feat: add security sink detection patterns for JavaScript/TypeScript

- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations). - Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns. - Added `package-lock.json` for dependency management.
2025-12-22 23:21:21 +02:00
parent 3ba7157b00
commit 5146204f1b
529 changed files with 73579 additions and 5985 deletions
--- a/docs/schemas/trust-vector.schema.json
+++ b/docs/schemas/trust-vector.schema.json
@@ -0,0 +1,149 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://stella-ops.org/schemas/trust-vector/1.0.0",
+  "title": "Trust Vector Schema",
+  "description": "Schema for 3-component trust vectors (Provenance, Coverage, Replayability)",
+  "type": "object",
+  "required": [
+    "provenance",
+    "coverage",
+    "replayability"
+  ],
+  "properties": {
+    "provenance": {
+      "type": "number",
+      "minimum": 0,
+      "maximum": 1,
+      "description": "Provenance score (P): cryptographic and process integrity of the source"
+    },
+    "coverage": {
+      "type": "number",
+      "minimum": 0,
+      "maximum": 1,
+      "description": "Coverage score (C): how well the statement's scope maps to the target asset"
+    },
+    "replayability": {
+      "type": "number",
+      "minimum": 0,
+      "maximum": 1,
+      "description": "Replayability score (R): whether the claim can be deterministically re-derived"
+    }
+  },
+  "additionalProperties": false,
+  "$defs": {
+    "TrustWeights": {
+      "type": "object",
+      "description": "Weights for computing BaseTrust = wP*P + wC*C + wR*R",
+      "required": ["provenance", "coverage", "replayability"],
+      "properties": {
+        "provenance": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 1,
+          "default": 0.45,
+          "description": "Weight for Provenance component (wP)"
+        },
+        "coverage": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 1,
+          "default": 0.35,
+          "description": "Weight for Coverage component (wC)"
+        },
+        "replayability": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 1,
+          "default": 0.20,
+          "description": "Weight for Replayability component (wR)"
+        }
+      },
+      "additionalProperties": false
+    },
+    "SourceClassDefaults": {
+      "type": "object",
+      "description": "Default trust vectors by source classification",
+      "properties": {
+        "vendor": {
+          "$ref": "#",
+          "description": "Default vector for vendor sources (P=0.90, C=0.70, R=0.60)"
+        },
+        "distro": {
+          "$ref": "#",
+          "description": "Default vector for distribution sources (P=0.80, C=0.85, R=0.60)"
+        },
+        "internal": {
+          "$ref": "#",
+          "description": "Default vector for internal sources (P=0.85, C=0.95, R=0.90)"
+        },
+        "hub": {
+          "$ref": "#",
+          "description": "Default vector for hub/aggregator sources (P=0.70, C=0.65, R=0.50)"
+        },
+        "attestation": {
+          "$ref": "#",
+          "description": "Default vector for attestation sources (P=0.95, C=0.80, R=0.95)"
+        }
+      },
+      "additionalProperties": {
+        "$ref": "#"
+      }
+    },
+    "ClaimStrength": {
+      "type": "string",
+      "enum": [
+        "exploitability_with_reachability",
+        "config_with_evidence",
+        "vendor_blanket",
+        "under_investigation"
+      ],
+      "description": "Evidence-based claim strength categories"
+    },
+    "ClaimStrengthMultipliers": {
+      "type": "object",
+      "description": "Multiplier values for each claim strength category",
+      "properties": {
+        "exploitability_with_reachability": {
+          "type": "number",
+          "const": 1.00,
+          "description": "Exploitability analysis + reachability proof"
+        },
+        "config_with_evidence": {
+          "type": "number",
+          "const": 0.80,
+          "description": "Config/feature-flag reason with evidence"
+        },
+        "vendor_blanket": {
+          "type": "number",
+          "const": 0.60,
+          "description": "Vendor blanket statement"
+        },
+        "under_investigation": {
+          "type": "number",
+          "const": 0.40,
+          "description": "Under investigation status"
+        }
+      }
+    },
+    "FreshnessConfig": {
+      "type": "object",
+      "description": "Configuration for freshness decay calculation",
+      "properties": {
+        "half_life_days": {
+          "type": "number",
+          "minimum": 1,
+          "default": 90,
+          "description": "Days until score halves"
+        },
+        "floor": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 1,
+          "default": 0.35,
+          "description": "Minimum freshness unless revoked"
+        }
+      },
+      "additionalProperties": false
+    }
+  }
+}