stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

consolidate the tests locations

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-26 01:48:24 +02:00
parent 17613acf57
commit 39359da171
2031 changed files with 2607 additions and 476 deletions
Download Patch File Download Diff File Expand all files Collapse all files

87
datasets/reachability/README.md
View File

@@ -1,87 +0,0 @@
# Reachability Test Datasets
This directory contains ground truth samples for validating reachability analysis accuracy.
## Directory Structure
```
datasets/reachability/
├── README.md # This file
├── samples/ # Test samples by language
│ ├── csharp/
│ │ ├── simple-reachable/ # Positive: direct call path
│ │ └── dead-code/ # Negative: unreachable code
│ ├── java/
│ │ └── vulnerable-log4j/ # Positive: Log4Shell CVE
│ └── native/
│ └── stripped-elf/ # Positive: stripped binary
└── schema/
├── manifest.schema.json # Sample manifest schema
└── ground-truth.schema.json # Ground truth schema
```
## Sample Categories
### Positive (Reachable)
Samples where vulnerable code has a confirmed path from entry points:
- `csharp/simple-reachable` - Direct call to vulnerable API
- `java/vulnerable-log4j` - Log4Shell with runtime confirmation
- `native/stripped-elf` - Stripped ELF with heuristic analysis
### Negative (Unreachable)
Samples where vulnerable code exists but is never called:
- `csharp/dead-code` - Deprecated API replaced by safe implementation
## Schema Reference
### manifest.json
Sample metadata including:
- `sampleId` - Unique identifier
- `language` - Primary language (java, csharp, native, etc.)
- `category` - positive, negative, or contested
- `vulnerabilities` - CVEs and affected symbols
- `artifacts` - Binary/SBOM file references
### ground-truth.json
Expected outcomes including:
- `targets` - Symbols with expected lattice states
- `entryPoints` - Program entry points
- `expectedUncertainty` - Expected uncertainty tier
- `expectedGateDecisions` - Expected policy gate outcomes
## Lattice States
| Code | Name | Description |
|------|------|-------------|
| U | Unknown | No analysis performed |
| SR | StaticallyReachable | Static analysis finds path |
| SU | StaticallyUnreachable | Static analysis finds no path |
| RO | RuntimeObserved | Runtime probe observed execution |
| RU | RuntimeUnobserved | Runtime probe did not observe |
| CR | ConfirmedReachable | Both static and runtime confirm |
| CU | ConfirmedUnreachable | Both static and runtime confirm unreachable |
| X | Contested | Static and runtime evidence conflict |
## Running Tests
```bash
# Validate schemas
npx ajv validate -s schema/ground-truth.schema.json -d samples/**/ground-truth.json
# Run benchmark tests
dotnet test --filter "GroundTruth" src/Scanner/__Tests/StellaOps.Scanner.Reachability.Benchmarks/
```
## Adding New Samples
1. Create directory: `samples/{language}/{sample-name}/`
2. Add `manifest.json` with sample metadata
3. Add `ground-truth.json` with expected outcomes
4. Include `reasoning` for each target explaining the expected state
5. Validate against schema before committing
## Related Documentation
- [Ground Truth Schema](../../docs/reachability/ground-truth-schema.md)
- [Lattice Model](../../docs/reachability/lattice.md)
- [Policy Gates](../../docs/reachability/policy-gate.md)

143
datasets/reachability/corpus.json
View File

@@ -1,143 +0,0 @@
{
"$schema": "https://stellaops.io/schemas/corpus-index.v1.json",
"version": "1.0.0",
"description": "Ground-truth corpus for binary reachability benchmarking",
"createdAt": "2025-12-17T00:00:00Z",
"samples": [
{
"sampleId": "gt-0001",
"category": "basic",
"path": "ground-truth/basic/gt-0001/sample.manifest.json",
"description": "Direct call to vulnerable sink from main"
},
{
"sampleId": "gt-0002",
"category": "basic",
"path": "ground-truth/basic/gt-0002/sample.manifest.json",
"description": "Two-hop call chain to vulnerable sink"
},
{
"sampleId": "gt-0003",
"category": "basic",
"path": "ground-truth/basic/gt-0003/sample.manifest.json",
"description": "Three-hop call chain with multiple sinks"
},
{
"sampleId": "gt-0004",
"category": "basic",
"path": "ground-truth/basic/gt-0004/sample.manifest.json",
"description": "Function pointer call to sink"
},
{
"sampleId": "gt-0005",
"category": "basic",
"path": "ground-truth/basic/gt-0005/sample.manifest.json",
"description": "Recursive function with sink"
},
{
"sampleId": "gt-0006",
"category": "indirect",
"path": "ground-truth/indirect/gt-0006/sample.manifest.json",
"description": "Indirect call via callback"
},
{
"sampleId": "gt-0007",
"category": "indirect",
"path": "ground-truth/indirect/gt-0007/sample.manifest.json",
"description": "Virtual function dispatch"
},
{
"sampleId": "gt-0008",
"category": "guarded",
"path": "ground-truth/guarded/gt-0008/sample.manifest.json",
"description": "Sink behind constant false guard"
},
{
"sampleId": "gt-0009",
"category": "guarded",
"path": "ground-truth/guarded/gt-0009/sample.manifest.json",
"description": "Sink behind input-dependent guard"
},
{
"sampleId": "gt-0010",
"category": "guarded",
"path": "ground-truth/guarded/gt-0010/sample.manifest.json",
"description": "Sink behind environment variable guard"
},
{
"sampleId": "gt-0011",
"category": "basic",
"path": "ground-truth/basic/gt-0011/sample.manifest.json",
"description": "Unreachable sink - dead code after return"
},
{
"sampleId": "gt-0012",
"category": "basic",
"path": "ground-truth/basic/gt-0012/sample.manifest.json",
"description": "Unreachable sink - never called function"
},
{
"sampleId": "gt-0013",
"category": "basic",
"path": "ground-truth/basic/gt-0013/sample.manifest.json",
"description": "Unreachable sink - #ifdef disabled"
},
{
"sampleId": "gt-0014",
"category": "guarded",
"path": "ground-truth/guarded/gt-0014/sample.manifest.json",
"description": "Unreachable sink - constant true early return"
},
{
"sampleId": "gt-0015",
"category": "guarded",
"path": "ground-truth/guarded/gt-0015/sample.manifest.json",
"description": "Unreachable sink - impossible branch condition"
},
{
"sampleId": "gt-0016",
"category": "stripped",
"path": "ground-truth/stripped/gt-0016/sample.manifest.json",
"description": "Stripped binary - reachable sink"
},
{
"sampleId": "gt-0017",
"category": "stripped",
"path": "ground-truth/stripped/gt-0017/sample.manifest.json",
"description": "Stripped binary - unreachable sink"
},
{
"sampleId": "gt-0018",
"category": "obfuscated",
"path": "ground-truth/obfuscated/gt-0018/sample.manifest.json",
"description": "Control flow obfuscation - reachable"
},
{
"sampleId": "gt-0019",
"category": "obfuscated",
"path": "ground-truth/obfuscated/gt-0019/sample.manifest.json",
"description": "String obfuscation - reachable"
},
{
"sampleId": "gt-0020",
"category": "callback",
"path": "ground-truth/callback/gt-0020/sample.manifest.json",
"description": "Async callback chain - reachable"
}
],
"statistics": {
"totalSamples": 20,
"byCategory": {
"basic": 8,
"indirect": 2,
"guarded": 4,
"stripped": 2,
"obfuscated": 2,
"callback": 2
},
"byExpected": {
"reachable": 13,
"unreachable": 7
}
}
}

18
datasets/reachability/ground-truth/basic/gt-0001/main.c
View File

@@ -1,18 +0,0 @@
// gt-0001: Direct call to vulnerable sink from main
// Expected: REACHABLE (tier: executed)
// Vulnerability: CWE-120 (Buffer Copy without Checking Size)
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[]) {
char buffer[32];
if (argc > 1) {
// Vulnerable: strcpy without bounds checking
strcpy(buffer, argv[1]); // SINK: CWE-120
printf("Input: %s\n", buffer);
}
return 0;
}

29
datasets/reachability/ground-truth/basic/gt-0001/sample.manifest.json
View File

@@ -1,29 +0,0 @@
{
"$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
"sampleId": "gt-0001",
"version": "1.0.0",
"category": "basic",
"description": "Direct call to vulnerable sink from main - REACHABLE",
"language": "c",
"expectedResult": {
"reachable": true,
"tier": "executed",
"confidence": 1.0
},
"source": {
"files": ["main.c"],
"entrypoint": "main",
"sink": "strcpy",
"vulnerability": "CWE-120"
},
"callChain": [
{"function": "main", "file": "main.c", "line": 5},
{"function": "strcpy", "file": "<libc>", "line": null}
],
"annotations": {
"notes": "Simplest reachable case - direct call from entrypoint to vulnerable function",
"difficulty": "trivial"
},
"createdAt": "2025-12-17T00:00:00Z",
"createdBy": "corpus-team"
}

22
datasets/reachability/ground-truth/basic/gt-0002/main.c
View File

@@ -1,22 +0,0 @@
// gt-0002: Two-hop call chain to vulnerable sink
// Expected: REACHABLE (tier: executed)
// Vulnerability: CWE-134 (Format String)
#include <stdio.h>
#include <string.h>
void format_message(const char *user_input, char *output) {
// Vulnerable: format string from user input
sprintf(output, user_input); // SINK: CWE-134
}
int main(int argc, char *argv[]) {
char buffer[256];
if (argc > 1) {
format_message(argv[1], buffer);
printf("Result: %s\n", buffer);
}
return 0;
}

30
datasets/reachability/ground-truth/basic/gt-0002/sample.manifest.json
View File

@@ -1,30 +0,0 @@
{
"$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
"sampleId": "gt-0002",
"version": "1.0.0",
"category": "basic",
"description": "Two-hop call chain to vulnerable sink - REACHABLE",
"language": "c",
"expectedResult": {
"reachable": true,
"tier": "executed",
"confidence": 1.0
},
"source": {
"files": ["main.c"],
"entrypoint": "main",
"sink": "sprintf",
"vulnerability": "CWE-134"
},
"callChain": [
{"function": "main", "file": "main.c", "line": 15},
{"function": "format_message", "file": "main.c", "line": 7},
{"function": "sprintf", "file": "<libc>", "line": null}
],
"annotations": {
"notes": "Two-hop chain: main -> helper -> sink",
"difficulty": "easy"
},
"createdAt": "2025-12-17T00:00:00Z",
"createdBy": "corpus-team"
}

25
datasets/reachability/ground-truth/basic/gt-0003/main.c
View File

@@ -1,25 +0,0 @@
// gt-0003: Three-hop call chain with command injection
// Expected: REACHABLE (tier: executed)
// Vulnerability: CWE-78 (OS Command Injection)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void execute_command(const char *cmd) {
// Vulnerable: system call with user input
system(cmd); // SINK: CWE-78
}
void process_input(const char *input) {
char command[256];
snprintf(command, sizeof(command), "echo %s", input);
execute_command(command);
}
int main(int argc, char *argv[]) {
if (argc > 1) {
process_input(argv[1]);
}
return 0;
}

31
datasets/reachability/ground-truth/basic/gt-0003/sample.manifest.json
View File

@@ -1,31 +0,0 @@
{
"$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
"sampleId": "gt-0003",
"version": "1.0.0",
"category": "basic",
"description": "Three-hop call chain with multiple sinks - REACHABLE",
"language": "c",
"expectedResult": {
"reachable": true,
"tier": "executed",
"confidence": 1.0
},
"source": {
"files": ["main.c"],
"entrypoint": "main",
"sink": "system",
"vulnerability": "CWE-78"
},
"callChain": [
{"function": "main", "file": "main.c", "line": 20},
{"function": "process_input", "file": "main.c", "line": 12},
{"function": "execute_command", "file": "main.c", "line": 6},
{"function": "system", "file": "<libc>", "line": null}
],
"annotations": {
"notes": "Three-hop chain demonstrating command injection path",
"difficulty": "easy"
},
"createdAt": "2025-12-17T00:00:00Z",
"createdBy": "corpus-team"
}

37
datasets/reachability/ground-truth/basic/gt-0004/main.c
View File

@@ -1,37 +0,0 @@
// gt-0004: Function pointer call to sink
// Expected: REACHABLE (tier: executed)
// Vulnerability: CWE-120 (Buffer Copy without Checking Size)
#include <stdio.h>
#include <string.h>
typedef void (*copy_func_t)(char *, const char *);
void copy_data(char *dest, const char *src) {
// Vulnerable: strcpy without bounds check
strcpy(dest, src); // SINK: CWE-120
}
void safe_copy(char *dest, const char *src) {
strncpy(dest, src, 31);
dest[31] = '\0';
}
int main(int argc, char *argv[]) {
char buffer[32];
copy_func_t copier;
// Function pointer assignment - harder for static analysis
if (argc > 2 && argv[2][0] == 's') {
copier = safe_copy;
} else {
copier = copy_data; // Vulnerable path selected
}
if (argc > 1) {
copier(buffer, argv[1]); // Indirect call
printf("Result: %s\n", buffer);
}
return 0;
}

31
datasets/reachability/ground-truth/basic/gt-0004/sample.manifest.json
View File

@@ -1,31 +0,0 @@
{
"$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
"sampleId": "gt-0004",
"version": "1.0.0",
"category": "basic",
"description": "Function pointer call to sink - REACHABLE",
"language": "c",
"expectedResult": {
"reachable": true,
"tier": "executed",
"confidence": 0.9
},
"source": {
"files": ["main.c"],
"entrypoint": "main",
"sink": "strcpy",
"vulnerability": "CWE-120"
},
"callChain": [
{"function": "main", "file": "main.c", "line": 18},
{"function": "<function_ptr>", "file": "main.c", "line": 19},
{"function": "copy_data", "file": "main.c", "line": 8},
{"function": "strcpy", "file": "<libc>", "line": null}
],
"annotations": {
"notes": "Indirect call via function pointer - harder for static analysis",
"difficulty": "medium"
},
"createdAt": "2025-12-17T00:00:00Z",
"createdBy": "corpus-team"
}

31
datasets/reachability/ground-truth/basic/gt-0005/main.c
View File

@@ -1,31 +0,0 @@
// gt-0005: Recursive function with sink
// Expected: REACHABLE (tier: executed)
// Vulnerability: CWE-134 (Format String)
#include <stdio.h>
#include <string.h>
char result[1024];
void process_recursive(const char *input, int depth) {
if (depth <= 0 || strlen(input) == 0) {
return;
}
// Vulnerable: format string in recursive context
sprintf(result + strlen(result), input); // SINK: CWE-134
// Recurse with modified input
process_recursive(input + 1, depth - 1);
}
int main(int argc, char *argv[]) {
result[0] = '\0';
if (argc > 1) {
process_recursive(argv[1], 5);
printf("Result: %s\n", result);
}
return 0;
}

31
datasets/reachability/ground-truth/basic/gt-0005/sample.manifest.json
View File

@@ -1,31 +0,0 @@
{
"$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
"sampleId": "gt-0005",
"version": "1.0.0",
"category": "basic",
"description": "Recursive function with sink - REACHABLE",
"language": "c",
"expectedResult": {
"reachable": true,
"tier": "executed",
"confidence": 1.0
},
"source": {
"files": ["main.c"],
"entrypoint": "main",
"sink": "sprintf",
"vulnerability": "CWE-134"
},
"callChain": [
{"function": "main", "file": "main.c", "line": 22},
{"function": "process_recursive", "file": "main.c", "line": 14},
{"function": "process_recursive", "file": "main.c", "line": 14},
{"function": "sprintf", "file": "<libc>", "line": null}
],
"annotations": {
"notes": "Recursive call pattern - tests loop/recursion handling",
"difficulty": "medium"
},
"createdAt": "2025-12-17T00:00:00Z",
"createdBy": "corpus-team"
}

25
datasets/reachability/ground-truth/unreachable/gt-0011/main.c
View File

@@ -1,25 +0,0 @@
// gt-0011: Dead code - function never called
// Expected: UNREACHABLE (tier: imported)
// Vulnerability: CWE-120 (Buffer Copy without Checking Size)
#include <stdio.h>
#include <string.h>
// This function is NEVER called - dead code
void vulnerable_function(const char *input) {
char buffer[32];
strcpy(buffer, input); // SINK: CWE-120 (but unreachable)
printf("Value: %s\n", buffer);
}
void safe_function(const char *input) {
printf("Safe: %.31s\n", input);
}
int main(int argc, char *argv[]) {
if (argc > 1) {
// Only safe_function is called
safe_function(argv[1]);
}
return 0;
}

27
datasets/reachability/ground-truth/unreachable/gt-0011/sample.manifest.json
View File

