@clear-capabilities/agentic-security-scanner 0.84.1 → 0.86.0

@@ -0,0 +1,2038 @@
1
+ {
2
+ "entities": [
3
+ {
4
+ "kind": "http-route",
5
+ "id": "route:GET:/api/users/2",
6
+ "method": "GET",
7
+ "path": "/api/users/2",
8
+ "file": "attack-playbooks.js",
9
+ "line": 92,
10
+ "requiresAuth": false
11
+ },
12
+ {
13
+ "kind": "http-route",
14
+ "id": "route:GET:/api/admin/users",
15
+ "method": "GET",
16
+ "path": "/api/admin/users",
17
+ "file": "attack-playbooks.js",
18
+ "line": 210,
19
+ "requiresAuth": false
20
+ },
21
+ {
22
+ "kind": "http-route",
23
+ "id": "route:GET:/api/health",
24
+ "method": "GET",
25
+ "path": "/api/health",
26
+ "file": "deploy-platform.js",
27
+ "line": 87,
28
+ "requiresAuth": false
29
+ }
30
+ ],
31
+ "boundaries": [
32
+ {
33
+ "from": "external",
34
+ "to": "route:GET:/api/users/2",
35
+ "kind": "trust-boundary",
36
+ "requiresAuth": false
37
+ },
38
+ {
39
+ "from": "external",
40
+ "to": "route:GET:/api/admin/users",
41
+ "kind": "trust-boundary",
42
+ "requiresAuth": false
43
+ },
44
+ {
45
+ "from": "external",
46
+ "to": "route:GET:/api/health",
47
+ "kind": "trust-boundary",
48
+ "requiresAuth": false
49
+ }
50
+ ],
51
+ "assets": [],
52
+ "threats": [
53
+ {
54
+ "stride": "T",
55
+ "strideLabel": "Tampering",
56
+ "cwe": "CWE-400",
57
+ "family": "dos-sync-io",
58
+ "severity": "medium",
59
+ "file": "deploy-platform.js",
60
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
61
+ "finding_id": "struct:deploy-platform.js:13:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
62
+ "affectsAsset": null,
63
+ "atEntity": null
64
+ },
65
+ {
66
+ "stride": "I",
67
+ "strideLabel": "Information Disclosure",
68
+ "cwe": "CWE-918",
69
+ "family": "ssrf",
70
+ "severity": "low",
71
+ "file": "attack-playbooks.js",
72
+ "line": 72,
73
+ "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
74
+ "finding_id": "ssrf-meta-hardcoded:attack-playbooks.js:72",
75
+ "affectsAsset": null,
76
+ "atEntity": "route:GET:/api/users/2"
77
+ },
78
+ {
79
+ "stride": "E",
80
+ "strideLabel": "Elevation of Privilege",
81
+ "cwe": "CWE-918",
82
+ "family": "ssrf",
83
+ "severity": "low",
84
+ "file": "attack-playbooks.js",
85
+ "line": 72,
86
+ "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
87
+ "finding_id": "ssrf-meta-hardcoded:attack-playbooks.js:72",
88
+ "affectsAsset": null,
89
+ "atEntity": "route:GET:/api/users/2"
90
+ },
91
+ {
92
+ "stride": "T",
93
+ "strideLabel": "Tampering",
94
+ "cwe": "CWE-915",
95
+ "family": "mass-assignment",
96
+ "severity": "low",
97
+ "file": "integrity.js",
98
+ "vuln": "Mass Assignment (req.body Direct to Model)",
99
+ "finding_id": "struct:integrity.js:69:Mass_Assignment_(req.body_Direct_to_Model)",
100
+ "affectsAsset": null,
101
+ "atEntity": null
102
+ },
103
+ {
104
+ "stride": "T",
105
+ "strideLabel": "Tampering",
106
+ "cwe": "CWE-400",
107
+ "family": "dos-sync-io",
108
+ "severity": "low",
109
+ "file": "agents-memory.js",
110
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
111
+ "finding_id": "struct:agents-memory.js:44:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
112
+ "affectsAsset": null,
113
+ "atEntity": null
114
+ },
115
+ {
116
+ "stride": "T",
117
+ "strideLabel": "Tampering",
118
+ "cwe": "CWE-400",
119
+ "family": "dos-sync-io",
120
+ "severity": "low",
121
+ "file": "api-contract.js",
122
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
123
+ "finding_id": "struct:api-contract.js:38:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
124
+ "affectsAsset": null,
125
+ "atEntity": null
126
+ },
127
+ {
128
+ "stride": "T",
129
+ "strideLabel": "Tampering",
130
+ "cwe": "CWE-400",
131
+ "family": "dos-sync-io",
132
+ "severity": "low",
133
+ "file": "auditor-walkthrough.js",
134
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
135
+ "finding_id": "struct:auditor-walkthrough.js:39:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
136
+ "affectsAsset": null,
137
+ "atEntity": null
138
+ },
139
+ {
140
+ "stride": "T",
141
+ "strideLabel": "Tampering",
142
+ "cwe": "CWE-400",
143
+ "family": "dos-sync-io",
144
+ "severity": "low",
145
+ "file": "auth-posture-import.js",
146
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
147
+ "finding_id": "struct:auth-posture-import.js:53:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
148
+ "affectsAsset": null,
149
+ "atEntity": null
150
+ },
151
+ {
152
+ "stride": "T",
153
+ "strideLabel": "Tampering",
154
+ "cwe": "CWE-400",
155
+ "family": "dos-sync-io",
156
+ "severity": "low",
157
+ "file": "blast-radius.js",
158
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
159
+ "finding_id": "struct:blast-radius.js:201:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
160
+ "affectsAsset": null,
161
+ "atEntity": null
162
+ },
163
+ {
164
+ "stride": "T",
165
+ "strideLabel": "Tampering",
166
+ "cwe": "CWE-400",
167
+ "family": "dos-sync-io",
168
+ "severity": "low",
169
+ "file": "calibration-drift.js",
170
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
171
+ "finding_id": "struct:calibration-drift.js:40:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
172
+ "affectsAsset": null,
173
+ "atEntity": null
174
+ },
175
+ {
176
+ "stride": "T",
177
+ "strideLabel": "Tampering",
178
+ "cwe": "CWE-400",
179
+ "family": "dos-sync-io",
180
+ "severity": "low",
181
+ "file": "calibration.js",
182
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
183
+ "finding_id": "struct:calibration.js:99:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
184
+ "affectsAsset": null,
185
+ "atEntity": null
186
+ },
187
+ {
188
+ "stride": "T",
189
+ "strideLabel": "Tampering",
190
+ "cwe": "CWE-400",
191
+ "family": "dos-sync-io",
192
+ "severity": "low",
193
+ "file": "compliance-policy.js",
194
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
195
+ "finding_id": "struct:compliance-policy.js:48:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
196
+ "affectsAsset": null,
197
+ "atEntity": null
198
+ },
199
+ {
200
+ "stride": "T",
201
+ "strideLabel": "Tampering",
202
+ "cwe": "CWE-400",
203
+ "family": "dos-sync-io",
204
+ "severity": "low",
205
+ "file": "cross-repo-memory.js",
206
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
207
+ "finding_id": "struct:cross-repo-memory.js:56:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
208
+ "affectsAsset": null,
209
+ "atEntity": null
210
+ },
211
+ {
212
+ "stride": "T",
213
+ "strideLabel": "Tampering",
214
+ "cwe": "CWE-400",
215
+ "family": "dos-sync-io",
216
+ "severity": "low",
217
+ "file": "custom-rules.js",
218
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
219
+ "finding_id": "struct:custom-rules.js:57:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
220
+ "affectsAsset": null,
221
+ "atEntity": null
222
+ },
223
+ {
224
+ "stride": "T",
225
+ "strideLabel": "Tampering",
226
+ "cwe": "CWE-400",
227
+ "family": "dos-sync-io",
228
+ "severity": "low",
229
+ "file": "cve-alert-daemon.js",
230
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
231
+ "finding_id": "struct:cve-alert-daemon.js:218:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
232
+ "affectsAsset": null,
233
+ "atEntity": null
234
+ },
235
+ {
236
+ "stride": "T",
237
+ "strideLabel": "Tampering",
238
+ "cwe": "CWE-400",
239
+ "family": "dos-sync-io",
240
+ "severity": "low",
241
+ "file": "cve-lookup.js",
242
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
243
+ "finding_id": "struct:cve-lookup.js:32:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
244
+ "affectsAsset": null,
245
+ "atEntity": null
246
+ },
247
+ {
248
+ "stride": "T",
249
+ "strideLabel": "Tampering",
250
+ "cwe": "CWE-400",
251
+ "family": "dos-sync-io",
252
+ "severity": "low",
253
+ "file": "dep-add-guard.js",
254
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
255
+ "finding_id": "struct:dep-add-guard.js:28:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
256
+ "affectsAsset": null,
257
+ "atEntity": null
258
+ },
259
+ {
260
+ "stride": "T",
261
+ "strideLabel": "Tampering",
262
+ "cwe": "CWE-400",
263
+ "family": "dos-sync-io",
264
+ "severity": "low",
265
+ "file": "deterministic.js",
266
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
267
+ "finding_id": "struct:deterministic.js:47:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
