Skip to content

SAF-T1005: cite uncited claims, fix CVE attribution, tidy references#217

Open
fkautz wants to merge 1 commit into
secure-agentic-framework:mainfrom
fkautz:fix/saf-t1005-review
Open

SAF-T1005: cite uncited claims, fix CVE attribution, tidy references#217
fkautz wants to merge 1 commit into
secure-agentic-framework:mainfrom
fkautz:fix/saf-t1005-review

Conversation

@fkautz

@fkautz fkautz commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator

Summary

Addresses the SAF-T1005 (Exposed Endpoint Exploit) review (scored 91, merge-as-is with minor Accuracy fixes). Detection rule logic unchanged (still 26/26).

  • Cite uncited claims (2.1): 5,000+ SQLite-server forks -> Trend Micro; the vague "13,000+ new servers" reframed to the documented ~10,000-20,000 end-of-2025 range (Astrix); Asana -> The Register; Smithery -> GitGuardian + SC Media. All verified for content; dropped an unsourced Asana customer-count figure to match the cited source.
  • CVE-2025-6515 attribution (2.4): JFrog did discover it, so the reference now points at JFrog's primary advisory instead of a secondary Register article.
  • Orphaned references (2.5): moved eSentire / Strobes / Embrace The Red / Adversa AI into a Further Reading list.
  • Hype language (4.1): removed "sophisticated" and "simply".
  • T1046 (1.5): annotated as the Discovery/enumeration phase, not the Initial-Access entry.
  • Bonus: fixed the non-resolving detection-rule references URL (saf-mcp -> secure-agentic-framework) in the shipped file and inline copies, and updated the test that asserted the old URL. The preventive-control SAF-M TODO is left as the tracked follow-up the review flagged.

Test

python3 -m pytest techniques/SAF-T1005/test_detection_rule.py
# 26 passed

🤖 Generated with Claude Code

Address the SAF-T1005 review (scored 91, merge-with-minor-revisions):

- Accuracy 2.1: cited the previously uncited quantitative claims and incidents.
  The 5,000+ SQLite-server forks now cite Trend Micro; the vague "13,000+ new
  servers" claim is reframed to the documented ~10,000-20,000 end-of-2025 range
  (Astrix); the Asana and Smithery incidents now cite The Register and
  GitGuardian / SC Media respectively. Asana wording aligned strictly to what
  the cited source supports (dropped an unsourced customer count).
- Accuracy 2.4: the CVE-2025-6515 reference now points at JFrog's primary
  advisory (JFrog did discover it) instead of a secondary Register article, so
  the discoverer matches the link.
- Accuracy 2.5: moved the four orphaned references (eSentire, Strobes, Embrace
  The Red, Adversa AI) into a Further Reading list.
- Approachability 4.1: removed hype words ("sophisticated", "simply").
- Correctness 1.5: annotated the T1046 mapping as the Discovery/enumeration
  phase rather than the Initial-Access entry.
- Fixed the non-resolving detection-rule references URL (saf-mcp ->
  secure-agentic-framework) in the shipped file and inline copies, and updated
  the test that asserted the old URL.

Detection rule logic unchanged (still 26/26). All new citations verified for
reachability and content. The preventive-control SAF-M TODO is left as the
tracked follow-up the review flagged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Frederick F. Kautz IV <fkautz@alumni.cmu.edu>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant