.85,
897
+ "tier": "critical",
898
+ "factors": [
899
+ "sev:high",
900
+ "bias:mass-assignment+0.20"
901
+ ]
902
+ },
903
+ "apt-nation-state": {
904
+ "score": 0.65,
905
+ "tier": "high",
906
+ "factors": [
907
+ "sev:high"
908
+ ]
909
+ },
910
+ "supply-chain-attacker": {
911
+ "score": 0.65,
912
+ "tier": "high",
913
+ "factors": [
914
+ "sev:high"
915
+ ]
916
+ },
917
+ "malicious-insider": {
918
+ "score": 1,
919
+ "tier": "critical",
920
+ "factors": [
921
+ "sev:high",
922
+ "bias:mass-assignment+0.25",
923
+ "authz-bypass-favored"
924
+ ]
925
+ }
926
+ },
927
+ "personaTopTwo": [
928
+ "malicious-insider",
929
+ "opportunistic-criminal"
930
+ ],
931
+ "personaMaxName": "malicious-insider",
932
+ "personaMaxScore": 1,
933
+ "reverseExposure": null,
934
+ "specMined": null,
935
+ "whyFired": {
936
+ "detector": "sast/mass-assignment",
937
+ "ruleId": "CWE-915",
938
+ "parser": "STRUCTURAL",
939
+ "evidence": {
940
+ "sinkSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
941
+ "sourceSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
942
+ "pathSteps": [],
943
+ "sanitizers": [],
944
+ "guards": []
945
+ },
946
+ "considered": {
947
+ "suppressionsApplied": [],
948
+ "suppressionsSkipped": [],
949
+ "reachabilityFilter": "unaffected",
950
+ "clusterCollapsed": false,
951
+ "typeNarrowed": false,
952
+ "crownJewelTier": "low-value",
953
+ "mitigationVerdict": "unreachable-in-prod"
954
+ },
955
+ "scanner": {
956
+ "rulesetVersion": null,
957
+ "packHash": null,
958
+ "modelId": null
959
+ }
960
+ },
961
+ "adversaryTranscript": null,
962
+ "predictedBountyUsd": {
963
+ "low": 50,
964
+ "likely": 200,
965
+ "high": 600,
966
+ "program": "web2"
967
+ },
968
+ "bountyConfidence": "medium",
969
+ "attackPlaybook": {
970
+ "cwe": "CWE-915",
971
+ "kind": "curl",
972
+ "title": "Mass assignment — privilege escalation probe",
973
+ "instruction": "Submit an extra field (role) on profile update; verify it sticks.",
974
+ "script": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test.\n# CWE-915 — Mass assignment\ncurl -s -i -X PATCH \"${TARGET_URL}/api/me\" \\\n -H \"Authorization: Bearer ${TEST_TOKEN}\" -H \"Content-Type: application/json\" \\\n -d '{\"name\":\"x\",\"role\":\"admin\"}'\n# Confirmed when subsequent /api/me returns role=admin.",
975
+ "ethics": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test."
976
+ }
977
+ },
978
+ {
979
+ "id": "struct:parser-rb.js:201:Mass_Assignment_(req.body_Direct_to_Model)",
980
+ "kind": "sast",
981
+ "severity": "high",
982
+ "vuln": "Mass Assignment (req.body Direct to Model)",
983
+ "cwe": "CWE-915",
984
+ "owaspLlm": null,
985
+ "stride": "Tampering",
986
+ "file": "parser-rb.js",
987
+ "line": 201,
988
+ "snippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
989
+ "fix": null,
990
+ "reachable": false,
991
+ "triage": 39,
992
+ "dataClasses": [],
993
+ "chain": null,
994
+ "confidence": 0.314,
995
+ "toxicity": 35,
996
+ "toxicityFactors": [
997
+ "high-severity",
998
+ "http-facing"
999
+ ],
1000
+ "toxicityLabel": "Medium",
1001
+ "sources": null,
1002
+ "epssScore": null,
1003
+ "epssPercentile": null,
1004
+ "epssCve": null,
1005
+ "exploitedNow": false,
1006
+ "tags": null,
1007
+ "blastRadius": {
1008
+ "scope": "all-users",
1009
+ "dataAtRisk": [
1010
+ "config"
1011
+ ],
1012
+ "userCount": 50,
1013
+ "industry": "generic",
1014
+ "jurisdictions": [],
1015
+ "controlsApplied": [],
1016
+ "dollarBest": 23250,
1017
+ "dollarLikely": 136250,
1018
+ "dollarWorst": 775000,
1019
+ "dollarLow": 23250,
1020
+ "dollarHigh": 775000,
1021
+ "components": {
1022
+ "incidentResponse": {
1023
+ "low": 8000,
1024
+ "likely": 50000,
1025
+ "high": 250000
1026
+ },
1027
+ "legal": {
1028
+ "low": 10000,
1029
+ "likely": 75000,
1030
+ "high": 500000
1031
+ },
1032
+ "crisisPR": {
1033
+ "low": 0,
1034
+ "likely": 0,
1035
+ "high": 0
1036
+ },
1037
+ "notification": {
1038
+ "low": 5000,
1039
+ "likely": 10000,
1040
+ "high": 15000
1041
+ },
1042
+ "creditMonitoring": {
1043
+ "low": 0,
1044
+ "likely": 0,
1045
+ "high": 0
1046
+ },
1047
+ "regulatoryFines": {
1048
+ "low": 0,
1049
+ "likely": 0,
1050
+ "high": 0
1051
+ },
1052
+ "directDamage": {
1053
+ "low": 250,
1054
+ "likely": 1250,
1055
+ "high": 10000
1056
+ },
1057
+ "classAction": {
1058
+ "low": 0,
1059
+ "likely": 0,
1060
+ "high": 0
1061
+ },
1062
+ "lostBusiness": {
1063
+ "low": 0,
1064
+ "likely": 0,
1065
+ "high": 0
1066
+ }
1067
+ },
1068
+ "dominantDriver": "legal counsel",
1069
+ "comparable": "GitHub mass-assignment 2012 → public ridicule + emergency rebuild",
1070
+ "confidence": "low",
1071
+ "narrative": "Mass Assignment (req.body Direct to Model) on `parser-rb.js:201` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: GitHub mass-assignment 2012 → public ridicule + emergency rebuild."
1072
+ },
1073
+ "stableId": "1889976dc0f1120c",
1074
+ "confidenceTier": "low",
1075
+ "exploitability": 0.45,
1076
+ "exploitabilityTier": "medium",
1077
+ "exploitabilityFactors": [
1078
+ "sev:high",
1079
+ "unreachable"
1080
+ ],
1081
+ "clusterSize": null,
1082
+ "unreachable": false,
1083
+ "validator_verdict": "unvalidated",
1084
+ "llm_confidence": null,
1085
+ "unvalidated": true,
1086
+ "cross_language": false,
1087
+ "family": "mass-assignment",
1088
+ "parser": "STRUCTURAL",
1089
+ "_unsigned": false,
1090
+ "_passThroughSigning": false,
1091
+ "signatureStatus": "verified",
1092
+ "regression_test": null,
1093
+ "poc": null,
1094
+ "calibrated_confidence": null,
1095
+ "calibrated_confidence_ci": null,
1096
+ "calibrated_n": 5,
1097
+ "calibration_reason": "insufficient-samples",
1098
+ "verifier_verdict": "cannot-verify",
1099
+ "verifier_reason": "no-poc-no-sanitizer-rule",
1100
+ "verifier_runner": null,
1101
+ "narration": "A finding of type \"Mass Assignment (req.body Direct to Model)\" at parser-rb.js:?. Severity: high. Review the remediation field for class-specific guidance.",
1102
+ "mitigationVerdict": "unreachable-in-prod",
1103
+ "mitigationsApplied": [],
1104
+ "mitigatedByWaf": false,
1105
+ "wafRuleId": null,
1106
+ "mitigatedByAuth": false,
1107
+ "authMechanism": null,
1108
+ "mitigatedByNetwork": false,
1109
+ "networkExposure": null,
1110
+ "featureFlag": null,
1111
+ "featureFlagState": null,
1112
+ "featureFlagRollout": null,
1113
+ "exposedInProd": false,
1114
+ "unreachableInProd": true,
1115
+ "coldPath": false,
1116
+ "hotPath": false,
1117
+ "prodRequestCount": null,
1118
+ "crownJewelScore": 0.15,
1119
+ "crownJewelTier": "low-value",
1120
+ "crownJewelFactors": [
1121
+ "shell-execution"
1122
+ ],
1123
+ "cloneClusterId": "a0c829a31c63bf1a",
1124
+ "cloneClusterSize": 5,
1125
+ "provenance": "human-likely",
1126
+ "provenanceScore": 0,
1127
+ "typeNarrowed": null,
1128
+ "strideCategory": null,
1129
+ "personaScores": {
1130
+ "script-kiddie": {
1131
+ "score": 0.65,
1132
+ "tier": "high",
1133
+ "factors": [
1134
+ "sev:high"
1135
+ ]
1136
+ },
1137
+ "opportunistic-criminal": {
1138
+ "score": 0.85,
1139
+ "tier": "critical",
1140
+ "factors": [
1141
+ "sev:high",
1142
+ "bias:mass-assignment+0.20"
1143
+ ]
1144
+ },
1145
+ "apt-nation-state": {
1146
+ "score": 0.65,
1147
+ "tier": "high",
1148
+ "factors": [
1149
+ "sev:high"
1150
+ ]
1151
+ },
1152
+ "supply-chain-attacker": {
1153
+ "score": 0.65,
1154
+ "tier": "high",
1155
+ "factors": [
1156
+ "sev:high"
1157
+ ]
1158
+ },
1159
+ "malicious-insider": {
1160
+ "score": 1,
1161
+ "tier": "critical",
1162
+ "factors": [
1163
+ "sev:high",
1164
+ "bias:mass-assignment+0.25",
1165
+ "authz-bypass-favored"
1166
+ ]
1167
+ }
1168
+ },
1169
+ "personaTopTwo": [
1170
+ "malicious-insider",
1171
+ "opportunistic-criminal"
1172
+ ],
1173
+ "personaMaxName": "malicious-insider",
1174
+ "personaMaxScore": 1,
1175
+ "reverseExposure": null,
1176
+ "specMined": null,
1177
+ "whyFired": {
1178
+ "detector": "sast/mass-assignment",
1179
+ "ruleId": "CWE-915",
1180
+ "parser": "STRUCTURAL",
1181
+ "evidence": {
1182
+ "sinkSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
1183
+ "sourceSnippet": "const sha = crypto.createHash('sha256').update(body).digest('hex').slice(0, 8);",
1184
+ "pathSteps": [],
1185
+ "sanitizers": [],
1186
+ "guards": []
1187
+ },
1188
+ "considered": {
1189
+ "suppressionsApplied": [],
1190
+ "suppressionsSkipped": [],
1191
+ "reachabilityFilter": "unaffected",
1192
+ "clusterCollapsed": false,
1193
+ "typeNarrowed": false,
1194
+ "crownJewelTier": "low-value",
1195
+ "mitigationVerdict": "unreachable-in-prod"
1196
+ },
1197
+ "scanner": {
1198
+ "rulesetVersion": null,
1199
+ "packHash": null,
1200
+ "modelId": null
1201
+ }
1202
+ },
1203
+ "adversaryTranscript": null,
1204
+ "predictedBountyUsd": {
1205
+ "low": 50,
1206
+ "likely": 200,
1207
+ "high": 600,
1208
+ "program": "web2"
1209
+ },
1210
+ "bountyConfidence": "medium",
1211
+ "attackPlaybook": {
1212
+ "cwe": "CWE-915",
1213
+ "kind": "curl",
1214
+ "title": "Mass assignment — privilege escalation probe",
1215
+ "instruction": "Submit an extra field (role) on profile update; verify it sticks.",
1216
+ "script": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test.\n# CWE-915 — Mass assignment\ncurl -s -i -X PATCH \"${TARGET_URL}/api/me\" \\\n -H \"Authorization: Bearer ${TEST_TOKEN}\" -H \"Content-Type: application/json\" \\\n -d '{\"name\":\"x\",\"role\":\"admin\"}'\n# Confirmed when subsequent /api/me returns role=admin.",
1217
+ "ethics": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test."
