Refactor code structure for improved readability and maintainability; removed redundant code blocks and optimized function calls.

2025-11-20 07:50:52 +02:00
parent 616ec73133
commit 10212d67c0
473 changed files with 316758 additions and 388 deletions
--- a/tests/reachability/corpus/README.md
+++ b/tests/reachability/corpus/README.md
@@ -0,0 +1,21 @@
+# Reachability Corpus (QA-CORPUS-401-031)
+
+Layout
+- `manifest.json` — deterministic SHA-256 hashes for each case file.
+- `<language>/<case>/expect.yaml` — state (`reachable|conditional|unreachable`), score, evidence refs.
+- `<language>/<case>/callgraph.static.json` — static call graph sample (stub for MVP).
+- `<language>/<case>/vex.openvex.json` — expected VEX slice for the case.
+
+Determinism
+- JSON files have sorted keys; hashes recorded in `manifest.json`.
+- Scores rounded to 2dp; timestamps (if added later) must be UTC ISO-8601.
+- No network access required to consume the corpus.
+
+MVP cases (stubs, to be replaced with real artifacts)
+- Go: `go-ssh-CVE-2020-9283-keyexchange`
+- .NET: `dotnet-kestrel-CVE-2023-44487-http2-rapid-reset`
+- Python: `python-django-CVE-2019-19844-sqli-like`
+- Rust: `rust-axum-header-parsing-TBD`
+
+CI intent
+- `CorpusFixtureTests` validates presence and hashes from the manifest; hook this into CI once repo build stabilises.
--- a/tests/reachability/corpus/dotnet/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/callgraph.static.json
+++ b/tests/reachability/corpus/dotnet/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/callgraph.static.json
@@ -0,0 +1,5 @@
+{
+  "schema_version": "reach-corpus.callgraph/v1",
+  "nodes": [],
+  "edges": []
+}
--- a/tests/reachability/corpus/dotnet/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/expect.yaml
+++ b/tests/reachability/corpus/dotnet/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/expect.yaml
@@ -0,0 +1,11 @@
+schema_version: reach-corpus.expect/v1
+id: dotnet-kestrel-CVE-2023-44487-http2-rapid-reset
+language: dotnet
+state: reachable
+score: 0.85
+static_evidence:
+  callgraphs:
+    - callgraph.static.json
+runtime_evidence: []
+vex: vex.openvex.json
+notes: "MVP fixture stub; replace with real callgraph and traces when available."
--- a/tests/reachability/corpus/dotnet/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/vex.openvex.json
+++ b/tests/reachability/corpus/dotnet/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/vex.openvex.json
@@ -0,0 +1,12 @@
+{
+  "author": "StellaOps",
+  "role": "reachability-corpus",
+  "timestamp": "2025-11-18T00:00:00Z",
+  "statements": [
+    {
+      "vulnerability": "TBD",
+      "products": ["pkg:demo/demo"],
+      "status": "affected"
+    }
+  ]
+}
--- a/tests/reachability/corpus/go/go-ssh-CVE-2020-9283-keyexchange/callgraph.static.json
+++ b/tests/reachability/corpus/go/go-ssh-CVE-2020-9283-keyexchange/callgraph.static.json
@@ -0,0 +1,5 @@
+{
+  "schema_version": "reach-corpus.callgraph/v1",
+  "nodes": [],
+  "edges": []
+}
--- a/tests/reachability/corpus/go/go-ssh-CVE-2020-9283-keyexchange/expect.yaml
+++ b/tests/reachability/corpus/go/go-ssh-CVE-2020-9283-keyexchange/expect.yaml
@@ -0,0 +1,11 @@
+schema_version: reach-corpus.expect/v1
+id: go-ssh-CVE-2020-9283-keyexchange
+language: go
+state: reachable
+score: 0.80
+static_evidence:
+  callgraphs:
+    - callgraph.static.json
+runtime_evidence: []
+vex: vex.openvex.json
+notes: "MVP fixture stub; replace with real callgraph and traces when available."
