consolidate the tests locations

tests/reachability/fixtures/reachbench-2025-expanded/INDEX.json

@@ -1,444 +0,0 @@
-{
-  "version": "0.1",
-  "generated_at": "2025-11-07T22:40:04Z",
-  "cases": [
-    {
-      "id": "runc-CVE-2024-21626-symlink-breakout",
-      "primary_axis": "container-escape",
-      "tags": [
-        "symlink",
-        "filesystem",
-        "userns"
-      ],
-      "languages": [
-        "binary"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 9.0,
-      "references": [
-        "cve:CVE-2024-21626"
-      ]
-    },
-    {
-      "id": "linux-cgroups-CVE-2022-0492-release_agent",
-      "primary_axis": "container-escape",
-      "tags": [
-        "cgroups",
-        "kernel",
-        "priv-esc"
-      ],
-      "languages": [
-        "binary"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 9.0,
-      "references": [
-        "cve:CVE-2022-0492"
-      ]
-    },
-    {
-      "id": "glibc-CVE-2023-4911-looney-tunables",
-      "primary_axis": "binary-hybrid",
-      "tags": [
-        "env-vars",
-        "libc",
-        "ldso"
-      ],
-      "languages": [
-        "c"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 7.5,
-      "references": [
-        "cve:CVE-2023-4911"
-      ]
-    },
-    {
-      "id": "curl-CVE-2023-38545-socks5-heap",
-      "primary_axis": "binary-hybrid",
-      "tags": [
-        "networking",
-        "proxy",
-        "heap"
-      ],
-      "languages": [
-        "c"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 7.5,
-      "references": [
-        "cve:CVE-2023-38545"
-      ]
-    },
-    {
-      "id": "openssl-CVE-2022-3602-x509-name-constraints",
-      "primary_axis": "binary-hybrid",
-      "tags": [
-        "x509",
-        "parser",
-        "stack-overflow"
-      ],
-      "languages": [
-        "c"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 7.5,
-      "references": [
-        "cve:CVE-2022-3602"
-      ]
-    },
-    {
-      "id": "openssh-CVE-2024-6387-regreSSHion",
-      "primary_axis": "binary-hybrid",
-      "tags": [
-        "signal-handler",
-        "daemon"
-      ],
-      "languages": [
-        "c"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 7.5,
-      "references": [
-        "cve:CVE-2024-6387"
-      ]
-    },
-    {
-      "id": "redis-CVE-2022-0543-lua-sandbox-escape",
-      "primary_axis": "binary-hybrid",
-      "tags": [
-        "lua",
-        "sandbox",
-        "rce"
-      ],
-      "languages": [
-        "c",
-        "lua"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 7.5,
-      "references": [
-        "cve:CVE-2022-0543"
-      ]
-    },
-    {
-      "id": "java-log4j-CVE-2021-44228-log4shell",
-      "primary_axis": "lang-jvm",
-      "tags": [
-        "jndi",
-        "deserialization",
-        "rce"
-      ],
-      "languages": [
-        "java"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 9.8,
-      "references": [
-        "cve:CVE-2021-44228"
-      ]
-    },
-    {
-      "id": "java-spring-CVE-2022-22965-spring4shell",
-      "primary_axis": "lang-jvm",
-      "tags": [
-        "binding",
-        "reflection",
-        "rce"
-      ],
-      "languages": [
-        "java"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 9.8,
-      "references": [
-        "cve:CVE-2022-22965"
-      ]
-    },
-    {
-      "id": "java-jackson-CVE-2019-12384-polymorphic-deser",
-      "primary_axis": "lang-jvm",
-      "tags": [
-        "deserialization",
-        "polymorphism"
-      ],
-      "languages": [
-        "java"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 7.5,
-      "references": [
-        "cve:CVE-2019-12384"
-      ]
-    },
-    {
-      "id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
-      "primary_axis": "lang-dotnet",
-      "tags": [
-        "protocol",
-        "http2",
-        "dos"
-      ],
-      "languages": [
-        "dotnet"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 7.5,
-      "references": [
-        "cve:CVE-2023-44487"
-      ]
-    },
-    {
-      "id": "dotnet-newtonsoft-deser-TBD",
-      "primary_axis": "lang-dotnet",
-      "tags": [
-        "deserialization",
-        "json",
-        "polymorphic"
-      ],
-      "languages": [
-        "dotnet"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 7.5,
-      "references": []
-    },
-    {
-      "id": "go-ssh-CVE-2020-9283-keyexchange",
-      "primary_axis": "lang-go",
-      "tags": [
-        "crypto",
-        "handshake"
-      ],
-      "languages": [
-        "go"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 7.5,
-      "references": [
-        "cve:CVE-2020-9283"
-      ]
-    },
-    {
-      "id": "go-gateway-reflection-auth-bypass",
-      "primary_axis": "lang-go",
-      "tags": [
-        "grpc",
-        "reflection",
-        "authz-gap"
-      ],
-      "languages": [
-        "go"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 7.5,
-      "references": []
-    },
-    {
-      "id": "node-tar-CVE-2021-37713-path-traversal",
-      "primary_axis": "lang-node",
-      "tags": [
-        "path-traversal",
-        "archive-extract"
-      ],
-      "languages": [
-        "node"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 7.5,
-      "references": [
-        "cve:CVE-2021-37713"
-      ]
-    },
-    {
-      "id": "node-express-middleware-order-auth-bypass",
-      "primary_axis": "lang-node",
-      "tags": [
-        "middleware-order",
-        "authz"
-      ],
-      "languages": [
-        "node"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 7.5,
-      "references": []
-    },
-    {
-      "id": "python-jinja2-CVE-2019-10906-template-injection",
-      "primary_axis": "lang-python",
-      "tags": [
-        "template-injection"
-      ],
-      "languages": [
-        "python"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 7.5,
-      "references": [
-        "cve:CVE-2019-10906"
-      ]
-    },
-    {
-      "id": "python-django-CVE-2019-19844-sqli-like",
-      "primary_axis": "lang-python",
-      "tags": [
-        "sqli",
-        "orm"
-      ],
-      "languages": [
-        "python"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 7.5,
-      "references": [
-        "cve:CVE-2019-19844"
-      ]
-    },
-    {
-      "id": "python-urllib3-dos-regex-TBD",
-      "primary_axis": "lang-python",
-      "tags": [
-        "regex-dos",
-        "parser"
-      ],
-      "languages": [
-        "python"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 7.5,
-      "references": []
-    },
-    {
-      "id": "php-phpmailer-CVE-2016-10033-rce",
-      "primary_axis": "lang-php",
-      "tags": [
-        "rce",
-        "email"
-      ],
-      "languages": [
-        "php"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 7.5,
-      "references": [
-        "cve:CVE-2016-10033"
-      ]
-    },
-    {
-      "id": "wordpress-core-CVE-2022-21661-sqli",
-      "primary_axis": "lang-php",
-      "tags": [
-        "sqli",
-        "core"
-      ],
-      "languages": [
-        "php"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 7.5,
-      "references": [
-        "cve:CVE-2022-21661"
-      ]
-    },
-    {
-      "id": "rails-CVE-2019-5418-file-content-disclosure",
-      "primary_axis": "lang-ruby",
-      "tags": [
-        "path-traversal",
-        "mime"
-      ],
-      "languages": [
-        "ruby"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 7.5,
-      "references": [
-        "cve:CVE-2019-5418"
-      ]
-    },
-    {
-      "id": "rust-axum-header-parsing-TBD",
-      "primary_axis": "lang-rust",
-      "tags": [
-        "parser",
-        "config-sensitive"
-      ],
-      "languages": [
-        "rust"
-      ],
-      "variants": [
-        "reachable",
-        "unreachable"
-      ],
-      "severity_cvss": 7.5,
-      "references": []
-    }
-  ]
-}

