AVE hotfix: vendor boilerplate + ASI/ATLAS mappings (52-56)#39
Merged
Conversation
…00001-00003), generalize dependency phrasing (00024) Scope confirmed via grep before editing per the brief -- found 5 additional instances beyond this brief's expected 4 (00041, 00044, 00045, 00046, 00047, embedding literal bawbel CLI commands in remediation/detection_methodology), handled separately as Fix 3. 00001-00003: identical detection_methodology boilerplate named bawbel-scanner as the analysis engine; genericized to "in component content" / "an LLM-based reviewer" with no vendor reference. 00024: bawbel-scanner is a real dependency statement here (the record is detected exclusively via Magika, which bawbel-scanner integrates), not filler -- generalized to name the requirement (a Magika-integrated scanning tool) with bawbel-scanner kept as one example implementation, rather than deleted.
All four ASI category names/numbers verified against the current OWASP Top 10 for Agentic Applications 2026 list before writing (ASI01 Agent Goal Hijack, ASI02 Tool Misuse & Exploitation, ASI04 Agentic Supply Chain Compromise, ASI05 Unexpected Code Execution), and both new ATLAS technique names verified (AML.T0051 LLM Prompt Injection, AML.T0086 Exfiltration via AI Agent Tool Invocation) -- none taken on brief-text alone. - AVE-2026-00052: owasp_asi [ASI05, ASI02]. No mitre_atlas -- a generic CWE-78 implementation bug in a tool's own handler code, not an attack on an ML-specific surface ATLAS's techniques are scoped to. - AVE-2026-00053: owasp_asi [ASI02, ASI04], mitre_atlas [AML.T0086]. - AVE-2026-00054: owasp_asi [ASI05]. No mitre_atlas, same reasoning as 00052 -- a JS prototype-chain containment failure isn't an ML-specific technique category. - AVE-2026-00055: owasp_asi [ASI04, ASI05]. Existing mitre_atlas (AML.T0104) left unchanged -- verified still correct and unique in the corpus. - AVE-2026-00056: owasp_asi [ASI01], mitre_atlas [AML.T0051]. ASI01 citing EchoLeak (this record's own primary source, CVE-2025-32711) as OWASP's own worked example is confirmed accurate.
…dology (00041, 00044-00047) Scope found while confirming Fix 1's grep, per this brief's own instruction to stop and report if the file list differed -- these 5 embedded literal bawbel CLI invocations (bawbel scan, bawbel scan-server-card, bawbel pin, bawbel-ignore) as actionable steps inside remediation/detection_methodology, telling defenders to run one vendor's specific tool rather than describing the control abstractly. Arguably a stronger vendor-lock-in instance than Fix 1's boilerplate, since these are commands a defender would actually copy-paste and run. Same treatment as AVE-2026-00024 in Fix 1: describe what to do, not which tool to run. - AVE-2026-00041: "bawbel scan-server-card <url>" -> "scan the server-card for behavioral injection patterns"; "bawbel pin" -> dropped the flag name, kept the pin-and-detect-changes instruction - AVE-2026-00044: "scan with bawbel scan" -> "scan for injection patterns" - AVE-2026-00045: "bawbel scan-server-card" -> "scan ... for behavioral injection patterns" - AVE-2026-00046: "bawbel scan" -> "scan ... for hook registration patterns"; "bawbel-ignore with justification" -> "suppress the finding with documented justification" - AVE-2026-00047: "bawbel scan --fail-on-severity high" -> "credential- pattern scanning ... failing on high-severity findings"; "bawbel- ignore" -> "suppress the finding" Repo-wide recheck after this commit: only AVE-2026-00024 still references bawbel-scanner by name, correctly (Fix 1's generalized "one example implementation" phrasing).
Stats table was stale at 51 records / schema 1.0.0 / old severity counts (badges were already correct at 56, from earlier work -- this table wasn't). Recomputed severity breakdown from the actual records: CRITICAL 1, HIGH 11 (was 9), MEDIUM 43 (was 40), LOW 1. Record index table was missing rows for AVE-2026-00052 through 00056 entirely. Added, titles condensed to match the table's existing Title Case convention (the same style already used for e.g. 00041's full title vs. its table row).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Three independent commits per the hotfix brief.
Fix 1 — remove vendor-name boilerplate (
482c348): the brief specified a 4-file scope (00001-00003, 00024). Ran the grep first as instructed and found 9 files, not 4 — 5 more (00041, 00044-00047) embed literalbawbel scan/bawbel-ignore/bawbel pinCLI commands. Per the brief's own instruction to stop and report if the scope differed, flagged this before editing; confirmed with the requester to handle the extra 5 as Fix 3. Applied the original scope as specified: 00001-00003 get the generic detection_methodology text, 00024 keepsbawbel-scanneras a named example implementation (real dependency, not filler) rather than deleting it.Fix 2 — ASI/ATLAS mappings on 52-56 (
1ff7384): applied exactly as specified in the brief, but verified every ASI category number/name and both new ATLAS technique names against current sources before writing them into records, rather than taking the brief's citations on faith:All validation from the brief's own checklist passes (owasp_asi present on all 5, mitre_atlas present only on 00053/00055/00056 and absent on 00052/00054, 00055's pre-existing
AML.T0104left untouched).Fix 3 — generalize the 5 additional vendor CLI instances (
1f77a64, added scope, confirmed with requester before proceeding): same "describe what to do, not which tool to run" treatment as Fix 1's 00024 case, applied to 00041, 00044, 00045, 00046, 00047. Repo-wide recheck after this commit: only AVE-2026-00024 still namesbawbel-scanner, correctly, as the generalized example-implementation reference.Test plan
python scripts/validate_records.py— all 56 records validpytest tests/ -x -q— 112 passedpython scripts/check_fixtures.py/check_rule_coverage.py— cleanschema_versionbump, noschema/changes — pure record-content edits against the existing v1.1.0 schema, as the brief required