consolidate the tests locations
This commit is contained in:
StellaOps Bot
@@ -1,46 +0,0 @@
|
||||
{
|
||||
"id": "curl-CVE-2023-38545-socks5-heap",
|
||||
"cve": "CVE-2023-38545",
|
||||
"description": "STUB: Replace with accurate description and threat model for the specific CVE/case.",
|
||||
"threat_model": {
|
||||
"entry_points": [
|
||||
"STUB: define concrete inputs"
|
||||
],
|
||||
"preconditions": [
|
||||
"STUB: feature flags / modules / protocols enabled"
|
||||
],
|
||||
"privilege_boundary": [
|
||||
"STUB: describe boundary (if any)"
|
||||
]
|
||||
},
|
||||
"ground_truth": {
|
||||
"reachable_variant": {
|
||||
"status": "affected",
|
||||
"evidence": {
|
||||
"symbols": [
|
||||
"sym://curl:curl.c#sink"
|
||||
],
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://curl:curl.c#entry",
|
||||
"sym://curl:curl.c#sink"
|
||||
]
|
||||
],
|
||||
"runtime_proof": "traces.runtime.jsonl: lines 1-5"
|
||||
}
|
||||
},
|
||||
"unreachable_variant": {
|
||||
"status": "not_affected",
|
||||
"justification": "vulnerable_code_not_in_execute_path",
|
||||
"evidence": {
|
||||
"pruning_reason": [
|
||||
"STUB: feature disabled, module absent, or policy denies"
|
||||
],
|
||||
"blocked_edges": [
|
||||
"sym://curl:curl.c#entry -> sym://curl:curl.c#sink"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
# curl-CVE-2023-38545-socks5-heap
|
||||
Primary axis: binary-hybrid
|
||||
Tags: networking, proxy, heap
|
||||
Languages: c
|
||||
|
||||
## Variants
|
||||
- reachable: vulnerable function/path is on an executable route.
|
||||
- unreachable: same base image/config with control toggles that prune the path.
|
||||
|
||||
## Entrypoint & Controls (fill in)
|
||||
- entrypoints: e.g., http:/route, grpc method, tcp port, OCI hook
|
||||
- flags: e.g., feature_on=true, middleware_order=bad|good, module_loaded=true|false, LSM=enforcing|permissive
|
||||
|
||||
## Expected ground-truth path(s)
|
||||
See `images/*/reachgraph.truth.json`.
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"payload": "",
|
||||
"payloadType": "application/vnd.in-toto+json",
|
||||
"signatures": []
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"edges": [],
|
||||
"nodes": [],
|
||||
"schema_version": "reachbench.callgraph.framework/v1"
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"edges": [],
|
||||
"nodes": [],
|
||||
"schema_version": "reachbench.callgraph.static/v1"
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
{
|
||||
"case_id": "curl-CVE-2023-38545-socks5-heap",
|
||||
"files": {
|
||||
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
|
||||
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
|
||||
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
|
||||
"reachgraph.truth.json": "9545261d413f4f85d120ebe8432c32ba97ba3feb2d34075fd689fcb5794f3ab0",
|
||||
"sbom.cdx.json": "ce41fd9b9edadf94a8cc84a3cce4e175b0602fd2e0d8dcb067273b9584479980",
|
||||
"sbom.spdx.json": "10d7417961d3cac0f3a5c4b083917fba3dc4f9bd9140d80aad0a873435158482",
|
||||
"symbols.json": "c5f473aff5b428df5a3f9c3393b7fbceb94214e3c2fd4f547d4f258ca25a3080",
|
||||
"vex.openvex.json": "0518d09c2ae692b96553feb821ff8138fc0ea6c840d75c1f80149add21127ddd"
|
||||
},
|
||||
"schema_version": "reachbench.manifest/v1",
|
||||
"variant": "reachable"
|
||||
}
|
||||
@@ -1,12 +0,0 @@
|
||||
{
|
||||
"case_id": "curl-CVE-2023-38545-socks5-heap",
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://curl:curl.c#entry",
|
||||
"sym://curl:curl.c#sink"
|
||||
]
|
||||
],
|
||||
"schema_version": "reachbench.reachgraph.truth/v1",
|
||||
"variant": "reachable"
|
||||
}
|
||||
@@ -1,11 +0,0 @@
|
||||
{
|
||||
"bomFormat": "CycloneDX",
|
||||
"components": [],
|
||||
"metadata": {
|
||||
"component": {
|
||||
"name": "curl-CVE-2023-38545-socks5-heap",
|
||||
"version": "0.0.0"
|
||||
}
|
||||
},
|
||||
"specVersion": "1.5"
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
{
|
||||
"SPDXID": "SPDXRef-DOCUMENT",
|
||||
"name": "curl-CVE-2023-38545-socks5-heap",
|
||||
"packages": [],
|
||||
"spdxVersion": "SPDX-2.3"
|
||||
}
|
||||
@@ -1,8 +0,0 @@
|
||||
{
|
||||
"case_id": "curl-CVE-2023-38545-socks5-heap",
|
||||
"schema_version": "reachbench.symbols/v1",
|
||||
"symbols": [
|
||||
"sym://curl:curl.c#sink"
|
||||
],
|
||||
"variant": "reachable"
|
||||
}
|
||||
@@ -1,2 +0,0 @@
|
||||
{"ts": 1.001, "event": "call", "sid": "sym://curl:curl.c#entry", "pid": 100}
|
||||
{"ts": 1.005, "event": "call", "sid": "sym://curl:curl.c#sink", "pid": 100}
|
||||
@@ -1,15 +0,0 @@
|
||||
{
|
||||
"author": "StellaOps",
|
||||