tests/reachability/fixtures/reachbench-2025-expanded/README.md

@@ -1,2 +0,0 @@
-# ReachBench-2025 Expanded Kit (Skeleton)
-This is a scaffold containing diverse cases across languages and reach paths. Replace STUBs with real build configs, symbols, and call graphs.

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/case.json

@@ -1,46 +0,0 @@
-{
-  "id": "curl-CVE-2023-38545-socks5-heap",
-  "cve": "CVE-2023-38545",
-  "description": "STUB: Replace with accurate description and threat model for the specific CVE/case.",
-  "threat_model": {
-    "entry_points": [
-      "STUB: define concrete inputs"
-    ],
-    "preconditions": [
-      "STUB: feature flags / modules / protocols enabled"
-    ],
-    "privilege_boundary": [
-      "STUB: describe boundary (if any)"
-    ]
-  },
-  "ground_truth": {
-    "reachable_variant": {
-      "status": "affected",
-      "evidence": {
-        "symbols": [
-          "sym://curl:curl.c#sink"
-        ],
-        "paths": [
-          [
-            "sym://net:handler#read",
-            "sym://curl:curl.c#entry",
-            "sym://curl:curl.c#sink"
-          ]
-        ],
-        "runtime_proof": "traces.runtime.jsonl: lines 1-5"
-      }
-    },
-    "unreachable_variant": {
-      "status": "not_affected",
-      "justification": "vulnerable_code_not_in_execute_path",
-      "evidence": {
-        "pruning_reason": [
-          "STUB: feature disabled, module absent, or policy denies"
-        ],
-        "blocked_edges": [
-          "sym://curl:curl.c#entry -> sym://curl:curl.c#sink"
-        ]
-      }
-    }
-  }
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/docs/README.md

@@ -1,15 +0,0 @@
-# curl-CVE-2023-38545-socks5-heap
-Primary axis: binary-hybrid
-Tags: networking, proxy, heap
-Languages: c
-
-## Variants
-- reachable: vulnerable function/path is on an executable route.
-- unreachable: same base image/config with control toggles that prune the path.
-
-## Entrypoint & Controls (fill in)
-- entrypoints: e.g., http:/route, grpc method, tcp port, OCI hook
-- flags: e.g., feature_on=true, middleware_order=bad|good, module_loaded=true|false, LSM=enforcing|permissive
-
-## Expected ground-truth path(s)
-See `images/*/reachgraph.truth.json`.

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/attestation.dsse.json

@@ -1,5 +0,0 @@
-{
-  "payload": "",
-  "payloadType": "application/vnd.in-toto+json",
-  "signatures": []
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/callgraph.framework.json

@@ -1,5 +0,0 @@
-{
-  "edges": [],
-  "nodes": [],
-  "schema_version": "reachbench.callgraph.framework/v1"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/callgraph.static.json

@@ -1,5 +0,0 @@
-{
-  "edges": [],
-  "nodes": [],
-  "schema_version": "reachbench.callgraph.static/v1"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/manifest.json

@@ -1,15 +0,0 @@
-{
-  "case_id": "curl-CVE-2023-38545-socks5-heap",
-  "files": {
-    "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
-    "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
-    "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
-    "reachgraph.truth.json": "9545261d413f4f85d120ebe8432c32ba97ba3feb2d34075fd689fcb5794f3ab0",
-    "sbom.cdx.json": "ce41fd9b9edadf94a8cc84a3cce4e175b0602fd2e0d8dcb067273b9584479980",
-    "sbom.spdx.json": "10d7417961d3cac0f3a5c4b083917fba3dc4f9bd9140d80aad0a873435158482",
-    "symbols.json": "c5f473aff5b428df5a3f9c3393b7fbceb94214e3c2fd4f547d4f258ca25a3080",
-    "vex.openvex.json": "0518d09c2ae692b96553feb821ff8138fc0ea6c840d75c1f80149add21127ddd"
-  },
-  "schema_version": "reachbench.manifest/v1",
-  "variant": "reachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/reachgraph.truth.json

@@ -1,12 +0,0 @@
-{
-  "case_id": "curl-CVE-2023-38545-socks5-heap",
-  "paths": [
-    [
-      "sym://net:handler#read",
-      "sym://curl:curl.c#entry",
-      "sym://curl:curl.c#sink"
-    ]
-  ],
-  "schema_version": "reachbench.reachgraph.truth/v1",
-  "variant": "reachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/sbom.cdx.json

