plugin-scanner 2.0.127__tar.gz → 2.0.128__tar.gz

{plugin_scanner-2.0.127 → plugin_scanner-2.0.128}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.127
+Version: 2.0.128
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.127 → plugin_scanner-2.0.128}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.127"
+version = "2.0.128"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.127 → plugin_scanner-2.0.128}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.127"
+version = "2.0.128"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.127 → plugin_scanner-2.0.128}/src/codex_plugin_scanner/guard/cli/commands.py

@@ -472,6 +472,22 @@ def _configure_guard_parser(guard_parser: argparse.ArgumentParser) -> None:
     advisories_parser = guard_subparsers.add_parser("advisories", help="List cached Guard advisories and verdicts")
     _add_guard_common_args(advisories_parser)
     advisories_parser.add_argument("--json", action="store_true")
+    advisories_sub = advisories_parser.add_subparsers(dest="advisories_subcommand")
+
+    _adv_list = advisories_sub.add_parser("list", help="List cached advisories")
+    _adv_list.add_argument("--json", action="store_true")
+    _adv_list.add_argument(
+        "--severity",
+        choices=["low", "medium", "high", "critical"],
+        help="Filter by minimum severity",
+    )
+
+    _adv_sync = advisories_sub.add_parser("sync", help="Sync advisories from Guard Cloud")
+    _adv_sync.add_argument("--json", action="store_true")
+
+    _adv_explain = advisories_sub.add_parser("explain", help="Explain a specific advisory by ID")
+    _adv_explain.add_argument("--json", action="store_true")
+    _adv_explain.add_argument("advisory_id", help="Advisory ID to explain")
 
     events_parser = guard_subparsers.add_parser("events", help="List local Guard lifecycle events")
     _add_guard_common_args(events_parser)
@@ -1081,11 +1097,44 @@ def run_guard_command(
         return 0
 
     if args.guard_command == "advisories":
-        _emit(
-            "advisories",
-            {"generated_at": _now(), "items": store.list_cached_advisories()},
-            getattr(args, "json", False),
-        )
+        adv_sub = getattr(args, "advisories_subcommand", None)
+        if adv_sub == "sync":
+            credentials = store.get_sync_credentials()
+            if credentials is None:
+                _emit(
+                    "advisories_sync",
+                    {"generated_at": _now(), "status": "no_cloud_sync_configured"},
+                    getattr(args, "json", False),
+                )
+            else:
+                _emit(
+                    "advisories_sync",
+                    {"generated_at": _now(), "status": "advisory_sync_not_available", "synced": False},
+                    getattr(args, "json", False),
+                )
+        elif adv_sub == "explain":
+            target_id = getattr(args, "advisory_id", None)
+            all_advs = store.list_cached_advisories(limit=None)
+            match = next(
+                (a for a in all_advs if a.get("advisory_id") == target_id or a.get("id") == target_id),
+                None,
+            )
+            if match:
+                _emit("advisory_explain", match, getattr(args, "json", False))
+            else:
+                _emit("advisory_explain", {"error": f"advisory {target_id!r} not found"}, getattr(args, "json", False))
+        else:
+            all_advs = store.list_cached_advisories()
+            sev_filter = getattr(args, "severity", None)
+            _sev_rank = {"low": 0, "medium": 1, "high": 2, "critical": 3}
+            if sev_filter and sev_filter in _sev_rank:
+                min_rank = _sev_rank[sev_filter]
+                all_advs = [a for a in all_advs if _sev_rank.get(str(a.get("severity", "")).lower(), -1) >= min_rank]
+            _emit(
+                "advisories",
+                {"generated_at": _now(), "items": all_advs},
+                getattr(args, "json", False),
+            )
         return 0
 
     if args.guard_command == "events":

{plugin_scanner-2.0.127 → plugin_scanner-2.0.128}/src/codex_plugin_scanner/guard/daemon/server.py

