Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 10 additions & 7 deletions .claude/skills/add-ave-record/SKILL.md
Original file line number Diff line number Diff line change
Expand Up @@ -26,16 +26,19 @@ Include the evidence fields:
- evidence_basis_engines
- derivable_into

### 4. Write the detection rule
One of: rules/pattern/, rules/yara/, rules/semgrep/.
Must reference the ave_id.

### 5. Write fixtures (TDD — fixtures first)
tests/fixtures/AVE-YYYY-NNNNN_positive.md — MUST trigger
tests/fixtures/AVE-YYYY-NNNNN_negative.md — MUST NOT trigger
### 4. Write conformance fixtures (TDD — fixtures first)
tests/fixtures/AVE-YYYY-NNNNN_positive.md — a conforming implementation MUST flag this
tests/fixtures/AVE-YYYY-NNNNN_negative.md — a conforming implementation MUST NOT flag this
The negative fixture is the false-positive guard. Make it realistic —
a benign file that looks similar to the malicious one.

### 5. Open a coordinated detection-rule PR
Detection rule implementations (pattern, YARA, semgrep, or anything else)
are implementation artifacts, not standard artifacts — they live in
whichever tool implements against this standard, not in this repo. Open a
PR in that tool's own repo (e.g. bawbel/scanner) referencing the ave_id and
the fixtures above; see CONTRIBUTING.md Step 4.

### 6. Validate
```bash
python scripts/validate_records.py
Expand Down
2 changes: 1 addition & 1 deletion .claude/skills/handoff/SKILL.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,8 +9,8 @@ Start: read most recent, run python scripts/validate_records.py.

## Completed
- records/AVE-2026-00049.json — header injection (BadHost) record added
- rules/semgrep/ave-2026-00049.yaml — detection rule
- tests/fixtures/AVE-2026-00049_positive.md + _negative.md
- Coordinated detection-rule PR opened in bawbel/scanner, referencing AVE-2026-00049

## Status
python scripts/validate_records.py → all valid
Expand Down
15 changes: 7 additions & 8 deletions .github/workflows/notify-ave-site.yml
Original file line number Diff line number Diff line change
@@ -1,36 +1,35 @@
name: Notify ave-site on records update

# This workflow lives in bawbel/ave.
# This workflow lives in aveproject/ave.
# Place it at: .github/workflows/notify-ave-site.yml
#
# When records, schema, or rules change on main, it fires a
# repository_dispatch to bawbel/ave-site so the site rebuilds automatically.
# When records or schema change on main, it fires a
# repository_dispatch to aveproject/ave-site so the site rebuilds automatically.
#
# Required secret: AVE_SITE_DEPLOY_TOKEN
# Create a fine-grained PAT with:
# - Repository: bawbel/ave-site
# - Repository: aveproject/ave-site
# - Permissions: Contents (read), Actions (write)
# Add it as a secret named AVE_SITE_DEPLOY_TOKEN in bawbel/ave settings.
# Add it as a secret named AVE_SITE_DEPLOY_TOKEN in aveproject/ave settings.

on:
push:
branches: [main]
paths:
- "records/**"
- "schema/**"
- "rules/**"

jobs:
notify:
name: Trigger ave-site rebuild
runs-on: ubuntu-latest

steps:
- name: Dispatch to bawbel/ave-site
- name: Dispatch to aveproject/ave-site
uses: peter-evans/repository-dispatch@v3
with:
token: ${{ secrets.AVE_SITE_DEPLOY_TOKEN }}
repository: bawbel/ave-site
repository: aveproject/ave-site
event-type: ave-records-updated
client-payload: |
{
Expand Down
9 changes: 3 additions & 6 deletions .github/workflows/tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,11 +27,8 @@ jobs:
- name: Validate all records against the schema
run: python scripts/validate_records.py

- name: Check every rule has positive and negative fixtures
- name: Check every record has positive and negative conformance fixtures
run: python scripts/check_fixtures.py

- name: Check every record has a detection rule
run: python scripts/check_rule_coverage.py

- name: Run tests with coverage (rules/)
run: pytest tests/ -x -q --cov=rules --cov-report=term-missing --cov-fail-under=95
- name: Run tests
run: pytest tests/ -x -q
20 changes: 13 additions & 7 deletions CLAUDE.md
Original file line number Diff line number Diff line change
Expand Up @@ -83,9 +83,15 @@ Full reference: aveproject.org/schema.html

Use the add-ave-record skill. Every record requires:
1. A JSON record in records/ validating against the schema
2. At least one detection rule (pattern, yara, or semgrep)
3. A positive fixture in tests/fixtures/ that must trigger
4. A negative fixture in tests/fixtures/ that must NOT trigger
2. A positive fixture in tests/fixtures/ that a conforming implementation
must flag
3. A negative fixture in tests/fixtures/ that a conforming implementation
must not flag

Detection rule implementations (pattern, YARA, semgrep, or anything else)
are implementation artifacts, not standard artifacts. They live in whichever
tool implements against this standard — open a coordinated PR in that
tool's own repo (see CONTRIBUTING.md Step 4).

Open an issue first to confirm the id. A new ave_id is only for a
genuinely distinct behavioral class — variants go as sub-case notes
Expand Down Expand Up @@ -127,10 +133,9 @@ npm run build:local # build records.js for ave-site

# Python validation
pip install -e ".[dev]"
pytest tests/ -x -q # validate all records + rules
pytest tests/ -x -q # validate records + fixtures
python scripts/validate_records.py # schema-check every record
python scripts/check_rule_coverage.py # every record has >= 1 rule
python scripts/check_fixtures.py # every rule has +/- fixtures
python scripts/check_fixtures.py # every record has +/- fixtures
```

