Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images. - Added symbols.json detailing function entry and sink points in the WordPress code. - Included runtime traces for function calls in both reachable and unreachable scenarios. - Developed OpenVEX files indicating vulnerability status and justification for both cases. - Updated README for evaluator harness to guide integration with scanner output.
2025-11-08 20:53:45 +02:00
parent 515975edc5
commit 536f6249a6
837 changed files with 37279 additions and 14675 deletions
--- a/src/__Libraries/StellaOps.Cryptography/DefaultCryptoProvider.cs
+++ b/src/__Libraries/StellaOps.Cryptography/DefaultCryptoProvider.cs
@@ -9,8 +9,8 @@ namespace StellaOps.Cryptography;
 /// <summary>
 /// Default in-process crypto provider exposing password hashing capabilities.
 /// </summary>
-public sealed class DefaultCryptoProvider : ICryptoProvider
-{
+public sealed class DefaultCryptoProvider : ICryptoProvider, ICryptoProviderDiagnostics
+{
    private readonly ConcurrentDictionary<string, IPasswordHasher> passwordHashers;
    private readonly ConcurrentDictionary<string, CryptoSigningKey> signingKeys;
    private static readonly HashSet<string> SupportedSigningAlgorithms = new(StringComparer.OrdinalIgnoreCase)
@@ -105,8 +105,38 @@ public sealed class DefaultCryptoProvider : ICryptoProvider
        return signingKeys.TryRemove(keyId, out _);
    }

-    public IReadOnlyCollection<CryptoSigningKey> GetSigningKeys()
-        => signingKeys.Values.ToArray();
+    public IReadOnlyCollection<CryptoSigningKey> GetSigningKeys()
+        => signingKeys.Values.ToArray();
+
+    public IEnumerable<CryptoProviderKeyDescriptor> DescribeKeys()
+    {
+        foreach (var key in signingKeys.Values)
+        {
+            var metadata = new Dictionary<string, string?>(StringComparer.OrdinalIgnoreCase)
+            {
+                ["kind"] = key.Kind.ToString(),
+                ["createdAt"] = key.CreatedAt.UtcDateTime.ToString("O"),
+                ["providerHint"] = key.Reference.ProviderHint,
+                ["provider"] = Name
+            };
+
+            if (key.ExpiresAt.HasValue)
+            {
+                metadata["expiresAt"] = key.ExpiresAt.Value.UtcDateTime.ToString("O");
+            }
+
+            foreach (var pair in key.Metadata)
+            {
+                metadata[$"meta.{pair.Key}"] = pair.Value;
+            }
+
+            yield return new CryptoProviderKeyDescriptor(
+                Name,
+                key.Reference.KeyId,
+                key.AlgorithmId,
+                metadata);
+        }
+    }

    private static void EnsureSigningSupported(string algorithmId)
    {