Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images. - Added symbols.json detailing function entry and sink points in the WordPress code. - Included runtime traces for function calls in both reachable and unreachable scenarios. - Developed OpenVEX files indicating vulnerability status and justification for both cases. - Updated README for evaluator harness to guide integration with scanner output.
2025-11-08 20:53:45 +02:00
parent 515975edc5
commit 536f6249a6
837 changed files with 37279 additions and 14675 deletions
--- a/src/Concelier/__Libraries/StellaOps.Concelier.RawModels/RawDocumentFactory.cs
+++ b/src/Concelier/__Libraries/StellaOps.Concelier.RawModels/RawDocumentFactory.cs
@@ -21,14 +21,14 @@ public static class RawDocumentFactory
        return new AdvisoryRawDocument(tenant, source, upstream, clonedContent, identifiers, linkset, advisoryKey, normalizedLinks, supersedes);
    }

-    public static VexRawDocument CreateVex(
-        string tenant,
-        RawSourceMetadata source,
-        RawUpstreamMetadata upstream,
-        RawContent content,
-        RawLinkset linkset,
-        ImmutableArray<VexStatementSummary> statements,
-        string? supersedes = null)
+    public static VexRawDocument CreateVex(
+        string tenant,
+        RawSourceMetadata source,
+        RawUpstreamMetadata upstream,
+        RawContent content,
+        RawLinkset linkset,
+        ImmutableArray<VexStatementSummary>? statements = null,
+        string? supersedes = null)
    {
        var clonedContent = content with { Raw = Clone(content.Raw) };
        return new VexRawDocument(tenant, source, upstream, clonedContent, linkset, statements, supersedes);
--- a/src/Concelier/__Libraries/StellaOps.Concelier.RawModels/VexRawDocument.cs
+++ b/src/Concelier/__Libraries/StellaOps.Concelier.RawModels/VexRawDocument.cs
@@ -3,15 +3,17 @@ using System.Text.Json.Serialization;

 namespace StellaOps.Concelier.RawModels;

-public sealed record VexRawDocument(
-    [property: JsonPropertyName("tenant")] string Tenant,
-    [property: JsonPropertyName("source")] RawSourceMetadata Source,
-    [property: JsonPropertyName("upstream")] RawUpstreamMetadata Upstream,
-    [property: JsonPropertyName("content")] RawContent Content,
-    [property: JsonPropertyName("linkset")] RawLinkset Linkset,
-    [property: JsonPropertyName("statements")] ImmutableArray<VexStatementSummary> Statements,
-    [property: JsonPropertyName("supersedes")] string? Supersedes = null)
-{
+public sealed record VexRawDocument(
+    [property: JsonPropertyName("tenant")] string Tenant,
+    [property: JsonPropertyName("source")] RawSourceMetadata Source,
+    [property: JsonPropertyName("upstream")] RawUpstreamMetadata Upstream,
+    [property: JsonPropertyName("content")] RawContent Content,
+    [property: JsonPropertyName("linkset")] RawLinkset Linkset,
+    [property: JsonPropertyName("statements")]
+    [property: JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+    ImmutableArray<VexStatementSummary>? Statements = null,
+    [property: JsonPropertyName("supersedes")] string? Supersedes = null)
+{
    public VexRawDocument WithSupersedes(string supersedes)
        => this with { Supersedes = supersedes };
 }