stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

reachability test material

Browse Source
This commit is contained in:
StellaOps Bot
2025-11-25 23:26:46 +02:00
parent 9f6e6f7fb3
commit 56e2f64d07
48 changed files with 434 additions and 428 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
tests/reachability/README.md
View File

@@ -9,7 +9,13 @@ This directory carries the reachbench fixture packs used by Sprint 201 to valida
```bash
# From the repo root
DOTNET_CLI_UI_LANGUAGE=en dotnet test tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj
DOTNET_CLI_UI_LANGUAGE=en DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1 \
dotnet test tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj
# Focus only the evaluation harness checks
DOTNET_CLI_UI_LANGUAGE=en DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1 \
dotnet test tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj \
--filter ReachbenchEvaluationHarnessTests
```
The tests simply validate the fixtures today; once the reachability engine lands they become the seed harness to replay reachable vs. unreachable scans deterministically.
The tests validate fixture integrity (hashes, schema versions) and now enforce the evaluation harness contract: reachable variants must surface execution paths while unreachable variants must not. Keep the environment overrides above in CI to avoid localization drift during hash comparisons.

24
tests/reachability/corpus/manifest.json
View File

@@ -1,36 +1,36 @@
[
{
"files": {
"callgraph.static.json": "7359d8c26f16151a4b05cf0e6675e5c66b5ffb6396b906e74c0d5bb2f290e972",
"expect.yaml": "08859e027299b83fbe0a2754797df09736c08c1dd050da830d4e55ed416e77d0",
"vex.openvex.json": "c3593790f769974b1b66aa5331f1d3ad4d699f77f198b2e77e78659ee79d3c15"
"callgraph.static.json": "b2f32c667c8ec76d50d2b106dc055777f0135e2cf6938540fd1840eda82b4fe7",
"expect.yaml": "ffbbd4d12e2ee1898db9c34556754df8b7e1b21208298831714ee5e18ff4637d",
"vex.openvex.json": "e8cb5215049b9b1fe76354da6f67e8a5ef336a49780a0881e50b85d3ac526e63"
},
"id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"language": "dotnet"
},
{
"files": {
"callgraph.static.json": "7359d8c26f16151a4b05cf0e6675e5c66b5ffb6396b906e74c0d5bb2f290e972",
"expect.yaml": "ad5375a8f2ad10378a48ca031afe726ac8ce94e8faea8e7fba907ca571ab5811",
"vex.openvex.json": "c3593790f769974b1b66aa5331f1d3ad4d699f77f198b2e77e78659ee79d3c15"
"callgraph.static.json": "b2f32c667c8ec76d50d2b106dc055777f0135e2cf6938540fd1840eda82b4fe7",
"expect.yaml": "e9b38f76f0814b90c401368335cc953afc511d2256f3bfa76a84928175b506ac",
"vex.openvex.json": "e8cb5215049b9b1fe76354da6f67e8a5ef336a49780a0881e50b85d3ac526e63"
},
"id": "go-ssh-CVE-2020-9283-keyexchange",
"language": "go"
},
{
"files": {
"callgraph.static.json": "7359d8c26f16151a4b05cf0e6675e5c66b5ffb6396b906e74c0d5bb2f290e972",
"expect.yaml": "c2516433b685aa955342a3a1a70485c3742eca654aa6245866084da6d7574815",
"vex.openvex.json": "c3593790f769974b1b66aa5331f1d3ad4d699f77f198b2e77e78659ee79d3c15"
"callgraph.static.json": "b2f32c667c8ec76d50d2b106dc055777f0135e2cf6938540fd1840eda82b4fe7",
"expect.yaml": "381e9379618014f346e11462ffe79b22785113f05def078bf85c26fe7a696830",
"vex.openvex.json": "e8cb5215049b9b1fe76354da6f67e8a5ef336a49780a0881e50b85d3ac526e63"
},
"id": "python-django-CVE-2019-19844-sqli-like",
"language": "python"
},
{
"files": {
"callgraph.static.json": "7359d8c26f16151a4b05cf0e6675e5c66b5ffb6396b906e74c0d5bb2f290e972",
"expect.yaml": "01fd3ce042e65f4d17ca8a6144fefcbb32b945ae720d136d0d9207e17974ee0a",
"vex.openvex.json": "c3593790f769974b1b66aa5331f1d3ad4d699f77f198b2e77e78659ee79d3c15"
"callgraph.static.json": "b2f32c667c8ec76d50d2b106dc055777f0135e2cf6938540fd1840eda82b4fe7",
"expect.yaml": "6c3bd42fd80277b874021b2f1a43133a9365ad298428b202d75970037de5d95f",
"vex.openvex.json": "e8cb5215049b9b1fe76354da6f67e8a5ef336a49780a0881e50b85d3ac526e63"
},
"id": "rust-axum-header-parsing-TBD",
"language": "rust"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "curl-CVE-2023-38545-socks5-heap",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "9545261d413f4f85d120ebe8432c32ba97ba3feb2d34075fd689fcb5794f3ab0",
"sbom.cdx.json": "ce41fd9b9edadf94a8cc84a3cce4e175b0602fd2e0d8dcb067273b9584479980",
"sbom.spdx.json": "10d7417961d3cac0f3a5c4b083917fba3dc4f9bd9140d80aad0a873435158482",
"symbols.json": "c5f473aff5b428df5a3f9c3393b7fbceb94214e3c2fd4f547d4f258ca25a3080",
"vex.openvex.json": "0518d09c2ae692b96553feb821ff8138fc0ea6c840d75c1f80149add21127ddd"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "73617ac40fc52b1f17fb157cc9b3b3112af81efc299a551fab811dae272ff905",
"sbom.cdx.json": "c89dcfe1faad15e6cd441bc5d4a0269b9586238750c5b93350660cd0603e3318",
"sbom.spdx.json": "abc7d79dd5ef2df5b2a3287fa761912cf04e7f5107b268fc96dfff157b92fdca",
"symbols.json": "a701cf77e8bf77b8b46618bb9ed16938aa7c5fdefdcd56a4a21722622a711470",
