Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case
- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images. - Added symbols.json detailing function entry and sink points in the WordPress code. - Included runtime traces for function calls in both reachable and unreachable scenarios. - Developed OpenVEX files indicating vulnerability status and justification for both cases. - Updated README for evaluator harness to guide integration with scanner output.
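--- a/tests/reachability/fixtures/reachbench-2025-expanded/INDEX.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/INDEX.json
@@ -0,0 +1,444 @@
+{
+"version": "0.1",
+"generated_at": "2025-11-07T22:40:04Z",
+"cases": [
+{
+"id": "runc-CVE-2024-21626-symlink-breakout",
+"primary_axis": "container-escape",
+"tags": [
+"symlink",
+"filesystem",
+"userns"
+],
+"languages": [
+"binary"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 9.0,
+"references": [
+"cve:CVE-2024-21626"
+]
+},
+{
+"id": "linux-cgroups-CVE-2022-0492-release_agent",
+"primary_axis": "container-escape",
+"tags": [
+"cgroups",
+"kernel",
+"priv-esc"
+],
+"languages": [
+"binary"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 9.0,
+"references": [
+"cve:CVE-2022-0492"
+]
+},
+{
+"id": "glibc-CVE-2023-4911-looney-tunables",
+"primary_axis": "binary-hybrid",
+"tags": [
+"env-vars",
+"libc",
+"ldso"
+],
+"languages": [
+"c"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 7.5,
+"references": [
+"cve:CVE-2023-4911"
+]
+},
+{
+"id": "curl-CVE-2023-38545-socks5-heap",
+"primary_axis": "binary-hybrid",
+"tags": [
+"networking",
+"proxy",
+"heap"
+],
+"languages": [
+"c"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 7.5,
+"references": [
+"cve:CVE-2023-38545"
+]
+},
+{
+"id": "openssl-CVE-2022-3602-x509-name-constraints",
+"primary_axis": "binary-hybrid",
+"tags": [
+"x509",
+"parser",
+"stack-overflow"
+],
+"languages": [
+"c"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 7.5,
+"references": [
+"cve:CVE-2022-3602"
+]
+},
+{
+"id": "openssh-CVE-2024-6387-regreSSHion",
+"primary_axis": "binary-hybrid",
+"tags": [
+"signal-handler",
+"daemon"
+],
+"languages": [
+"c"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 7.5,
+"references": [
+"cve:CVE-2024-6387"
+]
+},
+{
+"id": "redis-CVE-2022-0543-lua-sandbox-escape",
+"primary_axis": "binary-hybrid",
+"tags": [
+"lua",
+"sandbox",
+"rce"
+],
+"languages": [
+"c",
+"lua"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 7.5,
+"references": [
+"cve:CVE-2022-0543"
+]
+},
+{
+"id": "java-log4j-CVE-2021-44228-log4shell",
+"primary_axis": "lang-jvm",
+"tags": [
+"jndi",
+"deserialization",
+"rce"
+],
+"languages": [
+"java"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 9.8,
+"references": [
+"cve:CVE-2021-44228"
+]
+},
+{
+"id": "java-spring-CVE-2022-22965-spring4shell",
+"primary_axis": "lang-jvm",
+"tags": [
+"binding",
+"reflection",
+"rce"
+],
+"languages": [
+"java"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 9.8,
+"references": [
+"cve:CVE-2022-22965"
+]
+},
+{
+"id": "java-jackson-CVE-2019-12384-polymorphic-deser",
+"primary_axis": "lang-jvm",
+"tags": [
+"deserialization",
+"polymorphism"
+],
+"languages": [
+"java"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 7.5,
+"references": [
+"cve:CVE-2019-12384"
+]
+},
+{
+"id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
+"primary_axis": "lang-dotnet",
+"tags": [
+"protocol",
+"http2",
+"dos"
+],
+"languages": [
+"dotnet"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 7.5,
+"references": [
+"cve:CVE-2023-44487"
+]
+},
+{
+"id": "dotnet-newtonsoft-deser-TBD",
+"primary_axis": "lang-dotnet",
+"tags": [
+"deserialization",
+"json",
+"polymorphic"
+],
+"languages": [
+"dotnet"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 7.5,
+"references": []
+},
+{
+"id": "go-ssh-CVE-2020-9283-keyexchange",
+"primary_axis": "lang-go",
+"tags": [
+"crypto",
+"handshake"
+],
+"languages": [
+"go"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 7.5,
+"references": [
+"cve:CVE-2020-9283"
+]
+},
+{
+"id": "go-gateway-reflection-auth-bypass",
+"primary_axis": "lang-go",
+"tags": [
+"grpc",
+"reflection",
+"authz-gap"
+],
+"languages": [
+"go"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 7.5,
+"references": []
+},
+{
+"id": "node-tar-CVE-2021-37713-path-traversal",
+"primary_axis": "lang-node",
+"tags": [
+"path-traversal",
+"archive-extract"
+],
+"languages": [
+"node"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 7.5,
+"references": [
+"cve:CVE-2021-37713"
+]
+},
+{
+"id": "node-express-middleware-order-auth-bypass",
+"primary_axis": "lang-node",
+"tags": [
+"middleware-order",
+"authz"
+],
+"languages": [
+"node"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 7.5,
+"references": []
+},
+{
+"id": "python-jinja2-CVE-2019-10906-template-injection",
+"primary_axis": "lang-python",
+"tags": [
+"template-injection"
+],
+"languages": [
+"python"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 7.5,
+"references": [
+"cve:CVE-2019-10906"
+]
+},
+{
+"id": "python-django-CVE-2019-19844-sqli-like",
+"primary_axis": "lang-python",
+"tags": [
+"sqli",
+"orm"
+],
+"languages": [
+"python"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 7.5,
+"references": [
+"cve:CVE-2019-19844"
+]
+},
+{
+"id": "python-urllib3-dos-regex-TBD",
+"primary_axis": "lang-python",
+"tags": [
+"regex-dos",
+"parser"
+],
+"languages": [
+"python"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 7.5,
+"references": []
+},
+{
+"id": "php-phpmailer-CVE-2016-10033-rce",
+"primary_axis": "lang-php",
+"tags": [
+"rce",
+"email"
+],
+"languages": [
+"php"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 7.5,
+"references": [
+"cve:CVE-2016-10033"
+]
+},
+{
+"id": "wordpress-core-CVE-2022-21661-sqli",
+"primary_axis": "lang-php",
+"tags": [
+"sqli",
+"core"
+],
+"languages": [
+"php"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 7.5,
+"references": [
+"cve:CVE-2022-21661"
+]
+},
+{
+"id": "rails-CVE-2019-5418-file-content-disclosure",
+"primary_axis": "lang-ruby",
+"tags": [
+"path-traversal",
+"mime"
+],
+"languages": [
+"ruby"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 7.5,
+"references": [
+"cve:CVE-2019-5418"
+]
+},
+{
+"id": "rust-axum-header-parsing-TBD",
+"primary_axis": "lang-rust",
+"tags": [
+"parser",
+"config-sensitive"
+],
+"languages": [
+"rust"
+],
+"variants": [
+"reachable",
+"unreachable"
+],
+"severity_cvss": 7.5,
+"references": []
+}
+]
+}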
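Review bot: Nothing in the `cases` entries distinguishes a populated case from scaffolding, yet the three `-TBD` ids and the two auth-bypass cases carry `"references": []` and the same `"severity_cvss": 7.5` that almost every other entry has, which reads as a placeholder rather than a looked-up score. A harness that consumes this index will treat the stub ground truth as real and score against it. Suggest an explicit per-case marker, e.g. `"status": "stub"`, and `"severity_cvss": null` where no score has been sourced, so evaluators can exclude those entries; the populated entries should then have their scores checked against the cited CVE records rather than inheriting the template value. A documented schema (or a `"$schema"` pointer) for this index would let the harness validate it before use.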
@@ -0,0 +1,2 @@
|
||||
# ReachBench-2025 Expanded Kit (Skeleton)
|
||||
This is a scaffold containing diverse cases across languages and reach paths. Replace STUBs with real build configs, symbols, and call graphs.
|
||||
@@ -0,0 +1,46 @@
|
||||
{
|
||||
"id": "curl-CVE-2023-38545-socks5-heap",
|
||||
"cve": "CVE-2023-38545",
|
||||
"description": "STUB: Replace with accurate description and threat model for the specific CVE/case.",
|
||||
"threat_model": {
|
||||
"entry_points": [
|
||||
"STUB: define concrete inputs"
|
||||
],
|
||||
"preconditions": [
|
||||
"STUB: feature flags / modules / protocols enabled"
|
||||
],
|
||||
"privilege_boundary": [
|
||||
"STUB: describe boundary (if any)"
|
||||
]
|
||||
},
|
||||
"ground_truth": {
|
||||
"reachable_variant": {
|
||||
"status": "affected",
|
||||
"evidence": {
|
||||
"symbols": [
|
||||
"sym://curl:curl.c#sink"
|
||||
],
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://curl:curl.c#entry",
|
||||
"sym://curl:curl.c#sink"
|
||||
]
|
||||
],
|
||||
"runtime_proof": "traces.runtime.jsonl: lines 1-5"
|
||||
}
|
||||
},
|
||||
"unreachable_variant": {
|
||||
"status": "not_affected",
|
||||
"justification": "vulnerable_code_not_in_execute_path",
|
||||
"evidence": {
|
||||
"pruning_reason": [
|
||||
"STUB: feature disabled, module absent, or policy denies"
|
||||
],
|
||||
"blocked_edges": [
|
||||
"sym://curl:curl.c#entry -> sym://curl:curl.c#sink"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
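Review bot: `"runtime_proof": "traces.runtime.jsonl: lines 1-5"` does not match the reachable trace added in this commit, which has two records (the `@@ -0,0 +1,2 @@` hunk), so the evidence pointer is stale on day one; either cite `lines 1-2` or, better, reference trace records by `sid` so the pointer survives regeneration. The same string is copied into the dotnet-kestrel and dotnet-newtonsoft manifests. Separately, the placeholder for a missing CVE is spelled three different ways across the commit — `"cve": "N/A"` in the newtonsoft manifest, `"references": []` in INDEX.json and `"vulnerability": "TBD"` in its VEX — which a consumer cannot reconcile; pick one sentinel, preferably `null`, and document that such cases are excluded from scoring.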
@@ -0,0 +1,15 @@
|
||||
# curl-CVE-2023-38545-socks5-heap
|
||||
Primary axis: binary-hybrid
|
||||
Tags: networking, proxy, heap
|
||||
Languages: c
|
||||
|
||||
## Variants
|
||||
- reachable: vulnerable function/path is on an executable route.
|
||||
- unreachable: same base image/config with control toggles that prune the path.
|
||||
|
||||
## Entrypoint & Controls (fill in)
|
||||
- entrypoints: e.g., http:/route, grpc method, tcp port, OCI hook
|
||||
- flags: e.g., feature_on=true, middleware_order=bad|good, module_loaded=true|false, LSM=enforcing|permissive
|
||||
|
||||
## Expected ground-truth path(s)
|
||||
See `images/*/reachgraph.truth.json`.
|
||||
@@ -0,0 +1,30 @@
|
||||
{
|
||||
"dsse_version": "1.0",
|
||||
"subject": [
|
||||
{
|
||||
"name": "ghcr.io/reachbench/curl-CVE-2023-38545-socks5-heap:reachable",
|
||||
"digest": {
|
||||
"sha256": "STUB_DIGEST"
|
||||
}
|
||||
}
|
||||
],
|
||||
"statement": {
|
||||
"type": "reachbench.attestation",
|
||||
"materials": [
|
||||
"sbom.cdx.json",
|
||||
"sbom.spdx.json",
|
||||
"symbols.json",
|
||||
"callgraph.static.json",
|
||||
"callgraph.framework.json",
|
||||
"reachgraph.truth.json",
|
||||
"vex.openvex.json"
|
||||
]
|
||||
},
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "STUB",
|
||||
"sig": "STUB_SIGNATURE",
|
||||
"alg": "dilithium2"
|
||||
}
|
||||
]
|
||||
}
|
||||
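Review bot: `statement.materials` lists bare file names with no digests, so even once `sig` is real the signature would not bind the contents of the SBOM, symbols, call graphs or VEX it claims to attest — a harness could be handed swapped material files that still verify. Each material should carry a digest alongside the name, e.g. `{"name": "sbom.cdx.json", "digest": {"sha256": "<digest>"}}`, mirroring `subject`. If this is meant to be a DSSE envelope, note that DSSE has no `dsse_version`, `subject` or `statement` members: the statement travels base64-encoded in `payload` with a `payloadType`, and `alg` is not a member of a DSSE signature (the key, and thus the algorithm, is resolved via `keyid`), so an in-toto/DSSE verifier will reject this shape. The same applies to the other five attestation hunks in this commit (the `@@ -0,0 +1,30 @@` hunks for the unreachable curl image and both dotnet cases).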
@@ -0,0 +1,4 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"edges": []
|
||||
}
|
||||
@@ -0,0 +1,18 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"nodes": [
|
||||
{
|
||||
"sid": "sym://curl:curl.c#entry"
|
||||
},
|
||||
{
|
||||
"sid": "sym://curl:curl.c#sink"
|
||||
}
|
||||
],
|
||||
"edges": [
|
||||
{
|
||||
"from": "sym://curl:curl.c#entry",
|
||||
"to": "sym://curl:curl.c#sink",
|
||||
"kind": "direct"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,8 @@
|
||||
{
|
||||
"image": "ghcr.io/reachbench/curl-CVE-2023-38545-socks5-heap:reachable",
|
||||
"config_flags": {
|
||||
"FEATURE_FLAG": true,
|
||||
"POLICY_MODE": "permissive"
|
||||
},
|
||||
"sha256": "STUB_DIGEST"
|
||||
}
|
||||
@@ -0,0 +1,16 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"sinks": [
|
||||
{
|
||||
"sid": "sym://curl:curl.c#sink",
|
||||
"kind": "generic"
|
||||
}
|
||||
],
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://curl:curl.c#entry",
|
||||
"sym://curl:curl.c#sink"
|
||||
]
|
||||
]
|
||||
}
|
||||
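Review bot: The ground-truth path starts at `sym://net:handler#read`, but that sid is declared neither in `callgraph.static.json` (its `nodes` has only `#entry` and `#sink`) nor in `symbols.json`, so a harness that validates paths against the graph or resolves sids to source ranges will fail on the first element. Either add the handler as a node with an edge to `sym://curl:curl.c#entry`, or drop it from the path and record the entry point in the manifest's `threat_model.entry_points` instead. The same undeclared head node appears in every other `reachgraph.truth.json` in this commit, including the dotnet cases.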
@@ -0,0 +1,5 @@
|
||||
{
|
||||
"bomFormat": "CycloneDX",
|
||||
"specVersion": "1.6",
|
||||
"components": []
|
||||
}
|
||||
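Review bot: With `"components": []` and no `metadata.component`, this SBOM names neither the image it describes nor the `pkg:generic/curl@0.0.1` that `symbols.json` refers to, so there is nothing for a scanner or VEX consumer to correlate against. The purl used in `symbols.json` should appear here as a component, and `metadata.component` should identify the image so the attestation subject, SBOM and VEX `products` all resolve to the same thing; a `serialNumber` would additionally give the attestation a stable document reference. All six `sbom.cdx.json` hunks in this commit are the same empty skeleton.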
@@ -0,0 +1,6 @@
|
||||
{
|
||||
"spdxVersion": "SPDX-3.0",
|
||||
"creationInfo": {
|
||||
"created": "2025-11-07T22:40:04Z"
|
||||
}
|
||||
}
|
||||
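Review bot: `"spdxVersion": "SPDX-3.0"` with only a `creationInfo` block is not a loadable SPDX document in either serialization: `spdxVersion` belongs to the SPDX 2.x JSON format (values like `SPDX-2.3`, alongside the required `SPDXID`, `name`, `dataLicense`, `documentNamespace` and `creationInfo.creators`), while SPDX 3.0 is serialized as JSON-LD with `@context` and a `@graph` of elements and carries the version as `specVersion` on the CreationInfo element. Pick one and emit its minimum required fields, or omit the file until the generator produces a real document — a scanner given this skeleton will error rather than ignore it. All six `sbom.spdx.json` hunks in the commit share this shape.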
@@ -0,0 +1,31 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"components": [
|
||||
{
|
||||
"purl": "pkg:generic/curl@0.0.1",
|
||||
"files": [
|
||||
{
|
||||
"path": "/src/curl.c",
|
||||
"funcs": [
|
||||
{
|
||||
"sid": "sym://curl:curl.c#entry",
|
||||
"name": "entry",
|
||||
"range": {
|
||||
"start": 10,
|
||||
"end": 20
|
||||
}
|
||||
},
|
||||
{
|
||||
"sid": "sym://curl:curl.c#sink",
|
||||
"name": "sink",
|
||||
"range": {
|
||||
"start": 30,
|
||||
"end": 60
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,2 @@
|
||||
{"ts": 1.001, "event": "call", "sid": "sym://curl:curl.c#entry", "pid": 100}
|
||||
{"ts": 1.005, "event": "call", "sid": "sym://curl:curl.c#sink", "pid": 100}
|
||||
@@ -0,0 +1,12 @@
|
||||
{
|
||||
"author": "reachbench-2025",
|
||||
"timestamp": "2025-11-07T22:40:04Z",
|
||||
"statements": [
|
||||
{
|
||||
"vulnerability": "CVE-2023-38545",
|
||||
"status": "affected",
|
||||
"justification": "reasoning_provided",
|
||||
"impact_statement": "Function-level path is reachable."
|
||||
}
|
||||
]
|
||||
}
|
||||
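Review bot: No statement here carries a `products` entry, so the `affected` status is not scoped to any image or package and an OpenVEX consumer cannot attach it to anything in the SBOM; each statement needs `"products": [{"@id": "<image or package purl>"}]`. The document also lacks the OpenVEX envelope fields `@context`, `@id` and `version`, and in the current spec `vulnerability` is an object (`{"name": "CVE-2023-38545"}`) rather than a string, so this will not validate as OpenVEX. `"justification": "reasoning_provided"` is not one of the OpenVEX justification values and the field is only meaningful for `not_affected`; for an `affected` statement the spec calls for an `action_statement`, with the reasoning kept in `impact_statement`. The same shape is used by all six `vex.openvex.json` hunks, and the newtonsoft one additionally uses `"vulnerability": "TBD"`, which no consumer will match to a record.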
@@ -0,0 +1,30 @@
|
||||
{
|
||||
"dsse_version": "1.0",
|
||||
"subject": [
|
||||
{
|
||||
"name": "ghcr.io/reachbench/curl-CVE-2023-38545-socks5-heap:unreachable",
|
||||
"digest": {
|
||||
"sha256": "STUB_DIGEST"
|
||||
}
|
||||
}
|
||||
],
|
||||
"statement": {
|
||||
"type": "reachbench.attestation",
|
||||
"materials": [
|
||||
"sbom.cdx.json",
|
||||
"sbom.spdx.json",
|
||||
"symbols.json",
|
||||
"callgraph.static.json",
|
||||
"callgraph.framework.json",
|
||||
"reachgraph.truth.json",
|
||||
"vex.openvex.json"
|
||||
]
|
||||
},
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "STUB",
|
||||
"sig": "STUB_SIGNATURE",
|
||||
"alg": "dilithium2"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,4 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"edges": []
|
||||
}
|
||||
@@ -0,0 +1,18 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"nodes": [
|
||||
{
|
||||
"sid": "sym://curl:curl.c#entry"
|
||||
},
|
||||
{
|
||||
"sid": "sym://curl:curl.c#sink"
|
||||
}
|
||||
],
|
||||
"edges": [
|
||||
{
|
||||
"from": "sym://curl:curl.c#entry",
|
||||
"to": "sym://curl:curl.c#sink",
|
||||
"kind": "direct"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,8 @@
|
||||
{
|
||||
"image": "ghcr.io/reachbench/curl-CVE-2023-38545-socks5-heap:unreachable",
|
||||
"config_flags": {
|
||||
"FEATURE_FLAG": false,
|
||||
"POLICY_MODE": "enforcing"
|
||||
},
|
||||
"sha256": "STUB_DIGEST"
|
||||
}
|
||||
@@ -0,0 +1,16 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"sinks": [
|
||||
{
|
||||
"sid": "sym://curl:curl.c#sink",
|
||||
"kind": "generic"
|
||||
}
|
||||
],
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://curl:curl.c#entry",
|
||||
"sym://curl:curl.c#sink"
|
||||
]
|
||||
]
|
||||
}
|
||||
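Review bot: This is the unreachable variant, yet `paths` lists the same `entry -> sink` route as the reachable image, while the case manifest records exactly that edge under `blocked_edges` with `"status": "not_affected"`. A harness scoring against this file would expect a scanner to report the path reachable and then contradict the VEX for the same image; the unreachable truth graph should have `"paths": []` (or carry the `blocked_edges` list with its pruning reason) so the two files agree. The dotnet-kestrel and dotnet-newtonsoft unreachable truth graphs are the same copy.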
@@ -0,0 +1,5 @@
|
||||
{
|
||||
"bomFormat": "CycloneDX",
|
||||
"specVersion": "1.6",
|
||||
"components": []
|
||||
}
|
||||
@@ -0,0 +1,6 @@
|
||||
{
|
||||
"spdxVersion": "SPDX-3.0",
|
||||
"creationInfo": {
|
||||
"created": "2025-11-07T22:40:04Z"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,31 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"components": [
|
||||
{
|
||||
"purl": "pkg:generic/curl@0.0.1",
|
||||
"files": [
|
||||
{
|
||||
"path": "/src/curl.c",
|
||||
"funcs": [
|
||||
{
|
||||
"sid": "sym://curl:curl.c#entry",
|
||||
"name": "entry",
|
||||
"range": {
|
||||
"start": 10,
|
||||
"end": 20
|
||||
}
|
||||
},
|
||||
{
|
||||
"sid": "sym://curl:curl.c#sink",
|
||||
"name": "sink",
|
||||
"range": {
|
||||
"start": 30,
|
||||
"end": 60
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
{"ts": 1.001, "event": "call", "sid": "sym://curl:curl.c#entry", "pid": 100}
|
||||
@@ -0,0 +1,12 @@
|
||||
{
|
||||
"author": "reachbench-2025",
|
||||
"timestamp": "2025-11-07T22:40:04Z",
|
||||
"statements": [
|
||||
{
|
||||
"vulnerability": "CVE-2023-38545",
|
||||
"status": "not_affected",
|
||||
"justification": "vulnerable_code_not_in_execute_path",
|
||||
"impact_statement": "Pruned by configuration; path unreachable."
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,46 @@
|
||||
{
|
||||
"id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
|
||||
"cve": "CVE-2023-44487",
|
||||
"description": "STUB: Replace with accurate description and threat model for the specific CVE/case.",
|
||||
"threat_model": {
|
||||
"entry_points": [
|
||||
"STUB: define concrete inputs"
|
||||
],
|
||||
"preconditions": [
|
||||
"STUB: feature flags / modules / protocols enabled"
|
||||
],
|
||||
"privilege_boundary": [
|
||||
"STUB: describe boundary (if any)"
|
||||
]
|
||||
},
|
||||
"ground_truth": {
|
||||
"reachable_variant": {
|
||||
"status": "affected",
|
||||
"evidence": {
|
||||
"symbols": [
|
||||
"sym://dotnet:dotnet.c#sink"
|
||||
],
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://dotnet:dotnet.c#entry",
|
||||
"sym://dotnet:dotnet.c#sink"
|
||||
]
|
||||
],
|
||||
"runtime_proof": "traces.runtime.jsonl: lines 1-5"
|
||||
}
|
||||
},
|
||||
"unreachable_variant": {
|
||||
"status": "not_affected",
|
||||
"justification": "vulnerable_code_not_in_execute_path",
|
||||
"evidence": {
|
||||
"pruning_reason": [
|
||||
"STUB: feature disabled, module absent, or policy denies"
|
||||
],
|
||||
"blocked_edges": [
|
||||
"sym://dotnet:dotnet.c#entry -> sym://dotnet:dotnet.c#sink"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
# dotnet-kestrel-CVE-2023-44487-http2-rapid-reset
|
||||
Primary axis: lang-dotnet
|
||||
Tags: protocol, http2, dos
|
||||
Languages: dotnet
|
||||
|
||||
## Variants
|
||||
- reachable: vulnerable function/path is on an executable route.
|
||||
- unreachable: same base image/config with control toggles that prune the path.
|
||||
|
||||
## Entrypoint & Controls (fill in)
|
||||
- entrypoints: e.g., http:/route, grpc method, tcp port, OCI hook
|
||||
- flags: e.g., feature_on=true, middleware_order=bad|good, module_loaded=true|false, LSM=enforcing|permissive
|
||||
|
||||
## Expected ground-truth path(s)
|
||||
See `images/*/reachgraph.truth.json`.
|
||||
@@ -0,0 +1,30 @@
|
||||
{
|
||||
"dsse_version": "1.0",
|
||||
"subject": [
|
||||
{
|
||||
"name": "ghcr.io/reachbench/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset:reachable",
|
||||
"digest": {
|
||||
"sha256": "STUB_DIGEST"
|
||||
}
|
||||
}
|
||||
],
|
||||
"statement": {
|
||||
"type": "reachbench.attestation",
|
||||
"materials": [
|
||||
"sbom.cdx.json",
|
||||
"sbom.spdx.json",
|
||||
"symbols.json",
|
||||
"callgraph.static.json",
|
||||
"callgraph.framework.json",
|
||||
"reachgraph.truth.json",
|
||||
"vex.openvex.json"
|
||||
]
|
||||
},
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "STUB",
|
||||
"sig": "STUB_SIGNATURE",
|
||||
"alg": "dilithium2"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"edges": [
|
||||
{
|
||||
"from": "sym://dotnet:Startup#Configure",
|
||||
"to": "sym://aspnet:UseEndpoints",
|
||||
"kind": "pipeline"
|
||||
}
|
||||
]
|
||||
}
|
||||
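Review bot: The framework edge `sym://dotnet:Startup#Configure -> sym://aspnet:UseEndpoints` references two sids declared nowhere else in the case — `symbols.json` only knows `sym://dotnet:dotnet.c#entry` and `#sink`, and `callgraph.static.json` has no edge from `UseEndpoints` into `entry` — so the framework graph is disconnected from the path the truth file claims. Either add those nodes to `symbols.json` and an edge `sym://aspnet:UseEndpoints -> sym://dotnet:dotnet.c#entry`, or leave `edges` empty as the curl case does until the real graph exists. Relatedly, `symbols.json` for this Kestrel case points at `/src/dotnet.c` under `pkg:generic/dotnet@0.0.1`, which looks like the C template copied through rather than a .NET assembly/method map; worth confirming before a harness treats it as ground truth. The same applies to the three other dotnet framework-graph hunks and their matching `symbols.json` files.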
@@ -0,0 +1,18 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"nodes": [
|
||||
{
|
||||
"sid": "sym://dotnet:dotnet.c#entry"
|
||||
},
|
||||
{
|
||||
"sid": "sym://dotnet:dotnet.c#sink"
|
||||
}
|
||||
],
|
||||
"edges": [
|
||||
{
|
||||
"from": "sym://dotnet:dotnet.c#entry",
|
||||
"to": "sym://dotnet:dotnet.c#sink",
|
||||
"kind": "direct"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,8 @@
|
||||
{
|
||||
"image": "ghcr.io/reachbench/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset:reachable",
|
||||
"config_flags": {
|
||||
"FEATURE_FLAG": true,
|
||||
"POLICY_MODE": "permissive"
|
||||
},
|
||||
"sha256": "STUB_DIGEST"
|
||||
}
|
||||
@@ -0,0 +1,16 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"sinks": [
|
||||
{
|
||||
"sid": "sym://dotnet:dotnet.c#sink",
|
||||
"kind": "generic"
|
||||
}
|
||||
],
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://dotnet:dotnet.c#entry",
|
||||
"sym://dotnet:dotnet.c#sink"
|
||||
]
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,5 @@
|
||||
{
|
||||
"bomFormat": "CycloneDX",
|
||||
"specVersion": "1.6",
|
||||
"components": []
|
||||
}
|
||||
@@ -0,0 +1,6 @@
|
||||
{
|
||||
"spdxVersion": "SPDX-3.0",
|
||||
"creationInfo": {
|
||||
"created": "2025-11-07T22:40:04Z"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,31 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"components": [
|
||||
{
|
||||
"purl": "pkg:generic/dotnet@0.0.1",
|
||||
"files": [
|
||||
{
|
||||
"path": "/src/dotnet.c",
|
||||
"funcs": [
|
||||
{
|
||||
"sid": "sym://dotnet:dotnet.c#entry",
|
||||
"name": "entry",
|
||||
"range": {
|
||||
"start": 10,
|
||||
"end": 20
|
||||
}
|
||||
},
|
||||
{
|
||||
"sid": "sym://dotnet:dotnet.c#sink",
|
||||
"name": "sink",
|
||||
"range": {
|
||||
"start": 30,
|
||||
"end": 60
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,2 @@
|
||||
{"ts": 1.001, "event": "call", "sid": "sym://dotnet:dotnet.c#entry", "pid": 100}
|
||||
{"ts": 1.005, "event": "call", "sid": "sym://dotnet:dotnet.c#sink", "pid": 100}
|
||||
@@ -0,0 +1,12 @@
|
||||
{
|
||||
"author": "reachbench-2025",
|
||||
"timestamp": "2025-11-07T22:40:04Z",
|
||||
"statements": [
|
||||
{
|
||||
"vulnerability": "CVE-2023-44487",
|
||||
"status": "affected",
|
||||
"justification": "reasoning_provided",
|
||||
"impact_statement": "Function-level path is reachable."
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,30 @@
|
||||
{
|
||||
"dsse_version": "1.0",
|
||||
"subject": [
|
||||
{
|
||||
"name": "ghcr.io/reachbench/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset:unreachable",
|
||||
"digest": {
|
||||
"sha256": "STUB_DIGEST"
|
||||
}
|
||||
}
|
||||
],
|
||||
"statement": {
|
||||
"type": "reachbench.attestation",
|
||||
"materials": [
|
||||
"sbom.cdx.json",
|
||||
"sbom.spdx.json",
|
||||
"symbols.json",
|
||||
"callgraph.static.json",
|
||||
"callgraph.framework.json",
|
||||
"reachgraph.truth.json",
|
||||
"vex.openvex.json"
|
||||
]
|
||||
},
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "STUB",
|
||||
"sig": "STUB_SIGNATURE",
|
||||
"alg": "dilithium2"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"edges": [
|
||||
{
|
||||
"from": "sym://dotnet:Startup#Configure",
|
||||
"to": "sym://aspnet:UseEndpoints",
|
||||
"kind": "pipeline"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,18 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"nodes": [
|
||||
{
|
||||
"sid": "sym://dotnet:dotnet.c#entry"
|
||||
},
|
||||
{
|
||||
"sid": "sym://dotnet:dotnet.c#sink"
|
||||
}
|
||||
],
|
||||
"edges": [
|
||||
{
|
||||
"from": "sym://dotnet:dotnet.c#entry",
|
||||
"to": "sym://dotnet:dotnet.c#sink",
|
||||
"kind": "direct"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,8 @@
|
||||
{
|
||||
"image": "ghcr.io/reachbench/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset:unreachable",
|
||||
"config_flags": {
|
||||
"FEATURE_FLAG": false,
|
||||
"POLICY_MODE": "enforcing"
|
||||
},
|
||||
"sha256": "STUB_DIGEST"
|
||||
}
|
||||
@@ -0,0 +1,16 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"sinks": [
|
||||
{
|
||||
"sid": "sym://dotnet:dotnet.c#sink",
|
||||
"kind": "generic"
|
||||
}
|
||||
],
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://dotnet:dotnet.c#entry",
|
||||
"sym://dotnet:dotnet.c#sink"
|
||||
]
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,5 @@
|
||||
{
|
||||
"bomFormat": "CycloneDX",
|
||||
"specVersion": "1.6",
|
||||
"components": []
|
||||
}
|
||||
@@ -0,0 +1,6 @@
|
||||
{
|
||||
"spdxVersion": "SPDX-3.0",
|
||||
"creationInfo": {
|
||||
"created": "2025-11-07T22:40:04Z"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,31 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"components": [
|
||||
{
|
||||
"purl": "pkg:generic/dotnet@0.0.1",
|
||||
"files": [
|
||||
{
|
||||
"path": "/src/dotnet.c",
|
||||
"funcs": [
|
||||
{
|
||||
"sid": "sym://dotnet:dotnet.c#entry",
|
||||
"name": "entry",
|
||||
"range": {
|
||||
"start": 10,
|
||||
"end": 20
|
||||
}
|
||||
},
|
||||
{
|
||||
"sid": "sym://dotnet:dotnet.c#sink",
|
||||
"name": "sink",
|
||||
"range": {
|
||||
"start": 30,
|
||||
"end": 60
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
{"ts": 1.001, "event": "call", "sid": "sym://dotnet:dotnet.c#entry", "pid": 100}
|
||||
@@ -0,0 +1,12 @@
|
||||
{
|
||||
"author": "reachbench-2025",
|
||||
"timestamp": "2025-11-07T22:40:04Z",
|
||||
"statements": [
|
||||
{
|
||||
"vulnerability": "CVE-2023-44487",
|
||||
"status": "not_affected",
|
||||
"justification": "vulnerable_code_not_in_execute_path",
|
||||
"impact_statement": "Pruned by configuration; path unreachable."
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,46 @@
|
||||
{
|
||||
"id": "dotnet-newtonsoft-deser-TBD",
|
||||
"cve": "N/A",
|
||||
"description": "STUB: Replace with accurate description and threat model for the specific CVE/case.",
|
||||
"threat_model": {
|
||||
"entry_points": [
|
||||
"STUB: define concrete inputs"
|
||||
],
|
||||
"preconditions": [
|
||||
"STUB: feature flags / modules / protocols enabled"
|
||||
],
|
||||
"privilege_boundary": [
|
||||
"STUB: describe boundary (if any)"
|
||||
]
|
||||
},
|
||||
"ground_truth": {
|
||||
"reachable_variant": {
|
||||
"status": "affected",
|
||||
"evidence": {
|
||||
"symbols": [
|
||||
"sym://dotnet:dotnet.c#sink"
|
||||
],
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://dotnet:dotnet.c#entry",
|
||||
"sym://dotnet:dotnet.c#sink"
|
||||
]
|
||||
],
|
||||
"runtime_proof": "traces.runtime.jsonl: lines 1-5"
|
||||
}
|
||||
},
|
||||
"unreachable_variant": {
|
||||
"status": "not_affected",
|
||||
"justification": "vulnerable_code_not_in_execute_path",
|
||||
"evidence": {
|
||||
"pruning_reason": [
|
||||
"STUB: feature disabled, module absent, or policy denies"
|
||||
],
|
||||
"blocked_edges": [
|
||||
"sym://dotnet:dotnet.c#entry -> sym://dotnet:dotnet.c#sink"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
# dotnet-newtonsoft-deser-TBD
|
||||
Primary axis: lang-dotnet
|
||||
Tags: deserialization, json, polymorphic
|
||||
Languages: dotnet
|
||||
|
||||
## Variants
|
||||
- reachable: vulnerable function/path is on an executable route.
|
||||
- unreachable: same base image/config with control toggles that prune the path.
|
||||
|
||||
## Entrypoint & Controls (fill in)
|
||||
- entrypoints: e.g., http:/route, grpc method, tcp port, OCI hook
|
||||
- flags: e.g., feature_on=true, middleware_order=bad|good, module_loaded=true|false, LSM=enforcing|permissive
|
||||
|
||||
## Expected ground-truth path(s)
|
||||
See `images/*/reachgraph.truth.json`.
|
||||
@@ -0,0 +1,30 @@
|
||||
{
|
||||
"dsse_version": "1.0",
|
||||
"subject": [
|
||||
{
|
||||
"name": "ghcr.io/reachbench/dotnet-newtonsoft-deser-TBD:reachable",
|
||||
"digest": {
|
||||
"sha256": "STUB_DIGEST"
|
||||
}
|
||||
}
|
||||
],
|
||||
"statement": {
|
||||
"type": "reachbench.attestation",
|
||||
"materials": [
|
||||
"sbom.cdx.json",
|
||||
"sbom.spdx.json",
|
||||
"symbols.json",
|
||||
"callgraph.static.json",
|
||||
"callgraph.framework.json",
|
||||
"reachgraph.truth.json",
|
||||
"vex.openvex.json"
|
||||
]
|
||||
},
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "STUB",
|
||||
"sig": "STUB_SIGNATURE",
|
||||
"alg": "dilithium2"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"edges": [
|
||||
{
|
||||
"from": "sym://dotnet:Startup#Configure",
|
||||
"to": "sym://aspnet:UseEndpoints",
|
||||
"kind": "pipeline"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,18 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"nodes": [
|
||||
{
|
||||
"sid": "sym://dotnet:dotnet.c#entry"
|
||||
},
|
||||
{
|
||||
"sid": "sym://dotnet:dotnet.c#sink"
|
||||
}
|
||||
],
|
||||
"edges": [
|
||||
{
|
||||
"from": "sym://dotnet:dotnet.c#entry",
|
||||
"to": "sym://dotnet:dotnet.c#sink",
|
||||
"kind": "direct"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,8 @@
|
||||
{
|
||||
"image": "ghcr.io/reachbench/dotnet-newtonsoft-deser-TBD:reachable",
|
||||
"config_flags": {
|
||||
"FEATURE_FLAG": true,
|
||||
"POLICY_MODE": "permissive"
|
||||
},
|
||||
"sha256": "STUB_DIGEST"
|
||||
}
|
||||
@@ -0,0 +1,16 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"sinks": [
|
||||
{
|
||||
"sid": "sym://dotnet:dotnet.c#sink",
|
||||
"kind": "generic"
|
||||
}
|
||||
],
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://dotnet:dotnet.c#entry",
|
||||
"sym://dotnet:dotnet.c#sink"
|
||||
]
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,5 @@
|
||||
{
|
||||
"bomFormat": "CycloneDX",
|
||||
"specVersion": "1.6",
|
||||
"components": []
|
||||
}
|
||||
@@ -0,0 +1,6 @@
|
||||
{
|
||||
"spdxVersion": "SPDX-3.0",
|
||||
"creationInfo": {
|
||||
"created": "2025-11-07T22:40:04Z"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,31 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"components": [
|
||||
{
|
||||
"purl": "pkg:generic/dotnet@0.0.1",
|
||||
"files": [
|
||||
{
|
||||
"path": "/src/dotnet.c",
|
||||
"funcs": [
|
||||
{
|
||||
"sid": "sym://dotnet:dotnet.c#entry",
|
||||
"name": "entry",
|
||||
"range": {
|
||||
"start": 10,
|
||||
"end": 20
|
||||
}
|
||||
},
|
||||
{
|
||||
"sid": "sym://dotnet:dotnet.c#sink",
|
||||
"name": "sink",
|
||||
"range": {
|
||||
"start": 30,
|
||||
"end": 60
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,2 @@
|
||||
{"ts": 1.001, "event": "call", "sid": "sym://dotnet:dotnet.c#entry", "pid": 100}
|
||||
{"ts": 1.005, "event": "call", "sid": "sym://dotnet:dotnet.c#sink", "pid": 100}
|
||||
@@ -0,0 +1,12 @@
|
||||
{
|
||||
"author": "reachbench-2025",
|
||||
"timestamp": "2025-11-07T22:40:04Z",
|
||||
"statements": [
|
||||
{
|
||||
"vulnerability": "TBD",
|
||||
"status": "affected",
|
||||
"justification": "reasoning_provided",
|
||||
"impact_statement": "Function-level path is reachable."
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,30 @@
|
||||
{
|
||||
"dsse_version": "1.0",
|
||||
"subject": [
|
||||
{
|
||||
"name": "ghcr.io/reachbench/dotnet-newtonsoft-deser-TBD:unreachable",
|
||||
"digest": {
|
||||
"sha256": "STUB_DIGEST"
|
||||
}
|
||||
}
|
||||
],
|
||||
"statement": {
|
||||
"type": "reachbench.attestation",
|
||||
"materials": [
|
||||
"sbom.cdx.json",
|
||||
"sbom.spdx.json",
|
||||
"symbols.json",
|
||||
"callgraph.static.json",
|
||||
"callgraph.framework.json",
|
||||
"reachgraph.truth.json",
|
||||
"vex.openvex.json"
|
||||
]
|
||||
},
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "STUB",
|
||||
"sig": "STUB_SIGNATURE",
|
||||
"alg": "dilithium2"
|
||||
}
|
||||
]
|
||||
}
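Review bot: `materials` names the SBOM, symbol, call-graph and VEX files but carries no digest for any of them, so even once `sig` is real the attestation binds only the image digest and a list of filenames, not the contents the evaluator consumes; any listed file could be edited without invalidating the signature. Record each material as `{"name": "sbom.cdx.json", "digest": {"sha256": "<SHA256-PLACEHOLDER>"}}` (the in-toto materials shape) and sign the serialized statement bytes. Separately, this is not a DSSE envelope: DSSE carries `payloadType` and a base64 `payload` with `signatures[].{keyid,sig}` and no `alg` field, so a stock DSSE verifier will not parse it; if `dsse_version` and `alg: dilithium2` are a project convention, document that in the evaluator README, otherwise use the standard envelope. The same stub appears in the three other attestation files in this hunk set.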
|
||||
@@ -0,0 +1,10 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"edges": [
|
||||
{
|
||||
"from": "sym://dotnet:Startup#Configure",
|
||||
"to": "sym://aspnet:UseEndpoints",
|
||||
"kind": "pipeline"
|
||||
}
|
||||
]
|
||||
}
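Review bot: the edge `sym://dotnet:Startup#Configure → sym://aspnet:UseEndpoints` references two sids that appear in neither `symbols.json` in this directory (which declares only `dotnet.c#entry` and `dotnet.c#sink`) nor the static call graph, and nothing connects it to the `entry → sink` path, so a scanner cannot attach this framework edge to the truth path. Either declare both symbols in `symbols.json` or add an edge from `sym://aspnet:UseEndpoints` to `sym://dotnet:dotnet.c#entry` so the framework graph actually contributes to reachability; as it stands the framework file is dead data for the evaluator.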
|
||||
@@ -0,0 +1,18 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"nodes": [
|
||||
{
|
||||
"sid": "sym://dotnet:dotnet.c#entry"
|
||||
},
|
||||
{
|
||||
"sid": "sym://dotnet:dotnet.c#sink"
|
||||
}
|
||||
],
|
||||
"edges": [
|
||||
{
|
||||
"from": "sym://dotnet:dotnet.c#entry",
|
||||
"to": "sym://dotnet:dotnet.c#sink",
|
||||
"kind": "direct"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,8 @@
|
||||
{
|
||||
"image": "ghcr.io/reachbench/dotnet-newtonsoft-deser-TBD:unreachable",
|
||||
"config_flags": {
|
||||
"FEATURE_FLAG": false,
|
||||
"POLICY_MODE": "enforcing"
|
||||
},
|
||||
"sha256": "STUB_DIGEST"
|
||||
}
|
||||
@@ -0,0 +1,16 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"sinks": [
|
||||
{
|
||||
"sid": "sym://dotnet:dotnet.c#sink",
|
||||
"kind": "generic"
|
||||
}
|
||||
],
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://dotnet:dotnet.c#entry",
|
||||
"sym://dotnet:dotnet.c#sink"
|
||||
]
|
||||
]
|
||||
}
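Review bot: this truth-path file for the unreachable variant (presumably `reachgraph.truth.json`, going by the materials list and file order) lists the full `net:handler#read → dotnet.c#entry → dotnet.c#sink` path in `paths`, byte-identical to the reachable variant, while the VEX file in the same directory says `not_affected` / `vulnerable_code_not_in_execute_path` and the image descriptor sets `FEATURE_FLAG: false`. If the evaluator scores against this file (the README points to `images/*/reachgraph.truth.json` as ground truth), the unreachable variant is labelled reachable and the benchmark cannot distinguish a scanner that ignores configuration pruning from one that honours it. The `paths` array here should be `[]`, with the sink left in `sinks` so a scanner can still name it and the pruned edge recorded where case.json's `blocked_edges` already expects it. The static call graph in this directory legitimately keeps the `entry → sink` edge, since that is what static analysis sees; only the truth file should drop the path. The glibc unreachable truth file has the same content and the same problem.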
|
||||
@@ -0,0 +1,5 @@
|
||||
{
|
||||
"bomFormat": "CycloneDX",
|
||||
"specVersion": "1.6",
|
||||
"components": []
|
||||
}
|
||||
@@ -0,0 +1,6 @@
|
||||
{
|
||||
"spdxVersion": "SPDX-3.0",
|
||||
"creationInfo": {
|
||||
"created": "2025-11-07T22:40:04Z"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,31 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"components": [
|
||||
{
|
||||
"purl": "pkg:generic/dotnet@0.0.1",
|
||||
"files": [
|
||||
{
|
||||
"path": "/src/dotnet.c",
|
||||
"funcs": [
|
||||
{
|
||||
"sid": "sym://dotnet:dotnet.c#entry",
|
||||
"name": "entry",
|
||||
"range": {
|
||||
"start": 10,
|
||||
"end": 20
|
||||
}
|
||||
},
|
||||
{
|
||||
"sid": "sym://dotnet:dotnet.c#sink",
|
||||
"name": "sink",
|
||||
"range": {
|
||||
"start": 30,
|
||||
"end": 60
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
{"ts": 1.001, "event": "call", "sid": "sym://dotnet:dotnet.c#entry", "pid": 100}
|
||||
@@ -0,0 +1,12 @@
|
||||
{
|
||||
"author": "reachbench-2025",
|
||||
"timestamp": "2025-11-07T22:40:04Z",
|
||||
"statements": [
|
||||
{
|
||||
"vulnerability": "TBD",
|
||||
"status": "not_affected",
|
||||
"justification": "vulnerable_code_not_in_execute_path",
|
||||
"impact_statement": "Pruned by configuration; path unreachable."
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,46 @@
|
||||
{
|
||||
"id": "glibc-CVE-2023-4911-looney-tunables",
|
||||
"cve": "CVE-2023-4911",
|
||||
"description": "STUB: Replace with accurate description and threat model for the specific CVE/case.",
|
||||
"threat_model": {
|
||||
"entry_points": [
|
||||
"STUB: define concrete inputs"
|
||||
],
|
||||
"preconditions": [
|
||||
"STUB: feature flags / modules / protocols enabled"
|
||||
],
|
||||
"privilege_boundary": [
|
||||
"STUB: describe boundary (if any)"
|
||||
]
|
||||
},
|
||||
"ground_truth": {
|
||||
"reachable_variant": {
|
||||
"status": "affected",
|
||||
"evidence": {
|
||||
"symbols": [
|
||||
"sym://glibc:glibc.c#sink"
|
||||
],
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://glibc:glibc.c#entry",
|
||||
"sym://glibc:glibc.c#sink"
|
||||
]
|
||||
],
|
||||
"runtime_proof": "traces.runtime.jsonl: lines 1-5"
|
||||
}
|
||||
},
|
||||
"unreachable_variant": {
|
||||
"status": "not_affected",
|
||||
"justification": "vulnerable_code_not_in_execute_path",
|
||||
"evidence": {
|
||||
"pruning_reason": [
|
||||
"STUB: feature disabled, module absent, or policy denies"
|
||||
],
|
||||
"blocked_edges": [
|
||||
"sym://glibc:glibc.c#entry -> sym://glibc:glibc.c#sink"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
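Review bot: `"runtime_proof": "traces.runtime.jsonl: lines 1-5"` cites five trace records, but the reachable trace file added for this case holds two (`entry` then `sink`) and the unreachable one holds one, so an evaluator that checks the cited lines will fail or index past the end. Change it to `"traces.runtime.jsonl: lines 1-2"` or, better, reference the records by `sid` so the proof survives trace regeneration. The `threat_model` strings carry explicit `STUB:` markers, which is fine, but `ground_truth` is not marked as stub and will be read as authoritative. The go case.json carries the same `lines 1-5` reference; its trace files are not shown in this view.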
|
||||
@@ -0,0 +1,15 @@
|
||||
# glibc-CVE-2023-4911-looney-tunables
|
||||
Primary axis: binary-hybrid
|
||||
Tags: env-vars, libc, ldso
|
||||
Languages: c
|
||||
|
||||
## Variants
|
||||
- reachable: vulnerable function/path is on an executable route.
|
||||
- unreachable: same base image/config with control toggles that prune the path.
|
||||
|
||||
## Entrypoint & Controls (fill in)
|
||||
- entrypoints: e.g., http:/route, grpc method, tcp port, OCI hook
|
||||
- flags: e.g., feature_on=true, middleware_order=bad|good, module_loaded=true|false, LSM=enforcing|permissive
|
||||
|
||||
## Expected ground-truth path(s)
|
||||
See `images/*/reachgraph.truth.json`.
|
||||
@@ -0,0 +1,30 @@
|
||||
{
|
||||
"dsse_version": "1.0",
|
||||
"subject": [
|
||||
{
|
||||
"name": "ghcr.io/reachbench/glibc-CVE-2023-4911-looney-tunables:reachable",
|
||||
"digest": {
|
||||
"sha256": "STUB_DIGEST"
|
||||
}
|
||||
}
|
||||
],
|
||||
"statement": {
|
||||
"type": "reachbench.attestation",
|
||||
"materials": [
|
||||
"sbom.cdx.json",
|
||||
"sbom.spdx.json",
|
||||
"symbols.json",
|
||||
"callgraph.static.json",
|
||||
"callgraph.framework.json",
|
||||
"reachgraph.truth.json",
|
||||
"vex.openvex.json"
|
||||
]
|
||||
},
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "STUB",
|
||||
"sig": "STUB_SIGNATURE",
|
||||
"alg": "dilithium2"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,4 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"edges": []
|
||||
}
|
||||
@@ -0,0 +1,18 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"nodes": [
|
||||
{
|
||||
"sid": "sym://glibc:glibc.c#entry"
|
||||
},
|
||||
{
|
||||
"sid": "sym://glibc:glibc.c#sink"
|
||||
}
|
||||
],
|
||||
"edges": [
|
||||
{
|
||||
"from": "sym://glibc:glibc.c#entry",
|
||||
"to": "sym://glibc:glibc.c#sink",
|
||||
"kind": "direct"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,8 @@
|
||||
{
|
||||
"image": "ghcr.io/reachbench/glibc-CVE-2023-4911-looney-tunables:reachable",
|
||||
"config_flags": {
|
||||
"FEATURE_FLAG": true,
|
||||
"POLICY_MODE": "permissive"
|
||||
},
|
||||
"sha256": "STUB_DIGEST"
|
||||
}
|
||||
@@ -0,0 +1,16 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"sinks": [
|
||||
{
|
||||
"sid": "sym://glibc:glibc.c#sink",
|
||||
"kind": "generic"
|
||||
}
|
||||
],
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://glibc:glibc.c#entry",
|
||||
"sym://glibc:glibc.c#sink"
|
||||
]
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,5 @@
|
||||
{
|
||||
"bomFormat": "CycloneDX",
|
||||
"specVersion": "1.6",
|
||||
"components": []
|
||||
}
|
||||
@@ -0,0 +1,6 @@
|
||||
{
|
||||
"spdxVersion": "SPDX-3.0",
|
||||
"creationInfo": {
|
||||
"created": "2025-11-07T22:40:04Z"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,31 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"components": [
|
||||
{
|
||||
"purl": "pkg:generic/glibc@0.0.1",
|
||||
"files": [
|
||||
{
|
||||
"path": "/src/glibc.c",
|
||||
"funcs": [
|
||||
{
|
||||
"sid": "sym://glibc:glibc.c#entry",
|
||||
"name": "entry",
|
||||
"range": {
|
||||
"start": 10,
|
||||
"end": 20
|
||||
}
|
||||
},
|
||||
{
|
||||
"sid": "sym://glibc:glibc.c#sink",
|
||||
"name": "sink",
|
||||
"range": {
|
||||
"start": 30,
|
||||
"end": 60
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,2 @@
|
||||
{"ts": 1.001, "event": "call", "sid": "sym://glibc:glibc.c#entry", "pid": 100}
|
||||
{"ts": 1.005, "event": "call", "sid": "sym://glibc:glibc.c#sink", "pid": 100}
|
||||
@@ -0,0 +1,12 @@
|
||||
{
|
||||
"author": "reachbench-2025",
|
||||
"timestamp": "2025-11-07T22:40:04Z",
|
||||
"statements": [
|
||||
{
|
||||
"vulnerability": "CVE-2023-4911",
|
||||
"status": "affected",
|
||||
"justification": "reasoning_provided",
|
||||
"impact_statement": "Function-level path is reachable."
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,30 @@
|
||||
{
|
||||
"dsse_version": "1.0",
|
||||
"subject": [
|
||||
{
|
||||
"name": "ghcr.io/reachbench/glibc-CVE-2023-4911-looney-tunables:unreachable",
|
||||
"digest": {
|
||||
"sha256": "STUB_DIGEST"
|
||||
}
|
||||
}
|
||||
],
|
||||
"statement": {
|
||||
"type": "reachbench.attestation",
|
||||
"materials": [
|
||||
"sbom.cdx.json",
|
||||
"sbom.spdx.json",
|
||||
"symbols.json",
|
||||
"callgraph.static.json",
|
||||
"callgraph.framework.json",
|
||||
"reachgraph.truth.json",
|
||||
"vex.openvex.json"
|
||||
]
|
||||
},
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "STUB",
|
||||
"sig": "STUB_SIGNATURE",
|
||||
"alg": "dilithium2"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,4 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"edges": []
|
||||
}
|
||||
@@ -0,0 +1,18 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"nodes": [
|
||||
{
|
||||
"sid": "sym://glibc:glibc.c#entry"
|
||||
},
|
||||
{
|
||||
"sid": "sym://glibc:glibc.c#sink"
|
||||
}
|
||||
],
|
||||
"edges": [
|
||||
{
|
||||
"from": "sym://glibc:glibc.c#entry",
|
||||
"to": "sym://glibc:glibc.c#sink",
|
||||
"kind": "direct"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,8 @@
|
||||
{
|
||||
"image": "ghcr.io/reachbench/glibc-CVE-2023-4911-looney-tunables:unreachable",
|
||||
"config_flags": {
|
||||
"FEATURE_FLAG": false,
|
||||
"POLICY_MODE": "enforcing"
|
||||
},
|
||||
"sha256": "STUB_DIGEST"
|
||||
}
|
||||
@@ -0,0 +1,16 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"sinks": [
|
||||
{
|
||||
"sid": "sym://glibc:glibc.c#sink",
|
||||
"kind": "generic"
|
||||
}
|
||||
],
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://glibc:glibc.c#entry",
|
||||
"sym://glibc:glibc.c#sink"
|
||||
]
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,5 @@
|
||||
{
|
||||
"bomFormat": "CycloneDX",
|
||||
"specVersion": "1.6",
|
||||
"components": []
|
||||
}
|
||||
@@ -0,0 +1,6 @@
|
||||
{
|
||||
"spdxVersion": "SPDX-3.0",
|
||||
"creationInfo": {
|
||||
"created": "2025-11-07T22:40:04Z"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,31 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"components": [
|
||||
{
|
||||
"purl": "pkg:generic/glibc@0.0.1",
|
||||
"files": [
|
||||
{
|
||||
"path": "/src/glibc.c",
|
||||
"funcs": [
|
||||
{
|
||||
"sid": "sym://glibc:glibc.c#entry",
|
||||
"name": "entry",
|
||||
"range": {
|
||||
"start": 10,
|
||||
"end": 20
|
||||
}
|
||||
},
|
||||
{
|
||||
"sid": "sym://glibc:glibc.c#sink",
|
||||
"name": "sink",
|
||||
"range": {
|
||||
"start": 30,
|
||||
"end": 60
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
{"ts": 1.001, "event": "call", "sid": "sym://glibc:glibc.c#entry", "pid": 100}
|
||||
@@ -0,0 +1,12 @@
|
||||
{
|
||||
"author": "reachbench-2025",
|
||||
"timestamp": "2025-11-07T22:40:04Z",
|
||||
"statements": [
|
||||
{
|
||||
"vulnerability": "CVE-2023-4911",
|
||||
"status": "not_affected",
|
||||
"justification": "vulnerable_code_not_in_execute_path",
|
||||
"impact_statement": "Pruned by configuration; path unreachable."
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,46 @@
|
||||
{
|
||||
"id": "go-gateway-reflection-auth-bypass",
|
||||
"cve": "N/A",
|
||||
"description": "STUB: Replace with accurate description and threat model for the specific CVE/case.",
|
||||
"threat_model": {
|
||||
"entry_points": [
|
||||
"STUB: define concrete inputs"
|
||||
],
|
||||
"preconditions": [
|
||||
"STUB: feature flags / modules / protocols enabled"
|
||||
],
|
||||
"privilege_boundary": [
|
||||
"STUB: describe boundary (if any)"
|
||||
]
|
||||
},
|
||||
"ground_truth": {
|
||||
"reachable_variant": {
|
||||
"status": "affected",
|
||||
"evidence": {
|
||||
"symbols": [
|
||||
"sym://go:go.c#sink"
|
||||
],
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://go:go.c#entry",
|
||||
"sym://go:go.c#sink"
|
||||
]
|
||||
],
|
||||
"runtime_proof": "traces.runtime.jsonl: lines 1-5"
|
||||
}
|
||||
},
|
||||
"unreachable_variant": {
|
||||
"status": "not_affected",
|
||||
"justification": "vulnerable_code_not_in_execute_path",
|
||||
"evidence": {
|
||||
"pruning_reason": [
|
||||
"STUB: feature disabled, module absent, or policy denies"
|
||||
],
|
||||
"blocked_edges": [
|
||||
"sym://go:go.c#entry -> sym://go:go.c#sink"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
# go-gateway-reflection-auth-bypass
|
||||
Primary axis: lang-go
|
||||
Tags: grpc, reflection, authz-gap
|
||||
Languages: go
|
||||
|
||||
## Variants
|
||||
- reachable: vulnerable function/path is on an executable route.
|
||||
- unreachable: same base image/config with control toggles that prune the path.
|
||||
|
||||
## Entrypoint & Controls (fill in)
|
||||
- entrypoints: e.g., http:/route, grpc method, tcp port, OCI hook
|
||||
- flags: e.g., feature_on=true, middleware_order=bad|good, module_loaded=true|false, LSM=enforcing|permissive
|
||||
|
||||
## Expected ground-truth path(s)
|
||||
See `images/*/reachgraph.truth.json`.
|
||||
@@ -0,0 +1,30 @@
|
||||
{
|
||||
"dsse_version": "1.0",
|
||||
"subject": [
|
||||
{
|
||||
"name": "ghcr.io/reachbench/go-gateway-reflection-auth-bypass:reachable",
|
||||
"digest": {
|
||||
"sha256": "STUB_DIGEST"
|
||||
}
|
||||
}
|
||||
],
|
||||
"statement": {
|
||||
"type": "reachbench.attestation",
|
||||
"materials": [
|
||||
"sbom.cdx.json",
|
||||
"sbom.spdx.json",
|
||||
"symbols.json",
|
||||
"callgraph.static.json",
|
||||
"callgraph.framework.json",
|
||||
"reachgraph.truth.json",
|
||||
"vex.openvex.json"
|
||||
]
|
||||
},
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "STUB",
|
||||
"sig": "STUB_SIGNATURE",
|
||||
"alg": "dilithium2"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,4 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"edges": []
|
||||
}
|
||||
@@ -0,0 +1,18 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"nodes": [
|
||||
{
|
||||
"sid": "sym://go:go.c#entry"
|
||||
},
|
||||
{
|
||||
"sid": "sym://go:go.c#sink"
|
||||
}
|
||||
],
|
||||
"edges": [
|
||||
{
|
||||
"from": "sym://go:go.c#entry",
|
||||
"to": "sym://go:go.c#sink",
|
||||
"kind": "direct"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,8 @@
|
||||
{
|
||||
"image": "ghcr.io/reachbench/go-gateway-reflection-auth-bypass:reachable",
|
||||
"config_flags": {
|
||||
"FEATURE_FLAG": true,
|
||||
"POLICY_MODE": "permissive"
|
||||
},
|
||||
"sha256": "STUB_DIGEST"
|
||||
}
|
||||
@@ -0,0 +1,16 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"sinks": [
|
||||
{
|
||||
"sid": "sym://go:go.c#sink",
|
||||
"kind": "generic"
|
||||
}
|
||||
],
|
||||
"paths": [
|
||||
[
|
||||
"sym://net:handler#read",
|
||||
"sym://go:go.c#entry",
|
||||
"sym://go:go.c#sink"
|
||||
]
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,5 @@
|
||||
{
|
||||
"bomFormat": "CycloneDX",
|
||||
"specVersion": "1.6",
|
||||
"components": []
|
||||
}
|
||||
@@ -0,0 +1,6 @@
|
||||
{
|
||||
"spdxVersion": "SPDX-3.0",
|
||||
"creationInfo": {
|
||||
"created": "2025-11-07T22:40:04Z"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,31 @@
|
||||
{
|
||||
"schema_version": "1.0",
|
||||
"components": [
|
||||
{
|
||||
"purl": "pkg:generic/go@0.0.1",
|
||||
"files": [
|
||||
{
|
||||
"path": "/src/go.c",
|
||||
"funcs": [
|
||||
{
|
||||
"sid": "sym://go:go.c#entry",
|
||||
"name": "entry",
|
||||
"range": {
|
||||
"start": 10,
|
||||
"end": 20
|
||||
}
|
||||
},
|
||||
{
|
||||
"sid": "sym://go:go.c#sink",
|
||||
"name": "sink",
|
||||
"range": {
|
||||
"start": 30,
|
||||
"end": 60
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||