# LLM Supply Chain Vulnerabilities

- ID: javascript-llm-supply-chain
- Severity: HIGH
- CWE: Inclusion of Untrusted Functionality (CWE-829)
- Languages: JavaScript, TypeScript
- Frameworks: nodejs

## Description

Detects potential supply chain vulnerabilities in AI/LLM implementations (OWASP LLM05 - Supply Chain Vulnerabilities).

Supply chain attacks in AI can occur through:

- Loading models from untrusted sources
- Using unverified model weights or configurations
- Third-party plugins/tools without integrity verification
- Compromised training data sources
- Insecure model serialization formats

This rule detects:

- Dynamic model loading from user input
- Models loaded from HTTP (not HTTPS)
- Missing integrity verification for model files
- Pickle/unsafe deserialization of model data

## Detection Message

Potential supply chain vulnerability: {issue_type}

## Remediation

Use allowlists for permitted models and verify integrity with checksums.

```javascript
if (!ALLOWED_MODELS[modelId]) {
  throw new Error('Model not in allowlist');
}
const model = await loadVerifiedModel(modelId);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-829/llm-supply-chain

## Related Rules

- **LLM Supply Chain Vulnerabilities** [HIGH]
- **Container Using Latest Tag** [MEDIUM]