"vex.openvex.json": "e697ff8a01a9217f97736306fdfe11a323d1fda3c79e41e10fd7c18cbc4ba601"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "curl-CVE-2023-38545-socks5-heap",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "490c4175eb06e0c623e60263d2ce029ffa8b236aea5780c448b8180f38a1bf6f",
"sbom.cdx.json": "ce41fd9b9edadf94a8cc84a3cce4e175b0602fd2e0d8dcb067273b9584479980",
"sbom.spdx.json": "10d7417961d3cac0f3a5c4b083917fba3dc4f9bd9140d80aad0a873435158482",
"symbols.json": "1b6a9e5598d2521e0ca55ed0f3f287ef19dc11cb1fb24fe961370c2fa7036214",
"vex.openvex.json": "a9fa7e917601538e17750fb1c25b24e18333c779ec0d5d98d4fbccf84e2f544e"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "835f69f6cec3472d786be6cd1b66062dfef84dea87e1885023a10f77a9cf5c85",
"sbom.cdx.json": "c89dcfe1faad15e6cd441bc5d4a0269b9586238750c5b93350660cd0603e3318",
"sbom.spdx.json": "abc7d79dd5ef2df5b2a3287fa761912cf04e7f5107b268fc96dfff157b92fdca",
"symbols.json": "a9c96e72421bfc775df8cc7cf7203eda01e7ce9101ec6eff03decc5960fe3c1a",
"vex.openvex.json": "6ce74c0c7b7b9502a189334aea3e0c4b03c7d396bff553697dc41ae3d8eb21de"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "5396e1c97612e0963bdaf9d5d3f570f095feaccfd46ed6e96af52a6dc4608608",
"sbom.cdx.json": "8747790b2c9638b08aedca818367852889ee9bb50f1be1212b9c46b27296b8b9",
"sbom.spdx.json": "fd5b8befa1a59f06c315406213426ee516276ad806f4acb1f53472149d97c402",
"symbols.json": "c2bc2c131db1565b272900b2d86733086d601fc05a9072a43b9cd8b89a2e6f95",
"vex.openvex.json": "2bc0466a7b733a0915b6a799e91ec731c0700d5bea8645c0bf983b6da180bc48"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "ea22d69670f767c677395af15b2b6098764b9ae3f5dd94c229886c22011a8a98",
"sbom.cdx.json": "4728c4bbdafe8f157820bb8559c13105aba373526699695b5ee53283ef761582",
"sbom.spdx.json": "84d8e2bd7b0fcc802cc91f21999908f1ae55659492969d48944a9652cbad0e7c",
"symbols.json": "77c5d912fd82799e53f3082fd3cb21074ef9962e1809ef6f045da84dadc9516d",
"vex.openvex.json": "d5c30749ed5dad4f2337f482d591e9755eb95efec99fdc9727fc8b7af1d13337"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "86a0dad5b06b69018a35931b1ef8fb700abe6511f75aa81dcffc23f0411cc086",
"sbom.cdx.json": "8747790b2c9638b08aedca818367852889ee9bb50f1be1212b9c46b27296b8b9",
"sbom.spdx.json": "fd5b8befa1a59f06c315406213426ee516276ad806f4acb1f53472149d97c402",
"symbols.json": "0793a11190a789d63cac1d15ae259dcbe48764dd0f75000176e3abf8f3a3beb6",
"vex.openvex.json": "cd54fe28bf7f171a2a47e6118b05ad26013a32d97e2b9eef143eab75208d9fa4"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "049dbb44a4e56e34d28fedaf09e41a025a0427935ee3b60017c23183ee58cb29",
"sbom.cdx.json": "4728c4bbdafe8f157820bb8559c13105aba373526699695b5ee53283ef761582",
"sbom.spdx.json": "84d8e2bd7b0fcc802cc91f21999908f1ae55659492969d48944a9652cbad0e7c",
"symbols.json": "c983b416c449d0ff5735bb5cc7f1792e113ae465d2f76aa3512a58d0d44b6962",
"vex.openvex.json": "5168a01bbbfe00f76ab536d818b9e2f156d37ffc01ffd278a52bebacbd6ee295"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "dotnet-newtonsoft-deser-TBD",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "7c1b7d56df4efc97360ba7754feb1051644e624afa2589971fab09507827e677",
"sbom.cdx.json": "c7283a731ca81300f6cda9e944451062a92c7eb0559ebdc6b96f6afeea637187",
"sbom.spdx.json": "da4978369cae300336e4abd570edb8c8de27bcb5ff2c5131975cae7d8ee01f8e",
"symbols.json": "d03361b683ae570864824a8e57c91ca875590373d949d2f706af488c4ccbcc01",
"vex.openvex.json": "41e52bf3c0b40ca614d32f5c9b719b68c53e2a0f08f483d6c429120060c9d930"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "0cb6f48faa72b41620612610e5e2e4f2ec03ec1a4e843a2e50437e9a95d5d261",
"sbom.cdx.json": "f7a517a7608f0216f1596811a0184c6df1ccf6e71f88aff26e4ddf0e0ca1d9ff",
"sbom.spdx.json": "c24a0ec0df18f1dea45f0afcb87fac8b17d1d0d87d711c9e9610244dc2ac9747",
"symbols.json": "bcbace5bc3c071f4a751844420a948b3932657dc287191957ea5247349e68e32",
"vex.openvex.json": "dafc01265689557670f9dc30874186942a018e9c095f64a03bb4b8d53e1e08d3"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "dotnet-newtonsoft-deser-TBD",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "aa1c4c8133ae26349e1a740293e875d91f3a5ba1b241eb39617a09ea1b6ced8e",
"sbom.cdx.json": "c7283a731ca81300f6cda9e944451062a92c7eb0559ebdc6b96f6afeea637187",
"sbom.spdx.json": "da4978369cae300336e4abd570edb8c8de27bcb5ff2c5131975cae7d8ee01f8e",
"symbols.json": "a804343735751e99bda81ce614d890fe19cb510bcb3d3b17dff05ab01decf2e1",
"vex.openvex.json": "65cdb8a5d02277eacf194c23cdb7a8adada7318f45f5ce4eb0e09fbcd9d8b615"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "1cdc387fc4487201eddb3d00e8d75deb053f87dff23a61cfe232d168e60ff91d",
"sbom.cdx.json": "f7a517a7608f0216f1596811a0184c6df1ccf6e71f88aff26e4ddf0e0ca1d9ff",
"sbom.spdx.json": "c24a0ec0df18f1dea45f0afcb87fac8b17d1d0d87d711c9e9610244dc2ac9747",
"symbols.json": "521cc59d537c4008afa37a1b8b379ede655f6619ee143bbae3123869fe12c653",
"vex.openvex.json": "a75b2a1ed3086773162b80e9fa307c2ab3dec809643c9bbd614432891b2bf5c2"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "glibc-CVE-2023-4911-looney-tunables",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "f7200c066db6fefd2ed3168497ae7d8cb585f1d12479086217007df1bb2c1460",