@@ -208,10 +208,12 @@ class _GuardDaemonHandler(BaseHTTPRequestHandler):
                     limit=limit_v,
                 )
                 total = count_evidence(conn)
-            self._write_json({
-                "items": [vars(r) for r in records],
-                "total": total,
-            })
+            self._write_json(
+                {
+                    "items": [vars(r) for r in records],
+                    "total": total,
+                }
+            )
             return
         if parsed.path == "/v1/evidence/export":
             with store._connect() as conn:

plugin_scanner-2.0.128/src/codex_plugin_scanner/guard/runtime/advisory_escalation.py

@@ -0,0 +1,65 @@
+"""Advisory-driven policy escalation for Guard decisions.
+
+When a cached threat intelligence bundle contains a critical advisory that
+matches the current artifact, a lower-severity policy action such as ``allow``
+or ``warn`` can be escalated to ``ask`` or ``block`` to ensure the user
+reviews the risk before the action proceeds.
+"""
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from codex_plugin_scanner.guard.models import GuardAction
+    from codex_plugin_scanner.guard.runtime.threat_intel import ThreatAdvisory
+
+_ESCALATION_TABLE: dict[str, dict[str, str]] = {
+    "critical": {
+        "allow": "ask",
+        "warn": "ask",
+        "review": "block",
+    },
+    "high": {
+        "allow": "ask",
+        "warn": "ask",
+    },
+}
+
+_ESCALATION_THRESHOLD_SEVERITIES = frozenset({"critical", "high"})
+
+
+def escalate_for_advisories(
+    policy_action: GuardAction,
+    matched_advisories: tuple[ThreatAdvisory, ...],
+) -> tuple[GuardAction, str | None]:
+    """Return the escalated policy action and the advisory id that triggered it.
+
+    If no advisory warrants escalation, returns the original action and None.
+    The most severe advisory match drives escalation; within the same severity
+    the first match in the input tuple wins.
+    """
+    if not matched_advisories:
+        return policy_action, None
+
+    ranked = sorted(
+        (a for a in matched_advisories if a.severity.lower() in _ESCALATION_THRESHOLD_SEVERITIES),
+        key=lambda a: 0 if a.severity.lower() == "critical" else 1,
+    )
+
+    for advisory in ranked:
+        escalation_map = _ESCALATION_TABLE.get(advisory.severity.lower(), {})
+        escalated = escalation_map.get(policy_action)
+        if escalated is not None:
+            return escalated, advisory.advisory_id  # type: ignore[return-value]
+
+    return policy_action, None
+
+
+def advisory_match_summary(matched_advisories: tuple[ThreatAdvisory, ...]) -> str:
+    """Return a brief human-readable summary of matched advisories for logging."""
+    if not matched_advisories:
+        return "no advisory matches"
+    parts = [f"{a.advisory_id}({a.severity.lower()})" for a in matched_advisories[:5]]
+    suffix = f" +{len(matched_advisories) - 5} more" if len(matched_advisories) > 5 else ""
+    return ", ".join(parts) + suffix

plugin_scanner-2.0.128/src/codex_plugin_scanner/guard/runtime/advisory_matchers.py