---
Expand All @@ -140,7 +145,8 @@ python scripts/check_fixtures.py # every rule has +/- fixtures
1. Every record validates against schema/ave-record-1.1.0.schema.json.
2. confidence NEVER appears in an AVE record — it is per-detection.
3. Behavioral fingerprints over signatures — describe what it DOES.
4. Every record has at least one rule and a positive + negative fixture.
4. Every record has a positive + negative conformance fixture. Detection
rule implementations live in the implementing tool's own repo, not here.
5. ave_id is immutable once published. Never renumber. Deprecate, never delete.
6. severity and aivss.aivss_score must agree (CRITICAL implies >= 9.0).
7. All names from LANGUAGE.md.
Expand Down
15 changes: 8 additions & 7 deletions LANGUAGE.md
Original file line number Diff line number Diff line change
Expand Up @@ -60,15 +60,16 @@ Optional. The kind of agent component this class primarily affects.

## Rules and fixtures

**Rule** — a detection implementation for an AVE class. One class may have
rules across multiple engines. Lives in rules/pattern/, rules/yara/,
rules/semgrep/.
**Rule** — a detection implementation for an AVE class. An implementation
artifact, not a standard artifact; lives in whichever tool implements
against this standard, not in this repo.

**PositiveFixture** — a test file that MUST trigger the rule.
Lives in tests/fixtures/.
**PositiveFixture** — a test file that a conforming implementation MUST
flag. Lives in tests/fixtures/.

**NegativeFixture** — a benign test file that MUST NOT trigger the rule.
The false-positive guard. A rule without a negative fixture is incomplete.
**NegativeFixture** — a benign test file that a conforming implementation
MUST NOT flag. The false-positive guard. A record without a negative
fixture is incomplete.

---

Expand Down
16 changes: 5 additions & 11 deletions pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -16,18 +16,12 @@ dev = [
]

# Not a Python library -- nothing here imports "bawbel_ave" as a package.
# scripts/ are run directly (python scripts/foo.py) and tests/ load rule
# files dynamically. This pyproject.toml exists for dependency and pytest
# config only, so tell setuptools there's no package to discover/build.
# scripts/ are run directly (python scripts/foo.py) and tests/ check
# records and fixtures directly. This pyproject.toml exists for dependency
# and pytest config only, so tell setuptools there's no package to
# discover/build.
[tool.setuptools]
packages = []

[tool.pytest.ini_options]
testpaths = ["tests"]

[tool.coverage.run]
# Scoped to rules/ deliberately: that's the code pytest's fixture-driven tests
# actually exercise (CLAUDE.md's TDD loop). scripts/ holds one-time migration
# and validation tooling that isn't meant to carry unit-test coverage in the
# same sense -- validate_records.py's "test" is that it validates every record.
source = ["rules"]
testpaths = ["tests"]
21 changes: 0 additions & 21 deletions rules/pattern/AVE-2026-00001.py

This file was deleted.

20 changes: 0 additions & 20 deletions rules/pattern/AVE-2026-00002.py

This file was deleted.

18 changes: 0 additions & 18 deletions rules/pattern/AVE-2026-00003.py

This file was deleted.

18 changes: 0 additions & 18 deletions rules/pattern/AVE-2026-00004.py

This file was deleted.

18 changes: 0 additions & 18 deletions rules/pattern/AVE-2026-00005.py

This file was deleted.

18 changes: 0 additions & 18 deletions rules/pattern/AVE-2026-00006.py

This file was deleted.

17 changes: 0 additions & 17 deletions rules/pattern/AVE-2026-00007.py

This file was deleted.

18 changes: 0 additions & 18 deletions rules/pattern/AVE-2026-00008.py

This file was deleted.

18 changes: 0 additions & 18 deletions rules/pattern/AVE-2026-00009.py

This file was deleted.

18 changes: 0 additions & 18 deletions rules/pattern/AVE-2026-00010.py

This file was deleted.

17 changes: 0 additions & 17 deletions rules/pattern/AVE-2026-00011.py

This file was deleted.

Loading
Loading