"sbom.cdx.json": "e3bbce1051a27f877fdd76634902c835ac21a7f53241308878a404dbced491fc",
"sbom.spdx.json": "2b30ff6eabf0b4c5e76f2e5de6af21a6b48a746c51298a708a3674976ef5b8f8",
"symbols.json": "27dd785d49ef6b4229a0e5a25107346eea5cc8b7dd01c2fb9ba73b53456bcaee",
"vex.openvex.json": "bd6f67166fb31fa2a5e7211b71e083c8611f9c2b7d7e0607c31ce6df777a1f69"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "d5dea5b832043e3268aecda2a423c959718e645589535c04f71652dfa06f54d1",
"sbom.cdx.json": "e969033f28fe3debd8c93226cb7212ac2b0b54c8fc3e8a4d126d5dfb7bd8da1d",
"sbom.spdx.json": "08a961ada88b9d5706f5baba763ccfddf2a474b9faf0981f0a87a2933f7031df",
"symbols.json": "f9103b6f3df6caed469a68ec9677a34573e662de4ae61b7b1df630cbd2aab769",
"vex.openvex.json": "207691b26721a773abe2b9242afe5e7f68ace37c307262d09adc188df9c20dbd"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "glibc-CVE-2023-4911-looney-tunables",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "836f543e3e7b593582e2ffb529456ffc4309ec79d41e5f8b9eb5696f54d17883",
"sbom.cdx.json": "e3bbce1051a27f877fdd76634902c835ac21a7f53241308878a404dbced491fc",
"sbom.spdx.json": "2b30ff6eabf0b4c5e76f2e5de6af21a6b48a746c51298a708a3674976ef5b8f8",
"symbols.json": "fe742caccb2134c46594f3816b58b06f1cad6f2d62ea8dd55ad31ce4ce672906",
"vex.openvex.json": "3ebcafe7d9e0f211f80783568cd9bc4a92ddaa3609b2b0ef11471031246cadde"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "04554e2014584d380d3d113ab6a81de20ba9a2097e6b828849e4f8d748664b30",
"sbom.cdx.json": "e969033f28fe3debd8c93226cb7212ac2b0b54c8fc3e8a4d126d5dfb7bd8da1d",
"sbom.spdx.json": "08a961ada88b9d5706f5baba763ccfddf2a474b9faf0981f0a87a2933f7031df",
"symbols.json": "c328ec1c9620d072176a4409b740a6cf9dcba732e88cfa8427e40c17a76a498d",
"vex.openvex.json": "3131068dec558feffad9cd829c02dab9dcf8dd9ea19505ef1f2ee104ce89f13a"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "go-gateway-reflection-auth-bypass",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "f7c362965a307a6cf40f7921d2ad508cd503fa924ed3a391dba3afe54ab0dcdd",
"sbom.cdx.json": "16a041571c0641abe57929624e49f07353edb8980ecdd16340ef83f24f127cba",
"sbom.spdx.json": "8abd620f40a28d379b861d6ef640017ea119a8870890009dbd8126ed621a5c73",
"symbols.json": "dbf69a19ce1676cc809597ed9fce78c9fe8ebcf25186949a107971116a79a39b",
"vex.openvex.json": "b550e30451d7ef7ff612606711ecede1089d914bd8a26f5fbcf01ff1d4e36149"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "4af3b748615b65895a3137f5781e8b8043afd2d28746b93ee5e4ab752efc4dd7",
"sbom.cdx.json": "033d6f89201c248b7d696af04d2dcf78434dd9f6ad8b64d5834d2fabe7ad5147",
"sbom.spdx.json": "3adb2a7c66b8135e3e96c113ee670a6932d24ec4737f52fd6156d3293de4f391",
"symbols.json": "55ce7298e1db590f299e9229b514a57b3ac6f461a876b07b1d80760c1df9cd5f",
"vex.openvex.json": "8252cba56e4b2a7785f0d62c6d3a2752f6ef27611fcfbb5808a3caac94c75097"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "go-gateway-reflection-auth-bypass",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "df9749530b5dc16127ab6782877e19e2bde09a40f7cd44edc8af327619498d32",
"sbom.cdx.json": "16a041571c0641abe57929624e49f07353edb8980ecdd16340ef83f24f127cba",
"sbom.spdx.json": "8abd620f40a28d379b861d6ef640017ea119a8870890009dbd8126ed621a5c73",
"symbols.json": "6571c9c658f4b0a967542a02cd5e5f4b82dd1ffaf7758c51d3ac9c2a83c6c86e",
"vex.openvex.json": "69ffc3f74db3d723a0354c0aa05f4e5920fdb02fc8ac72e9d82392b5997f074d"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "b384a5d1977eab4f390c7112cc8006940d42701f7bfa71635c3e2edabc5929fa",
"sbom.cdx.json": "033d6f89201c248b7d696af04d2dcf78434dd9f6ad8b64d5834d2fabe7ad5147",
"sbom.spdx.json": "3adb2a7c66b8135e3e96c113ee670a6932d24ec4737f52fd6156d3293de4f391",
"symbols.json": "6ef5a5a9514afba7c768af1e27f9963b066aa7c4dc0295a436d8716e089a86dd",
"vex.openvex.json": "1a44ff9f0fa8098c5d74c12836d90efbe39dbf15a0360cf654b69e14fbf59cee"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "go-ssh-CVE-2020-9283-keyexchange",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "43fee4eeb52cec12879355873638959460eb91c463e2b2d3a67ef033f906469f",
"sbom.cdx.json": "a975829c9537c16db4d19306ba6bc809930b6ad9f96495a8202d59d3f174cf2c",
"sbom.spdx.json": "399d1f0946dfbe0fb66749f2b08df539f93285affbd059e0b66df55f485ed39a",
"symbols.json": "189002d4626708cdad2ff1bda786c47dd90002915f411324ad5dccbce65ba26d",
"vex.openvex.json": "1fdce721814a1a0c502882ab514ac7a361fdd3ea866869f4cf2c07578feb23d7"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "d5e2ec246dbd03eb9af759e416bba5a00eb18a3dc344590b31e87bf69098d877",
"sbom.cdx.json": "1f685f8db5be777fe56e0d2f13769e2b7667bf7837b745e5c461175c1e3e6e1a",
"sbom.spdx.json": "ea729e7e6842f10375261f5f2fe949521a513adee0eb72a6f38ca5d2e93798a7",
"symbols.json": "4284612efe2a3770f720ffa490c5304a469baa36b5b7533f7ec9be24cf88be16",
