@zerothreatai/vulnerability-registry 1.0.0 → 3.0.0

@@ -53,6 +53,90 @@ exports.CONFIG_VULNERABILITIES = {
53
53
  ],
54
54
  remediation: 'Add Strict-Transport-Security header with max-age of at least 31536000 (1 year). Include includeSubDomains directive. Consider HSTS preloading for maximum protection.',
55
55
  },
56
+ [error_codes_js_1.VulnerabilityCode.HEADER_HSTS_BAD_MAX_AGE]: {
57
+ id: 1011,
58
+ code: error_codes_js_1.VulnerabilityCode.HEADER_HSTS_BAD_MAX_AGE,
59
+ title: 'HSTS Misconfiguration - Invalid Max-Age',
60
+ description: 'The Strict-Transport-Security header uses an invalid or malformed max-age value, preventing reliable HTTPS enforcement.',
61
+ severity: 'medium',
62
+ category: 'configuration',
63
+ scanner: 'security-headers',
64
+ cvss: {
65
+ score: 5.3,
66
+ vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N',
67
+ severity: 'MEDIUM',
68
+ },
69
+ cwe: [
70
+ { id: 'CWE-319', name: 'Cleartext Transmission', url: 'https://cwe.mitre.org/data/definitions/319.html' },
71
+ ],
72
+ owasp: [
73
+ { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
74
+ ],
75
+ remediation: 'Set a valid numeric max-age on Strict-Transport-Security (at least 31536000).',
76
+ },
77
+ [error_codes_js_1.VulnerabilityCode.HEADER_HSTS_SHORT_MAX_AGE]: {
78
+ id: 1012,
79
+ code: error_codes_js_1.VulnerabilityCode.HEADER_HSTS_SHORT_MAX_AGE,
80
+ title: 'HSTS Misconfiguration - Max-Age Too Short',
81
+ description: 'The Strict-Transport-Security header uses a short max-age value that weakens HTTPS enforcement and allows downgrade risk to return quickly.',
82
+ severity: 'medium',
83
+ category: 'configuration',
84
+ scanner: 'security-headers',
85
+ cvss: {
86
+ score: 5.3,
87
+ vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N',
88
+ severity: 'MEDIUM',
89
+ },
90
+ cwe: [
91
+ { id: 'CWE-319', name: 'Cleartext Transmission', url: 'https://cwe.mitre.org/data/definitions/319.html' },
92
+ ],
93
+ owasp: [
94
+ { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
95
+ ],
96
+ remediation: 'Increase max-age to at least 31536000 (1 year) to provide durable HTTPS enforcement.',
97
+ },
98
+ [error_codes_js_1.VulnerabilityCode.HEADER_HSTS_NO_INCLUDESUBDOMAINS]: {
99
+ id: 1013,
100
+ code: error_codes_js_1.VulnerabilityCode.HEADER_HSTS_NO_INCLUDESUBDOMAINS,
101
+ title: 'HSTS Misconfiguration - Missing includeSubDomains',
102
+ description: 'The Strict-Transport-Security header is missing includeSubDomains, leaving subdomains unprotected from downgrade and stripping attacks.',
103
+ severity: 'medium',
104
+ category: 'configuration',
105
+ scanner: 'security-headers',
106
+ cvss: {
107
+ score: 5.3,
108
+ vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N',
109
+ severity: 'MEDIUM',
110
+ },
111
+ cwe: [
112
+ { id: 'CWE-319', name: 'Cleartext Transmission', url: 'https://cwe.mitre.org/data/definitions/319.html' },
113
+ ],
114
+ owasp: [
115
+ { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
116
+ ],
117
+ remediation: 'Add includeSubDomains to the HSTS header to protect all subdomains.',
118
+ },
119
+ [error_codes_js_1.VulnerabilityCode.HEADER_HSTS_PRELOAD_LOW_MAX_AGE]: {
120
+ id: 1018,
121
+ code: error_codes_js_1.VulnerabilityCode.HEADER_HSTS_PRELOAD_LOW_MAX_AGE,
122
+ title: 'HSTS Preload Requirements Not Met',
123
+ description: 'The HSTS header indicates preload intent but does not meet preload requirements, such as a sufficiently long max-age or includeSubDomains, reducing preload effectiveness.',
124
+ severity: 'medium',
125
+ category: 'configuration',
126
+ scanner: 'security-headers',
127
+ cvss: {
128
+ score: 5.3,
129
+ vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N',
130
+ severity: 'MEDIUM',
131
+ },
132
+ cwe: [
133
+ { id: 'CWE-319', name: 'Cleartext Transmission', url: 'https://cwe.mitre.org/data/definitions/319.html' },
134
+ ],
135
+ owasp: [
136
+ { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
137
+ ],
138
+ remediation: 'Ensure HSTS max-age is at least 31536000, include includeSubDomains, and add preload before submitting to the preload list.',
139
+ },
56
140
  [error_codes_js_1.VulnerabilityCode.HEADER_MISSING_XFRAME]: {
57
141
  id: 71,
58
142
  code: error_codes_js_1.VulnerabilityCode.HEADER_MISSING_XFRAME,
@@ -95,6 +179,174 @@ exports.CONFIG_VULNERABILITIES = {
95
179
  ],
96
180
  remediation: 'Remove unsafe-inline and unsafe-eval directives. Use nonce-based or hash-based CSP for inline scripts. Restrict source allowlists to specific trusted domains rather than wildcards.',
97
181
  },
182
+ [error_codes_js_1.VulnerabilityCode.HEADER_CSP_REPORT_ONLY]: {
183
+ id: 1001,
184
+ code: error_codes_js_1.VulnerabilityCode.HEADER_CSP_REPORT_ONLY,
185
+ title: 'Content-Security-Policy Report-Only Enabled',
186
+ description: 'The Content-Security-Policy header is deployed in report-only mode, which does not enforce protections and allows unsafe content to execute while only logging violations.',
187
+ severity: 'medium',
188
+ category: 'configuration',
189
+ scanner: 'security-headers',
190
+ cvss: {
191
+ score: 5.3,
192
+ vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
193
+ severity: 'MEDIUM',
194
+ },
195
+ cwe: [
196
+ { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
197
+ ],
198
+ owasp: [
199
+ { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
200
+ ],
201
+ remediation: 'Switch to enforcing Content-Security-Policy once violations are reviewed. Use report-only during rollout, then enforce with strict directives.',
202
+ },
203
+ [error_codes_js_1.VulnerabilityCode.HEADER_CSP_WEAK_DIRECTIVES]: {
204
+ id: 1002,
205
+ code: error_codes_js_1.VulnerabilityCode.HEADER_CSP_WEAK_DIRECTIVES,
206
+ title: 'Content-Security-Policy Contains Unsafe Directives',
207
+ description: 'The Content-Security-Policy header includes unsafe directives such as unsafe-inline or unsafe-eval that reduce XSS protection and allow risky script execution paths.',
208
+ severity: 'medium',
209
+ category: 'configuration',
210
+ scanner: 'security-headers',
211
+ cvss: {
212
+ score: 5.3,
213
+ vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
214
+ severity: 'MEDIUM',
215
+ },
216
+ cwe: [
217
+ { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
218
+ ],
219
+ owasp: [
220
+ { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
221
+ ],
222
+ remediation: 'Remove unsafe-inline and unsafe-eval directives. Replace inline scripts with nonces or hashes and restrict sources to trusted domains.',
223
+ },
224
+ [error_codes_js_1.VulnerabilityCode.HEADER_CSP_DATA_URI_SCRIPT]: {
225
+ id: 1003,
226
+ code: error_codes_js_1.VulnerabilityCode.HEADER_CSP_DATA_URI_SCRIPT,
227
+ title: 'Content-Security-Policy Allows data: in script-src',
228
+ description: 'The CSP allows data: URIs for script execution, which can enable script injection through crafted data URLs and weaken XSS protections.',
229
+ severity: 'medium',
230
+ category: 'configuration',
231
+ scanner: 'security-headers',
232
+ cvss: {
233
+ score: 5.3,
234
+ vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
235
+ severity: 'MEDIUM',
236
+ },
237
+ cwe: [
238
+ { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
239
+ ],
240
+ owasp: [
241
+ { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
242
+ ],
243
+ remediation: 'Remove data: from script-src. Use nonce or hash-based CSP for any required inline scripts.',
244
+ },
245
+ [error_codes_js_1.VulnerabilityCode.HEADER_CSP_BLOB_URI_SCRIPT]: {
246
+ id: 1004,
247
+ code: error_codes_js_1.VulnerabilityCode.HEADER_CSP_BLOB_URI_SCRIPT,
248
+ title: 'Content-Security-Policy Allows blob: in script-src',
249
+ description: 'The CSP allows blob: URIs for script execution, which can be abused to load attacker-controlled scripts in some contexts and weaken XSS mitigations.',
250
+ severity: 'medium',
251
+ category: 'configuration',
252
+ scanner: 'security-headers',
253
+ cvss: {
254
+ score: 5.3,
255
+ vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
256
+ severity: 'MEDIUM',
257
+ },
258
+ cwe: [
259
+ { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
260
+ ],
261
+ owasp: [
262
+ { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
263
+ ],
264
+ remediation: 'Remove blob: from script-src unless strictly required. Use a narrower allowlist or nonces for trusted scripts.',
265
+ },
266
+ [error_codes_js_1.VulnerabilityCode.HEADER_CSP_WILDCARD_DEFAULT]: {
267
+ id: 1005,
268
+ code: error_codes_js_1.VulnerabilityCode.HEADER_CSP_WILDCARD_DEFAULT,
269
+ title: 'Content-Security-Policy default-src Uses Wildcard',
270
+ description: 'The CSP default-src directive allows all origins, which effectively disables the protection and allows untrusted content to load.',
271
+ severity: 'medium',
272
+ category: 'configuration',
273
+ scanner: 'security-headers',
274
+ cvss: {
275
+ score: 5.3,
276
+ vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
277
+ severity: 'MEDIUM',
278
+ },
279
+ cwe: [
280
+ { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
281
+ ],
282
+ owasp: [
283
+ { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
284
+ ],
285
+ remediation: 'Replace wildcard default-src with explicit trusted origins and tighten resource-specific directives.',
286
+ },
287
+ [error_codes_js_1.VulnerabilityCode.HEADER_CSP_NO_BASE_URI]: {
288
+ id: 1006,
289
+ code: error_codes_js_1.VulnerabilityCode.HEADER_CSP_NO_BASE_URI,
290
+ title: 'Content-Security-Policy Missing base-uri Directive',
291
+ description: 'The CSP does not include a base-uri directive, allowing the base URL to be set by injected markup and enabling abuse of relative URL resolution.',
292
+ severity: 'medium',
293
+ category: 'configuration',
294
+ scanner: 'security-headers',
295
+ cvss: {
296
+ score: 5.3,
297
+ vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
298
+ severity: 'MEDIUM',
299
+ },
300
+ cwe: [
301
+ { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
302
+ ],
303
+ owasp: [
304
+ { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
305
+ ],
306
+ remediation: 'Add base-uri \'self\' (or a strict allowlist) to CSP to prevent base tag abuse.',
307
+ },
308
+ [error_codes_js_1.VulnerabilityCode.HEADER_CSP_NO_OBJECT_SRC]: {
309
+ id: 1007,
310
+ code: error_codes_js_1.VulnerabilityCode.HEADER_CSP_NO_OBJECT_SRC,
311
+ title: 'Content-Security-Policy Missing object-src Directive',
312
+ description: 'The CSP does not include an object-src directive, allowing embedded objects to load from arbitrary origins and weakening defense-in-depth against plugin-based risks.',
313
+ severity: 'medium',
314
+ category: 'configuration',
315
+ scanner: 'security-headers',
316
+ cvss: {
317
+ score: 5.3,
318
+ vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
319
+ severity: 'MEDIUM',
320
+ },
321
+ cwe: [
322
+ { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
323
+ ],
324
+ owasp: [
325
+ { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
326
+ ],
327
+ remediation: 'Add object-src \'none\' (or a strict allowlist) to CSP to prevent plugin content loading.',
328
+ },
329
+ [error_codes_js_1.VulnerabilityCode.HEADER_CSP_NO_FRAME_ANCESTORS]: {
330
+ id: 1008,
331
+ code: error_codes_js_1.VulnerabilityCode.HEADER_CSP_NO_FRAME_ANCESTORS,
332
+ title: 'Content-Security-Policy Missing frame-ancestors Directive',
333
+ description: 'The CSP does not include a frame-ancestors directive, leaving pages potentially frameable and vulnerable to clickjacking attacks.',
334
+ severity: 'medium',
335
+ category: 'configuration',
336
+ scanner: 'security-headers',
337
+ cvss: {
338
+ score: 4.7,
339
+ vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N',
340
+ severity: 'MEDIUM',
341
+ },
342
+ cwe: [
343
+ { id: 'CWE-1021', name: 'Improper Restriction of Rendered UI Layers', url: 'https://cwe.mitre.org/data/definitions/1021.html' },
344
+ ],
345
+ owasp: [
346
+ { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
347
+ ],
348
+ remediation: 'Add frame-ancestors \'none\' or a strict allowlist to CSP to prevent clickjacking.',
349
+ },
98
350
  [error_codes_js_1.VulnerabilityCode.HEADER_CORS_MISCONFIGURED]: {
99
351
  id: 73,
100
352
  code: error_codes_js_1.VulnerabilityCode.HEADER_CORS_MISCONFIGURED,
@@ -116,6 +368,90 @@ exports.CONFIG_VULNERABILITIES = {
116
368
  ],
117
369
  remediation: 'Implement strict Origin validation with allowlist of trusted domains. Never reflect Origin header without validation. Do not use wildcard with Access-Control-Allow-Credentials.',
118
370
  },
371
+ [error_codes_js_1.VulnerabilityCode.HEADER_CORS_STAR_WITH_CREDENTIALS]: {
372
+ id: 1014,
373
+ code: error_codes_js_1.VulnerabilityCode.HEADER_CORS_STAR_WITH_CREDENTIALS,
374
+ title: 'CORS Wildcard With Credentials',
375
+ description: 'Access-Control-Allow-Origin is set to * while Access-Control-Allow-Credentials is enabled, which browsers block but signals a dangerous CORS policy that can be misapplied in some environments.',
376
+ severity: 'high',
377
+ category: 'configuration',
378
+ scanner: 'security-headers',
379
+ cvss: {
380
+ score: 7.5,
381
+ vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N',
382
+ severity: 'HIGH',
383
+ },
384
+ cwe: [
385
+ { id: 'CWE-942', name: 'Permissive CORS Policy', url: 'https://cwe.mitre.org/data/definitions/942.html' },
386
+ ],
387
+ owasp: [
388
+ { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
389
+ ],
390
+ remediation: 'Never use wildcard origins with credentials. Replace * with an explicit allowlist and set Vary: Origin.',
391
+ },
392
+ [error_codes_js_1.VulnerabilityCode.HEADER_CORS_ORIGIN_REFLECT_NO_VARY]: {
393
+ id: 1015,
394
+ code: error_codes_js_1.VulnerabilityCode.HEADER_CORS_ORIGIN_REFLECT_NO_VARY,
395
+ title: 'CORS Origin Reflection Without Vary',
396
+ description: 'The Origin header is reflected in Access-Control-Allow-Origin without Vary: Origin, which can lead to cache poisoning and unintended cross-origin access.',
397
+ severity: 'high',
398
+ category: 'configuration',
399
+ scanner: 'security-headers',
400
+ cvss: {
401
+ score: 7.5,
402
+ vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N',
403
+ severity: 'HIGH',
404
+ },
405
+ cwe: [
406
+ { id: 'CWE-942', name: 'Permissive CORS Policy', url: 'https://cwe.mitre.org/data/definitions/942.html' },
407
+ ],
408
+ owasp: [
409
+ { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
410
+ ],
411
+ remediation: 'Validate origins against an allowlist and always include Vary: Origin when dynamically setting Access-Control-Allow-Origin.',
412
+ },
413
+ [error_codes_js_1.VulnerabilityCode.HEADER_CORS_NULL_ORIGIN]: {
414
+ id: 1016,
415
+ code: error_codes_js_1.VulnerabilityCode.HEADER_CORS_NULL_ORIGIN,
416
+ title: 'CORS Allows Null Origin',
417
+ description: 'Access-Control-Allow-Origin allows the null origin, enabling requests from opaque origins such as sandboxed iframes and file URLs that can be abused to access sensitive data.',
418
+ severity: 'high',
419
+ category: 'configuration',
420
+ scanner: 'security-headers',
421
+ cvss: {
422
+ score: 7.5,
423
+ vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N',
424
+ severity: 'HIGH',
425
+ },
426
+ cwe: [
427
+ { id: 'CWE-942', name: 'Permissive CORS Policy', url: 'https://cwe.mitre.org/data/definitions/942.html' },
428
+ ],
429
+ owasp: [
430
+ { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
431
+ ],
432
+ remediation: 'Remove null from allowed origins. Restrict CORS to explicit trusted domains only.',
433
+ },
434
+ [error_codes_js_1.VulnerabilityCode.HEADER_CORS_WILDCARD_SUBDOMAIN]: {
435
+ id: 1017,
436
+ code: error_codes_js_1.VulnerabilityCode.HEADER_CORS_WILDCARD_SUBDOMAIN,
437
+ title: 'CORS Allows Wildcard Subdomains',
438
+ description: 'CORS policies allow wildcard subdomains that can be abused if any subdomain is compromised or can be controlled by untrusted parties.',
439
+ severity: 'high',
440
+ category: 'configuration',
441
+ scanner: 'security-headers',
442
+ cvss: {
443
+ score: 7.5,
444
+ vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N',
445
+ severity: 'HIGH',
446
+ },
447
+ cwe: [
448
+ { id: 'CWE-942', name: 'Permissive CORS Policy', url: 'https://cwe.mitre.org/data/definitions/942.html' },
449
+ ],
450
+ owasp: [
451
+ { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
452
+ ],
453
+ remediation: 'Replace wildcard subdomains with a strict allowlist of trusted origins.',
454
+ },
119
455
  // ========================================
120
456
  // DIRECTORY BROWSING
121
457
  // ========================================
@@ -356,6 +692,27 @@ exports.CONFIG_VULNERABILITIES = {
356
692
  ],
357
693
  remediation: 'Add X-Content-Type-Options: nosniff header to all responses. Ensure correct Content-Type headers are set for all resources. Validate file types before serving user uploads.',
358
694
  },
695
+ [error_codes_js_1.VulnerabilityCode.HEADER_XCONTENT_TYPE_INVALID]: {
696
+ id: 1009,
697
+ code: error_codes_js_1.VulnerabilityCode.HEADER_XCONTENT_TYPE_INVALID,
698
+ title: 'Invalid Security Header - X-Content-Type-Options',
699
+ description: 'The X-Content-Type-Options header is present but misconfigured (not set to nosniff), which can allow MIME sniffing and reduce protection against content-type confusion.',
700
+ severity: 'low',
701
+ category: 'configuration',
702
+ scanner: 'security-headers',
703
+ cvss: {
704
+ score: 3.7,
705
+ vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N',
706
+ severity: 'LOW',
707
+ },
708
+ cwe: [
709
+ { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
710
+ ],
711
+ owasp: [
712
+ { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
713
+ ],
714
+ remediation: 'Set X-Content-Type-Options to nosniff on all responses to prevent MIME sniffing.',
715
+ },
359
716
  [error_codes_js_1.VulnerabilityCode.HEADER_MISSING_REFERRER_POLICY]: {
360
717
  id: 85,
361
718
  code: error_codes_js_1.VulnerabilityCode.HEADER_MISSING_REFERRER_POLICY,
@@ -377,6 +734,27 @@ exports.CONFIG_VULNERABILITIES = {
377
734
  ],
378
735
  remediation: 'Implement Referrer-Policy header with strict-origin-when-cross-origin or no-referrer policy. Avoid passing sensitive data in URLs. Use POST requests for sensitive operations.',
379
736
  },
737
+ [error_codes_js_1.VulnerabilityCode.HEADER_REFERRER_POLICY_UNSAFE]: {
738
+ id: 1010,
739
+ code: error_codes_js_1.VulnerabilityCode.HEADER_REFERRER_POLICY_UNSAFE,
740
+ title: 'Unsafe Referrer-Policy Configuration',
741
+ description: 'The Referrer-Policy header is set to a permissive value that can leak full URLs and sensitive query parameters to external origins.',
742
+ severity: 'low',
743
+ category: 'configuration',
744
+ scanner: 'security-headers',
745
+ cvss: {
746
+ score: 3.1,
747
+ vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N',
748
+ severity: 'LOW',
749
+ },
750
+ cwe: [
751
+ { id: 'CWE-200', name: 'Information Exposure', url: 'https://cwe.mitre.org/data/definitions/200.html' },
752
+ ],
753
+ owasp: [
754
+ { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
755
+ ],
756
+ remediation: 'Use strict-origin-when-cross-origin or no-referrer to minimize leakage of sensitive URL data.',
757
+ },
380
758
  [error_codes_js_1.VulnerabilityCode.HEADER_MISSING_PERMISSIONS_POLICY]: {
381
759
  id: 86,
382
760
  code: error_codes_js_1.VulnerabilityCode.HEADER_MISSING_PERMISSIONS_POLICY,
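Review bot: The four HSTS entries in the first hunk (ids 1011, 1012, 1013 and 1018) pair `score: 5.3` with `vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'`, but that vector evaluates to 5.9 under the CVSS 3.1 base formula; 5.3 is the score of the `AC:L ... C:L` vector the CSP entries in the second hunk use, so one of the two fields looks copied from the wrong template. Either correct the number (`score: 5.9,`) or change the vector to one that yields 5.3, and consider a registry-wide unit test that recomputes each entry's base score from its vector string so score/vector drift is caught in CI. Separately, `HEADER_CSP_WEAK_DIRECTIVES` (id 1002) overlaps the pre-existing `HEADER_WEAK_CSP` entry whose remediation text is visible as context at the top of the second hunk; if both codes can fire on the same header a scanner will report one finding twice, so a comment stating which code is canonical (or that one is deprecated) would help consumers. The enclosing `exports.CONFIG_VULNERABILITIES` object starts and ends outside these hunks.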
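--- a/[path not shown: VulnerabilityCode enum file]
+++ b/[path not shown: VulnerabilityCode enum file]
@@ -124,13 +124,31 @@ var VulnerabilityCode;
 VulnerabilityCode["HEADER_MISSING_REFERRER_POLICY"] = "HEADER_MISSING_REFERRER_POLICY";
 VulnerabilityCode["HEADER_MISSING_PERMISSIONS_POLICY"] = "HEADER_MISSING_PERMISSIONS_POLICY";
 VulnerabilityCode["HEADER_WEAK_CSP"] = "HEADER_WEAK_CSP";
+VulnerabilityCode["HEADER_CSP_REPORT_ONLY"] = "HEADER_CSP_REPORT_ONLY";
+VulnerabilityCode["HEADER_CSP_WEAK_DIRECTIVES"] = "HEADER_CSP_WEAK_DIRECTIVES";
+VulnerabilityCode["HEADER_CSP_DATA_URI_SCRIPT"] = "HEADER_CSP_DATA_URI_SCRIPT";
+VulnerabilityCode["HEADER_CSP_BLOB_URI_SCRIPT"] = "HEADER_CSP_BLOB_URI_SCRIPT";
+VulnerabilityCode["HEADER_CSP_WILDCARD_DEFAULT"] = "HEADER_CSP_WILDCARD_DEFAULT";
+VulnerabilityCode["HEADER_CSP_NO_BASE_URI"] = "HEADER_CSP_NO_BASE_URI";
+VulnerabilityCode["HEADER_CSP_NO_OBJECT_SRC"] = "HEADER_CSP_NO_OBJECT_SRC";
+VulnerabilityCode["HEADER_CSP_NO_FRAME_ANCESTORS"] = "HEADER_CSP_NO_FRAME_ANCESTORS";
 VulnerabilityCode["HEADER_CORS_MISCONFIGURED"] = "HEADER_CORS_MISCONFIGURED";
+VulnerabilityCode["HEADER_CORS_STAR_WITH_CREDENTIALS"] = "HEADER_CORS_STAR_WITH_CREDENTIALS";
+VulnerabilityCode["HEADER_CORS_ORIGIN_REFLECT_NO_VARY"] = "HEADER_CORS_ORIGIN_REFLECT_NO_VARY";
+VulnerabilityCode["HEADER_CORS_NULL_ORIGIN"] = "HEADER_CORS_NULL_ORIGIN";
+VulnerabilityCode["HEADER_CORS_WILDCARD_SUBDOMAIN"] = "HEADER_CORS_WILDCARD_SUBDOMAIN";
 VulnerabilityCode["HEADER_COEP_WITHOUT_COOP"] = "HEADER_COEP_WITHOUT_COOP";
 VulnerabilityCode["HEADER_CORP_UNUSUAL"] = "HEADER_CORP_UNUSUAL";
 VulnerabilityCode["HEADER_EXPECT_CT_PRESENT"] = "HEADER_EXPECT_CT_PRESENT";
 VulnerabilityCode["HEADER_SERVER_HEADER_PRESENT"] = "HEADER_SERVER_HEADER_PRESENT";
 VulnerabilityCode["HEADER_X_POWERED_BY_PRESENT"] = "HEADER_X_POWERED_BY_PRESENT";
 VulnerabilityCode["HEADER_X_XSS_PROTECTION_ENABLED"] = "HEADER_X_XSS_PROTECTION_ENABLED";
+VulnerabilityCode["HEADER_XCONTENT_TYPE_INVALID"] = "HEADER_XCONTENT_TYPE_INVALID";
+VulnerabilityCode["HEADER_REFERRER_POLICY_UNSAFE"] = "HEADER_REFERRER_POLICY_UNSAFE";
+VulnerabilityCode["HEADER_HSTS_BAD_MAX_AGE"] = "HEADER_HSTS_BAD_MAX_AGE";
+VulnerabilityCode["HEADER_HSTS_SHORT_MAX_AGE"] = "HEADER_HSTS_SHORT_MAX_AGE";
+VulnerabilityCode["HEADER_HSTS_NO_INCLUDESUBDOMAINS"] = "HEADER_HSTS_NO_INCLUDESUBDOMAINS";
+VulnerabilityCode["HEADER_HSTS_PRELOAD_LOW_MAX_AGE"] = "HEADER_HSTS_PRELOAD_LOW_MAX_AGE";
 VulnerabilityCode["COOKIE_SAMESITE_NONE_WITHOUT_SECURE"] = "COOKIE_SAMESITE_NONE_WITHOUT_SECURE";
 VulnerabilityCode["COOKIE_SESSION_MISSING_SECURE"] = "COOKIE_SESSION_MISSING_SECURE";
 VulnerabilityCode["COOKIE_MISSING_SECURE"] = "COOKIE_MISSING_SECURE";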
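--- a/package/dist-cjs/package.json
+++ b/package/dist-cjs/package.json
@@ -0,0 +1,3 @@
+{
+"type": "commonjs"
+}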
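--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@zerothreatai/vulnerability-registry",
-"version": "1.0.0",
+"version": "3.0.0",
 "description": "Centralized vulnerability definitions, CVSS scores, and references for ZeroThreat scanners",
 "main": "dist/index.js",
 "types": "dist/index.d.ts",
@@ -9,6 +9,8 @@
 "build:esm": "tsc -p tsconfig.json",
 "build:cjs": "tsc -p tsconfig.cjs.json",
 "build": "npm run build:esm && npm run build:cjs",
+"postbuild": "node scripts/write-cjs-package.cjs",
+"prepack": "npm run build",
 "test": "vitest run"
 },
 "exports": {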
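--- a/package/scripts/write-cjs-package.cjs
+++ b/package/scripts/write-cjs-package.cjs
@@ -0,0 +1,12 @@
+const fs = require("fs");
+const path = require("path");
+
+const distCjsDir = path.join(__dirname, "..", "dist-cjs");
+fs.mkdirSync(distCjsDir, { recursive: true });
+
+const packageJsonPath = path.join(distCjsDir, "package.json");
+const packageJson = {
+type: "commonjs",
+};
+
+fs.writeFileSync(packageJsonPath, JSON.stringify(packageJson, null, 2) + "\n");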
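Review bot: The script carries no comment explaining why `dist-cjs/package.json` has to exist, and the `dist-cjs` directory name is hard-coded here while the real output directory is decided by `tsconfig.cjs.json` (not shown), so the two can drift without any error. A header such as `// Emits dist-cjs/package.json ({"type":"commonjs"}) so the CJS build is loaded as CommonJS; presumably needed because the root package is ESM — confirm. Keep "dist-cjs" in sync with the outDir in tsconfig.cjs.json.` would record that intent. Since this is a `.cjs` file, opening with `"use strict";` and using the `node:fs` / `node:path` specifiers would match current Node conventions. The script takes no input and writes fixed content, so there is nothing further to validate.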