Server identity does not match a known security advisory
Authored by Stanley Hong · AgentReserve (founder).
The `serverInfo.name` and `serverInfo.version` advertised on `initialize` do not match any entry in the AgentReserve in-tree advisory catalog. The catalog (`src/lib/scoring/signals/known-advisories.ts`) is a small, curated, public list of MCP server implementations with documented security incidents — entries cite a public reference (CVE / GHSA / vendor advisory / post-mortem). A match is a hard-fail block: the operator should rotate to a fixed version (or off the implementation) before any further trust is extended.
When this rule runs
Requires a successful MCP `initialize` / `tools/list`. Skipped on perimeter-only scans where the server refused or failed the MCP handshake.
Why it matters
When a server identifies itself as a publicly-documented vulnerable build, the scoring engine must not split the difference. Signing off on a known-bad implementation as `review` or even `block-without-block-flag` would invite operators to reason past the advisory. The hard-fail forces the verdict to `block` regardless of how clean the rest of the surface looks.
Pass condition
No entry in the in-tree advisory catalog matches the advertised `serverInfo.name` (and `version`, where the entry pins one).
Fail condition
At least one advisory entry matches the advertised name + version pair.
Evidence examples
When the rule fails, the report records evidence in roughly this shape:
{"hits": [{"advisoryId": "GHSA-xxxx-xxxx-xxxx", "serverName": "postmark-mcp", "serverVersion": "1.0.16", "reference": "https://example.com/post-mortem"}]}
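The following is an added illustration, not AgentReserve's own `known-advisories.ts` or scoring engine code. It models the rule as the page describes it: a catalog entry carries a public reference and optionally pins a version; an entry with no pin is assumed to cover every version of that `serverInfo.name`; the rule is skipped when there is no successful `initialize`; a match emits evidence in the `hits` shape shown above; and a fail forces the verdict to `block` regardless of the aggregate. The catalog entry reuses the placeholder values from the evidence example, and the verdict labels `pass` / `review` / `block` are assumed for the sake of the example.

```typescript
// Added example (not AgentReserve's code): a minimal known-advisory hard-fail rule.
// Assumptions: an entry without `version` matches every version of that server name;
// a pinned entry matches only that exact version string.

interface Advisory {
  advisoryId: string;  // public identifier (CVE / GHSA / vendor advisory id)
  serverName: string;  // serverInfo.name the advisory applies to
  version?: string;    // exact version pin; absent = every version of that name
  reference: string;   // the public write-up the catalog mirrors
}

interface ServerInfo {
  name: string;
  version: string;
}

// One element of the `hits` array in the report evidence.
interface AdvisoryHit {
  advisoryId: string;
  serverName: string;
  serverVersion: string;
  reference: string;
}

type RuleStatus = "pass" | "fail" | "skipped";

interface RuleResult {
  status: RuleStatus;
  evidence?: { hits: AdvisoryHit[] };
}

// Constructed sample catalog: the values are the page's placeholder evidence values.
const KNOWN_ADVISORIES: Advisory[] = [
  {
    advisoryId: "GHSA-xxxx-xxxx-xxxx",
    serverName: "postmark-mcp",
    version: "1.0.16",
    reference: "https://example.com/post-mortem",
  },
];

// Collect every catalog entry that matches the advertised name (and version, if pinned).
function findAdvisoryHits(info: ServerInfo, catalog: Advisory[]): AdvisoryHit[] {
  return catalog
    .filter(
      (a) =>
        a.serverName === info.name &&
        (a.version === undefined || a.version === info.version),
    )
    .map((a) => ({
      advisoryId: a.advisoryId,
      serverName: info.name,
      serverVersion: info.version,
      reference: a.reference,
    }));
}

// The rule itself. `info` is undefined when the MCP handshake never succeeded,
// which is exactly the perimeter-only case in which the rule is skipped.
function runKnownAdvisoryRule(
  info: ServerInfo | undefined,
  catalog: Advisory[] = KNOWN_ADVISORIES,
): RuleResult {
  if (!info) {
    return { status: "skipped" };
  }
  const hits = findAdvisoryHits(info, catalog);
  if (hits.length === 0) {
    return { status: "pass" };
  }
  return { status: "fail", evidence: { hits } };
}

type Verdict = "pass" | "review" | "block";

// Hard-fail override: a fail on this rule forces "block" whatever the aggregate
// score produced; any other status leaves the aggregate verdict untouched.
function finalVerdict(aggregateVerdict: Verdict, rule: RuleResult): Verdict {
  return rule.status === "fail" ? "block" : aggregateVerdict;
}

// Stand-alone demo: a server advertising the listed build is blocked even though
// the rest of its surface scored clean enough for "review".
const demo = runKnownAdvisoryRule({ name: "postmark-mcp", version: "1.0.16" });
console.log(JSON.stringify(demo.evidence), "->", finalVerdict("review", demo));
```

The version comparison is a plain string equality because the page says an entry either pins one version or does not; a real catalog that needed ranges would have to parse the version rather than compare it as a string.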
Remediation
Roll forward to a version not listed in the advisory, or migrate to a different implementation. Treat the cited public reference as the authoritative remediation source — the advisory catalog only mirrors it.
Methodology
This rule belongs to the Tool surface risk dimension, which measures what an agent could do if it trusted every advertised tool. It covers destructive actions, credential disclosure, code execution, filesystem mutation, PII handling, prompt-injection-shaped input fields, and injection-bearing tool descriptions — i.e. the agent-specific threat surface, not just generic verb risk.
Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.