1218
+ }
1219
+ },
1220
+ {
1221
+ "id": "struct:cpp-preprocessor.js:94:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1222
+ "kind": "sast",
1223
+ "severity": "medium",
1224
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1225
+ "cwe": "CWE-400",
1226
+ "owaspLlm": null,
1227
+ "stride": "Denial of Service",
1228
+ "file": "cpp-preprocessor.js",
1229
+ "line": 94,
1230
+ "snippet": "try { content = fs.readFileSync(abs, 'utf8'); }",
1231
+ "fix": null,
1232
+ "reachable": false,
1233
+ "triage": 22,
1234
+ "dataClasses": [],
1235
+ "chain": null,
1236
+ "confidence": 0.212,
1237
+ "toxicity": 28,
1238
+ "toxicityFactors": [
1239
+ "http-facing"
1240
+ ],
1241
+ "toxicityLabel": "Medium",
1242
+ "sources": null,
1243
+ "epssScore": null,
1244
+ "epssPercentile": null,
1245
+ "epssCve": null,
1246
+ "exploitedNow": false,
1247
+ "tags": null,
1248
+ "blastRadius": {
1249
+ "scope": "all-users",
1250
+ "dataAtRisk": [
1251
+ "config"
1252
+ ],
1253
+ "userCount": 50,
1254
+ "industry": "generic",
1255
+ "jurisdictions": [],
1256
+ "controlsApplied": [],
1257
+ "dollarBest": 23250,
1258
+ "dollarLikely": 136250,
1259
+ "dollarWorst": 775000,
1260
+ "dollarLow": 23250,
1261
+ "dollarHigh": 775000,
1262
+ "components": {
1263
+ "incidentResponse": {
1264
+ "low": 8000,
1265
+ "likely": 50000,
1266
+ "high": 250000
1267
+ },
1268
+ "legal": {
1269
+ "low": 10000,
1270
+ "likely": 75000,
1271
+ "high": 500000
1272
+ },
1273
+ "crisisPR": {
1274
+ "low": 0,
1275
+ "likely": 0,
1276
+ "high": 0
1277
+ },
1278
+ "notification": {
1279
+ "low": 5000,
1280
+ "likely": 10000,
1281
+ "high": 15000
1282
+ },
1283
+ "creditMonitoring": {
1284
+ "low": 0,
1285
+ "likely": 0,
1286
+ "high": 0
1287
+ },
1288
+ "regulatoryFines": {
1289
+ "low": 0,
1290
+ "likely": 0,
1291
+ "high": 0
1292
+ },
1293
+ "directDamage": {
1294
+ "low": 250,
1295
+ "likely": 1250,
1296
+ "high": 10000
1297
+ },
1298
+ "classAction": {
1299
+ "low": 0,
1300
+ "likely": 0,
1301
+ "high": 0
1302
+ },
1303
+ "lostBusiness": {
1304
+ "low": 0,
1305
+ "likely": 0,
1306
+ "high": 0
1307
+ }
1308
+ },
1309
+ "dominantDriver": "legal counsel",
1310
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1311
+ "confidence": "low",
1312
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `cpp-preprocessor.js:94` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1313
+ },
1314
+ "stableId": "0b0187a7e1476c07",
1315
+ "confidenceTier": "very-low",
1316
+ "exploitability": 0.2,
1317
+ "exploitabilityTier": "low",
1318
+ "exploitabilityFactors": [
1319
+ "sev:medium",
1320
+ "unreachable"
1321
+ ],
1322
+ "clusterSize": null,
1323
+ "unreachable": false,
1324
+ "validator_verdict": "unvalidated",
1325
+ "llm_confidence": null,
1326
+ "unvalidated": true,
1327
+ "cross_language": false,
1328
+ "family": "dos-sync-io",
1329
+ "parser": "STRUCTURAL",
1330
+ "_unsigned": false,
1331
+ "_passThroughSigning": false,
1332
+ "signatureStatus": "verified",
1333
+ "regression_test": null,
1334
+ "poc": null,
1335
+ "calibrated_confidence": null,
1336
+ "calibrated_confidence_ci": null,
1337
+ "calibrated_n": 0,
1338
+ "calibration_reason": "no-history",
1339
+ "verifier_verdict": "cannot-verify",
1340
+ "verifier_reason": "no-poc-no-sanitizer-rule",
1341
+ "verifier_runner": null,
1342
+ "narration": null,
1343
+ "mitigationVerdict": "unreachable-in-prod",
1344
+ "mitigationsApplied": [],
1345
+ "mitigatedByWaf": false,
1346
+ "wafRuleId": null,
1347
+ "mitigatedByAuth": false,
1348
+ "authMechanism": null,
1349
+ "mitigatedByNetwork": false,
1350
+ "networkExposure": null,
1351
+ "featureFlag": null,
1352
+ "featureFlagState": null,
1353
+ "featureFlagRollout": null,
1354
+ "exposedInProd": false,
1355
+ "unreachableInProd": true,
1356
+ "coldPath": false,
1357
+ "hotPath": false,
1358
+ "prodRequestCount": null,
1359
+ "crownJewelScore": 0,
1360
+ "crownJewelTier": "unknown",
1361
+ "crownJewelFactors": [],
1362
+ "cloneClusterId": "c5704ff81dc82f80",
1363
+ "cloneClusterSize": 1,
1364
+ "provenance": "mixed",
1365
+ "provenanceScore": 0.3,
1366
+ "typeNarrowed": null,
1367
+ "strideCategory": "denialOfService",
1368
+ "personaScores": {
1369
+ "script-kiddie": {
1370
+ "score": 0.4,
1371
+ "tier": "medium",
1372
+ "factors": [
1373
+ "sev:medium"
1374
+ ]
1375
+ },
1376
+ "opportunistic-criminal": {
1377
+ "score": 0.4,
1378
+ "tier": "medium",
1379
+ "factors": [
1380
+ "sev:medium"
1381
+ ]
1382
+ },
1383
+ "apt-nation-state": {
1384
+ "score": 0.4,
1385
+ "tier": "medium",
1386
+ "factors": [
1387
+ "sev:medium"
1388
+ ]
1389
+ },
1390
+ "supply-chain-attacker": {
1391
+ "score": 0.4,
1392
+ "tier": "medium",
1393
+ "factors": [
1394
+ "sev:medium"
1395
+ ]
1396
+ },
1397
+ "malicious-insider": {
1398
+ "score": 0.4,
1399
+ "tier": "medium",
1400
+ "factors": [
1401
+ "sev:medium"
1402
+ ]
1403
+ }
1404
+ },
1405
+ "personaTopTwo": [
1406
+ "script-kiddie",
1407
+ "opportunistic-criminal"
1408
+ ],
1409
+ "personaMaxName": "script-kiddie",
1410
+ "personaMaxScore": 0.4,
1411
+ "reverseExposure": null,
1412
+ "specMined": null,
1413
+ "whyFired": {
1414
+ "detector": "sast/dos-sync-io",
1415
+ "ruleId": "CWE-400",
1416
+ "parser": "STRUCTURAL",
1417
+ "evidence": {
1418
+ "sinkSnippet": "try { content = fs.readFileSync(abs, 'utf8'); }",
1419
+ "sourceSnippet": "try { content = fs.readFileSync(abs, 'utf8'); }",
1420
+ "pathSteps": [],
1421
+ "sanitizers": [],
1422
+ "guards": []
1423
+ },
1424
+ "considered": {
1425
+ "suppressionsApplied": [],
1426
+ "suppressionsSkipped": [],
1427
+ "reachabilityFilter": "unaffected",
1428
+ "clusterCollapsed": false,
1429
+ "typeNarrowed": false,
1430
+ "crownJewelTier": "unknown",
1431
+ "mitigationVerdict": "unreachable-in-prod"
1432
+ },
1433
+ "scanner": {
1434
+ "rulesetVersion": null,
1435
+ "packHash": null,
1436
+ "modelId": null
1437
+ }
1438
+ },
1439
+ "adversaryTranscript": null,
1440
+ "predictedBountyUsd": {
1441
+ "low": 10,
1442
+ "likely": 40,
1443
+ "high": 120,
1444
+ "program": "web2"
1445
+ },
1446
+ "bountyConfidence": "high",
1447
+ "attackPlaybook": null
1448
+ },
1449
+ {
1450
+ "id": "struct:type-stubs.js:48:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1451
+ "kind": "sast",
1452
+ "severity": "medium",
1453
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1454
+ "cwe": "CWE-400",
1455
+ "owaspLlm": null,
1456
+ "stride": "Denial of Service",
1457
+ "file": "type-stubs.js",
1458
+ "line": 48,
1459
+ "snippet": "try { inputs.push(p + ':' + fs.statSync(fp).mtimeMs); } catch {}",
1460
+ "fix": null,
1461
+ "reachable": false,
1462
+ "triage": 22,
1463
+ "dataClasses": [],
1464
+ "chain": null,
1465
+ "confidence": 0.212,
1466
+ "toxicity": 28,
1467
+ "toxicityFactors": [
1468
+ "http-facing"
1469
+ ],
1470
+ "toxicityLabel": "Medium",
1471
+ "sources": null,
1472
+ "epssScore": null,
1473
+ "epssPercentile": null,
1474
+ "epssCve": null,
1475
+ "exploitedNow": false,
1476
+ "tags": null,
1477
+ "blastRadius": {
1478
+ "scope": "all-users",
1479
+ "dataAtRisk": [
1480
+ "config"
1481
+ ],
1482
+ "userCount": 50,
1483
+ "industry": "generic",
1484
+ "jurisdictions": [],
1485
+ "controlsApplied": [],
1486
+ "dollarBest": 23250,
1487
+ "dollarLikely": 136250,
1488
+ "dollarWorst": 775000,
1489
+ "dollarLow": 23250,
1490
+ "dollarHigh": 775000,
1491
+ "components": {
1492
+ "incidentResponse": {
1493
+ "low": 8000,
1494
+ "likely": 50000,
1495
+ "high": 250000
1496
+ },
1497
+ "legal": {
1498
+ "low": 10000,
1499
+ "likely": 75000,
1500
+ "high": 500000
1501
+ },
1502
+ "crisisPR": {
1503
+ "low": 0,
1504
+ "likely": 0,
1505
+ "high": 0
1506
+ },
1507
+ "notification": {
1508
+ "low": 5000,
1509
+ "likely": 10000,
1510
+ "high": 15000
1511
+ },
1512
+ "creditMonitoring": {
1513
+ "low": 0,
1514
+ "likely": 0,
1515
+ "high": 0
1516
+ },
1517
+ "regulatoryFines": {
1518
+ "low": 0,
1519
+ "likely": 0,
1520
+ "high": 0
1521
+ },
1522
+ "directDamage": {
1523
+ "low": 250,
1524
+ "likely": 1250,
1525
+ "high": 10000
1526
+ },
1527
+ "classAction": {
1528
+ "low": 0,
1529
+ "likely": 0,
1530
+ "high": 0
1531
+ },
1532
+ "lostBusiness": {
1533
+ "low": 0,
1534
+ "likely": 0,
1535
+ "high": 0
1536
+ }
1537
+ },
1538
+ "dominantDriver": "legal counsel",
1539
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1540
+ "confidence": "low",
1541
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:48` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1542
+ },
1543
+ "stableId": "de7f5b06a0db0ac9",
1544
+ "confidenceTier": "very-low",
1545
+ "exploitability": 0.2,
1546
+ "exploitabilityTier": "low",
1547
+ "exploitabilityFactors": [
1548
+ "sev:medium",
1549
+ "unreachable"
1550
+ ],
1551
+ "clusterSize": null,
1552
+ "unreachable": false,
1553
+ "validator_verdict": "unvalidated",
1554
+ "llm_confidence": null,
1555
+ "unvalidated": true,
1556
+ "cross_language": false,
1557
+ "family": "dos-sync-io",
1558
+ "parser": "STRUCTURAL",
1559
+ "_unsigned": false,
1560
+ "_passThroughSigning": false,
1561
+ "signatureStatus": "verified",
1562
+ "regression_test": null,
1563
+ "poc": null,
1564
+ "calibrated_confidence": null,
1565
+ "calibrated_confidence_ci": null,
1566
+ "calibrated_n": 0,
1567
+ "calibration_reason": "no-history",
1568
+ "verifier_verdict": "cannot-verify",
1569
+ "verifier_reason": "no-poc-no-sanitizer-rule",
1570
+ "verifier_runner": null,
1571
+ "narration": null,
1572
+ "mitigationVerdict": "unreachable-in-prod",
1573
+ "mitigationsApplied": [],
1574
+ "mitigatedByWaf": false,
1575
+ "wafRuleId": null,
1576
+ "mitigatedByAuth": false,
1577
+ "authMechanism": null,
1578
+ "mitigatedByNetwork": false,
1579
+ "networkExposure": null,
1580
+ "featureFlag": null,
1581
+ "featureFlagState": null,
1582
+ "featureFlagRollout": null,
1583
+ "exposedInProd": false,
1584
+ "unreachableInProd": true,
1585
+ "coldPath": false,
1586
+ "hotPath": false,
1587
+ "prodRequestCount": null,
1588
+ "crownJewelScore": 0.15,
1589
+ "crownJewelTier": "low-value",
1590
+ "crownJewelFactors": [
1591
+ "shell-execution"
1592
+ ],
1593
+ "cloneClusterId": "1ca765ccc2c8227c",
1594
+ "cloneClusterSize": 2,
1595
+ "provenance": "human-likely",
1596
+ "provenanceScore": 0.12,
1597
+ "typeNarrowed": null,
1598
+ "strideCategory": "denialOfService",
1599
+ "personaScores": {
1600
+ "script-kiddie": {
1601
+ "score": 0.4,
1602
+ "tier": "medium",
1603
+ "factors": [
1604
+ "sev:medium"
1605
+ ]
1606
+ },
1607
+ "opportunistic-criminal": {
1608
+ "score": 0.4,
1609
+ "tier": "medium",
1610
+ "factors": [
1611
+ "sev:medium"
1612
+ ]
1613
+ },
1614
+ "apt-nation-state": {
1615
+ "score": 0.4,
1616
