nsauditor-ai 0.1.59 → 0.1.60

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/README.md +2 -1
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -19,7 +19,8 @@ NSAuditor AI is the open-source core of a privacy-first security intelligence pl
19
19
 
20
20
  For complete per-release history, see [CHANGELOG.md](./CHANGELOG.md). The Community Edition binary has been unchanged since 0.1.40; recent CE patches are documentation refreshes paired with Enterprise Edition (`@nsasoft/nsauditor-ai-ee`) ships.
21
21
 
22
- - **0.1.59 (current)** — Paired with EE 0.6.5: plugin 1200 v5 v4-reviewer-cleanup cycle R-NIT named-constants + targetVerificationReason sentinel observability + **sessionToken cross-plugin sweep** (18 plugins; unblocks AssumeRole-style auditor credentials across the EE catalog) + **dead-target companion-LOW** (per-target liveness probes for Lambda / SNS / SQS; emits LOW alongside PASS when targets point to deleted resources). 5 R1 reviewer folds incl. case-insensitive NotFound + Lambda full-ARN + one-retry on eventual-consistency + parallel probes + SQS partition-aware via `GetQueueUrl`.
22
+ - **0.1.60 (current)** — Paired with EE 0.6.6: minor cycle — **EE-RT.16 v3 plugin 1170 SG→SG transitive chain reachability** (closes false-CLEAN class on multi-hop SG exposure: BFS from public-CIDR roots through `UserIdGroupPairs` chains with cycle defense + depth cap + per-target chain cap; 2-hop emits **HIGH**, 3+ hop emits **CRITICAL** per operator-blindness principle; cross-VPC edges skipped as INFO trailer) **+ EE-RT.20.5 v6 plugin 1200 dead-target probe warm-up** (closes 0.6.5-reviewer-deferred long-tail: IAM role `iam:GetRole` + EventBridge API destination `events:DescribeApiDestination` + CloudWatch Logs `logs:DescribeLogGroups` with exact-name disambiguation; new SDK deps `@aws-sdk/client-iam` + `@aws-sdk/client-cloudwatch-logs`). 5 R1 reviewer folds: R-HIGH-1 BFS no-enqueue-past-cap (closes path-enumeration explosion on hub-and-spoke topologies) + R-MEDIUM-1 IAM `NoSuchEntityException` lifted into `_DEAD_TARGET_NOTFOUND_ERROR_NAMES` Set (restores eventual-consistency retry for IAM — the canonical worst case) + R-MEDIUM-2 IAM partition-routing contract documented + R-LOW-2 depth-cap-hit surfaced separately from per-target-cap + R-LOW-2 API destination ARN regex future-proofed. 3 new soc2.json mappings under CC6.6.
23
+ - **0.1.59** — Paired with EE 0.6.5: plugin 1200 v5 v4-reviewer-cleanup cycle — R-NIT named-constants + targetVerificationReason sentinel observability + **sessionToken cross-plugin sweep** (18 plugins; unblocks AssumeRole-style auditor credentials across the EE catalog) + **dead-target companion-LOW** (per-target liveness probes for Lambda / SNS / SQS; emits LOW alongside PASS when targets point to deleted resources). 5 R1 reviewer folds incl. case-insensitive NotFound + Lambda full-ARN + one-retry on eventual-consistency + parallel probes + SQS partition-aware via `GetQueueUrl`.
23
24
  - **0.1.58** — Paired with EE 0.6.4: plugin 1200 v4 reviewer-cleanup — EventBridge target verification (closes substrate-without-sink false-PASS at the RULE level via `events:ListTargetsByRule`; sink-less rule → MEDIUM TARGETLESS), multi-failedAccount surface (delegated-admin Inspector2 scans now emit per-account LOWs with per-region cap + rollup), trigger uniformity (GD/Inspector2 alerting gates symmetrized on enabled-status). 5 R1 reviewer folds incl. R-HIGH-1 cap-skew classifier closure.
24
25
  - **0.1.57** — Paired with EE 0.6.3: plugin 1200 v3 alerting-destination dim — closes the substrate-without-sink false-PASS class for GuardDuty / Inspector2 (no EventBridge rule + no SecurityHub integration = HIGH). SH-only path emits MEDIUM (aggregation-only). R-CRITICAL Inspector Classic ARN-collision closure + EventBridge content-filter grammar (`{prefix}` / `{wildcard}`).
25
26
  - **0.1.56** — Paired with EE 0.6.2: plugin 1200 v2 evidence-acquisition extension — multi-region GuardDuty + Inspector2 enumeration (closes the single-region false-PASS class), GovCloud + ISO region support (closes a FedRAMP / StateRAMP / IL5+ false-PASS class), GuardDuty `FindingPublishingFrequency` check, Inspector2 baseline expansion (lambdaCode + codeRepository for Inspector2 GA 2024+).
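Review bot: The added 0.1.60 entry uses the label R-LOW-2 twice in its list of "5 R1 reviewer folds" ("R-LOW-2 depth-cap-hit surfaced separately from per-target-cap" and "R-LOW-2 API destination ARN regex future-proofed"), so one of the two is probably mislabeled and a reader cannot match both items to the review record. Renumber one of them, and check that the count of five still holds afterwards. Separately, the entry moves "(current)" from 0.1.59 to 0.1.60 correctly, but at this length the line is hard to scan in a README that already points to CHANGELOG.md for per-release history; consider keeping the two headline items (plugin 1170 SG→SG transitive chain reachability, plugin 1200 dead-target probe warm-up) here and leaving the fold-by-fold detail in the changelog.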
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "nsauditor-ai",
3
- "version": "0.1.59",
3
+ "version": "0.1.60",
4
4
  "description": "Modular AI-assisted network security audit platform — Community Edition",
5
5
  "type": "module",
6
6
  "private": false,
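Review bot: The version change on line 3 is the only edit to package.json (+1 -1), so the `@aws-sdk/client-iam` and `@aws-sdk/client-cloudwatch-logs` packages that the 0.1.60 README entry describes as "new SDK deps" are not added to this package's manifest. That matches the README statement that recent Community Edition patches are documentation refreshes paired with Enterprise Edition ships, but the README entry does not say which package gains the dependencies. State in that entry that the new deps apply to `@nsasoft/nsauditor-ai-ee`, so a consumer auditing this package's dependency tree does not go looking for them here.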