@@ -1,27 +0,0 @@
{
"$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
"sampleId": "gt-0011",
"version": "1.0.0",
"category": "unreachable",
"description": "Dead code - function never called - UNREACHABLE",
"language": "c",
"expectedResult": {
"reachable": false,
"tier": "imported",
"confidence": 1.0
},
"source": {
"files": ["main.c"],
"entrypoint": "main",
"sink": "strcpy",
"vulnerability": "CWE-120"
},
"callChain": null,
"annotations": {
"notes": "Vulnerable function exists but is never called from any reachable path",
"difficulty": "trivial",
"reason": "dead_code"
},
"createdAt": "2025-12-17T00:00:00Z",
"createdBy": "corpus-team"
}

28
datasets/reachability/ground-truth/unreachable/gt-0012/main.c
View File

@@ -1,28 +0,0 @@
// gt-0012: Compile-time constant false condition
// Expected: UNREACHABLE (tier: imported)
// Vulnerability: CWE-120 (Buffer Overflow)
#include <stdio.h>
#include <string.h>
#define DEBUG_MODE 0 // Compile-time constant
int main(int argc, char *argv[]) {
char buffer[64];
// This branch is constant false - will be optimized out
if (DEBUG_MODE) {
// Vulnerable code in dead branch
gets(buffer); // SINK: CWE-120 (but unreachable)
printf("Debug: %s\n", buffer);
} else {
// Safe path always taken
if (argc > 1) {
strncpy(buffer, argv[1], sizeof(buffer) - 1);
buffer[sizeof(buffer) - 1] = '\0';
printf("Input: %s\n", buffer);
}
}
return 0;
}

27
datasets/reachability/ground-truth/unreachable/gt-0012/sample.manifest.json
View File

@@ -1,27 +0,0 @@
{
"$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
"sampleId": "gt-0012",
"version": "1.0.0",
"category": "unreachable",
"description": "Compile-time constant false condition - UNREACHABLE",
"language": "c",
"expectedResult": {
"reachable": false,
"tier": "imported",
"confidence": 1.0
},
"source": {
"files": ["main.c"],
"entrypoint": "main",
"sink": "gets",
"vulnerability": "CWE-120"
},
"callChain": null,
"annotations": {
"notes": "Sink is behind a constant false condition that will be optimized out",
"difficulty": "easy",
"reason": "constant_false"
},
"createdAt": "2025-12-17T00:00:00Z",
"createdBy": "corpus-team"
}

27
datasets/reachability/ground-truth/unreachable/gt-0013/main.c
View File

@@ -1,27 +0,0 @@
// gt-0013: Ifdef-excluded code path
// Expected: UNREACHABLE (tier: imported)
// Vulnerability: CWE-78 (OS Command Injection)
// Compile with: gcc -DPRODUCTION main.c (LEGACY_SHELL not defined)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PRODUCTION
void process_command(const char *cmd) {
#ifdef LEGACY_SHELL
// This code is excluded when LEGACY_SHELL is not defined
system(cmd); // SINK: CWE-78 (but unreachable - ifdef excluded)
#else
// Safe path: just print, don't execute
printf("Would execute: %s\n", cmd);
#endif
}
int main(int argc, char *argv[]) {
if (argc > 1) {
process_command(argv[1]);
}
return 0;
}

27
datasets/reachability/ground-truth/unreachable/gt-0013/sample.manifest.json
View File

@@ -1,27 +0,0 @@
{
"$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
"sampleId": "gt-0013",
"version": "1.0.0",
"category": "unreachable",
"description": "Ifdef-excluded code path - UNREACHABLE",
"language": "c",
"expectedResult": {
"reachable": false,
"tier": "imported",
"confidence": 1.0
},
"source": {
"files": ["main.c"],
"entrypoint": "main",
"sink": "system",
"vulnerability": "CWE-78"
},
"callChain": null,
"annotations": {
"notes": "Vulnerable code excluded by preprocessor directive",
"difficulty": "easy",
"reason": "preprocessor_excluded"
},
"createdAt": "2025-12-17T00:00:00Z",
"createdBy": "corpus-team"
}

86
datasets/reachability/samples/csharp/dead-code/ground-truth.json
View File

@@ -1,86 +0,0 @@
{
"schema": "ground-truth-v1",
"sampleId": "sample:csharp:dead-code:001",
"generatedAt": "2025-12-13T12:00:00Z",
"generator": {
"name": "manual-annotation",
"version": "1.0.0",
"annotator": "scanner-guild"
},
"targets": [
{
"symbolId": "sym:csharp:JsonConvert.DeserializeObject",
"display": "Newtonsoft.Json.JsonConvert.DeserializeObject<T>(string, JsonSerializerSettings)",
"purl": "pkg:nuget/Newtonsoft.Json@13.0.1",
"expected": {
"latticeState": "CU",
"bucket": "unreachable",
"reachable": false,
"confidence": 0.95,
"pathLength": null,
"path": null
},
"reasoning": "DeserializeObject referenced in deprecated LegacyParser class but LegacyParser is never instantiated - new SafeParser uses System.Text.Json instead"
},
{
"symbolId": "sym:csharp:LegacyParser.ParseJson",
"display": "SampleApp.LegacyParser.ParseJson(string)",
"purl": "pkg:generic/SampleApp@1.0.0",
"expected": {
"latticeState": "SU",
"bucket": "unreachable",
"reachable": false,
"confidence": 0.90,
"pathLength": null,
"path": null
},
"reasoning": "LegacyParser.ParseJson exists but LegacyParser is never instantiated - replaced by SafeParser"
},
{
"symbolId": "sym:csharp:SafeParser.ParseJson",
"display": "SampleApp.SafeParser.ParseJson(string)",
"purl": "pkg:generic/SampleApp@1.0.0",
"expected": {
"latticeState": "SR",
"bucket": "direct",
"reachable": true,
"confidence": 0.95,
"pathLength": 2,
"path": [
"sym:csharp:Program.Main",
"sym:csharp:SafeParser.ParseJson"
]
},
"reasoning": "SafeParser.ParseJson is the active implementation called from Main"
}
],
"entryPoints": [
{
"symbolId": "sym:csharp:Program.Main",
"display": "SampleApp.Program.Main(string[])",
"phase": "runtime",
"source": "manifest"
}
],
"expectedUncertainty": {
"states": [],
"aggregateTier": "T4",
"riskScore": 0.0
},
"expectedGateDecisions": [
{
"vulnId": "CVE-2024-21907",
"targetSymbol": "sym:csharp:JsonConvert.DeserializeObject",
"requestedStatus": "not_affected",
"expectedDecision": "allow",
"expectedReason": "CU state allows not_affected - confirmed unreachable"
},
{
"vulnId": "CVE-2024-21907",
"targetSymbol": "sym:csharp:JsonConvert.DeserializeObject",
"requestedStatus": "affected",
"expectedDecision": "warn",
"expectedReason": "Marking as affected when CU suggests false positive"
}
]
}