"role": "reachbench",
|
||||
"statements": [
|
||||
{
|
||||
"products": [
|
||||
"pkg:curl-CVE-2023-38545-socks5-heap"
|
||||
],
|
||||
"status": "affected",
|
||||
"statusJustification": "component_present",
|
||||
"vulnerability": "cve:CVE-2023-38545"
|
||||
}
|
||||
],
|
||||
"timestamp": "2025-11-18T00:00:00Z"
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"payload": "",
|
||||
"payloadType": "application/vnd.in-toto+json",
|
||||
"signatures": []
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"edges": [],
|
||||
"nodes": [],
|
||||
"schema_version": "reachbench.callgraph.framework/v1"
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"edges": [],
|
||||
"nodes": [],
|
||||
"schema_version": "reachbench.callgraph.static/v1"
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
{
|
||||
"case_id": "curl-CVE-2023-38545-socks5-heap",
|
||||
"files": {
|
||||
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
|
||||
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
|
||||
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
|
||||
"reachgraph.truth.json": "490c4175eb06e0c623e60263d2ce029ffa8b236aea5780c448b8180f38a1bf6f",
|
||||
"sbom.cdx.json": "ce41fd9b9edadf94a8cc84a3cce4e175b0602fd2e0d8dcb067273b9584479980",
|
||||
"sbom.spdx.json": "10d7417961d3cac0f3a5c4b083917fba3dc4f9bd9140d80aad0a873435158482",
|
||||
"symbols.json": "1b6a9e5598d2521e0ca55ed0f3f287ef19dc11cb1fb24fe961370c2fa7036214",
|
||||
"vex.openvex.json": "a9fa7e917601538e17750fb1c25b24e18333c779ec0d5d98d4fbccf84e2f544e"
|
||||
},
|
||||
"schema_version": "reachbench.manifest/v1",
|
||||
"variant": "unreachable"
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
{
|
||||
"case_id": "curl-CVE-2023-38545-socks5-heap",
|
||||
"paths": [],
|
||||
"schema_version": "reachbench.reachgraph.truth/v1",
|
||||
"variant": "unreachable"
|
||||
}
|
||||
@@ -1,11 +0,0 @@
|
||||
{
|
||||
"bomFormat": "CycloneDX",
|
||||
"components": [],
|
||||
"metadata": {
|
||||
"component": {
|
||||
"name": "curl-CVE-2023-38545-socks5-heap",
|
||||
"version": "0.0.0"
|
||||
}
|
||||
},
|
||||
"specVersion": "1.5"
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
{
|
||||
"SPDXID": "SPDXRef-DOCUMENT",
|
||||
"name": "curl-CVE-2023-38545-socks5-heap",
|
||||
"packages": [],
|
||||
"spdxVersion": "SPDX-2.3"
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
{
|
||||
"case_id": "curl-CVE-2023-38545-socks5-heap",
|
||||
"schema_version": "reachbench.symbols/v1",
|
||||
"symbols": [],
|
||||
"variant": "unreachable"
|
||||
}
|
||||
@@ -1 +0,0 @@
|
||||
{"ts": 1.001, "event": "call", "sid": "sym://curl:curl.c#entry", "pid": 100}
|
||||
@@ -1,15 +0,0 @@
|
||||
{
|
||||
"author": "StellaOps",
|
||||
"role": "reachbench",
|
||||
"statements": [
|
||||
{
|
||||
"products": [
|
||||
"pkg:curl-CVE-2023-38545-socks5-heap"
|
||||
],
|
||||
"status": "not_affected",
|
||||
"statusJustification": "component_not_present",
|
||||
"vulnerability": "cve:CVE-2023-38545"
|
||||
}
|
||||
],
|
||||
"timestamp": "2025-11-18T00:00:00Z"
|
||||
}
|
||||
@@ -1,46 +0,0 @@
|
||||
{
|
||||
"id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
|
||||
"cve": "CVE-2023-44487",
|
||||
"description": "STUB: Replace with accurate description and threat model for the specific CVE/case.",
|
||||
"threat_model": {
|
||||
"entry_points": [
|
||||
"STUB: define concrete inputs"
|
||||
],
|
||||
"preconditions": [
|
||||
"STUB: feature flags / modules / protocols enabled"
|
||||
],
|
||||
"privilege_boundary": [
|
||||
"STUB: describe boundary (if any)"
|
||||
]
|
||||
},
|
||||
"ground_truth": {
|
||||
"reachable_variant": {
|
||||
"status": "affected",
|
||||
"evidence": {
|
||||
"symbols": [
|
||||
"sym://dotnet:dotnet.c#sink"
|
||||
],
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://dotnet:dotnet.c#entry",
|
||||
"sym://dotnet:dotnet.c#sink"
|
||||
]
|
||||
],
|
||||
"runtime_proof": "traces.runtime.jsonl: lines 1-5"
|
||||
}
|
||||
},
|
||||
"unreachable_variant": {
|
||||
"status": "not_affected",
|
||||
"justification": "vulnerable_code_not_in_execute_path",
|
||||
"evidence": {
|
||||
"pruning_reason": [
|
||||
"STUB: feature disabled, module absent, or policy denies"
|
||||
],
|
||||
"blocked_edges": [
|
||||
"sym://dotnet:dotnet.c#entry -> sym://dotnet:dotnet.c#sink"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
# dotnet-kestrel-CVE-2023-44487-http2-rapid-reset
|
||||
Primary axis: lang-dotnet
|
||||
Tags: protocol, http2, dos
|
||||
Languages: dotnet
|
||||
|
||||
## Variants
|
||||
- reachable: vulnerable function/path is on an executable route.
