stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

consolidate the tests locations

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-26 01:48:24 +02:00
parent 17613acf57
commit 39359da171
2031 changed files with 2607 additions and 476 deletions
Download Patch File Download Diff File Expand all files Collapse all files

171
tests/reachability/fixtures/callgraph-schema-v1/all-edge-reasons.json
View File

@@ -1,171 +0,0 @@
{
"schema": "stella.callgraph.v1",
"scanKey": "scan:edge-reasons-test:1.0.0",
"language": "DotNet",
"artifacts": [
{
"artifactKey": "TestAssembly.dll",
"kind": "assembly",
"sha256": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
}
],
"nodes": [
{ "id": "async", "name": "AsyncTarget", "kind": "method", "visibility": "Public" },
{ "id": "caller", "name": "Caller", "kind": "method", "visibility": "Public" },
{ "id": "delegate", "name": "DelegateTarget", "kind": "method", "visibility": "Public" },
{ "id": "di", "name": "DiTarget", "kind": "method", "visibility": "Public" },
{ "id": "direct", "name": "DirectTarget", "kind": "method", "visibility": "Public" },
{ "id": "dynamic", "name": "DynamicTarget", "kind": "method", "visibility": "Public" },
{ "id": "event", "name": "EventTarget", "kind": "method", "visibility": "Public" },
{ "id": "generic", "name": "GenericTarget", "kind": "method", "visibility": "Public" },
{ "id": "native", "name": "NativeTarget", "kind": "method", "visibility": "Public" },
{ "id": "newobj", "name": "NewObjTarget", "kind": "method", "visibility": "Public" },
{ "id": "reflection", "name": "ReflectionTarget", "kind": "method", "visibility": "Public" },
{ "id": "runtime", "name": "RuntimeTarget", "kind": "method", "visibility": "Public" },
{ "id": "unknown", "name": "UnknownTarget", "kind": "method", "visibility": "Public" },
{ "id": "virtual", "name": "VirtualTarget", "kind": "method", "visibility": "Public" }
],
"edges": [
{
"sourceId": "caller",
"targetId": "direct",
"type": "call",
"kind": "Static",
"reason": "DirectCall",
"weight": 1.0,
"isResolved": true
},
{
"sourceId": "caller",
"targetId": "virtual",
"type": "callvirt",
"kind": "Static",
"reason": "VirtualCall",
"weight": 1.0,
"isResolved": true,
"candidates": ["impl1", "impl2"]
},
{
"sourceId": "caller",
"targetId": "reflection",
"type": "reflection",
"kind": "Heuristic",
"reason": "ReflectionString",
"weight": 0.5,
"isResolved": false,
"provenance": "Type.GetMethod"
},
{
"sourceId": "caller",
"targetId": "di",
"type": "di-binding",
"kind": "Heuristic",
"reason": "DiBinding",
"weight": 0.9,
"isResolved": true,
"provenance": "Microsoft.Extensions.DependencyInjection"
},
{
"sourceId": "caller",
"targetId": "dynamic",
"type": "dynamic-import",
"kind": "Heuristic",
"reason": "DynamicImport",
"weight": 0.7,
"isResolved": false
},
{
"sourceId": "caller",
"targetId": "newobj",
"type": "newobj",
"kind": "Static",
"reason": "NewObj",
"weight": 1.0,
"isResolved": true
},
{
"sourceId": "caller",
"targetId": "delegate",
"type": "ldftn",
"kind": "Static",
"reason": "DelegateCreate",
"weight": 1.0,
"isResolved": true
},
{
"sourceId": "caller",
"targetId": "async",
"type": "async",
"kind": "Static",
"reason": "AsyncContinuation",
"weight": 1.0,
"isResolved": true
},
{
"sourceId": "caller",
"targetId": "event",
"type": "event",
"kind": "Heuristic",
"reason": "EventHandler",
"weight": 0.85,
"isResolved": true
},
{
"sourceId": "caller",
"targetId": "generic",
"type": "generic",
"kind": "Static",
"reason": "GenericInstantiation",
"weight": 1.0,
"isResolved": true
},
{
"sourceId": "caller",
"targetId": "native",
"type": "pinvoke",
"kind": "Static",
"reason": "NativeInterop",
"weight": 1.0,
"isResolved": false,
"provenance": "kernel32.dll"
},
{
"sourceId": "caller",
"targetId": "runtime",
"type": "runtime",
"kind": "Runtime",
"reason": "RuntimeMinted",
"weight": 1.0,
"isResolved": true
},
{
"sourceId": "caller",
"targetId": "unknown",
"type": "unknown",
"kind": "Heuristic",
"reason": "Unknown",
"weight": 0.3,
"isResolved": false
}
],
"entrypoints": [
{
"nodeId": "caller",
"kind": "Test",
"framework": "Unknown",
"source": "test-runner",
"phase": "Runtime",
"order": 0
}
],
"metadata": {
"toolId": "stellaops.scanner.test",
"toolVersion": "1.0.0",
"analysisTimestamp": "2025-01-15T14:00:00Z"
},
"id": "cg-edge-reasons-001",
"component": "EdgeReasonsTest",
"version": "1.0.0",
"ingestedAt": "2025-01-15T14:00:00Z",
"graphHash": "sha256:edge-reasons"
}

119
tests/reachability/fixtures/callgraph-schema-v1/all-visibility-levels.json
View File

@@ -1,119 +0,0 @@
{
"schema": "stella.callgraph.v1",
"scanKey": "scan:visibility-test:1.0.0",
"language": "DotNet",
"artifacts": [
{
"artifactKey": "VisibilityTest.dll",
"kind": "assembly",
"sha256": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
}
],
"nodes": [
{
"id": "v001",
"name": "PublicMethod",
"kind": "method",
"namespace": "VisibilityTest",
"symbolKey": "VisibilityTest::PublicMethod()",
"visibility": "Public",
"isEntrypointCandidate": true
},
{
"id": "v002",
"name": "InternalMethod",
"kind": "method",
"namespace": "VisibilityTest.Internal",
"symbolKey": "VisibilityTest.Internal::InternalMethod()",
"visibility": "Internal",
"isEntrypointCandidate": false
},
{
"id": "v003",
"name": "ProtectedMethod",
"kind": "method",
"namespace": "VisibilityTest",
"symbolKey": "VisibilityTest.BaseClass::ProtectedMethod()",
"visibility": "Protected",
"isEntrypointCandidate": false
},
{
"id": "v004",
"name": "PrivateMethod",
"kind": "method",
"namespace": "VisibilityTest",
"symbolKey": "VisibilityTest.SomeClass::PrivateMethod()",
"visibility": "Private",
"isEntrypointCandidate": false
},
{
"id": "v005",
"name": "UnknownMethod",
"kind": "method",
"namespace": "External",
"symbolKey": "External::UnknownMethod()",
"visibility": "Unknown",
"isEntrypointCandidate": false
}
],
"edges": [
{
"sourceId": "v001",
"targetId": "v002",
"type": "call",
"kind": "Static",
"reason": "DirectCall",
"weight": 1.0,
"isResolved": true
},
{
"sourceId": "v002",
"targetId": "v003",
"type": "call",
"kind": "Static",
"reason": "DirectCall",
"weight": 1.0,
"isResolved": true
},
{
"sourceId": "v003",
"targetId": "v004",
"type": "call",
"kind": "Static",
"reason": "DirectCall",
"weight": 1.0,
"isResolved": true
},
{
"sourceId": "v004",
"targetId": "v005",
"type": "external",
"kind": "Static",
"reason": "DirectCall",
"weight": 1.0,
"isResolved": false
}
],
"entrypoints": [
{
"nodeId": "v001",
"kind": "Http",
"route": "/api/visibility",
"httpMethod": "GET",
"framework": "AspNetCore",
"source": "attribute",
"phase": "Runtime",
"order": 0
}
],
"metadata": {
"toolId": "stellaops.scanner.test",
"toolVersion": "1.0.0",
"analysisTimestamp": "2025-01-15T15:00:00Z"
},
"id": "cg-visibility-001",
"component": "VisibilityTest",
"version": "1.0.0",
"ingestedAt": "2025-01-15T15:00:00Z",
"graphHash": "sha256:visibility"
}

155
tests/reachability/fixtures/callgraph-schema-v1/dotnet-aspnetcore-minimal.json
View File

@@ -1,155 +0,0 @@
{
"schema": "stella.callgraph.v1",
"scanKey": "scan:dotnet-aspnetcore-minimal:v1.0.0",
"language": "DotNet",
"artifacts": [
{
"artifactKey": "SampleApi.dll",
"kind": "assembly",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"purl": "pkg:nuget/SampleApi@1.0.0",
"buildId": "build-001",
"filePath": "/app/SampleApi.dll",
"sizeBytes": 12345
}
],
"nodes": [
{
"id": "n001",
"nodeId": "n001",
"name": "Main",
"kind": "method",
"namespace": "SampleApi",
"file": "Program.cs",
"line": 1,
"symbolKey": "SampleApi::Main(string[])",
"artifactKey": "SampleApi.dll",
"visibility": "Public",
"isEntrypointCandidate": true,
"attributes": {
"returnType": "void"
},
"flags": 1
},
{
"id": "n002",
"nodeId": "n002",
"name": "GetWeatherForecast",
"kind": "method",
"namespace": "SampleApi.Controllers",
"file": "WeatherForecastController.cs",
"line": 15,
"symbolKey": "SampleApi.Controllers.WeatherForecastController::GetWeatherForecast()",
"artifactKey": "SampleApi.dll",
"visibility": "Public",
"isEntrypointCandidate": true,
"attributes": {
"returnType": "IEnumerable<WeatherForecast>",
"httpMethod": "GET",
"route": "/weatherforecast"
},
"flags": 3
},
{
"id": "n003",
"nodeId": "n003",
"name": "GetRandomSummary",
"kind": "method",
"namespace": "SampleApi.Services",
"file": "WeatherService.cs",
"line": 20,
"symbolKey": "SampleApi.Services.WeatherService::GetRandomSummary()",
"artifactKey": "SampleApi.dll",
"visibility": "Internal",
"isEntrypointCandidate": false,
"attributes": {
"returnType": "string"
},
"flags": 0
},
{
"id": "n004",
"nodeId": "n004",
"name": "CreateLogger",
"kind": "method",
"namespace": "SampleApi.Internal",
"file": "LoggingHelper.cs",
"line": 8,
"symbolKey": "SampleApi.Internal.LoggingHelper::CreateLogger()",
"artifactKey": "SampleApi.dll",
"visibility": "Private",
"isEntrypointCandidate": false,
"flags": 0
}
],
"edges": [
{
"sourceId": "n001",
"targetId": "n002",
"from": "n001",
"to": "n002",
"type": "call",
"kind": "Static",
"reason": "DirectCall",
"weight": 1.0,
"isResolved": true
},
{
"sourceId": "n002",
"targetId": "n003",
"from": "n002",
"to": "n003",
"type": "di",
"kind": "Heuristic",
"reason": "DiBinding",
"weight": 0.9,
"isResolved": true,
"provenance": "Microsoft.Extensions.DependencyInjection"
},
{
"sourceId": "n003",
"targetId": "n004",
"from": "n003",
"to": "n004",
"type": "call",
"kind": "Static",
"reason": "DirectCall",
"weight": 1.0,
"offset": 42,
"isResolved": true
}
],
"entrypoints": [
{
"nodeId": "n001",
"kind": "Main",
"framework": "AspNetCore",
"source": "attribute",
"phase": "AppStart",
"order": 0
},
{
"nodeId": "n002",
"kind": "Http",
"route": "/weatherforecast",
"httpMethod": "GET",
"framework": "AspNetCore",
"source": "attribute",
"phase": "Runtime",
"order": 1
}
],
"metadata": {
"toolId": "stellaops.scanner.dotnet",
"toolVersion": "1.0.0",
"analysisTimestamp": "2025-01-15T10:00:00Z",
"sourceCommit": "abc123def456",
"buildId": "build-001"
},
"id": "cg-dotnet-aspnetcore-minimal-001",
"languageString": "dotnet",
"component": "SampleApi",
"version": "1.0.0",
"ingestedAt": "2025-01-15T10:00:00Z",
"graphHash": "sha256:a1b2c3d4e5f6"
}

155
tests/reachability/fixtures/callgraph-schema-v1/go-gin-api.json
View File

@@ -1,155 +0,0 @@
{
"schema": "stella.callgraph.v1",
"scanKey": "scan:gin-api:1.5.0",
"language": "Go",
"artifacts": [
{
"artifactKey": "gin-api",
"kind": "go-binary",
"sha256": "d5e6f78901234567890abcdef0123456789abcdef0123456789abcdef0123456",
"purl": "pkg:golang/github.com/example/gin-api@1.5.0",
"filePath": "/app/gin-api",
"sizeBytes": 15000000
}
],
"nodes": [
{
"id": "g001",
"nodeId": "g001",
"name": "main",
"kind": "function",
"namespace": "main",
"file": "main.go",
"line": 12,
"symbolKey": "main.main",
"artifactKey": "gin-api",
"visibility": "Public",
"isEntrypointCandidate": true,
"flags": 1
},
{
"id": "g002",
"nodeId": "g002",
"name": "GetProduct",
"kind": "function",
"namespace": "handlers",
"file": "product_handler.go",
"line": 28,
"symbolKey": "github.com/example/gin-api/handlers.GetProduct",
"artifactKey": "gin-api",
"visibility": "Public",
"isEntrypointCandidate": true,
"attributes": {
"httpMethod": "GET",
"route": "/api/products/:id"
},
"flags": 3
},
{
"id": "g003",
"nodeId": "g003",
"name": "FindByID",
"kind": "function",
"namespace": "repository",
"file": "product_repo.go",
"line": 45,
"symbolKey": "github.com/example/gin-api/repository.(*ProductRepo).FindByID",
"artifactKey": "gin-api",
"visibility": "Public",
"isEntrypointCandidate": false,
"flags": 0
},
{
"id": "g004",
"nodeId": "g004",
"name": "init",
"kind": "function",
"namespace": "config",
"file": "config.go",
"line": 8,
"symbolKey": "github.com/example/gin-api/config.init",
"artifactKey": "gin-api",
"visibility": "Unknown",
"isEntrypointCandidate": true,
"flags": 2
}
],
"edges": [
{
"sourceId": "g004",
"targetId": "g001",
"from": "g004",
"to": "g001",
"type": "init",
"kind": "Static",
"reason": "DirectCall",
"weight": 1.0,
"isResolved": true,
"provenance": "go-init-order"
},
{
"sourceId": "g001",
"targetId": "g002",
"from": "g001",
"to": "g002",
"type": "router-bind",
"kind": "Heuristic",
"reason": "DelegateCreate",
"weight": 0.9,
"isResolved": true,
"provenance": "gin-router"
},
{
"sourceId": "g002",
"targetId": "g003",
"from": "g002",
"to": "g003",
"type": "interface",
"kind": "Static",
"reason": "VirtualCall",
"weight": 1.0,
"isResolved": true
}
],
"entrypoints": [
{
"nodeId": "g004",
"kind": "ModuleInit",
"framework": "Unknown",
"source": "convention",
"phase": "ModuleInit",
"order": 0
},
{
"nodeId": "g001",
"kind": "Main",
"framework": "Gin",
"source": "convention",
"phase": "AppStart",
"order": 1
},
{
"nodeId": "g002",
"kind": "Http",
"route": "/api/products/:id",
"httpMethod": "GET",
"framework": "Gin",
"source": "code-analysis",
"phase": "Runtime",
"order": 2
}
],
"metadata": {
"toolId": "stellaops.scanner.go",
"toolVersion": "1.0.0",
"analysisTimestamp": "2025-01-15T13:00:00Z",
"sourceCommit": "012def345abc",
"buildId": "build-004"
},
"id": "cg-go-gin-api-001",
"languageString": "go",
"component": "gin-api",
"version": "1.5.0",
"ingestedAt": "2025-01-15T13:00:00Z",
"graphHash": "sha256:d4e5f6a7b8c9"
}

155
tests/reachability/fixtures/callgraph-schema-v1/java-spring-boot.json
View File

@@ -1,155 +0,0 @@
{
"schema": "stella.callgraph.v1",
"scanKey": "scan:spring-petclinic:3.2.0",
"language": "Java",
"artifacts": [
{
"artifactKey": "spring-petclinic-3.2.0.jar",
"kind": "jar",
"sha256": "f4d3c2b1a0987654321fedcba0987654321fedcba0987654321fedcba098765",
"purl": "pkg:maven/org.springframework.samples/spring-petclinic@3.2.0",
"filePath": "/app/spring-petclinic-3.2.0.jar",
"sizeBytes": 54321000
}
],
"nodes": [
{
"id": "j001",
"nodeId": "j001",
"name": "main",
"kind": "method",
"namespace": "org.springframework.samples.petclinic",
"file": "PetClinicApplication.java",
"line": 25,
"symbolKey": "org.springframework.samples.petclinic.PetClinicApplication::main(String[])",
"artifactKey": "spring-petclinic-3.2.0.jar",
"visibility": "Public",
"isEntrypointCandidate": true,
"attributes": {
"returnType": "void",
"modifiers": "public static"
},
"flags": 1
},
{
"id": "j002",
"nodeId": "j002",
"name": "showOwner",
"kind": "method",
"namespace": "org.springframework.samples.petclinic.owner",
"file": "OwnerController.java",
"line": 87,
"symbolKey": "org.springframework.samples.petclinic.owner.OwnerController::showOwner(int)",
"artifactKey": "spring-petclinic-3.2.0.jar",
"visibility": "Public",
"isEntrypointCandidate": true,
"attributes": {
"returnType": "ModelAndView",
"httpMethod": "GET",
"route": "/owners/{ownerId}"
},
"flags": 3
},
{
"id": "j003",
"nodeId": "j003",
"name": "findById",
"kind": "method",
"namespace": "org.springframework.samples.petclinic.owner",
"file": "OwnerRepository.java",
"line": 42,
"symbolKey": "org.springframework.samples.petclinic.owner.OwnerRepository::findById(Integer)",
"artifactKey": "spring-petclinic-3.2.0.jar",
"visibility": "Public",
"isEntrypointCandidate": false,
"attributes": {
"returnType": "Owner"
},
"flags": 0
},
{
"id": "j004",
"nodeId": "j004",
"name": "validateOwner",
"kind": "method",
"namespace": "org.springframework.samples.petclinic.owner",
"file": "OwnerValidator.java",
"line": 30,
"symbolKey": "org.springframework.samples.petclinic.owner.OwnerValidator::validateOwner(Owner)",
"artifactKey": "spring-petclinic-3.2.0.jar",
"visibility": "Protected",
"isEntrypointCandidate": false,
"flags": 0
}
],
"edges": [
{
"sourceId": "j001",
"targetId": "j002",
"from": "j001",
"to": "j002",
"type": "spring-bean",
"kind": "Heuristic",
"reason": "DiBinding",
"weight": 0.85,
"isResolved": true,
"provenance": "SpringBoot"
},
{
"sourceId": "j002",
"targetId": "j003",
"from": "j002",
"to": "j003",
"type": "virtual",
"kind": "Static",
"reason": "VirtualCall",
"weight": 1.0,
"isResolved": true
},
{
"sourceId": "j002",
"targetId": "j004",
"from": "j002",
"to": "j004",
"type": "call",
"kind": "Static",
"reason": "DirectCall",
"weight": 1.0,
"offset": 156,
"isResolved": true
}
],
"entrypoints": [
{
"nodeId": "j001",
"kind": "Main",
"framework": "SpringBoot",
"source": "annotation",
"phase": "AppStart",
"order": 0
},
{
"nodeId": "j002",
"kind": "Http",
"route": "/owners/{ownerId}",
"httpMethod": "GET",
"framework": "Spring",
"source": "annotation",
"phase": "Runtime",
"order": 1
}
],
"metadata": {
"toolId": "stellaops.scanner.java",
"toolVersion": "1.0.0",
"analysisTimestamp": "2025-01-15T11:00:00Z",
"sourceCommit": "def789abc012",
"buildId": "build-002"
},
"id": "cg-java-spring-petclinic-001",
"languageString": "java",
"component": "spring-petclinic",
"version": "3.2.0",
"ingestedAt": "2025-01-15T11:00:00Z",
"graphHash": "sha256:b2c3d4e5f6a7"
}

