ktg-plugin-marketplace/plugins/llm-security/playground/test-fixtures/supply-check.md
Kjell Tore Guttormsen ce3891bdd0 feat(llm-security): playground Phase 3 — v7.5.0 with 18 parsers/renderers
The single-file SPA playground now has a parser + renderer for all 18
produces_report=true commands (Phase 2: 10 high-priority + Phase 3: 8
remaining: mcp-inspect, supply-check, pre-deploy, diff, watch,
registry, clean, threat-model). 18 markdown test fixtures serve as
contract anchors for parser development.

The complete demo project `dft-komplett-demo` has all 18 reports
pre-parsed inline — click-through without "parser not implemented"
panels. 2 new archetypes in KEY_STATS_CONFIG: kanban-buckets (clean)
and matrix-risk (threat-model).

Bug fix: normalizeVerdictText now checks GO-WITH-CONDITIONS /
CONDITIONAL / BETINGET BEFORE plain GO, so a conditional verdict
(pre-deploy with open conditions) no longer collapses to ALLOW.

Exposed 11 window globals for testing/automation (__store,
__navigate, __loadDemoState, __PARSERS, __RENDERERS, __CATALOG,
__inferVerdict, __inferKeyStats, __renderPageShell,
__handlePasteImport, __scheduleRender). 12 Playwright-generated
screenshots in playground/screenshots/v7.5.0/.

A11Y report (WCAG 2.1 AA): 0 blocking, 3 minor improvements
flagged for a v7.5.x patch (skip-link, heading hierarchy on project,
aria-live toast).

Version bump 7.4.0 -> 7.5.0 in 10 files (package.json, plugin.json,
CLAUDE.md header, README badge, CHANGELOG entry, 3 scanner VERSION
constants, ROADMAP, marketplace root README).

No scanner or hook behaviour changes — purely additive surface.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-05 22:15:47 +02:00

3.5 KiB
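The precedence bug named in the commit message, shown as an added JavaScript example (this is not the playground's own normalizeVerdictText): a naive substring check tests plain GO first, so GO-WITH-CONDITIONS matches the GO branch and collapses to ALLOW; the fixed version orders its rules from most to least specific and uses word boundaries. The output labels (ALLOW / CONDITIONAL / WARN / BLOCK) and the pattern lists are assumptions.

```javascript
// Added example, not the playground's code. Labels and patterns are assumptions.

// Buggy: plain GO is tested first, so "GO-WITH-CONDITIONS" (and even "NO-GO")
// take the GO branch and collapse to ALLOW.
function normalizeVerdictBuggy(text) {
  const t = String(text).toUpperCase();
  if (t.includes("GO")) return "ALLOW";
  if (t.includes("CONDITIONAL") || t.includes("BETINGET")) return "CONDITIONAL";
  if (t.includes("BLOCK")) return "BLOCK";
  return "UNKNOWN";
}

// Fixed: rules run most-specific first. Word boundaries alone are not enough,
// because "GO-WITH-CONDITIONS" and "NO-GO" both contain a word-bounded GO, so
// the conditional and blocking rules must be tried before the plain GO rule.
const VERDICT_RULES = [
  [/\bNO[- ]GO\b|\bBLOCK(?:ED)?\b|\bDENY\b/, "BLOCK"],
  [/\bGO[- ]WITH[- ]CONDITIONS\b|\bCONDITIONAL\b|\bBETINGET\b/, "CONDITIONAL"],
  [/\bWARN(?:ING)?\b/, "WARN"],
  [/\bGO\b|\bPASS\b|\bALLOW\b/, "ALLOW"],
];

function normalizeVerdict(text) {
  const t = String(text).toUpperCase();
  for (const [re, label] of VERDICT_RULES) {
    if (re.test(t)) return label;
  }
  return "UNKNOWN";
}

console.log(normalizeVerdictBuggy("GO-WITH-CONDITIONS"), normalizeVerdict("GO-WITH-CONDITIONS"));
```

The same ordering rule applies to any verdict vocabulary where one token is a prefix or substring of another; keeping the rules in a single ordered table makes the precedence reviewable instead of implicit in an if-chain.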

Supply-Chain Recheck Report


Header

| Field | Value |
|---|---|
| Report type | supply-check |
| Target | ~/repos/dft-marketplace |
| Date | 2026-05-05 |
| Version | llm-security v7.4.0 |
| Scope | npm + pip + cargo lockfiles |
| Frameworks | OWASP LLM03, NIST SSDF |
| Triggered by | /security supply-check |

Risk Dashboard

| Metric | Value |
|---|---|
| Risk Score | 22/100 |
| Risk Band | Medium |
| Grade | B |
| Verdict | WARNING |

| Severity | Count |
|---|---|
| Critical | 0 |
| High | 1 |
| Medium | 4 |
| Low | 2 |
| Info | 6 |
| Total | 13 |

Verdict rationale: 1 HIGH OSV.dev advisory on lefthook@1.4.2 (CVE-2024-1234, denial of service via crafted hook config). 3 MEDIUM typosquat candidates (2 npm, 1 pip) and 1 MEDIUM package published less than 72h ago, all flagged for manual review.


Ecosystem Coverage

| Ecosystem | Lockfile | Packages | OSV.dev Hits | Typosquats |
|---|---|---|---|---|
| npm | package-lock.json | 412 | 1 | 2 |
| pip | requirements.txt | 38 | 0 | 1 |
| cargo | Cargo.lock | 71 | 0 | 0 |
| go | go.sum | 0 | 0 | 0 |
| docker | (none) | 0 | 0 | 0 |
| Total | | 521 | 1 | 3 |

Findings

High

| ID | Category | File | Line | Description | OWASP |
|---|---|---|---|---|---|
| SCR-001 | OSV.dev CVE | package-lock.json | 8421 | lefthook@1.4.2 → CVE-2024-1234 (DoS via crafted hook config) | LLM03 |

Medium

| ID | Category | File | Line | Description | OWASP |
|---|---|---|---|---|---|
| SCR-002 | Typosquat | package-lock.json | 1247 | expresss (three s's), Levenshtein 1 vs express | LLM03 |
| SCR-003 | Typosquat | package-lock.json | 2891 | lodahs, Levenshtein 2 vs lodash | LLM03 |
| SCR-004 | Typosquat | requirements.txt | 22 | request-mock (no s), Levenshtein 1 vs the legitimate requests-mock; manual review | LLM03 |
| SCR-005 | Recent | package-lock.json | 5103 | colorette@3.1.0 published 71 hours ago (inside the 72h gate) | LLM03 |
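The checks behind SCR-002 to SCR-005, as an added JavaScript example rather than the plugin's own scanner: a package-lock.json (lockfileVersion 3) and a requirements.txt are parsed into package lists, each name is compared by Levenshtein distance against a list of popular packages, and each version is checked against the 72h publish gate. The popular-package lists, the gate, and the publish timestamps (which a real scanner fetches from the registry) are assumptions, and both input files are constructed inline.

```javascript
// Added example, not the plugin's own scanner. The popular-package lists, the
// 72h gate and the publish timestamps are assumptions; the lockfile and
// requirements file below are constructed, not real project files.

const POPULAR_NPM = ["express", "lodash", "react", "chalk", "colorette", "lefthook"];
const POPULAR_PYPI = ["requests", "requests-mock", "flask", "chardet"];
const RECENT_GATE_HOURS = 72;

// Plain Levenshtein distance (insert/delete/substitute, no transposition), so
// a swapped pair such as lodahs/lodash scores 2, as in SCR-003.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// package-lock.json v2/v3 lists every installed package under "packages"; the
// name is whatever follows the last "node_modules/" (scoped names included).
function npmPackages(lockJson) {
  const out = [];
  for (const [key, meta] of Object.entries(JSON.parse(lockJson).packages || {})) {
    if (key === "") continue;                                  // root project entry
    const i = key.lastIndexOf("node_modules/");
    out.push({ name: i < 0 ? key : key.slice(i + 13), version: meta.version });
  }
  return out;
}

// requirements.txt: one requirement per line; comments, blanks and option
// lines (-r, -e, --index-url) are skipped; names are lower-cased like pip does.
function pipPackages(text) {
  const out = [];
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*$/, "").trim();
    if (!line || line.startsWith("-")) continue;
    const m = /^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:[=<>!~]=?\s*([^\s;,]+))?/.exec(line);
    if (m) out.push({ name: m[1].toLowerCase(), version: m[2] });
  }
  return out;
}

// Names within maxDistance edits of a popular package, but not equal to one,
// are typosquat candidates (SCR-002..004); an exact match is the real package.
function typosquatCandidates(pkgs, popular, maxDistance = 2) {
  const known = new Set(popular);
  const findings = [];
  for (const p of pkgs) {
    if (known.has(p.name)) continue;
    for (const target of popular) {
      const distance = levenshtein(p.name, target);
      if (distance <= maxDistance) findings.push({ name: p.name, target, distance });
    }
  }
  return findings;
}

// Versions younger than the gate sit in the post-publish attack window (SCR-005).
// publishedAt maps "name@version" to a registry timestamp fetched out of band;
// packages without one are skipped rather than guessed.
function recentlyPublished(pkgs, publishedAt, nowIso, gateHours = RECENT_GATE_HOURS) {
  const findings = [];
  for (const p of pkgs) {
    const ts = publishedAt[`${p.name}@${p.version}`];
    if (!ts) continue;
    const hours = (Date.parse(nowIso) - Date.parse(ts)) / 3.6e6;
    if (hours < gateHours) findings.push({ name: p.name, version: p.version, hoursSincePublish: Math.floor(hours) });
  }
  return findings;
}

// Constructed inputs.
const LOCK = JSON.stringify({
  name: "dft-marketplace", lockfileVersion: 3, packages: {
    "": { name: "dft-marketplace" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/expresss": { version: "0.0.1" },
    "node_modules/lodahs": { version: "1.0.0" },
    "node_modules/colorette": { version: "3.1.0" },
    "node_modules/@acme/tool": { version: "2.0.0" },
  },
});
const REQUIREMENTS = "# constructed\nrequests-mock==1.12.1\nrequest-mock==1.0.0\nchardet==3.0.4\n-r dev.txt\n";
const PUBLISHED_AT = { "colorette@3.1.0": "2026-05-02T21:00:00Z", "express@4.19.2": "2024-01-01T00:00:00Z" };
const NOW = "2026-05-05T20:00:00Z";                              // scan time, 71h after colorette

function runSupplyCheck() {
  const npm = npmPackages(LOCK);
  return {
    npmTyposquats: typosquatCandidates(npm, POPULAR_NPM),
    pipTyposquats: typosquatCandidates(pipPackages(REQUIREMENTS), POPULAR_PYPI),
    recent: recentlyPublished(npm, PUBLISHED_AT, NOW),
  };
}

console.log(JSON.stringify(runSupplyCheck(), null, 2));
```

A distance threshold of 2 against a short popular list is deliberately noisy: it is a triage signal for manual review (as SCR-004 says), not a verdict, and in practice the popular list should be the top few thousand names per registry, with an allow-list for names the project knowingly depends on.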

Low

| ID | Category | File | Line | Description | OWASP |
|---|---|---|---|---|---|
| SCR-006 | Maintenance | package-lock.json | | 18 packages with last publish > 730 days | |
| SCR-007 | License | requirements.txt | 12 | chardet==3.0.4 is LGPL-2.1; verify compatibility with the project license | |

Info

| ID | Category | File | Line | Description | OWASP |
|---|---|---|---|---|---|
| SCR-008 | Provenance | package-lock.json | | 412/412 packages have npm-registry provenance | |
| SCR-009 | Provenance | Cargo.lock | | All 71 crates from crates.io | |
| SCR-010 | Coverage | go.sum | | No Go dependencies detected | |
| SCR-011 | Coverage | (docker) | | No Dockerfile detected | |
| SCR-012 | Cache | OSV.dev | | 521 packages queried, 510 cached, 11 fresh lookups | |
| SCR-013 | Cache TTL | OSV.dev | | OSV cache TTL: 6 hours, hit-rate 97.9% (510/521) | |
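How the OSV.dev lookup and the cache figures in SCR-012/SCR-013 fit together, as an added JavaScript example that is not the plugin's own client: packages are first answered from a TTL cache, only the misses go into a querybatch request, and the answers (including empty ones) are written back so clean packages are not re-queried until the TTL expires. The request and response shapes follow the public OSV.dev querybatch API; the response below is constructed, no network call is made, and the cache layout and hit-rate arithmetic are assumptions.

```javascript
// Added example, not the plugin's own OSV client. querybatch request/response
// shapes follow the public OSV.dev API; the response below is constructed,
// nothing is sent over the network, and the cache layout is an assumption.

const OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch";
const CACHE_TTL_MS = 6 * 60 * 60 * 1000;                 // 6h, as in SCR-013

const cacheKey = p => `${p.ecosystem}:${p.name}@${p.version}`;

// Answer from the cache while the entry is younger than the TTL; unknown or
// expired entries become fresh lookups.
function partitionByCache(pkgs, cache, nowMs) {
  const hits = [], misses = [];
  for (const p of pkgs) {
    const e = cache.get(cacheKey(p));
    if (e && nowMs - e.fetchedAt < CACHE_TTL_MS) hits.push({ pkg: p, vulns: e.vulns, cached: true });
    else misses.push(p);
  }
  return { hits, misses };
}

// One query per package, in the order of `misses`; querybatch answers positionally.
function buildQueryBatch(pkgs) {
  return {
    queries: pkgs.map(p => ({ package: { name: p.name, ecosystem: p.ecosystem }, version: p.version })),
  };
}

// results[i].vulns is a list of {id, modified}; full advisory details need a
// follow-up /v1/vulns/{id} call. Empty answers are cached too, so a clean
// package is not re-queried until the TTL expires.
function ingestQueryBatch(misses, response, cache, nowMs) {
  const results = response && response.results;
  if (!Array.isArray(results) || results.length !== misses.length) {
    throw new Error("querybatch response does not line up with the request");
  }
  return misses.map((p, i) => {
    const vulns = (results[i].vulns || []).map(v => ({ id: v.id, modified: v.modified }));
    cache.set(cacheKey(p), { fetchedAt: nowMs, vulns });
    return { pkg: p, vulns, cached: false };
  });
}

// Cache figures in the form SCR-012/013 report them.
function cacheStats(hits, misses) {
  const total = hits.length + misses.length;
  return {
    queried: total, cached: hits.length, fresh: misses.length,
    hitRatePct: total === 0 ? 0 : Math.round((hits.length / total) * 1000) / 10,
  };
}

// Constructed run: four packages, a cache with two fresh entries and one expired.
const NOW_MS = Date.parse("2026-05-05T20:00:00Z");
const PKGS = [
  { ecosystem: "npm", name: "express", version: "4.19.2" },
  { ecosystem: "npm", name: "lefthook", version: "1.4.2" },
  { ecosystem: "PyPI", name: "chardet", version: "3.0.4" },
  { ecosystem: "crates.io", name: "serde", version: "1.0.200" },
];

function runOsvCheck() {
  const cache = new Map([
    ["npm:express@4.19.2", { fetchedAt: NOW_MS - 1 * 3.6e6, vulns: [] }],   // fresh
    ["PyPI:chardet@3.0.4", { fetchedAt: NOW_MS - 5 * 3.6e6, vulns: [] }],   // fresh
    ["npm:lefthook@1.4.2", { fetchedAt: NOW_MS - 7 * 3.6e6, vulns: [] }],   // expired
  ]);
  const { hits, misses } = partitionByCache(PKGS, cache, NOW_MS);
  const request = { url: OSV_QUERYBATCH_URL, body: buildQueryBatch(misses) };   // what would be POSTed
  // Constructed stand-in for the real response; the id is the fixture's placeholder, not verified.
  const response = { results: [{ vulns: [{ id: "CVE-2024-1234", modified: "2026-04-30T00:00:00Z" }] }, { vulns: [] }] };
  const fresh = ingestQueryBatch(misses, response, cache, NOW_MS);
  return { request, results: [...hits, ...fresh], stats: cacheStats(hits, misses), cacheSize: cache.size };
}

console.log(JSON.stringify(runOsvCheck(), null, 2));
```

Two practical points the report's numbers depend on: the TTL bounds how stale a "clean" answer can be (a 6h TTL means a new advisory can go unnoticed for up to 6h on a cached package), and querybatch results are positional, so the code must refuse a response whose length does not match the request rather than silently mis-assigning advisories to packages. Large package lists should be chunked and paginated as the OSV.dev documentation describes.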

Recommendations

  1. Immediate: Bump lefthook to ≥1.5.0 to clear CVE-2024-1234 (e.g. npm install lefthook@latest), then re-run the supply-check to confirm the HIGH finding is gone.
  2. High: Verify that expresss and lodahs are intentional; both sit within one or two edits of express/lodash and look like typosquat bait. Remove them unless a dependent genuinely requires them.
  3. Medium: Defer pinning colorette@3.1.0 until it has cleared the 72h publish gate (71h at scan time); a further 24h of margin is reasonable, since freshly published versions are the supply-chain attack window.
  4. Low: Audit the LGPL-2.1 dependency chardet==3.0.4 for license compatibility with the project license.

Supply-chain recheck complete. 521 packages across 3 ecosystems, 13 findings.