@@ -0,0 +1,164 @@
+"""Advisory matchers for multi-source threat intelligence.
+
+Each matcher takes a ThreatAdvisory and a target dict, and returns True if
+the advisory applies to the target. Matchers are keyed by their `matcher`
+field value in the advisory.
+"""
+
+from __future__ import annotations
+
+import re
+from typing import Protocol, runtime_checkable
+
+from .threat_intel import ThreatAdvisory
+
+
+@runtime_checkable
+class AdvisoryMatcher(Protocol):
+    """Callable that tests an advisory against a target dict."""
+
+    def __call__(self, advisory: ThreatAdvisory, target: dict[str, object]) -> bool: ...
+
+
+def _norm(val: object) -> str:
+    if not isinstance(val, str):
+        return ""
+    return val.strip().lower()
+
+
+def _package_matches(advisory_pkg: str, target_pkg: str) -> bool:
+    if not advisory_pkg or not target_pkg:
+        return False
+    return _norm(advisory_pkg) == _norm(target_pkg)
+
+
+def match_osv(advisory: ThreatAdvisory, target: dict[str, object]) -> bool:
+    """Match OSV advisories by package name and ecosystem."""
+    pkg_name = target.get("package_name")
+    ecosystem = target.get("ecosystem")
+    advisory_pkg = advisory.matcher.split(":", 1)[-1] if ":" in advisory.matcher else advisory.matcher
+    parts = advisory.source.split("/", 1)
+    advisory_eco = parts[1] if len(parts) > 1 else parts[0]
+    eco_match = not ecosystem or _norm(advisory_eco) in (_norm(str(ecosystem)), "*")
+    return eco_match and _package_matches(advisory_pkg, str(pkg_name or ""))
+
+
+def match_github_advisory(advisory: ThreatAdvisory, target: dict[str, object]) -> bool:
+    """Match GitHub Security Advisory by GHSA ID or package name."""
+    matcher_val = advisory.matcher
+    if re.match(r"^GHSA-", matcher_val, re.IGNORECASE):
+        ghsa_id = target.get("ghsa_id")
+        return isinstance(ghsa_id, str) and _norm(ghsa_id) == _norm(matcher_val)
+    return _package_matches(matcher_val, str(target.get("package_name") or ""))
+
+
+def match_nvd_cve(advisory: ThreatAdvisory, target: dict[str, object]) -> bool:
+    """Match NVD CVE by CVE ID or harness name."""
+    matcher_val = advisory.matcher
+    if re.match(r"^CVE-", matcher_val, re.IGNORECASE):
+        cve_id = target.get("cve_id")
+        return isinstance(cve_id, str) and _norm(cve_id) == _norm(matcher_val)
+    harness = target.get("harness")
+    return isinstance(harness, str) and _norm(harness) == _norm(matcher_val)
+
+
+def match_npm_advisory(advisory: ThreatAdvisory, target: dict[str, object]) -> bool:
+    """Match npm advisory by package name when ecosystem is npm."""
+    eco = target.get("ecosystem")
+    if not isinstance(eco, str) or _norm(eco) not in ("npm",):
+        return False
+    return _package_matches(advisory.matcher, str(target.get("package_name") or ""))
+
+
+def match_pypi_advisory(advisory: ThreatAdvisory, target: dict[str, object]) -> bool:
+    """Match PyPI advisory by package name when ecosystem is pypi."""
+    eco = target.get("ecosystem")
+    if not isinstance(eco, str) or _norm(eco) not in ("pypi", "pip"):
+        return False
+    return _package_matches(advisory.matcher, str(target.get("package_name") or ""))
+
+
+def match_github_action(advisory: ThreatAdvisory, target: dict[str, object]) -> bool:
+    """Match a GitHub Action by action slug (owner/name)."""
+    action_slug = target.get("action_slug")
+    if not isinstance(action_slug, str):
+        return False
+    return _norm(advisory.matcher) == _norm(action_slug)
+
+
+def match_mcp_server(advisory: ThreatAdvisory, target: dict[str, object]) -> bool:
+    """Match an MCP server advisory by exact server name."""
+    server_name = target.get("mcp_server")
+    if not isinstance(server_name, str):
+        return False
+    return _norm(server_name) == _norm(advisory.matcher)
+
+
+def match_skill_hash(advisory: ThreatAdvisory, target: dict[str, object]) -> bool:
+    """Match a skill (extension/tool) by its content hash."""
+    skill_hash = target.get("skill_hash")
+    if not isinstance(skill_hash, str):
+        return False
+    return _norm(advisory.matcher) == _norm(skill_hash)
+
+
+def match_malicious_domain(advisory: ThreatAdvisory, target: dict[str, object]) -> bool:
+    """Match a network destination against a known-malicious domain.
+
+    Uses exact match or subdomain boundary match to avoid false positives.
+    e.g. advisory matcher ``evil.com`` matches ``evil.com`` and ``sub.evil.com``
+    but not ``not-evil.com``.
+    """
+    hosts: object = target.get("network_hosts")
+    if not isinstance(hosts, list):
+        hosts = [target.get("network_host")] if target.get("network_host") else []
+    matcher_norm = _norm(advisory.matcher)
+    return any(_norm(str(h)) == matcher_norm or _norm(str(h)).endswith("." + matcher_norm) for h in hosts if h)
+
+
+def match_malicious_package_hash(advisory: ThreatAdvisory, target: dict[str, object]) -> bool:
+    """Match a package by its content hash (e.g., tarball SHA256)."""
+    pkg_hash = target.get("package_hash")
+    if not isinstance(pkg_hash, str):
+        return False
+    return _norm(advisory.matcher) == _norm(pkg_hash)
+
+
+_MATCHER_REGISTRY: dict[str, AdvisoryMatcher] = {
+    "osv": match_osv,
+    "github_advisory": match_github_advisory,
+    "nvd_cve": match_nvd_cve,
+    "npm": match_npm_advisory,
+    "pypi": match_pypi_advisory,
+    "github_action": match_github_action,
+    "mcp_server": match_mcp_server,
+    "skill_hash": match_skill_hash,
+    "malicious_domain": match_malicious_domain,
+    "malicious_package_hash": match_malicious_package_hash,
+}
+
+
+def get_matcher(matcher_key: str) -> AdvisoryMatcher | None:
+    """Return the matcher function for a given matcher key, or None if unknown."""
+    return _MATCHER_REGISTRY.get(matcher_key)
+
+
+def apply_advisory(advisory: ThreatAdvisory, target: dict[str, object]) -> bool:
+    """Test a single advisory against a target using the registered matcher.
+
+    Dispatcher reads the advisory `source` field to select the matcher function.
+    Returns False for unknown source keys (safe default — no false positives).
+    """
+    source_key = advisory.source.split("/")[0].lower()
+    matcher_fn = get_matcher(source_key)
+    if matcher_fn is None:
+        return False
+    return matcher_fn(advisory, target)
+
+
+def match_all_advisories(
+    advisories: tuple[ThreatAdvisory, ...],
+    target: dict[str, object],
+) -> tuple[ThreatAdvisory, ...]:
+    """Return all advisories from the bundle that match the given target."""
+    return tuple(a for a in advisories if apply_advisory(a, target))

