partly or unimplemented features - now implemented

src/Scanner/__Tests/__Datasets/toys/README.md

@@ -0,0 +1,24 @@
+# Toy Service Reachability Corpus
+
+This dataset provides deterministic toy services and `labels.yaml` files for
+reachability-tier benchmarking in Scanner tests.
+
+## labels.yaml schema (v1)
+- `schema_version`: always `v1`
+- `service`: toy service directory name
+- `language`: primary language
+- `entrypoint`: relative source file used as app entrypoint
+- `cves`: list of CVE labels
+
+Each CVE label contains:
+- `id`: CVE identifier
+- `package`: vulnerable package identifier
+- `tier`: one of `R0`, `R1`, `R2`, `R3`, `R4`
+- `rationale`: deterministic explanation for expected tier
+
+Tier definitions:
+- `R0`: unreachable
+- `R1`: present in dependency only
+- `R2`: imported but not called
+- `R3`: called but not reachable from entrypoint
+- `R4`: reachable from entrypoint

src/Scanner/__Tests/__Datasets/toys/svc-01-log4shell-java/labels.yaml

@@ -0,0 +1,9 @@
+schema_version: v1
+service: svc-01-log4shell-java
+language: java
+entrypoint: src/main/java/com/stellaops/toys/App.java
+cves:
+  - id: CVE-2021-44228
+    package: pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1
+    tier: R4
+    rationale: User-controlled logging path starts from main() and reaches sink.

src/Scanner/__Tests/__Datasets/toys/svc-01-log4shell-java/src/main/java/com/stellaops/toys/App.java

@@ -0,0 +1,14 @@
+package com.stellaops.toys;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+public final class App {
+    private static final Logger Log = LogManager.getLogger(App.class);
+
+    public static void main(String[] args) {
+        String userInput = args.length > 0 ? args[0] : "default";
+        // Simulates the vulnerable path being reachable from entrypoint.
+        Log.error("User payload: {}", userInput);
+    }
+}

src/Scanner/__Tests/__Datasets/toys/svc-02-prototype-pollution-node/labels.yaml

@@ -0,0 +1,9 @@
+schema_version: v1
+service: svc-02-prototype-pollution-node
+language: node
+entrypoint: src/index.js
+cves:
+  - id: CVE-2022-24999
+    package: pkg:npm/qs@6.10.3
+    tier: R2
+    rationale: Package usage is imported-level only with no exploitable call path.

src/Scanner/__Tests/__Datasets/toys/svc-02-prototype-pollution-node/src/index.js

@@ -0,0 +1,6 @@
+const defaults = { safe: true };
+const input = JSON.parse('{"__proto__": {"polluted": true}}');
+
+// Import/package present and parsed, but no dangerous sink invocation.
+Object.assign(defaults, input);
+console.log(defaults.safe);

src/Scanner/__Tests/__Datasets/toys/svc-03-pickle-deserialization-python/app.py

@@ -0,0 +1,11 @@
+import pickle
+
+# Vulnerable helper exists, but entrypoint never routes attacker input into it.
+def unsafe_deserialize(data: bytes):
+    return pickle.loads(data)
+
+def main():
+    print("health check")
+
+if __name__ == "__main__":
+    main()

src/Scanner/__Tests/__Datasets/toys/svc-03-pickle-deserialization-python/labels.yaml

@@ -0,0 +1,9 @@
+schema_version: v1
+service: svc-03-pickle-deserialization-python
+language: python
+entrypoint: app.py
+cves:
+  - id: CVE-2011-2526
+    package: pkg:pypi/pickle@0
+    tier: R3
+    rationale: Vulnerable function is called in codebase but not reachable from main().

src/Scanner/__Tests/__Datasets/toys/svc-04-text-template-go/labels.yaml

@@ -0,0 +1,9 @@
+schema_version: v1
+service: svc-04-text-template-go
+language: go
+entrypoint: main.go
+cves:
+  - id: CVE-2023-24538
+    package: pkg:golang/text/template@1.20.0
+    tier: R1
+    rationale: Vulnerable package is present in dependency graph with no import usage.

src/Scanner/__Tests/__Datasets/toys/svc-04-text-template-go/main.go

@@ -0,0 +1,8 @@
+package main
+
+import "fmt"
+
+func main() {
+    // Dependency is present but only linked transitively in this toy service.
+    fmt.Println("template demo")
+}

src/Scanner/__Tests/__Datasets/toys/svc-05-xmlserializer-dotnet/Program.cs

@@ -0,0 +1,10 @@
+using System;
+using System.Xml.Serialization;
+
+internal static class Program
+{
+    private static void Main()
+    {
+        Console.WriteLine(typeof(XmlSerializer).Name);
+    }
+}

src/Scanner/__Tests/__Datasets/toys/svc-05-xmlserializer-dotnet/labels.yaml

@@ -0,0 +1,9 @@
+schema_version: v1
+service: svc-05-xmlserializer-dotnet
+language: dotnet
+entrypoint: Program.cs
+cves:
+  - id: CVE-2021-26701
+    package: pkg:nuget/system.xml.xmlserializer@4.3.0
+    tier: R0
+    rationale: Vulnerable pattern is not present and no reachable sink path exists.

src/Scanner/__Tests/__Datasets/toys/svc-06-erb-injection-ruby/app.rb

@@ -0,0 +1,9 @@
+require "erb"
+
+def render(payload)
+  ERB.new(payload).result(binding)
+end
+
+if __FILE__ == $PROGRAM_NAME
+  puts render("Hello <%= \"world\" %>")
+end

src/Scanner/__Tests/__Datasets/toys/svc-06-erb-injection-ruby/labels.yaml

@@ -0,0 +1,9 @@
+schema_version: v1
+service: svc-06-erb-injection-ruby
+language: ruby
+entrypoint: app.rb
+cves:
+  - id: CVE-2021-41819
+    package: pkg:gem/erb@2.7.0
+    tier: R4
+    rationale: Entry script invokes ERB rendering directly with user-controlled template input.