268
+ "affectsAsset": null,
269
+ "atEntity": null
270
+ },
271
+ {
272
+ "stride": "T",
273
+ "strideLabel": "Tampering",
274
+ "cwe": "CWE-400",
275
+ "family": "dos-sync-io",
276
+ "severity": "low",
277
+ "file": "epss.js",
278
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
279
+ "finding_id": "struct:epss.js:34:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
280
+ "affectsAsset": null,
281
+ "atEntity": null
282
+ },
283
+ {
284
+ "stride": "T",
285
+ "strideLabel": "Tampering",
286
+ "cwe": "CWE-400",
287
+ "family": "dos-sync-io",
288
+ "severity": "low",
289
+ "file": "exploitability-probability.js",
290
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
291
+ "finding_id": "struct:exploitability-probability.js:142:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
292
+ "affectsAsset": null,
293
+ "atEntity": null
294
+ },
295
+ {
296
+ "stride": "T",
297
+ "strideLabel": "Tampering",
298
+ "cwe": "CWE-400",
299
+ "family": "dos-sync-io",
300
+ "severity": "low",
301
+ "file": "feature-flags.js",
302
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
303
+ "finding_id": "struct:feature-flags.js:53:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
304
+ "affectsAsset": null,
305
+ "atEntity": null
306
+ },
307
+ {
308
+ "stride": "T",
309
+ "strideLabel": "Tampering",
310
+ "cwe": "CWE-400",
311
+ "family": "dos-sync-io",
312
+ "severity": "low",
313
+ "file": "federated-learning.js",
314
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
315
+ "finding_id": "struct:federated-learning.js:55:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
316
+ "affectsAsset": null,
317
+ "atEntity": null
318
+ },
319
+ {
320
+ "stride": "T",
321
+ "strideLabel": "Tampering",
322
+ "cwe": "CWE-400",
323
+ "family": "dos-sync-io",
324
+ "severity": "low",
325
+ "file": "findings-memory.js",
326
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
327
+ "finding_id": "struct:findings-memory.js:21:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
328
+ "affectsAsset": null,
329
+ "atEntity": null
330
+ },
331
+ {
332
+ "stride": "T",
333
+ "strideLabel": "Tampering",
334
+ "cwe": "CWE-400",
335
+ "family": "dos-sync-io",
336
+ "severity": "low",
337
+ "file": "fix-history.js",
338
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
339
+ "finding_id": "struct:fix-history.js:31:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
340
+ "affectsAsset": null,
341
+ "atEntity": null
342
+ },
343
+ {
344
+ "stride": "T",
345
+ "strideLabel": "Tampering",
346
+ "cwe": "CWE-400",
347
+ "family": "dos-sync-io",
348
+ "severity": "low",
349
+ "file": "fix-plan.js",
350
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
351
+ "finding_id": "struct:fix-plan.js:111:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
352
+ "affectsAsset": null,
353
+ "atEntity": null
354
+ },
355
+ {
356
+ "stride": "T",
357
+ "strideLabel": "Tampering",
358
+ "cwe": "CWE-400",
359
+ "family": "dos-sync-io",
360
+ "severity": "low",
361
+ "file": "fix-style-mirror.js",
362
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
363
+ "finding_id": "struct:fix-style-mirror.js:44:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
364
+ "affectsAsset": null,
365
+ "atEntity": null
366
+ },
367
+ {
368
+ "stride": "T",
369
+ "strideLabel": "Tampering",
370
+ "cwe": "CWE-400",
371
+ "family": "dos-sync-io",
372
+ "severity": "low",
373
+ "file": "fix-verify-loop.js",
374
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
375
+ "finding_id": "struct:fix-verify-loop.js:33:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
376
+ "affectsAsset": null,
377
+ "atEntity": null
378
+ },
379
+ {
380
+ "stride": "T",
381
+ "strideLabel": "Tampering",
382
+ "cwe": "CWE-400",
383
+ "family": "dos-sync-io",
384
+ "severity": "low",
385
+ "file": "grader-calibration.js",
386
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
387
+ "finding_id": "struct:grader-calibration.js:34:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
388
+ "affectsAsset": null,
389
+ "atEntity": null
390
+ },
391
+ {
392
+ "stride": "T",
393
+ "strideLabel": "Tampering",
394
+ "cwe": "CWE-400",
395
+ "family": "dos-sync-io",
396
+ "severity": "low",
397
+ "file": "holdout-eval.js",
398
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
399
+ "finding_id": "struct:holdout-eval.js:53:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
400
+ "affectsAsset": null,
401
+ "atEntity": null
402
+ },
403
+ {
404
+ "stride": "T",
405
+ "strideLabel": "Tampering",
406
+ "cwe": "CWE-400",
407
+ "family": "dos-sync-io",
408
+ "severity": "low",
409
+ "file": "integrity.js",
410
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
411
+ "finding_id": "struct:integrity.js:43:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
412
+ "affectsAsset": null,
413
+ "atEntity": null
414
+ },
415
+ {
416
+ "stride": "T",
417
+ "strideLabel": "Tampering",
418
+ "cwe": "CWE-400",
419
+ "family": "dos-sync-io",
420
+ "severity": "low",
421
+ "file": "intent-context.js",
422
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
423
+ "finding_id": "struct:intent-context.js:48:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
424
+ "affectsAsset": null,
425
+ "atEntity": null
426
+ },
427
+ {
428
+ "stride": "T",
429
+ "strideLabel": "Tampering",
430
+ "cwe": "CWE-400",
431
+ "family": "dos-sync-io",
432
+ "severity": "low",
433
+ "file": "learning.js",
434
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
435
+ "finding_id": "struct:learning.js:30:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
436
+ "affectsAsset": null,
437
+ "atEntity": null
438
+ },
439
+ {
440
+ "stride": "T",
441
+ "strideLabel": "Tampering",
442
+ "cwe": "CWE-400",
443
+ "family": "dos-sync-io",
444
+ "severity": "low",
445
+ "file": "license-attributions.js",
446
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
447
+ "finding_id": "struct:license-attributions.js:87:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
448
+ "affectsAsset": null,
449
+ "atEntity": null
450
+ },
451
+ {
452
+ "stride": "T",
453
+ "strideLabel": "Tampering",
454
+ "cwe": "CWE-400",
455
+ "family": "dos-sync-io",
456
+ "severity": "low",
457
+ "file": "license-graph.js",
458
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
459
+ "finding_id": "struct:license-graph.js:227:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
460
+ "affectsAsset": null,
461
+ "atEntity": null
462
+ },
463
+ {
464
+ "stride": "T",
465
+ "strideLabel": "Tampering",
466
+ "cwe": "CWE-400",
467
+ "family": "dos-sync-io",
468
+ "severity": "low",
469
+ "file": "license-policy.js",
470
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
471
+ "finding_id": "struct:license-policy.js:30:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
472
+ "affectsAsset": null,
473
+ "atEntity": null
474
+ },
475
+ {
476
+ "stride": "T",
477
+ "strideLabel": "Tampering",
478
+ "cwe": "CWE-400",
479
+ "family": "dos-sync-io",
480
+ "severity": "low",
481
+ "file": "model-rescan.js",
482
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
483
+ "finding_id": "struct:model-rescan.js:21:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
484
+ "affectsAsset": null,
485
+ "atEntity": null
486
+ },
487
+ {
488
+ "stride": "T",
489
+ "strideLabel": "Tampering",
490
+ "cwe": "CWE-400",
491
+ "family": "dos-sync-io",
492
+ "severity": "low",
493
+ "file": "network-policy-import.js",
494
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
495
+ "finding_id": "struct:network-policy-import.js:49:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
496
+ "affectsAsset": null,
497
+ "atEntity": null
498
+ },
499
+ {
500
+ "stride": "T",
501
+ "strideLabel": "Tampering",
502
+ "cwe": "CWE-400",
503
+ "family": "dos-sync-io",
504
+ "severity": "low",
505
+ "file": "policy-gate.js",
506
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
507
+ "finding_id": "struct:policy-gate.js:154:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
508
+ "affectsAsset": null,
509
+ "atEntity": null
510
+ },
511
+ {
512
+ "stride": "T",
513
+ "strideLabel": "Tampering",
514
+ "cwe": "CWE-400",
515
+ "family": "dos-sync-io",
516
+ "severity": "low",
517
+ "file": "pqc-migration-plan.js",
518
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