47
tests/reachability/fixtures/callgraph-schema-v1/legacy-no-schema.json
View File

@@ -1,47 +0,0 @@
{
"id": "cg-legacy-001",
"languageString": "csharp",
"component": "LegacyApp",
"version": "0.9.0",
"ingestedAt": "2024-06-15T08:00:00Z",
"graphHash": "sha256:legacy123",
"nodes": [
{
"id": "l001",
"name": "Main",
"kind": "method",
"namespace": "LegacyApp"
},
{
"id": "l002",
"name": "ProcessData",
"kind": "method",
"namespace": "LegacyApp.Controllers"
},
{
"id": "l003",
"name": "ValidateInput",
"kind": "method",
"namespace": "LegacyApp.Internal"
}
],
"edges": [
{
"sourceId": "l001",
"targetId": "l002",
"type": "call"
},
{
"sourceId": "l002",
"targetId": "l003",
"type": "call"
}
],
"roots": [
{
"id": "l001",
"phase": "startup",
"source": "convention"
}
]
}

146
tests/reachability/fixtures/callgraph-schema-v1/node-express-api.json
View File

@@ -1,146 +0,0 @@
{
"schema": "stella.callgraph.v1",
"scanKey": "scan:express-api:2.1.0",
"language": "Node",
"artifacts": [
{
"artifactKey": "express-api",
"kind": "npm-package",
"sha256": "c4d5e6f7890123456789abcdef0123456789abcdef0123456789abcdef012345",
"purl": "pkg:npm/express-api@2.1.0",
"filePath": "/app",
"sizeBytes": 2500000
}
],
"nodes": [
{
"id": "e001",
"nodeId": "e001",
"name": "startServer",
"kind": "function",
"namespace": "src",
"file": "index.js",
"line": 15,
"symbolKey": "src/index.js::startServer",
"artifactKey": "express-api",
"visibility": "Public",
"isEntrypointCandidate": true,
"flags": 1
},
{
"id": "e002",
"nodeId": "e002",
"name": "getUserById",
"kind": "function",
"namespace": "src/routes",
"file": "users.js",
"line": 22,
"symbolKey": "src/routes/users.js::getUserById",
"artifactKey": "express-api",
"visibility": "Public",
"isEntrypointCandidate": true,
"attributes": {
"httpMethod": "GET",
"route": "/api/users/:id"
},
"flags": 3
},
{
"id": "e003",
"nodeId": "e003",
"name": "findUser",
"kind": "function",
"namespace": "src/services",
"file": "userService.js",
"line": 45,
"symbolKey": "src/services/userService.js::findUser",
"artifactKey": "express-api",
"visibility": "Public",
"isEntrypointCandidate": false,
"flags": 0
},
{
"id": "e004",
"nodeId": "e004",
"name": "query",
"kind": "function",
"namespace": "src/db",
"file": "connection.js",
"line": 30,
"symbolKey": "src/db/connection.js::query",
"artifactKey": "express-api",
"visibility": "Public",
"isEntrypointCandidate": false,
"flags": 0
}
],
"edges": [
{
"sourceId": "e001",
"targetId": "e002",
"from": "e001",
"to": "e002",
"type": "require",
"kind": "Static",
"reason": "DynamicImport",
"weight": 0.95,
"isResolved": true,
"provenance": "express-router"
},
{
"sourceId": "e002",
"targetId": "e003",
"from": "e002",
"to": "e003",
"type": "call",
"kind": "Static",
"reason": "DirectCall",
"weight": 1.0,
"isResolved": true
},
{
"sourceId": "e003",
"targetId": "e004",
"from": "e003",
"to": "e004",
"type": "async-call",
"kind": "Static",
"reason": "AsyncContinuation",
"weight": 1.0,
"isResolved": true
}
],
"entrypoints": [
{
"nodeId": "e001",
"kind": "Main",
"framework": "Express",
"source": "convention",
"phase": "AppStart",
"order": 0
},
{
"nodeId": "e002",
"kind": "Http",
"route": "/api/users/:id",
"httpMethod": "GET",
"framework": "Express",
"source": "code-analysis",
"phase": "Runtime",
"order": 1
}
],
"metadata": {
"toolId": "stellaops.scanner.node",
"toolVersion": "1.0.0",
"analysisTimestamp": "2025-01-15T12:00:00Z",
"sourceCommit": "789abc012def",
"buildId": "build-003"
},
"id": "cg-node-express-api-001",
"languageString": "javascript",
"component": "express-api",
"version": "2.1.0",
"ingestedAt": "2025-01-15T12:00:00Z",
"graphHash": "sha256:c3d4e5f6a7b8"
}

32
tests/reachability/fixtures/patch-oracles/INDEX.json
View File

@@ -1,32 +0,0 @@
{
"version": "1.0",
"schema": "patch-oracle/v1",
"generated_at": "2025-12-13T00:00:00Z",
"description": "Patch-oracle fixtures for CI graph validation. Each oracle defines expected functions/edges that must be present (or absent) in generated reachability graphs.",
"oracles": [
{
"id": "curl-CVE-2023-38545-socks5-heap-reachable",
"case_ref": "curl-CVE-2023-38545-socks5-heap",
"variant": "reachable",
"path": "cases/curl-CVE-2023-38545-socks5-heap/reachable.oracle.json"
},
{
"id": "curl-CVE-2023-38545-socks5-heap-unreachable",
"case_ref": "curl-CVE-2023-38545-socks5-heap",
"variant": "unreachable",
"path": "cases/curl-CVE-2023-38545-socks5-heap/unreachable.oracle.json"
},
{
"id": "java-log4j-CVE-2021-44228-log4shell-reachable",
"case_ref": "java-log4j-CVE-2021-44228-log4shell",
"variant": "reachable",
"path": "cases/java-log4j-CVE-2021-44228-log4shell/reachable.oracle.json"
},
{
"id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset-reachable",
"case_ref": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"variant": "reachable",
"path": "cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/reachable.oracle.json"
}
]
}

56
tests/reachability/fixtures/patch-oracles/cases/curl-CVE-2023-38545-socks5-heap/reachable.oracle.json
View File

@@ -1,56 +0,0 @@
{
"schema_version": "patch-oracle/v1",
"id": "curl-CVE-2023-38545-socks5-heap-reachable",
"case_ref": "curl-CVE-2023-38545-socks5-heap",
"variant": "reachable",
"description": "Validates that the SOCKS5 heap overflow vulnerability path is reachable from network handler to vulnerable sink",
"expected_functions": [
{
"symbol_id": "sym://net:handler#read",
"kind": "entrypoint",
"required": true,
"reason": "Network read handler is the entry point for external data"
},
{
"symbol_id": "sym://curl:curl.c#entry",
"kind": "function",
"required": true,
"reason": "SOCKS5 protocol handling entry point"
},
{
"symbol_id": "sym://curl:curl.c#sink",
"kind": "function",
"required": true,
"reason": "Vulnerable buffer handling function"
}
],
"expected_edges": [
{
"from": "sym://net:handler#read",
"to": "sym://curl:curl.c#entry",
"kind": "call",
"min_confidence": 0.8,
"required": true,
"reason": "Data flows from network handler to SOCKS5 handler"
},
{
"from": "sym://curl:curl.c#entry",
"to": "sym://curl:curl.c#sink",
"kind": "call",
"min_confidence": 0.8,
"required": true,
"reason": "SOCKS5 handler invokes vulnerable buffer function"
}
],
"expected_roots": [
{
"id": "sym://net:handler#read",
"phase": "runtime",
"required": true,
"reason": "Network handler is the runtime entry point"
}
],
"min_confidence": 0.5,
"strict_mode": false,
"created_at": "2025-12-13T00:00:00Z"
}

