codejury 0.10.3__tar.gz → 0.10.4__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- {codejury-0.10.3 → codejury-0.10.4}/PKG-INFO +2 -2
- {codejury-0.10.3 → codejury-0.10.4}/README.md +1 -1
- codejury-0.10.4/codejury/data/capabilities/model_supply_chain.yaml +59 -0
- codejury-0.10.4/codejury/data/golden/sc_pinned_safe.yaml +11 -0
- codejury-0.10.4/codejury/data/golden/sc_safetensors_safe.yaml +12 -0
- codejury-0.10.4/codejury/data/golden/sc_torch_load_vuln.yaml +11 -0
- codejury-0.10.4/codejury/data/golden/sc_trust_remote_code_vuln.yaml +11 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury.egg-info/PKG-INFO +2 -2
- {codejury-0.10.3 → codejury-0.10.4}/codejury.egg-info/SOURCES.txt +5 -0
- {codejury-0.10.3 → codejury-0.10.4}/pyproject.toml +1 -1
- {codejury-0.10.3 → codejury-0.10.4}/LICENSE +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/__init__.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/agents/__init__.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/agents/base.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/agents/debate.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/agents/mock.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/agents/parsing.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/agents/refuter.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/agents/verifier.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/analysis/__init__.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/analysis/provenance.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/analysis/taint.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/assembly.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/baseline.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/cli.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/capabilities/authentication.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/capabilities/authorization.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/capabilities/business_logic.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/capabilities/crypto.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/capabilities/data_protection.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/capabilities/dependency_config.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/capabilities/error_logging.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/capabilities/excessive_agency.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/capabilities/input_validation.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/capabilities/insecure_output_handling.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/capabilities/output_encoding.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/capabilities/prompt_injection.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/capabilities/secrets.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/capabilities/session.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/ag_allowlist_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/ag_arbitrary_tool_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/ag_destructive_no_confirm_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/ag_fixed_enum_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/ag_human_approval_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/ag_model_confirmed_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/authn_bcrypt_password.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/authn_jwt_noverify_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/authn_jwt_verified_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/authn_sha256_checksum_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/authn_sha256_password.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/authn_weak_hash_indirect_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/authz_idor_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/authz_owner_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/business_logic_price_tamper_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/business_logic_server_checked_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/cmdi_fixed_argv_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/cmdi_ossystem_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/cmdi_subprocess_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/crypto_aesgcm_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/crypto_ecb_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/data_protection_plaintext_pii_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/data_protection_tokenized_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/dependency_config_tls_verify_off_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/dependency_config_tls_verify_on_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/deserialize_json_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/deserialize_pickle_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/error_logging_redacted_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/error_logging_secret_leak_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/ioh_escaped_output_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/ioh_exec_output_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/ioh_innerhtml_output_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/ioh_json_response_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/ioh_output_to_sql_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/ioh_schema_validated_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/literal_eval_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/path_basename_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/path_contained_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/path_traversal_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/pi_delimited_data_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/pi_format_role_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/pi_indirect_rag_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/pi_system_concat_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/pi_user_content_concat_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/pi_user_role_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/secrets_env_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/secrets_hardcoded_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/session_fixation_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/session_secure_cookie_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/sql_constant_concat_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/sqli_format_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/sqli_fstring_query.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/sqli_indirect_var_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/sqli_parameterized_query.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/ssrf_allowlist_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/ssrf_constant_url_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/ssrf_substring_allowlist_bypass_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/ssrf_user_url_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/xfile_idor_no_check_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/xfile_idor_owner_checked_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/xfile_path_sanitized_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/xfile_path_tainted_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/xss_innerhtml_constant_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/xss_innerhtml_vuln.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/xss_textcontent_safe.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/suppressions.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/taint.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/tasks/audit_diff_debate.