519
+ "finding_id": "struct:pqc-migration-plan.js:121:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
520
+ "affectsAsset": null,
521
+ "atEntity": null
522
+ },
523
+ {
524
+ "stride": "T",
525
+ "strideLabel": "Tampering",
526
+ "cwe": "CWE-400",
527
+ "family": "dos-sync-io",
528
+ "severity": "low",
529
+ "file": "pr-augment.js",
530
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
531
+ "finding_id": "struct:pr-augment.js:36:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
532
+ "affectsAsset": null,
533
+ "atEntity": null
534
+ },
535
+ {
536
+ "stride": "T",
537
+ "strideLabel": "Tampering",
538
+ "cwe": "CWE-400",
539
+ "family": "dos-sync-io",
540
+ "severity": "low",
541
+ "file": "pre-incident-archaeology.js",
542
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
543
+ "finding_id": "struct:pre-incident-archaeology.js:31:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
544
+ "affectsAsset": null,
545
+ "atEntity": null
546
+ },
547
+ {
548
+ "stride": "T",
549
+ "strideLabel": "Tampering",
550
+ "cwe": "CWE-400",
551
+ "family": "dos-sync-io",
552
+ "severity": "low",
553
+ "file": "profile.js",
554
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
555
+ "finding_id": "struct:profile.js:46:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
556
+ "affectsAsset": null,
557
+ "atEntity": null
558
+ },
559
+ {
560
+ "stride": "T",
561
+ "strideLabel": "Tampering",
562
+ "cwe": "CWE-400",
563
+ "family": "dos-sync-io",
564
+ "severity": "low",
565
+ "file": "realtime-cve-monitor.js",
566
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
567
+ "finding_id": "struct:realtime-cve-monitor.js:38:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
568
+ "affectsAsset": null,
569
+ "atEntity": null
570
+ },
571
+ {
572
+ "stride": "T",
573
+ "strideLabel": "Tampering",
574
+ "cwe": "CWE-400",
575
+ "family": "dos-sync-io",
576
+ "severity": "low",
577
+ "file": "risk-dollars.js",
578
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
579
+ "finding_id": "struct:risk-dollars.js:83:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
580
+ "affectsAsset": null,
581
+ "atEntity": null
582
+ },
583
+ {
584
+ "stride": "T",
585
+ "strideLabel": "Tampering",
586
+ "cwe": "CWE-400",
587
+ "family": "dos-sync-io",
588
+ "severity": "low",
589
+ "file": "router.js",
590
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
591
+ "finding_id": "struct:router.js:21:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
592
+ "affectsAsset": null,
593
+ "atEntity": null
594
+ },
595
+ {
596
+ "stride": "T",
597
+ "strideLabel": "Tampering",
598
+ "cwe": "CWE-400",
599
+ "family": "dos-sync-io",
600
+ "severity": "low",
601
+ "file": "rule-overrides.js",
602
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
603
+ "finding_id": "struct:rule-overrides.js:22:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
604
+ "affectsAsset": null,
605
+ "atEntity": null
606
+ },
607
+ {
608
+ "stride": "T",
609
+ "strideLabel": "Tampering",
610
+ "cwe": "CWE-400",
611
+ "family": "dos-sync-io",
612
+ "severity": "low",
613
+ "file": "rule-pack-signing.js",
614
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
615
+ "finding_id": "struct:rule-pack-signing.js:66:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
616
+ "affectsAsset": null,
617
+ "atEntity": null
618
+ },
619
+ {
620
+ "stride": "T",
621
+ "strideLabel": "Tampering",
622
+ "cwe": "CWE-400",
623
+ "family": "dos-sync-io",
624
+ "severity": "low",
625
+ "file": "rule-synthesis.js",
626
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
627
+ "finding_id": "struct:rule-synthesis.js:22:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
628
+ "affectsAsset": null,
629
+ "atEntity": null
630
+ },
631
+ {
632
+ "stride": "T",
633
+ "strideLabel": "Tampering",
634
+ "cwe": "CWE-400",
635
+ "family": "dos-sync-io",
636
+ "severity": "low",
637
+ "file": "ruleset-version.js",
638
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
639
+ "finding_id": "struct:ruleset-version.js:36:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
640
+ "affectsAsset": null,
641
+ "atEntity": null
642
+ },
643
+ {
644
+ "stride": "T",
645
+ "strideLabel": "Tampering",
646
+ "cwe": "CWE-400",
647
+ "family": "dos-sync-io",
648
+ "severity": "low",
649
+ "file": "runtime-correlation.js",
650
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
651
+ "finding_id": "struct:runtime-correlation.js:46:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
652
+ "affectsAsset": null,
653
+ "atEntity": null
654
+ },
655
+ {
656
+ "stride": "T",
657
+ "strideLabel": "Tampering",
658
+ "cwe": "CWE-400",
659
+ "family": "dos-sync-io",
660
+ "severity": "low",
661
+ "file": "sbom-diff.js",
662
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
663
+ "finding_id": "struct:sbom-diff.js:61:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
664
+ "affectsAsset": null,
665
+ "atEntity": null
666
+ },
667
+ {
668
+ "stride": "T",
669
+ "strideLabel": "Tampering",
670
+ "cwe": "CWE-400",
671
+ "family": "dos-sync-io",
672
+ "severity": "low",
673
+ "file": "sca-policy.js",
674
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
675
+ "finding_id": "struct:sca-policy.js:53:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
676
+ "affectsAsset": null,
677
+ "atEntity": null
678
+ },
679
+ {
680
+ "stride": "T",
681
+ "strideLabel": "Tampering",
682
+ "cwe": "CWE-400",
683
+ "family": "dos-sync-io",
684
+ "severity": "low",
685
+ "file": "security-trend.js",
686
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
687
+ "finding_id": "struct:security-trend.js:16:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
688
+ "affectsAsset": null,
689
+ "atEntity": null
690
+ },
691
+ {
692
+ "stride": "T",
693
+ "strideLabel": "Tampering",
694
+ "cwe": "CWE-400",
695
+ "family": "dos-sync-io",
696
+ "severity": "low",
697
+ "file": "stack-playbook.js",
698
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
699
+ "finding_id": "struct:stack-playbook.js:13:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
700
+ "affectsAsset": null,
701
+ "atEntity": null
702
+ },
703
+ {
704
+ "stride": "T",
705
+ "strideLabel": "Tampering",
706
+ "cwe": "CWE-400",
707
+ "family": "dos-sync-io",
708
+ "severity": "low",
709
+ "file": "state-dir.js",
710
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
711
+ "finding_id": "struct:state-dir.js:39:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
712
+ "affectsAsset": null,
713
+ "atEntity": null
714
+ },
715
+ {
716
+ "stride": "T",
717
+ "strideLabel": "Tampering",
718
+ "cwe": "CWE-400",
719
+ "family": "dos-sync-io",
720
+ "severity": "low",
721
+ "file": "streak.js",
722
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
723
+ "finding_id": "struct:streak.js:40:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
724
+ "affectsAsset": null,
725
+ "atEntity": null
726
+ },
727
+ {
728
+ "stride": "T",
729
+ "strideLabel": "Tampering",
730
+ "cwe": "CWE-400",
731
+ "family": "dos-sync-io",
732
+ "severity": "low",
733
+ "file": "suppressions.js",
734
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
735
+ "finding_id": "struct:suppressions.js:24:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
736
+ "affectsAsset": null,
737
+ "atEntity": null
738
+ },
739
+ {
740
+ "stride": "T",
741
+ "strideLabel": "Tampering",
742
+ "cwe": "CWE-400",
743
+ "family": "dos-sync-io",
744
+ "severity": "low",
745
+ "file": "telemetry-ingest.js",
746
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
747
+ "finding_id": "struct:telemetry-ingest.js:41:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
748
+ "affectsAsset": null,
749
+ "atEntity": null
750
+ },
751
+ {
752
+ "stride": "T",
753
+ "strideLabel": "Tampering",
754
+ "cwe": "CWE-400",
755
+ "family": "dos-sync-io",
756
+ "severity": "low",
757
+ "file": "threat-model-auto.js",
758
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
759
+ "finding_id": "struct:threat-model-auto.js:216:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
760
+ "affectsAsset": null,
761
+ "atEntity": null
762
+ },
763
+ {
764
+ "stride": "T",
765
+ "strideLabel": "Tampering",
766
+ "cwe": "CWE-400",
767
+ "family": "dos-sync-io",
768
+ "severity": "low",
769
