Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.
2025-11-08 20:53:45 +02:00
parent 515975edc5
commit 536f6249a6
837 changed files with 37279 additions and 14675 deletions


@@ -0,0 +1,207 @@
[
{
"advisoryKey": "acsc/multi/https-origin-example-advisories-info-bulletin",
"affectedPackages": [],
"aliases": [
"ACSC-2025-011",
"Bulletin",
"https://origin.example/advisories/info-bulletin"
],
"canonicalMetricId": null,
"credits": [],
"cvssMetrics": [],
"cwes": [],
"description": null,
"exploitKnown": false,
"language": "en",
"modified": null,
"provenance": [
{
"source": "acsc",
"kind": "document",
"value": "https://origin.example/feeds/multi/rss",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages",
"aliases",
"references",
"summary"
]
},
{
"source": "acsc",
"kind": "feed",
"value": "multi",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"summary"
]
},
{
"source": "acsc",
"kind": "mapping",
"value": "https://origin.example/advisories/info-bulletin",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages",
"aliases",
"references",
"summary"
]
}
],
"published": "2025-10-12T02:30:00+00:00",
"references": [
{
"kind": "advisory",
"provenance": {
"source": "acsc",
"kind": "reference",
"value": "https://origin.example/advisories/info-bulletin",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": []
},
"sourceTag": "multi",
"summary": "Information bulletin",
"url": "https://origin.example/advisories/info-bulletin"
}
],
"severity": null,
"summary": "Serial number: ACSC-2025-011\n\nAdvisory type: Bulletin\n\nGeneral guidance bulletin.",
"title": "Information bulletin"
},
{
"advisoryKey": "acsc/multi/https-origin-example-advisories-router-critical",
"affectedPackages": [
{
"type": "vendor",
"identifier": "ExampleCo Router X",
"platform": null,
"versionRanges": [],
"normalizedVersions": [],
"statuses": [],
"provenance": [
{
"source": "acsc",
"kind": "affected",
"value": "ExampleCo Router X",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages"
]
}
]
},
{
"type": "vendor",
"identifier": "ExampleCo Router Y",
"platform": null,
"versionRanges": [],
"normalizedVersions": [],
"statuses": [],
"provenance": [
{
"source": "acsc",
"kind": "affected",
"value": "ExampleCo Router Y",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages"
]
}
]
}
],
"aliases": [
"ACSC-2025-010",
"CVE-2025-0001",
"https://origin.example/advisories/router-critical"
],
"canonicalMetricId": null,
"credits": [],
"cvssMetrics": [],
"cwes": [],
"description": null,
"exploitKnown": false,
"language": "en",
"modified": null,
"provenance": [
{
"source": "acsc",
"kind": "document",
"value": "https://origin.example/feeds/multi/rss",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages",
"aliases",
"references",
"summary"
]
},
{
"source": "acsc",
"kind": "feed",
"value": "multi",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"summary"
]
},
{
"source": "acsc",
"kind": "mapping",
"value": "https://origin.example/advisories/router-critical",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages",
"aliases",
"references",
"summary"
]
}
],
"published": "2025-10-12T04:45:00+00:00",
"references": [
{
"kind": "advisory",
"provenance": {
"source": "acsc",
"kind": "reference",
"value": "https://origin.example/advisories/router-critical",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": []
},
"sourceTag": "multi",
"summary": "Critical router vulnerability",
"url": "https://origin.example/advisories/router-critical"
},
{
"kind": "reference",
"provenance": {
"source": "acsc",
"kind": "reference",
"value": "https://vendor.example/router/patch",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": []
},
"sourceTag": null,
"summary": "vendor patch",
"url": "https://vendor.example/router/patch"
}
],
"severity": "critical",
"summary": "Serial number: ACSC-2025-010\n\nSeverity: Critical\n\nSystems affected: ExampleCo Router X, ExampleCo Router Y\n\nRemote code execution on ExampleCo routers. See vendor patch.\n\nCVE references: CVE-2025-0001",
"title": "Critical router vulnerability"
}
]
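Review bot: The expected `aliases` array for ACSC-2025-011 carries the advisory-type label `"Bulletin"` next to the serial number and the advisory URL, and the new alerts fixture further down does the same with `"Alert"`. If aliases are used to correlate or merge advisories across sources (not visible on this page), a generic label shared by every bulletin would make unrelated records look like the same advisory. I would keep only real identifiers in the expected output, e.g. `"aliases": ["ACSC-2025-011", "https://origin.example/advisories/info-bulletin"]`, and leave the type in `summary`, where it already appears as `Advisory type: Bulletin`.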


@@ -1,201 +1,207 @@
[
{
"advisoryKey": "acsc/multi/https-origin-example-advisories-info-bulletin",
"affectedPackages": [],
"aliases": [
"ACSC-2025-011",
"Bulletin",
"https://origin.example/advisories/info-bulletin"
],
"credits": [],
"cvssMetrics": [],
"exploitKnown": false,
"language": "en",
"modified": null,
"provenance": [
{
"source": "acsc",
"kind": "document",
"value": "https://origin.example/feeds/multi/rss",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages",
"aliases",
"references",
"summary"
]
},
{
"source": "acsc",
"kind": "feed",
"value": "multi",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"summary"
]
},
{
"source": "acsc",
"kind": "mapping",
"value": "https://origin.example/advisories/info-bulletin",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages",
"aliases",
"references",
"summary"
]
}
],
"published": "2025-10-12T02:30:00+00:00",
"references": [
{
"kind": "advisory",
"provenance": {
"source": "acsc",
"kind": "reference",
"value": "https://origin.example/advisories/info-bulletin",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": []
},
"sourceTag": "multi",
"summary": "Information bulletin",
"url": "https://origin.example/advisories/info-bulletin"
}
],
"severity": null,
"summary": "Serial number: ACSC-2025-011\n\nAdvisory type: Bulletin\n\nGeneral guidance bulletin.",
"title": "Information bulletin"
},
{
"advisoryKey": "acsc/multi/https-origin-example-advisories-router-critical",
"affectedPackages": [
{
"type": "vendor",
"identifier": "ExampleCo Router X",
"platform": null,
"versionRanges": [],
"normalizedVersions": [],
"statuses": [],
"provenance": [
{
"source": "acsc",
"kind": "affected",
"value": "ExampleCo Router X",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages"
]
}
]
},
{
"type": "vendor",
"identifier": "ExampleCo Router Y",
"platform": null,
"versionRanges": [],
"normalizedVersions": [],
"statuses": [],
"provenance": [
{
"source": "acsc",
"kind": "affected",
"value": "ExampleCo Router Y",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages"
]
}
]
}
],
"aliases": [
"ACSC-2025-010",
"CVE-2025-0001",
"https://origin.example/advisories/router-critical"
],
"credits": [],
"cvssMetrics": [],
"exploitKnown": false,
"language": "en",
"modified": null,
"provenance": [
{
"source": "acsc",
"kind": "document",
"value": "https://origin.example/feeds/multi/rss",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages",
"aliases",
"references",
"summary"
]
},
{
"source": "acsc",
"kind": "feed",
"value": "multi",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"summary"
]
},
{
"source": "acsc",
"kind": "mapping",
"value": "https://origin.example/advisories/router-critical",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages",
"aliases",
"references",
"summary"
]
}
],
"published": "2025-10-12T04:45:00+00:00",
"references": [
{
"kind": "advisory",
"provenance": {
"source": "acsc",
"kind": "reference",
"value": "https://origin.example/advisories/router-critical",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": []
},
"sourceTag": "multi",
"summary": "Critical router vulnerability",
"url": "https://origin.example/advisories/router-critical"
},
{
"kind": "reference",
"provenance": {
"source": "acsc",
"kind": "reference",
"value": "https://vendor.example/router/patch",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": []
},
"sourceTag": null,
"summary": "vendor patch",
"url": "https://vendor.example/router/patch"
}
],
"severity": "critical",
"summary": "Serial number: ACSC-2025-010\n\nSeverity: Critical\n\nSystems affected: ExampleCo Router X, ExampleCo Router Y\n\nRemote code execution on ExampleCo routers. See vendor patch.\n\nCVE references: CVE-2025-0001",
"title": "Critical router vulnerability"
}
[
{
"advisoryKey": "acsc/multi/https-origin-example-advisories-info-bulletin",
"affectedPackages": [],
"aliases": [
"ACSC-2025-011",
"Bulletin",
"https://origin.example/advisories/info-bulletin"
],
"canonicalMetricId": null,
"credits": [],
"cvssMetrics": [],
"cwes": [],
"description": null,
"exploitKnown": false,
"language": "en",
"modified": null,
"provenance": [
{
"source": "acsc",
"kind": "document",
"value": "https://origin.example/feeds/multi/rss",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages",
"aliases",
"references",
"summary"
]
},
{
"source": "acsc",
"kind": "feed",
"value": "multi",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"summary"
]
},
{
"source": "acsc",
"kind": "mapping",
"value": "https://origin.example/advisories/info-bulletin",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages",
"aliases",
"references",
"summary"
]
}
],
"published": "2025-10-12T02:30:00+00:00",
"references": [
{
"kind": "advisory",
"provenance": {
"source": "acsc",
"kind": "reference",
"value": "https://origin.example/advisories/info-bulletin",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": []
},
"sourceTag": "multi",
"summary": "Information bulletin",
"url": "https://origin.example/advisories/info-bulletin"
}
],
"severity": null,
"summary": "Serial number: ACSC-2025-011\n\nAdvisory type: Bulletin\n\nGeneral guidance bulletin.",
"title": "Information bulletin"
},
{
"advisoryKey": "acsc/multi/https-origin-example-advisories-router-critical",
"affectedPackages": [
{
"type": "vendor",
"identifier": "ExampleCo Router X",
"platform": null,
"versionRanges": [],
"normalizedVersions": [],
"statuses": [],
"provenance": [
{
"source": "acsc",
"kind": "affected",
"value": "ExampleCo Router X",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages"
]
}
]
},
{
"type": "vendor",
"identifier": "ExampleCo Router Y",
"platform": null,
"versionRanges": [],
"normalizedVersions": [],
"statuses": [],
"provenance": [
{
"source": "acsc",
"kind": "affected",
"value": "ExampleCo Router Y",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages"
]
}
]
}
],
"aliases": [
"ACSC-2025-010",
"CVE-2025-0001",
"https://origin.example/advisories/router-critical"
],
"canonicalMetricId": null,
"credits": [],
"cvssMetrics": [],
"cwes": [],
"description": null,
"exploitKnown": false,
"language": "en",
"modified": null,
"provenance": [
{
"source": "acsc",
"kind": "document",
"value": "https://origin.example/feeds/multi/rss",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages",
"aliases",
"references",
"summary"
]
},
{
"source": "acsc",
"kind": "feed",
"value": "multi",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"summary"
]
},
{
"source": "acsc",
"kind": "mapping",
"value": "https://origin.example/advisories/router-critical",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages",
"aliases",
"references",
"summary"
]
}
],
"published": "2025-10-12T04:45:00+00:00",
"references": [
{
"kind": "advisory",
"provenance": {
"source": "acsc",
"kind": "reference",
"value": "https://origin.example/advisories/router-critical",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": []
},
"sourceTag": "multi",
"summary": "Critical router vulnerability",
"url": "https://origin.example/advisories/router-critical"
},
{
"kind": "reference",
"provenance": {
"source": "acsc",
"kind": "reference",
"value": "https://vendor.example/router/patch",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": []
},
"sourceTag": null,
"summary": "vendor patch",
"url": "https://vendor.example/router/patch"
}
],
"severity": "critical",
"summary": "Serial number: ACSC-2025-010\n\nSeverity: Critical\n\nSystems affected: ExampleCo Router X, ExampleCo Router Y\n\nRemote code execution on ExampleCo routers. See vendor patch.\n\nCVE references: CVE-2025-0001",
"title": "Critical router vulnerability"
}
]
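Review bot: Both `affectedPackages` entries of the router-critical record keep `"versionRanges": []`, `"normalizedVersions": []` and `"statuses": []` next to `"severity": "critical"`, so the expected output names the products but gives a matcher nothing to decide which versions are affected. Whether an empty range is read as "every version" or "no version" is not visible in this fixture, and the two readings give opposite results for a remote-code-execution advisory. I would state the intended reading where the fixture is consumed, or record it in the entry itself, for example by filling the `decisionReason` of the `affected` provenance (currently `null`) if that field is meant for such notes. The three keys this change adds (`canonicalMetricId`, `cwes`, `description`) are all empty here, so they do not narrow it down either.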


@@ -0,0 +1,91 @@
[
{
"advisoryKey": "acsc/alerts/https-origin-example-advisories-example",
"affectedPackages": [],
"aliases": [
"ACSC-2025-001",
"Alert",
"https://origin.example/advisories/example"
],
"canonicalMetricId": null,
"credits": [],
"cvssMetrics": [],
"cwes": [],
"description": null,
"exploitKnown": false,
"language": "en",
"modified": null,
"provenance": [
{
"source": "acsc",
"kind": "document",
"value": "https://origin.example/feeds/alerts/rss",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages",
"aliases",
"references",
"summary"
]
},
{
"source": "acsc",
"kind": "feed",
"value": "alerts",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"summary"
]
},
{
"source": "acsc",
"kind": "mapping",
"value": "https://origin.example/advisories/example",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages",
"aliases",
"references",
"summary"
]
}
],
"published": "2025-10-12T03:00:00+00:00",
"references": [
{
"kind": "advisory",
"provenance": {
"source": "acsc",
"kind": "reference",
"value": "https://origin.example/advisories/example",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": []
},
"sourceTag": "alerts",
"summary": "ACSC-2025-001 Example Advisory",
"url": "https://origin.example/advisories/example"
},
{
"kind": "reference",
"provenance": {
"source": "acsc",
"kind": "reference",
"value": "https://vendor.example/patch",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": []
},
"sourceTag": null,
"summary": "Vendor patch",
"url": "https://vendor.example/patch"
}
],
"severity": null,
"summary": "Serial number: ACSC-2025-001\n\nAdvisory type: Alert\n\nFirst paragraph describing issue.\n\nSecond paragraph with Vendor patch.",
"title": "ACSC-2025-001 Example Advisory"
}
]


@@ -1,88 +1,91 @@
[
{
"advisoryKey": "acsc/alerts/https-origin-example-advisories-example",
"affectedPackages": [],
"aliases": [
"ACSC-2025-001",
"Alert",
"https://origin.example/advisories/example"
],
"credits": [],
"cvssMetrics": [],
"exploitKnown": false,
"language": "en",
"modified": null,
"provenance": [
{
"source": "acsc",
"kind": "document",
"value": "https://origin.example/feeds/alerts/rss",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages",
"aliases",
"references",
"summary"
]
},
{
"source": "acsc",
"kind": "feed",
"value": "alerts",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"summary"
]
},
{
"source": "acsc",
"kind": "mapping",
"value": "https://origin.example/advisories/example",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages",
"aliases",
"references",
"summary"
]
}
],
"published": "2025-10-12T03:00:00+00:00",
"references": [
{
"kind": "advisory",
"provenance": {
"source": "acsc",
"kind": "reference",
"value": "https://origin.example/advisories/example",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": []
},
"sourceTag": "alerts",
"summary": "ACSC-2025-001 Example Advisory",
"url": "https://origin.example/advisories/example"
},
{
"kind": "reference",
"provenance": {
"source": "acsc",
"kind": "reference",
"value": "https://vendor.example/patch",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": []
},
"sourceTag": null,
"summary": "Vendor patch",
"url": "https://vendor.example/patch"
}
],
"severity": null,
"summary": "Serial number: ACSC-2025-001\n\nAdvisory type: Alert\n\nFirst paragraph describing issue.\n\nSecond paragraph with Vendor patch.",
"title": "ACSC-2025-001 Example Advisory"
}
[
{
"advisoryKey": "acsc/alerts/https-origin-example-advisories-example",
"affectedPackages": [],
"aliases": [
"ACSC-2025-001",
"Alert",
"https://origin.example/advisories/example"
],
"canonicalMetricId": null,
"credits": [],
"cvssMetrics": [],
"cwes": [],
"description": null,
"exploitKnown": false,
"language": "en",
"modified": null,
"provenance": [
{
"source": "acsc",
"kind": "document",
"value": "https://origin.example/feeds/alerts/rss",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages",
"aliases",
"references",
"summary"
]
},
{
"source": "acsc",
"kind": "feed",
"value": "alerts",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"summary"
]
},
{
"source": "acsc",
"kind": "mapping",
"value": "https://origin.example/advisories/example",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": [
"affectedpackages",
"aliases",
"references",
"summary"
]
}
],
"published": "2025-10-12T03:00:00+00:00",
"references": [
{
"kind": "advisory",
"provenance": {
"source": "acsc",
"kind": "reference",
"value": "https://origin.example/advisories/example",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": []
},
"sourceTag": "alerts",
"summary": "ACSC-2025-001 Example Advisory",
"url": "https://origin.example/advisories/example"
},
{
"kind": "reference",
"provenance": {
"source": "acsc",
"kind": "reference",
"value": "https://vendor.example/patch",
"decisionReason": null,
"recordedAt": "2025-10-12T00:00:00+00:00",
"fieldMask": []
},
"sourceTag": null,
"summary": "Vendor patch",
"url": "https://vendor.example/patch"
}
],
"severity": null,
"summary": "Serial number: ACSC-2025-001\n\nAdvisory type: Alert\n\nFirst paragraph describing issue.\n\nSecond paragraph with Vendor patch.",
"title": "ACSC-2025-001 Example Advisory"
}
]