32
tests/reachability/fixtures/patch-oracles/cases/curl-CVE-2023-38545-socks5-heap/unreachable.oracle.json
View File

@@ -1,32 +0,0 @@
{
"schema_version": "patch-oracle/v1",
"id": "curl-CVE-2023-38545-socks5-heap-unreachable",
"case_ref": "curl-CVE-2023-38545-socks5-heap",
"variant": "unreachable",
"description": "Validates that the SOCKS5 heap overflow vulnerability path is NOT reachable when SOCKS5 is disabled",
"expected_functions": [
{
"symbol_id": "sym://net:handler#read",
"kind": "entrypoint",
"required": true,
"reason": "Network read handler still exists but cannot reach vulnerable code"
}
],
"expected_edges": [],
"forbidden_functions": [
{
"symbol_id": "sym://curl:curl.c#sink",
"reason": "Vulnerable sink should not be in call graph when SOCKS5 disabled"
}
],
"forbidden_edges": [
{
"from": "sym://curl:curl.c#entry",
"to": "sym://curl:curl.c#sink",
"reason": "This edge should not exist when SOCKS5 is disabled"
}
],
"min_confidence": 0.5,
"strict_mode": false,
"created_at": "2025-12-13T00:00:00Z"
}

44
tests/reachability/fixtures/patch-oracles/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/reachable.oracle.json
View File

@@ -1,44 +0,0 @@
{
"schema_version": "patch-oracle/v1",
"id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset-reachable",
"case_ref": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"variant": "reachable",
"description": "Validates that the HTTP/2 Rapid Reset DoS vulnerability path is reachable",
"expected_functions": [
{
"symbol_id": "sym://dotnet:Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http2.Http2Connection#ProcessRequestsAsync",
"lang": "dotnet",
"kind": "method",
"required": true,
"reason": "HTTP/2 connection handler entry point"
},
{
"symbol_id": "sym://dotnet:Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http2.Http2Stream#*",
"lang": "dotnet",
"kind": "method",
"required": true,
"reason": "HTTP/2 stream management affected by rapid reset"
}
],
"expected_edges": [
{
"from": "sym://dotnet:Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http2.Http2Connection#ProcessRequestsAsync",
"to": "sym://dotnet:Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http2.Http2Stream#*",
"kind": "call",
"min_confidence": 0.7,
"required": true,
"reason": "Connection handler creates/manages streams"
}
],
"expected_roots": [
{
"id": "sym://dotnet:Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http2.Http2Connection#ProcessRequestsAsync",
"phase": "runtime",
"required": true,
"reason": "HTTP/2 processing is a runtime entry point"
}
],
"min_confidence": 0.5,
"strict_mode": false,
"created_at": "2025-12-13T00:00:00Z"
}

64
tests/reachability/fixtures/patch-oracles/cases/java-log4j-CVE-2021-44228-log4shell/reachable.oracle.json
View File

@@ -1,64 +0,0 @@
{
"schema_version": "patch-oracle/v1",
"id": "java-log4j-CVE-2021-44228-log4shell-reachable",
"case_ref": "java-log4j-CVE-2021-44228-log4shell",
"variant": "reachable",
"description": "Validates that the Log4Shell JNDI injection path is reachable from logger to JNDI lookup",
"expected_functions": [
{
"symbol_id": "sym://java:org.apache.logging.log4j.core.Logger#logMessage",
"lang": "java",
"kind": "method",
"required": true,
"reason": "Logger entry point that processes user-controlled format strings"
},
{
"symbol_id": "sym://java:org.apache.logging.log4j.core.pattern.MessagePatternConverter#format",
"lang": "java",
"kind": "method",
"required": true,
"reason": "Pattern converter that triggers lookup substitution"
},
{
"symbol_id": "sym://java:org.apache.logging.log4j.core.lookup.StrSubstitutor#replace",
"lang": "java",
"kind": "method",
"required": true,
"reason": "String substitution that invokes lookups"
},
{
"symbol_id": "sym://java:org.apache.logging.log4j.core.lookup.JndiLookup#lookup",
"lang": "java",
"kind": "method",
"required": true,
"reason": "Vulnerable JNDI lookup method"
}
],
"expected_edges": [
{
"from": "sym://java:org.apache.logging.log4j.core.Logger#logMessage",
"to": "sym://java:org.apache.logging.log4j.core.pattern.MessagePatternConverter#format",
"kind": "call",
"required": true,
"reason": "Logger delegates to pattern converter"
},
{
"from": "sym://java:org.apache.logging.log4j.core.lookup.StrSubstitutor#replace",
"to": "sym://java:org.apache.logging.log4j.core.lookup.JndiLookup#lookup",
"kind": "call",
"required": true,
"reason": "String substitution invokes JNDI lookup"
}
],
"expected_roots": [
{
"id": "sym://java:org.apache.logging.log4j.core.Logger#*",
"phase": "runtime",
"required": true,
"reason": "Logger methods are runtime entry points"
}
],
"min_confidence": 0.6,
"strict_mode": false,
"created_at": "2025-12-13T00:00:00Z"
}

179
tests/reachability/fixtures/patch-oracles/schema/patch-oracle-v1.json
View File

@@ -1,179 +0,0 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "stellaops:patch-oracle/v1",
"title": "Patch Oracle Schema v1",
"description": "Defines expected functions/edges for reachability graph validation. CI fails when expected elements are missing.",
"type": "object",
"properties": {
"schema_version": {
"type": "string",
"const": "patch-oracle/v1",
"description": "Schema version identifier"
},
"id": {
"type": "string",
"description": "Unique oracle identifier (e.g., 'curl-CVE-2023-38545-socks5-heap-reachable')"
},
"case_ref": {
"type": "string",
"description": "Reference to parent reachbench case (e.g., 'curl-CVE-2023-38545-socks5-heap')"
},
"variant": {
"type": "string",
"enum": ["reachable", "unreachable"],
"description": "Which variant this oracle applies to"
},
"description": {
"type": "string",
"description": "Human-readable description of what this oracle validates"
},
"expected_functions": {
"type": "array",
"description": "Functions that MUST be present in the generated graph",
"items": {
"$ref": "#/definitions/expected_function"
}
},
"expected_edges": {
"type": "array",
"description": "Edges that MUST be present in the generated graph",
"items": {
"$ref": "#/definitions/expected_edge"
}
},
"expected_roots": {
"type": "array",
"description": "Root nodes that MUST be present in the generated graph",
"items": {
"$ref": "#/definitions/expected_root"
}
},
"forbidden_functions": {
"type": "array",
"description": "Functions that MUST NOT be present (for unreachable variants)",
"items": {
"$ref": "#/definitions/expected_function"
}
},
"forbidden_edges": {
"type": "array",
"description": "Edges that MUST NOT be present (for unreachable variants)",
"items": {
"$ref": "#/definitions/expected_edge"
}
},
"min_confidence": {
"type": "number",
"minimum": 0.0,
"maximum": 1.0,
"default": 0.5,
"description": "Minimum confidence threshold for edge matching"
},
"strict_mode": {
"type": "boolean",
"default": false,
"description": "If true, extra functions/edges not in oracle cause failure"
},
"created_at": {
"type": "string",
"format": "date-time",
"description": "When this oracle was created"
},
"updated_at": {
"type": "string",
"format": "date-time",
"description": "When this oracle was last updated"
}
},
"required": ["schema_version", "id", "case_ref", "variant"],
"definitions": {
"expected_function": {
"type": "object",
"properties": {
"symbol_id": {
"type": "string",
"description": "Expected symbol ID (exact match or pattern with '*' wildcards)"
},
"lang": {
"type": "string",
"description": "Expected language (optional, for filtering)"
},
"kind": {
"type": "string",
"description": "Expected node kind (e.g., 'function', 'method', 'entrypoint')"
},
"purl_pattern": {
"type": "string",
"description": "Expected purl pattern (optional, supports wildcards)"
},
"required": {
"type": "boolean",
"default": true,
"description": "If true, missing this function fails CI"
},
"reason": {
"type": "string",
"description": "Why this function is expected (for documentation)"
}
},
"required": ["symbol_id"]
},
"expected_edge": {
"type": "object",
"properties": {
"from": {
"type": "string",
"description": "Source node symbol ID (exact match or pattern)"
},
"to": {
"type": "string",
"description": "Target node symbol ID (exact match or pattern)"
},
"kind": {
"type": "string",
"description": "Expected edge kind (e.g., 'call', 'plt', 'indirect')"
},
"min_confidence": {
"type": "number",
"minimum": 0.0,
"maximum": 1.0,
"description": "Minimum confidence for this specific edge"
},
"required": {
"type": "boolean",
"default": true,
"description": "If true, missing this edge fails CI"
},
"reason": {
"type": "string",
"description": "Why this edge is expected (for documentation)"
}
},
"required": ["from", "to"]
},
"expected_root": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Root node ID (exact match or pattern)"
},
"phase": {
"type": "string",
"enum": ["load", "init", "main", "runtime", "fini"],
"description": "Expected execution phase"
},
"required": {
"type": "boolean",
"default": true,
"description": "If true, missing this root fails CI"
},
"reason": {
"type": "string",
"description": "Why this root is expected"
}
},
"required": ["id"]
}
}
}