+ "file": "threat-model-grounding.js",
770
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
771
+ "finding_id": "struct:threat-model-grounding.js:34:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
772
+ "affectsAsset": null,
773
+ "atEntity": null
774
+ },
775
+ {
776
+ "stride": "T",
777
+ "strideLabel": "Tampering",
778
+ "cwe": "CWE-400",
779
+ "family": "dos-sync-io",
780
+ "severity": "low",
781
+ "file": "time-to-fix.js",
782
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
783
+ "finding_id": "struct:time-to-fix.js:54:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
784
+ "affectsAsset": null,
785
+ "atEntity": null
786
+ },
787
+ {
788
+ "stride": "T",
789
+ "strideLabel": "Tampering",
790
+ "cwe": "CWE-400",
791
+ "family": "dos-sync-io",
792
+ "severity": "low",
793
+ "file": "triage-learning.js",
794
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
795
+ "finding_id": "struct:triage-learning.js:49:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
796
+ "affectsAsset": null,
797
+ "atEntity": null
798
+ },
799
+ {
800
+ "stride": "T",
801
+ "strideLabel": "Tampering",
802
+ "cwe": "CWE-400",
803
+ "family": "dos-sync-io",
804
+ "severity": "low",
805
+ "file": "triage-memory.js",
806
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
807
+ "finding_id": "struct:triage-memory.js:61:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
808
+ "affectsAsset": null,
809
+ "atEntity": null
810
+ },
811
+ {
812
+ "stride": "T",
813
+ "strideLabel": "Tampering",
814
+ "cwe": "CWE-400",
815
+ "family": "dos-sync-io",
816
+ "severity": "low",
817
+ "file": "triage.js",
818
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
819
+ "finding_id": "struct:triage.js:20:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
820
+ "affectsAsset": null,
821
+ "atEntity": null
822
+ },
823
+ {
824
+ "stride": "T",
825
+ "strideLabel": "Tampering",
826
+ "cwe": "CWE-400",
827
+ "family": "dos-sync-io",
828
+ "severity": "low",
829
+ "file": "validator-metrics.js",
830
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
831
+ "finding_id": "struct:validator-metrics.js:35:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
832
+ "affectsAsset": null,
833
+ "atEntity": null
834
+ },
835
+ {
836
+ "stride": "T",
837
+ "strideLabel": "Tampering",
838
+ "cwe": "CWE-400",
839
+ "family": "dos-sync-io",
840
+ "severity": "low",
841
+ "file": "verifier-ephemeral.js",
842
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
843
+ "finding_id": "struct:verifier-ephemeral.js:90:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
844
+ "affectsAsset": null,
845
+ "atEntity": null
846
+ },
847
+ {
848
+ "stride": "T",
849
+ "strideLabel": "Tampering",
850
+ "cwe": "CWE-400",
851
+ "family": "dos-sync-io",
852
+ "severity": "low",
853
+ "file": "verifier-target.js",
854
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
855
+ "finding_id": "struct:verifier-target.js:66:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
856
+ "affectsAsset": null,
857
+ "atEntity": null
858
+ },
859
+ {
860
+ "stride": "T",
861
+ "strideLabel": "Tampering",
862
+ "cwe": "CWE-400",
863
+ "family": "dos-sync-io",
864
+ "severity": "low",
865
+ "file": "verifier.js",
866
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
867
+ "finding_id": "struct:verifier.js:129:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
868
+ "affectsAsset": null,
869
+ "atEntity": null
870
+ },
871
+ {
872
+ "stride": "T",
873
+ "strideLabel": "Tampering",
874
+ "cwe": "CWE-400",
875
+ "family": "dos-sync-io",
876
+ "severity": "low",
877
+ "file": "version.js",
878
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
879
+ "finding_id": "struct:version.js:43:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
880
+ "affectsAsset": null,
881
+ "atEntity": null
882
+ },
883
+ {
884
+ "stride": "T",
885
+ "strideLabel": "Tampering",
886
+ "cwe": "CWE-400",
887
+ "family": "dos-sync-io",
888
+ "severity": "low",
889
+ "file": "waf-ingest.js",
890
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
891
+ "finding_id": "struct:waf-ingest.js:138:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
892
+ "affectsAsset": null,
893
+ "atEntity": null
894
+ },
895
+ {
896
+ "stride": "T",
897
+ "strideLabel": "Tampering",
898
+ "cwe": "CWE-400",
899
+ "family": "dos-sync-io",
900
+ "severity": "low",
901
+ "file": "workflow-installer.js",
902
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
903
+ "finding_id": "struct:workflow-installer.js:24:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
904
+ "affectsAsset": null,
905
+ "atEntity": null
906
+ },
907
+ {
908
+ "stride": "T",
909
+ "strideLabel": "Tampering",
910
+ "cwe": "CWE-400",
911
+ "family": "dos-sync-io",
912
+ "severity": "low",
913
+ "file": "fix-verify.js",
914
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
915
+ "finding_id": "struct:fix-verify.js:65:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
916
+ "affectsAsset": null,
917
+ "atEntity": null
918
+ },
919
+ {
920
+ "stride": "T",
921
+ "strideLabel": "Tampering",
922
+ "cwe": "CWE-400",
923
+ "family": "dos-sync-io",
924
+ "severity": "low",
925
+ "file": "sca-upgrade.js",
926
+ "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
927
+ "finding_id": "struct:sca-upgrade.js:79:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
928
+ "affectsAsset": null,
929
+ "atEntity": null
930
+ },
931
+ {
932
+ "stride": "T",
933
+ "strideLabel": "Tampering",
934
+ "cwe": "CWE-841",
935
+ "family": "state-machine-bypass",
936
+ "severity": "medium",
937
+ "file": "business-logic.js",
938
+ "line": 141,
939
+ "vuln": "State-machine bypass: write '<not in set>' not in declared set pending,approved,rejected",
940
+ "finding_id": "state-machine:business-logic.js:141:<not in set>",
941
+ "affectsAsset": null,
942
+ "atEntity": null
943
+ },
944
+ {
945
+ "stride": "T",
946
+ "strideLabel": "Tampering",
947
+ "cwe": "CWE-841",
948
+ "family": "state-machine-bypass",
949
+ "severity": "medium",
950
+ "file": "fix-history.js",
951
+ "line": 261,
952
+ "vuln": "State-machine bypass: write 'failed' not in declared set pending,approved,rejected",
953
+ "finding_id": "state-machine:fix-history.js:261:failed",
954
+ "affectsAsset": null,
955
+ "atEntity": null
956
+ },
957
+ {
958
+ "stride": "T",
959
+ "strideLabel": "Tampering",
960
+ "cwe": "CWE-841",
961
+ "family": "state-machine-bypass",
962
+ "severity": "medium",
963
+ "file": "fix-history.js",
964
+ "line": 267,
965
+ "vuln": "State-machine bypass: write 'applied' not in declared set pending,approved,rejected",
966
+ "finding_id": "state-machine:fix-history.js:267:applied",
967
+ "affectsAsset": null,
968
+ "atEntity": null
969
+ },
970
+ {
971
+ "stride": "T",
972
+ "strideLabel": "Tampering",
973
+ "cwe": "CWE-841",
974
+ "family": "state-machine-bypass",
975
+ "severity": "medium",
976
+ "file": "fix-history.js",
977
+ "line": 312,
978
+ "vuln": "State-machine bypass: write 'failed' not in declared set pending,approved,rejected",
979
+ "finding_id": "state-machine:fix-history.js:312:failed",
980
+ "affectsAsset": null,
981
+ "atEntity": null
982
+ },
983
+ {
984
+ "stride": "T",
985
+ "strideLabel": "Tampering",
986
+ "cwe": "CWE-841",
987
+ "family": "state-machine-bypass",
988
+ "severity": "medium",
989
+ "file": "fix-history.js",
990
+ "line": 322,
991
+ "vuln": "State-machine bypass: write 'applied-stale' not in declared set pending,approved,rejected",
992
+ "finding_id": "state-machine:fix-history.js:322:applied-stale",
993
+ "affectsAsset": null,
994
+ "atEntity": null
995
+ },
996
+ {
997
+ "stride": "T",
998
+ "strideLabel": "Tampering",
999
+ "cwe": "CWE-841",
1000
+ "family": "state-machine-bypass",
1001
+ "severity": "medium",
1002
+ "file": "fix-history.js",
1003
+ "line": 325,
1004
+ "vuln": "State-machine bypass: write 'applied' not in declared set pending,approved,rejected",
1005
+ "finding_id": "state-machine:fix-history.js:325:applied",
1006
+ "affectsAsset": null,
1007
+ "atEntity": null
1008
+ },
1009
+ {
1010
+ "stride": "T",
1011
+ "strideLabel": "Tampering",
1012
+ "cwe": "CWE-841",
1013
+ "family": "state-machine-bypass",
1014
+ "severity": "medium",
1015
+ "file": "fix-history.js",
1016
+ "line": 330,
1017
+ "vuln": "State-machine bypass: write 'failed' not in declared set pending,approved,rejected",