|
||||
- unreachable: same base image/config with control toggles that prune the path.
|
||||
|
||||
## Entrypoint & Controls (fill in)
|
||||
- entrypoints: e.g., http:/route, grpc method, tcp port, OCI hook
|
||||
- flags: e.g., feature_on=true, middleware_order=bad|good, module_loaded=true|false, LSM=enforcing|permissive
|
||||
|
||||
## Expected ground-truth path(s)
|
||||
See `images/*/reachgraph.truth.json`.
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"payload": "",
|
||||
"payloadType": "application/vnd.in-toto+json",
|
||||
"signatures": []
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"edges": [],
|
||||
"nodes": [],
|
||||
"schema_version": "reachbench.callgraph.framework/v1"
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"edges": [],
|
||||
"nodes": [],
|
||||
"schema_version": "reachbench.callgraph.static/v1"
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
{
|
||||
"case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
|
||||
"files": {
|
||||
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
|
||||
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
|
||||
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
|
||||
"reachgraph.truth.json": "5396e1c97612e0963bdaf9d5d3f570f095feaccfd46ed6e96af52a6dc4608608",
|
||||
"sbom.cdx.json": "8747790b2c9638b08aedca818367852889ee9bb50f1be1212b9c46b27296b8b9",
|
||||
"sbom.spdx.json": "fd5b8befa1a59f06c315406213426ee516276ad806f4acb1f53472149d97c402",
|
||||
"symbols.json": "c2bc2c131db1565b272900b2d86733086d601fc05a9072a43b9cd8b89a2e6f95",
|
||||
"vex.openvex.json": "2bc0466a7b733a0915b6a799e91ec731c0700d5bea8645c0bf983b6da180bc48"
|
||||
},
|
||||
"schema_version": "reachbench.manifest/v1",
|
||||
"variant": "reachable"
|
||||
}
|
||||
@@ -1,12 +0,0 @@
|
||||
{
|
||||
"case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://dotnet:dotnet.c#entry",
|
||||
"sym://dotnet:dotnet.c#sink"
|
||||
]
|
||||
],
|
||||
"schema_version": "reachbench.reachgraph.truth/v1",
|
||||
"variant": "reachable"
|
||||
}
|
||||
@@ -1,11 +0,0 @@
|
||||
{
|
||||
"bomFormat": "CycloneDX",
|
||||
"components": [],
|
||||
"metadata": {
|
||||
"component": {
|
||||
"name": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
|
||||
"version": "0.0.0"
|
||||
}
|
||||
},
|
||||
"specVersion": "1.5"
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
{
|
||||
"SPDXID": "SPDXRef-DOCUMENT",
|
||||
"name": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
|
||||
"packages": [],
|
||||
"spdxVersion": "SPDX-2.3"
|
||||
}
|
||||
@@ -1,8 +0,0 @@
|
||||
{
|
||||
"case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
|
||||
"schema_version": "reachbench.symbols/v1",
|
||||
"symbols": [
|
||||
"sym://dotnet:dotnet.c#sink"
|
||||
],
|
||||
"variant": "reachable"
|
||||
}
|
||||
@@ -1,2 +0,0 @@
|
||||
{"ts": 1.001, "event": "call", "sid": "sym://dotnet:dotnet.c#entry", "pid": 100}
|
||||
{"ts": 1.005, "event": "call", "sid": "sym://dotnet:dotnet.c#sink", "pid": 100}
|
||||
@@ -1,15 +0,0 @@
|
||||
{
|
||||
"author": "StellaOps",
|
||||
"role": "reachbench",
|
||||
"statements": [
|
||||
{
|
||||
"products": [
|
||||
"pkg:dotnet-kestrel-CVE-2023-44487-http2-rapid-reset"
|
||||
],
|
||||
"status": "affected",
|
||||
"statusJustification": "component_present",
|
||||
"vulnerability": "cve:CVE-2023-44487"
|
||||
}
|
||||
],
|
||||
"timestamp": "2025-11-18T00:00:00Z"
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"payload": "",
|
||||
"payloadType": "application/vnd.in-toto+json",
|
||||
"signatures": []
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"edges": [],
|
||||
"nodes": [],
|
||||
"schema_version": "reachbench.callgraph.framework/v1"
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"edges": [],
|
||||
"nodes": [],
|
||||
"schema_version": "reachbench.callgraph.static/v1"
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
{
|
||||
"case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
|
||||
"files": {
|
||||
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
|
||||
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
