up

bench/findings/CVE-BENCH-RUNC-CVE-reachable/decision.dsse.json

@@ -0,0 +1,10 @@
+{
+  "payload": "eyJAY29udGV4dCI6Imh0dHBzOi8vb3BlbnZleC5kZXYvbnMvdjAuMi4wIiwiQHR5cGUiOiJWRVgiLCJhdXRob3IiOiJTdGVsbGFPcHMgQmVuY2ggQXV0b21hdGlvbiIsInJvbGUiOiJzZWN1cml0eV90ZWFtIiwic3RhdGVtZW50cyI6W3siYWN0aW9uX3N0YXRlbWVudCI6IlVwZ3JhZGUgdG8gcGF0Y2hlZCB2ZXJzaW9uIG9yIGFwcGx5IG1pdGlnYXRpb24uIiwiaW1wYWN0X3N0YXRlbWVudCI6IkV2aWRlbmNlIGhhc2g6IHNoYTI1NjpjNDRmYjJlMmVmYjc5Yzc4YmJhYTZhOGUyYzZiYjM4MzE3ODJhMmQ1MzU4ZGU4N2ZjN2QxNzEwMmU4YzJlMzA1IiwicHJvZHVjdHMiOlt7IkBpZCI6InBrZzpnZW5lcmljL3J1bmMtQ1ZFLTIwMjQtMjE2MjYtc3ltbGluay1icmVha291dEAxLjAuMCJ9XSwic3RhdHVzIjoiYWZmZWN0ZWQiLCJ2dWxuZXJhYmlsaXR5Ijp7IkBpZCI6Imh0dHBzOi8vbnZkLm5pc3QuZ292L3Z1bG4vZGV0YWlsL0NWRS1CRU5DSC1SVU5DLUNWRSIsIm5hbWUiOiJDVkUtQkVOQ0gtUlVOQy1DVkUifX1dLCJ0aW1lc3RhbXAiOiIyMDI1LTEyLTE0VDAyOjEzOjM4WiIsInRvb2xpbmciOiJTdGVsbGFPcHMvYmVuY2gtYXV0b0AxLjAuMCIsInZlcnNpb24iOjF9",
+  "payloadType": "application/vnd.openvex+json",
+  "signatures": [
+    {
+      "keyid": "stella.ops/bench-automation@v1",
+      "sig": "PLACEHOLDER_SIGNATURE_REQUIRES_ACTUAL_SIGNING"
+    }
+  ]
+}

bench/findings/CVE-BENCH-RUNC-CVE-reachable/decision.openvex.json

@@ -0,0 +1,25 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@type": "VEX",
+  "author": "StellaOps Bench Automation",
+  "role": "security_team",
+  "statements": [
+    {
+      "action_statement": "Upgrade to patched version or apply mitigation.",
+      "impact_statement": "Evidence hash: sha256:c44fb2e2efb79c78bbaa6a8e2c6bb3831782a2d5358de87fc7d17102e8c2e305",
+      "products": [
+        {
+          "@id": "pkg:generic/runc-CVE-2024-21626-symlink-breakout@1.0.0"
+        }
+      ],
+      "status": "affected",
+      "vulnerability": {
+        "@id": "https://nvd.nist.gov/vuln/detail/CVE-BENCH-RUNC-CVE",
+        "name": "CVE-BENCH-RUNC-CVE"
+      }
+    }
+  ],
+  "timestamp": "2025-12-14T02:13:38Z",
+  "tooling": "StellaOps/bench-auto@1.0.0",
+  "version": 1
+}

bench/findings/CVE-BENCH-RUNC-CVE-reachable/evidence/reachability.json

@@ -0,0 +1,25 @@
+{
+  "case_id": "runc-CVE-2024-21626-symlink-breakout",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "ground_truth": {
+    "case_id": "runc-CVE-2024-21626-symlink-breakout",
+    "paths": [
+      [
+        "sym://net:handler#read",
+        "sym://runc:runc.c#entry",
+        "sym://runc:runc.c#sink"
+      ]
+    ],
+    "schema_version": "reachbench.reachgraph.truth/v1",
+    "variant": "reachable"
+  },
+  "paths": [
+    [
+      "sym://net:handler#read",
+      "sym://runc:runc.c#entry",
+      "sym://runc:runc.c#sink"
+    ]
+  ],
+  "schema_version": "richgraph-excerpt/v1",
+  "variant": "reachable"
+}

bench/findings/CVE-BENCH-RUNC-CVE-reachable/evidence/sbom.cdx.json

@@ -0,0 +1,23 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [
+    {
+      "name": "runc-CVE-2024-21626-symlink-breakout",
+      "purl": "pkg:generic/runc-CVE-2024-21626-symlink-breakout@1.0.0",
+      "type": "library",
+      "version": "1.0.0"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2025-12-14T02:13:38Z",
+    "tools": [
+      {
+        "name": "bench-auto",
+        "vendor": "StellaOps",
+        "version": "1.0.0"
+      }
+    ]
+  },
+  "specVersion": "1.6",
+  "version": 1
+}

bench/findings/CVE-BENCH-RUNC-CVE-reachable/metadata.json

@@ -0,0 +1,11 @@
+{
+  "case_id": "runc-CVE-2024-21626-symlink-breakout",
+  "cve_id": "CVE-BENCH-RUNC-CVE",
+  "generated_at": "2025-12-14T02:13:38Z",
+  "generator": "scripts/bench/populate-findings.py",
+  "generator_version": "1.0.0",
+  "ground_truth_schema": "reachbench.reachgraph.truth/v1",
+  "purl": "pkg:generic/runc-CVE-2024-21626-symlink-breakout@1.0.0",
+  "reachability_status": "reachable",
+  "variant": "reachable"
+}

bench/findings/CVE-BENCH-RUNC-CVE-reachable/rekor.txt

@@ -0,0 +1,5 @@
+# Rekor log entry placeholder
+# Submit DSSE envelope to Rekor to populate this file
+log_index: PENDING
+uuid: PENDING
+timestamp: 2025-12-14T02:13:38Z