27
datasets/reachability/samples/csharp/dead-code/manifest.json
View File

@@ -1,27 +0,0 @@
{
"sampleId": "sample:csharp:dead-code:001",
"version": "1.0.0",
"createdAt": "2025-12-13T12:00:00Z",
"language": "csharp",
"category": "negative",
"description": "C# app where vulnerable code exists but is never called - deprecated API replaced by safe implementation",
"source": {
"repository": "synthetic",
"commit": "synthetic-sample",
"buildToolchain": "dotnet:10.0"
},
"vulnerabilities": [
{
"vulnId": "CVE-2024-21907",
"purl": "pkg:nuget/Newtonsoft.Json@13.0.1",
"affectedSymbol": "Newtonsoft.Json.JsonConvert.DeserializeObject"
}
],
"artifacts": [
{
"path": "artifacts/app.dll",
"hash": "sha256:0000000000000000000000000000000000000000000000000000000000000002",
"type": "application/x-msdownload"
}
]
}

79
datasets/reachability/samples/csharp/simple-reachable/ground-truth.json
View File

@@ -1,79 +0,0 @@
{
"schema": "ground-truth-v1",
"sampleId": "sample:csharp:simple-reachable:001",
"generatedAt": "2025-12-13T12:00:00Z",
"generator": {
"name": "manual-annotation",
"version": "1.0.0",
"annotator": "scanner-guild"
},
"targets": [
{
"symbolId": "sym:csharp:JsonConvert.DeserializeObject",
"display": "Newtonsoft.Json.JsonConvert.DeserializeObject<T>(string, JsonSerializerSettings)",
"purl": "pkg:nuget/Newtonsoft.Json@13.0.1",
"expected": {
"latticeState": "SR",
"bucket": "direct",
"reachable": true,
"confidence": 0.95,
"pathLength": 2,
"path": [
"sym:csharp:Program.Main",
"sym:csharp:JsonConvert.DeserializeObject"
]
},
"reasoning": "Direct call from Main() to JsonConvert.DeserializeObject with TypeNameHandling.All settings"
},
{
"symbolId": "sym:csharp:JsonConvert.SerializeObject",
"display": "Newtonsoft.Json.JsonConvert.SerializeObject(object)",
"purl": "pkg:nuget/Newtonsoft.Json@13.0.1",
"expected": {
"latticeState": "SU",
"bucket": "unreachable",
"reachable": false,
"confidence": 0.90,
"pathLength": null,
"path": null
},
"reasoning": "SerializeObject is present in the dependency but never called from any entry point"
}
],
"entryPoints": [
{
"symbolId": "sym:csharp:Program.Main",
"display": "SampleApp.Program.Main(string[])",
"phase": "runtime",
"source": "manifest"
}
],
"expectedUncertainty": {
"states": [],
"aggregateTier": "T4",
"riskScore": 0.0
},
"expectedGateDecisions": [
{
"vulnId": "CVE-2024-21907",
"targetSymbol": "sym:csharp:JsonConvert.DeserializeObject",
"requestedStatus": "not_affected",
"expectedDecision": "block",
"expectedBlockedBy": "LatticeState",
"expectedReason": "SR state incompatible with not_affected - code path exists from entry point"
},
{
"vulnId": "CVE-2024-21907",
"targetSymbol": "sym:csharp:JsonConvert.DeserializeObject",
"requestedStatus": "affected",
"expectedDecision": "allow"
},
{
"vulnId": "CVE-2024-21907",
"targetSymbol": "sym:csharp:JsonConvert.SerializeObject",
"requestedStatus": "not_affected",
"expectedDecision": "allow",
"expectedReason": "SU state allows not_affected - unreachable code path"
}
]
}

27
datasets/reachability/samples/csharp/simple-reachable/manifest.json
View File

@@ -1,27 +0,0 @@
{
"sampleId": "sample:csharp:simple-reachable:001",
"version": "1.0.0",
"createdAt": "2025-12-13T12:00:00Z",
"language": "csharp",
"category": "positive",
"description": "Simple C# console app with direct call path to vulnerable Newtonsoft.Json TypeNameHandling usage",
"source": {
"repository": "synthetic",
"commit": "synthetic-sample",
"buildToolchain": "dotnet:10.0"
},
"vulnerabilities": [
{
"vulnId": "CVE-2024-21907",
"purl": "pkg:nuget/Newtonsoft.Json@13.0.1",
"affectedSymbol": "Newtonsoft.Json.JsonConvert.DeserializeObject"
}
],
"artifacts": [
{
"path": "artifacts/app.dll",
"hash": "sha256:0000000000000000000000000000000000000000000000000000000000000001",
"type": "application/x-msdownload"
}
]
}

108
datasets/reachability/samples/java/vulnerable-log4j/ground-truth.json
View File

@@ -1,108 +0,0 @@
{
"schema": "ground-truth-v1",
"sampleId": "sample:java:vulnerable-log4j:001",
"generatedAt": "2025-12-13T12:00:00Z",
"generator": {
"name": "manual-annotation",
"version": "1.0.0",
"annotator": "security-team"
},
"targets": [
{
"symbolId": "sym:java:log4j.JndiLookup.lookup",
"display": "org.apache.logging.log4j.core.lookup.JndiLookup.lookup(LogEvent, String)",
"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
"expected": {
"latticeState": "CR",
"bucket": "runtime",
"reachable": true,
"confidence": 0.98,
"pathLength": 4,
"path": [
"sym:java:HttpRequestHandler.handle",
"sym:java:LogManager.getLogger",
"sym:java:Logger.info",
"sym:java:log4j.JndiLookup.lookup"
]
},
"reasoning": "Confirmed reachable via runtime probe - HTTP request handler logs user-controlled input which triggers JNDI lookup via message substitution"
},
{
"symbolId": "sym:java:log4j.JndiManager.lookup",
"display": "org.apache.logging.log4j.core.net.JndiManager.lookup(String)",
"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
"expected": {
"latticeState": "CU",
"bucket": "unreachable",
"reachable": false,
"confidence": 0.92,
"pathLength": null,
"path": null
},
"reasoning": "JndiManager.lookup is present in log4j-core but the direct JndiManager usage path is not exercised - only JndiLookup wrapper is used"
},
{
"symbolId": "sym:java:log4j.ScriptLookup.lookup",
"display": "org.apache.logging.log4j.core.lookup.ScriptLookup.lookup(LogEvent, String)",
"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
"expected": {
"latticeState": "SU",
"bucket": "unreachable",
"reachable": false,
"confidence": 0.85,
"pathLength": null,
"path": null
},
"reasoning": "ScriptLookup exists in log4j-core but is disabled by default and no configuration enables it"
}
],
"entryPoints": [
{
"symbolId": "sym:java:HttpRequestHandler.handle",
"display": "com.example.app.HttpRequestHandler.handle(HttpExchange)",
"phase": "runtime",
"source": "servlet"
},
{
"symbolId": "sym:java:Application.main",
"display": "com.example.app.Application.main(String[])",
"phase": "main",
"source": "manifest"
}
],
"expectedUncertainty": {
"states": [],
"aggregateTier": "T4",
"riskScore": 0.0
},
"expectedGateDecisions": [
{
"vulnId": "CVE-2021-44228",
"targetSymbol": "sym:java:log4j.JndiLookup.lookup",
"requestedStatus": "not_affected",
"expectedDecision": "block",
"expectedBlockedBy": "LatticeState",
"expectedReason": "CR state blocks not_affected - runtime evidence confirms reachability"
},
{
"vulnId": "CVE-2021-44228",
"targetSymbol": "sym:java:log4j.JndiLookup.lookup",
"requestedStatus": "affected",
"expectedDecision": "allow"
},
{
"vulnId": "CVE-2021-44228",
"targetSymbol": "sym:java:log4j.JndiManager.lookup",
"requestedStatus": "not_affected",
"expectedDecision": "allow",
"expectedReason": "CU state allows not_affected - confirmed unreachable"
},
{
"vulnId": "CVE-2021-44228",
"targetSymbol": "sym:java:log4j.ScriptLookup.lookup",
"requestedStatus": "not_affected",
"expectedDecision": "warn",
"expectedReason": "SU state allows not_affected but with warning - static analysis only, no runtime confirmation"
}
]
}

32
datasets/reachability/samples/java/vulnerable-log4j/manifest.json
View File

@@ -1,32 +0,0 @@
{
"sampleId": "sample:java:vulnerable-log4j:001",
"version": "1.0.0",
"createdAt": "2025-12-13T12:00:00Z",
"language": "java",
"category": "positive",
"description": "Log4Shell CVE-2021-44228 reachable via JNDI lookup in logging path from HTTP request handler",
"source": {
"repository": "synthetic",
"commit": "synthetic-sample",
"buildToolchain": "maven:3.9.0,jdk:17"
},
"vulnerabilities": [
{
"vulnId": "CVE-2021-44228",
"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
"affectedSymbol": "org.apache.logging.log4j.core.lookup.JndiLookup.lookup"
}
],
"artifacts": [
{
"path": "artifacts/app.jar",
"hash": "sha256:0000000000000000000000000000000000000000000000000000000000000004",
"type": "application/java-archive"
},
{
"path": "artifacts/sbom.cdx.json",
"hash": "sha256:0000000000000000000000000000000000000000000000000000000000000005",
"type": "application/vnd.cyclonedx+json"
}
]
}

100
datasets/reachability/samples/native/stripped-elf/ground-truth.json
View File