--- a/tests/reachability/corpus/go/go-ssh-CVE-2020-9283-keyexchange/vex.openvex.json
+++ b/tests/reachability/corpus/go/go-ssh-CVE-2020-9283-keyexchange/vex.openvex.json
@@ -0,0 +1,12 @@
+{
+  "author": "StellaOps",
+  "role": "reachability-corpus",
+  "timestamp": "2025-11-18T00:00:00Z",
+  "statements": [
+    {
+      "vulnerability": "TBD",
+      "products": ["pkg:demo/demo"],
+      "status": "affected"
+    }
+  ]
+}
--- a/tests/reachability/corpus/manifest.json
+++ b/tests/reachability/corpus/manifest.json
@@ -0,0 +1,38 @@
+[
+  {
+    "files": {
+      "callgraph.static.json": "7359d8c26f16151a4b05cf0e6675e5c66b5ffb6396b906e74c0d5bb2f290e972",
+      "expect.yaml": "08859e027299b83fbe0a2754797df09736c08c1dd050da830d4e55ed416e77d0",
+      "vex.openvex.json": "c3593790f769974b1b66aa5331f1d3ad4d699f77f198b2e77e78659ee79d3c15"
+    },
+    "id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
+    "language": "dotnet"
+  },
+  {
+    "files": {
+      "callgraph.static.json": "7359d8c26f16151a4b05cf0e6675e5c66b5ffb6396b906e74c0d5bb2f290e972",
+      "expect.yaml": "ad5375a8f2ad10378a48ca031afe726ac8ce94e8faea8e7fba907ca571ab5811",
+      "vex.openvex.json": "c3593790f769974b1b66aa5331f1d3ad4d699f77f198b2e77e78659ee79d3c15"
+    },
+    "id": "go-ssh-CVE-2020-9283-keyexchange",
+    "language": "go"
+  },
+  {
+    "files": {
+      "callgraph.static.json": "7359d8c26f16151a4b05cf0e6675e5c66b5ffb6396b906e74c0d5bb2f290e972",
+      "expect.yaml": "c2516433b685aa955342a3a1a70485c3742eca654aa6245866084da6d7574815",
+      "vex.openvex.json": "c3593790f769974b1b66aa5331f1d3ad4d699f77f198b2e77e78659ee79d3c15"
+    },
+    "id": "python-django-CVE-2019-19844-sqli-like",
+    "language": "python"
+  },
+  {
+    "files": {
+      "callgraph.static.json": "7359d8c26f16151a4b05cf0e6675e5c66b5ffb6396b906e74c0d5bb2f290e972",
+      "expect.yaml": "01fd3ce042e65f4d17ca8a6144fefcbb32b945ae720d136d0d9207e17974ee0a",
+      "vex.openvex.json": "c3593790f769974b1b66aa5331f1d3ad4d699f77f198b2e77e78659ee79d3c15"
+    },
+    "id": "rust-axum-header-parsing-TBD",
+    "language": "rust"
+  }
+]
--- a/tests/reachability/corpus/python/python-django-CVE-2019-19844-sqli-like/callgraph.static.json
+++ b/tests/reachability/corpus/python/python-django-CVE-2019-19844-sqli-like/callgraph.static.json
@@ -0,0 +1,5 @@
+{
+  "schema_version": "reach-corpus.callgraph/v1",
+  "nodes": [],
+  "edges": []
+}
--- a/tests/reachability/corpus/python/python-django-CVE-2019-19844-sqli-like/expect.yaml
+++ b/tests/reachability/corpus/python/python-django-CVE-2019-19844-sqli-like/expect.yaml
@@ -0,0 +1,11 @@
+schema_version: reach-corpus.expect/v1
+id: python-django-CVE-2019-19844-sqli-like
+language: python
+state: reachable
+score: 0.80
+static_evidence:
+  callgraphs:
+    - callgraph.static.json
+runtime_evidence: []
+vex: vex.openvex.json
+notes: "MVP fixture stub; replace with real callgraph and traces when available."
--- a/tests/reachability/corpus/python/python-django-CVE-2019-19844-sqli-like/vex.openvex.json
+++ b/tests/reachability/corpus/python/python-django-CVE-2019-19844-sqli-like/vex.openvex.json
@@ -0,0 +1,12 @@
+{
+  "author": "StellaOps",
+  "role": "reachability-corpus",
+  "timestamp": "2025-11-18T00:00:00Z",
+  "statements": [
+    {
+      "vulnerability": "TBD",
+      "products": ["pkg:demo/demo"],
+      "status": "affected"
+    }
+  ]
+}
--- a/tests/reachability/corpus/rust/rust-axum-header-parsing-TBD/callgraph.static.json
+++ b/tests/reachability/corpus/rust/rust-axum-header-parsing-TBD/callgraph.static.json
@@ -0,0 +1,5 @@
+{
+  "schema_version": "reach-corpus.callgraph/v1",
+  "nodes": [],
+  "edges": []
+}
--- a/tests/reachability/corpus/rust/rust-axum-header-parsing-TBD/expect.yaml
+++ b/tests/reachability/corpus/rust/rust-axum-header-parsing-TBD/expect.yaml
@@ -0,0 +1,11 @@
+schema_version: reach-corpus.expect/v1
+id: rust-axum-header-parsing-TBD
+language: rust
+state: conditional
+score: 0.60
+static_evidence:
+  callgraphs:
+    - callgraph.static.json
+runtime_evidence: []
+vex: vex.openvex.json
+notes: "MVP fixture stub; replace with real callgraph and traces when available."
--- a/tests/reachability/corpus/rust/rust-axum-header-parsing-TBD/vex.openvex.json
+++ b/tests/reachability/corpus/rust/rust-axum-header-parsing-TBD/vex.openvex.json
@@ -0,0 +1,12 @@
+{
+  "author": "StellaOps",
+  "role": "reachability-corpus",
+  "timestamp": "2025-11-18T00:00:00Z",
+  "statements": [
+    {
+      "vulnerability": "TBD",
+      "products": ["pkg:demo/demo"],
+      "status": "affected"
+    }
+  ]
+}