"vex.openvex.json": "9a62366bb238e0ad0e025fdd675226e3959ffc1307f890d009a69212897d4b04"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "go-ssh-CVE-2020-9283-keyexchange",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "ee1409484f2314be8471ebb0b1d3ab62d5bacbfd18dfc7380d9f94e2f214a6d4",
"sbom.cdx.json": "a975829c9537c16db4d19306ba6bc809930b6ad9f96495a8202d59d3f174cf2c",
"sbom.spdx.json": "399d1f0946dfbe0fb66749f2b08df539f93285affbd059e0b66df55f485ed39a",
"symbols.json": "b40d34be3d26d3293e9f06c21c58d1f89ef75897697207f71aa6e461cf9f72bf",
"vex.openvex.json": "537af070b5eb69fa842511fa63018ed6b8745631a156dcfc7abd1f60cc13e972"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "0fc5055224899bfc0fe645929dfc519e36fbdb2c939498fd22efc951f0b9f55c",
"sbom.cdx.json": "1f685f8db5be777fe56e0d2f13769e2b7667bf7837b745e5c461175c1e3e6e1a",
"sbom.spdx.json": "ea729e7e6842f10375261f5f2fe949521a513adee0eb72a6f38ca5d2e93798a7",
"symbols.json": "2f50e84f8b75e56d77574781a392743a564a6602d50b19ceb551f99051a42a4b",
"vex.openvex.json": "96f4f675a58cdf81002166b3d74b4a1481d9039593ed40b75e47e2c8ac262b5f"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "java-jackson-CVE-2019-12384-polymorphic-deser",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "8030095b4fc7157d09af6fd16fd3fccfb013f5a744c7e13e1bba1fb01201b2e6",
"sbom.cdx.json": "109a4ef5481c4597a26f3172e5f5fd1ead491b55f19c84bb93a46bd6e5c47b28",
"sbom.spdx.json": "619548fa26467f19ddef9a2b1adae3c0fec5b166a3a4f494901ae23ddac0156d",
"symbols.json": "4c4a40db721f39e3bd06a5dd63c408ebf6f8bd9dd3faf1892b2f0a712b81ad8c",
"vex.openvex.json": "13e69a076e5d4c622d82b042ce26129e0fcdf62eb8a800303a23ab9915938c2e"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "1a8a4447a07938fb604399b29f52c52fe8abcb5777fa94c32697be3b4936deb5",
"sbom.cdx.json": "bc802fbfc6cd9cbe431416484872cbbaafe2e1e4bb8d00d1437a8d48bfc2d2cc",
"sbom.spdx.json": "ffb869fd2e4d6d8bbad352d91a431f1038359995701dda2c44d15b32fbf6bb0c",
"symbols.json": "d39267f0d6c8e267b8d4ec04f600012f08e9a9b3344ea4cbe5ebe8303e5fdd30",
"vex.openvex.json": "28a1e5373cd7d22a0078e4655ca51ac127a81a056cb1bc751add88cbba886b78"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "java-jackson-CVE-2019-12384-polymorphic-deser",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "0d7634e488cab16bd206235b80fb635187fe5c648f8ae97f7203d48490209c89",
"sbom.cdx.json": "109a4ef5481c4597a26f3172e5f5fd1ead491b55f19c84bb93a46bd6e5c47b28",
"sbom.spdx.json": "619548fa26467f19ddef9a2b1adae3c0fec5b166a3a4f494901ae23ddac0156d",
"symbols.json": "dc67782d6a011629563b6274b2980b80e60cee3dcb55cab4e4ea9d80dd41046e",
"vex.openvex.json": "c74db782f4df6c74b1a8ec386d2c698bd8ab2f26d7e11f2c4d0d80a5905e35c2"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "fab11e90f6e9fab6af782059b6ca8363d39dc57fe11c475566d60aabbdcf5579",
"sbom.cdx.json": "bc802fbfc6cd9cbe431416484872cbbaafe2e1e4bb8d00d1437a8d48bfc2d2cc",
"sbom.spdx.json": "ffb869fd2e4d6d8bbad352d91a431f1038359995701dda2c44d15b32fbf6bb0c",
"symbols.json": "bf928643842abab67d785259cbe9c3b8b655969d037b678bd51e7834fd27926f",
"vex.openvex.json": "d0028bf8a37999413fc66906394072a08ad47b48b53cd914e2e10cf128ad1e31"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "java-log4j-CVE-2021-44228-log4shell",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "03d8edec093c07c9e0e77b6a52f015095db71ab9b8c2b2fdad245960e40bd2f2",
"sbom.cdx.json": "a43b3ae67d9423a75c709209b5c4c15c389163931bd2c57df1a924f92d0b871e",
"sbom.spdx.json": "b29f8c850043fbb66deb6a8ba9b764a3c66f8527ab47d0ea04cc63f10716334f",
"symbols.json": "b7b75e6116d33e98ae5b92598394095510e27afa8e0facdb617070fd8866d20b",
"vex.openvex.json": "67dd7e3220be878da101bc58d3e55bde4e69a6d56a4e14b4c3c3c5f4f1af8c3a"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "18e1e5f2d183fced40abed7ffd688b09688f28b0c96b6bf67f3bcd04fd39951e",
"sbom.cdx.json": "372ddb8f9e5d47faaad77ad7c3629eac3283adff306c5891e3fdff073d741e9b",
"sbom.spdx.json": "82f9f8e671138a3d2134be3ce583af42069cd20c2b57657cdad13668b0a9cfe2",
"symbols.json": "69eef48ff4667ba0cd6d454f08405c7fb04891fd8182279fe8d42ced59d15328",
"vex.openvex.json": "b2fad990e76faec9eb20475d1b1a4e0e42012f03db28973237ec338d076d26f9"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "java-log4j-CVE-2021-44228-log4shell",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "80427fa6cc873a3f440db5686d134709d34613394762ed8dc411dbfdeadaa8c9",
"sbom.cdx.json": "a43b3ae67d9423a75c709209b5c4c15c389163931bd2c57df1a924f92d0b871e",
"sbom.spdx.json": "b29f8c850043fbb66deb6a8ba9b764a3c66f8527ab47d0ea04cc63f10716334f",
"symbols.json": "7e4e19ff912bff2a72dd34cb814b2fd52b63f6dceb7e423ed2eb35a739d6719b",
"vex.openvex.json": "e65779c3e3469b618c2b2c978a66e077e6c70311434fe2ca1364bf30c8b9570e"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "2bcfc3d70ef20266eeb90a42ad92127be3b7fe17d1a3bc03a8002dc5d42498c9",
"sbom.cdx.json": "372ddb8f9e5d47faaad77ad7c3629eac3283adff306c5891e3fdff073d741e9b",
"sbom.spdx.json": "82f9f8e671138a3d2134be3ce583af42069cd20c2b57657cdad13668b0a9cfe2",
"symbols.json": "32146204dbcc7be27e80cf6a12d15f53b5c2f36a043adad94266f70b371fbc6e",
"vex.openvex.json": "e9db528da741ec09b92b6166f1382bfc340f1effc93a4ad61d0da8817a1df5d0"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "java-spring-CVE-2022-22965-spring4shell",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "316f1bc49235fad6e8aeb59c95028e79801d1e0e87599dc87cbeb919e55a332d",
"sbom.cdx.json": "05d75b98871eb73a5f81774ce2eb9a74cd36e2e6751aebd28df64993a538501b",
"sbom.spdx.json": "97a3f8f8c8424f7caf000dcf8da67fd12ce7662302f5113d39058f4fba8d7061",
"symbols.json": "c45532d8f5df11d1ba108ee3203b66dc6eef453f7fad1df7b4f120c3be28d8e2",
"vex.openvex.json": "3faeae83e4427b7ad268d55b38d246982713cb18d1dbbb1af7f55bfdec2c528c"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "4e42e16ec75b44cd13fec0687b5baeae4fe9d3e909b2cd420d869831332b555b",
"sbom.cdx.json": "607256a4708ac35a12f7fa3b229158e28bd4ac1183e81327c2369fa9cff4d214",
"sbom.spdx.json": "cf583ebd3bba7aa0dba50b435adcbfdc8878e9c516f6fd540fcf59f16cb989b0",
"symbols.json": "7eb263746a5371dcd706ae6f92ba9b01f16de87ba385d1c7ce5c94784ed309a0",
"vex.openvex.json": "84af60858e98b8b8367c4a747176319357abd5e49cf4826454ee076ae07c759f"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "java-spring-CVE-2022-22965-spring4shell",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "d5dfb70311cdfcbb9d9dc00f2c432e21994a567b73afc2e5e51105dd75098a9d",
"sbom.cdx.json": "05d75b98871eb73a5f81774ce2eb9a74cd36e2e6751aebd28df64993a538501b",
"sbom.spdx.json": "97a3f8f8c8424f7caf000dcf8da67fd12ce7662302f5113d39058f4fba8d7061",
"symbols.json": "24c8f838eca93f887822a0e27608d21695c7e77aa5ffcb4f0b7f67e0c7f9254f",
"vex.openvex.json": "64c8b4fbc6462876ab6861b9235c1f11200a881392c55c40371786f5d21fcec5"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "1ad19ebfd6a160fd4c1290aebaeda41c7dc2850c2355f407b1beb62743e6d385",
"sbom.cdx.json": "607256a4708ac35a12f7fa3b229158e28bd4ac1183e81327c2369fa9cff4d214",
"sbom.spdx.json": "cf583ebd3bba7aa0dba50b435adcbfdc8878e9c516f6fd540fcf59f16cb989b0",
"symbols.json": "18f2e58edb1bb5e9c9526cde7e03f0e0f5c6dcac248b65efb7f4c53272f42376",
"vex.openvex.json": "d214434c583ec25326745612135b6bde54f96c31040b4d20c1e82ae592c38e9f"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "linux-cgroups-CVE-2022-0492-release_agent",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "8b212a35b6bbd0eebf58c888fa3ba2f15df2c223f46aa0cbe3a819eb0b00a04e",
"sbom.cdx.json": "011435c08b0937a16783c5513a7a6997562db09e5683663b72eef0582b117928",
"sbom.spdx.json": "2ffd0b73f7fac20f929aa782ac97496b693846c63cea70b22ca1ab07801dd8e1",
"symbols.json": "c8221bd84c11929566d8460068cc87b5b17fad5be3744b11bfde2f6c66ebb2cb",
"vex.openvex.json": "ec5738e266b360a5b176af280a68c9e147bdfc21a30c6429845d320ff7766819"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "1b1d298f981935c318b3c010219ab24a4446b0525ad1016e914202922bc1661e",
"sbom.cdx.json": "4490a3b78cbac995e5c4ed2e13e948d7e6b1ed042ab693e5d881871282b5d2b8",
"sbom.spdx.json": "ee4568feb4a4c83d6cc10518bbc83a6f985b74a43f2ce4c8e3aaa519bb842e5c",
"symbols.json": "ea98caf1fd5a099bd197eeccb973b951eefd48dbb1c8f1dba4230fb71a71ad8f",
"vex.openvex.json": "cc7ac5157ccc6fff563a060e7af71150eba5af7023e159964fbd4f33629d2d40"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "linux-cgroups-CVE-2022-0492-release_agent",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "ceb7e2d85e6a23cc60caf2eb46e5e05cdc8af24661ffcc9ac674ed12234529e7",
"sbom.cdx.json": "011435c08b0937a16783c5513a7a6997562db09e5683663b72eef0582b117928",
"sbom.spdx.json": "2ffd0b73f7fac20f929aa782ac97496b693846c63cea70b22ca1ab07801dd8e1",
"symbols.json": "89e6fe61fa90b366b00e0e7f61bd9f4452e490e6197ea6d606751caa2e31bbb5",
"vex.openvex.json": "3e10a7fdece86c0aa73c1d8a86d693a75ad020d2351458878231944b9e4ae28a"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "d12f50088d87da6735bf77315520c649b7b270926487b35427eabf9c09c70f53",
"sbom.cdx.json": "4490a3b78cbac995e5c4ed2e13e948d7e6b1ed042ab693e5d881871282b5d2b8",
"sbom.spdx.json": "ee4568feb4a4c83d6cc10518bbc83a6f985b74a43f2ce4c8e3aaa519bb842e5c",
"symbols.json": "74a8557624a8459c59919421209e564b8592a0a1e1e3c80f9c9ba267140b024c",
"vex.openvex.json": "1f205cca143401fcfcd9c61f33ffce9bf51839546a8031f583ca04aa83ae6df7"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "node-express-middleware-order-auth-bypass",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "3ec9dce86031af5a893667834e8fd21c276a5afb1156544e0208a58e65f99841",
"sbom.cdx.json": "104dd5cb4497b83d59c6cb0a3e59af02d4f2b52ffa4709086a7dcccb5ef4d7b8",
"sbom.spdx.json": "3f4850fc7da4fde7f97d33d0c6b78a0e50bac716fbb4f0dab2b6a3c29fe302be",
"symbols.json": "8cc43736be4fddfbd8947e03263cc1a3d7301aa4be6bad1d6bf99d91787c14ab",
"vex.openvex.json": "d165dbc8f75c38b68a154f2ad365d686cb327883c96cd88669f4f163407598dd"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "b105d1e625d001e8e801b67f40b72f13ffaa3889505353e9ae9aa6316ae92e06",
"sbom.cdx.json": "96830b648c0267ae5fea1bc534c2868778028f04b15365c8e42fcf0b9ad8ec90",
"sbom.spdx.json": "432b218689fb7e6affe40229822ed1632823f59ffa7ce19d44ece9a512c4e7a4",
"symbols.json": "5f2abc128a64ae085cffaca5b1c9d21cd22abcac35f3b79963c213a5e965d800",
"vex.openvex.json": "4ae403a8c67fb67d430059af05c72358356f291c13fc3219b97c29d74acebc9a"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "node-express-middleware-order-auth-bypass",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "7fc0d7bf7870b42b4d216d2c9001446761aa86b073da551776350cbb481b14ce",
"sbom.cdx.json": "104dd5cb4497b83d59c6cb0a3e59af02d4f2b52ffa4709086a7dcccb5ef4d7b8",
"sbom.spdx.json": "3f4850fc7da4fde7f97d33d0c6b78a0e50bac716fbb4f0dab2b6a3c29fe302be",
"symbols.json": "45aa8a689a6fcca0a0c96e587da654d30301b37190d70dd25240231e14cf4df2",
"vex.openvex.json": "3fa11fea858bb9520c1b9c656d1d6b8191fb15a11aa92ccb933ce999b115a29b"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "ae08f45e5718acefc99d0146143b699022486b8baad91d32622345b82aca46d6",
"sbom.cdx.json": "96830b648c0267ae5fea1bc534c2868778028f04b15365c8e42fcf0b9ad8ec90",
"sbom.spdx.json": "432b218689fb7e6affe40229822ed1632823f59ffa7ce19d44ece9a512c4e7a4",
"symbols.json": "18062cd7e4c9e4e4313223533ca6308bb3d5d469feca8689aaf897f95830b4b7",
"vex.openvex.json": "25a9db016befed97dd385225ad9bcdd25e7a60d65f049051884e504100ae6d6d"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "node-tar-CVE-2021-37713-path-traversal",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "0bbbab7a034667021473bd75c43b5f4317e5b99aa55a1ffd37696c61899ffe14",
"sbom.cdx.json": "bd237786ad3208f9f41ad2b56d05c4f3482966628f28bd7ece00dc37d247fb3d",
"sbom.spdx.json": "971e3ef7be1edbf5b58b72753740742773333003d953ffbcc88581c97aea9464",
"symbols.json": "c532dbbb307244b4f83dab9b7a767906c90e4bea518f3753159064e34d4d70aa",
"vex.openvex.json": "bcd7c056e063ad8ed87cdfdfd3bb4e9bff1753acc738380b2e6c779db6f6ce46"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "f4e47da91b002b9bbab2e79fc84b103ec3310fead248588abfe77c4bc0b9d8eb",
"sbom.cdx.json": "3109ba08a7a9a908282f3d2014e78ff74418b925ead00b64c26400c508cce9d6",
"sbom.spdx.json": "3422be00cedf9ff4a4a808bfb7c4abdd491fd545da2a6076cae6096710c4abc5",
"symbols.json": "d9b88cab4fdc99df1f009fd65aa70da74c4f45e79919b754092d63439f1cdf9e",
"vex.openvex.json": "f9e650b96ea369d484ffecb37787ce43d54feb09c2f49e2bf948213be7855c9f"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "node-tar-CVE-2021-37713-path-traversal",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "02751e4826f1ebec26f76961b3993f0bf33d3af8d1778fb0ae384ef890eecc5c",
"sbom.cdx.json": "bd237786ad3208f9f41ad2b56d05c4f3482966628f28bd7ece00dc37d247fb3d",
"sbom.spdx.json": "971e3ef7be1edbf5b58b72753740742773333003d953ffbcc88581c97aea9464",
"symbols.json": "806a418424cbf187306971605d13cc4243e9203b8e0529eebbc9846ed67314b1",
"vex.openvex.json": "70174199bce72123d6a646dce6508d6693d7da1a92b464707b6a3fb3b2e4db7d"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "d4c0bdae4cbc822f587e626fe1dab278fb486b295f0b4451475afdede3bccb18",
"sbom.cdx.json": "3109ba08a7a9a908282f3d2014e78ff74418b925ead00b64c26400c508cce9d6",
"sbom.spdx.json": "3422be00cedf9ff4a4a808bfb7c4abdd491fd545da2a6076cae6096710c4abc5",
"symbols.json": "31863df6aeb0fa6204816c0a4efc842b0af7ce8db22e9cd15849f94aa27b7e87",
"vex.openvex.json": "204c982c4db778940bc3a65dec3c8b5e6fb867e5f348c6e5dc28be0f643fd01c"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "openssh-CVE-2024-6387-regreSSHion",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "573a54be180f06ac67ad206a9fc55b6e24a92b5560d931ecef7e534d35e0bd59",
"sbom.cdx.json": "04d9991ac2950015546093ad479344b1ab8365495c54a45a49ce6738d115b13d",
"sbom.spdx.json": "adb3128162032496f058f46b0e821b4f8c1a673c8ebdcd1ba3b0961912c95886",
"symbols.json": "73bdbf7929a114b682f37794706cbeb86d998a5558849fb17a6f74e07ddec575",
"vex.openvex.json": "a9a5faa5120965062783d59139da86fb1e56dfb946e033678ce908889a65adec"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "4f4b92f6d94f293e8c200a9254b88a92d5777cfe33a5b4e52ad5953284af6c24",
"sbom.cdx.json": "d203047eb82f5fe63bc1254c83840dcefd25c80caa29d209416a4363b216a7e8",
"sbom.spdx.json": "d6be2733c73b4615707f8b81b60b0c266febcd621094b2e75448073269aaf8dc",
"symbols.json": "88fd0e3ec2b0f54c2f8bc610fe6a5086a361798f2d1a6e52bb21a3852bf1953e",
"vex.openvex.json": "913cf9478b644202660c348f59ae09b540529549cc6937047a29d8397a43ff6f"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "openssh-CVE-2024-6387-regreSSHion",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "e6ecfb707f6ef8b89f52aa4883bc48642dea20a3d7bf647fb04b30a55e5e6be0",
"sbom.cdx.json": "04d9991ac2950015546093ad479344b1ab8365495c54a45a49ce6738d115b13d",
"sbom.spdx.json": "adb3128162032496f058f46b0e821b4f8c1a673c8ebdcd1ba3b0961912c95886",
"symbols.json": "d57f06dcd7f95bf8dcc3c8dc7e2a5096b3a0b36098b9bb7714d4a434dd190371",
"vex.openvex.json": "25a0ed4ff5e7bc23f5b0c80c2264ad14b6a8a1bb124cf32360a227b2b2e68daf"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "d5dd3c0bf3efa2aa38c5453fedf2a541a350c32f0b3f48507e9077b6a8d5674c",
"sbom.cdx.json": "d203047eb82f5fe63bc1254c83840dcefd25c80caa29d209416a4363b216a7e8",
"sbom.spdx.json": "d6be2733c73b4615707f8b81b60b0c266febcd621094b2e75448073269aaf8dc",
"symbols.json": "bfc07a65bf9e823635068e606a75b6fb3cd8bd7a07493432ce3986c6ba22c028",
"vex.openvex.json": "485f80b704b9e4a1f5a6c16d2d89eb02704f5337d47ebbf90cad6372a412bb91"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "openssl-CVE-2022-3602-x509-name-constraints",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "bcc9ce550ea18fae6bd12fe8ff7af87e39b751c1f74735d003598548569858f7",
"sbom.cdx.json": "374cd5f25f0fcd1b58eb23707842ddc95a7755b934a4980ce128d3e03199620a",
"sbom.spdx.json": "0edaca9b8d2b7bceed84e66f0733a4ce66bfecfeccb60ce913f67048df3bb193",
"symbols.json": "a98a37d8759a6e9823d151d3485ef900e455bd6c7c0b47dae47a471ad0b4b8b2",
"vex.openvex.json": "a06ce87aed550880248f6b4e7bd5c78b9a3c967fdda83868557d4cbd2547cd29"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "38e3f5d0bee340b5e41aae8c3f81a4d8c9f8dbcd9a558a562e072e54f235e11c",
"sbom.cdx.json": "f38df383173720772d3e2da65d3c797c5f835dc6b69a3ec6fd2b3b3d1d108a59",
"sbom.spdx.json": "3658e0973b3a78e9b497e16d86dc73c0d89ec21b6519911ca78e2e8b1a0688a2",
"symbols.json": "49fbb599d179d7a5fc88cf24f6e6e9267f0fae43763c89c959342a795e61334b",
"vex.openvex.json": "b7ce60d2e199ff3d58036665e268edc493114ce82d8e49c26b2e701d390b4198"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "openssl-CVE-2022-3602-x509-name-constraints",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "f114155ee62717f1d24fa2bdc42870eedb174e31a125e7e02a0fa2c469b10860",
"sbom.cdx.json": "374cd5f25f0fcd1b58eb23707842ddc95a7755b934a4980ce128d3e03199620a",
"sbom.spdx.json": "0edaca9b8d2b7bceed84e66f0733a4ce66bfecfeccb60ce913f67048df3bb193",
"symbols.json": "0cede4adadb502cfe38e2bfa85fa7886d1bb112e929574de1d7427b512c97b76",
"vex.openvex.json": "e478856a30ec642dfe6b63d8937de0a2ded4f73ad6d161f61b90326fbd6b2b65"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "7a53699425f69e94c99a5956a738d33ff8b213e79ab6c685cd2e5a516145d2a4",
"sbom.cdx.json": "f38df383173720772d3e2da65d3c797c5f835dc6b69a3ec6fd2b3b3d1d108a59",
"sbom.spdx.json": "3658e0973b3a78e9b497e16d86dc73c0d89ec21b6519911ca78e2e8b1a0688a2",
"symbols.json": "7093617c7478ac80d89ac9e887d7ea16442d589a70d3f0b447ba0ef5ccc1a8f8",
"vex.openvex.json": "576085af51d7388e605b6898261dadc425b4407e6182673d55108ff03779a7cb"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "php-phpmailer-CVE-2016-10033-rce",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "8a4c1f78c866a351322eb9b12dca1b0a6218aee5094bca0a4b7090e00ae524cd",
"sbom.cdx.json": "9fc0ad284188e41a23fc678128e5e0fa263c39431e7c976c82d8ec7d0b6b0339",
"sbom.spdx.json": "96cf94ee5085078d14ee5c19666a9e146c278b785ed57eb2b47faf45b9d18b85",
"symbols.json": "2c47399bcb375356772a6f5fd4e1230721a0807f450b33dd9a512e72f0f932b0",
"vex.openvex.json": "2b258cf5cfb4a08edabcc0d865c4c4531b67a59b6c3835412f4b417e36693f84"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "6b470ec13b3e8db799ecccce16b10d36d6655e5951038801b51955071ff7ec90",
"sbom.cdx.json": "f8d1582c3b6478cbd4879bcc07d60b21ff394df14f616bf12bb269217cfb57f1",
"sbom.spdx.json": "553220191e8f1fa9956f47ebd232ee2554e531b1928ee9d3e1d479b5b360139d",
"symbols.json": "f86de9fa107355075ccc3407dbefa15c27514975c211a9017e19ccc0cada9990",
"vex.openvex.json": "c0117f2b546df8ebed8409ea7472ea8a8f3f959f2b17d44c738a7cd24a209d78"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "php-phpmailer-CVE-2016-10033-rce",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "03c99d5de2d6da9de07480d43bed6ce79a73b1a9abb2ccdd02c04c2eaa3c9bc4",
"sbom.cdx.json": "9fc0ad284188e41a23fc678128e5e0fa263c39431e7c976c82d8ec7d0b6b0339",
"sbom.spdx.json": "96cf94ee5085078d14ee5c19666a9e146c278b785ed57eb2b47faf45b9d18b85",
"symbols.json": "27a70634762c365d15ab5135cc5eb54721ad8407ae295ca71ca227f41847569c",
"vex.openvex.json": "56a227d9bf325b0dce2875c99d09bf999d2c7b17402af641c6902314108ee980"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "7d3476c3d86e0dbef128efdfc16a88bbb13e1df0095a17a97a7fc75402da42b6",
"sbom.cdx.json": "f8d1582c3b6478cbd4879bcc07d60b21ff394df14f616bf12bb269217cfb57f1",
"sbom.spdx.json": "553220191e8f1fa9956f47ebd232ee2554e531b1928ee9d3e1d479b5b360139d",
"symbols.json": "891d0b017f95ff6d3f7f9e06495b39ed53565eab469d879f1a2fad2ca63e632b",
"vex.openvex.json": "e04cbaf855c3d14e918ad06a524d89dabb06c427e4a96e72eaaaa86ff16c5595"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "python-django-CVE-2019-19844-sqli-like",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "2ccb39511b35781e96992a480df92beef1c8dbf600d46090b309bfa459397b4f",
"sbom.cdx.json": "33856cb8dfc4b3f14550762c0d6f7d93ed4bc5bc249ed57fe963f7861839bf24",
"sbom.spdx.json": "49ad943b01713c7b711ca2636b351e96581f1323b4be819c3ef25d5cbeeb78c3",