|
||||
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
|
||||
"reachgraph.truth.json": "86a0dad5b06b69018a35931b1ef8fb700abe6511f75aa81dcffc23f0411cc086",
|
||||
"sbom.cdx.json": "8747790b2c9638b08aedca818367852889ee9bb50f1be1212b9c46b27296b8b9",
|
||||
"sbom.spdx.json": "fd5b8befa1a59f06c315406213426ee516276ad806f4acb1f53472149d97c402",
|
||||
"symbols.json": "0793a11190a789d63cac1d15ae259dcbe48764dd0f75000176e3abf8f3a3beb6",
|
||||
"vex.openvex.json": "cd54fe28bf7f171a2a47e6118b05ad26013a32d97e2b9eef143eab75208d9fa4"
|
||||
},
|
||||
"schema_version": "reachbench.manifest/v1",
|
||||
"variant": "unreachable"
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
{
|
||||
"case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
|
||||
"paths": [],
|
||||
"schema_version": "reachbench.reachgraph.truth/v1",
|
||||
"variant": "unreachable"
|
||||
}
|
||||
@@ -1,11 +0,0 @@
|
||||
{
|
||||
"bomFormat": "CycloneDX",
|
||||
"components": [],
|
||||
"metadata": {
|
||||
"component": {
|
||||
"name": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
|
||||
"version": "0.0.0"
|
||||
}
|
||||
},
|
||||
"specVersion": "1.5"
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
{
|
||||
"SPDXID": "SPDXRef-DOCUMENT",
|
||||
"name": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
|
||||
"packages": [],
|
||||
"spdxVersion": "SPDX-2.3"
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
{
|
||||
"case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
|
||||
"schema_version": "reachbench.symbols/v1",
|
||||
"symbols": [],
|
||||
"variant": "unreachable"
|
||||
}
|
||||
@@ -1 +0,0 @@
|
||||
{"ts": 1.001, "event": "call", "sid": "sym://dotnet:dotnet.c#entry", "pid": 100}
|
||||
@@ -1,15 +0,0 @@
|
||||
{
|
||||
"author": "StellaOps",
|
||||
"role": "reachbench",
|
||||
"statements": [
|
||||
{
|
||||
"products": [
|
||||
"pkg:dotnet-kestrel-CVE-2023-44487-http2-rapid-reset"
|
||||
],
|
||||
"status": "not_affected",
|
||||
"statusJustification": "component_not_present",
|
||||
"vulnerability": "cve:CVE-2023-44487"
|
||||
}
|
||||
],
|
||||
"timestamp": "2025-11-18T00:00:00Z"
|
||||
}
|
||||
@@ -1,46 +0,0 @@
|
||||
{
|
||||
"id": "dotnet-newtonsoft-deser-TBD",
|
||||
"cve": "N/A",
|
||||
"description": "STUB: Replace with accurate description and threat model for the specific CVE/case.",
|
||||
"threat_model": {
|
||||
"entry_points": [
|
||||
"STUB: define concrete inputs"
|
||||
],
|
||||
"preconditions": [
|
||||
"STUB: feature flags / modules / protocols enabled"
|
||||
],
|
||||
"privilege_boundary": [
|
||||
"STUB: describe boundary (if any)"
|
||||
]
|
||||
},
|
||||
"ground_truth": {
|
||||
"reachable_variant": {
|
||||
"status": "affected",
|
||||
"evidence": {
|
||||
"symbols": [
|
||||
"sym://dotnet:dotnet.c#sink"
|
||||
],
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://dotnet:dotnet.c#entry",
|
||||
"sym://dotnet:dotnet.c#sink"
|
||||
]
|
||||
],
|
||||
"runtime_proof": "traces.runtime.jsonl: lines 1-5"
|
||||
}
|
||||
},
|
||||
"unreachable_variant": {
|
||||
"status": "not_affected",
|
||||
"justification": "vulnerable_code_not_in_execute_path",
|
||||
"evidence": {
|
||||
"pruning_reason": [
|
||||
"STUB: feature disabled, module absent, or policy denies"
|
||||
],
|
||||
"blocked_edges": [
|
||||
"sym://dotnet:dotnet.c#entry -> sym://dotnet:dotnet.c#sink"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
# dotnet-newtonsoft-deser-TBD
|
||||
Primary axis: lang-dotnet
|
||||
Tags: deserialization, json, polymorphic
|
||||
Languages: dotnet
|
||||
|
||||
## Variants
|
||||
- reachable: vulnerable function/path is on an executable route.
|
||||
- unreachable: same base image/config with control toggles that prune the path.
|
||||
|
||||
## Entrypoint & Controls (fill in)
|
||||
- entrypoints: e.g., http:/route, grpc method, tcp port, OCI hook
|
||||
- flags: e.g., feature_on=true, middleware_order=bad|good, module_loaded=true|false, LSM=enforcing|permissive
|
||||
|
||||
## Expected ground-truth path(s)
|
||||
See `images/*/reachgraph.truth.json`.
