Skip to content

AVE hotfix: vendor boilerplate + ASI/ATLAS mappings (52-56)#39

Merged
chaksaray merged 4 commits into
developfrom
ave-hotfix-vendor-neutral-mappings
Jul 13, 2026
Merged

AVE hotfix: vendor boilerplate + ASI/ATLAS mappings (52-56)#39
chaksaray merged 4 commits into
developfrom
ave-hotfix-vendor-neutral-mappings

Conversation

@chaksaray

Copy link
Copy Markdown
Contributor

Summary

Three independent commits per the hotfix brief.

Fix 1 — remove vendor-name boilerplate (482c348): the brief specified a 4-file scope (00001-00003, 00024). Ran the grep first as instructed and found 9 files, not 4 — 5 more (00041, 00044-00047) embed literal bawbel scan/bawbel-ignore/bawbel pin CLI commands. Per the brief's own instruction to stop and report if the scope differed, flagged this before editing; confirmed with the requester to handle the extra 5 as Fix 3. Applied the original scope as specified: 00001-00003 get the generic detection_methodology text, 00024 keeps bawbel-scanner as a named example implementation (real dependency, not filler) rather than deleting it.

Fix 2 — ASI/ATLAS mappings on 52-56 (1ff7384): applied exactly as specified in the brief, but verified every ASI category number/name and both new ATLAS technique names against current sources before writing them into records, rather than taking the brief's citations on faith:

  • OWASP Top 10 for Agentic Applications 2026 full ASI01-10 list confirmed (ASI01 Agent Goal Hijack, ASI02 Tool Misuse & Exploitation, ASI04 Agentic Supply Chain Compromise, ASI05 Unexpected Code Execution)
  • AML.T0051 (LLM Prompt Injection) and AML.T0086 (Exfiltration via AI Agent Tool Invocation) confirmed
  • The strongest claim in the brief — that OWASP's own ASI01 material uses EchoLeak (this record's own primary source) as its worked example — confirmed accurate

All validation from the brief's own checklist passes (owasp_asi present on all 5, mitre_atlas present only on 00053/00055/00056 and absent on 00052/00054, 00055's pre-existing AML.T0104 left untouched).

Fix 3 — generalize the 5 additional vendor CLI instances (1f77a64, added scope, confirmed with requester before proceeding): same "describe what to do, not which tool to run" treatment as Fix 1's 00024 case, applied to 00041, 00044, 00045, 00046, 00047. Repo-wide recheck after this commit: only AVE-2026-00024 still names bawbel-scanner, correctly, as the generalized example-implementation reference.

Test plan

  • python scripts/validate_records.py — all 56 records valid
  • pytest tests/ -x -q — 112 passed
  • python scripts/check_fixtures.py / check_rule_coverage.py — clean
  • Fix 1/1.4: grep confirms only 00024 remains, in generalized form
  • Fix 2: all five validation checks from the brief pass (owasp_asi present, mitre_atlas correctly present/absent, 00055 unchanged)
  • Fix 3: repo-wide grep confirms zero remaining vendor CLI command instances outside the generalized 00024 reference
  • No schema_version bump, no schema/ changes — pure record-content edits against the existing v1.1.0 schema, as the brief required

…00001-00003), generalize dependency phrasing (00024)

Scope confirmed via grep before editing per the brief -- found 5
additional instances beyond this brief's expected 4 (00041, 00044,
00045, 00046, 00047, embedding literal bawbel CLI commands in
remediation/detection_methodology), handled separately as Fix 3.

00001-00003: identical detection_methodology boilerplate named
bawbel-scanner as the analysis engine; genericized to "in component
content" / "an LLM-based reviewer" with no vendor reference.

00024: bawbel-scanner is a real dependency statement here (the record
is detected exclusively via Magika, which bawbel-scanner integrates),
not filler -- generalized to name the requirement (a Magika-integrated
scanning tool) with bawbel-scanner kept as one example implementation,
rather than deleted.
All four ASI category names/numbers verified against the current
OWASP Top 10 for Agentic Applications 2026 list before writing (ASI01
Agent Goal Hijack, ASI02 Tool Misuse & Exploitation, ASI04 Agentic
Supply Chain Compromise, ASI05 Unexpected Code Execution), and both
new ATLAS technique names verified (AML.T0051 LLM Prompt Injection,
AML.T0086 Exfiltration via AI Agent Tool Invocation) -- none taken on
brief-text alone.

- AVE-2026-00052: owasp_asi [ASI05, ASI02]. No mitre_atlas -- a
  generic CWE-78 implementation bug in a tool's own handler code, not
  an attack on an ML-specific surface ATLAS's techniques are scoped to.
- AVE-2026-00053: owasp_asi [ASI02, ASI04], mitre_atlas [AML.T0086].
- AVE-2026-00054: owasp_asi [ASI05]. No mitre_atlas, same reasoning as
  00052 -- a JS prototype-chain containment failure isn't an
  ML-specific technique category.
- AVE-2026-00055: owasp_asi [ASI04, ASI05]. Existing mitre_atlas
  (AML.T0104) left unchanged -- verified still correct and unique in
  the corpus.
- AVE-2026-00056: owasp_asi [ASI01], mitre_atlas [AML.T0051]. ASI01
  citing EchoLeak (this record's own primary source, CVE-2025-32711)
  as OWASP's own worked example is confirmed accurate.
…dology (00041, 00044-00047)

Scope found while confirming Fix 1's grep, per this brief's own
instruction to stop and report if the file list differed -- these 5
embedded literal bawbel CLI invocations (bawbel scan, bawbel
scan-server-card, bawbel pin, bawbel-ignore) as actionable steps
inside remediation/detection_methodology, telling defenders to run one
vendor's specific tool rather than describing the control abstractly.
Arguably a stronger vendor-lock-in instance than Fix 1's boilerplate,
since these are commands a defender would actually copy-paste and run.

Same treatment as AVE-2026-00024 in Fix 1: describe what to do, not
which tool to run.

- AVE-2026-00041: "bawbel scan-server-card <url>" -> "scan the
  server-card for behavioral injection patterns"; "bawbel pin" ->
  dropped the flag name, kept the pin-and-detect-changes instruction
- AVE-2026-00044: "scan with bawbel scan" -> "scan for injection
  patterns"
- AVE-2026-00045: "bawbel scan-server-card" -> "scan ... for
  behavioral injection patterns"
- AVE-2026-00046: "bawbel scan" -> "scan ... for hook registration
  patterns"; "bawbel-ignore with justification" -> "suppress the
  finding with documented justification"
- AVE-2026-00047: "bawbel scan --fail-on-severity high" -> "credential-
  pattern scanning ... failing on high-severity findings"; "bawbel-
  ignore" -> "suppress the finding"

Repo-wide recheck after this commit: only AVE-2026-00024 still
references bawbel-scanner by name, correctly (Fix 1's generalized
"one example implementation" phrasing).
Stats table was stale at 51 records / schema 1.0.0 / old severity
counts (badges were already correct at 56, from earlier work -- this
table wasn't). Recomputed severity breakdown from the actual records:
CRITICAL 1, HIGH 11 (was 9), MEDIUM 43 (was 40), LOW 1.

Record index table was missing rows for AVE-2026-00052 through 00056
entirely. Added, titles condensed to match the table's existing Title
Case convention (the same style already used for e.g. 00041's full
title vs. its table row).
@chaksaray chaksaray merged commit 1d991ae into develop Jul 13, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant