178 lines
5.3 KiB
JavaScript
178 lines
5.3 KiB
JavaScript
// severity.mjs — Constants, risk score calculation, verdict logic
|
|
// Zero dependencies. Used by all scanners and the orchestrator.
|
|
|
|
export const SEVERITY = Object.freeze({
|
|
CRITICAL: 'critical',
|
|
HIGH: 'high',
|
|
MEDIUM: 'medium',
|
|
LOW: 'low',
|
|
INFO: 'info',
|
|
});
|
|
|
|
const SEVERITY_WEIGHTS = { critical: 25, high: 10, medium: 4, low: 1, info: 0 };
|
|
|
|
/**
|
|
* Calculate aggregate risk score from severity counts.
|
|
* @param {{ critical: number, high: number, medium: number, low: number, info: number }} counts
|
|
* @returns {number} 0-100 capped score
|
|
*/
|
|
export function riskScore(counts) {
|
|
const raw =
|
|
(counts.critical || 0) * SEVERITY_WEIGHTS.critical +
|
|
(counts.high || 0) * SEVERITY_WEIGHTS.high +
|
|
(counts.medium || 0) * SEVERITY_WEIGHTS.medium +
|
|
(counts.low || 0) * SEVERITY_WEIGHTS.low +
|
|
(counts.info || 0) * SEVERITY_WEIGHTS.info;
|
|
return Math.min(raw, 100);
|
|
}
|
|
|
|
/**
|
|
* Derive verdict from severity counts and risk score.
|
|
* BLOCK if Critical >= 1 OR score >= 61. WARNING if High >= 1 OR score >= 21. Otherwise ALLOW.
|
|
* @param {{ critical: number, high: number, medium: number, low: number, info: number }} counts
|
|
* @returns {'BLOCK' | 'WARNING' | 'ALLOW'}
|
|
*/
|
|
export function verdict(counts) {
|
|
const score = riskScore(counts);
|
|
if ((counts.critical || 0) >= 1 || score >= 61) return 'BLOCK';
|
|
if ((counts.high || 0) >= 1 || score >= 21) return 'WARNING';
|
|
return 'ALLOW';
|
|
}
|
|
|
|
/**
|
|
* Map a 0-100 risk score to a human-readable risk band.
|
|
* @param {number} score - 0-100 risk score
|
|
* @returns {'Low' | 'Medium' | 'High' | 'Critical' | 'Extreme'}
|
|
*/
|
|
export function riskBand(score) {
|
|
if (score <= 20) return 'Low';
|
|
if (score <= 40) return 'Medium';
|
|
if (score <= 60) return 'High';
|
|
if (score <= 80) return 'Critical';
|
|
return 'Extreme';
|
|
}
|
|
|
|
/**
|
|
* Calculate A-F grade from posture/audit pass rate.
|
|
* @param {number} passRate - 0.0 to 1.0
|
|
* @param {number} failsInCritCats - Number of FAIL results in critical categories (1, 2, 5)
|
|
* @param {number} critCount - Number of Critical-severity findings
|
|
* @returns {'A' | 'B' | 'C' | 'D' | 'F'}
|
|
*/
|
|
export function gradeFromPassRate(passRate, failsInCritCats = 0, critCount = 0) {
|
|
if (passRate < 0.33 || critCount >= 3) return 'F';
|
|
if (passRate >= 0.89 && failsInCritCats === 0 && critCount === 0) return 'A';
|
|
if (passRate >= 0.72 && critCount === 0) return 'B';
|
|
if (passRate >= 0.56) return 'C';
|
|
if (passRate >= 0.33) return 'D';
|
|
return 'F';
|
|
}
|
|
|
|
/**
|
|
* Scanner prefix to OWASP LLM Top 10 category mapping.
|
|
*/
|
|
export const OWASP_MAP = Object.freeze({
|
|
UNI: ['LLM01'],
|
|
ENT: ['LLM01', 'LLM03'],
|
|
PRM: ['LLM06'],
|
|
DEP: ['LLM03'],
|
|
TNT: ['LLM01', 'LLM02'],
|
|
GIT: ['LLM03'],
|
|
NET: ['LLM02', 'LLM03'],
|
|
TFA: ['LLM01', 'LLM02', 'LLM06'],
|
|
MCI: ['LLM01', 'LLM02'],
|
|
MEM: ['LLM01'],
|
|
SCR: ['LLM03'],
|
|
PST: ['LLM01', 'LLM06'],
|
|
});
|
|
|
|
/**
|
|
* Scanner prefix to OWASP Agentic AI Top 10 (ASI) category mapping.
