stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details

Browse Source 
- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.
This commit is contained in:
master
2025-11-08 20:53:45 +02:00
parent 515975edc5
commit 536f6249a6
837 changed files with 37279 additions and 14675 deletions
Download Patch File Download Diff File Expand all files Collapse all files

444
tests/reachability/fixtures/reachbench-2025-expanded/INDEX.json Normal file
View File

@@ -0,0 +1,444 @@
{
"version": "0.1",
"generated_at": "2025-11-07T22:40:04Z",
"cases": [
{
"id": "runc-CVE-2024-21626-symlink-breakout",
"primary_axis": "container-escape",
"tags": [
"symlink",
"filesystem",
"userns"
],
"languages": [
"binary"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 9.0,
"references": [
"cve:CVE-2024-21626"
]
},
{
"id": "linux-cgroups-CVE-2022-0492-release_agent",
"primary_axis": "container-escape",
"tags": [
"cgroups",
"kernel",
"priv-esc"
],
"languages": [
"binary"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 9.0,
"references": [
"cve:CVE-2022-0492"
]
},
{
"id": "glibc-CVE-2023-4911-looney-tunables",
"primary_axis": "binary-hybrid",
"tags": [
"env-vars",
"libc",
"ldso"
],
"languages": [
"c"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2023-4911"
]
},
{
"id": "curl-CVE-2023-38545-socks5-heap",
"primary_axis": "binary-hybrid",
"tags": [
"networking",
"proxy",
"heap"
],
"languages": [
"c"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2023-38545"
]
},
{
"id": "openssl-CVE-2022-3602-x509-name-constraints",
"primary_axis": "binary-hybrid",
"tags": [
"x509",
"parser",
"stack-overflow"
],
"languages": [
"c"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2022-3602"
]
},
{
"id": "openssh-CVE-2024-6387-regreSSHion",
"primary_axis": "binary-hybrid",
"tags": [
"signal-handler",
"daemon"
],
"languages": [
"c"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2024-6387"
]
},
{
"id": "redis-CVE-2022-0543-lua-sandbox-escape",
"primary_axis": "binary-hybrid",
"tags": [
"lua",
"sandbox",
"rce"
],
"languages": [
"c",
"lua"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2022-0543"
]
},
{
"id": "java-log4j-CVE-2021-44228-log4shell",
"primary_axis": "lang-jvm",
"tags": [
"jndi",
"deserialization",
"rce"
],
"languages": [
"java"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 9.8,
"references": [
"cve:CVE-2021-44228"
]
},
{
"id": "java-spring-CVE-2022-22965-spring4shell",
"primary_axis": "lang-jvm",
"tags": [
"binding",
"reflection",
"rce"
],
"languages": [
"java"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 9.8,
"references": [
"cve:CVE-2022-22965"
]
},
{
"id": "java-jackson-CVE-2019-12384-polymorphic-deser",
"primary_axis": "lang-jvm",
"tags": [
"deserialization",
"polymorphism"
],
"languages": [
"java"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2019-12384"
]
},
{
"id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"primary_axis": "lang-dotnet",
"tags": [
"protocol",
"http2",
"dos"
],
"languages": [
"dotnet"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2023-44487"
]
},
{
"id": "dotnet-newtonsoft-deser-TBD",
"primary_axis": "lang-dotnet",
"tags": [
"deserialization",
"json",
"polymorphic"
],
"languages": [
"dotnet"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": []
},
{
"id": "go-ssh-CVE-2020-9283-keyexchange",
"primary_axis": "lang-go",
"tags": [
"crypto",
"handshake"
],
"languages": [
"go"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2020-9283"
]
},
{
"id": "go-gateway-reflection-auth-bypass",
"primary_axis": "lang-go",
"tags": [
"grpc",
"reflection",
"authz-gap"
],
"languages": [
"go"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": []
},
{
"id": "node-tar-CVE-2021-37713-path-traversal",
"primary_axis": "lang-node",
"tags": [
"path-traversal",
"archive-extract"
],
"languages": [
"node"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2021-37713"
]
},
{
"id": "node-express-middleware-order-auth-bypass",
"primary_axis": "lang-node",
"tags": [
"middleware-order",
"authz"
],
"languages": [
"node"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": []
},
{
"id": "python-jinja2-CVE-2019-10906-template-injection",
"primary_axis": "lang-python",
"tags": [
"template-injection"
],
"languages": [
"python"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2019-10906"
]
},
{
"id": "python-django-CVE-2019-19844-sqli-like",
"primary_axis": "lang-python",
"tags": [
"sqli",
"orm"
],
"languages": [
"python"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2019-19844"
]
},
{
"id": "python-urllib3-dos-regex-TBD",
"primary_axis": "lang-python",
"tags": [
"regex-dos",
"parser"
],
"languages": [
"python"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": []
},
{
"id": "php-phpmailer-CVE-2016-10033-rce",
"primary_axis": "lang-php",
"tags": [
"rce",
"email"
],
"languages": [
"php"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2016-10033"
]
},
{
"id": "wordpress-core-CVE-2022-21661-sqli",
"primary_axis": "lang-php",
"tags": [
"sqli",
"core"
],
"languages": [
"php"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2022-21661"
]
},
{
"id": "rails-CVE-2019-5418-file-content-disclosure",
"primary_axis": "lang-ruby",
"tags": [
"path-traversal",
"mime"
],
"languages": [
"ruby"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": [
"cve:CVE-2019-5418"
]
},
{
"id": "rust-axum-header-parsing-TBD",
"primary_axis": "lang-rust",
"tags": [
"parser",
"config-sensitive"
],
"languages": [
"rust"
],
"variants": [
"reachable",
"unreachable"
],
"severity_cvss": 7.5,
"references": []
}
]
}