444
tests/reachability/fixtures/reachbench-2025-expanded/INDEX.json
View File

@@ -1,444 +0,0 @@
{
"version": "0.1",
"generated_at": "2025-11-07T22:40:04Z",
"cases": [
{
"id": "runc-CVE-2024-21626-symlink-breakout",
"primary_axis": "container-escape",
"tags": [
"symlink",
"filesystem",
"userns"
],
"languages": [
"binary"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 9.0,
"references": [
"cve:CVE-2024-21626"
]
},
{
"id": "linux-cgroups-CVE-2022-0492-release_agent",
"primary_axis": "container-escape",
"tags": [
"cgroups",
"kernel",
"priv-esc"
],
"languages": [
"binary"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 9.0,
"references": [
"cve:CVE-2022-0492"
]
},
{
"id": "glibc-CVE-2023-4911-looney-tunables",
"primary_axis": "binary-hybrid",
"tags": [
"env-vars",
"libc",
"ldso"
],
"languages": [
"c"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2023-4911"
]
},
{
"id": "curl-CVE-2023-38545-socks5-heap",
"primary_axis": "binary-hybrid",
"tags": [
"networking",
"proxy",
"heap"
],
"languages": [
"c"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2023-38545"
]
},
{
"id": "openssl-CVE-2022-3602-x509-name-constraints",
"primary_axis": "binary-hybrid",
"tags": [
"x509",
"parser",
"stack-overflow"
],
"languages": [
"c"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2022-3602"
]
},
{
"id": "openssh-CVE-2024-6387-regreSSHion",
"primary_axis": "binary-hybrid",
"tags": [
"signal-handler",
"daemon"
],
"languages": [
"c"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2024-6387"
]
},
{
"id": "redis-CVE-2022-0543-lua-sandbox-escape",
"primary_axis": "binary-hybrid",
"tags": [
"lua",
"sandbox",
"rce"
],
"languages": [
"c",
"lua"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2022-0543"
]
},
{
"id": "java-log4j-CVE-2021-44228-log4shell",
"primary_axis": "lang-jvm",
"tags": [
"jndi",
"deserialization",
"rce"
],
"languages": [
"java"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 9.8,
"references": [
"cve:CVE-2021-44228"
]
},
{
"id": "java-spring-CVE-2022-22965-spring4shell",
"primary_axis": "lang-jvm",
"tags": [
"binding",
"reflection",
"rce"
],
"languages": [
"java"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 9.8,
"references": [
"cve:CVE-2022-22965"
]
},
{
"id": "java-jackson-CVE-2019-12384-polymorphic-deser",
"primary_axis": "lang-jvm",
"tags": [
"deserialization",
"polymorphism"
],
"languages": [
"java"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2019-12384"
]
},
{
"id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"primary_axis": "lang-dotnet",
"tags": [
"protocol",
"http2",
"dos"
],
"languages": [
"dotnet"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2023-44487"
]
},
{
"id": "dotnet-newtonsoft-deser-TBD",
"primary_axis": "lang-dotnet",
"tags": [
"deserialization",
"json",
"polymorphic"
],
"languages": [
"dotnet"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": []
},
{
"id": "go-ssh-CVE-2020-9283-keyexchange",
"primary_axis": "lang-go",
"tags": [
"crypto",
"handshake"
],
"languages": [
"go"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2020-9283"
]
},
{
"id": "go-gateway-reflection-auth-bypass",
"primary_axis": "lang-go",
"tags": [
"grpc",
"reflection",
"authz-gap"
],
"languages": [
"go"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": []
},
{
"id": "node-tar-CVE-2021-37713-path-traversal",
"primary_axis": "lang-node",
"tags": [
"path-traversal",
"archive-extract"
],
"languages": [
"node"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2021-37713"
]
},
{
"id": "node-express-middleware-order-auth-bypass",
"primary_axis": "lang-node",
"tags": [
"middleware-order",
"authz"
],
"languages": [
"node"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": []
},
{
"id": "python-jinja2-CVE-2019-10906-template-injection",
"primary_axis": "lang-python",
"tags": [
"template-injection"
],
"languages": [
"python"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2019-10906"
]
},
{
"id": "python-django-CVE-2019-19844-sqli-like",
"primary_axis": "lang-python",
"tags": [
"sqli",
"orm"
],
"languages": [
"python"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2019-19844"
]
},
{
"id": "python-urllib3-dos-regex-TBD",
"primary_axis": "lang-python",
"tags": [
"regex-dos",
"parser"
],
"languages": [
"python"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": []
},
{
"id": "php-phpmailer-CVE-2016-10033-rce",
"primary_axis": "lang-php",
"tags": [
"rce",
"email"
],
"languages": [
"php"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2016-10033"
]
},
{
"id": "wordpress-core-CVE-2022-21661-sqli",
"primary_axis": "lang-php",
"tags": [
"sqli",
"core"
],
"languages": [
"php"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2022-21661"
]
},
{
"id": "rails-CVE-2019-5418-file-content-disclosure",
"primary_axis": "lang-ruby",
"tags": [
"path-traversal",
"mime"
],
"languages": [
"ruby"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2019-5418"
]
},
{
"id": "rust-axum-header-parsing-TBD",
"primary_axis": "lang-rust",
"tags": [
"parser",
"config-sensitive"
],
"languages": [
"rust"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": []
}
]
}

2
tests/reachability/fixtures/reachbench-2025-expanded/README.md
View File

@@ -1,2 +0,0 @@
# ReachBench-2025 Expanded Kit (Skeleton)
This is a scaffold containing diverse cases across languages and reach paths. Replace STUBs with real build configs, symbols, and call graphs.

46
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/case.json
View File

@@ -1,46 +0,0 @@
{
"id": "curl-CVE-2023-38545-socks5-heap",
"cve": "CVE-2023-38545",
"description": "STUB: Replace with accurate description and threat model for the specific CVE/case.",
"threat_model": {
"entry_points": [
"STUB: define concrete inputs"
],
"preconditions": [
"STUB: feature flags / modules / protocols enabled"
],
"privilege_boundary": [
"STUB: describe boundary (if any)"
]
},
"ground_truth": {
"reachable_variant": {
"status": "affected",
"evidence": {
"symbols": [
"sym://curl:curl.c#sink"
],
"paths": [
[
"sym://net:handler#read",
"sym://curl:curl.c#entry",
"sym://curl:curl.c#sink"
]
],
"runtime_proof": "traces.runtime.jsonl: lines 1-5"
}
},
"unreachable_variant": {
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"evidence": {
"pruning_reason": [
"STUB: feature disabled, module absent, or policy denies"
],
"blocked_edges": [
"sym://curl:curl.c#entry -> sym://curl:curl.c#sink"
]
}
}
}
}

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/docs/README.md
View File

@@ -1,15 +0,0 @@
# curl-CVE-2023-38545-socks5-heap
Primary axis: binary-hybrid
Tags: networking, proxy, heap
Languages: c
## Variants
- reachable: vulnerable function/path is on an executable route.
- unreachable: same base image/config with control toggles that prune the path.
## Entrypoint & Controls (fill in)
- entrypoints: e.g., http:/route, grpc method, tcp port, OCI hook
- flags: e.g., feature_on=true, middleware_order=bad|good, module_loaded=true|false, LSM=enforcing|permissive
## Expected ground-truth path(s)
See `images/*/reachgraph.truth.json`.

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/attestation.dsse.json
View File

@@ -1,5 +0,0 @@
{
"payload": "",
"payloadType": "application/vnd.in-toto+json",
"signatures": []
}

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/callgraph.framework.json
View File

@@ -1,5 +0,0 @@
{
"edges": [],
"nodes": [],
"schema_version": "reachbench.callgraph.framework/v1"
}

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/callgraph.static.json
View File

@@ -1,5 +0,0 @@
{
"edges": [],
"nodes": [],
"schema_version": "reachbench.callgraph.static/v1"
}

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/manifest.json
View File

@@ -1,15 +0,0 @@
{
"case_id": "curl-CVE-2023-38545-socks5-heap",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "9545261d413f4f85d120ebe8432c32ba97ba3feb2d34075fd689fcb5794f3ab0",
"sbom.cdx.json": "ce41fd9b9edadf94a8cc84a3cce4e175b0602fd2e0d8dcb067273b9584479980",
"sbom.spdx.json": "10d7417961d3cac0f3a5c4b083917fba3dc4f9bd9140d80aad0a873435158482",
"symbols.json": "c5f473aff5b428df5a3f9c3393b7fbceb94214e3c2fd4f547d4f258ca25a3080",
"vex.openvex.json": "0518d09c2ae692b96553feb821ff8138fc0ea6c840d75c1f80149add21127ddd"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"
}

12
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/reachgraph.truth.json
View File

@@ -1,12 +0,0 @@
{
"case_id": "curl-CVE-2023-38545-socks5-heap",
"paths": [
[
"sym://net:handler#read",
"sym://curl:curl.c#entry",
"sym://curl:curl.c#sink"
]
],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "reachable"
}

11
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/sbom.cdx.json
View File

@@ -1,11 +0,0 @@
{
"bomFormat": "CycloneDX",
"components": [],
"metadata": {
"component": {
"name": "curl-CVE-2023-38545-socks5-heap",
"version": "0.0.0"
}
},
"specVersion": "1.5"
}

6
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/sbom.spdx.json
View File

@@ -1,6 +0,0 @@
{
"SPDXID": "SPDXRef-DOCUMENT",
"name": "curl-CVE-2023-38545-socks5-heap",
"packages": [],
"spdxVersion": "SPDX-2.3"
}

8
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/symbols.json
View File

@@ -1,8 +0,0 @@
{
"case_id": "curl-CVE-2023-38545-socks5-heap",
"schema_version": "reachbench.symbols/v1",
"symbols": [
"sym://curl:curl.c#sink"
],
"variant": "reachable"
}

2
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/traces.runtime.jsonl
View File

@@ -1,2 +0,0 @@
{"ts": 1.001, "event": "call", "sid": "sym://curl:curl.c#entry", "pid": 100}
{"ts": 1.005, "event": "call", "sid": "sym://curl:curl.c#sink", "pid": 100}

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/vex.openvex.json
View File

@@ -1,15 +0,0 @@
{
"author": "StellaOps",
"role": "reachbench",
"statements": [
{
"products": [
"pkg:curl-CVE-2023-38545-socks5-heap"
],
"status": "affected",
"statusJustification": "component_present",
"vulnerability": "cve:CVE-2023-38545"
}
],
"timestamp": "2025-11-18T00:00:00Z"
}

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/attestation.dsse.json
View File

@@ -1,5 +0,0 @@
{
"payload": "",
"payloadType": "application/vnd.in-toto+json",
"signatures": []
}

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/callgraph.framework.json
View File

@@ -1,5 +0,0 @@
{
"edges": [],
"nodes": [],
"schema_version": "reachbench.callgraph.framework/v1"
}

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/callgraph.static.json
View File

@@ -1,5 +0,0 @@
{
"edges": [],
"nodes": [],
"schema_version": "reachbench.callgraph.static/v1"
}

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/manifest.json
View File

@@ -1,15 +0,0 @@
{
"case_id": "curl-CVE-2023-38545-socks5-heap",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "490c4175eb06e0c623e60263d2ce029ffa8b236aea5780c448b8180f38a1bf6f",
"sbom.cdx.json": "ce41fd9b9edadf94a8cc84a3cce4e175b0602fd2e0d8dcb067273b9584479980",
"sbom.spdx.json": "10d7417961d3cac0f3a5c4b083917fba3dc4f9bd9140d80aad0a873435158482",
"symbols.json": "1b6a9e5598d2521e0ca55ed0f3f287ef19dc11cb1fb24fe961370c2fa7036214",
"vex.openvex.json": "a9fa7e917601538e17750fb1c25b24e18333c779ec0d5d98d4fbccf84e2f544e"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"
}

6
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/reachgraph.truth.json
View File

@@ -1,6 +0,0 @@
{
"case_id": "curl-CVE-2023-38545-socks5-heap",
"paths": [],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "unreachable"
}

11
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/sbom.cdx.json
View File

@@ -1,11 +0,0 @@
{
"bomFormat": "CycloneDX",
"components": [],
"metadata": {
"component": {
"name": "curl-CVE-2023-38545-socks5-heap",
"version": "0.0.0"
}
},
"specVersion": "1.5"
}

6
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/sbom.spdx.json
View File

@@ -1,6 +0,0 @@
{
"SPDXID": "SPDXRef-DOCUMENT",
"name": "curl-CVE-2023-38545-socks5-heap",
"packages": [],
"spdxVersion": "SPDX-2.3"
}

6
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/symbols.json
View File

@@ -1,6 +0,0 @@
{
"case_id": "curl-CVE-2023-38545-socks5-heap",
"schema_version": "reachbench.symbols/v1",
"symbols": [],
"variant": "unreachable"
}

1
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/traces.runtime.jsonl
View File

@@ -1 +0,0 @@
{"ts": 1.001, "event": "call", "sid": "sym://curl:curl.c#entry", "pid": 100}

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/vex.openvex.json
View File

@@ -1,15 +0,0 @@
{
"author": "StellaOps",
"role": "reachbench",
"statements": [
{
"products": [
"pkg:curl-CVE-2023-38545-socks5-heap"
],
"status": "not_affected",
"statusJustification": "component_not_present",
"vulnerability": "cve:CVE-2023-38545"
}
],
"timestamp": "2025-11-18T00:00:00Z"
}

46
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/case.json
View File

@@ -1,46 +0,0 @@
{
"id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"cve": "CVE-2023-44487",
"description": "STUB: Replace with accurate description and threat model for the specific CVE/case.",
"threat_model": {
"entry_points": [
"STUB: define concrete inputs"
],
"preconditions": [
"STUB: feature flags / modules / protocols enabled"
],
"privilege_boundary": [
"STUB: describe boundary (if any)"
]
},
"ground_truth": {
"reachable_variant": {
"status": "affected",
"evidence": {
"symbols": [
"sym://dotnet:dotnet.c#sink"
],
"paths": [
[
"sym://net:handler#read",
"sym://dotnet:dotnet.c#entry",
"sym://dotnet:dotnet.c#sink"
]
],
"runtime_proof": "traces.runtime.jsonl: lines 1-5"
}
},
"unreachable_variant": {
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"evidence": {
"pruning_reason": [
"STUB: feature disabled, module absent, or policy denies"
],
"blocked_edges": [
"sym://dotnet:dotnet.c#entry -> sym://dotnet:dotnet.c#sink"
]
}
}
}
}

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/docs/README.md
View File

@@ -1,15 +0,0 @@
# dotnet-kestrel-CVE-2023-44487-http2-rapid-reset
Primary axis: lang-dotnet
Tags: protocol, http2, dos
Languages: dotnet
## Variants
- reachable: vulnerable function/path is on an executable route.
- unreachable: same base image/config with control toggles that prune the path.
## Entrypoint & Controls (fill in)
- entrypoints: e.g., http:/route, grpc method, tcp port, OCI hook
- flags: e.g., feature_on=true, middleware_order=bad|good, module_loaded=true|false, LSM=enforcing|permissive
## Expected ground-truth path(s)
See `images/*/reachgraph.truth.json`.

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/attestation.dsse.json
View File

@@ -1,5 +0,0 @@
{
"payload": "",
"payloadType": "application/vnd.in-toto+json",
"signatures": []
}

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/callgraph.framework.json
View File

@@ -1,5 +0,0 @@
{
"edges": [],
"nodes": [],
"schema_version": "reachbench.callgraph.framework/v1"
}

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/callgraph.static.json
View File

@@ -1,5 +0,0 @@
{
"edges": [],
"nodes": [],
"schema_version": "reachbench.callgraph.static/v1"
}

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/manifest.json
View File

@@ -1,15 +0,0 @@
{
"case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "5396e1c97612e0963bdaf9d5d3f570f095feaccfd46ed6e96af52a6dc4608608",
"sbom.cdx.json": "8747790b2c9638b08aedca818367852889ee9bb50f1be1212b9c46b27296b8b9",
"sbom.spdx.json": "fd5b8befa1a59f06c315406213426ee516276ad806f4acb1f53472149d97c402",
"symbols.json": "c2bc2c131db1565b272900b2d86733086d601fc05a9072a43b9cd8b89a2e6f95",
"vex.openvex.json": "2bc0466a7b733a0915b6a799e91ec731c0700d5bea8645c0bf983b6da180bc48"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"
}

12
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/reachgraph.truth.json
View File

@@ -1,12 +0,0 @@
{
"case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"paths": [
[
"sym://net:handler#read",
"sym://dotnet:dotnet.c#entry",
"sym://dotnet:dotnet.c#sink"
]
],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "reachable"
}

11
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/sbom.cdx.json
View File

@@ -1,11 +0,0 @@
{
"bomFormat": "CycloneDX",
"components": [],
"metadata": {
"component": {
"name": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"version": "0.0.0"
}
},
"specVersion": "1.5"
}

6
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/sbom.spdx.json
View File

@@ -1,6 +0,0 @@
{
"SPDXID": "SPDXRef-DOCUMENT",
"name": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"packages": [],
"spdxVersion": "SPDX-2.3"
}

8
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/symbols.json
View File

@@ -1,8 +0,0 @@
{
"case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"schema_version": "reachbench.symbols/v1",
"symbols": [
"sym://dotnet:dotnet.c#sink"
],
"variant": "reachable"
}

2
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/traces.runtime.jsonl
View File

@@ -1,2 +0,0 @@
{"ts": 1.001, "event": "call", "sid": "sym://dotnet:dotnet.c#entry", "pid": 100}
{"ts": 1.005, "event": "call", "sid": "sym://dotnet:dotnet.c#sink", "pid": 100}