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"payload": "",
|
||||
"payloadType": "application/vnd.in-toto+json",
|
||||
"signatures": []
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"edges": [],
|
||||
"nodes": [],
|
||||
"schema_version": "reachbench.callgraph.framework/v1"
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"edges": [],
|
||||
"nodes": [],
|
||||
"schema_version": "reachbench.callgraph.static/v1"
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
{
|
||||
"case_id": "dotnet-newtonsoft-deser-TBD",
|
||||
"files": {
|
||||
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
|
||||
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
|
||||
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
|
||||
"reachgraph.truth.json": "7c1b7d56df4efc97360ba7754feb1051644e624afa2589971fab09507827e677",
|
||||
"sbom.cdx.json": "c7283a731ca81300f6cda9e944451062a92c7eb0559ebdc6b96f6afeea637187",
|
||||
"sbom.spdx.json": "da4978369cae300336e4abd570edb8c8de27bcb5ff2c5131975cae7d8ee01f8e",
|
||||
"symbols.json": "d03361b683ae570864824a8e57c91ca875590373d949d2f706af488c4ccbcc01",
|
||||
"vex.openvex.json": "41e52bf3c0b40ca614d32f5c9b719b68c53e2a0f08f483d6c429120060c9d930"
|
||||
},
|
||||
"schema_version": "reachbench.manifest/v1",
|
||||
"variant": "reachable"
|
||||
}
|
||||
@@ -1,12 +0,0 @@
|
||||
{
|
||||
"case_id": "dotnet-newtonsoft-deser-TBD",
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://dotnet:dotnet.c#entry",
|
||||
"sym://dotnet:dotnet.c#sink"
|
||||
]
|
||||
],
|
||||
"schema_version": "reachbench.reachgraph.truth/v1",
|
||||
"variant": "reachable"
|
||||
}
|
||||
@@ -1,11 +0,0 @@
|
||||
{
|
||||
"bomFormat": "CycloneDX",
|
||||
"components": [],
|
||||
"metadata": {
|
||||
"component": {
|
||||
"name": "dotnet-newtonsoft-deser-TBD",
|
||||
"version": "0.0.0"
|
||||
}
|
||||
},
|
||||
"specVersion": "1.5"
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
{
|
||||
"SPDXID": "SPDXRef-DOCUMENT",
|
||||
"name": "dotnet-newtonsoft-deser-TBD",
|
||||
"packages": [],
|
||||
"spdxVersion": "SPDX-2.3"
|
||||
}
|
||||
@@ -1,8 +0,0 @@
|
||||
{
|
||||
"case_id": "dotnet-newtonsoft-deser-TBD",
|
||||
"schema_version": "reachbench.symbols/v1",
|
||||
"symbols": [
|
||||
"sym://dotnet:dotnet.c#sink"
|
||||
],
|
||||
"variant": "reachable"
|
||||
}
|
||||
@@ -1,2 +0,0 @@
|
||||
{"ts": 1.001, "event": "call", "sid": "sym://dotnet:dotnet.c#entry", "pid": 100}
|
||||
{"ts": 1.005, "event": "call", "sid": "sym://dotnet:dotnet.c#sink", "pid": 100}
|
||||
@@ -1,15 +0,0 @@
|
||||
{
|
||||
"author": "StellaOps",
|
||||
"role": "reachbench",
|
||||
"statements": [
|
||||
{
|
||||
"products": [
|
||||
"pkg:dotnet-newtonsoft-deser-TBD"
|
||||
],
|
||||
"status": "affected",
|
||||
"statusJustification": "component_present",
|
||||
"vulnerability": "dotnet-newtonsoft-deser-TBD"
|
||||
}
|
||||
],
|
||||
"timestamp": "2025-11-18T00:00:00Z"
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"payload": "",
|
||||
"payloadType": "application/vnd.in-toto+json",
|
||||
"signatures": []
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"edges": [],
|
||||
"nodes": [],
|
||||
"schema_version": "reachbench.callgraph.framework/v1"
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"edges": [],
|
||||
"nodes": [],
|
||||
"schema_version": "reachbench.callgraph.static/v1"
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
{
|
||||
"case_id": "dotnet-newtonsoft-deser-TBD",
|
||||
"files": {
|
||||
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
|
||||
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
|
||||
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
|
||||
"reachgraph.truth.json": "aa1c4c8133ae26349e1a740293e875d91f3a5ba1b241eb39617a09ea1b6ced8e",
|
||||
"sbom.cdx.json": "c7283a731ca81300f6cda9e944451062a92c7eb0559ebdc6b96f6afeea637187",
|
||||
"sbom.spdx.json": "da4978369cae300336e4abd570edb8c8de27bcb5ff2c5131975cae7d8ee01f8e",
|
||||
"symbols.json": "a804343735751e99bda81ce614d890fe19cb510bcb3d3b17dff05ab01decf2e1",
|
||||
"vex.openvex.json": "65cdb8a5d02277eacf194c23cdb7a8adada7318f45f5ce4eb0e09fbcd9d8b615"
|
||||
},
|
||||
"schema_version": "reachbench.manifest/v1",
|
||||
"variant": "unreachable"
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
{
|
||||
"case_id": "dotnet-newtonsoft-deser-TBD",
|
||||
"paths": [],
|
||||
"schema_version": "reachbench.reachgraph.truth/v1",
|
||||
"variant": "unreachable"
|
||||
}
|
||||
@@ -1,11 +0,0 @@
|
||||
{
|
||||
"bomFormat": "CycloneDX",
|
||||
"components": [],
|
||||
"metadata": {
|
||||
"component": {
|
||||
"name": "dotnet-newtonsoft-deser-TBD",
|
||||
"version": "0.0.0"
|
||||
}
|
||||
},
|
||||
"specVersion": "1.5"
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
{
|
||||
"SPDXID": "SPDXRef-DOCUMENT",
|
||||
"name": "dotnet-newtonsoft-deser-TBD",
|
||||
"packages": [],
|
||||
"spdxVersion": "SPDX-2.3"