@@ -1,11 +0,0 @@
-{
-  "bomFormat": "CycloneDX",
-  "components": [],
-  "metadata": {
-    "component": {
-      "name": "curl-CVE-2023-38545-socks5-heap",
-      "version": "0.0.0"
-    }
-  },
-  "specVersion": "1.5"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/sbom.spdx.json

@@ -1,6 +0,0 @@
-{
-  "SPDXID": "SPDXRef-DOCUMENT",
-  "name": "curl-CVE-2023-38545-socks5-heap",
-  "packages": [],
-  "spdxVersion": "SPDX-2.3"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/symbols.json

@@ -1,8 +0,0 @@
-{
-  "case_id": "curl-CVE-2023-38545-socks5-heap",
-  "schema_version": "reachbench.symbols/v1",
-  "symbols": [
-    "sym://curl:curl.c#sink"
-  ],
-  "variant": "reachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/traces.runtime.jsonl

@@ -1,2 +0,0 @@
-{"ts": 1.001, "event": "call", "sid": "sym://curl:curl.c#entry", "pid": 100}
-{"ts": 1.005, "event": "call", "sid": "sym://curl:curl.c#sink", "pid": 100}

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/vex.openvex.json

@@ -1,15 +0,0 @@
-{
-  "author": "StellaOps",
-  "role": "reachbench",
-  "statements": [
-    {
-      "products": [
-        "pkg:curl-CVE-2023-38545-socks5-heap"
-      ],
-      "status": "affected",
-      "statusJustification": "component_present",
-      "vulnerability": "cve:CVE-2023-38545"
-    }
-  ],
-  "timestamp": "2025-11-18T00:00:00Z"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/attestation.dsse.json

@@ -1,5 +0,0 @@
-{
-  "payload": "",
-  "payloadType": "application/vnd.in-toto+json",
-  "signatures": []
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/callgraph.framework.json

@@ -1,5 +0,0 @@
-{
-  "edges": [],
-  "nodes": [],
-  "schema_version": "reachbench.callgraph.framework/v1"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/callgraph.static.json

@@ -1,5 +0,0 @@
-{
-  "edges": [],
-  "nodes": [],
-  "schema_version": "reachbench.callgraph.static/v1"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/manifest.json

@@ -1,15 +0,0 @@
-{
-  "case_id": "curl-CVE-2023-38545-socks5-heap",
-  "files": {
-    "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
-    "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
-    "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
-    "reachgraph.truth.json": "490c4175eb06e0c623e60263d2ce029ffa8b236aea5780c448b8180f38a1bf6f",
-    "sbom.cdx.json": "ce41fd9b9edadf94a8cc84a3cce4e175b0602fd2e0d8dcb067273b9584479980",
-    "sbom.spdx.json": "10d7417961d3cac0f3a5c4b083917fba3dc4f9bd9140d80aad0a873435158482",
-    "symbols.json": "1b6a9e5598d2521e0ca55ed0f3f287ef19dc11cb1fb24fe961370c2fa7036214",
-    "vex.openvex.json": "a9fa7e917601538e17750fb1c25b24e18333c779ec0d5d98d4fbccf84e2f544e"
-  },
-  "schema_version": "reachbench.manifest/v1",
-  "variant": "unreachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/reachgraph.truth.json

@@ -1,6 +0,0 @@
-{
-  "case_id": "curl-CVE-2023-38545-socks5-heap",
-  "paths": [],
-  "schema_version": "reachbench.reachgraph.truth/v1",
-  "variant": "unreachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/sbom.cdx.json

@@ -1,11 +0,0 @@
-{
-  "bomFormat": "CycloneDX",
-  "components": [],
-  "metadata": {
-    "component": {
-      "name": "curl-CVE-2023-38545-socks5-heap",
-      "version": "0.0.0"
-    }
-  },
-  "specVersion": "1.5"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/sbom.spdx.json

@@ -1,6 +0,0 @@
-{
-  "SPDXID": "SPDXRef-DOCUMENT",
-  "name": "curl-CVE-2023-38545-socks5-heap",
-  "packages": [],
-  "spdxVersion": "SPDX-2.3"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/symbols.json

@@ -1,6 +0,0 @@
-{
-  "case_id": "curl-CVE-2023-38545-socks5-heap",
-  "schema_version": "reachbench.symbols/v1",
-  "symbols": [],
-  "variant": "unreachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/traces.runtime.jsonl

@@ -1 +0,0 @@
-{"ts": 1.001, "event": "call", "sid": "sym://curl:curl.c#entry", "pid": 100}

tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/vex.openvex.json

@@ -1,15 +0,0 @@
-{
-  "author": "StellaOps",
-  "role": "reachbench",
-  "statements": [
-    {
-      "products": [
-        "pkg:curl-CVE-2023-38545-socks5-heap"
-      ],
-      "status": "not_affected",
-      "statusJustification": "component_not_present",
-      "vulnerability": "cve:CVE-2023-38545"
-    }
-  ],
-  "timestamp": "2025-11-18T00:00:00Z"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/case.json

@@ -1,46 +0,0 @@
-{
-  "id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
-  "cve": "CVE-2023-44487",
-  "description": "STUB: Replace with accurate description and threat model for the specific CVE/case.",
-  "threat_model": {
-    "entry_points": [
-      "STUB: define concrete inputs"
-    ],
-    "preconditions": [
-      "STUB: feature flags / modules / protocols enabled"
-    ],
-    "privilege_boundary": [
-      "STUB: describe boundary (if any)"
-    ]
-  },
-  "ground_truth": {
-    "reachable_variant": {
-      "status": "affected",
-      "evidence": {
-        "symbols": [
-          "sym://dotnet:dotnet.c#sink"
-        ],
-        "paths": [
-          [
-            "sym://net:handler#read",
-            "sym://dotnet:dotnet.c#entry",
-            "sym://dotnet:dotnet.c#sink"
-          ]
-        ],
-        "runtime_proof": "traces.runtime.jsonl: lines 1-5"
-      }
-    },
-    "unreachable_variant": {
-      "status": "not_affected",
-      "justification": "vulnerable_code_not_in_execute_path",
-      "evidence": {
-        "pruning_reason": [
-          "STUB: feature disabled, module absent, or policy denies"
-        ],
-        "blocked_edges": [
-          "sym://dotnet:dotnet.c#entry -> sym://dotnet:dotnet.c#sink"
-        ]
-      }
-    }
-  }
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/docs/README.md

@@ -1,15 +0,0 @@
-# dotnet-kestrel-CVE-2023-44487-http2-rapid-reset
-Primary axis: lang-dotnet
-Tags: protocol, http2, dos
-Languages: dotnet
-
-## Variants
-- reachable: vulnerable function/path is on an executable route.
-- unreachable: same base image/config with control toggles that prune the path.
-
-## Entrypoint & Controls (fill in)
-- entrypoints: e.g., http:/route, grpc method, tcp port, OCI hook
-- flags: e.g., feature_on=true, middleware_order=bad|good, module_loaded=true|false, LSM=enforcing|permissive
-
-## Expected ground-truth path(s)
-See `images/*/reachgraph.truth.json`.

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/attestation.dsse.json

@@ -1,5 +0,0 @@
-{
-  "payload": "",
-  "payloadType": "application/vnd.in-toto+json",
-  "signatures": []
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/callgraph.framework.json

@@ -1,5 +0,0 @@
-{
-  "edges": [],
-  "nodes": [],
-  "schema_version": "reachbench.callgraph.framework/v1"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/callgraph.static.json

@@ -1,5 +0,0 @@
-{
-  "edges": [],
-  "nodes": [],
-  "schema_version": "reachbench.callgraph.static/v1"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/manifest.json

@@ -1,15 +0,0 @@
-{
-  "case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
-  "files": {
-    "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
-    "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
-    "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
-    "reachgraph.truth.json": "5396e1c97612e0963bdaf9d5d3f570f095feaccfd46ed6e96af52a6dc4608608",
-    "sbom.cdx.json": "8747790b2c9638b08aedca818367852889ee9bb50f1be1212b9c46b27296b8b9",
-    "sbom.spdx.json": "fd5b8befa1a59f06c315406213426ee516276ad806f4acb1f53472149d97c402",
-    "symbols.json": "c2bc2c131db1565b272900b2d86733086d601fc05a9072a43b9cd8b89a2e6f95",
-    "vex.openvex.json": "2bc0466a7b733a0915b6a799e91ec731c0700d5bea8645c0bf983b6da180bc48"
-  },
-  "schema_version": "reachbench.manifest/v1",
-  "variant": "reachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/reachgraph.truth.json

@@ -1,12 +0,0 @@
-{
-  "case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
-  "paths": [
-    [
-      "sym://net:handler#read",
-      "sym://dotnet:dotnet.c#entry",
-      "sym://dotnet:dotnet.c#sink"
-    ]
-  ],
-  "schema_version": "reachbench.reachgraph.truth/v1",
-  "variant": "reachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/sbom.cdx.json

@@ -1,11 +0,0 @@
-{
-  "bomFormat": "CycloneDX",
-  "components": [],
-  "metadata": {
-    "component": {
-      "name": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
-      "version": "0.0.0"
-    }
-  },
-  "specVersion": "1.5"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/sbom.spdx.json

@@ -1,6 +0,0 @@
-{
-  "SPDXID": "SPDXRef-DOCUMENT",
-  "name": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
-  "packages": [],
-  "spdxVersion": "SPDX-2.3"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/symbols.json

@@ -1,8 +0,0 @@
-{
-  "case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
-  "schema_version": "reachbench.symbols/v1",
-  "symbols": [
-    "sym://dotnet:dotnet.c#sink"
-  ],
-  "variant": "reachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/traces.runtime.jsonl

@@ -1,2 +0,0 @@
-{"ts": 1.001, "event": "call", "sid": "sym://dotnet:dotnet.c#entry", "pid": 100}
-{"ts": 1.005, "event": "call", "sid": "sym://dotnet:dotnet.c#sink", "pid": 100}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/vex.openvex.json

@@ -1,15 +0,0 @@
-{
-  "author": "StellaOps",
-  "role": "reachbench",
-  "statements": [
-    {
-      "products": [
-        "pkg:dotnet-kestrel-CVE-2023-44487-http2-rapid-reset"
-      ],
-      "status": "affected",
-      "statusJustification": "component_present",
-      "vulnerability": "cve:CVE-2023-44487"
-    }
-  ],
-  "timestamp": "2025-11-18T00:00:00Z"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/attestation.dsse.json

@@ -1,5 +0,0 @@
-{
-  "payload": "",
-  "payloadType": "application/vnd.in-toto+json",
-  "signatures": []
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/callgraph.framework.json

@@ -1,5 +0,0 @@
-{
-  "edges": [],
-  "nodes": [],
-  "schema_version": "reachbench.callgraph.framework/v1"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/callgraph.static.json

@@ -1,5 +0,0 @@
-{
-  "edges": [],
-  "nodes": [],
-  "schema_version": "reachbench.callgraph.static/v1"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/manifest.json

@@ -1,15 +0,0 @@
-{
-  "case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
-  "files": {
-    "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
-    "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
-    "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
-    "reachgraph.truth.json": "86a0dad5b06b69018a35931b1ef8fb700abe6511f75aa81dcffc23f0411cc086",
-    "sbom.cdx.json": "8747790b2c9638b08aedca818367852889ee9bb50f1be1212b9c46b27296b8b9",
-    "sbom.spdx.json": "fd5b8befa1a59f06c315406213426ee516276ad806f4acb1f53472149d97c402",
-    "symbols.json": "0793a11190a789d63cac1d15ae259dcbe48764dd0f75000176e3abf8f3a3beb6",
-    "vex.openvex.json": "cd54fe28bf7f171a2a47e6118b05ad26013a32d97e2b9eef143eab75208d9fa4"
-  },
-  "schema_version": "reachbench.manifest/v1",
-  "variant": "unreachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/reachgraph.truth.json

@@ -1,6 +0,0 @@
-{
-  "case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
-  "paths": [],
-  "schema_version": "reachbench.reachgraph.truth/v1",
-  "variant": "unreachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/sbom.cdx.json

@@ -1,11 +0,0 @@
-{
-  "bomFormat": "CycloneDX",
-  "components": [],
-  "metadata": {
-    "component": {
-      "name": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
-      "version": "0.0.0"
-    }
-  },
-  "specVersion": "1.5"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/sbom.spdx.json

@@ -1,6 +0,0 @@
-{
-  "SPDXID": "SPDXRef-DOCUMENT",
-  "name": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
-  "packages": [],
-  "spdxVersion": "SPDX-2.3"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/symbols.json

@@ -1,6 +0,0 @@
-{
-  "case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
-  "schema_version": "reachbench.symbols/v1",
-  "symbols": [],
-  "variant": "unreachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/traces.runtime.jsonl

@@ -1 +0,0 @@
-{"ts": 1.001, "event": "call", "sid": "sym://dotnet:dotnet.c#entry", "pid": 100}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/vex.openvex.json

@@ -1,15 +0,0 @@
-{
-  "author": "StellaOps",
-  "role": "reachbench",
-  "statements": [
-    {
-      "products": [
-        "pkg:dotnet-kestrel-CVE-2023-44487-http2-rapid-reset"
-      ],
-      "status": "not_affected",
-      "statusJustification": "component_not_present",
-      "vulnerability": "cve:CVE-2023-44487"
-    }
-  ],
-  "timestamp": "2025-11-18T00:00:00Z"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/case.json

@@ -1,46 +0,0 @@
-{
-  "id": "dotnet-newtonsoft-deser-TBD",
-  "cve": "N/A",
-  "description": "STUB: Replace with accurate description and threat model for the specific CVE/case.",
-  "threat_model": {
-    "entry_points": [
-      "STUB: define concrete inputs"
-    ],
-    "preconditions": [
-      "STUB: feature flags / modules / protocols enabled"
-    ],
-    "privilege_boundary": [
-      "STUB: describe boundary (if any)"
-    ]
-  },
-  "ground_truth": {
-    "reachable_variant": {
-      "status": "affected",
-      "evidence": {
-        "symbols": [
-          "sym://dotnet:dotnet.c#sink"
-        ],
-        "paths": [
-          [
-            "sym://net:handler#read",
-            "sym://dotnet:dotnet.c#entry",
-            "sym://dotnet:dotnet.c#sink"
-          ]
-        ],
-        "runtime_proof": "traces.runtime.jsonl: lines 1-5"
-      }
-    },
-    "unreachable_variant": {
-      "status": "not_affected",
-      "justification": "vulnerable_code_not_in_execute_path",
-      "evidence": {
-        "pruning_reason": [
-          "STUB: feature disabled, module absent, or policy denies"
-        ],
-        "blocked_edges": [
-          "sym://dotnet:dotnet.c#entry -> sym://dotnet:dotnet.c#sink"
-        ]
-      }
-    }
-  }
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/docs/README.md

@@ -1,15 +0,0 @@
-# dotnet-newtonsoft-deser-TBD
-Primary axis: lang-dotnet
-Tags: deserialization, json, polymorphic
-Languages: dotnet
-
-## Variants
-- reachable: vulnerable function/path is on an executable route.
-- unreachable: same base image/config with control toggles that prune the path.
-
-## Entrypoint & Controls (fill in)
-- entrypoints: e.g., http:/route, grpc method, tcp port, OCI hook
-- flags: e.g., feature_on=true, middleware_order=bad|good, module_loaded=true|false, LSM=enforcing|permissive
-
-## Expected ground-truth path(s)
-See `images/*/reachgraph.truth.json`.

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/attestation.dsse.json

@@ -1,5 +0,0 @@
-{
-  "payload": "",
-  "payloadType": "application/vnd.in-toto+json",
-  "signatures": []
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/callgraph.framework.json

@@ -1,5 +0,0 @@
-{
-  "edges": [],
-  "nodes": [],
-  "schema_version": "reachbench.callgraph.framework/v1"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/callgraph.static.json

@@ -1,5 +0,0 @@
-{
-  "edges": [],
-  "nodes": [],
-  "schema_version": "reachbench.callgraph.static/v1"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/manifest.json

@@ -1,15 +0,0 @@
-{
-  "case_id": "dotnet-newtonsoft-deser-TBD",
-  "files": {
-    "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
-    "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
-    "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
-    "reachgraph.truth.json": "7c1b7d56df4efc97360ba7754feb1051644e624afa2589971fab09507827e677",
-    "sbom.cdx.json": "c7283a731ca81300f6cda9e944451062a92c7eb0559ebdc6b96f6afeea637187",
-    "sbom.spdx.json": "da4978369cae300336e4abd570edb8c8de27bcb5ff2c5131975cae7d8ee01f8e",
-    "symbols.json": "d03361b683ae570864824a8e57c91ca875590373d949d2f706af488c4ccbcc01",
-    "vex.openvex.json": "41e52bf3c0b40ca614d32f5c9b719b68c53e2a0f08f483d6c429120060c9d930"
-  },
-  "schema_version": "reachbench.manifest/v1",
-  "variant": "reachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/reachgraph.truth.json

@@ -1,12 +0,0 @@
-{
-  "case_id": "dotnet-newtonsoft-deser-TBD",
-  "paths": [
-    [
-      "sym://net:handler#read",
-      "sym://dotnet:dotnet.c#entry",
-      "sym://dotnet:dotnet.c#sink"
-    ]
-  ],
-  "schema_version": "reachbench.reachgraph.truth/v1",
-  "variant": "reachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/sbom.cdx.json

@@ -1,11 +0,0 @@
-{
-  "bomFormat": "CycloneDX",
-  "components": [],
-  "metadata": {
-    "component": {
-      "name": "dotnet-newtonsoft-deser-TBD",
-      "version": "0.0.0"
-    }
-  },
-  "specVersion": "1.5"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/sbom.spdx.json

@@ -1,6 +0,0 @@
-{
-  "SPDXID": "SPDXRef-DOCUMENT",
-  "name": "dotnet-newtonsoft-deser-TBD",
-  "packages": [],
-  "spdxVersion": "SPDX-2.3"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/symbols.json

@@ -1,8 +0,0 @@
-{
-  "case_id": "dotnet-newtonsoft-deser-TBD",
-  "schema_version": "reachbench.symbols/v1",
-  "symbols": [
-    "sym://dotnet:dotnet.c#sink"
-  ],
-  "variant": "reachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/traces.runtime.jsonl

@@ -1,2 +0,0 @@
-{"ts": 1.001, "event": "call", "sid": "sym://dotnet:dotnet.c#entry", "pid": 100}
-{"ts": 1.005, "event": "call", "sid": "sym://dotnet:dotnet.c#sink", "pid": 100}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/vex.openvex.json

@@ -1,15 +0,0 @@
-{
-  "author": "StellaOps",
-  "role": "reachbench",
-  "statements": [
-    {
-      "products": [
-        "pkg:dotnet-newtonsoft-deser-TBD"
-      ],
-      "status": "affected",
-      "statusJustification": "component_present",
-      "vulnerability": "dotnet-newtonsoft-deser-TBD"
-    }
-  ],
-  "timestamp": "2025-11-18T00:00:00Z"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/attestation.dsse.json

@@ -1,5 +0,0 @@
-{
-  "payload": "",
-  "payloadType": "application/vnd.in-toto+json",
-  "signatures": []
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/callgraph.framework.json

@@ -1,5 +0,0 @@
-{
-  "edges": [],
-  "nodes": [],
-  "schema_version": "reachbench.callgraph.framework/v1"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/callgraph.static.json

@@ -1,5 +0,0 @@
-{
-  "edges": [],
-  "nodes": [],
-  "schema_version": "reachbench.callgraph.static/v1"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/manifest.json

@@ -1,15 +0,0 @@
-{
-  "case_id": "dotnet-newtonsoft-deser-TBD",
-  "files": {
-    "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
-    "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
-    "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
-    "reachgraph.truth.json": "aa1c4c8133ae26349e1a740293e875d91f3a5ba1b241eb39617a09ea1b6ced8e",
-    "sbom.cdx.json": "c7283a731ca81300f6cda9e944451062a92c7eb0559ebdc6b96f6afeea637187",
-    "sbom.spdx.json": "da4978369cae300336e4abd570edb8c8de27bcb5ff2c5131975cae7d8ee01f8e",
-    "symbols.json": "a804343735751e99bda81ce614d890fe19cb510bcb3d3b17dff05ab01decf2e1",
-    "vex.openvex.json": "65cdb8a5d02277eacf194c23cdb7a8adada7318f45f5ce4eb0e09fbcd9d8b615"
-  },
-  "schema_version": "reachbench.manifest/v1",
-  "variant": "unreachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/reachgraph.truth.json

@@ -1,6 +0,0 @@
-{
-  "case_id": "dotnet-newtonsoft-deser-TBD",
-  "paths": [],
-  "schema_version": "reachbench.reachgraph.truth/v1",
-  "variant": "unreachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/sbom.cdx.json

@@ -1,11 +0,0 @@
-{
-  "bomFormat": "CycloneDX",
-  "components": [],
-  "metadata": {
-    "component": {
-      "name": "dotnet-newtonsoft-deser-TBD",
-      "version": "0.0.0"
-    }
-  },
-  "specVersion": "1.5"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/sbom.spdx.json

@@ -1,6 +0,0 @@
-{
-  "SPDXID": "SPDXRef-DOCUMENT",
-  "name": "dotnet-newtonsoft-deser-TBD",
-  "packages": [],
-  "spdxVersion": "SPDX-2.3"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/symbols.json

@@ -1,6 +0,0 @@
-{
-  "case_id": "dotnet-newtonsoft-deser-TBD",
-  "schema_version": "reachbench.symbols/v1",
-  "symbols": [],
-  "variant": "unreachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/traces.runtime.jsonl

@@ -1 +0,0 @@
-{"ts": 1.001, "event": "call", "sid": "sym://dotnet:dotnet.c#entry", "pid": 100}

tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/vex.openvex.json

@@ -1,15 +0,0 @@
-{
-  "author": "StellaOps",
-  "role": "reachbench",
-  "statements": [
-    {
-      "products": [
-        "pkg:dotnet-newtonsoft-deser-TBD"
-      ],
-      "status": "not_affected",
-      "statusJustification": "component_not_present",
-      "vulnerability": "dotnet-newtonsoft-deser-TBD"
-    }
-  ],
-  "timestamp": "2025-11-18T00:00:00Z"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/case.json

@@ -1,46 +0,0 @@
-{
-  "id": "glibc-CVE-2023-4911-looney-tunables",
-  "cve": "CVE-2023-4911",
-  "description": "STUB: Replace with accurate description and threat model for the specific CVE/case.",
-  "threat_model": {
-    "entry_points": [
-      "STUB: define concrete inputs"
-    ],
-    "preconditions": [
-      "STUB: feature flags / modules / protocols enabled"
-    ],
-    "privilege_boundary": [
-      "STUB: describe boundary (if any)"
-    ]
-  },
-  "ground_truth": {
-    "reachable_variant": {
-      "status": "affected",
-      "evidence": {
-        "symbols": [
-          "sym://glibc:glibc.c#sink"
-        ],
-        "paths": [
-          [
-            "sym://net:handler#read",
-            "sym://glibc:glibc.c#entry",
-            "sym://glibc:glibc.c#sink"
-          ]
-        ],
-        "runtime_proof": "traces.runtime.jsonl: lines 1-5"
-      }
-    },
-    "unreachable_variant": {
-      "status": "not_affected",
-      "justification": "vulnerable_code_not_in_execute_path",
-      "evidence": {
-        "pruning_reason": [
-          "STUB: feature disabled, module absent, or policy denies"
-        ],
-        "blocked_edges": [
-          "sym://glibc:glibc.c#entry -> sym://glibc:glibc.c#sink"
-        ]
-      }
-    }
-  }
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/docs/README.md

@@ -1,15 +0,0 @@
-# glibc-CVE-2023-4911-looney-tunables
-Primary axis: binary-hybrid
-Tags: env-vars, libc, ldso
-Languages: c
-
-## Variants
-- reachable: vulnerable function/path is on an executable route.
-- unreachable: same base image/config with control toggles that prune the path.
-
-## Entrypoint & Controls (fill in)
-- entrypoints: e.g., http:/route, grpc method, tcp port, OCI hook
-- flags: e.g., feature_on=true, middleware_order=bad|good, module_loaded=true|false, LSM=enforcing|permissive
-
-## Expected ground-truth path(s)
-See `images/*/reachgraph.truth.json`.

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/attestation.dsse.json

@@ -1,5 +0,0 @@
-{
-  "payload": "",
-  "payloadType": "application/vnd.in-toto+json",
-  "signatures": []
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/callgraph.framework.json

@@ -1,5 +0,0 @@
-{
-  "edges": [],
-  "nodes": [],
-  "schema_version": "reachbench.callgraph.framework/v1"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/callgraph.static.json

@@ -1,5 +0,0 @@
-{
-  "edges": [],
-  "nodes": [],
-  "schema_version": "reachbench.callgraph.static/v1"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/manifest.json

@@ -1,15 +0,0 @@
-{
-  "case_id": "glibc-CVE-2023-4911-looney-tunables",
-  "files": {
-    "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
-    "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
-    "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
-    "reachgraph.truth.json": "f7200c066db6fefd2ed3168497ae7d8cb585f1d12479086217007df1bb2c1460",
-    "sbom.cdx.json": "e3bbce1051a27f877fdd76634902c835ac21a7f53241308878a404dbced491fc",
-    "sbom.spdx.json": "2b30ff6eabf0b4c5e76f2e5de6af21a6b48a746c51298a708a3674976ef5b8f8",
-    "symbols.json": "27dd785d49ef6b4229a0e5a25107346eea5cc8b7dd01c2fb9ba73b53456bcaee",
-    "vex.openvex.json": "bd6f67166fb31fa2a5e7211b71e083c8611f9c2b7d7e0607c31ce6df777a1f69"
-  },
-  "schema_version": "reachbench.manifest/v1",
-  "variant": "reachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/reachgraph.truth.json

@@ -1,12 +0,0 @@
-{
-  "case_id": "glibc-CVE-2023-4911-looney-tunables",
-  "paths": [
-    [
-      "sym://net:handler#read",
-      "sym://glibc:glibc.c#entry",
-      "sym://glibc:glibc.c#sink"
-    ]
-  ],
-  "schema_version": "reachbench.reachgraph.truth/v1",
-  "variant": "reachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/sbom.cdx.json

@@ -1,11 +0,0 @@
-{
-  "bomFormat": "CycloneDX",
-  "components": [],
-  "metadata": {
-    "component": {
-      "name": "glibc-CVE-2023-4911-looney-tunables",
-      "version": "0.0.0"
-    }
-  },
-  "specVersion": "1.5"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/sbom.spdx.json

@@ -1,6 +0,0 @@
-{
-  "SPDXID": "SPDXRef-DOCUMENT",
-  "name": "glibc-CVE-2023-4911-looney-tunables",
-  "packages": [],
-  "spdxVersion": "SPDX-2.3"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/symbols.json

@@ -1,8 +0,0 @@
-{
-  "case_id": "glibc-CVE-2023-4911-looney-tunables",
-  "schema_version": "reachbench.symbols/v1",
-  "symbols": [
-    "sym://glibc:glibc.c#sink"
-  ],
-  "variant": "reachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/traces.runtime.jsonl

@@ -1,2 +0,0 @@
-{"ts": 1.001, "event": "call", "sid": "sym://glibc:glibc.c#entry", "pid": 100}
-{"ts": 1.005, "event": "call", "sid": "sym://glibc:glibc.c#sink", "pid": 100}

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/vex.openvex.json

@@ -1,15 +0,0 @@
-{
-  "author": "StellaOps",
-  "role": "reachbench",
-  "statements": [
-    {
-      "products": [
-        "pkg:glibc-CVE-2023-4911-looney-tunables"
-      ],
-      "status": "affected",
-      "statusJustification": "component_present",
-      "vulnerability": "cve:CVE-2023-4911"
-    }
-  ],
-  "timestamp": "2025-11-18T00:00:00Z"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/attestation.dsse.json

@@ -1,5 +0,0 @@
-{
-  "payload": "",
-  "payloadType": "application/vnd.in-toto+json",
-  "signatures": []
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/callgraph.framework.json

@@ -1,5 +0,0 @@
-{
-  "edges": [],
-  "nodes": [],
-  "schema_version": "reachbench.callgraph.framework/v1"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/callgraph.static.json

@@ -1,5 +0,0 @@
-{
-  "edges": [],
-  "nodes": [],
-  "schema_version": "reachbench.callgraph.static/v1"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/manifest.json

@@ -1,15 +0,0 @@
-{
-  "case_id": "glibc-CVE-2023-4911-looney-tunables",
-  "files": {
-    "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
-    "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
-    "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
-    "reachgraph.truth.json": "836f543e3e7b593582e2ffb529456ffc4309ec79d41e5f8b9eb5696f54d17883",
-    "sbom.cdx.json": "e3bbce1051a27f877fdd76634902c835ac21a7f53241308878a404dbced491fc",
-    "sbom.spdx.json": "2b30ff6eabf0b4c5e76f2e5de6af21a6b48a746c51298a708a3674976ef5b8f8",
-    "symbols.json": "fe742caccb2134c46594f3816b58b06f1cad6f2d62ea8dd55ad31ce4ce672906",
-    "vex.openvex.json": "3ebcafe7d9e0f211f80783568cd9bc4a92ddaa3609b2b0ef11471031246cadde"
-  },
-  "schema_version": "reachbench.manifest/v1",
-  "variant": "unreachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/reachgraph.truth.json

@@ -1,6 +0,0 @@
-{
-  "case_id": "glibc-CVE-2023-4911-looney-tunables",
-  "paths": [],
-  "schema_version": "reachbench.reachgraph.truth/v1",
-  "variant": "unreachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/sbom.cdx.json

@@ -1,11 +0,0 @@
-{
-  "bomFormat": "CycloneDX",
-  "components": [],
-  "metadata": {
-    "component": {
-      "name": "glibc-CVE-2023-4911-looney-tunables",
-      "version": "0.0.0"
-    }
-  },
-  "specVersion": "1.5"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/sbom.spdx.json