+ "tier": "medium",
1617
+ "factors": [
1618
+ "sev:medium"
1619
+ ]
1620
+ },
1621
+ "supply-chain-attacker": {
1622
+ "score": 0.4,
1623
+ "tier": "medium",
1624
+ "factors": [
1625
+ "sev:medium"
1626
+ ]
1627
+ },
1628
+ "malicious-insider": {
1629
+ "score": 0.4,
1630
+ "tier": "medium",
1631
+ "factors": [
1632
+ "sev:medium"
1633
+ ]
1634
+ }
1635
+ },
1636
+ "personaTopTwo": [
1637
+ "script-kiddie",
1638
+ "opportunistic-criminal"
1639
+ ],
1640
+ "personaMaxName": "script-kiddie",
1641
+ "personaMaxScore": 0.4,
1642
+ "reverseExposure": null,
1643
+ "specMined": null,
1644
+ "whyFired": {
1645
+ "detector": "sast/dos-sync-io",
1646
+ "ruleId": "CWE-400",
1647
+ "parser": "STRUCTURAL",
1648
+ "evidence": {
1649
+ "sinkSnippet": "try { inputs.push(p + ':' + fs.statSync(fp).mtimeMs); } catch {}",
1650
+ "sourceSnippet": "try { inputs.push(p + ':' + fs.statSync(fp).mtimeMs); } catch {}",
1651
+ "pathSteps": [],
1652
+ "sanitizers": [],
1653
+ "guards": []
1654
+ },
1655
+ "considered": {
1656
+ "suppressionsApplied": [],
1657
+ "suppressionsSkipped": [],
1658
+ "reachabilityFilter": "unaffected",
1659
+ "clusterCollapsed": false,
1660
+ "typeNarrowed": false,
1661
+ "crownJewelTier": "low-value",
1662
+ "mitigationVerdict": "unreachable-in-prod"
1663
+ },
1664
+ "scanner": {
1665
+ "rulesetVersion": null,
1666
+ "packHash": null,
1667
+ "modelId": null
1668
+ }
1669
+ },
1670
+ "adversaryTranscript": null,
1671
+ "predictedBountyUsd": {
1672
+ "low": 10,
1673
+ "likely": 40,
1674
+ "high": 120,
1675
+ "program": "web2"
1676
+ },
1677
+ "bountyConfidence": "high",
1678
+ "attackPlaybook": null
1679
+ },
1680
+ {
1681
+ "id": "struct:type-stubs.js:57:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1682
+ "kind": "sast",
1683
+ "severity": "medium",
1684
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1685
+ "cwe": "CWE-400",
1686
+ "owaspLlm": null,
1687
+ "stride": "Denial of Service",
1688
+ "file": "type-stubs.js",
1689
+ "line": 57,
1690
+ "snippet": "if (!fs.existsSync(fp)) return null;",
1691
+ "fix": null,
1692
+ "reachable": false,
1693
+ "triage": 22,
1694
+ "dataClasses": [],
1695
+ "chain": null,
1696
+ "confidence": 0.212,
1697
+ "toxicity": 28,
1698
+ "toxicityFactors": [
1699
+ "http-facing"
1700
+ ],
1701
+ "toxicityLabel": "Medium",
1702
+ "sources": null,
1703
+ "epssScore": null,
1704
+ "epssPercentile": null,
1705
+ "epssCve": null,
1706
+ "exploitedNow": false,
1707
+ "tags": null,
1708
+ "blastRadius": {
1709
+ "scope": "all-users",
1710
+ "dataAtRisk": [
1711
+ "config"
1712
+ ],
1713
+ "userCount": 50,
1714
+ "industry": "generic",
1715
+ "jurisdictions": [],
1716
+ "controlsApplied": [],
1717
+ "dollarBest": 23250,
1718
+ "dollarLikely": 136250,
1719
+ "dollarWorst": 775000,
1720
+ "dollarLow": 23250,
1721
+ "dollarHigh": 775000,
1722
+ "components": {
1723
+ "incidentResponse": {
1724
+ "low": 8000,
1725
+ "likely": 50000,
1726
+ "high": 250000
1727
+ },
1728
+ "legal": {
1729
+ "low": 10000,
1730
+ "likely": 75000,
1731
+ "high": 500000
1732
+ },
1733
+ "crisisPR": {
1734
+ "low": 0,
1735
+ "likely": 0,
1736
+ "high": 0
1737
+ },
1738
+ "notification": {
1739
+ "low": 5000,
1740
+ "likely": 10000,
1741
+ "high": 15000
1742
+ },
1743
+ "creditMonitoring": {
1744
+ "low": 0,
1745
+ "likely": 0,
1746
+ "high": 0
1747
+ },
1748
+ "regulatoryFines": {
1749
+ "low": 0,
1750
+ "likely": 0,
1751
+ "high": 0
1752
+ },
1753
+ "directDamage": {
1754
+ "low": 250,
1755
+ "likely": 1250,
1756
+ "high": 10000
1757
+ },
1758
+ "classAction": {
1759
+ "low": 0,
1760
+ "likely": 0,
1761
+ "high": 0
1762
+ },
1763
+ "lostBusiness": {
1764
+ "low": 0,
1765
+ "likely": 0,
1766
+ "high": 0
1767
+ }
1768
+ },
1769
+ "dominantDriver": "legal counsel",
1770
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
1771
+ "confidence": "low",
1772
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:57` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
1773
+ },
1774
+ "stableId": "256de17293c86e74",
1775
+ "confidenceTier": "very-low",
1776
+ "exploitability": 0.2,
1777
+ "exploitabilityTier": "low",
1778
+ "exploitabilityFactors": [
1779
+ "sev:medium",
1780
+ "unreachable"
1781
+ ],
1782
+ "clusterSize": null,
1783
+ "unreachable": false,
1784
+ "validator_verdict": "unvalidated",
1785
+ "llm_confidence": null,
1786
+ "unvalidated": true,
1787
+ "cross_language": false,
1788
+ "family": "dos-sync-io",
1789
+ "parser": "STRUCTURAL",
1790
+ "_unsigned": false,
1791
+ "_passThroughSigning": false,
1792
+ "signatureStatus": "verified",
1793
+ "regression_test": null,
1794
+ "poc": null,
1795
+ "calibrated_confidence": null,
1796
+ "calibrated_confidence_ci": null,
1797
+ "calibrated_n": 0,
1798
+ "calibration_reason": "no-history",
1799
+ "verifier_verdict": "cannot-verify",
1800
+ "verifier_reason": "no-poc-no-sanitizer-rule",
1801
+ "verifier_runner": null,
1802
+ "narration": null,
1803
+ "mitigationVerdict": "unreachable-in-prod",
1804
+ "mitigationsApplied": [],
1805
+ "mitigatedByWaf": false,
1806
+ "wafRuleId": null,
1807
+ "mitigatedByAuth": false,
1808
+ "authMechanism": null,
1809
+ "mitigatedByNetwork": false,
1810
+ "networkExposure": null,
1811
+ "featureFlag": null,
1812
+ "featureFlagState": null,
1813
+ "featureFlagRollout": null,
1814
+ "exposedInProd": false,
1815
+ "unreachableInProd": true,
1816
+ "coldPath": false,
1817
+ "hotPath": false,
1818
+ "prodRequestCount": null,
1819
+ "crownJewelScore": 0.15,
1820
+ "crownJewelTier": "low-value",
1821
+ "crownJewelFactors": [
1822
+ "shell-execution"
1823
+ ],
1824
+ "cloneClusterId": "66b8a8c25816e7f9",
1825
+ "cloneClusterSize": 2,
1826
+ "provenance": "human-likely",
1827
+ "provenanceScore": 0.12,
1828
+ "typeNarrowed": null,
1829
+ "strideCategory": "denialOfService",
1830
+ "personaScores": {
1831
+ "script-kiddie": {
1832
+ "score": 0.4,
1833
+ "tier": "medium",
1834
+ "factors": [
1835
+ "sev:medium"
1836
+ ]
1837
+ },
1838
+ "opportunistic-criminal": {
1839
+ "score": 0.4,
1840
+ "tier": "medium",
1841
+ "factors": [
1842
+ "sev:medium"
1843
+ ]
1844
+ },
1845
+ "apt-nation-state": {
1846
+ "score": 0.4,
1847
+ "tier": "medium",
1848
+ "factors": [
1849
+ "sev:medium"
1850
+ ]
1851
+ },
1852
+ "supply-chain-attacker": {
1853
+ "score": 0.4,
1854
+ "tier": "medium",
1855
+ "factors": [
1856
+ "sev:medium"
1857
+ ]
1858
+ },
1859
+ "malicious-insider": {
1860
+ "score": 0.4,
1861
+ "tier": "medium",
1862
+ "factors": [
1863
+ "sev:medium"
1864
+ ]
1865
+ }
1866
+ },
1867
+ "personaTopTwo": [
1868
+ "script-kiddie",
1869
+ "opportunistic-criminal"
1870
+ ],
1871
+ "personaMaxName": "script-kiddie",
1872
+ "personaMaxScore": 0.4,
1873
+ "reverseExposure": null,
1874
+ "specMined": null,
1875
+ "whyFired": {
1876
+ "detector": "sast/dos-sync-io",
1877
+ "ruleId": "CWE-400",
1878
+ "parser": "STRUCTURAL",
1879
+ "evidence": {
1880
+ "sinkSnippet": "if (!fs.existsSync(fp)) return null;",
1881
+ "sourceSnippet": "if (!fs.existsSync(fp)) return null;",
1882
+ "pathSteps": [],
1883
+ "sanitizers": [],
1884
+ "guards": []
1885
+ },
1886
+ "considered": {
1887
+ "suppressionsApplied": [],
1888
+ "suppressionsSkipped": [],
1889
+ "reachabilityFilter": "unaffected",
1890
+ "clusterCollapsed": false,
1891
+ "typeNarrowed": false,
1892
+ "crownJewelTier": "low-value",
1893
+ "mitigationVerdict": "unreachable-in-prod"
1894
+ },
1895
+ "scanner": {
1896
+ "rulesetVersion": null,
1897
+ "packHash": null,
1898
+ "modelId": null
1899
+ }
1900
+ },
1901
+ "adversaryTranscript": null,
1902
+ "predictedBountyUsd": {
1903
+ "low": 10,
1904
+ "likely": 40,
1905
+ "high": 120,
1906
+ "program": "web2"
1907
+ },
1908
+ "bountyConfidence": "high",
1909
+ "attackPlaybook": null
1910
+ },
1911
+ {
1912
+ "id": "struct:type-stubs.js:58:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
1913
+ "kind": "sast",
1914
+ "severity": "medium",
1915
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
1916
+ "cwe": "CWE-400",
1917
+ "owaspLlm": null,
1918
+ "stride": "Denial of Service",
1919
+ "file": "type-stubs.js",
1920
+ "line": 58,
1921
+ "snippet": "const obj = JSON.parse(fs.readFileSync(fp, 'utf8'));",
1922
+ "fix": null,
1923
+ "reachable": false,
1924
+ "triage": 22,
1925
+ "dataClasses": [],
1926
+ "chain": null,
1927
+ "confidence": 0.212,
1928
+ "toxicity": 28,
1929
+ "toxicityFactors": [
1930
+ "http-facing"
1931
+ ],
1932
+ "toxicityLabel": "Medium",
1933
+ "sources": null,
1934
+ "epssScore": null,
1935
+ "epssPercentile": null,
1936
+ "epssCve": null,
1937
+ "exploitedNow": false,
1938
+ "tags": null,
1939
+ "blastRadius": {
1940
+ "scope": "all-users",
1941
+ "dataAtRisk": [
1942
+ "config"
1943
+ ],
1944
+ "userCount": 50,
1945
+ "industry": "generic",
1946
+ "jurisdictions": [],
1947
+ "controlsApplied": [],
1948
+ "dollarBest": 23250,
1949
+ "dollarLikely": 136250,
1950
+ "dollarWorst": 775000,
1951
+ "dollarLow": 23250,
1952
+ "dollarHigh": 775000,
1953
+ "components": {
1954
+ "incidentResponse": {
1955
+ "low": 8000,
1956
+ "likely": 50000,
1957
+ "high": 250000
1958
+ },
1959
+ "legal": {
1960
+ "low": 10000,
1961
+ "likely": 75000,
1962
+ "high": 500000
1963
+ },
1964
+ "crisisPR": {
1965
+ "low": 0,
1966
+ "likely": 0,
1967
+ "high": 0
1968
+ },
1969
+ "notification": {
1970
+ "low": 5000,
1971
+ "likely": 10000,
1972
+ "high": 15000
1973
+ },
1974
+ "creditMonitoring": {
1975
+ "low": 0,
1976
+ "likely": 0,
1977
+ "high": 0
1978
+ },
1979
+ "regulatoryFines": {
1980
+ "low": 0,
1981
+ "likely": 0,
1982
+ "high": 0
1983
+ },
1984
+ "directDamage": {
1985
+ "low": 250,
1986
+ "likely": 1250,
1987
+ "high": 10000
1988
+ },
1989
+ "classAction": {
1990
+ "low": 0,
1991
+ "likely": 0,
1992
+ "high": 0
1993
+ },
1994
+ "lostBusiness": {
1995
+ "low": 0,
1996
+ "likely": 0,
1997
+ "high": 0
1998
+ }
1999
+ },
2000
+ "dominantDriver": "legal counsel",
2001
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
2002
+ "confidence": "low",
2003
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:58` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
2004
+ },
2005
+ "stableId": "4f8d060ad72a925a",
2006
+ "confidenceTier": "very-low",
2007
+ "exploitability": 0.2,
2008
+ "exploitabilityTier": "low",
2009
+ "exploitabilityFactors": [
2010
+ "sev:medium",
2011
+ "unreachable"
2012
+ ],
2013
+ "clusterSize": null,
2014
+ "unreachable": false,
2015
+ "validator_verdict": "unvalidated",
2016
+ "llm_confidence": null,
2017
+ "unvalidated": true,
2018
+ "cross_language": false,
2019
+ "family": "dos-sync-io",
2020
+ "parser": "STRUCTURAL",
2021
+ "_unsigned": false,
2022
+ "_passThroughSigning": false,
2023
+ "signatureStatus": "verified",