1018
+ "finding_id": "state-machine:fix-history.js:330:failed",
1019
+ "affectsAsset": null,
1020
+ "atEntity": null
1021
+ },
1022
+ {
1023
+ "stride": "T",
1024
+ "strideLabel": "Tampering",
1025
+ "cwe": "CWE-841",
1026
+ "family": "state-machine-bypass",
1027
+ "severity": "medium",
1028
+ "file": "fix-history.js",
1029
+ "line": 335,
1030
+ "vuln": "State-machine bypass: write 'failed' not in declared set pending,approved,rejected",
1031
+ "finding_id": "state-machine:fix-history.js:335:failed",
1032
+ "affectsAsset": null,
1033
+ "atEntity": null
1034
+ },
1035
+ {
1036
+ "stride": "T",
1037
+ "strideLabel": "Tampering",
1038
+ "cwe": "CWE-841",
1039
+ "family": "state-machine-bypass",
1040
+ "severity": "medium",
1041
+ "file": "triage.js",
1042
+ "line": 68,
1043
+ "vuln": "State-machine bypass: write 'fixed' not in declared set pending,approved,rejected",
1044
+ "finding_id": "state-machine:triage.js:68:fixed",
1045
+ "affectsAsset": null,
1046
+ "atEntity": null
1047
+ },
1048
+ {
1049
+ "stride": "T",
1050
+ "strideLabel": "Tampering",
1051
+ "cwe": "CWE-1321",
1052
+ "family": "prototype-pollution",
1053
+ "severity": "low",
1054
+ "file": "adversarial-self-test.js",
1055
+ "line": 60,
1056
+ "vuln": "Prototype Pollution: Direct write to __proto__ / constructor.prototype",
1057
+ "finding_id": "prototype-pollution-direct:adversarial-self-test.js:60",
1058
+ "affectsAsset": null,
1059
+ "atEntity": null
1060
+ },
1061
+ {
1062
+ "stride": "E",
1063
+ "strideLabel": "Elevation of Privilege",
1064
+ "cwe": "CWE-1321",
1065
+ "family": "prototype-pollution",
1066
+ "severity": "low",
1067
+ "file": "adversarial-self-test.js",
1068
+ "line": 60,
1069
+ "vuln": "Prototype Pollution: Direct write to __proto__ / constructor.prototype",
1070
+ "finding_id": "prototype-pollution-direct:adversarial-self-test.js:60",
1071
+ "affectsAsset": null,
1072
+ "atEntity": null
1073
+ },
1074
+ {
1075
+ "stride": "T",
1076
+ "strideLabel": "Tampering",
1077
+ "cwe": "CWE-77",
1078
+ "family": "user-input-concatenated-into-system-prom",
1079
+ "severity": "low",
1080
+ "file": "adversary-agent.js",
1081
+ "line": 109,
1082
+ "vuln": "User input concatenated into system prompt — direct prompt injection",
1083
+ "finding_id": "llm-redteam:userInputInSystem:adversary-agent.js:109",
1084
+ "affectsAsset": null,
1085
+ "atEntity": null
1086
+ },
1087
+ {
1088
+ "stride": "T",
1089
+ "strideLabel": "Tampering",
1090
+ "cwe": "CWE-1336",
1091
+ "family": "prompt-template-user-input-interpolated-",
1092
+ "severity": "low",
1093
+ "file": "llm-redteam-prompts.js",
1094
+ "line": 332,
1095
+ "vuln": "Prompt Template: user input interpolated into prompt string without isolation",
1096
+ "finding_id": "prompt-tpl:llm-redteam-prompts.js:332:Prompt_Template__user_input_interpolated_into_prompt_string_",
1097
+ "affectsAsset": null,
1098
+ "atEntity": null
1099
+ },
1100
+ {
1101
+ "stride": "T",
1102
+ "strideLabel": "Tampering",
1103
+ "cwe": "CWE-367",
1104
+ "family": "toctou-file-existence-permission-check-b",
1105
+ "severity": "low",
1106
+ "file": "agents-memory.js",
1107
+ "line": 44,
1108
+ "vuln": "TOCTOU: file existence/permission check before open",
1109
+ "finding_id": "toctou-fs:agents-memory.js:44",
1110
+ "affectsAsset": null,
1111
+ "atEntity": null
1112
+ },
1113
+ {
1114
+ "stride": "T",
1115
+ "strideLabel": "Tampering",
1116
+ "cwe": "CWE-367",
1117
+ "family": "toctou-file-existence-permission-check-b",
1118
+ "severity": "low",
1119
+ "file": "agents-memory.js",
1120
+ "line": 69,
1121
+ "vuln": "TOCTOU: file existence/permission check before open",
1122
+ "finding_id": "toctou-fs:agents-memory.js:69",
1123
+ "affectsAsset": null,
1124
+ "atEntity": null
1125
+ },
1126
+ {
1127
+ "stride": "T",
1128
+ "strideLabel": "Tampering",
1129
+ "cwe": "CWE-367",
1130
+ "family": "toctou-file-existence-permission-check-b",
1131
+ "severity": "low",
1132
+ "file": "agents-memory.js",
1133
+ "line": 72,
1134
+ "vuln": "TOCTOU: file existence/permission check before open",
1135
+ "finding_id": "toctou-fs:agents-memory.js:72",
1136
+ "affectsAsset": null,
1137
+ "atEntity": null
1138
+ },
1139
+ {
1140
+ "stride": "T",
1141
+ "strideLabel": "Tampering",
1142
+ "cwe": "CWE-367",
1143
+ "family": "toctou-file-existence-permission-check-b",
1144
+ "severity": "low",
1145
+ "file": "agents-memory.js",
1146
+ "line": 107,
1147
+ "vuln": "TOCTOU: file existence/permission check before open",
1148
+ "finding_id": "toctou-fs:agents-memory.js:107",
1149
+ "affectsAsset": null,
1150
+ "atEntity": null
1151
+ },
1152
+ {
1153
+ "stride": "T",
1154
+ "strideLabel": "Tampering",
1155
+ "cwe": "CWE-400",
1156
+ "family": "prompt-firewall-missing-max-tokens-cap",
1157
+ "severity": "low",
1158
+ "file": "aibom.js",
1159
+ "line": 31,
1160
+ "vuln": "Prompt Firewall — Missing max_tokens Cap",
1161
+ "finding_id": "prompt-firewall:MISSING_MAX_TOKENS:aibom.js:31",
1162
+ "affectsAsset": null,
1163
+ "atEntity": null
1164
+ },
1165
+ {
1166
+ "stride": "T",
1167
+ "strideLabel": "Tampering",
1168
+ "cwe": "CWE-770",
1169
+ "family": "llm-call-without-max-tokens-unbounded-co",
1170
+ "severity": "low",
1171
+ "file": "aibom.js",
1172
+ "line": 31,
1173
+ "vuln": "LLM call without max_tokens — unbounded cost / DoS",
1174
+ "finding_id": "llm-redteam:noMaxTokens:aibom.js:31",
1175
+ "affectsAsset": null,
1176
+ "atEntity": null
1177
+ },
1178
+ {
1179
+ "stride": "T",
1180
+ "strideLabel": "Tampering",
1181
+ "cwe": "CWE-770",
1182
+ "family": "llm-call-without-max-tokens-unbounded-co",
1183
+ "severity": "low",
1184
+ "file": "aibom.js",
1185
+ "line": 34,
1186
+ "vuln": "LLM call without max_tokens — unbounded cost / DoS",
1187
+ "finding_id": "llm-redteam:noMaxTokens:aibom.js:34",
1188
+ "affectsAsset": null,
1189
+ "atEntity": null
1190
+ },
1191
+ {
1192
+ "stride": "T",
1193
+ "strideLabel": "Tampering",
1194
+ "cwe": "CWE-367",
1195
+ "family": "toctou-file-existence-permission-check-b",
1196
+ "severity": "low",
1197
+ "file": "auditor-walkthrough.js",
1198
+ "line": 60,
1199
+ "vuln": "TOCTOU: file existence/permission check before open",
1200
+ "finding_id": "toctou-fs:auditor-walkthrough.js:60",
1201
+ "affectsAsset": null,
1202
+ "atEntity": null
1203
+ },
1204
+ {
1205
+ "stride": "T",
1206
+ "strideLabel": "Tampering",
1207
+ "cwe": "CWE-367",
1208
+ "family": "toctou-file-existence-permission-check-b",
1209
+ "severity": "low",
1210
+ "file": "auth-posture-import.js",
1211
+ "line": 53,
1212
+ "vuln": "TOCTOU: file existence/permission check before open",
1213
+ "finding_id": "toctou-fs:auth-posture-import.js:53",
1214
+ "affectsAsset": null,
1215
+ "atEntity": null
1216
+ },
1217
+ {
1218
+ "stride": "T",
1219
+ "strideLabel": "Tampering",
1220
+ "cwe": "CWE-367",
1221
+ "family": "toctou-file-existence-permission-check-b",
1222
+ "severity": "low",
1223
+ "file": "calibration-drift.js",
1224
+ "line": 40,
1225
+ "vuln": "TOCTOU: file existence/permission check before open",
1226
+ "finding_id": "toctou-fs:calibration-drift.js:40",
1227
+ "affectsAsset": null,
1228
+ "atEntity": null
1229
+ },
1230
+ {
1231
+ "stride": "T",
1232
+ "strideLabel": "Tampering",
1233
+ "cwe": "CWE-367",
1234
+ "family": "toctou-file-existence-permission-check-b",
1235
+ "severity": "low",
1236
+ "file": "compliance-policy.js",
1237
+ "line": 48,
1238
+ "vuln": "TOCTOU: file existence/permission check before open",
1239
+ "finding_id": "toctou-fs:compliance-policy.js:48",
1240
+ "affectsAsset": null,
1241
+ "atEntity": null
1242
+ },
1243
+ {
1244
+ "stride": "T",
1245
+ "strideLabel": "Tampering",
1246
+ "cwe": "CWE-367",
1247
+ "family": "toctou-file-existence-permission-check-b",
1248
+ "severity": "low",
1249
+ "file": "compliance-policy.js",
1250
+ "line": 109,
1251
+ "vuln": "TOCTOU: file existence/permission check before open",
1252
+ "finding_id": "toctou-fs:compliance-policy.js:109",
1253
+ "affectsAsset": null,
1254
+ "atEntity": null
1255
+ },
1256
+ {
1257
+ "stride": "T",
1258
+ "strideLabel": "Tampering",
1259
+ "cwe": "CWE-367",
1260
+ "family": "toctou-file-existence-permission-check-b",
1261
+ "severity": "low",
1262
+ "file": "cross-repo-memory.js",
1263
+ "line": 62,
1264
+ "vuln": "TOCTOU: file existence/permission check before open",