@@ -1,6 +0,0 @@
-{
-  "SPDXID": "SPDXRef-DOCUMENT",
-  "name": "glibc-CVE-2023-4911-looney-tunables",
-  "packages": [],
-  "spdxVersion": "SPDX-2.3"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/symbols.json

@@ -1,6 +0,0 @@
-{
-  "case_id": "glibc-CVE-2023-4911-looney-tunables",
-  "schema_version": "reachbench.symbols/v1",
-  "symbols": [],
-  "variant": "unreachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/traces.runtime.jsonl

@@ -1 +0,0 @@
-{"ts": 1.001, "event": "call", "sid": "sym://glibc:glibc.c#entry", "pid": 100}

tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/vex.openvex.json

@@ -1,15 +0,0 @@
-{
-  "author": "StellaOps",
-  "role": "reachbench",
-  "statements": [
-    {
-      "products": [
-        "pkg:glibc-CVE-2023-4911-looney-tunables"
-      ],
-      "status": "not_affected",
-      "statusJustification": "component_not_present",
-      "vulnerability": "cve:CVE-2023-4911"
-    }
-  ],
-  "timestamp": "2025-11-18T00:00:00Z"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/case.json

@@ -1,46 +0,0 @@
-{
-  "id": "go-gateway-reflection-auth-bypass",
-  "cve": "N/A",
-  "description": "STUB: Replace with accurate description and threat model for the specific CVE/case.",
-  "threat_model": {
-    "entry_points": [
-      "STUB: define concrete inputs"
-    ],
-    "preconditions": [
-      "STUB: feature flags / modules / protocols enabled"
-    ],
-    "privilege_boundary": [
-      "STUB: describe boundary (if any)"
-    ]
-  },
-  "ground_truth": {
-    "reachable_variant": {
-      "status": "affected",
-      "evidence": {
-        "symbols": [
-          "sym://go:go.c#sink"
-        ],
-        "paths": [
-          [
-            "sym://net:handler#read",
-            "sym://go:go.c#entry",
-            "sym://go:go.c#sink"
-          ]
-        ],
-        "runtime_proof": "traces.runtime.jsonl: lines 1-5"
-      }
-    },
-    "unreachable_variant": {
-      "status": "not_affected",
-      "justification": "vulnerable_code_not_in_execute_path",
-      "evidence": {
-        "pruning_reason": [
-          "STUB: feature disabled, module absent, or policy denies"
-        ],
-        "blocked_edges": [
-          "sym://go:go.c#entry -> sym://go:go.c#sink"
-        ]
-      }
-    }
-  }
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/docs/README.md

@@ -1,15 +0,0 @@
-# go-gateway-reflection-auth-bypass
-Primary axis: lang-go
-Tags: grpc, reflection, authz-gap
-Languages: go
-
-## Variants
-- reachable: vulnerable function/path is on an executable route.
-- unreachable: same base image/config with control toggles that prune the path.
-
-## Entrypoint & Controls (fill in)
-- entrypoints: e.g., http:/route, grpc method, tcp port, OCI hook
-- flags: e.g., feature_on=true, middleware_order=bad|good, module_loaded=true|false, LSM=enforcing|permissive
-
-## Expected ground-truth path(s)
-See `images/*/reachgraph.truth.json`.

tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/attestation.dsse.json

@@ -1,5 +0,0 @@
-{
-  "payload": "",
-  "payloadType": "application/vnd.in-toto+json",
-  "signatures": []
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/callgraph.framework.json

@@ -1,5 +0,0 @@
-{
-  "edges": [],
-  "nodes": [],
-  "schema_version": "reachbench.callgraph.framework/v1"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/callgraph.static.json

@@ -1,5 +0,0 @@
-{
-  "edges": [],
-  "nodes": [],
-  "schema_version": "reachbench.callgraph.static/v1"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/manifest.json

@@ -1,15 +0,0 @@
-{
-  "case_id": "go-gateway-reflection-auth-bypass",
-  "files": {
-    "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
-    "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
-    "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
-    "reachgraph.truth.json": "f7c362965a307a6cf40f7921d2ad508cd503fa924ed3a391dba3afe54ab0dcdd",
-    "sbom.cdx.json": "16a041571c0641abe57929624e49f07353edb8980ecdd16340ef83f24f127cba",
-    "sbom.spdx.json": "8abd620f40a28d379b861d6ef640017ea119a8870890009dbd8126ed621a5c73",
-    "symbols.json": "dbf69a19ce1676cc809597ed9fce78c9fe8ebcf25186949a107971116a79a39b",
-    "vex.openvex.json": "b550e30451d7ef7ff612606711ecede1089d914bd8a26f5fbcf01ff1d4e36149"
-  },
-  "schema_version": "reachbench.manifest/v1",
-  "variant": "reachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/reachgraph.truth.json

@@ -1,12 +0,0 @@
-{
-  "case_id": "go-gateway-reflection-auth-bypass",
-  "paths": [
-    [
-      "sym://net:handler#read",
-      "sym://go:go.c#entry",
-      "sym://go:go.c#sink"
-    ]
-  ],
-  "schema_version": "reachbench.reachgraph.truth/v1",
-  "variant": "reachable"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/sbom.cdx.json

@@ -1,11 +0,0 @@
-{
-  "bomFormat": "CycloneDX",
-  "components": [],
-  "metadata": {
-    "component": {
-      "name": "go-gateway-reflection-auth-bypass",
-      "version": "0.0.0"
-    }
-  },
-  "specVersion": "1.5"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/sbom.spdx.json

@@ -1,6 +0,0 @@
-{
-  "SPDXID": "SPDXRef-DOCUMENT",
-  "name": "go-gateway-reflection-auth-bypass",
-  "packages": [],
-  "spdxVersion": "SPDX-2.3"
-}

tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/symbols.json

@@ -1,8 +0,0 @@
-{
-  "case_id": "go-gateway-reflection-auth-bypass",
-  "schema_version": "reachbench.symbols/v1",
-  "symbols": [
-    "sym://go:go.c#sink"
-  ],
-  "variant": "reachable"
-}