@@ -1,100 +0,0 @@
{
"schema": "ground-truth-v1",
"sampleId": "sample:native:stripped-elf:001",
"generatedAt": "2025-12-13T12:00:00Z",
"generator": {
"name": "manual-annotation",
"version": "1.0.0",
"annotator": "scanner-guild"
},
"targets": [
{
"symbolId": "sym:binary:ossl_punycode_decode",
"display": "ossl_punycode_decode",
"purl": "pkg:deb/ubuntu/openssl@3.0.2?arch=amd64",
"expected": {
"latticeState": "SR",
"bucket": "direct",
"reachable": true,
"confidence": 0.85,
"pathLength": 4,
"path": [
"sym:binary:_start",
"sym:binary:main",
"sym:binary:SSL_connect",
"sym:binary:ossl_punycode_decode"
]
},
"reasoning": "punycode_decode is reachable via SSL certificate validation during SSL_connect - lower confidence due to stripped binary heuristics"
},
{
"symbolId": "sym:binary:sub_401000",
"display": "sub_401000 (heuristic function)",
"purl": "pkg:generic/app@1.0.0",
"expected": {
"latticeState": "U",
"bucket": "unknown",
"reachable": null,
"confidence": 0.4,
"pathLength": null,
"path": null
},
"reasoning": "Stripped symbol detected by heuristic CFG analysis - function boundaries uncertain"
}
],
"entryPoints": [
{
"symbolId": "sym:binary:_start",
"display": "_start",
"phase": "load",
"source": "e_entry"
},
{
"symbolId": "sym:binary:main",
"display": "main",
"phase": "runtime",
"source": "symbol"
},
{
"symbolId": "init:binary:0x401000",
"display": "DT_INIT_ARRAY[0]",
"phase": "init",
"source": "DT_INIT_ARRAY"
}
],
"expectedUncertainty": {
"states": [
{
"code": "U1",
"entropy": 0.35
}
],
"aggregateTier": "T2",
"riskScore": 0.25
},
"expectedGateDecisions": [
{
"vulnId": "CVE-2022-3602",
"targetSymbol": "sym:binary:ossl_punycode_decode",
"requestedStatus": "not_affected",
"expectedDecision": "block",
"expectedBlockedBy": "LatticeState",
"expectedReason": "SR state blocks not_affected - static analysis shows reachability"
},
{
"vulnId": "CVE-2022-3602",
"targetSymbol": "sym:binary:ossl_punycode_decode",
"requestedStatus": "affected",
"expectedDecision": "warn",
"expectedReason": "T2 uncertainty tier requires review for affected status"
},
{
"vulnId": "CVE-2022-3602",
"targetSymbol": "sym:binary:sub_401000",
"requestedStatus": "not_affected",
"expectedDecision": "block",
"expectedBlockedBy": "UncertaintyTier",
"expectedReason": "Unknown state with U1 uncertainty blocks not_affected without justification"
}
]
}

27
datasets/reachability/samples/native/stripped-elf/manifest.json
View File

@@ -1,27 +0,0 @@
{
"sampleId": "sample:native:stripped-elf:001",
"version": "1.0.0",
"createdAt": "2025-12-13T12:00:00Z",
"language": "native",
"category": "positive",
"description": "Stripped ELF binary linking to vulnerable OpenSSL version with reachable SSL_read path",
"source": {
"repository": "synthetic",
"commit": "synthetic-sample",
"buildToolchain": "gcc:13.0,openssl:3.0.2"
},
"vulnerabilities": [
{
"vulnId": "CVE-2022-3602",
"purl": "pkg:deb/ubuntu/openssl@3.0.2?arch=amd64",
"affectedSymbol": "ossl_punycode_decode"
}
],
"artifacts": [
{
"path": "artifacts/app",
"hash": "sha256:0000000000000000000000000000000000000000000000000000000000000003",
"type": "application/x-executable"
}
]
}

189
datasets/reachability/schema/ground-truth.schema.json
View File

@@ -1,189 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "https://stellaops.io/schemas/reachability/ground-truth.schema.json",
"title": "Reachability Ground Truth",
"description": "Ground truth annotations for reachability test samples",
"type": "object",
"required": ["schema", "sampleId", "generatedAt", "generator", "targets", "entryPoints"],
"properties": {
"schema": {
"type": "string",
"const": "ground-truth-v1"
},
"sampleId": {
"type": "string",
"pattern": "^sample:[a-z]+:[a-z0-9-]+:[0-9]+$"
},
"generatedAt": {
"type": "string",
"format": "date-time"
},
"generator": {
"type": "object",
"required": ["name", "version"],
"properties": {
"name": {
"type": "string"
},
"version": {
"type": "string"
},
"annotator": {
"type": "string"
}
}
},
"targets": {
"type": "array",
"items": {
"$ref": "#/definitions/target"
}
},
"entryPoints": {
"type": "array",
"items": {
"$ref": "#/definitions/entryPoint"
}
},
"expectedUncertainty": {
"$ref": "#/definitions/uncertainty"
},
"expectedGateDecisions": {
"type": "array",
"items": {
"$ref": "#/definitions/gateDecision"
}
}
},
"definitions": {
"target": {
"type": "object",
"required": ["symbolId", "expected", "reasoning"],
"properties": {
"symbolId": {
"type": "string",
"pattern": "^sym:[a-z]+:.+"
},
"display": {
"type": "string"
},
"purl": {
"type": "string"
},
"expected": {
"type": "object",
"required": ["latticeState", "bucket", "reachable", "confidence"],
"properties": {
"latticeState": {
"type": "string",
"enum": ["U", "SR", "SU", "RO", "RU", "CR", "CU", "X"]
},
"bucket": {
"type": "string",
"enum": ["unknown", "direct", "runtime", "unreachable", "entrypoint"]
},
"reachable": {
"type": "boolean"
},
"confidence": {
"type": "number",
"minimum": 0,
"maximum": 1
},
"pathLength": {
"type": ["integer", "null"],
"minimum": 0
},
"path": {
"type": ["array", "null"],
"items": {
"type": "string"
}
}
}
},
"reasoning": {
"type": "string"
}
}
},
"entryPoint": {
"type": "object",
"required": ["symbolId", "phase", "source"],
"properties": {
"symbolId": {
"type": "string"
},
"display": {
"type": "string"
},
"phase": {
"type": "string",
"enum": ["load", "init", "runtime", "main", "fini"]
},
"source": {
"type": "string"
}
}
},
"uncertainty": {
"type": "object",
"required": ["aggregateTier"],
"properties": {
"states": {
"type": "array",
"items": {
"type": "object",
"required": ["code", "entropy"],
"properties": {
"code": {
"type": "string",
"enum": ["U1", "U2", "U3", "U4"]
},
"entropy": {
"type": "number",
"minimum": 0,
"maximum": 1
}
}
}
},
"aggregateTier": {
"type": "string",
"enum": ["T1", "T2", "T3", "T4"]
},
"riskScore": {
"type": "number",
"minimum": 0,
"maximum": 1
}
}
},
"gateDecision": {
"type": "object",
"required": ["vulnId", "targetSymbol", "requestedStatus", "expectedDecision"],
"properties": {
"vulnId": {
"type": "string"
},
"targetSymbol": {
"type": "string"
},
"requestedStatus": {
"type": "string",
"enum": ["affected", "not_affected", "under_investigation", "fixed"]
},
"expectedDecision": {
"type": "string",
"enum": ["allow", "block", "warn"]
},
"expectedBlockedBy": {
"type": "string"
},
"expectedReason": {
"type": "string"
}
}
}
}
}