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
{
|
||||
"case_id": "dotnet-newtonsoft-deser-TBD",
|
||||
"schema_version": "reachbench.symbols/v1",
|
||||
"symbols": [],
|
||||
"variant": "unreachable"
|
||||
}
|
||||
@@ -1 +0,0 @@
|
||||
{"ts": 1.001, "event": "call", "sid": "sym://dotnet:dotnet.c#entry", "pid": 100}
|
||||
@@ -1,15 +0,0 @@
|
||||
{
|
||||
"author": "StellaOps",
|
||||
"role": "reachbench",
|
||||
"statements": [
|
||||
{
|
||||
"products": [
|
||||
"pkg:dotnet-newtonsoft-deser-TBD"
|
||||
],
|
||||
"status": "not_affected",
|
||||
"statusJustification": "component_not_present",
|
||||
"vulnerability": "dotnet-newtonsoft-deser-TBD"
|
||||
}
|
||||
],
|
||||
"timestamp": "2025-11-18T00:00:00Z"
|
||||
}
|
||||
@@ -1,46 +0,0 @@
|
||||
{
|
||||
"id": "glibc-CVE-2023-4911-looney-tunables",
|
||||
"cve": "CVE-2023-4911",
|
||||
"description": "STUB: Replace with accurate description and threat model for the specific CVE/case.",
|
||||
"threat_model": {
|
||||
"entry_points": [
|
||||
"STUB: define concrete inputs"
|
||||
],
|
||||
"preconditions": [
|
||||
"STUB: feature flags / modules / protocols enabled"
|
||||
],
|
||||
"privilege_boundary": [
|
||||
"STUB: describe boundary (if any)"
|
||||
]
|
||||
},
|
||||
"ground_truth": {
|
||||
"reachable_variant": {
|
||||
"status": "affected",
|
||||
"evidence": {
|
||||
"symbols": [
|
||||
"sym://glibc:glibc.c#sink"
|
||||
],
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://glibc:glibc.c#entry",
|
||||
"sym://glibc:glibc.c#sink"
|
||||
]
|
||||
],
|
||||
"runtime_proof": "traces.runtime.jsonl: lines 1-5"
|
||||
}
|
||||
},
|
||||
"unreachable_variant": {
|
||||
"status": "not_affected",
|
||||
"justification": "vulnerable_code_not_in_execute_path",
|
||||
"evidence": {
|
||||
"pruning_reason": [
|
||||
"STUB: feature disabled, module absent, or policy denies"
|
||||
],
|
||||
"blocked_edges": [
|
||||
"sym://glibc:glibc.c#entry -> sym://glibc:glibc.c#sink"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
# glibc-CVE-2023-4911-looney-tunables
|
||||
Primary axis: binary-hybrid
|
||||
Tags: env-vars, libc, ldso
|
||||
Languages: c
|
||||
|
||||
## Variants
|
||||
- reachable: vulnerable function/path is on an executable route.
|
||||
- unreachable: same base image/config with control toggles that prune the path.
|
||||
|
||||
## Entrypoint & Controls (fill in)
|
||||
- entrypoints: e.g., http:/route, grpc method, tcp port, OCI hook
|
||||
- flags: e.g., feature_on=true, middleware_order=bad|good, module_loaded=true|false, LSM=enforcing|permissive
|
||||
|
||||
## Expected ground-truth path(s)
|
||||
See `images/*/reachgraph.truth.json`.
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"payload": "",
|
||||
"payloadType": "application/vnd.in-toto+json",
|
||||
"signatures": []
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"edges": [],
|
||||
"nodes": [],
|
||||
"schema_version": "reachbench.callgraph.framework/v1"
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"edges": [],
|
||||
"nodes": [],
|
||||
"schema_version": "reachbench.callgraph.static/v1"
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
{
|
||||
"case_id": "glibc-CVE-2023-4911-looney-tunables",
|
||||
"files": {
|
||||
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
|
||||
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
|
||||
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
|
||||
"reachgraph.truth.json": "f7200c066db6fefd2ed3168497ae7d8cb585f1d12479086217007df1bb2c1460",
|
||||
"sbom.cdx.json": "e3bbce1051a27f877fdd76634902c835ac21a7f53241308878a404dbced491fc",
|
||||
"sbom.spdx.json": "2b30ff6eabf0b4c5e76f2e5de6af21a6b48a746c51298a708a3674976ef5b8f8",
|
||||
"symbols.json": "27dd785d49ef6b4229a0e5a25107346eea5cc8b7dd01c2fb9ba73b53456bcaee",
|
||||
"vex.openvex.json": "bd6f67166fb31fa2a5e7211b71e083c8611f9c2b7d7e0607c31ce6df777a1f69"
|
||||
},
|
||||
"schema_version": "reachbench.manifest/v1",
|
||||
"variant": "reachable"
|
||||
}
|
||||
@@ -1,12 +0,0 @@
|
||||
{
|
||||
"case_id": "glibc-CVE-2023-4911-looney-tunables",
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://glibc:glibc.c#entry",
|
||||
"sym://glibc:glibc.c#sink"
|
||||
]
|
||||
],
|
||||
"schema_version": "reachbench.reachgraph.truth/v1",
|
||||
"variant": "reachable"
|
||||
}
|
||||
@@ -1,11 +0,0 @@
|
||||
{
|
||||
"bomFormat": "CycloneDX",
|
||||
"components": [],
|
||||
"metadata": {
|
||||
"component": {
|
||||
"name": "glibc-CVE-2023-4911-looney-tunables",
|
||||
"version": "0.0.0"
|
||||
}
|
||||
},
|
||||
"specVersion": "1.5"
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
{
|
||||
"SPDXID": "SPDXRef-DOCUMENT",
|
||||
"name": "glibc-CVE-2023-4911-looney-tunables",
|
||||
"packages": [],
|
||||
"spdxVersion": "SPDX-2.3"
|
||||
}
|
||||
@@ -1,8 +0,0 @@
|
||||
{
|
||||
"case_id": "glibc-CVE-2023-4911-looney-tunables",
|
||||
"schema_version": "reachbench.symbols/v1",