2024
+ "regression_test": null,
2025
+ "poc": null,
2026
+ "calibrated_confidence": null,
2027
+ "calibrated_confidence_ci": null,
2028
+ "calibrated_n": 0,
2029
+ "calibration_reason": "no-history",
2030
+ "verifier_verdict": "cannot-verify",
2031
+ "verifier_reason": "no-poc-no-sanitizer-rule",
2032
+ "verifier_runner": null,
2033
+ "narration": null,
2034
+ "mitigationVerdict": "unreachable-in-prod",
2035
+ "mitigationsApplied": [],
2036
+ "mitigatedByWaf": false,
2037
+ "wafRuleId": null,
2038
+ "mitigatedByAuth": false,
2039
+ "authMechanism": null,
2040
+ "mitigatedByNetwork": false,
2041
+ "networkExposure": null,
2042
+ "featureFlag": null,
2043
+ "featureFlagState": null,
2044
+ "featureFlagRollout": null,
2045
+ "exposedInProd": false,
2046
+ "unreachableInProd": true,
2047
+ "coldPath": false,
2048
+ "hotPath": false,
2049
+ "prodRequestCount": null,
2050
+ "crownJewelScore": 0.15,
2051
+ "crownJewelTier": "low-value",
2052
+ "crownJewelFactors": [
2053
+ "shell-execution"
2054
+ ],
2055
+ "cloneClusterId": "8b60c3f57d48c622",
2056
+ "cloneClusterSize": 1,
2057
+ "provenance": "human-likely",
2058
+ "provenanceScore": 0.12,
2059
+ "typeNarrowed": null,
2060
+ "strideCategory": "denialOfService",
2061
+ "personaScores": {
2062
+ "script-kiddie": {
2063
+ "score": 0.4,
2064
+ "tier": "medium",
2065
+ "factors": [
2066
+ "sev:medium"
2067
+ ]
2068
+ },
2069
+ "opportunistic-criminal": {
2070
+ "score": 0.4,
2071
+ "tier": "medium",
2072
+ "factors": [
2073
+ "sev:medium"
2074
+ ]
2075
+ },
2076
+ "apt-nation-state": {
2077
+ "score": 0.4,
2078
+ "tier": "medium",
2079
+ "factors": [
2080
+ "sev:medium"
2081
+ ]
2082
+ },
2083
+ "supply-chain-attacker": {
2084
+ "score": 0.4,
2085
+ "tier": "medium",
2086
+ "factors": [
2087
+ "sev:medium"
2088
+ ]
2089
+ },
2090
+ "malicious-insider": {
2091
+ "score": 0.4,
2092
+ "tier": "medium",
2093
+ "factors": [
2094
+ "sev:medium"
2095
+ ]
2096
+ }
2097
+ },
2098
+ "personaTopTwo": [
2099
+ "script-kiddie",
2100
+ "opportunistic-criminal"
2101
+ ],
2102
+ "personaMaxName": "script-kiddie",
2103
+ "personaMaxScore": 0.4,
2104
+ "reverseExposure": null,
2105
+ "specMined": null,
2106
+ "whyFired": {
2107
+ "detector": "sast/dos-sync-io",
2108
+ "ruleId": "CWE-400",
2109
+ "parser": "STRUCTURAL",
2110
+ "evidence": {
2111
+ "sinkSnippet": "const obj = JSON.parse(fs.readFileSync(fp, 'utf8'));",
2112
+ "sourceSnippet": "const obj = JSON.parse(fs.readFileSync(fp, 'utf8'));",
2113
+ "pathSteps": [],
2114
+ "sanitizers": [],
2115
+ "guards": []
2116
+ },
2117
+ "considered": {
2118
+ "suppressionsApplied": [],
2119
+ "suppressionsSkipped": [],
2120
+ "reachabilityFilter": "unaffected",
2121
+ "clusterCollapsed": false,
2122
+ "typeNarrowed": false,
2123
+ "crownJewelTier": "low-value",
2124
+ "mitigationVerdict": "unreachable-in-prod"
2125
+ },
2126
+ "scanner": {
2127
+ "rulesetVersion": null,
2128
+ "packHash": null,
2129
+ "modelId": null
2130
+ }
2131
+ },
2132
+ "adversaryTranscript": null,
2133
+ "predictedBountyUsd": {
2134
+ "low": 10,
2135
+ "likely": 40,
2136
+ "high": 120,
2137
+ "program": "web2"
2138
+ },
2139
+ "bountyConfidence": "high",
2140
+ "attackPlaybook": null
2141
+ },
2142
+ {
2143
+ "id": "struct:type-stubs.js:79:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
2144
+ "kind": "sast",
2145
+ "severity": "medium",
2146
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
2147
+ "cwe": "CWE-400",
2148
+ "owaspLlm": null,
2149
+ "stride": "Denial of Service",
2150
+ "file": "type-stubs.js",
2151
+ "line": 79,
2152
+ "snippet": "try { fs.writeFileSync(fp, JSON.stringify(obj)); } catch {}",
2153
+ "fix": null,
2154
+ "reachable": false,
2155
+ "triage": 22,
2156
+ "dataClasses": [],
2157
+ "chain": null,
2158
+ "confidence": 0.212,
2159
+ "toxicity": 28,
2160
+ "toxicityFactors": [
2161
+ "http-facing"
2162
+ ],
2163
+ "toxicityLabel": "Medium",
2164
+ "sources": null,
2165
+ "epssScore": null,
2166
+ "epssPercentile": null,
2167
+ "epssCve": null,
2168
+ "exploitedNow": false,
2169
+ "tags": null,
2170
+ "blastRadius": {
2171
+ "scope": "all-users",
2172
+ "dataAtRisk": [
2173
+ "config"
2174
+ ],
2175
+ "userCount": 50,
2176
+ "industry": "generic",
2177
+ "jurisdictions": [],
2178
+ "controlsApplied": [],
2179
+ "dollarBest": 23250,
2180
+ "dollarLikely": 136250,
2181
+ "dollarWorst": 775000,
2182
+ "dollarLow": 23250,
2183
+ "dollarHigh": 775000,
2184
+ "components": {
2185
+ "incidentResponse": {
2186
+ "low": 8000,
2187
+ "likely": 50000,
2188
+ "high": 250000
2189
+ },
2190
+ "legal": {
2191
+ "low": 10000,
2192
+ "likely": 75000,
2193
+ "high": 500000
2194
+ },
2195
+ "crisisPR": {
2196
+ "low": 0,
2197
+ "likely": 0,
2198
+ "high": 0
2199
+ },
2200
+ "notification": {
2201
+ "low": 5000,
2202
+ "likely": 10000,
2203
+ "high": 15000
2204
+ },
2205
+ "creditMonitoring": {
2206
+ "low": 0,
2207
+ "likely": 0,
2208
+ "high": 0
2209
+ },
2210
+ "regulatoryFines": {
2211
+ "low": 0,
2212
+ "likely": 0,
2213
+ "high": 0
2214
+ },
2215
+ "directDamage": {
2216
+ "low": 250,
2217
+ "likely": 1250,
2218
+ "high": 10000
2219
+ },
2220
+ "classAction": {
2221
+ "low": 0,
2222
+ "likely": 0,
2223
+ "high": 0
2224
+ },
2225
+ "lostBusiness": {
2226
+ "low": 0,
2227
+ "likely": 0,
2228
+ "high": 0
2229
+ }
2230
+ },
2231
+ "dominantDriver": "legal counsel",
2232
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
2233
+ "confidence": "low",
2234
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:79` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
2235
+ },
2236
+ "stableId": "e7a40ff787e8c228",
2237
+ "confidenceTier": "very-low",
2238
+ "exploitability": 0.2,
2239
+ "exploitabilityTier": "low",
2240
+ "exploitabilityFactors": [
2241
+ "sev:medium",
2242
+ "unreachable"
2243
+ ],
2244
+ "clusterSize": null,
2245
+ "unreachable": false,
2246
+ "validator_verdict": "unvalidated",
2247
+ "llm_confidence": null,
2248
+ "unvalidated": true,
2249
+ "cross_language": false,
2250
+ "family": "dos-sync-io",
2251
+ "parser": "STRUCTURAL",
2252
+ "_unsigned": false,
2253
+ "_passThroughSigning": false,
2254
+ "signatureStatus": "verified",
2255
+ "regression_test": null,
2256
+ "poc": null,
2257
+ "calibrated_confidence": null,
2258
+ "calibrated_confidence_ci": null,
2259
+ "calibrated_n": 0,
2260
+ "calibration_reason": "no-history",
2261
+ "verifier_verdict": "cannot-verify",
2262
+ "verifier_reason": "no-poc-no-sanitizer-rule",
2263
+ "verifier_runner": null,
2264
+ "narration": null,
2265
+ "mitigationVerdict": "unreachable-in-prod",
2266
+ "mitigationsApplied": [],
2267
+ "mitigatedByWaf": false,
2268
+ "wafRuleId": null,
2269
+ "mitigatedByAuth": false,
2270
+ "authMechanism": null,
2271
+ "mitigatedByNetwork": false,
2272
+ "networkExposure": null,
2273
+ "featureFlag": null,
2274
+ "featureFlagState": null,
2275
+ "featureFlagRollout": null,
2276
+ "exposedInProd": false,
2277
+ "unreachableInProd": true,
2278
+ "coldPath": false,
2279
+ "hotPath": false,
2280
+ "prodRequestCount": null,
2281
+ "crownJewelScore": 0.15,
2282
+ "crownJewelTier": "low-value",
2283
+ "crownJewelFactors": [
2284
+ "shell-execution"
2285
+ ],
2286
+ "cloneClusterId": "d2ce1948de2c53fb",
2287
+ "cloneClusterSize": 1,
2288
+ "provenance": "human-likely",
2289
+ "provenanceScore": 0.12,
2290
+ "typeNarrowed": null,
2291
+ "strideCategory": "denialOfService",
2292
+ "personaScores": {
2293
+ "script-kiddie": {
2294
+ "score": 0.4,
2295
+ "tier": "medium",
2296
+ "factors": [
2297
+ "sev:medium"
2298
+ ]
2299
+ },
2300
+ "opportunistic-criminal": {
2301
+ "score": 0.4,
2302
+ "tier": "medium",
2303
+ "factors": [
2304
+ "sev:medium"
2305
+ ]
2306
+ },
2307
+ "apt-nation-state": {
2308
+ "score": 0.4,
2309
+ "tier": "medium",
2310
+ "factors": [
2311
+ "sev:medium"
2312
+ ]
2313
+ },
2314
+ "supply-chain-attacker": {
2315
+ "score": 0.4,
2316
+ "tier": "medium",
2317
+ "factors": [
2318
+ "sev:medium"
2319
+ ]
2320
+ },
2321
+ "malicious-insider": {
2322
+ "score": 0.4,
2323
+ "tier": "medium",
2324
+ "factors": [
2325
+ "sev:medium"
2326
+ ]
2327
+ }
2328
+ },
2329
+ "personaTopTwo": [
2330
+ "script-kiddie",
2331
+ "opportunistic-criminal"
2332
+ ],
2333
+ "personaMaxName": "script-kiddie",
2334
+ "personaMaxScore": 0.4,
2335
+ "reverseExposure": null,
2336
+ "specMined": null,
2337
+ "whyFired": {
2338
+ "detector": "sast/dos-sync-io",
2339
+ "ruleId": "CWE-400",
2340
+ "parser": "STRUCTURAL",
2341
+ "evidence": {
2342
+ "sinkSnippet": "try { fs.writeFileSync(fp, JSON.stringify(obj)); } catch {}",
2343
+ "sourceSnippet": "try { fs.writeFileSync(fp, JSON.stringify(obj)); } catch {}",
2344
+ "pathSteps": [],
2345
+ "sanitizers": [],
2346
+ "guards": []
2347
+ },
2348
+ "considered": {
2349
+ "suppressionsApplied": [],
2350
+ "suppressionsSkipped": [],
2351
+ "reachabilityFilter": "unaffected",
2352
+ "clusterCollapsed": false,
2353
+ "typeNarrowed": false,
2354
+ "crownJewelTier": "low-value",
2355
+ "mitigationVerdict": "unreachable-in-prod"
2356
+ },
2357
+ "scanner": {
2358
+ "rulesetVersion": null,
2359
+ "packHash": null,
2360
+ "modelId": null
2361
+ }
2362
+ },
2363
+ "adversaryTranscript": null,
2364
+ "predictedBountyUsd": {
2365
+ "low": 10,
2366
+ "likely": 40,
2367
+ "high": 120,
2368
+ "program": "web2"
2369
+ },
2370
+ "bountyConfidence": "high",
2371
+ "attackPlaybook": null
2372
+ },
2373
+ {
2374
+ "id": "struct:type-stubs.js:190:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
2375
+ "kind": "sast",
2376
+ "severity": "medium",
2377
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
2378
+ "cwe": "CWE-400",
2379
+ "owaspLlm": null,
2380
+ "stride": "Denial of Service",
2381
+ "file": "type-stubs.js",
2382
+ "line": 190,
2383
+ "snippet": "try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }",
2384
+ "fix": null,
2385
+ "reachable": false,
2386
+ "triage": 22,
2387
+ "dataClasses": [],
2388
+ "chain": null,
2389
+ "confidence": 0.212,
2390
+ "toxicity": 28,
2391
+ "toxicityFactors": [
2392
+ "http-facing"
2393
+ ],
2394
+ "toxicityLabel": "Medium",
2395
+ "sources": null,
2396
+ "epssScore": null,
2397
+ "epssPercentile": null,
2398
+ "epssCve": null,
2399
+ "exploitedNow": false,
2400
+ "tags": null,
2401
+ "blastRadius": {
2402
+ "scope": "all-users",
2403
+ "dataAtRisk": [
2404
+ "config"
2405
+ ],
2406
+ "userCount": 50,
2407
+ "industry": "generic",
2408
+ "jurisdictions": [],
2409
+ "controlsApplied": [],
2410
+ "dollarBest": 23250,
2411
+ "dollarLikely": 136250,
2412
+ "dollarWorst": 775000,
2413
+ "dollarLow": 23250,
2414
+ "dollarHigh": 775000,
2415
+ "components": {
2416
+ "incidentResponse": {
2417
+ "low": 8000,