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/data/tasks/quick_scan_single.yaml +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/domain/__init__.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/domain/artifact.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/domain/capability.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/domain/context.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/domain/observation.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/domain/result.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/evaluation.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/infrastructure/__init__.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/infrastructure/cache.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/infrastructure/json_parse.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/integrations/__init__.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/integrations/github.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/orchestrators/__init__.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/orchestrators/adaptive.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/orchestrators/base.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/orchestrators/challenge.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/orchestrators/debate.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/orchestrators/pipeline.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/orchestrators/reflexion.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/orchestrators/single.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/orchestrators/taint_gate.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/providers/__init__.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/providers/anthropic.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/providers/base.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/providers/litellm.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/providers/mock.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/providers/openai.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/providers/openai_format.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/providers/retry.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/reporting.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/resources.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/sources/__init__.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/sources/base.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/sources/callers.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/sources/chunker.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/sources/diff.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/sources/function.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/sources/mock.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/sources/repo.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/suppression.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/tasks/__init__.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/tasks/base.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury/tasks/registry.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury.egg-info/dependency_links.txt +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury.egg-info/entry_points.txt +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury.egg-info/requires.txt +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/codejury.egg-info/top_level.txt +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/setup.cfg +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_adaptive.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_anthropic_provider.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_assembly.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_audit_pipeline.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_baseline.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_cache.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_callers.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_capability.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_challenge.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_cli_audit.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_context.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_debate_agents.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_debate_orchestrator.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_diff_source.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_evaluation.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_function_source.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_integrations.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_json_parse.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_litellm_provider.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_openai_provider.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_orchestrator.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_parsing.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_pipeline_orchestrator.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_provenance.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_reflexion_orchestrator.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_repo_source.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_reporting.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_retry_provider.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_review_fixes.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_sarif.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_suppression.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_taint.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_taint_crossfile.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_taint_gate.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_tasks.py +0 -0
- {codejury-0.10.3 → codejury-0.10.4}/tests/test_verifier.py +0 -0
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: codejury
|
|
3
|
-
Version: 0.10.
|
|
3
|
+
Version: 0.10.4
|
|
4
4
|
Summary: General-purpose Application Security AI audit framework: five-layer architecture, capabilities as first-class data
|
|
5
5
|
Author: AISecLabs
|
|
6
6
|
License-Expression: MIT
|
|
@@ -186,7 +186,7 @@ what `--only` and a task's `capabilities:` accept:
|
|
|
186
186
|
`authn`, `authz`, `session`, `input_validation`, `output_encoding`, `crypto`,
|
|
187
187
|
`secrets`, `data_protection`, `error_logging`, `business_logic`,
|
|
188
188
|
`dependency_config`, `prompt_injection`, `insecure_output_handling`,
|
|
189
|
-
`excessive_agency`.
|
|
189
|
+
`excessive_agency`, `model_supply_chain`.
|
|
190
190
|
|
|
191
191
|
To tune for your codebase, edit these files, adding patterns or sharpening
|
|
192
192
|
wording. No code change is needed.
|
|
@@ -156,7 +156,7 @@ what `--only` and a task's `capabilities:` accept:
|
|
|
156
156
|
`authn`, `authz`, `session`, `input_validation`, `output_encoding`, `crypto`,
|
|
157
157
|
`secrets`, `data_protection`, `error_logging`, `business_logic`,
|
|
158
158
|
`dependency_config`, `prompt_injection`, `insecure_output_handling`,
|
|
159
|
-
`excessive_agency`.
|
|
159
|
+
`excessive_agency`, `model_supply_chain`.
|
|
160
160
|
|
|
161
161
|
To tune for your codebase, edit these files, adding patterns or sharpening
|
|
162
162
|
wording. No code change is needed.
|
|
@@ -0,0 +1,59 @@
|
|
|
1
|
+
# OWASP LLM Top 10 (2025), LLM03: Supply Chain.
|
|
2
|
+
id: model_supply_chain
|
|
3
|
+
name: Model Supply Chain
|
|
4
|
+
asvs_chapter: "" # OWASP LLM03, not an ASVS chapter
|
|
5
|
+
description: >-
|
|
6
|
+
Loading a model, its code, or its weights from an untrusted or unverified
|
|
7
|
+
source. The high-impact cases run code at load time: executing code shipped
|
|
8
|
+
with a third-party model, or deserializing weights through pickle. Pin and
|
|
9
|
+
verify artifacts, and do not enable remote code execution for a model you do
|
|
10
|
+
not control.