|
||||
"symbols": [
|
||||
"sym://glibc:glibc.c#sink"
|
||||
],
|
||||
"variant": "reachable"
|
||||
}
|
||||
@@ -1,2 +0,0 @@
|
||||
{"ts": 1.001, "event": "call", "sid": "sym://glibc:glibc.c#entry", "pid": 100}
|
||||
{"ts": 1.005, "event": "call", "sid": "sym://glibc:glibc.c#sink", "pid": 100}
|
||||
@@ -1,15 +0,0 @@
|
||||
{
|
||||
"author": "StellaOps",
|
||||
"role": "reachbench",
|
||||
"statements": [
|
||||
{
|
||||
"products": [
|
||||
"pkg:glibc-CVE-2023-4911-looney-tunables"
|
||||
],
|
||||
"status": "affected",
|
||||
"statusJustification": "component_present",
|
||||
"vulnerability": "cve:CVE-2023-4911"
|
||||
}
|
||||
],
|
||||
"timestamp": "2025-11-18T00:00:00Z"
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"payload": "",
|
||||
"payloadType": "application/vnd.in-toto+json",
|
||||
"signatures": []
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"edges": [],
|
||||
"nodes": [],
|
||||
"schema_version": "reachbench.callgraph.framework/v1"
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"edges": [],
|
||||
"nodes": [],
|
||||
"schema_version": "reachbench.callgraph.static/v1"
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
{
|
||||
"case_id": "glibc-CVE-2023-4911-looney-tunables",
|
||||
"files": {
|
||||
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
|
||||
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
|
||||
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
|
||||
"reachgraph.truth.json": "836f543e3e7b593582e2ffb529456ffc4309ec79d41e5f8b9eb5696f54d17883",
|
||||
"sbom.cdx.json": "e3bbce1051a27f877fdd76634902c835ac21a7f53241308878a404dbced491fc",
|
||||
"sbom.spdx.json": "2b30ff6eabf0b4c5e76f2e5de6af21a6b48a746c51298a708a3674976ef5b8f8",
|
||||
"symbols.json": "fe742caccb2134c46594f3816b58b06f1cad6f2d62ea8dd55ad31ce4ce672906",
|
||||
"vex.openvex.json": "3ebcafe7d9e0f211f80783568cd9bc4a92ddaa3609b2b0ef11471031246cadde"
|
||||
},
|
||||
"schema_version": "reachbench.manifest/v1",
|
||||
"variant": "unreachable"
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
{
|
||||
"case_id": "glibc-CVE-2023-4911-looney-tunables",
|
||||
"paths": [],
|
||||
"schema_version": "reachbench.reachgraph.truth/v1",
|
||||
"variant": "unreachable"
|
||||
}
|
||||
@@ -1,11 +0,0 @@
|
||||
{
|
||||
"bomFormat": "CycloneDX",
|
||||
"components": [],
|
||||
"metadata": {
|
||||
"component": {
|
||||
"name": "glibc-CVE-2023-4911-looney-tunables",
|
||||
"version": "0.0.0"
|
||||
}
|
||||
},
|
||||
"specVersion": "1.5"
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
{
|
||||
"SPDXID": "SPDXRef-DOCUMENT",
|
||||
"name": "glibc-CVE-2023-4911-looney-tunables",
|
||||
"packages": [],
|
||||
"spdxVersion": "SPDX-2.3"
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
{
|
||||
"case_id": "glibc-CVE-2023-4911-looney-tunables",
|
||||
"schema_version": "reachbench.symbols/v1",
|
||||
"symbols": [],
|
||||
"variant": "unreachable"
|
||||
}
|
||||
@@ -1 +0,0 @@
|
||||
{"ts": 1.001, "event": "call", "sid": "sym://glibc:glibc.c#entry", "pid": 100}
|
||||
@@ -1,15 +0,0 @@
|
||||
{
|
||||
"author": "StellaOps",
|
||||
"role": "reachbench",
|
||||
"statements": [
|
||||
{
|
||||
"products": [
|
||||
"pkg:glibc-CVE-2023-4911-looney-tunables"
|
||||
],
|
||||
"status": "not_affected",
|
||||
"statusJustification": "component_not_present",
|
||||
"vulnerability": "cve:CVE-2023-4911"
|
||||
}
|
||||
],
|
||||
"timestamp": "2025-11-18T00:00:00Z"
|
||||
}
|
||||
@@ -1,46 +0,0 @@
|
||||
{
|
||||
"id": "go-gateway-reflection-auth-bypass",
|
||||
"cve": "N/A",
|
||||
"description": "STUB: Replace with accurate description and threat model for the specific CVE/case.",
|
||||
"threat_model": {
|
||||
"entry_points": [
|
||||
"STUB: define concrete inputs"
|
||||
],
|
||||
"preconditions": [
|
||||
"STUB: feature flags / modules / protocols enabled"
|
||||
],
|
||||
"privilege_boundary": [
|
||||
"STUB: describe boundary (if any)"
|
||||
]
|
||||
},
|
||||
"ground_truth": {
|
||||
"reachable_variant": {
|
||||
"status": "affected",
|
||||
"evidence": {
|
||||
"symbols": [
|
||||
"sym://go:go.c#sink"
|
||||
],
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://go:go.c#entry",
|
||||
"sym://go:go.c#sink"
|
||||
]
|
||||
],
|
||||
"runtime_proof": "traces.runtime.jsonl: lines 1-5"
|
||||
}
|
||||
},
|
||||
"unreachable_variant": {
|
||||
"status": "not_affected",
|
||||
"justification": "vulnerable_code_not_in_execute_path",
|
||||
"evidence": {
|
||||
"pruning_reason": [
|
||||
"STUB: feature disabled, module absent, or policy denies"
|
||||
],
|
||||
"blocked_edges": [
|
||||
"sym://go:go.c#entry -> sym://go:go.c#sink"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
# go-gateway-reflection-auth-bypass
|
||||
Primary axis: lang-go
|
||||
Tags: grpc, reflection, authz-gap
|
||||
Languages: go
|
||||
|
||||
## Variants
|
||||
- reachable: vulnerable function/path is on an executable route.