2418
+ "likely": 50000,
2419
+ "high": 250000
2420
+ },
2421
+ "legal": {
2422
+ "low": 10000,
2423
+ "likely": 75000,
2424
+ "high": 500000
2425
+ },
2426
+ "crisisPR": {
2427
+ "low": 0,
2428
+ "likely": 0,
2429
+ "high": 0
2430
+ },
2431
+ "notification": {
2432
+ "low": 5000,
2433
+ "likely": 10000,
2434
+ "high": 15000
2435
+ },
2436
+ "creditMonitoring": {
2437
+ "low": 0,
2438
+ "likely": 0,
2439
+ "high": 0
2440
+ },
2441
+ "regulatoryFines": {
2442
+ "low": 0,
2443
+ "likely": 0,
2444
+ "high": 0
2445
+ },
2446
+ "directDamage": {
2447
+ "low": 250,
2448
+ "likely": 1250,
2449
+ "high": 10000
2450
+ },
2451
+ "classAction": {
2452
+ "low": 0,
2453
+ "likely": 0,
2454
+ "high": 0
2455
+ },
2456
+ "lostBusiness": {
2457
+ "low": 0,
2458
+ "likely": 0,
2459
+ "high": 0
2460
+ }
2461
+ },
2462
+ "dominantDriver": "legal counsel",
2463
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
2464
+ "confidence": "low",
2465
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:190` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
2466
+ },
2467
+ "stableId": "db5b5598e24d7b37",
2468
+ "confidenceTier": "very-low",
2469
+ "exploitability": 0.2,
2470
+ "exploitabilityTier": "low",
2471
+ "exploitabilityFactors": [
2472
+ "sev:medium",
2473
+ "unreachable"
2474
+ ],
2475
+ "clusterSize": null,
2476
+ "unreachable": false,
2477
+ "validator_verdict": "unvalidated",
2478
+ "llm_confidence": null,
2479
+ "unvalidated": true,
2480
+ "cross_language": false,
2481
+ "family": "dos-sync-io",
2482
+ "parser": "STRUCTURAL",
2483
+ "_unsigned": false,
2484
+ "_passThroughSigning": false,
2485
+ "signatureStatus": "verified",
2486
+ "regression_test": null,
2487
+ "poc": null,
2488
+ "calibrated_confidence": null,
2489
+ "calibrated_confidence_ci": null,
2490
+ "calibrated_n": 0,
2491
+ "calibration_reason": "no-history",
2492
+ "verifier_verdict": "cannot-verify",
2493
+ "verifier_reason": "no-poc-no-sanitizer-rule",
2494
+ "verifier_runner": null,
2495
+ "narration": null,
2496
+ "mitigationVerdict": "unreachable-in-prod",
2497
+ "mitigationsApplied": [],
2498
+ "mitigatedByWaf": false,
2499
+ "wafRuleId": null,
2500
+ "mitigatedByAuth": false,
2501
+ "authMechanism": null,
2502
+ "mitigatedByNetwork": false,
2503
+ "networkExposure": null,
2504
+ "featureFlag": null,
2505
+ "featureFlagState": null,
2506
+ "featureFlagRollout": null,
2507
+ "exposedInProd": false,
2508
+ "unreachableInProd": true,
2509
+ "coldPath": false,
2510
+ "hotPath": false,
2511
+ "prodRequestCount": null,
2512
+ "crownJewelScore": 0.15,
2513
+ "crownJewelTier": "low-value",
2514
+ "crownJewelFactors": [
2515
+ "shell-execution"
2516
+ ],
2517
+ "cloneClusterId": "b093e72efde4b555",
2518
+ "cloneClusterSize": 1,
2519
+ "provenance": "human-likely",
2520
+ "provenanceScore": 0.12,
2521
+ "typeNarrowed": null,
2522
+ "strideCategory": "denialOfService",
2523
+ "personaScores": {
2524
+ "script-kiddie": {
2525
+ "score": 0.4,
2526
+ "tier": "medium",
2527
+ "factors": [
2528
+ "sev:medium"
2529
+ ]
2530
+ },
2531
+ "opportunistic-criminal": {
2532
+ "score": 0.4,
2533
+ "tier": "medium",
2534
+ "factors": [
2535
+ "sev:medium"
2536
+ ]
2537
+ },
2538
+ "apt-nation-state": {
2539
+ "score": 0.4,
2540
+ "tier": "medium",
2541
+ "factors": [
2542
+ "sev:medium"
2543
+ ]
2544
+ },
2545
+ "supply-chain-attacker": {
2546
+ "score": 0.4,
2547
+ "tier": "medium",
2548
+ "factors": [
2549
+ "sev:medium"
2550
+ ]
2551
+ },
2552
+ "malicious-insider": {
2553
+ "score": 0.4,
2554
+ "tier": "medium",
2555
+ "factors": [
2556
+ "sev:medium"
2557
+ ]
2558
+ }
2559
+ },
2560
+ "personaTopTwo": [
2561
+ "script-kiddie",
2562
+ "opportunistic-criminal"
2563
+ ],
2564
+ "personaMaxName": "script-kiddie",
2565
+ "personaMaxScore": 0.4,
2566
+ "reverseExposure": null,
2567
+ "specMined": null,
2568
+ "whyFired": {
2569
+ "detector": "sast/dos-sync-io",
2570
+ "ruleId": "CWE-400",
2571
+ "parser": "STRUCTURAL",
2572
+ "evidence": {
2573
+ "sinkSnippet": "try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }",
2574
+ "sourceSnippet": "try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }",
2575
+ "pathSteps": [],
2576
+ "sanitizers": [],
2577
+ "guards": []
2578
+ },
2579
+ "considered": {
2580
+ "suppressionsApplied": [],
2581
+ "suppressionsSkipped": [],
2582
+ "reachabilityFilter": "unaffected",
2583
+ "clusterCollapsed": false,
2584
+ "typeNarrowed": false,
2585
+ "crownJewelTier": "low-value",
2586
+ "mitigationVerdict": "unreachable-in-prod"
2587
+ },
2588
+ "scanner": {
2589
+ "rulesetVersion": null,
2590
+ "packHash": null,
2591
+ "modelId": null
2592
+ }
2593
+ },
2594
+ "adversaryTranscript": null,
2595
+ "predictedBountyUsd": {
2596
+ "low": 10,
2597
+ "likely": 40,
2598
+ "high": 120,
2599
+ "program": "web2"
2600
+ },
2601
+ "bountyConfidence": "high",
2602
+ "attackPlaybook": null
2603
+ },
2604
+ {
2605
+ "id": "struct:type-stubs.js:198:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
2606
+ "kind": "sast",
2607
+ "severity": "medium",
2608
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
2609
+ "cwe": "CWE-400",
2610
+ "owaspLlm": null,
2611
+ "stride": "Denial of Service",
2612
+ "file": "type-stubs.js",
2613
+ "line": 198,
2614
+ "snippet": "if (fs.existsSync(tdir)) walk(tdir, depth + 1);",
2615
+ "fix": null,
2616
+ "reachable": false,
2617
+ "triage": 22,
2618
+ "dataClasses": [],
2619
+ "chain": null,
2620
+ "confidence": 0.212,
2621
+ "toxicity": 28,
2622
+ "toxicityFactors": [
2623
+ "http-facing"
2624
+ ],
2625
+ "toxicityLabel": "Medium",
2626
+ "sources": null,
2627
+ "epssScore": null,
2628
+ "epssPercentile": null,
2629
+ "epssCve": null,
2630
+ "exploitedNow": false,
2631
+ "tags": null,
2632
+ "blastRadius": {
2633
+ "scope": "all-users",
2634
+ "dataAtRisk": [
2635
+ "config"
2636
+ ],
2637
+ "userCount": 50,
2638
+ "industry": "generic",
2639
+ "jurisdictions": [],
2640
+ "controlsApplied": [],
2641
+ "dollarBest": 23250,
2642
+ "dollarLikely": 136250,
2643
+ "dollarWorst": 775000,
2644
+ "dollarLow": 23250,
2645
+ "dollarHigh": 775000,
2646
+ "components": {
2647
+ "incidentResponse": {
2648
+ "low": 8000,
2649
+ "likely": 50000,
2650
+ "high": 250000
2651
+ },
2652
+ "legal": {
2653
+ "low": 10000,
2654
+ "likely": 75000,
2655
+ "high": 500000
2656
+ },
2657
+ "crisisPR": {
2658
+ "low": 0,
2659
+ "likely": 0,
2660
+ "high": 0
2661
+ },
2662
+ "notification": {
2663
+ "low": 5000,
2664
+ "likely": 10000,
2665
+ "high": 15000
2666
+ },
2667
+ "creditMonitoring": {
2668
+ "low": 0,
2669
+ "likely": 0,
2670
+ "high": 0
2671
+ },
2672
+ "regulatoryFines": {
2673
+ "low": 0,
2674
+ "likely": 0,
2675
+ "high": 0
2676
+ },
2677
+ "directDamage": {
2678
+ "low": 250,
2679
+ "likely": 1250,
2680
+ "high": 10000
2681
+ },
2682
+ "classAction": {
2683
+ "low": 0,
2684
+ "likely": 0,
2685
+ "high": 0
2686
+ },
2687
+ "lostBusiness": {
2688
+ "low": 0,
2689
+ "likely": 0,
2690
+ "high": 0
2691
+ }
2692
+ },
2693
+ "dominantDriver": "legal counsel",
2694
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
2695
+ "confidence": "low",
2696
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:198` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
2697
+ },
2698
+ "stableId": "da0930b64e53120b",
2699
+ "confidenceTier": "very-low",
2700
+ "exploitability": 0.2,
2701
+ "exploitabilityTier": "low",
2702
+ "exploitabilityFactors": [
2703
+ "sev:medium",
2704
+ "unreachable"
2705
+ ],
2706
+ "clusterSize": null,
2707
+ "unreachable": false,
2708
+ "validator_verdict": "unvalidated",
2709
+ "llm_confidence": null,
2710
+ "unvalidated": true,
2711
+ "cross_language": false,
2712
+ "family": "dos-sync-io",
2713
+ "parser": "STRUCTURAL",
2714
+ "_unsigned": false,
2715
+ "_passThroughSigning": false,
2716
+ "signatureStatus": "verified",
2717
+ "regression_test": null,
2718
+ "poc": null,
2719
+ "calibrated_confidence": null,
2720
+ "calibrated_confidence_ci": null,
2721
+ "calibrated_n": 0,
2722
+ "calibration_reason": "no-history",
2723
+ "verifier_verdict": "cannot-verify",
2724
+ "verifier_reason": "no-poc-no-sanitizer-rule",
2725
+ "verifier_runner": null,
2726
+ "narration": null,
2727
+ "mitigationVerdict": "unreachable-in-prod",
2728
+ "mitigationsApplied": [],
2729
+ "mitigatedByWaf": false,
2730
+ "wafRuleId": null,
2731
+ "mitigatedByAuth": false,
2732
+ "authMechanism": null,
2733
+ "mitigatedByNetwork": false,
2734
+ "networkExposure": null,
2735
+ "featureFlag": null,
2736
+ "featureFlagState": null,
2737
+ "featureFlagRollout": null,
2738
+ "exposedInProd": false,
2739
+ "unreachableInProd": true,
2740
+ "coldPath": false,
2741
+ "hotPath": false,
2742
+ "prodRequestCount": null,
2743
+ "crownJewelScore": 0.15,
2744
+ "crownJewelTier": "low-value",
2745
+ "crownJewelFactors": [
2746
+ "shell-execution"
2747
+ ],
2748
+ "cloneClusterId": "5e5357c1989b7538",
2749
+ "cloneClusterSize": 1,
2750
+ "provenance": "human-likely",
2751
+ "provenanceScore": 0.12,
2752
+ "typeNarrowed": null,
2753
+ "strideCategory": "denialOfService",
2754
+ "personaScores": {
2755
+ "script-kiddie": {
2756
+ "score": 0.4,
2757
+ "tier": "medium",
2758
+ "factors": [
2759
+ "sev:medium"
2760
+ ]
2761
+ },
2762
+ "opportunistic-criminal": {
2763
+ "score": 0.4,
2764
+ "tier": "medium",
2765
+ "factors": [
2766
+ "sev:medium"
2767
+ ]
2768
+ },
2769
+ "apt-nation-state": {
2770
+ "score": 0.4,
2771
+ "tier": "medium",
2772
+ "factors": [
2773
+ "sev:medium"
2774
+ ]
2775
+ },
2776
+ "supply-chain-attacker": {
2777
+ "score": 0.4,
2778
+ "tier": "medium",
2779
+ "factors": [
2780
+ "sev:medium"
2781
+ ]
2782
+ },
2783
+ "malicious-insider": {
2784
+ "score": 0.4,
2785
+ "tier": "medium",
2786
+ "factors": [
2787
+ "sev:medium"
2788
+ ]
2789
+ }
2790
+ },
2791
+ "personaTopTwo": [
2792
+ "script-kiddie",
2793
+ "opportunistic-criminal"
2794
+ ],
2795
+ "personaMaxName": "script-kiddie",
2796
+ "personaMaxScore": 0.4,
2797
+ "reverseExposure": null,
2798
+ "specMined": null,
2799
+ "whyFired": {
2800
+ "detector": "sast/dos-sync-io",
2801
+ "ruleId": "CWE-400",
2802
+ "parser": "STRUCTURAL",
2803
+ "evidence": {
2804
+ "sinkSnippet": "if (fs.existsSync(tdir)) walk(tdir, depth + 1);",
2805
+ "sourceSnippet": "if (fs.existsSync(tdir)) walk(tdir, depth + 1);",
2806
+ "pathSteps": [],
2807
+ "sanitizers": [],
2808
+ "guards": []
2809
+ },
2810
+ "considered": {
2811
+ "suppressionsApplied": [],
2812
+ "suppressionsSkipped": [],
2813
+ "reachabilityFilter": "unaffected",
2814
+ "clusterCollapsed": false,
2815
+ "typeNarrowed": false,
2816
+ "crownJewelTier": "low-value",
2817
+ "mitigationVerdict": "unreachable-in-prod"
2818
+ },
2819