1265
+ "finding_id": "toctou-fs:cross-repo-memory.js:62",
1266
+ "affectsAsset": null,
1267
+ "atEntity": null
1268
+ },
1269
+ {
1270
+ "stride": "T",
1271
+ "strideLabel": "Tampering",
1272
+ "cwe": "CWE-176",
1273
+ "family": "path-normalization",
1274
+ "severity": "low",
1275
+ "file": "custom-rules.js",
1276
+ "line": 182,
1277
+ "vuln": "Path Normalization Gap — extension extraction without null-byte/traversal sanitization",
1278
+ "finding_id": "path-norm:custom-rules.js:182",
1279
+ "affectsAsset": null,
1280
+ "atEntity": null
1281
+ },
1282
+ {
1283
+ "stride": "T",
1284
+ "strideLabel": "Tampering",
1285
+ "cwe": "CWE-367",
1286
+ "family": "toctou-file-existence-permission-check-b",
1287
+ "severity": "low",
1288
+ "file": "cve-alert-daemon.js",
1289
+ "line": 271,
1290
+ "vuln": "TOCTOU: file existence/permission check before open",
1291
+ "finding_id": "toctou-fs:cve-alert-daemon.js:271",
1292
+ "affectsAsset": null,
1293
+ "atEntity": null
1294
+ },
1295
+ {
1296
+ "stride": "T",
1297
+ "strideLabel": "Tampering",
1298
+ "cwe": "CWE-367",
1299
+ "family": "toctou-file-existence-permission-check-b",
1300
+ "severity": "low",
1301
+ "file": "cve-alert-daemon.js",
1302
+ "line": 289,
1303
+ "vuln": "TOCTOU: file existence/permission check before open",
1304
+ "finding_id": "toctou-fs:cve-alert-daemon.js:289",
1305
+ "affectsAsset": null,
1306
+ "atEntity": null
1307
+ },
1308
+ {
1309
+ "stride": "T",
1310
+ "strideLabel": "Tampering",
1311
+ "cwe": "CWE-367",
1312
+ "family": "toctou-file-existence-permission-check-b",
1313
+ "severity": "low",
1314
+ "file": "cve-lookup.js",
1315
+ "line": 32,
1316
+ "vuln": "TOCTOU: file existence/permission check before open",
1317
+ "finding_id": "toctou-fs:cve-lookup.js:32",
1318
+ "affectsAsset": null,
1319
+ "atEntity": null
1320
+ },
1321
+ {
1322
+ "stride": "I",
1323
+ "strideLabel": "Information Disclosure",
1324
+ "cwe": "CWE-918",
1325
+ "family": "ssrf",
1326
+ "severity": "low",
1327
+ "file": "defender-agent.js",
1328
+ "line": 41,
1329
+ "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
1330
+ "finding_id": "ssrf-meta-hardcoded:defender-agent.js:41",
1331
+ "affectsAsset": null,
1332
+ "atEntity": null
1333
+ },
1334
+ {
1335
+ "stride": "E",
1336
+ "strideLabel": "Elevation of Privilege",
1337
+ "cwe": "CWE-918",
1338
+ "family": "ssrf",
1339
+ "severity": "low",
1340
+ "file": "defender-agent.js",
1341
+ "line": 41,
1342
+ "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
1343
+ "finding_id": "ssrf-meta-hardcoded:defender-agent.js:41",
1344
+ "affectsAsset": null,
1345
+ "atEntity": null
1346
+ },
1347
+ {
1348
+ "stride": "T",
1349
+ "strideLabel": "Tampering",
1350
+ "cwe": "CWE-367",
1351
+ "family": "toctou-file-existence-permission-check-b",
1352
+ "severity": "low",
1353
+ "file": "dep-add-guard.js",
1354
+ "line": 28,
1355
+ "vuln": "TOCTOU: file existence/permission check before open",
1356
+ "finding_id": "toctou-fs:dep-add-guard.js:28",
1357
+ "affectsAsset": null,
1358
+ "atEntity": null
1359
+ },
1360
+ {
1361
+ "stride": "T",
1362
+ "strideLabel": "Tampering",
1363
+ "cwe": "CWE-367",
1364
+ "family": "toctou-file-existence-permission-check-b",
1365
+ "severity": "low",
1366
+ "file": "dep-add-guard.js",
1367
+ "line": 65,
1368
+ "vuln": "TOCTOU: file existence/permission check before open",
1369
+ "finding_id": "toctou-fs:dep-add-guard.js:65",
1370
+ "affectsAsset": null,
1371
+ "atEntity": null
1372
+ },
1373
+ {
1374
+ "stride": "T",
1375
+ "strideLabel": "Tampering",
1376
+ "cwe": "CWE-367",
1377
+ "family": "toctou-file-existence-permission-check-b",
1378
+ "severity": "low",
1379
+ "file": "deterministic.js",
1380
+ "line": 53,
1381
+ "vuln": "TOCTOU: file existence/permission check before open",
1382
+ "finding_id": "toctou-fs:deterministic.js:53",
1383
+ "affectsAsset": null,
1384
+ "atEntity": null
1385
+ },
1386
+ {
1387
+ "stride": "T",
1388
+ "strideLabel": "Tampering",
1389
+ "cwe": "CWE-367",
1390
+ "family": "toctou-file-existence-permission-check-b",
1391
+ "severity": "low",
1392
+ "file": "epss.js",
1393
+ "line": 34,
1394
+ "vuln": "TOCTOU: file existence/permission check before open",
1395
+ "finding_id": "toctou-fs:epss.js:34",
1396
+ "affectsAsset": null,
1397
+ "atEntity": null
1398
+ },
1399
+ {
1400
+ "stride": "T",
1401
+ "strideLabel": "Tampering",
1402
+ "cwe": "CWE-367",
1403
+ "family": "toctou-file-existence-permission-check-b",
1404
+ "severity": "low",
1405
+ "file": "exploitability-probability.js",
1406
+ "line": 142,
1407
+ "vuln": "TOCTOU: file existence/permission check before open",
1408
+ "finding_id": "toctou-fs:exploitability-probability.js:142",
1409
+ "affectsAsset": null,
1410
+ "atEntity": null
1411
+ },
1412
+ {
1413
+ "stride": "T",
1414
+ "strideLabel": "Tampering",
1415
+ "cwe": "CWE-367",
1416
+ "family": "toctou-file-existence-permission-check-b",
1417
+ "severity": "low",
1418
+ "file": "feature-flags.js",
1419
+ "line": 53,
1420
+ "vuln": "TOCTOU: file existence/permission check before open",
1421
+ "finding_id": "toctou-fs:feature-flags.js:53",
1422
+ "affectsAsset": null,
1423
+ "atEntity": null
1424
+ },
1425
+ {
1426
+ "stride": "T",
1427
+ "strideLabel": "Tampering",
1428
+ "cwe": "CWE-367",
1429
+ "family": "toctou-file-existence-permission-check-b",
1430
+ "severity": "low",
1431
+ "file": "federated-learning.js",
1432
+ "line": 60,
1433
+ "vuln": "TOCTOU: file existence/permission check before open",
1434
+ "finding_id": "toctou-fs:federated-learning.js:60",
1435
+ "affectsAsset": null,
1436
+ "atEntity": null
1437
+ },
1438
+ {
1439
+ "stride": "T",
1440
+ "strideLabel": "Tampering",
1441
+ "cwe": "CWE-367",
1442
+ "family": "toctou-file-existence-permission-check-b",
1443
+ "severity": "low",
1444
+ "file": "fix-history.js",
1445
+ "line": 31,
1446
+ "vuln": "TOCTOU: file existence/permission check before open",
1447
+ "finding_id": "toctou-fs:fix-history.js:31",
1448
+ "affectsAsset": null,
1449
+ "atEntity": null
1450
+ },
1451
+ {
1452
+ "stride": "T",
1453
+ "strideLabel": "Tampering",
1454
+ "cwe": "CWE-367",
1455
+ "family": "toctou-file-existence-permission-check-b",
1456
+ "severity": "low",
1457
+ "file": "fix-history.js",
1458
+ "line": 48,
1459
+ "vuln": "TOCTOU: file existence/permission check before open",
1460
+ "finding_id": "toctou-fs:fix-history.js:48",
1461
+ "affectsAsset": null,
1462
+ "atEntity": null
1463
+ },
1464
+ {
1465
+ "stride": "T",
1466
+ "strideLabel": "Tampering",
1467
+ "cwe": "CWE-176",
1468
+ "family": "path-normalization",
1469
+ "severity": "low",
1470
+ "file": "fix-style-mirror.js",
1471
+ "line": 39,
1472
+ "vuln": "Path Normalization Gap — extension extraction without null-byte/traversal sanitization",
1473
+ "finding_id": "path-norm:fix-style-mirror.js:39",
1474
+ "affectsAsset": null,
1475
+ "atEntity": null
1476
+ },
1477
+ {
1478
+ "stride": "T",
1479
+ "strideLabel": "Tampering",
1480
+ "cwe": "CWE-367",
1481
+ "family": "toctou-file-existence-permission-check-b",
1482
+ "severity": "low",
1483
+ "file": "fix-style-mirror.js",
1484
+ "line": 97,
1485
+ "vuln": "TOCTOU: file existence/permission check before open",
1486
+ "finding_id": "toctou-fs:fix-style-mirror.js:97",
1487
+ "affectsAsset": null,
1488
+ "atEntity": null
1489
+ },
1490
+ {
1491
+ "stride": "T",
1492
+ "strideLabel": "Tampering",
1493
+ "cwe": "CWE-367",
1494
+ "family": "toctou-file-existence-permission-check-b",
1495
+ "severity": "low",
1496
+ "file": "fix-verify-loop.js",
1497
+ "line": 33,
1498
+ "vuln": "TOCTOU: file existence/permission check before open",
1499
+ "finding_id": "toctou-fs:fix-verify-loop.js:33",
1500
+ "affectsAsset": null,
1501
+ "atEntity": null
1502
+ },
1503
+ {
1504
+ "stride": "I",
1505
+ "strideLabel": "Information Disclosure",
1506
+ "cwe": "CWE-918",
1507
+ "family": "ssrf",
1508
+ "severity": "low",
1509
+ "file": "flow-narration.js",
1510
+ "line": 24,
1511
+ "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
1512
+ "finding_id": "ssrf-meta-hardcoded:flow-narration.js:24",
1513
+ "affectsAsset": null,
1514
+ "atEntity": null
1515
+ },
1516
+ {
1517
+ "stride": "E",
1518
+ "strideLabel": "Elevation of Privilege",
1519
+ "cwe": "CWE-918",
1520
+ "family": "ssrf",
1521
+ "severity": "low",
1522