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/vex.openvex.json
View File

@@ -1,15 +0,0 @@
{
"author": "StellaOps",
"role": "reachbench",
"statements": [
{
"products": [
"pkg:dotnet-kestrel-CVE-2023-44487-http2-rapid-reset"
],
"status": "affected",
"statusJustification": "component_present",
"vulnerability": "cve:CVE-2023-44487"
}
],
"timestamp": "2025-11-18T00:00:00Z"
}

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/attestation.dsse.json
View File

@@ -1,5 +0,0 @@
{
"payload": "",
"payloadType": "application/vnd.in-toto+json",
"signatures": []
}

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/callgraph.framework.json
View File

@@ -1,5 +0,0 @@
{
"edges": [],
"nodes": [],
"schema_version": "reachbench.callgraph.framework/v1"
}

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/callgraph.static.json
View File

@@ -1,5 +0,0 @@
{
"edges": [],
"nodes": [],
"schema_version": "reachbench.callgraph.static/v1"
}

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/manifest.json
View File

@@ -1,15 +0,0 @@
{
"case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "86a0dad5b06b69018a35931b1ef8fb700abe6511f75aa81dcffc23f0411cc086",
"sbom.cdx.json": "8747790b2c9638b08aedca818367852889ee9bb50f1be1212b9c46b27296b8b9",
"sbom.spdx.json": "fd5b8befa1a59f06c315406213426ee516276ad806f4acb1f53472149d97c402",
"symbols.json": "0793a11190a789d63cac1d15ae259dcbe48764dd0f75000176e3abf8f3a3beb6",
"vex.openvex.json": "cd54fe28bf7f171a2a47e6118b05ad26013a32d97e2b9eef143eab75208d9fa4"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"
}

6
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/reachgraph.truth.json
View File

@@ -1,6 +0,0 @@
{
"case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"paths": [],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "unreachable"
}

11
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/sbom.cdx.json
View File

@@ -1,11 +0,0 @@
{
"bomFormat": "CycloneDX",
"components": [],
"metadata": {
"component": {
"name": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"version": "0.0.0"
}
},
"specVersion": "1.5"
}

6
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/sbom.spdx.json
View File

@@ -1,6 +0,0 @@
{
"SPDXID": "SPDXRef-DOCUMENT",
"name": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"packages": [],
"spdxVersion": "SPDX-2.3"
}

6
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/symbols.json
View File

@@ -1,6 +0,0 @@
{
"case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"schema_version": "reachbench.symbols/v1",
"symbols": [],
"variant": "unreachable"
}

1
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/traces.runtime.jsonl
View File

@@ -1 +0,0 @@
{"ts": 1.001, "event": "call", "sid": "sym://dotnet:dotnet.c#entry", "pid": 100}

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/vex.openvex.json
View File

@@ -1,15 +0,0 @@
{
"author": "StellaOps",
"role": "reachbench",
"statements": [
{
"products": [
"pkg:dotnet-kestrel-CVE-2023-44487-http2-rapid-reset"
],
"status": "not_affected",
"statusJustification": "component_not_present",
"vulnerability": "cve:CVE-2023-44487"
}
],
"timestamp": "2025-11-18T00:00:00Z"
}

46
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/case.json
View File

@@ -1,46 +0,0 @@
{
"id": "dotnet-newtonsoft-deser-TBD",
"cve": "N/A",
"description": "STUB: Replace with accurate description and threat model for the specific CVE/case.",
"threat_model": {
"entry_points": [
"STUB: define concrete inputs"
],
"preconditions": [
"STUB: feature flags / modules / protocols enabled"
],
"privilege_boundary": [
"STUB: describe boundary (if any)"
]
},
"ground_truth": {
"reachable_variant": {
"status": "affected",
"evidence": {
"symbols": [
"sym://dotnet:dotnet.c#sink"
],
"paths": [
[
"sym://net:handler#read",
"sym://dotnet:dotnet.c#entry",
"sym://dotnet:dotnet.c#sink"
]
],
"runtime_proof": "traces.runtime.jsonl: lines 1-5"
}
},
"unreachable_variant": {
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"evidence": {
"pruning_reason": [
"STUB: feature disabled, module absent, or policy denies"
],
"blocked_edges": [
"sym://dotnet:dotnet.c#entry -> sym://dotnet:dotnet.c#sink"
]
}
}
}
}

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/docs/README.md
View File

@@ -1,15 +0,0 @@
# dotnet-newtonsoft-deser-TBD
Primary axis: lang-dotnet
Tags: deserialization, json, polymorphic
Languages: dotnet
## Variants
- reachable: vulnerable function/path is on an executable route.
- unreachable: same base image/config with control toggles that prune the path.
## Entrypoint & Controls (fill in)
- entrypoints: e.g., http:/route, grpc method, tcp port, OCI hook
- flags: e.g., feature_on=true, middleware_order=bad|good, module_loaded=true|false, LSM=enforcing|permissive
## Expected ground-truth path(s)
See `images/*/reachgraph.truth.json`.

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/attestation.dsse.json
View File

@@ -1,5 +0,0 @@
{
"payload": "",
"payloadType": "application/vnd.in-toto+json",
"signatures": []
}

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/callgraph.framework.json
View File

@@ -1,5 +0,0 @@
{
"edges": [],
"nodes": [],
"schema_version": "reachbench.callgraph.framework/v1"
}

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/callgraph.static.json
View File

@@ -1,5 +0,0 @@
{
"edges": [],
"nodes": [],
"schema_version": "reachbench.callgraph.static/v1"
}

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/manifest.json
View File

@@ -1,15 +0,0 @@
{
"case_id": "dotnet-newtonsoft-deser-TBD",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "7c1b7d56df4efc97360ba7754feb1051644e624afa2589971fab09507827e677",
"sbom.cdx.json": "c7283a731ca81300f6cda9e944451062a92c7eb0559ebdc6b96f6afeea637187",
"sbom.spdx.json": "da4978369cae300336e4abd570edb8c8de27bcb5ff2c5131975cae7d8ee01f8e",
"symbols.json": "d03361b683ae570864824a8e57c91ca875590373d949d2f706af488c4ccbcc01",
"vex.openvex.json": "41e52bf3c0b40ca614d32f5c9b719b68c53e2a0f08f483d6c429120060c9d930"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"
}

12
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/reachgraph.truth.json
View File

@@ -1,12 +0,0 @@
{
"case_id": "dotnet-newtonsoft-deser-TBD",
"paths": [
[
"sym://net:handler#read",
"sym://dotnet:dotnet.c#entry",
"sym://dotnet:dotnet.c#sink"
]
],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "reachable"
}

11
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/sbom.cdx.json
View File

@@ -1,11 +0,0 @@
{
"bomFormat": "CycloneDX",
"components": [],
"metadata": {
"component": {
"name": "dotnet-newtonsoft-deser-TBD",
"version": "0.0.0"
}
},
"specVersion": "1.5"
}

6
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/sbom.spdx.json
View File

@@ -1,6 +0,0 @@
{
"SPDXID": "SPDXRef-DOCUMENT",
"name": "dotnet-newtonsoft-deser-TBD",
"packages": [],
"spdxVersion": "SPDX-2.3"
}

8
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/symbols.json
View File

@@ -1,8 +0,0 @@
{
"case_id": "dotnet-newtonsoft-deser-TBD",
"schema_version": "reachbench.symbols/v1",
"symbols": [
"sym://dotnet:dotnet.c#sink"
],
"variant": "reachable"
}

2
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/traces.runtime.jsonl
View File

@@ -1,2 +0,0 @@
{"ts": 1.001, "event": "call", "sid": "sym://dotnet:dotnet.c#entry", "pid": 100}
{"ts": 1.005, "event": "call", "sid": "sym://dotnet:dotnet.c#sink", "pid": 100}

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/vex.openvex.json
View File

@@ -1,15 +0,0 @@
{
"author": "StellaOps",
"role": "reachbench",
"statements": [
{
"products": [
"pkg:dotnet-newtonsoft-deser-TBD"
],
"status": "affected",
"statusJustification": "component_present",
"vulnerability": "dotnet-newtonsoft-deser-TBD"
}
],
"timestamp": "2025-11-18T00:00:00Z"
}

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/attestation.dsse.json
View File

@@ -1,5 +0,0 @@
{
"payload": "",
"payloadType": "application/vnd.in-toto+json",
"signatures": []
}

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/callgraph.framework.json
View File

@@ -1,5 +0,0 @@
{
"edges": [],
"nodes": [],
"schema_version": "reachbench.callgraph.framework/v1"
}

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/callgraph.static.json
View File

@@ -1,5 +0,0 @@
{
"edges": [],
"nodes": [],
"schema_version": "reachbench.callgraph.static/v1"
}

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/manifest.json
View File

@@ -1,15 +0,0 @@
{
"case_id": "dotnet-newtonsoft-deser-TBD",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "aa1c4c8133ae26349e1a740293e875d91f3a5ba1b241eb39617a09ea1b6ced8e",
"sbom.cdx.json": "c7283a731ca81300f6cda9e944451062a92c7eb0559ebdc6b96f6afeea637187",
"sbom.spdx.json": "da4978369cae300336e4abd570edb8c8de27bcb5ff2c5131975cae7d8ee01f8e",
"symbols.json": "a804343735751e99bda81ce614d890fe19cb510bcb3d3b17dff05ab01decf2e1",
"vex.openvex.json": "65cdb8a5d02277eacf194c23cdb7a8adada7318f45f5ce4eb0e09fbcd9d8b615"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"
}