+ "scanner": {
2820
+ "rulesetVersion": null,
2821
+ "packHash": null,
2822
+ "modelId": null
2823
+ }
2824
+ },
2825
+ "adversaryTranscript": null,
2826
+ "predictedBountyUsd": {
2827
+ "low": 10,
2828
+ "likely": 40,
2829
+ "high": 120,
2830
+ "program": "web2"
2831
+ },
2832
+ "bountyConfidence": "high",
2833
+ "attackPlaybook": null
2834
+ },
2835
+ {
2836
+ "id": "struct:type-stubs.js:216:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
2837
+ "kind": "sast",
2838
+ "severity": "medium",
2839
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
2840
+ "cwe": "CWE-400",
2841
+ "owaspLlm": null,
2842
+ "stride": "Denial of Service",
2843
+ "file": "type-stubs.js",
2844
+ "line": 216,
2845
+ "snippet": "const pkg = JSON.parse(fs.readFileSync(path.join(root, 'package.json'), 'utf8'));",
2846
+ "fix": null,
2847
+ "reachable": false,
2848
+ "triage": 22,
2849
+ "dataClasses": [],
2850
+ "chain": null,
2851
+ "confidence": 0.212,
2852
+ "toxicity": 28,
2853
+ "toxicityFactors": [
2854
+ "http-facing"
2855
+ ],
2856
+ "toxicityLabel": "Medium",
2857
+ "sources": null,
2858
+ "epssScore": null,
2859
+ "epssPercentile": null,
2860
+ "epssCve": null,
2861
+ "exploitedNow": false,
2862
+ "tags": null,
2863
+ "blastRadius": {
2864
+ "scope": "all-users",
2865
+ "dataAtRisk": [
2866
+ "config"
2867
+ ],
2868
+ "userCount": 50,
2869
+ "industry": "generic",
2870
+ "jurisdictions": [],
2871
+ "controlsApplied": [],
2872
+ "dollarBest": 23250,
2873
+ "dollarLikely": 136250,
2874
+ "dollarWorst": 775000,
2875
+ "dollarLow": 23250,
2876
+ "dollarHigh": 775000,
2877
+ "components": {
2878
+ "incidentResponse": {
2879
+ "low": 8000,
2880
+ "likely": 50000,
2881
+ "high": 250000
2882
+ },
2883
+ "legal": {
2884
+ "low": 10000,
2885
+ "likely": 75000,
2886
+ "high": 500000
2887
+ },
2888
+ "crisisPR": {
2889
+ "low": 0,
2890
+ "likely": 0,
2891
+ "high": 0
2892
+ },
2893
+ "notification": {
2894
+ "low": 5000,
2895
+ "likely": 10000,
2896
+ "high": 15000
2897
+ },
2898
+ "creditMonitoring": {
2899
+ "low": 0,
2900
+ "likely": 0,
2901
+ "high": 0
2902
+ },
2903
+ "regulatoryFines": {
2904
+ "low": 0,
2905
+ "likely": 0,
2906
+ "high": 0
2907
+ },
2908
+ "directDamage": {
2909
+ "low": 250,
2910
+ "likely": 1250,
2911
+ "high": 10000
2912
+ },
2913
+ "classAction": {
2914
+ "low": 0,
2915
+ "likely": 0,
2916
+ "high": 0
2917
+ },
2918
+ "lostBusiness": {
2919
+ "low": 0,
2920
+ "likely": 0,
2921
+ "high": 0
2922
+ }
2923
+ },
2924
+ "dominantDriver": "legal counsel",
2925
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
2926
+ "confidence": "low",
2927
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:216` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
2928
+ },
2929
+ "stableId": "9f54fa968991f0c8",
2930
+ "confidenceTier": "very-low",
2931
+ "exploitability": 0.2,
2932
+ "exploitabilityTier": "low",
2933
+ "exploitabilityFactors": [
2934
+ "sev:medium",
2935
+ "unreachable"
2936
+ ],
2937
+ "clusterSize": null,
2938
+ "unreachable": false,
2939
+ "validator_verdict": "unvalidated",
2940
+ "llm_confidence": null,
2941
+ "unvalidated": true,
2942
+ "cross_language": false,
2943
+ "family": "dos-sync-io",
2944
+ "parser": "STRUCTURAL",
2945
+ "_unsigned": false,
2946
+ "_passThroughSigning": false,
2947
+ "signatureStatus": "verified",
2948
+ "regression_test": null,
2949
+ "poc": null,
2950
+ "calibrated_confidence": null,
2951
+ "calibrated_confidence_ci": null,
2952
+ "calibrated_n": 0,
2953
+ "calibration_reason": "no-history",
2954
+ "verifier_verdict": "cannot-verify",
2955
+ "verifier_reason": "no-poc-no-sanitizer-rule",
2956
+ "verifier_runner": null,
2957
+ "narration": null,
2958
+ "mitigationVerdict": "unreachable-in-prod",
2959
+ "mitigationsApplied": [],
2960
+ "mitigatedByWaf": false,
2961
+ "wafRuleId": null,
2962
+ "mitigatedByAuth": false,
2963
+ "authMechanism": null,
2964
+ "mitigatedByNetwork": false,
2965
+ "networkExposure": null,
2966
+ "featureFlag": null,
2967
+ "featureFlagState": null,
2968
+ "featureFlagRollout": null,
2969
+ "exposedInProd": false,
2970
+ "unreachableInProd": true,
2971
+ "coldPath": false,
2972
+ "hotPath": false,
2973
+ "prodRequestCount": null,
2974
+ "crownJewelScore": 0.15,
2975
+ "crownJewelTier": "low-value",
2976
+ "crownJewelFactors": [
2977
+ "shell-execution"
2978
+ ],
2979
+ "cloneClusterId": "f686c808d16515e4",
2980
+ "cloneClusterSize": 1,
2981
+ "provenance": "human-likely",
2982
+ "provenanceScore": 0.12,
2983
+ "typeNarrowed": null,
2984
+ "strideCategory": "denialOfService",
2985
+ "personaScores": {
2986
+ "script-kiddie": {
2987
+ "score": 0.4,
2988
+ "tier": "medium",
2989
+ "factors": [
2990
+ "sev:medium"
2991
+ ]
2992
+ },
2993
+ "opportunistic-criminal": {
2994
+ "score": 0.4,
2995
+ "tier": "medium",
2996
+ "factors": [
2997
+ "sev:medium"
2998
+ ]
2999
+ },
3000
+ "apt-nation-state": {
3001
+ "score": 0.4,
3002
+ "tier": "medium",
3003
+ "factors": [
3004
+ "sev:medium"
3005
+ ]
3006
+ },
3007
+ "supply-chain-attacker": {
3008
+ "score": 0.4,
3009
+ "tier": "medium",
3010
+ "factors": [
3011
+ "sev:medium"
3012
+ ]
3013
+ },
3014
+ "malicious-insider": {
3015
+ "score": 0.4,
3016
+ "tier": "medium",
3017
+ "factors": [
3018
+ "sev:medium"
3019
+ ]
3020
+ }
3021
+ },
3022
+ "personaTopTwo": [
3023
+ "script-kiddie",
3024
+ "opportunistic-criminal"
3025
+ ],
3026
+ "personaMaxName": "script-kiddie",
3027
+ "personaMaxScore": 0.4,
3028
+ "reverseExposure": null,
3029
+ "specMined": null,
3030
+ "whyFired": {
3031
+ "detector": "sast/dos-sync-io",
3032
+ "ruleId": "CWE-400",
3033
+ "parser": "STRUCTURAL",
3034
+ "evidence": {
3035
+ "sinkSnippet": "const pkg = JSON.parse(fs.readFileSync(path.join(root, 'package.json'), 'utf8'));",
3036
+ "sourceSnippet": "const pkg = JSON.parse(fs.readFileSync(path.join(root, 'package.json'), 'utf8'));",
3037
+ "pathSteps": [],
3038
+ "sanitizers": [],
3039
+ "guards": []
3040
+ },
3041
+ "considered": {
3042
+ "suppressionsApplied": [],
3043
+ "suppressionsSkipped": [],
3044
+ "reachabilityFilter": "unaffected",
3045
+ "clusterCollapsed": false,
3046
+ "typeNarrowed": false,
3047
+ "crownJewelTier": "low-value",
3048
+ "mitigationVerdict": "unreachable-in-prod"
3049
+ },
3050
+ "scanner": {
3051
+ "rulesetVersion": null,
3052
+ "packHash": null,
3053
+ "modelId": null
3054
+ }
3055
+ },
3056
+ "adversaryTranscript": null,
3057
+ "predictedBountyUsd": {
3058
+ "low": 10,
3059
+ "likely": 40,
3060
+ "high": 120,
3061
+ "program": "web2"
3062
+ },
3063
+ "bountyConfidence": "high",
3064
+ "attackPlaybook": null
3065
+ },
3066
+ {
3067
+ "id": "struct:type-stubs.js:245:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
3068
+ "kind": "sast",
3069
+ "severity": "medium",
3070
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3071
+ "cwe": "CWE-400",
3072
+ "owaspLlm": null,
3073
+ "stride": "Denial of Service",
3074
+ "file": "type-stubs.js",
3075
+ "line": 245,
3076
+ "snippet": "try { body = fs.readFileSync(f.path, 'utf8'); } catch { continue; }",
3077
+ "fix": null,
3078
+ "reachable": false,
3079
+ "triage": 22,
3080
+ "dataClasses": [],
3081
+ "chain": null,
3082
+ "confidence": 0.212,
3083
+ "toxicity": 28,
3084
+ "toxicityFactors": [
3085
+ "http-facing"
3086
+ ],
3087
+ "toxicityLabel": "Medium",
3088
+ "sources": null,
3089
+ "epssScore": null,
3090
+ "epssPercentile": null,
3091
+ "epssCve": null,
3092
+ "exploitedNow": false,
3093
+ "tags": null,
3094
+ "blastRadius": {
3095
+ "scope": "all-users",
3096
+ "dataAtRisk": [
3097
+ "config"
3098
+ ],
3099
+ "userCount": 50,
3100
+ "industry": "generic",
3101
+ "jurisdictions": [],
3102
+ "controlsApplied": [],
3103
+ "dollarBest": 23250,
3104
+ "dollarLikely": 136250,
3105
+ "dollarWorst": 775000,
3106
+ "dollarLow": 23250,
3107
+ "dollarHigh": 775000,
3108
+ "components": {
3109
+ "incidentResponse": {
3110
+ "low": 8000,
3111
+ "likely": 50000,
3112
+ "high": 250000
3113
+ },
3114
+ "legal": {
3115
+ "low": 10000,
3116
+ "likely": 75000,
3117
+ "high": 500000
3118
+ },
3119
+ "crisisPR": {
3120
+ "low": 0,
3121
+ "likely": 0,
3122
+ "high": 0
3123
+ },
3124
+ "notification": {
3125
+ "low": 5000,
3126
+ "likely": 10000,
3127
+ "high": 15000
3128
+ },
3129
+ "creditMonitoring": {
3130
+ "low": 0,
3131
+ "likely": 0,
3132
+ "high": 0
3133
+ },
3134
+ "regulatoryFines": {
3135
+ "low": 0,
3136
+ "likely": 0,
3137
+ "high": 0
3138
+ },
3139
+ "directDamage": {
3140
+ "low": 250,
3141
+ "likely": 1250,
3142
+ "high": 10000
3143
+ },
3144
+ "classAction": {
3145
+ "low": 0,
3146
+ "likely": 0,
3147
+ "high": 0
3148
+ },
3149
+ "lostBusiness": {
3150
+ "low": 0,
3151
+ "likely": 0,
3152
+ "high": 0
3153
+ }
3154
+ },
3155
+ "dominantDriver": "legal counsel",
3156
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
3157
+ "confidence": "low",
3158
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `type-stubs.js:245` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
3159
+ },
3160
+ "stableId": "d7f878f4239f7f2f",
3161
+ "confidenceTier": "very-low",
3162
+ "exploitability": 0.2,
3163
+ "exploitabilityTier": "low",
3164
+ "exploitabilityFactors": [
3165
+ "sev:medium",
3166
+ "unreachable"
3167
+ ],
3168
+ "clusterSize": null,
3169
+ "unreachable": false,
3170
+ "validator_verdict": "unvalidated",
3171
+ "llm_confidence": null,
3172
+ "unvalidated": true,
3173
+ "cross_language": false,
3174
+ "family": "dos-sync-io",
3175
+ "parser": "STRUCTURAL",
3176
+ "_unsigned": false,
3177
+ "_passThroughSigning": false,
3178
+ "signatureStatus": "verified",
3179
+ "regression_test": null,
3180
+ "poc": null,
3181
+ "calibrated_confidence": null,
3182
+ "calibrated_confidence_ci": null,
3183
+ "calibrated_n": 0,
3184
+ "calibration_reason": "no-history",
3185
+ "verifier_verdict": "cannot-verify",
3186
+ "verifier_reason": "no-poc-no-sanitizer-rule",
3187
+ "verifier_runner": null,
3188
+ "narration": null,
3189
+ "mitigationVerdict": "unreachable-in-prod",
3190
+ "mitigationsApplied": [],
3191
+ "mitigatedByWaf": false,
3192
+ "wafRuleId": null,
3193
+ "mitigatedByAuth": false,
3194
+ "authMechanism": null,
3195
+ "mitigatedByNetwork": false,
3196
+ "networkExposure": null,
3197
+ "featureFlag": null,
3198
+ "featureFlagState": null,
3199
+ "featureFlagRollout": null,
3200
+ "exposedInProd": false,
3201
+ "unreachableInProd": true,
3202
+ "coldPath": false,
3203
+ "hotPath": false,
3204
+ "prodRequestCount": null,
3205
+ "crownJewelScore": 0.15,
3206
+ "crownJewelTier": "low-value",
3207
+ "crownJewelFactors": [
3208
+ "shell-execution"
3209
+ ],
3210
+ "cloneClusterId": "01bed4bbdd04761a",
3211
+ "cloneClusterSize": 1,
3212
+ "provenance": "human-likely",