|
|
*/
|
|
export const OWASP_AGENTIC_MAP = Object.freeze({
|
|
UNI: ['ASI01'],
|
|
ENT: ['ASI01', 'ASI04'],
|
|
PRM: ['ASI02', 'ASI03'],
|
|
DEP: ['ASI04'],
|
|
TNT: ['ASI01', 'ASI05'],
|
|
GIT: ['ASI04'],
|
|
NET: ['ASI02', 'ASI05'],
|
|
TFA: ['ASI01', 'ASI02', 'ASI05'],
|
|
MCI: ['ASI01', 'ASI04'],
|
|
MEM: ['ASI01', 'ASI02'],
|
|
SCR: ['ASI04'],
|
|
PST: ['ASI02', 'ASI03', 'ASI04', 'ASI05'],
|
|
});
|
|
|
|
/**
|
|
* Scanner prefix to OWASP Skills Top 10 (AST) category mapping.
|
|
*/
|
|
export const OWASP_SKILLS_MAP = Object.freeze({
|
|
UNI: ['AST05'],
|
|
ENT: ['AST02', 'AST05'],
|
|
PRM: ['AST03'],
|
|
DEP: ['AST06'],
|
|
TNT: ['AST01', 'AST02'],
|
|
GIT: ['AST06'],
|
|
NET: ['AST02'],
|
|
TFA: ['AST01', 'AST02', 'AST03'],
|
|
MCI: ['AST01', 'AST02'],
|
|
MEM: ['AST01', 'AST05'],
|
|
SCR: ['AST06'],
|
|
PST: ['AST01', 'AST03'],
|
|
});
|
|
|
|
/**
|
|
* Scanner prefix to OWASP MCP Top 10 category mapping.
|
|
*/
|
|
export const OWASP_MCP_MAP = Object.freeze({
|
|
UNI: ['MCP06'],
|
|
ENT: ['MCP01', 'MCP06'],
|
|
PRM: ['MCP02', 'MCP07'],
|
|
DEP: ['MCP04'],
|
|
TNT: ['MCP05', 'MCP06'],
|
|
GIT: ['MCP04'],
|
|
NET: ['MCP02', 'MCP10'],
|
|
TFA: ['MCP03', 'MCP06'],
|
|
MCI: ['MCP03', 'MCP06', 'MCP09'],
|
|
MEM: ['MCP05', 'MCP06'],
|
|
SCR: ['MCP04'],
|
|
PST: ['MCP02', 'MCP07'],
|
|
});
|
|
|
|
/**
|
|
* Regex matching all supported OWASP framework prefixes:
|
|
* LLM01-LLM10, ASI01-ASI10, AST01-AST10, MCP01-MCP10 (MCP1-MCP10 also accepted).
|
|
*/
|
|
const OWASP_PREFIX_RE = /(?:LLM|ASI|AST|MCP)\d{1,2}/g;
|
|
|
|
/**
|
|
* Group findings by OWASP category across all frameworks.
|
|
* Uses each finding's `owasp` field if present, otherwise falls back to OWASP_MAP by scanner prefix.
|
|
* Recognizes LLM, ASI, AST, and MCP prefixes.
|
|
* @param {object[]} findings - Array of finding objects with scanner, owasp, and severity fields
|
|
* @returns {Record<string, { count: number, critical: number, high: number, medium: number, low: number, info: number }>}
|
|
*/
|
|
export function owaspCategorize(findings) {
|
|
const cats = {};
|
|
for (const f of findings) {
|
|
const categories = [];
|
|
if (f.owasp) {
|
|
const match = f.owasp.match(OWASP_PREFIX_RE);
|
|
if (match) categories.push(...match);
|
|
}
|
|
if (categories.length === 0 && f.scanner && OWASP_MAP[f.scanner]) {
|
|
categories.push(...OWASP_MAP[f.scanner]);
|
|
}
|
|
if (categories.length === 0) categories.push('Unmapped');
|
|
|
|
for (const cat of categories) {
|
|
if (!cats[cat]) cats[cat] = { count: 0, critical: 0, high: 0, medium: 0, low: 0, info: 0 };
|
|
cats[cat].count++;
|
|
if (f.severity && cats[cat][f.severity] !== undefined) {
|
|
cats[cat][f.severity]++;
|
|
}
|
|
}
|
|
}
|
|
return cats;
|
|
}
|