94
datasets/reachability/schema/manifest.schema.json
View File

@@ -1,94 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "https://stellaops.io/schemas/reachability/manifest.schema.json",
"title": "Reachability Sample Manifest",
"description": "Metadata for a reachability test sample",
"type": "object",
"required": ["sampleId", "version", "createdAt", "language", "category", "description"],
"properties": {
"sampleId": {
"type": "string",
"pattern": "^sample:[a-z]+:[a-z0-9-]+:[0-9]+$",
"description": "Unique sample identifier"
},
"version": {
"type": "string",
"pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+$",
"description": "Sample version (SemVer)"
},
"createdAt": {
"type": "string",
"format": "date-time",
"description": "Creation timestamp (UTC ISO-8601)"
},
"language": {
"type": "string",
"enum": ["java", "csharp", "javascript", "php", "python", "native", "polyglot"],
"description": "Primary language of the sample"
},
"category": {
"type": "string",
"enum": ["positive", "negative", "contested"],
"description": "Ground truth category"
},
"description": {
"type": "string",
"description": "Human-readable description"
},
"source": {
"type": "object",
"properties": {
"repository": {
"type": "string",
"format": "uri"
},
"commit": {
"type": "string"
},
"buildToolchain": {
"type": "string"
}
}
},
"vulnerabilities": {
"type": "array",
"items": {
"type": "object",
"required": ["vulnId", "purl", "affectedSymbol"],
"properties": {
"vulnId": {
"type": "string",
"description": "CVE or advisory ID"
},
"purl": {
"type": "string",
"description": "Package URL of vulnerable package"
},
"affectedSymbol": {
"type": "string",
"description": "Symbol name that is vulnerable"
}
}
}
},
"artifacts": {
"type": "array",
"items": {
"type": "object",
"required": ["path", "hash", "type"],
"properties": {
"path": {
"type": "string"
},
"hash": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
},
"type": {
"type": "string"
}
}
}
}
}
}

121
datasets/reachability/schemas/corpus-sample.v1.json
View File

@@ -1,121 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "https://stellaops.io/schemas/corpus-sample.v1.json",
"title": "CorpusSample",
"description": "Schema for ground-truth corpus samples used in reachability benchmarking",
"type": "object",
"required": ["sampleId", "name", "format", "arch", "sinks"],
"properties": {
"sampleId": {
"type": "string",
"pattern": "^gt-[0-9]{4}$",
"description": "Unique identifier for the sample (e.g., gt-0001)"
},
"name": {
"type": "string",
"description": "Human-readable name for the sample"
},
"description": {
"type": "string",
"description": "Detailed description of what this sample tests"
},
"category": {
"type": "string",
"enum": ["basic", "indirect", "stripped", "obfuscated", "guarded", "callback", "virtual"],
"description": "Sample category for organization"
},
"format": {
"type": "string",
"enum": ["elf64", "elf32", "pe64", "pe32", "macho64", "macho32"],
"description": "Binary format"
},
"arch": {
"type": "string",
"enum": ["x86_64", "x86", "aarch64", "arm32", "riscv64"],
"description": "Target architecture"
},
"language": {
"type": "string",
"enum": ["c", "cpp", "rust", "go"],
"description": "Source language (for reference)"
},
"compiler": {
"type": "object",
"properties": {
"name": { "type": "string" },
"version": { "type": "string" },
"flags": { "type": "array", "items": { "type": "string" } }
},
"description": "Compiler information used to build the sample"
},
"entryPoint": {
"type": "string",
"default": "main",
"description": "Entry point function name"
},
"sinks": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"required": ["sinkId", "signature", "expected"],
"properties": {
"sinkId": {
"type": "string",
"pattern": "^sink-[0-9]{3}$",
"description": "Unique sink identifier within the sample"
},
"signature": {
"type": "string",
"description": "Function signature of the sink"
},
"sinkType": {
"type": "string",
"enum": ["memory_corruption", "command_injection", "sql_injection", "path_traversal", "format_string", "crypto_weakness", "custom"],
"description": "Type of vulnerability represented by the sink"
},
"expected": {
"type": "string",
"enum": ["reachable", "unreachable", "conditional"],
"description": "Expected reachability determination"
},
"expectedPaths": {
"type": "array",
"items": {
"type": "array",
"items": { "type": "string" }
},
"description": "Expected call paths from entry to sink (for reachable sinks)"
},
"guardConditions": {
"type": "array",
"items": {
"type": "object",
"properties": {
"variable": { "type": "string" },
"condition": { "type": "string" },
"value": { "type": "string" }
}
},
"description": "Guard conditions that protect the sink (for conditional sinks)"
},
"notes": {
"type": "string",
"description": "Additional notes about this sink"
}
}
},
"description": "List of sinks with expected reachability"
},
"metadata": {
"type": "object",
"properties": {
"createdAt": { "type": "string", "format": "date-time" },
"createdBy": { "type": "string" },
"version": { "type": "string" },
"sha256": { "type": "string", "pattern": "^[a-f0-9]{64}$" }
},
"description": "Metadata about the sample"
}
}
}