更新: 359 个文件 - 2026-03-16 23:30:01

这个提交包含在:
hao
2026-03-16 23:30:01 -07:00
父节点 527990f535
当前提交 2974cd9ad9
修改 359 个文件,包含 6332 行新增673 行删除


@@ -12,10 +12,13 @@ THREAT_INTEL_ROOT = ROOT / "08-threat-intel"
REGISTRY_ROOT = THREAT_INTEL_ROOT / "registry"
ADVISORIES_DIR = REGISTRY_ROOT / "advisories"
SYSTEMS_DIR = REGISTRY_ROOT / "systems"
RUNS_DIR = REGISTRY_ROOT / "runs"
TRIAGE_DIR = REGISTRY_ROOT / "triage"
GENERATED_DIR = THREAT_INTEL_ROOT / "generated"
SECURE_CODE_ROOT = ROOT / "05-defense" / "secure-code"
SOURCE_MAP_PATH = THREAT_INTEL_ROOT / "source-map.yaml"
REPRO_MAP_PATH = THREAT_INTEL_ROOT / "repro-map.yaml"
REPRO_PROFILES_DIR = THREAT_INTEL_ROOT / "repro-profiles"
STATE_DIR = Path.home() / ".local" / "state" / "websafe-intel"
STATE_PATH = STATE_DIR / "state.json"
@@ -33,6 +36,16 @@ def load_source_map() -> Dict[str, Any]:
return data
def load_repro_map() -> Dict[str, Any]:
if not REPRO_MAP_PATH.exists():
return {"systems": []}
with REPRO_MAP_PATH.open("r", encoding="utf-8") as handle:
data = yaml.safe_load(handle) or {}
if not isinstance(data, dict) or "systems" not in data:
return {"systems": []}
return data
def get_systems_by_group(source_map: Dict[str, Any]) -> Dict[str, List[Dict[str, Any]]]:
groups: Dict[str, List[Dict[str, Any]]] = {}
for system in source_map["systems"]:
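Review bot: `load_repro_map` checks that the YAML root is a dict with a `systems` key but never checks that `systems` is a list, so a mistyped `systems: foo` in repro-map.yaml passes the guard and a caller iterating it would loop over characters instead of system entries. Tightening the guard to `if not isinstance(data, dict) or not isinstance(data.get("systems"), list): return {"systems": []}` keeps the fallback shape consistent with the missing-file path. A malformed file is also silently treated as empty, and as far as the `validate` hunk on this commit shows only a missing repro-map.yaml is reported, so a parse or shape problem would surface only as an empty system list — a warning before returning the fallback would make that visible. `get_systems_by_group` continues outside the hunk.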


@@ -64,6 +64,21 @@ class AdvisoryRecord:
secure_code_topics: List[str]
status: str
triage_reasons: List[str] = field(default_factory=list)
verification_status: str = "triage-manual"
verification_mode: str = "synthetic"
last_verified_at: Optional[str] = None
last_run_id: Optional[str] = None
evidence_bundle: Optional[str] = None
browser_evidence: Dict[str, Any] = field(
default_factory=lambda: {
"required": False,
"present": False,
"refs": [],
}
)
repro_profile_id: Optional[str] = None
artifact_mode: Optional[str] = None
blocked_reason: Optional[str] = None
metadata: Dict[str, Any] = field(default_factory=dict)
def to_dict(self) -> Dict[str, Any]:
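Review bot: The new `verification_status` and `verification_mode` fields are plain `str` with no documentation of their allowed values, even though `_status_counts` in intel/render.py on this same commit branches on exactly `"verified-real"`, `"verified-synthetic"` and a `"blocked-"` prefix and drops everything else into the manual bucket, so a misspelled status would be silently miscounted. Each field deserves at least a comment stating the vocabulary, e.g. `verification_status: str = "triage-manual"  # "triage-manual" | "verified-real" | "verified-synthetic" | "blocked-<reason>"; see _status_counts in intel.render`, and likewise for `verification_mode` (`"synthetic"` is the only value visible here). A module-level tuple of the known statuses that `__post_init__` or the registry validator checks against would make that contract enforceable rather than implicit. `browser_evidence` would also benefit from a one-line note that `present` is the key the renderers read. The `AdvisoryRecord` class header and `to_dict` lie outside the hunk.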


@@ -8,6 +8,8 @@ from typing import Any, Dict, Iterable, List
from intel.config import FRAMEWORK_ROOT, GENERATED_DIR, REGISTRY_ROOT, ROOT, SECURE_CODE_ROOT, SYSTEMS_DIR, TRIAGE_DIR
from intel.models import AdvisoryRecord
from intel.utils import ensure_dir, isoformat, now_utc, write_json, write_text
from lab.render import render_dashboard as render_lab_dashboard
from lab.repro import annotate_with_latest_run, latest_runs_by_advisory
UTC = timezone.utc
@@ -109,6 +111,25 @@ FORBIDDEN_SCENARIOS = [
]
def _merged_item(item: AdvisoryRecord, run_map: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
return annotate_with_latest_run(item.to_dict(), run_map.get(item.canonical_id))
def _status_counts(items: List[Dict[str, Any]]) -> Dict[str, int]:
counts = {"verified_real": 0, "verified_synthetic": 0, "blocked": 0, "manual": 0}
for item in items:
status = item.get("verification_status")
if status == "verified-real":
counts["verified_real"] += 1
elif status == "verified-synthetic":
counts["verified_synthetic"] += 1
elif status and status.startswith("blocked-"):
counts["blocked"] += 1
else:
counts["manual"] += 1
return counts
def _recent_count(items: Iterable[AdvisoryRecord], days: int = 30) -> int:
cutoff = now_utc() - timedelta(days=days)
total = 0
@@ -161,6 +182,7 @@ def _clear_json_dir(path: Path) -> None:
def render_system_scaffolding(source_map: Dict[str, Any], advisories: List[AdvisoryRecord]) -> None:
run_map = latest_runs_by_advisory()
grouped: Dict[str, List[AdvisoryRecord]] = defaultdict(list)
for advisory in advisories:
grouped[advisory.system_id].append(advisory)
@@ -172,7 +194,9 @@ def render_system_scaffolding(source_map: Dict[str, Any], advisories: List[Advis
ensure_dir(system_dir / "cases")
items = sorted(grouped.get(system["system_id"], []), key=lambda item: item.published_at or "", reverse=True)
merged_items = [_merged_item(item, run_map) for item in items]
markdown_count = len([item for item in items if item.render_markdown and item.case_path])
counts = _status_counts(merged_items)
index_lines = [
f"# {system['display_name']}",
"",
@@ -184,6 +208,10 @@ def render_system_scaffolding(source_map: Dict[str, Any], advisories: List[Advis
f"- 总案例数: `{len(items)}`",
f"- 近 30 天新增/更新: `{_recent_count(items)}`",
f"- 重点 Markdown 案例数: `{markdown_count}`",
f"- 已实证(真实版本): `{counts['verified_real']}`",
f"- 已实证(synthetic): `{counts['verified_synthetic']}`",
f"- 阻塞数: `{counts['blocked']}`",
f"- 待人工/缺浏览器证据: `{counts['manual']}`",
f"- 最近渲染时间: `{isoformat(now_utc())}`",
"",
"## 目标约束",
@@ -205,19 +233,19 @@ def render_system_scaffolding(source_map: Dict[str, Any], advisories: List[Advis
"",
"## 案例列表",
"",
"| 标题 | 严重度 | 状态 | 来源置信度 | 更新时间 | 案例页 |",
"|------|--------|------|------------|----------|--------|",
"| 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |",
"|------|--------|----------|----------|----------|------------|----------|--------|",
]
)
if items:
for item in items:
case_link = f"[link]({_abs_repo_path(item.case_path)})" if item.case_path else "-"
timestamp = item.updated_at or item.published_at or ""
if merged_items:
for item in merged_items:
case_link = f"[link]({_abs_repo_path(item['case_path'])})" if item.get("case_path") else "-"
timestamp = item.get("updated_at") or item.get("published_at") or ""
index_lines.append(
f"| {item.title} | `{item.severity}` | `{item.status}` | `{item.source_confidence}` | `{timestamp}` | {case_link} |"
f"| {item['title']} | `{item['severity']}` | `{item['status']}` | `{item.get('verification_status', 'triage-manual')}` | `{item.get('verification_mode', '-')}` | `{item['source_confidence']}` | `{timestamp}` | {case_link} |"
)
else:
index_lines.append("| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | - |")
index_lines.append("| No advisories yet | `n/a` | `empty` | `n/a` | `n/a` | `n/a` | `n/a` | - |")
write_text(system_dir / "INDEX.md", "\n".join(index_lines))
system_registry_path = _abs_repo_path("08-threat-intel", "registry", "systems", f"{system['system_id']}.json")
@@ -274,9 +302,11 @@ def render_system_scaffolding(source_map: Dict[str, Any], advisories: List[Advis
def render_case_pages(advisories: List[AdvisoryRecord]) -> None:
run_map = latest_runs_by_advisory()
for item in advisories:
if not item.render_markdown or not item.case_path:
continue
merged = _merged_item(item, run_map)
lines = [
"---",
f'title: "{item.title.replace(chr(34), chr(39))}"',
@@ -288,6 +318,10 @@ def render_case_pages(advisories: List[AdvisoryRecord]) -> None:
f'severity: "{item.severity}"',
f'exploit_status: "{item.exploit_status}"',
f'source_confidence: "{item.source_confidence}"',
f'verification_status: "{merged.get("verification_status", "triage-manual")}"',
f'verification_mode: "{merged.get("verification_mode", "synthetic")}"',
f'artifact_mode: "{merged.get("artifact_mode") or ""}"',
f'last_run_id: "{merged.get("last_run_id") or ""}"',
'target_types:',
' - "lab-local"',
' - "lab-public"',
@@ -315,6 +349,15 @@ def render_case_pages(advisories: List[AdvisoryRecord]) -> None:
"",
f"# {item.title}",
"",
"## 本地实证状态",
"",
f"- 实证状态: `{merged.get('verification_status', 'triage-manual')}`",
f"- 实证方式: `{merged.get('verification_mode', 'synthetic')}`",
f"- Artifact 模式: `{merged.get('artifact_mode') or 'unknown'}`",
f"- 最近运行: `{merged.get('last_run_id') or '-'}`",
f"- 浏览器证据: `{'present' if merged.get('browser_evidence', {}).get('present') else 'missing'}`",
f"- Run Bundle: `{merged.get('evidence_bundle') or '-'}`",
"",
"## 事件层",
"",
f"- Canonical ID: `{item.canonical_id}`",
@@ -362,9 +405,10 @@ def render_registry(source_map: Dict[str, Any], advisories: List[AdvisoryRecord]
_clear_json_dir(REGISTRY_ROOT / "systems")
_clear_json_dir(TRIAGE_DIR)
run_map = latest_runs_by_advisory()
grouped: Dict[str, List[AdvisoryRecord]] = defaultdict(list)
for advisory in advisories:
write_json(REGISTRY_ROOT / "advisories" / f"{advisory.canonical_id}.json", advisory.to_dict())
write_json(REGISTRY_ROOT / "advisories" / f"{advisory.canonical_id}.json", _merged_item(advisory, run_map))
grouped[advisory.system_id].append(advisory)
triage_by_system: Dict[str, List[Dict[str, Any]]] = defaultdict(list)
@@ -375,6 +419,8 @@ def render_registry(source_map: Dict[str, Any], advisories: List[AdvisoryRecord]
for system in source_map["systems"]:
system_id = system["system_id"]
items = grouped.get(system_id, [])
merged_items = [_merged_item(item, run_map) for item in items]
counts = _status_counts(merged_items)
payload = {
"system_id": system_id,
"display_name": system["display_name"],
@@ -386,6 +432,10 @@ def render_registry(source_map: Dict[str, Any], advisories: List[AdvisoryRecord]
"latest_update": max((item.updated_at or item.published_at or "" for item in items), default=""),
"output_dir": system["output_dir"],
"secure_code_topics": system.get("secure_code_topics", []),
"verified_real": counts["verified_real"],
"verified_synthetic": counts["verified_synthetic"],
"blocked_count": counts["blocked"],
"manual_count": counts["manual"],
"items": [item.canonical_id for item in sorted(items, key=lambda item: item.published_at or "", reverse=True)],
}
write_json(SYSTEMS_DIR / f"{system_id}.json", payload)
@@ -400,6 +450,7 @@ def render_generated(
) -> None:
ensure_dir(GENERATED_DIR)
systems = {item["system_id"]: item for item in source_map["systems"]}
run_map = latest_runs_by_advisory()
change_summary = change_summary or {}
triage_by_system: Dict[str, List[Dict[str, Any]]] = defaultdict(list)
for item in triage:
@@ -408,19 +459,24 @@ def render_generated(
coverage_lines = [
"# 覆盖矩阵",
"",
"| 系统 | 分类 | 覆盖策略 | 历史全量 | 近两年全量 | 全量 registry | 重点案例 Markdown | secure-code 关联 | 自动同步状态 | triage | 最近更新 |",
"|------|------|----------|----------|------------|--------------|--------------------|------------------|--------------|--------|----------|",
"| 系统 | 分类 | 覆盖策略 | 历史全量 | 近两年全量 | 全量 registry | 重点案例 Markdown | secure-code 关联 | 自动同步状态 | 本地实证状态 | 浏览器证据 | run bundle | triage | 最近更新 |",
"|------|------|----------|----------|------------|--------------|--------------------|------------------|--------------|--------------|------------|-----------|--------|----------|",
]
by_system: Dict[str, List[AdvisoryRecord]] = defaultdict(list)
for advisory in advisories:
by_system[advisory.system_id].append(advisory)
for system_id, system in sorted(systems.items()):
items = by_system.get(system_id, [])
merged_items = [_merged_item(item, run_map) for item in items]
counts = _status_counts(merged_items)
markdown_count = len([item for item in items if item.case_path])
sync_state = "seeded" if items else "scaffolded"
recent = max((item.updated_at or item.published_at or "" for item in items), default="")
browser_present = len([item for item in merged_items if item.get("browser_evidence", {}).get("present")])
run_bundle_count = len([item for item in merged_items if item.get("last_run_id")])
proof_state = f"real:{counts['verified_real']}/synthetic:{counts['verified_synthetic']}/blocked:{counts['blocked']}"
coverage_lines.append(
f"| {system['display_name']} | `{system['category']}` | `{system['tier']}` | `{'yes' if system['tier'] == 'history-full' else '-'}` | `yes` | `{len(items)}` | `{markdown_count}` | `{len(system.get('secure_code_topics', []))}` | `{sync_state}` | `{len(triage_by_system.get(system_id, []))}` | `{recent}` |"
f"| {system['display_name']} | `{system['category']}` | `{system['tier']}` | `{'yes' if system['tier'] == 'history-full' else '-'}` | `yes` | `{len(items)}` | `{markdown_count}` | `{len(system.get('secure_code_topics', []))}` | `{sync_state}` | `{proof_state}` | `{browser_present}` | `{run_bundle_count}` | `{len(triage_by_system.get(system_id, []))}` | `{recent}` |"
)
write_text(GENERATED_DIR / "coverage-matrix.md", "\n".join(coverage_lines))
@@ -432,6 +488,7 @@ def render_generated(
f"- 系统数量: `{len(source_map['systems'])}`",
f"- Advisory 数量: `{len(advisories)}`",
f"- 重点 Markdown 数量: `{markdown_total}`",
f"- Run Bundle 数量: `{len(run_map)}`",
f"- 新增记录: `{change_summary.get('new_count', 0)}`",
f"- 更新记录: `{change_summary.get('updated_count', 0)}`",
f"- Triage 数量: `{len(triage)}`",
@@ -454,9 +511,11 @@ def render_generated(
"updated_count": change_summary.get("updated_count", 0),
"systems_touched": change_summary.get("systems_touched", []),
"triage_count": len(triage),
"run_bundle_count": len(run_map),
"failures": failures,
},
)
render_lab_dashboard()
def render_secure_code(source_map: Dict[str, Any]) -> None:
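Review bot: In `render_case_pages` the four new front-matter lines (`verification_status`, `verification_mode`, `artifact_mode`, `last_run_id`) interpolate run-derived values straight into double-quoted YAML scalars, whereas the `title` line in the preceding hunk escapes `"` via `.replace(chr(34), chr(39))`; a run id or artifact mode containing a double quote would terminate the scalar and corrupt the page's front matter. Routing those values through a small helper that mirrors the title's escaping (below) keeps the file's existing convention, and if `json` is imported in this module `json.dumps(str(value))` is the stricter alternative since it also escapes newlines. Separately, `latest_runs_by_advisory()` is now called independently in `render_system_scaffolding`, `render_case_pages`, `render_registry` and `render_generated`, so the runs directory is scanned four times and the four outputs can disagree if it changes mid-render — consider computing the map once in the caller and passing it through as an optional `run_map` parameter. `render_case_pages` and the other functions touched here continue outside the hunk boundaries.
```python
def _fm(value: Any) -> str:
    # Front-matter values are emitted inside double quotes; mirror the title line's
    # escaping so a stray '"' in run-derived data cannot terminate the YAML scalar.
    return str(value if value is not None else "").replace(chr(34), chr(39))


# … unchanged: render_case_pages up to the front-matter list …
            f'verification_status: "{_fm(merged.get("verification_status", "triage-manual"))}"',
            f'verification_mode: "{_fm(merged.get("verification_mode", "synthetic"))}"',
            f'artifact_mode: "{_fm(merged.get("artifact_mode") or "")}"',
            f'last_run_id: "{_fm(merged.get("last_run_id") or "")}"',
# … unchanged: remaining front-matter and body lines …
```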


@@ -3,7 +3,7 @@ from __future__ import annotations
from pathlib import Path
from typing import Any, Dict, List
from intel.config import FRAMEWORK_ROOT, GENERATED_DIR, REGISTRY_ROOT, ROOT, SECURE_CODE_ROOT, SOURCE_MAP_PATH, SYSTEMS_DIR
from intel.config import FRAMEWORK_ROOT, GENERATED_DIR, REGISTRY_ROOT, REPRO_MAP_PATH, ROOT, SECURE_CODE_ROOT, SOURCE_MAP_PATH, SYSTEMS_DIR
from intel.render import LANGUAGES, TOPIC_DESCRIPTIONS
from intel.utils import load_all_json
@@ -15,6 +15,9 @@ REQUIRED_REGISTRY_FIELDS = {
"severity",
"source_confidence",
"status",
"verification_status",
"verification_mode",
"repro_profile_id",
}
REQUIRED_SYSTEM_FIELDS = {
@@ -36,6 +39,8 @@ def validate(source_map: Dict[str, Any]) -> List[str]:
errors: List[str] = []
if not SOURCE_MAP_PATH.exists():
errors.append("source-map.yaml is missing")
if not REPRO_MAP_PATH.exists():
errors.append("repro-map.yaml is missing")
systems = source_map.get("systems", [])
ids = set()
@@ -76,6 +81,8 @@ def validate(source_map: Dict[str, Any]) -> List[str]:
GENERATED_DIR / "coverage-matrix.md",
GENERATED_DIR / "latest-ingest.md",
GENERATED_DIR / "run-summary.json",
GENERATED_DIR / "dashboard" / "index.html",
GENERATED_DIR / "dashboard" / "summary.json",
ROOT / "08-threat-intel" / "registry" / "source-confidence.md",
]:
if not path.exists():