|
|
11
|
+
|
|
12
|
+
sub_capabilities:
|
|
13
|
+
remote_code:
|
|
14
|
+
correct_patterns:
|
|
15
|
+
- id: SC-OK-1
|
|
16
|
+
description: Load a model with remote code execution off and a pinned revision
|
|
17
|
+
signals: ["trust_remote_code=False", "revision="]
|
|
18
|
+
why_ok: The third-party repo cannot run code at load time and the artifact is pinned
|
|
19
|
+
|
|
20
|
+
anti_patterns:
|
|
21
|
+
- id: SC-BAD-1
|
|
22
|
+
cwe: CWE-494
|
|
23
|
+
severity: CRITICAL
|
|
24
|
+
description: >-
|
|
25
|
+
Load a model with trust_remote_code=True, which executes code shipped in
|
|
26
|
+
the model repository at load time
|
|
27
|
+
signals: ["trust_remote_code=True", "from_pretrained"]
|
|
28
|
+
why_bad: A malicious or compromised model repo runs arbitrary code in your process
|
|
29
|
+
example_bad: |
|
|
30
|
+
model = AutoModel.from_pretrained("vendor/model", trust_remote_code=True)
|
|
31
|
+
example_good: |
|
|
32
|
+
model = AutoModel.from_pretrained("vendor/model", revision="a1b2c3d")
|
|
33
|
+
|
|
34
|
+
artifact_integrity:
|
|
35
|
+
correct_patterns:
|
|
36
|
+
- id: SC-OK-2
|
|
37
|
+
description: Load weights from a data-only format such as safetensors
|
|
38
|
+
signals: ["safetensors", "load_file"]
|
|
39
|
+
why_ok: A data-only weights format cannot execute code on load
|
|
40
|
+
|
|
41
|
+
anti_patterns:
|
|
42
|
+
- id: SC-BAD-2
|
|
43
|
+
cwe: CWE-502
|
|
44
|
+
severity: HIGH
|
|
45
|
+
description: >-
|
|
46
|
+
Deserialize model weights or a checkpoint through pickle, for example
|
|
47
|
+
torch.load or joblib.load on a downloaded file, which can run code on load
|
|
48
|
+
signals: ["torch.load", "pickle.load", "joblib.load"]
|
|
49
|
+
why_bad: Pickle-based loaders execute code embedded in the file during deserialization
|
|
50
|
+
example_bad: |
|
|
51
|
+
state = torch.load(downloaded_checkpoint)
|
|
52
|
+
example_good: |
|
|
53
|
+
from safetensors.torch import load_file
|
|
54
|
+
state = load_file("model.safetensors")
|
|
55
|
+
|
|
56
|
+
trigger_signals:
|
|
57
|
+
- from_pretrained or a model or dataset download call
|
|
58
|
+
- trust_remote_code set on a model load
|
|
59
|
+
- torch.load, pickle.load, or joblib.load of model weights
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
capability: model_supply_chain
|
|
2
|
+
vulnerable: false
|
|
3
|
+
expected_verdict: SECURE
|
|
4
|
+
cwe: ""
|
|
5
|
+
source: synthetic
|
|
6
|
+
notes: >
|
|
7
|
+
An ordinary model load: remote code execution is off by default and the
|
|
8
|
+
revision is pinned, so a plain from_pretrained must not be flagged.
|
|
9
|
+
code: |
|
|
10
|
+
def load():
|
|
11
|
+
return AutoModel.from_pretrained("bert-base-uncased", revision="a1b2c3d")
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
capability: model_supply_chain
|
|
2
|
+
vulnerable: false
|
|
3
|
+
expected_verdict: SECURE
|
|
4
|
+
cwe: ""
|
|
5
|
+
source: synthetic
|
|
6
|
+
notes: >
|
|
7
|
+
safetensors is a data-only weights format that cannot execute code on load.
|
|
8
|
+
code: |
|
|
9
|
+
from safetensors.torch import load_file
|
|
10
|
+
|
|
11
|
+
def load_checkpoint(path):
|
|
12
|
+
return load_file(path)
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
capability: model_supply_chain
|
|
2
|
+
vulnerable: true
|
|
3
|
+
expected_verdict: VULNERABLE
|
|
4
|
+
cwe: CWE-502
|
|
5
|
+
source: synthetic
|
|
6
|
+
notes: >
|
|
7
|
+
torch.load deserializes through pickle, so loading a downloaded checkpoint runs
|
|
8
|
+
any code embedded in the file. Use a data-only format such as safetensors.