3213
+ "provenanceScore": 0.12,
3214
+ "typeNarrowed": null,
3215
+ "strideCategory": "denialOfService",
3216
+ "personaScores": {
3217
+ "script-kiddie": {
3218
+ "score": 0.4,
3219
+ "tier": "medium",
3220
+ "factors": [
3221
+ "sev:medium"
3222
+ ]
3223
+ },
3224
+ "opportunistic-criminal": {
3225
+ "score": 0.4,
3226
+ "tier": "medium",
3227
+ "factors": [
3228
+ "sev:medium"
3229
+ ]
3230
+ },
3231
+ "apt-nation-state": {
3232
+ "score": 0.4,
3233
+ "tier": "medium",
3234
+ "factors": [
3235
+ "sev:medium"
3236
+ ]
3237
+ },
3238
+ "supply-chain-attacker": {
3239
+ "score": 0.4,
3240
+ "tier": "medium",
3241
+ "factors": [
3242
+ "sev:medium"
3243
+ ]
3244
+ },
3245
+ "malicious-insider": {
3246
+ "score": 0.4,
3247
+ "tier": "medium",
3248
+ "factors": [
3249
+ "sev:medium"
3250
+ ]
3251
+ }
3252
+ },
3253
+ "personaTopTwo": [
3254
+ "script-kiddie",
3255
+ "opportunistic-criminal"
3256
+ ],
3257
+ "personaMaxName": "script-kiddie",
3258
+ "personaMaxScore": 0.4,
3259
+ "reverseExposure": null,
3260
+ "specMined": null,
3261
+ "whyFired": {
3262
+ "detector": "sast/dos-sync-io",
3263
+ "ruleId": "CWE-400",
3264
+ "parser": "STRUCTURAL",
3265
+ "evidence": {
3266
+ "sinkSnippet": "try { body = fs.readFileSync(f.path, 'utf8'); } catch { continue; }",
3267
+ "sourceSnippet": "try { body = fs.readFileSync(f.path, 'utf8'); } catch { continue; }",
3268
+ "pathSteps": [],
3269
+ "sanitizers": [],
3270
+ "guards": []
3271
+ },
3272
+ "considered": {
3273
+ "suppressionsApplied": [],
3274
+ "suppressionsSkipped": [],
3275
+ "reachabilityFilter": "unaffected",
3276
+ "clusterCollapsed": false,
3277
+ "typeNarrowed": false,
3278
+ "crownJewelTier": "low-value",
3279
+ "mitigationVerdict": "unreachable-in-prod"
3280
+ },
3281
+ "scanner": {
3282
+ "rulesetVersion": null,
3283
+ "packHash": null,
3284
+ "modelId": null
3285
+ }
3286
+ },
3287
+ "adversaryTranscript": null,
3288
+ "predictedBountyUsd": {
3289
+ "low": 10,
3290
+ "likely": 40,
3291
+ "high": 120,
3292
+ "program": "web2"
3293
+ },
3294
+ "bountyConfidence": "high",
3295
+ "attackPlaybook": null
3296
+ },
3297
+ {
3298
+ "id": "struct:parser-py-cst.js:91:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
3299
+ "kind": "sast",
3300
+ "severity": "medium",
3301
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3302
+ "cwe": "CWE-400",
3303
+ "owaspLlm": null,
3304
+ "stride": "Denial of Service",
3305
+ "file": "parser-py-cst.js",
3306
+ "line": 91,
3307
+ "snippet": "if (!fs.existsSync(HELPER_PATH)) return null;",
3308
+ "fix": null,
3309
+ "reachable": false,
3310
+ "triage": 18,
3311
+ "dataClasses": [],
3312
+ "chain": null,
3313
+ "confidence": 0.161,
3314
+ "toxicity": 28,
3315
+ "toxicityFactors": [
3316
+ "http-facing"
3317
+ ],
3318
+ "toxicityLabel": "Medium",
3319
+ "sources": null,
3320
+ "epssScore": null,
3321
+ "epssPercentile": null,
3322
+ "epssCve": null,
3323
+ "exploitedNow": false,
3324
+ "tags": null,
3325
+ "blastRadius": {
3326
+ "scope": "all-users",
3327
+ "dataAtRisk": [
3328
+ "config"
3329
+ ],
3330
+ "userCount": 50,
3331
+ "industry": "generic",
3332
+ "jurisdictions": [],
3333
+ "controlsApplied": [],
3334
+ "dollarBest": 23250,
3335
+ "dollarLikely": 136250,
3336
+ "dollarWorst": 775000,
3337
+ "dollarLow": 23250,
3338
+ "dollarHigh": 775000,
3339
+ "components": {
3340
+ "incidentResponse": {
3341
+ "low": 8000,
3342
+ "likely": 50000,
3343
+ "high": 250000
3344
+ },
3345
+ "legal": {
3346
+ "low": 10000,
3347
+ "likely": 75000,
3348
+ "high": 500000
3349
+ },
3350
+ "crisisPR": {
3351
+ "low": 0,
3352
+ "likely": 0,
3353
+ "high": 0
3354
+ },
3355
+ "notification": {
3356
+ "low": 5000,
3357
+ "likely": 10000,
3358
+ "high": 15000
3359
+ },
3360
+ "creditMonitoring": {
3361
+ "low": 0,
3362
+ "likely": 0,
3363
+ "high": 0
3364
+ },
3365
+ "regulatoryFines": {
3366
+ "low": 0,
3367
+ "likely": 0,
3368
+ "high": 0
3369
+ },
3370
+ "directDamage": {
3371
+ "low": 250,
3372
+ "likely": 1250,
3373
+ "high": 10000
3374
+ },
3375
+ "classAction": {
3376
+ "low": 0,
3377
+ "likely": 0,
3378
+ "high": 0
3379
+ },
3380
+ "lostBusiness": {
3381
+ "low": 0,
3382
+ "likely": 0,
3383
+ "high": 0
3384
+ }
3385
+ },
3386
+ "dominantDriver": "legal counsel",
3387
+ "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
3388
+ "confidence": "low",
3389
+ "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `parser-py-cst.js:91` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
3390
+ },
3391
+ "stableId": "ca57234f46aecc6a",
3392
+ "confidenceTier": "very-low",
3393
+ "exploitability": 0.05,
3394
+ "exploitabilityTier": "low",
3395
+ "exploitabilityFactors": [
3396
+ "sev:medium",
3397
+ "unreachable",
3398
+ "guards:1"
3399
+ ],
3400
+ "clusterSize": null,
3401
+ "unreachable": false,
3402
+ "validator_verdict": "unvalidated",
3403
+ "llm_confidence": null,
3404
+ "unvalidated": true,
3405
+ "cross_language": false,
3406
+ "family": "dos-sync-io",
3407
+ "parser": "STRUCTURAL",
3408
+ "_unsigned": false,
3409
+ "_passThroughSigning": false,
3410
+ "signatureStatus": "verified",
3411
+ "regression_test": null,
3412
+ "poc": null,
3413
+ "calibrated_confidence": null,
3414
+ "calibrated_confidence_ci": null,
3415
+ "calibrated_n": 0,
3416
+ "calibration_reason": "no-history",
3417
+ "verifier_verdict": "cannot-verify",
3418
+ "verifier_reason": "no-poc-no-sanitizer-rule",
3419
+ "verifier_runner": null,
3420
+ "narration": null,
3421
+ "mitigationVerdict": "unreachable-in-prod",
3422
+ "mitigationsApplied": [],
3423
+ "mitigatedByWaf": false,
3424
+ "wafRuleId": null,
3425
+ "mitigatedByAuth": false,
3426
+ "authMechanism": null,
3427
+ "mitigatedByNetwork": false,
3428
+ "networkExposure": null,
3429
+ "featureFlag": null,
3430
+ "featureFlagState": null,
3431
+ "featureFlagRollout": null,
3432
+ "exposedInProd": false,
3433
+ "unreachableInProd": true,
3434
+ "coldPath": false,
3435
+ "hotPath": false,
3436
+ "prodRequestCount": null,
3437
+ "crownJewelScore": 0.15,
3438
+ "crownJewelTier": "low-value",
3439
+ "crownJewelFactors": [
3440
+ "shell-execution"
3441
+ ],
3442
+ "cloneClusterId": "66b8a8c25816e7f9",
3443
+ "cloneClusterSize": 2,
3444
+ "provenance": "mixed",
3445
+ "provenanceScore": 0.4,
3446
+ "typeNarrowed": null,
3447
+ "strideCategory": "denialOfService",
3448
+ "personaScores": {
3449
+ "script-kiddie": {
3450
+ "score": 0.2,
3451
+ "tier": "low",
3452
+ "factors": [
3453
+ "sev:medium",
3454
+ "auth-gated:1"
3455
+ ]
3456
+ },
3457
+ "opportunistic-criminal": {
3458
+ "score": 0.4,
3459
+ "tier": "medium",
3460
+ "factors": [
3461
+ "sev:medium"
3462
+ ]
3463
+ },
3464
+ "apt-nation-state": {
3465
+ "score": 0.35,
3466
+ "tier": "medium",
3467
+ "factors": [
3468
+ "sev:medium",
3469
+ "minor-auth-cost"
3470
+ ]
3471
+ },
3472
+ "supply-chain-attacker": {
3473
+ "score": 0.4,
3474
+ "tier": "medium",
3475
+ "factors": [
3476
+ "sev:medium"
3477
+ ]
3478
+ },
3479
+ "malicious-insider": {
3480
+ "score": 0.3,
3481
+ "tier": "low",
3482
+ "factors": [
3483
+ "sev:medium",
3484
+ "insider-bypasses-edge"
3485
+ ]
3486
+ }
3487
+ },
3488
+ "personaTopTwo": [
3489
+ "opportunistic-criminal",
3490
+ "supply-chain-attacker"
3491
+ ],
3492
+ "personaMaxName": "opportunistic-criminal",
3493
+ "personaMaxScore": 0.4,
3494
+ "reverseExposure": null,
3495
+ "specMined": null,
3496
+ "whyFired": {
3497
+ "detector": "sast/dos-sync-io",
3498
+ "ruleId": "CWE-400",
3499
+ "parser": "STRUCTURAL",
3500
+ "evidence": {
3501
+ "sinkSnippet": "if (!fs.existsSync(HELPER_PATH)) return null;",
3502
+ "sourceSnippet": "if (!fs.existsSync(HELPER_PATH)) return null;",
3503
+ "pathSteps": [],
3504
+ "sanitizers": [],
3505
+ "guards": [
3506
+ "type-check"
3507
+ ]
3508
+ },
3509
+ "considered": {
3510
+ "suppressionsApplied": [],
3511
+ "suppressionsSkipped": [],
3512
+ "reachabilityFilter": "unaffected",
3513
+ "clusterCollapsed": false,
3514
+ "typeNarrowed": false,
3515
+ "crownJewelTier": "low-value",
3516
+ "mitigationVerdict": "unreachable-in-prod"
3517
+ },
3518
+ "scanner": {
3519
+ "rulesetVersion": null,
3520
+ "packHash": null,
3521
+ "modelId": null
3522
+ }
3523
+ },
3524
+ "adversaryTranscript": null,
3525
+ "predictedBountyUsd": {
3526
+ "low": 10,
3527
+ "likely": 40,
3528
+ "high": 120,
3529
+ "program": "web2"
3530
+ },
3531
+ "bountyConfidence": "high",
3532
+ "attackPlaybook": null
3533
+ },
3534
+ {
3535
+ "id": "toctou-fs:type-stubs.js:48",
3536
+ "kind": "sast",
3537
+ "severity": "medium",
3538
+ "vuln": "TOCTOU: file existence/permission check before open",
3539
+ "cwe": "CWE-367",
3540
+ "owaspLlm": null,
3541
+ "stride": "Tampering",
3542
+ "file": "type-stubs.js",
3543
+ "line": 48,
3544
+ "snippet": "try { inputs.push(p + ':' + fs.statSync(fp).mtimeMs); } catch {}",
3545
+ "fix": null,
3546
+ "reachable": false,
3547
+ "triage": 22,
3548
+ "dataClasses": [],
3549
+ "chain": null,
3550
+ "confidence": 0.7,
3551
+ "toxicity": 8,
3552
+ "toxicityFactors": [],
3553
+ "toxicityLabel": "Low",
3554
+ "sources": null,
3555
+ "epssScore": null,
3556
+ "epssPercentile": null,
3557
+ "epssCve": null,
3558
+ "exploitedNow": false,
3559
+ "tags": null,
3560
+ "blastRadius": {
3561
+ "scope": "all-users",
3562
+ "dataAtRisk": [
3563
+ "config"
3564
+ ],
3565
+ "userCount": 50,
3566
+ "industry": "generic",
3567
+ "jurisdictions": [],
3568
+ "controlsApplied": [],
3569
+ "dollarBest": 23250,
3570
+ "dollarLikely": 136250,
3571
+ "dollarWorst": 775000,
3572
+ "dollarLow": 23250,
3573
+ "dollarHigh": 775000,
3574
+ "components": {
3575
+ "incidentResponse": {
3576
+ "low": 8000,
3577
+ "likely": 50000,
3578
+ "high": 250000
3579
+ },
3580
+ "legal": {
3581
+ "low": 10000,
3582
+ "likely": 75000,
3583
+ "high": 500000
3584
+ },
3585
+ "crisisPR": {
3586
+ "low": 0,
3587
+ "likely": 0,
3588
+ "high": 0
3589
+ },
3590
+ "notification": {
3591
+ "low": 5000,
3592
+ "likely": 10000,
3593
+ "high": 15000
3594
+ },
3595
+ "creditMonitoring": {
3596
+ "low": 0,
3597
+ "likely": 0,
3598
+ "high": 0
3599
+ },
3600
+ "regulatoryFines": {
3601
+ "low": 0,
3602
+ "likely": 0,
3603
+ "high": 0
3604
+ },
3605
+ "directDamage": {
3606
+ "low": 250,
3607
+ "likely": 1250,
3608
+ "high": 10000
3609
+ },
3610
+ "classAction": {
3611
+ "low": 0,
3612
+ "likely": 0,
3613
+ "high": 0
3614
+ },
3615
+ "lostBusiness": {
3616
+ "low": 0,
3617
+ "likely": 0,
3618
+ "high": 0
3619
+ }
3620
+ },
3621
+ "dominantDriver": "legal counsel",
3622
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3623
+ "confidence": "low",
3624
+ "narrative": "TOCTOU: file existence/permission check before open on `type-stubs.js:48` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3625
