Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images. - Added symbols.json detailing function entry and sink points in the WordPress code. - Included runtime traces for function calls in both reachable and unreachable scenarios. - Developed OpenVEX files indicating vulnerability status and justification for both cases. - Updated README for evaluator harness to guide integration with scanner output.
2025-11-08 20:53:45 +02:00
parent 515975edc5
commit 536f6249a6
837 changed files with 37279 additions and 14675 deletions
--- a/docs/api/console/samples/vex-statement-sse.ndjson
+++ b/docs/api/console/samples/vex-statement-sse.ndjson
@@ -0,0 +1,5 @@
+{"event":"statement.created","data":{"statementId":"vex:tenant-default:jwt-auth:5d1a","advisoryId":"CVE-2024-12345","product":"registry.local/ops/auth:2025.10.0","state":"under_investigation","justification":"exploit_observed","sequence":4178,"updatedAt":"2025-11-07T23:10:09Z"}}
+{"event":"statement.updated","data":{"statementId":"vex:tenant-default:jwt-auth:5d1a","advisoryId":"CVE-2024-12345","product":"registry.local/ops/auth:2025.10.0","state":"fixed","justification":"solution_available","sequence":4182,"updatedAt":"2025-11-08T11:44:32Z"}}
+{"event":"statement.conflict","data":{"statementId":"vex:tenant-default:jwt-auth:5d1a","advisoryId":"CVE-2024-12345","product":"registry.local/ops/auth:2025.10.0","conflictSummary":"Excititor statement GHSA-1111 differs on status","sequence":4183,"updatedAt":"2025-11-08T11:44:59Z"}}
+{"event":"statement.updated","data":{"statementId":"vex:tenant-default:jwt-auth:5d1a","advisoryId":"CVE-2024-12345","product":"registry.local/ops/auth:2025.10.0","state":"fixed","justification":"solution_available","sequence":4184,"updatedAt":"2025-11-08T11:45:04Z"}}
+{"event":"statement.deleted","data":{"statementId":"vex:tenant-default:legacy:1a2b","advisoryId":"CVE-2023-9999","product":"registry.local/ops/legacy:2024.01.0","sequence":4185,"updatedAt":"2025-11-08T12:01:01Z"}}
--- a/docs/api/console/samples/vuln-findings-sample.json
+++ b/docs/api/console/samples/vuln-findings-sample.json
@@ -0,0 +1,84 @@
+{
+  "items": [
+    {
+      "findingId": "tenant-default:advisory-ai:sha256:5d1a",
+      "coordinates": {
+        "advisoryId": "CVE-2024-12345",
+        "package": "pkg:npm/jsonwebtoken@9.0.2",
+        "component": "jwt-auth-service",
+        "image": "registry.local/ops/auth:2025.10.0"
+      },
+      "summary": "jsonwebtoken <10.0.0 allows algorithm downgrade.",
+      "severity": "high",
+      "cvss": 8.1,
+      "kev": true,
+      "policyBadge": "fail",
+      "vex": {
+        "statementId": "vex:tenant-default:jwt-auth:5d1a",
+        "state": "under_investigation",
+        "justification": "Advisory AI flagged reachable path via Scheduler run 42."
+      },
+      "reachability": {
+        "status": "reachable",
+        "lastObserved": "2025-11-07T23:11:04Z",
+        "signalsVersion": "signals-2025.310.1"
+      },
+      "evidence": {
+        "sbomDigest": "sha256:6c81f2bbd8bd7336f197f3f68fba2f76d7287dd1a5e2a0f0e9f14f23f3c2f917",
+        "policyRunId": "policy-run::2025-11-07::ca9f",
+        "attestationId": "dsse://authority/attest/84a2"
+      },
+      "timestamps": {
+        "firstSeen": "2025-10-31T04:22:18Z",
+        "lastSeen": "2025-11-07T23:16:51Z"
+      }
+    },
+    {
+      "findingId": "tenant-default:advisory-ai:sha256:9bf4",
+      "coordinates": {
+        "advisoryId": "GHSA-xxxx-yyyy-zzzz",
+        "package": "pkg:docker/library/nginx@1.25.2",
+        "component": "ingress-gateway",
+        "image": "registry.local/ops/ingress:2025.09.1"
+      },
+      "summary": "Heap overflow in nginx HTTP/3 parsing.",
+      "severity": "critical",
+      "cvss": 9.8,
+      "kev": false,
+      "policyBadge": "warn",
+      "vex": {
+        "statementId": "vex:tenant-default:ingress:9bf4",
+        "state": "not_affected",
+        "justification": "component_not_present"
+      },
+      "reachability": {
+        "status": "unknown",
+        "signalsVersion": "signals-2025.309.0"
+      },
+      "evidence": {
+        "sbomDigest": "sha256:99f1e2a7aa0f7c970dcb6674244f0bfb5f37148e3ee09fd4f925d3358dea2239",
+        "policyRunId": "policy-run::2025-11-06::b210",
+        "attestationId": "dsse://authority/attest/1d34"
+      },
+      "timestamps": {
+        "firstSeen": "2025-10-29T18:03:11Z",
+        "lastSeen": "2025-11-07T10:45:03Z"
+      }
+    }
+  ],
+  "facets": {
+    "severity": [
+      { "value": "critical", "count": 1 },
+      { "value": "high", "count": 1 }
+    ],
+    "policyBadge": [
+      { "value": "fail", "count": 1 },
+      { "value": "warn", "count": 1 }
+    ],
+    "reachability": [
+      { "value": "reachable", "count": 1 },
+      { "value": "unknown", "count": 1 }
+    ]
+  },
+  "nextPageToken": "eyJjdXJzb3IiOiJmZjg0NiJ9"
+}