+ "file": "flow-narration.js",
1523
+ "line": 24,
1524
+ "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
1525
+ "finding_id": "ssrf-meta-hardcoded:flow-narration.js:24",
1526
+ "affectsAsset": null,
1527
+ "atEntity": null
1528
+ },
1529
+ {
1530
+ "stride": "T",
1531
+ "strideLabel": "Tampering",
1532
+ "cwe": "CWE-367",
1533
+ "family": "toctou-file-existence-permission-check-b",
1534
+ "severity": "low",
1535
+ "file": "grader-calibration.js",
1536
+ "line": 34,
1537
+ "vuln": "TOCTOU: file existence/permission check before open",
1538
+ "finding_id": "toctou-fs:grader-calibration.js:34",
1539
+ "affectsAsset": null,
1540
+ "atEntity": null
1541
+ },
1542
+ {
1543
+ "stride": "T",
1544
+ "strideLabel": "Tampering",
1545
+ "cwe": "CWE-367",
1546
+ "family": "toctou-file-existence-permission-check-b",
1547
+ "severity": "low",
1548
+ "file": "harness-discovery.js",
1549
+ "line": 39,
1550
+ "vuln": "TOCTOU: file existence/permission check before open",
1551
+ "finding_id": "toctou-fs:harness-discovery.js:39",
1552
+ "affectsAsset": null,
1553
+ "atEntity": null
1554
+ },
1555
+ {
1556
+ "stride": "T",
1557
+ "strideLabel": "Tampering",
1558
+ "cwe": "CWE-367",
1559
+ "family": "toctou-file-existence-permission-check-b",
1560
+ "severity": "low",
1561
+ "file": "holdout-eval.js",
1562
+ "line": 53,
1563
+ "vuln": "TOCTOU: file existence/permission check before open",
1564
+ "finding_id": "toctou-fs:holdout-eval.js:53",
1565
+ "affectsAsset": null,
1566
+ "atEntity": null
1567
+ },
1568
+ {
1569
+ "stride": "T",
1570
+ "strideLabel": "Tampering",
1571
+ "cwe": "CWE-367",
1572
+ "family": "toctou-file-existence-permission-check-b",
1573
+ "severity": "low",
1574
+ "file": "integrity.js",
1575
+ "line": 43,
1576
+ "vuln": "TOCTOU: file existence/permission check before open",
1577
+ "finding_id": "toctou-fs:integrity.js:43",
1578
+ "affectsAsset": null,
1579
+ "atEntity": null
1580
+ },
1581
+ {
1582
+ "stride": "T",
1583
+ "strideLabel": "Tampering",
1584
+ "cwe": "CWE-367",
1585
+ "family": "toctou-file-existence-permission-check-b",
1586
+ "severity": "low",
1587
+ "file": "integrity.js",
1588
+ "line": 77,
1589
+ "vuln": "TOCTOU: file existence/permission check before open",
1590
+ "finding_id": "toctou-fs:integrity.js:77",
1591
+ "affectsAsset": null,
1592
+ "atEntity": null
1593
+ },
1594
+ {
1595
+ "stride": "T",
1596
+ "strideLabel": "Tampering",
1597
+ "cwe": "CWE-367",
1598
+ "family": "toctou-file-existence-permission-check-b",
1599
+ "severity": "low",
1600
+ "file": "learning.js",
1601
+ "line": 30,
1602
+ "vuln": "TOCTOU: file existence/permission check before open",
1603
+ "finding_id": "toctou-fs:learning.js:30",
1604
+ "affectsAsset": null,
1605
+ "atEntity": null
1606
+ },
1607
+ {
1608
+ "stride": "T",
1609
+ "strideLabel": "Tampering",
1610
+ "cwe": "CWE-367",
1611
+ "family": "toctou-file-existence-permission-check-b",
1612
+ "severity": "low",
1613
+ "file": "license-graph.js",
1614
+ "line": 227,
1615
+ "vuln": "TOCTOU: file existence/permission check before open",
1616
+ "finding_id": "toctou-fs:license-graph.js:227",
1617
+ "affectsAsset": null,
1618
+ "atEntity": null
1619
+ },
1620
+ {
1621
+ "stride": "T",
1622
+ "strideLabel": "Tampering",
1623
+ "cwe": "CWE-367",
1624
+ "family": "toctou-file-existence-permission-check-b",
1625
+ "severity": "low",
1626
+ "file": "license-policy.js",
1627
+ "line": 30,
1628
+ "vuln": "TOCTOU: file existence/permission check before open",
1629
+ "finding_id": "toctou-fs:license-policy.js:30",
1630
+ "affectsAsset": null,
1631
+ "atEntity": null
1632
+ },
1633
+ {
1634
+ "stride": "T",
1635
+ "strideLabel": "Tampering",
1636
+ "cwe": "CWE-367",
1637
+ "family": "toctou-file-existence-permission-check-b",
1638
+ "severity": "low",
1639
+ "file": "network-policy-import.js",
1640
+ "line": 85,
1641
+ "vuln": "TOCTOU: file existence/permission check before open",
1642
+ "finding_id": "toctou-fs:network-policy-import.js:85",
1643
+ "affectsAsset": null,
1644
+ "atEntity": null
1645
+ },
1646
+ {
1647
+ "stride": "T",
1648
+ "strideLabel": "Tampering",
1649
+ "cwe": "CWE-367",
1650
+ "family": "toctou-file-existence-permission-check-b",
1651
+ "severity": "low",
1652
+ "file": "policy-gate.js",
1653
+ "line": 154,
1654
+ "vuln": "TOCTOU: file existence/permission check before open",
1655
+ "finding_id": "toctou-fs:policy-gate.js:154",
1656
+ "affectsAsset": null,
1657
+ "atEntity": null
1658
+ },
1659
+ {
1660
+ "stride": "T",
1661
+ "strideLabel": "Tampering",
1662
+ "cwe": "CWE-367",
1663
+ "family": "toctou-file-existence-permission-check-b",
1664
+ "severity": "low",
1665
+ "file": "profile.js",
1666
+ "line": 46,
1667
+ "vuln": "TOCTOU: file existence/permission check before open",
1668
+ "finding_id": "toctou-fs:profile.js:46",
1669
+ "affectsAsset": null,
1670
+ "atEntity": null
1671
+ },
1672
+ {
1673
+ "stride": "T",
1674
+ "strideLabel": "Tampering",
1675
+ "cwe": "CWE-367",
1676
+ "family": "toctou-file-existence-permission-check-b",
1677
+ "severity": "low",
1678
+ "file": "profile.js",
1679
+ "line": 77,
1680
+ "vuln": "TOCTOU: file existence/permission check before open",
1681
+ "finding_id": "toctou-fs:profile.js:77",
1682
+ "affectsAsset": null,
1683
+ "atEntity": null
1684
+ },
1685
+ {
1686
+ "stride": "T",
1687
+ "strideLabel": "Tampering",
1688
+ "cwe": "CWE-367",
1689
+ "family": "toctou-file-existence-permission-check-b",
1690
+ "severity": "low",
1691
+ "file": "realtime-cve-monitor.js",
1692
+ "line": 38,
1693
+ "vuln": "TOCTOU: file existence/permission check before open",
1694
+ "finding_id": "toctou-fs:realtime-cve-monitor.js:38",
1695
+ "affectsAsset": null,
1696
+ "atEntity": null
1697
+ },
1698
+ {
1699
+ "stride": "T",
1700
+ "strideLabel": "Tampering",
1701
+ "cwe": "CWE-367",
1702
+ "family": "toctou-file-existence-permission-check-b",
1703
+ "severity": "low",
1704
+ "file": "risk-dollars.js",
1705
+ "line": 83,
1706
+ "vuln": "TOCTOU: file existence/permission check before open",
1707
+ "finding_id": "toctou-fs:risk-dollars.js:83",
1708
+ "affectsAsset": null,
1709
+ "atEntity": null
1710
+ },
1711
+ {
1712
+ "stride": "T",
1713
+ "strideLabel": "Tampering",
1714
+ "cwe": "CWE-367",
1715
+ "family": "toctou-file-existence-permission-check-b",
1716
+ "severity": "low",
1717
+ "file": "router.js",
1718
+ "line": 21,
1719
+ "vuln": "TOCTOU: file existence/permission check before open",
1720
+ "finding_id": "toctou-fs:router.js:21",
1721
+ "affectsAsset": null,
1722
+ "atEntity": null
1723
+ },
1724
+ {
1725
+ "stride": "T",
1726
+ "strideLabel": "Tampering",
1727
+ "cwe": "CWE-367",
1728
+ "family": "toctou-file-existence-permission-check-b",
1729
+ "severity": "low",
1730
+ "file": "rule-overrides.js",
1731
+ "line": 22,
1732
+ "vuln": "TOCTOU: file existence/permission check before open",
1733
+ "finding_id": "toctou-fs:rule-overrides.js:22",
1734
+ "affectsAsset": null,
1735
+ "atEntity": null
1736
+ },
1737
+ {
1738
+ "stride": "T",
1739
+ "strideLabel": "Tampering",
1740
+ "cwe": "CWE-367",
1741
+ "family": "toctou-file-existence-permission-check-b",
1742
+ "severity": "low",
1743
+ "file": "rule-overrides.js",
1744
+ "line": 72,
1745
+ "vuln": "TOCTOU: file existence/permission check before open",
1746
+ "finding_id": "toctou-fs:rule-overrides.js:72",
1747
+ "affectsAsset": null,
1748
+ "atEntity": null
1749
+ },
1750
+ {
1751
+ "stride": "T",
1752
+ "strideLabel": "Tampering",
1753
+ "cwe": "CWE-367",
1754
+ "family": "toctou-file-existence-permission-check-b",
1755
+ "severity": "low",
1756
+ "file": "rule-pack-signing.js",
1757
+ "line": 66,
1758
+ "vuln": "TOCTOU: file existence/permission check before open",
1759
+ "finding_id": "toctou-fs:rule-pack-signing.js:66",
1760
+ "affectsAsset": null,
1761
+ "atEntity": null
1762
+ },
1763
+ {
1764
+ "stride": "T",
1765
+ "strideLabel": "Tampering",
1766
+ "cwe": "CWE-367",
1767
+ "family": "toctou-file-existence-permission-check-b",
1768
+ "severity": "low",
1769
+ "file": "rule-pack-signing.js",
1770
+ "line": 108,
1771
+ "vuln": "TOCTOU: file existence/permission check before open",
1772
+ "finding_id": "toctou-fs:rule-pack-signing.js:108",
1773
+ "affectsAsset": null,
1774
+ "atEntity": null
1775
+ },
1776
+ {
1777
+ "stride": "T",
1778
+ "strideLabel": "Tampering",
1779
+ "cwe": "CWE-367",
1780
