feat: add security sink detection patterns for JavaScript/TypeScript

- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations). - Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns. - Added `package-lock.json` for dependency management.
2025-12-22 23:21:21 +02:00
parent 3ba7157b00
commit 5146204f1b
529 changed files with 73579 additions and 5985 deletions
--- a/docs/attestor/schemas/trust-vector.schema.json
+++ b/docs/attestor/schemas/trust-vector.schema.json
@@ -0,0 +1,84 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stella-ops.org/schemas/trust-vector/1.0.0",
+  "title": "Trust Vector",
+  "description": "3-component trust vector for VEX sources (Provenance, Coverage, Replayability)",
+  "type": "object",
+  "required": ["provenance", "coverage", "replayability"],
+  "properties": {
+    "sourceId": {
+      "type": "string",
+      "description": "Identifier of the VEX source"
+    },
+    "sourceClass": {
+      "type": "string",
+      "description": "Classification of the source",
+      "enum": ["vendor", "distro", "internal", "hub", "attestation"]
+    },
+    "provenance": {
+      "type": "number",
+      "description": "Cryptographic and process integrity score [0..1]",
+      "minimum": 0,
+      "maximum": 1
+    },
+    "coverage": {
+      "type": "number",
+      "description": "Scope match precision score [0..1]",
+      "minimum": 0,
+      "maximum": 1
+    },
+    "replayability": {
+      "type": "number",
+      "description": "Determinism and input pinning score [0..1]",
+      "minimum": 0,
+      "maximum": 1
+    },
+    "weights": {
+      "$ref": "#/$defs/TrustWeights"
+    },
+    "baseTrust": {
+      "type": "number",
+      "description": "Computed base trust: wP*P + wC*C + wR*R",
+      "minimum": 0,
+      "maximum": 1
+    },
+    "computedAt": {
+      "type": "string",
+      "description": "Timestamp when this vector was computed",
+      "format": "date-time"
+    },
+    "version": {
+      "type": "string",
+      "description": "Version of the trust vector configuration"
+    }
+  },
+  "$defs": {
+    "TrustWeights": {
+      "type": "object",
+      "description": "Weights for trust vector components",
+      "properties": {
+        "provenance": {
+          "type": "number",
+          "description": "Weight for provenance component (wP)",
+          "minimum": 0,
+          "maximum": 1,
+          "default": 0.45
+        },
+        "coverage": {
+          "type": "number",
+          "description": "Weight for coverage component (wC)",
+          "minimum": 0,
+          "maximum": 1,
+          "default": 0.35
+        },
+        "replayability": {
+          "type": "number",
+          "description": "Weight for replayability component (wR)",
+          "minimum": 0,
+          "maximum": 1,
+          "default": 0.20
+        }
+      }
+    }
+  }
+}