|
||||
- unreachable: same base image/config with control toggles that prune the path.
|
||||
|
||||
## Entrypoint & Controls (fill in)
|
||||
- entrypoints: e.g., http:/route, grpc method, tcp port, OCI hook
|
||||
- flags: e.g., feature_on=true, middleware_order=bad|good, module_loaded=true|false, LSM=enforcing|permissive
|
||||
|
||||
## Expected ground-truth path(s)
|
||||
See `images/*/reachgraph.truth.json`.
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"payload": "",
|
||||
"payloadType": "application/vnd.in-toto+json",
|
||||
"signatures": []
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"edges": [],
|
||||
"nodes": [],
|
||||
"schema_version": "reachbench.callgraph.framework/v1"
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{
|
||||
"edges": [],
|
||||
"nodes": [],
|
||||
"schema_version": "reachbench.callgraph.static/v1"
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
{
|
||||
"case_id": "go-gateway-reflection-auth-bypass",
|
||||
"files": {
|
||||
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
|
||||
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
|
||||
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
|
||||
"reachgraph.truth.json": "f7c362965a307a6cf40f7921d2ad508cd503fa924ed3a391dba3afe54ab0dcdd",
|
||||
"sbom.cdx.json": "16a041571c0641abe57929624e49f07353edb8980ecdd16340ef83f24f127cba",
|
||||
"sbom.spdx.json": "8abd620f40a28d379b861d6ef640017ea119a8870890009dbd8126ed621a5c73",
|
||||
"symbols.json": "dbf69a19ce1676cc809597ed9fce78c9fe8ebcf25186949a107971116a79a39b",
|
||||
"vex.openvex.json": "b550e30451d7ef7ff612606711ecede1089d914bd8a26f5fbcf01ff1d4e36149"
|
||||
},
|
||||
"schema_version": "reachbench.manifest/v1",
|
||||
"variant": "reachable"
|
||||
}
|
||||
@@ -1,12 +0,0 @@
|
||||
{
|
||||
"case_id": "go-gateway-reflection-auth-bypass",
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://go:go.c#entry",
|
||||
"sym://go:go.c#sink"
|
||||
]
|
||||
],
|
||||
"schema_version": "reachbench.reachgraph.truth/v1",
|
||||
"variant": "reachable"
|
||||
}
|
||||
@@ -1,11 +0,0 @@
|
||||
{
|
||||
"bomFormat": "CycloneDX",
|
||||
"components": [],
|
||||
"metadata": {
|
||||
"component": {
|
||||
"name": "go-gateway-reflection-auth-bypass",
|
||||
"version": "0.0.0"
|
||||
}
|
||||
},
|
||||
"specVersion": "1.5"
|
||||
}
|
||||
@@ -1,6 +0,0 @@
|
||||
{
|
||||
"SPDXID": "SPDXRef-DOCUMENT",
|
||||
"name": "go-gateway-reflection-auth-bypass",
|
||||
"packages": [],
|
||||
"spdxVersion": "SPDX-2.3"
|
||||
}
|
||||
@@ -1,8 +0,0 @@
|
||||
{
|
||||
"case_id": "go-gateway-reflection-auth-bypass",
|
||||
"schema_version": "reachbench.symbols/v1",
|
||||
"symbols": [
|
||||
"sym://go:go.c#sink"
|
||||
],
|
||||
"variant": "reachable"
|
||||
}
|
||||
@@ -1,2 +0,0 @@
|
||||
{"ts": 1.001, "event": "call", "sid": "sym://go:go.c#entry", "pid": 100}
|
||||
{"ts": 1.005, "event": "call", "sid": "sym://go:go.c#sink", "pid": 100}
|
||||
@@ -1,15 +0,0 @@
|
||||
{
|
||||
"author": "StellaOps",
|
||||
"role": "reachbench",
|
||||
"statements": [
|
||||
{
|
||||
"products": [
|
||||
"pkg:go-gateway-reflection-auth-bypass"
|
||||
],
|
||||
"status": "affected",
|
||||
"statusJustification": "component_present",
|
||||
"vulnerability": "go-gateway-reflection-auth-bypass"
|
||||
}
|
||||
],
|
||||
"timestamp": "2025-11-18T00:00:00Z"
|
||||
}
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user