+ "family": "toctou-file-existence-permission-check-b",
1781
+ "severity": "low",
1782
+ "file": "rule-pack-signing.js",
1783
+ "line": 155,
1784
+ "vuln": "TOCTOU: file existence/permission check before open",
1785
+ "finding_id": "toctou-fs:rule-pack-signing.js:155",
1786
+ "affectsAsset": null,
1787
+ "atEntity": null
1788
+ },
1789
+ {
1790
+ "stride": "I",
1791
+ "strideLabel": "Information Disclosure",
1792
+ "cwe": "CWE-327",
1793
+ "family": "pqc-migration",
1794
+ "severity": "low",
1795
+ "file": "rule-pack-signing.js",
1796
+ "line": 187,
1797
+ "vuln": "Pre-quantum ED25519 (ed25519) — replace with ML-DSA-65 before CRQC arrives",
1798
+ "finding_id": "pqc-ed25519:rule-pack-signing.js:187",
1799
+ "affectsAsset": null,
1800
+ "atEntity": null
1801
+ },
1802
+ {
1803
+ "stride": "T",
1804
+ "strideLabel": "Tampering",
1805
+ "cwe": "CWE-367",
1806
+ "family": "toctou-file-existence-permission-check-b",
1807
+ "severity": "low",
1808
+ "file": "rule-synthesis.js",
1809
+ "line": 22,
1810
+ "vuln": "TOCTOU: file existence/permission check before open",
1811
+ "finding_id": "toctou-fs:rule-synthesis.js:22",
1812
+ "affectsAsset": null,
1813
+ "atEntity": null
1814
+ },
1815
+ {
1816
+ "stride": "T",
1817
+ "strideLabel": "Tampering",
1818
+ "cwe": "CWE-367",
1819
+ "family": "toctou-file-existence-permission-check-b",
1820
+ "severity": "low",
1821
+ "file": "ruleset-version.js",
1822
+ "line": 36,
1823
+ "vuln": "TOCTOU: file existence/permission check before open",
1824
+ "finding_id": "toctou-fs:ruleset-version.js:36",
1825
+ "affectsAsset": null,
1826
+ "atEntity": null
1827
+ },
1828
+ {
1829
+ "stride": "T",
1830
+ "strideLabel": "Tampering",
1831
+ "cwe": "CWE-367",
1832
+ "family": "toctou-file-existence-permission-check-b",
1833
+ "severity": "low",
1834
+ "file": "sbom-diff.js",
1835
+ "line": 76,
1836
+ "vuln": "TOCTOU: file existence/permission check before open",
1837
+ "finding_id": "toctou-fs:sbom-diff.js:76",
1838
+ "affectsAsset": null,
1839
+ "atEntity": null
1840
+ },
1841
+ {
1842
+ "stride": "T",
1843
+ "strideLabel": "Tampering",
1844
+ "cwe": "CWE-367",
1845
+ "family": "toctou-file-existence-permission-check-b",
1846
+ "severity": "low",
1847
+ "file": "sca-policy.js",
1848
+ "line": 53,
1849
+ "vuln": "TOCTOU: file existence/permission check before open",
1850
+ "finding_id": "toctou-fs:sca-policy.js:53",
1851
+ "affectsAsset": null,
1852
+ "atEntity": null
1853
+ },
1854
+ {
1855
+ "stride": "T",
1856
+ "strideLabel": "Tampering",
1857
+ "cwe": "CWE-367",
1858
+ "family": "toctou-file-existence-permission-check-b",
1859
+ "severity": "low",
1860
+ "file": "sca-upgrade.js",
1861
+ "line": 79,
1862
+ "vuln": "TOCTOU: file existence/permission check before open",
1863
+ "finding_id": "toctou-fs:sca-upgrade.js:79",
1864
+ "affectsAsset": null,
1865
+ "atEntity": null
1866
+ },
1867
+ {
1868
+ "stride": "T",
1869
+ "strideLabel": "Tampering",
1870
+ "cwe": "CWE-367",
1871
+ "family": "toctou-file-existence-permission-check-b",
1872
+ "severity": "low",
1873
+ "file": "suppressions.js",
1874
+ "line": 24,
1875
+ "vuln": "TOCTOU: file existence/permission check before open",
1876
+ "finding_id": "toctou-fs:suppressions.js:24",
1877
+ "affectsAsset": null,
1878
+ "atEntity": null
1879
+ },
1880
+ {
1881
+ "stride": "T",
1882
+ "strideLabel": "Tampering",
1883
+ "cwe": "CWE-367",
1884
+ "family": "toctou-file-existence-permission-check-b",
1885
+ "severity": "low",
1886
+ "file": "telemetry-ingest.js",
1887
+ "line": 41,
1888
+ "vuln": "TOCTOU: file existence/permission check before open",
1889
+ "finding_id": "toctou-fs:telemetry-ingest.js:41",
1890
+ "affectsAsset": null,
1891
+ "atEntity": null
1892
+ },
1893
+ {
1894
+ "stride": "T",
1895
+ "strideLabel": "Tampering",
1896
+ "cwe": "CWE-367",
1897
+ "family": "toctou-file-existence-permission-check-b",
1898
+ "severity": "low",
1899
+ "file": "time-to-fix.js",
1900
+ "line": 54,
1901
+ "vuln": "TOCTOU: file existence/permission check before open",
1902
+ "finding_id": "toctou-fs:time-to-fix.js:54",
1903
+ "affectsAsset": null,
1904
+ "atEntity": null
1905
+ },
1906
+ {
1907
+ "stride": "T",
1908
+ "strideLabel": "Tampering",
1909
+ "cwe": "CWE-367",
1910
+ "family": "toctou-file-existence-permission-check-b",
1911
+ "severity": "low",
1912
+ "file": "triage-learning.js",
1913
+ "line": 49,
1914
+ "vuln": "TOCTOU: file existence/permission check before open",
1915
+ "finding_id": "toctou-fs:triage-learning.js:49",
1916
+ "affectsAsset": null,
1917
+ "atEntity": null
1918
+ },
1919
+ {
1920
+ "stride": "T",
1921
+ "strideLabel": "Tampering",
1922
+ "cwe": "CWE-367",
1923
+ "family": "toctou-file-existence-permission-check-b",
1924
+ "severity": "low",
1925
+ "file": "triage-memory.js",
1926
+ "line": 82,
1927
+ "vuln": "TOCTOU: file existence/permission check before open",
1928
+ "finding_id": "toctou-fs:triage-memory.js:82",
1929
+ "affectsAsset": null,
1930
+ "atEntity": null
1931
+ },
1932
+ {
1933
+ "stride": "T",
1934
+ "strideLabel": "Tampering",
1935
+ "cwe": "CWE-367",
1936
+ "family": "toctou-file-existence-permission-check-b",
1937
+ "severity": "low",
1938
+ "file": "triage.js",
1939
+ "line": 20,
1940
+ "vuln": "TOCTOU: file existence/permission check before open",
1941
+ "finding_id": "toctou-fs:triage.js:20",
1942
+ "affectsAsset": null,
1943
+ "atEntity": null
1944
+ },
1945
+ {
1946
+ "stride": "T",
1947
+ "strideLabel": "Tampering",
1948
+ "cwe": "CWE-367",
1949
+ "family": "toctou-file-existence-permission-check-b",
1950
+ "severity": "low",
1951
+ "file": "validator-metrics.js",
1952
+ "line": 35,
1953
+ "vuln": "TOCTOU: file existence/permission check before open",
1954
+ "finding_id": "toctou-fs:validator-metrics.js:35",
1955
+ "affectsAsset": null,
1956
+ "atEntity": null
1957
+ },
1958
+ {
1959
+ "stride": "T",
1960
+ "strideLabel": "Tampering",
1961
+ "cwe": "CWE-367",
1962
+ "family": "toctou-file-existence-permission-check-b",
1963
+ "severity": "low",
1964
+ "file": "verifier-target.js",
1965
+ "line": 66,
1966
+ "vuln": "TOCTOU: file existence/permission check before open",
1967
+ "finding_id": "toctou-fs:verifier-target.js:66",
1968
+ "affectsAsset": null,
1969
+ "atEntity": null
1970
+ },
1971
+ {
1972
+ "stride": "I",
1973
+ "strideLabel": "Information Disclosure",
1974
+ "cwe": "CWE-918",
1975
+ "family": "ssrf",
1976
+ "severity": "low",
1977
+ "file": "verifier.js",
1978
+ "line": 55,
1979
+ "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
1980
+ "finding_id": "ssrf-meta-hardcoded:verifier.js:55",
1981
+ "affectsAsset": null,
1982
+ "atEntity": null
1983
+ },
1984
+ {
1985
+ "stride": "E",
1986
+ "strideLabel": "Elevation of Privilege",
1987
+ "cwe": "CWE-918",
1988
+ "family": "ssrf",
1989
+ "severity": "low",
1990
+ "file": "verifier.js",
1991
+ "line": 55,
1992
+ "vuln": "SSRF: explicit reference to cloud instance-metadata endpoint",
1993
+ "finding_id": "ssrf-meta-hardcoded:verifier.js:55",
1994
+ "affectsAsset": null,
1995
+ "atEntity": null
1996
+ },
1997
+ {
1998
+ "stride": "T",
1999
+ "strideLabel": "Tampering",
2000
+ "cwe": "CWE-367",
2001
+ "family": "toctou-file-existence-permission-check-b",
2002
+ "severity": "low",
2003
+ "file": "version.js",
2004
+ "line": 43,
2005
+ "vuln": "TOCTOU: file existence/permission check before open",
2006
+ "finding_id": "toctou-fs:version.js:43",
2007
+ "affectsAsset": null,
2008
+ "atEntity": null
2009
+ },
2010
+ {
2011
+ "stride": "T",
2012
+ "strideLabel": "Tampering",
2013
+ "cwe": "CWE-367",
2014
+ "family": "toctou-file-existence-permission-check-b",
2015
+ "severity": "low",
2016
+ "file": "waf-ingest.js",
2017
+ "line": 138,
2018
+ "vuln": "TOCTOU: file existence/permission check before open",
2019
+ "finding_id": "toctou-fs:waf-ingest.js:138",
2020
+ "affectsAsset": null,
2021
+ "atEntity": null
2022
+ },
2023
+ {
2024
+ "stride": "T",
2025
+ "strideLabel": "Tampering",
2026
+ "cwe": "CWE-367",
2027
+ "family": "toctou-file-existence-permission-check-b",
2028
+ "severity": "low",
2029
+ "file": "workflow-installer.js",
2030
+ "line": 24,
2031
+ "vuln": "TOCTOU: file existence/permission check before open",
2032
+ "finding_id": "toctou-fs:workflow-installer.js:24",
2033
+ "affectsAsset": null,
2034
+ "atEntity": null
2035
+ }
2036
+ ],
2037
+ "attackTrees": []
2038
+ }