6
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/reachgraph.truth.json
View File

@@ -1,6 +0,0 @@
{
"case_id": "dotnet-newtonsoft-deser-TBD",
"paths": [],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "unreachable"
}

11
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/sbom.cdx.json
View File

@@ -1,11 +0,0 @@
{
"bomFormat": "CycloneDX",
"components": [],
"metadata": {
"component": {
"name": "dotnet-newtonsoft-deser-TBD",
"version": "0.0.0"
}
},
"specVersion": "1.5"
}

6
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/sbom.spdx.json
View File

@@ -1,6 +0,0 @@
{
"SPDXID": "SPDXRef-DOCUMENT",
"name": "dotnet-newtonsoft-deser-TBD",
"packages": [],
"spdxVersion": "SPDX-2.3"
}

6
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/symbols.json
View File

@@ -1,6 +0,0 @@
{
"case_id": "dotnet-newtonsoft-deser-TBD",
"schema_version": "reachbench.symbols/v1",
"symbols": [],
"variant": "unreachable"
}

1
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/traces.runtime.jsonl
View File

@@ -1 +0,0 @@
{"ts": 1.001, "event": "call", "sid": "sym://dotnet:dotnet.c#entry", "pid": 100}

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/vex.openvex.json
View File

@@ -1,15 +0,0 @@
{
"author": "StellaOps",
"role": "reachbench",
"statements": [
{
"products": [
"pkg:dotnet-newtonsoft-deser-TBD"
],
"status": "not_affected",
"statusJustification": "component_not_present",
"vulnerability": "dotnet-newtonsoft-deser-TBD"
}
],
"timestamp": "2025-11-18T00:00:00Z"
}

46
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/case.json
View File

@@ -1,46 +0,0 @@
{
"id": "glibc-CVE-2023-4911-looney-tunables",
"cve": "CVE-2023-4911",
"description": "STUB: Replace with accurate description and threat model for the specific CVE/case.",
"threat_model": {
"entry_points": [
"STUB: define concrete inputs"
],
"preconditions": [
"STUB: feature flags / modules / protocols enabled"
],
"privilege_boundary": [
"STUB: describe boundary (if any)"
]
},
"ground_truth": {
"reachable_variant": {
"status": "affected",
"evidence": {
"symbols": [
"sym://glibc:glibc.c#sink"
],
"paths": [
[
"sym://net:handler#read",
"sym://glibc:glibc.c#entry",
"sym://glibc:glibc.c#sink"
]
],
"runtime_proof": "traces.runtime.jsonl: lines 1-5"
}
},
"unreachable_variant": {
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"evidence": {
"pruning_reason": [
"STUB: feature disabled, module absent, or policy denies"
],
"blocked_edges": [
"sym://glibc:glibc.c#entry -> sym://glibc:glibc.c#sink"
]
}
}
}
}

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/docs/README.md
View File

@@ -1,15 +0,0 @@
# glibc-CVE-2023-4911-looney-tunables
Primary axis: binary-hybrid
Tags: env-vars, libc, ldso
Languages: c
## Variants
- reachable: vulnerable function/path is on an executable route.
- unreachable: same base image/config with control toggles that prune the path.
## Entrypoint & Controls (fill in)
- entrypoints: e.g., http:/route, grpc method, tcp port, OCI hook
- flags: e.g., feature_on=true, middleware_order=bad|good, module_loaded=true|false, LSM=enforcing|permissive
## Expected ground-truth path(s)
See `images/*/reachgraph.truth.json`.

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/attestation.dsse.json
View File

@@ -1,5 +0,0 @@
{
"payload": "",
"payloadType": "application/vnd.in-toto+json",
"signatures": []
}

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/callgraph.framework.json
View File

@@ -1,5 +0,0 @@
{
"edges": [],
"nodes": [],
"schema_version": "reachbench.callgraph.framework/v1"
}

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/callgraph.static.json
View File

@@ -1,5 +0,0 @@
{
"edges": [],
"nodes": [],
"schema_version": "reachbench.callgraph.static/v1"
}

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/manifest.json
View File

@@ -1,15 +0,0 @@
{
"case_id": "glibc-CVE-2023-4911-looney-tunables",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "f7200c066db6fefd2ed3168497ae7d8cb585f1d12479086217007df1bb2c1460",
"sbom.cdx.json": "e3bbce1051a27f877fdd76634902c835ac21a7f53241308878a404dbced491fc",
"sbom.spdx.json": "2b30ff6eabf0b4c5e76f2e5de6af21a6b48a746c51298a708a3674976ef5b8f8",
"symbols.json": "27dd785d49ef6b4229a0e5a25107346eea5cc8b7dd01c2fb9ba73b53456bcaee",
"vex.openvex.json": "bd6f67166fb31fa2a5e7211b71e083c8611f9c2b7d7e0607c31ce6df777a1f69"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"
}

12
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/reachgraph.truth.json
View File

@@ -1,12 +0,0 @@
{
"case_id": "glibc-CVE-2023-4911-looney-tunables",
"paths": [
[
"sym://net:handler#read",
"sym://glibc:glibc.c#entry",
"sym://glibc:glibc.c#sink"
]
],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "reachable"
}

11
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/sbom.cdx.json
View File

@@ -1,11 +0,0 @@
{
"bomFormat": "CycloneDX",
"components": [],
"metadata": {
"component": {
"name": "glibc-CVE-2023-4911-looney-tunables",
"version": "0.0.0"
}
},
"specVersion": "1.5"
}

6
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/sbom.spdx.json
View File

@@ -1,6 +0,0 @@
{
"SPDXID": "SPDXRef-DOCUMENT",
"name": "glibc-CVE-2023-4911-looney-tunables",
"packages": [],
"spdxVersion": "SPDX-2.3"
}

8
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/symbols.json
View File

@@ -1,8 +0,0 @@
{
"case_id": "glibc-CVE-2023-4911-looney-tunables",
"schema_version": "reachbench.symbols/v1",
"symbols": [
"sym://glibc:glibc.c#sink"
],
"variant": "reachable"
}

2
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/traces.runtime.jsonl
View File

@@ -1,2 +0,0 @@
{"ts": 1.001, "event": "call", "sid": "sym://glibc:glibc.c#entry", "pid": 100}
{"ts": 1.005, "event": "call", "sid": "sym://glibc:glibc.c#sink", "pid": 100}

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/vex.openvex.json
View File

@@ -1,15 +0,0 @@
{
"author": "StellaOps",
"role": "reachbench",
"statements": [
{
"products": [
"pkg:glibc-CVE-2023-4911-looney-tunables"
],
"status": "affected",
"statusJustification": "component_present",
"vulnerability": "cve:CVE-2023-4911"
}
],
"timestamp": "2025-11-18T00:00:00Z"
}

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/attestation.dsse.json
View File

@@ -1,5 +0,0 @@
{
"payload": "",
"payloadType": "application/vnd.in-toto+json",
"signatures": []
}

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/callgraph.framework.json
View File

@@ -1,5 +0,0 @@
{
"edges": [],
"nodes": [],
"schema_version": "reachbench.callgraph.framework/v1"
}

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/callgraph.static.json
View File

@@ -1,5 +0,0 @@
{
"edges": [],
"nodes": [],
"schema_version": "reachbench.callgraph.static/v1"
}

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/manifest.json
View File

@@ -1,15 +0,0 @@
{
"case_id": "glibc-CVE-2023-4911-looney-tunables",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "836f543e3e7b593582e2ffb529456ffc4309ec79d41e5f8b9eb5696f54d17883",
"sbom.cdx.json": "e3bbce1051a27f877fdd76634902c835ac21a7f53241308878a404dbced491fc",
"sbom.spdx.json": "2b30ff6eabf0b4c5e76f2e5de6af21a6b48a746c51298a708a3674976ef5b8f8",
"symbols.json": "fe742caccb2134c46594f3816b58b06f1cad6f2d62ea8dd55ad31ce4ce672906",
"vex.openvex.json": "3ebcafe7d9e0f211f80783568cd9bc4a92ddaa3609b2b0ef11471031246cadde"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"
}

6
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/reachgraph.truth.json
View File

@@ -1,6 +0,0 @@
{
"case_id": "glibc-CVE-2023-4911-looney-tunables",
"paths": [],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "unreachable"
}

11
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/sbom.cdx.json
View File

@@ -1,11 +0,0 @@
{
"bomFormat": "CycloneDX",
"components": [],
"metadata": {
"component": {
"name": "glibc-CVE-2023-4911-looney-tunables",
"version": "0.0.0"
}
},
"specVersion": "1.5"
}

6
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/sbom.spdx.json
View File

@@ -1,6 +0,0 @@
{
"SPDXID": "SPDXRef-DOCUMENT",
"name": "glibc-CVE-2023-4911-looney-tunables",
"packages": [],
"spdxVersion": "SPDX-2.3"
}

Some files were not shown because too many files have changed in this diff Show More