|
|
9
|
+
code: |
|
|
10
|
+
def load_checkpoint(path):
|
|
11
|
+
return torch.load(path)
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
capability: model_supply_chain
|
|
2
|
+
vulnerable: true
|
|
3
|
+
expected_verdict: VULNERABLE
|
|
4
|
+
cwe: CWE-494
|
|
5
|
+
source: synthetic
|
|
6
|
+
notes: >
|
|
7
|
+
trust_remote_code=True runs code shipped in the third-party model repo at load
|
|
8
|
+
time, so a malicious or compromised repo executes arbitrary code in the process.
|
|
9
|
+
code: |
|
|
10
|
+
def load(name):
|
|
11
|
+
return AutoModel.from_pretrained(name, trust_remote_code=True)
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: codejury
|
|
3
|
-
Version: 0.10.
|
|
3
|
+
Version: 0.10.4
|
|
4
4
|
Summary: General-purpose Application Security AI audit framework: five-layer architecture, capabilities as first-class data
|
|
5
5
|
Author: AISecLabs
|
|
6
6
|
License-Expression: MIT
|
|
@@ -186,7 +186,7 @@ what `--only` and a task's `capabilities:` accept:
|
|
|
186
186
|
`authn`, `authz`, `session`, `input_validation`, `output_encoding`, `crypto`,
|
|
187
187
|
`secrets`, `data_protection`, `error_logging`, `business_logic`,
|
|
188
188
|
`dependency_config`, `prompt_injection`, `insecure_output_handling`,
|
|
189
|
-
`excessive_agency`.
|
|
189
|
+
`excessive_agency`, `model_supply_chain`.
|
|
190
190
|
|
|
191
191
|
To tune for your codebase, edit these files, adding patterns or sharpening
|
|
192
192
|
wording. No code change is needed.
|
|
@@ -37,6 +37,7 @@ codejury/data/capabilities/error_logging.yaml
|
|
|
37
37
|
codejury/data/capabilities/excessive_agency.yaml
|
|
38
38
|
codejury/data/capabilities/input_validation.yaml
|
|
39
39
|
codejury/data/capabilities/insecure_output_handling.yaml
|
|
40
|
+
codejury/data/capabilities/model_supply_chain.yaml
|
|
40
41
|
codejury/data/capabilities/output_encoding.yaml
|
|
41
42
|
codejury/data/capabilities/prompt_injection.yaml
|
|
42
43
|
codejury/data/capabilities/secrets.yaml
|
|
@@ -86,6 +87,10 @@ codejury/data/golden/pi_indirect_rag_vuln.yaml
|
|
|
86
87
|
codejury/data/golden/pi_system_concat_vuln.yaml
|
|
87
88
|
codejury/data/golden/pi_user_content_concat_safe.yaml
|
|
88
89
|
codejury/data/golden/pi_user_role_safe.yaml
|
|
90
|
+
codejury/data/golden/sc_pinned_safe.yaml
|
|
91
|
+
codejury/data/golden/sc_safetensors_safe.yaml
|
|
92
|
+
codejury/data/golden/sc_torch_load_vuln.yaml
|
|
93
|
+
codejury/data/golden/sc_trust_remote_code_vuln.yaml
|
|
89
94
|
codejury/data/golden/secrets_env_safe.yaml
|
|
90
95
|
codejury/data/golden/secrets_hardcoded_vuln.yaml
|
|
91
96
|
codejury/data/golden/session_fixation_vuln.yaml
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
{codejury-0.10.3 → codejury-0.10.4}/codejury/data/capabilities/insecure_output_handling.yaml
RENAMED
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
{codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/ag_destructive_no_confirm_vuln.yaml
RENAMED
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
{codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/business_logic_price_tamper_vuln.yaml
RENAMED
|
File without changes
|
{codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/business_logic_server_checked_safe.yaml
RENAMED
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
{codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/data_protection_plaintext_pii_vuln.yaml
RENAMED
|
File without changes
|
{codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/data_protection_tokenized_safe.yaml
RENAMED
|
File without changes
|
{codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/dependency_config_tls_verify_off_vuln.yaml
RENAMED
|
File without changes
|
{codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/dependency_config_tls_verify_on_safe.yaml
RENAMED
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
{codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/error_logging_secret_leak_vuln.yaml
RENAMED
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
{codejury-0.10.3 → codejury-0.10.4}/codejury/data/golden/ssrf_substring_allowlist_bypass_vuln.yaml
RENAMED
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|