plugin_scanner-2.0.128/src/codex_plugin_scanner/guard/runtime/threat_intel.py

@@ -0,0 +1,243 @@
+"""HOL Guard threat intelligence bundle handling.
+
+Provides typed dataclasses, signature verification, freshness checks,
+rollback protection, and multi-source advisory matching for the
+cloud advisory client subsystem.
+"""
+
+from __future__ import annotations
+
+import base64
+import json
+import time
+from dataclasses import dataclass
+from typing import Final
+
+from cryptography.exceptions import InvalidSignature
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
+
+_BUNDLE_MAX_AGE_SECONDS: Final[int] = 86_400 * 7
+_BUNDLE_CLOCK_SKEW_SECONDS: Final[int] = 300
+
+
+class ThreatIntelError(Exception):
+    """Base error for threat intel bundle validation failures."""
+
+
+class BundleSignatureError(ThreatIntelError):
+    """Bundle signature did not verify against the provided public key."""
+
+
+class BundleExpiredError(ThreatIntelError):
+    """Bundle freshness window has elapsed."""
+
+
+class BundleRollbackError(ThreatIntelError):
+    """Bundle version is older than the cached version — possible rollback attack."""
+
+
+class BundleMalformedError(ThreatIntelError):
+    """Bundle JSON is missing required fields or contains invalid types."""
+
+
+@dataclass(frozen=True, slots=True)
+class ThreatAdvisory:
+    """Single advisory record inside a threat intelligence bundle."""
+
+    advisory_id: str
+    source: str
+    severity: str
+    title: str
+    affected_type: str
+    matcher: str
+    recommendation: str
+
+    def to_dict(self) -> dict[str, object]:
+        return {
+            "advisory_id": self.advisory_id,
+            "source": self.source,
+            "severity": self.severity,
+            "title": self.title,
+            "affected_type": self.affected_type,
+            "matcher": self.matcher,
+            "recommendation": self.recommendation,
+        }
+
+    @staticmethod
+    def from_dict(data: dict[str, object]) -> ThreatAdvisory:
+        def _str(key: str) -> str:
+            val = data.get(key)
+            if not isinstance(val, str) or not val.strip():
+                raise BundleMalformedError(f"ThreatAdvisory missing required string field: {key!r}")
+            return val
+
+        return ThreatAdvisory(
+            advisory_id=_str("advisory_id"),
+            source=_str("source"),
+            severity=_str("severity"),
+            title=_str("title"),
+            affected_type=_str("affected_type"),
+            matcher=_str("matcher"),
+            recommendation=_str("recommendation"),
+        )
+
+
+@dataclass(frozen=True, slots=True)
+class ThreatIntelBundle:
+    """Signed, versioned advisory bundle from the HOL Guard cloud."""
+
+    version: int
+    generated_at: float
+    expires_at: float
+    source: str
+    signature: str
+    advisories: tuple[ThreatAdvisory, ...]
+
+    def to_dict(self) -> dict[str, object]:
+        return {
+            "version": self.version,
+            "generated_at": self.generated_at,
+            "expires_at": self.expires_at,
+            "source": self.source,
+            "signature": self.signature,
+            "advisories": [a.to_dict() for a in self.advisories],
+        }
+
+    @staticmethod
+    def from_dict(data: dict[str, object]) -> ThreatIntelBundle:
+        def _int(key: str) -> int:
+            val = data.get(key)
+            if not isinstance(val, int):
+                raise BundleMalformedError(f"ThreatIntelBundle missing required int field: {key!r}")
+            return val
+
+        def _float(key: str) -> float:
+            val = data.get(key)
+            if isinstance(val, (int, float)):
+                return float(val)
+            raise BundleMalformedError(f"ThreatIntelBundle missing required numeric field: {key!r}")
+
+        def _str(key: str) -> str:
+            val = data.get(key)
+            if not isinstance(val, str) or not val.strip():
+                raise BundleMalformedError(f"ThreatIntelBundle missing required string field: {key!r}")
+            return val
+
+        raw_advisories = data.get("advisories")
+        if not isinstance(raw_advisories, list):
+            raise BundleMalformedError("ThreatIntelBundle 'advisories' must be a list")
+
+        parsed_advisories: list[ThreatAdvisory] = []
+        for idx, item in enumerate(raw_advisories):
+            if not isinstance(item, dict):
+                raise BundleMalformedError(
+                    f"ThreatIntelBundle advisory at index {idx} must be an object, got {type(item).__name__}"
+                )
+            parsed_advisories.append(ThreatAdvisory.from_dict(item))
+
+        return ThreatIntelBundle(
+            version=_int("version"),
+            generated_at=_float("generated_at"),
+            expires_at=_float("expires_at"),
+            source=_str("source"),
+            signature=_str("signature"),
+            advisories=tuple(parsed_advisories),
+        )
+
+
+def _canonical_payload(bundle: ThreatIntelBundle) -> bytes:
+    """Deterministic JSON payload used for signature computation.
+
+    Signs only the stable fields — excludes `signature` itself.
+    Timestamps are serialized as integers to avoid float precision
+    differences across JSON implementations.
+    """
+    payload = {
+        "version": bundle.version,
+        "generated_at": int(bundle.generated_at),
+        "expires_at": int(bundle.expires_at),
+        "source": bundle.source,
+        "advisories": [a.to_dict() for a in bundle.advisories],
+    }
+    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
+
+
+def verify_bundle_signature(bundle: ThreatIntelBundle, public_key_pem: bytes) -> None:
+    """Verify the RSA-PSS signature on a bundle.
+
+    Raises BundleSignatureError if the signature does not verify.
+    """
+    try:
+        loaded_key = serialization.load_pem_public_key(public_key_pem)
+    except (ValueError, TypeError) as exc:
+        raise BundleSignatureError(f"Failed to load public key: {exc}") from exc
+
+    if not isinstance(loaded_key, RSAPublicKey):
+        raise BundleSignatureError("Public key must be RSA")
+
+    try:
+        sig_bytes = base64.b64decode(bundle.signature)
+    except Exception as exc:
+        raise BundleSignatureError(f"Signature is not valid base64: {exc}") from exc
+
+    payload = _canonical_payload(bundle)
+    try:
+        loaded_key.verify(
+            sig_bytes,
+            payload,
+            padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH),
+            hashes.SHA256(),
+        )
+    except InvalidSignature as exc:
+        raise BundleSignatureError("Bundle signature verification failed") from exc
+
+
+def check_bundle_freshness(bundle: ThreatIntelBundle, now: float | None = None) -> None:
+    """Raise BundleExpiredError if the bundle is outside its freshness window.
+
+    Uses wall-clock time by default; pass `now` in tests for determinism.
+    """
+    ts = now if now is not None else time.time()
+    if ts > bundle.expires_at + _BUNDLE_CLOCK_SKEW_SECONDS:
+        raise BundleExpiredError(f"Bundle expired at {bundle.expires_at:.0f}, current time is {ts:.0f}")
+    if ts < bundle.generated_at - _BUNDLE_CLOCK_SKEW_SECONDS:
+        raise BundleExpiredError(
+            f"Bundle generated_at {bundle.generated_at:.0f} is in the future (current time {ts:.0f})"
+        )
+    bundle_age = ts - bundle.generated_at
+    if bundle_age > _BUNDLE_MAX_AGE_SECONDS:
+        raise BundleExpiredError(
+            f"Bundle age {bundle_age:.0f}s exceeds maximum allowed age of {_BUNDLE_MAX_AGE_SECONDS}s"
+        )
+
+
+def check_bundle_rollback(bundle: ThreatIntelBundle, cached_version: int) -> None:
+    """Raise BundleRollbackError if the bundle version regresses.
+
+    Protects against a server serving an older bundle to downgrade protections.
+    """
+    if bundle.version < cached_version:
+        raise BundleRollbackError(f"Bundle version {bundle.version} is older than cached version {cached_version}")
+
+
+def load_bundle_from_json(raw_json: str) -> ThreatIntelBundle:
+    """Parse a raw JSON string into a ThreatIntelBundle.
+
+    Raises BundleMalformedError on invalid JSON or schema violations.
+    """
+    try:
+        data = json.loads(raw_json)
+    except json.JSONDecodeError as exc:
+        raise BundleMalformedError(f"Bundle JSON is invalid: {exc}") from exc
+
+    if not isinstance(data, dict):
+        raise BundleMalformedError("Bundle root must be a JSON object")
+
+    return ThreatIntelBundle.from_dict(data)
+
+
+def advisory_severity_rank(severity: str) -> int:
+    """Numeric rank for severity comparison (higher = more severe)."""
+    return {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}.get(severity.lower(), 0)

{plugin_scanner-2.0.127 → plugin_scanner-2.0.128}/src/codex_plugin_scanner/guard/store.py

@@ -75,6 +75,11 @@ from .store_evidence import (
     evidence_index_statements,
     evidence_schema_statement,
 )
+from .store_threat_intel import (
+    threat_intel_bundle_schema_statement,
+    threat_intel_index_statements,
+    threat_intel_matches_schema_statement,
+)
 from .types import CapabilitySet
 
 _SYNC_TOKEN_REF = "guard-cloud-token"
@@ -651,12 +656,16 @@ class GuardStore:
             connect_state_schema_statement(),
             approval_schema_statement(),
             evidence_schema_statement(),
+            threat_intel_bundle_schema_statement(),
+            threat_intel_matches_schema_statement(),
         )
         with self._connect() as connection:
             for statement in statements:
                 connection.execute(statement)
             for idx_stmt in evidence_index_statements():
                 connection.execute(idx_stmt)
+            for idx_stmt in threat_intel_index_statements():
+                connection.execute(idx_stmt)
             self._ensure_policy_column(connection, "publisher", "text")
             self._ensure_policy_column(connection, "artifact_hash", "text")
             self._ensure_policy_column(connection, "owner", "text")