+ },
3626
+ "stableId": "d72348aa62acffcb",
3627
+ "confidenceTier": "medium",
3628
+ "exploitability": 0.2,
3629
+ "exploitabilityTier": "low",
3630
+ "exploitabilityFactors": [
3631
+ "sev:medium",
3632
+ "unreachable"
3633
+ ],
3634
+ "clusterSize": null,
3635
+ "unreachable": false,
3636
+ "validator_verdict": "unvalidated",
3637
+ "llm_confidence": null,
3638
+ "unvalidated": true,
3639
+ "cross_language": false,
3640
+ "family": "toctou-file-existence-permission-check-b",
3641
+ "parser": "TOCTOU",
3642
+ "_unsigned": false,
3643
+ "_passThroughSigning": false,
3644
+ "signatureStatus": "verified",
3645
+ "regression_test": null,
3646
+ "poc": null,
3647
+ "calibrated_confidence": null,
3648
+ "calibrated_confidence_ci": null,
3649
+ "calibrated_n": 0,
3650
+ "calibration_reason": "no-history",
3651
+ "verifier_verdict": "cannot-verify",
3652
+ "verifier_reason": "no-poc-no-sanitizer-rule",
3653
+ "verifier_runner": null,
3654
+ "narration": null,
3655
+ "mitigationVerdict": "unreachable-in-prod",
3656
+ "mitigationsApplied": [],
3657
+ "mitigatedByWaf": false,
3658
+ "wafRuleId": null,
3659
+ "mitigatedByAuth": false,
3660
+ "authMechanism": null,
3661
+ "mitigatedByNetwork": false,
3662
+ "networkExposure": null,
3663
+ "featureFlag": null,
3664
+ "featureFlagState": null,
3665
+ "featureFlagRollout": null,
3666
+ "exposedInProd": false,
3667
+ "unreachableInProd": true,
3668
+ "coldPath": false,
3669
+ "hotPath": false,
3670
+ "prodRequestCount": null,
3671
+ "crownJewelScore": 0.15,
3672
+ "crownJewelTier": "low-value",
3673
+ "crownJewelFactors": [
3674
+ "shell-execution"
3675
+ ],
3676
+ "cloneClusterId": "1ca765ccc2c8227c",
3677
+ "cloneClusterSize": 2,
3678
+ "provenance": "human-likely",
3679
+ "provenanceScore": 0.12,
3680
+ "typeNarrowed": null,
3681
+ "strideCategory": "tampering",
3682
+ "personaScores": {
3683
+ "script-kiddie": {
3684
+ "score": 0.4,
3685
+ "tier": "medium",
3686
+ "factors": [
3687
+ "sev:medium"
3688
+ ]
3689
+ },
3690
+ "opportunistic-criminal": {
3691
+ "score": 0.4,
3692
+ "tier": "medium",
3693
+ "factors": [
3694
+ "sev:medium"
3695
+ ]
3696
+ },
3697
+ "apt-nation-state": {
3698
+ "score": 0.4,
3699
+ "tier": "medium",
3700
+ "factors": [
3701
+ "sev:medium"
3702
+ ]
3703
+ },
3704
+ "supply-chain-attacker": {
3705
+ "score": 0.4,
3706
+ "tier": "medium",
3707
+ "factors": [
3708
+ "sev:medium"
3709
+ ]
3710
+ },
3711
+ "malicious-insider": {
3712
+ "score": 0.4,
3713
+ "tier": "medium",
3714
+ "factors": [
3715
+ "sev:medium"
3716
+ ]
3717
+ }
3718
+ },
3719
+ "personaTopTwo": [
3720
+ "script-kiddie",
3721
+ "opportunistic-criminal"
3722
+ ],
3723
+ "personaMaxName": "script-kiddie",
3724
+ "personaMaxScore": 0.4,
3725
+ "reverseExposure": null,
3726
+ "specMined": null,
3727
+ "whyFired": {
3728
+ "detector": "sast/toctou-file-existence-permission-check-b",
3729
+ "ruleId": "CWE-367",
3730
+ "parser": "TOCTOU",
3731
+ "evidence": {
3732
+ "sinkSnippet": "try { inputs.push(p + ':' + fs.statSync(fp).mtimeMs); } catch {}",
3733
+ "sourceSnippet": null,
3734
+ "pathSteps": [],
3735
+ "sanitizers": [],
3736
+ "guards": []
3737
+ },
3738
+ "considered": {
3739
+ "suppressionsApplied": [],
3740
+ "suppressionsSkipped": [],
3741
+ "reachabilityFilter": "unaffected",
3742
+ "clusterCollapsed": false,
3743
+ "typeNarrowed": false,
3744
+ "crownJewelTier": "low-value",
3745
+ "mitigationVerdict": "unreachable-in-prod"
3746
+ },
3747
+ "scanner": {
3748
+ "rulesetVersion": null,
3749
+ "packHash": null,
3750
+ "modelId": null
3751
+ }
3752
+ },
3753
+ "adversaryTranscript": null,
3754
+ "predictedBountyUsd": null,
3755
+ "bountyConfidence": null,
3756
+ "attackPlaybook": null
3757
+ },
3758
+ {
3759
+ "id": "logic:type-stubs.js:57:TOCTOU:_existsSync_followed_by_file_op",
3760
+ "kind": "logic",
3761
+ "severity": "medium",
3762
+ "vuln": "TOCTOU: existsSync followed by file op",
3763
+ "cwe": "CWE-367",
3764
+ "stride": "Tampering",
3765
+ "file": "type-stubs.js",
3766
+ "line": 57,
3767
+ "snippet": "if (!fs.existsSync(fp)) return null;",
3768
+ "fix": {
3769
+ "description": "Replace the check-then-act sequence with a single atomic operation (e.g., `fs.open` with appropriate flags). Between `existsSync` and the file op the file can be replaced by a symlink or removed.",
3770
+ "code": ""
3771
+ },
3772
+ "blastRadius": {
3773
+ "scope": "all-users",
3774
+ "dataAtRisk": [
3775
+ "config"
3776
+ ],
3777
+ "userCount": 50,
3778
+ "industry": "generic",
3779
+ "jurisdictions": [],
3780
+ "controlsApplied": [],
3781
+ "dollarBest": 23250,
3782
+ "dollarLikely": 136250,
3783
+ "dollarWorst": 775000,
3784
+ "dollarLow": 23250,
3785
+ "dollarHigh": 775000,
3786
+ "components": {
3787
+ "incidentResponse": {
3788
+ "low": 8000,
3789
+ "likely": 50000,
3790
+ "high": 250000
3791
+ },
3792
+ "legal": {
3793
+ "low": 10000,
3794
+ "likely": 75000,
3795
+ "high": 500000
3796
+ },
3797
+ "crisisPR": {
3798
+ "low": 0,
3799
+ "likely": 0,
3800
+ "high": 0
3801
+ },
3802
+ "notification": {
3803
+ "low": 5000,
3804
+ "likely": 10000,
3805
+ "high": 15000
3806
+ },
3807
+ "creditMonitoring": {
3808
+ "low": 0,
3809
+ "likely": 0,
3810
+ "high": 0
3811
+ },
3812
+ "regulatoryFines": {
3813
+ "low": 0,
3814
+ "likely": 0,
3815
+ "high": 0
3816
+ },
3817
+ "directDamage": {
3818
+ "low": 250,
3819
+ "likely": 1250,
3820
+ "high": 10000
3821
+ },
3822
+ "classAction": {
3823
+ "low": 0,
3824
+ "likely": 0,
3825
+ "high": 0
3826
+ },
3827
+ "lostBusiness": {
3828
+ "low": 0,
3829
+ "likely": 0,
3830
+ "high": 0
3831
+ }
3832
+ },
3833
+ "dominantDriver": "legal counsel",
3834
+ "comparable": "Generic finding — likely cost driven by user count + jurisdiction stack",
3835
+ "confidence": "low",
3836
+ "narrative": "TOCTOU: existsSync followed by file op on `type-stubs.js:57` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Generic finding — likely cost driven by user count + jurisdiction stack."
3837
+ },
3838
+ "parser": "LOGIC",
3839
+ "family": null
3840
+ }
3841
+ ],
3842
+ "bundles": [],
3843
+ "routes": [],
3844
+ "components": [],
3845
+ "suppressedCount": 6,
3846
+ "blastRadiusSignals": {
3847
+ "industry": "generic",
3848
+ "industryConfidence": "low",
3849
+ "jurisdictions": [],
3850
+ "controls": [],
3851
+ "estimatedUsers": 50,
3852
+ "revenueIndicator": "pre-revenue",
3853
+ "hasStripe": false,
3854
+ "hasAuth": false,
3855
+ "hasUserTable": false,
3856
+ "hasPII": false,
3857
+ "hasPHI": false,
3858
+ "hasS3": false
3859
+ },
3860
+ "_v3": {
3861
+ "counterfactual": {
3862
+ "spofControls": [],
3863
+ "controlsDetected": 379
3864
+ },
3865
+ "threatModel": {
3866
+ "summary": {
3867
+ "assetCount": 0,
3868
+ "boundaryCount": 2,
3869
+ "strideCounts": {
3870
+ "spoofing": 0,
3871
+ "tampering": 1,
3872
+ "repudiation": 0,
3873
+ "informationDisclosure": 0,
3874
+ "denialOfService": 10,
3875
+ "elevationOfPrivilege": 0
3876
+ }
3877
+ },
3878
+ "assets": [],
3879
+ "trustBoundaries": [
3880
+ {
3881
+ "type": "db-edge",
3882
+ "file": "parser-py-cst.js",
3883
+ "line": 13,
3884
+ "label": null
3885
+ },
3886
+ {
3887
+ "type": "db-edge",
3888
+ "file": "parser-py.js",
3889
+ "line": 72,
3890
+ "label": null
3891
+ }
3892
+ ],
3893
+ "stride": {
3894
+ "spoofing": [],
3895
+ "tampering": [
3896
+ {
3897
+ "vuln": "TOCTOU: file existence/permission check before open",
3898
+ "file": "type-stubs.js",
3899
+ "line": 48,
3900
+ "severity": "medium"
3901
+ }
3902
+ ],
3903
+ "repudiation": [],
3904
+ "informationDisclosure": [],
3905
+ "denialOfService": [
3906
+ {
3907
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3908
+ "file": "cpp-preprocessor.js",
3909
+ "severity": "medium"
3910
+ },
3911
+ {
3912
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3913
+ "file": "type-stubs.js",
3914
+ "severity": "medium"
3915
+ },
3916
+ {
3917
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3918
+ "file": "type-stubs.js",
3919
+ "severity": "medium"
3920
+ },
3921
+ {
3922
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3923
+ "file": "type-stubs.js",
3924
+ "severity": "medium"
3925
+ },
3926
+ {
3927
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3928
+ "file": "type-stubs.js",
3929
+ "severity": "medium"
3930
+ },
3931
+ {
3932
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3933
+ "file": "type-stubs.js",
3934
+ "severity": "medium"
3935
+ },
3936
+ {
3937
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3938
+ "file": "type-stubs.js",
3939
+ "severity": "medium"
3940
+ },
3941
+ {
3942
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3943
+ "file": "type-stubs.js",
3944
+ "severity": "medium"
3945
+ },
3946
+ {
3947
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3948
+ "file": "type-stubs.js",
3949
+ "severity": "medium"
3950
+ },
3951
+ {
3952
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
3953
+ "file": "parser-py-cst.js",
3954
+ "severity": "medium"
3955
+ }
3956
+ ],
3957
+ "elevationOfPrivilege": []
3958
+ }
3959
+ },
3960
+ "trustBoundaryDiagram": {
3961
+ "mermaid": "flowchart LR\n INTERNET((Internet))\n APP[\"Application\"]\n db_parser_py_cst_js_13[(\"db@parser-py-cst.js:13\")]\n db_parser_py_js_72[(\"db@parser-py.js:72\")]\n APP -->|db| db_parser_py_cst_js_13\n APP -->|db| db_parser_py_js_72\n class db_parser_py_cst_js_13 sev_medium;\n classDef sev_critical fill:#ffcccc,stroke:#a00,stroke-width:2px;\n classDef sev_high fill:#ffe0b2,stroke:#c60,stroke-width:2px;\n classDef sev_medium fill:#fff3cd,stroke:#a80;\n classDef sev_low fill:#e8eaf6,stroke:#557;",
3962
+ "nodes": [
3963
+ {
3964
+ "id": "INTERNET",
3965
+ "kind": "external",
3966
+ "label": "Internet"
3967
+ },
3968
+ {
3969
+ "id": "APP",
3970
+ "kind": "app",
3971
+ "label": "Application"
3972
+ },
3973
+ {
3974
+ "kind": "db",
3975
+ "id": "db_parser_py_cst_js_13",
3976
+ "label": "db@parser-py-cst.js:13"
3977
+ },
3978
+ {
3979
+ "kind": "db",
3980
+ "id": "db_parser_py_js_72",
3981
+ "label": "db@parser-py.js:72"
3982
+ }
3983
+ ],
3984
+ "edges": [
3985
+ {
3986
+ "from": "APP",
3987
+ "to": "db_parser_py_cst_js_13",
3988
+ "kind": "db"
3989
+ },
3990
+ {
3991
+ "from": "APP",
3992
+ "to": "db_parser_py_js_72",
3993
+ "kind": "db"
3994
+ }
3995
+ ],
3996
+ "decorations": [
3997
+ {
3998
+ "nodeId": "db_parser_py_cst_js_13",
3999
+ "severity": "medium",
4000
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
4001
+ "file": "parser-py-cst.js"
4002
+ }
4003
+ ]
4004
+ },
4005
+ "calibrationDrift": {
4006
+ "alarms": [],
4007
+ "note": "no-feedback-data"
4008
+ }
4009
+ },
4010
+ "annotatorErrors": []
4011
+ }