"symbols.json": "b9e2cd285f58d83a44807eceb3011431bab2547dd4f8157f59e685d17b55a384",
"vex.openvex.json": "390fbd7d3099d948046fb31d83e805ea532ce7fb20abdbb270eea55d4c7d3019"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "91bdcbbf9400beac3d6ce39b81e5794f5a6715657ff541ed9e3d947b29332096",
"sbom.cdx.json": "12b2d32433bdf9c8c56c1f1de9dbd3d62c0205d815448789caeebe53cc7199cd",
"sbom.spdx.json": "ebb5b23674d0d6b6877e60a658ead722cbdfb2097b3d98d16bde492544334b4d",
"symbols.json": "b450cfbae441529396dbe049f5edb0e5a9c95e805d72c9baff25551a93e5633f",
"vex.openvex.json": "aa8c5da2e3f03d116d045cee53bb1fd52a2d20a42cd935b7ab0649aada9c1eca"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "python-django-CVE-2019-19844-sqli-like",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "ee0cdda20523335d8c65739d9509a710000e11d8bb2ece93ec7930e8d06590a7",
"sbom.cdx.json": "33856cb8dfc4b3f14550762c0d6f7d93ed4bc5bc249ed57fe963f7861839bf24",
"sbom.spdx.json": "49ad943b01713c7b711ca2636b351e96581f1323b4be819c3ef25d5cbeeb78c3",
"symbols.json": "2f907e2686535d69767522c43fc0c71962ef6ce8bd9e48746707887ce186bf07",
"vex.openvex.json": "a6bfc8b8e86ca4f9cd2d2d107a14531bc13f84261a13b5cafb4e8d4b1c92c01b"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "f8926492d1b5e8a15c9b0f82087797b26d0609bfb13f10d14f7803fe6a129d95",
"sbom.cdx.json": "12b2d32433bdf9c8c56c1f1de9dbd3d62c0205d815448789caeebe53cc7199cd",
"sbom.spdx.json": "ebb5b23674d0d6b6877e60a658ead722cbdfb2097b3d98d16bde492544334b4d",
"symbols.json": "69b7846dd716b8730d2e08a2e293124949fd3642d9fc83837612a4d9d228fad4",
"vex.openvex.json": "bbadc21dc72a1b9dd8e395b2b40c1dac987189a7f95c0064714737b1f9b00758"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "python-jinja2-CVE-2019-10906-template-injection",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "2e56690ed9899e9ddad4a2dd9dd3715fe3b6349cc165fb10b797500d3b7bb240",
"sbom.cdx.json": "8a2681fcd3eb2aa82e2f0380126a9fe2caf130aac6ae4c66cd47f971c4ea347e",
"sbom.spdx.json": "4a04c563f3cf1b8a7b84add3443b9f2372150910844c2160193f26b75c004ff6",
"symbols.json": "97f7be8fae7c41424553821007c4e8ce0784c21014ceba12d77a8487af445ebb",
"vex.openvex.json": "088909aad48426345068b6373a27bacafcaa64fc49ecef43a15326d307f8b2e6"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "bd19518d4bcaad1b2248ad44087296d0961c0b69ff92dd8dd3e02f2dd7ae50ad",
"sbom.cdx.json": "bee4564ef6e541d6c9342da6e9ec5c32245934af538285742a70b1a5574bab63",
"sbom.spdx.json": "fc8393d30763d114ec156faad13625a01d99637d6d5f94347f9103ec2f128c70",
"symbols.json": "12e9bd031247b0e7ced80b9f0be7366d53e3f6bc55dba8bc8e29dffa33b1428a",
"vex.openvex.json": "5831de3b541eb9cd8e318c3d9c58d4722c3706ae86dfe593edb7052bffa69d59"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "python-jinja2-CVE-2019-10906-template-injection",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "df69cb0fd97c3f90700905edbb739c872b13bca26ec8b23b5fca7df95c88e649",
"sbom.cdx.json": "8a2681fcd3eb2aa82e2f0380126a9fe2caf130aac6ae4c66cd47f971c4ea347e",
"sbom.spdx.json": "4a04c563f3cf1b8a7b84add3443b9f2372150910844c2160193f26b75c004ff6",
"symbols.json": "e8b79c2d1c222102e4dd1b3f009c98301bb9d20bfe535959a968719f55dbe558",
"vex.openvex.json": "14189de5cdec146e3f3690f9a33bf7bd43e788c1bd52deb9fccfbddf548d0fb3"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "5e976a5b02be9d80f73279250b9c7dc6a7a35b4949485ec8a3e654b56e92b472",
"sbom.cdx.json": "bee4564ef6e541d6c9342da6e9ec5c32245934af538285742a70b1a5574bab63",
"sbom.spdx.json": "fc8393d30763d114ec156faad13625a01d99637d6d5f94347f9103ec2f128c70",
"symbols.json": "7c9c852ec05f723da16662dafbee27d7f30930565483b3efd9a98124daf965ce",
"vex.openvex.json": "4814babf16abd8827888413cb3545fa592a544da2818c510f39f5bf6d626fcce"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "python-urllib3-dos-regex-TBD",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "77b65a72e7061171dd9bbabb55260c005e45c71156349c68995f5da21249f01d",
"sbom.cdx.json": "6de2dac2a942c4f98be45913bc283490e0a633d96f622864eba2f7e9ed40ddef",
"sbom.spdx.json": "fcc1da998d896c2a8d6c0b0386ae5a492ae242cc83dc03daaf2b6ee55d8ba9bb",
"symbols.json": "0de9697f4fe6f5d80df4aec4593599f6dbfbf9c92f2e19e4e8f6d39630a37aee",
"vex.openvex.json": "c785b009bc7c625f1e3cda129ab45ac436b43dc726f3902d092bfb4665a5a1dd"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "b76721e7be720aab8e6a391c4307a49c9ac5f91370d5ad94e6990851cd9f5599",
"sbom.cdx.json": "92f85cd1caf5e0d40bc489c74f61a10ef452f8a5929e95a52436e0a67827f1db",
"sbom.spdx.json": "14a0b0f27eddab4452da4b7d9da1992b8eaee4c9a56720accedae3f5c1669a72",
"symbols.json": "03872ddb4ff47802e1ca998b01e2578877bb0c73c0584d804002082f0be2d22f",
"vex.openvex.json": "c1b2c2b8af62f5d198e8986f25763c64126b7c930cca6580bb115351080478f4"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "python-urllib3-dos-regex-TBD",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "fee28d40dd848e5e59b662622f33e2644e4328c6a2eb1a4f22f558fea0c69dfd",
"sbom.cdx.json": "6de2dac2a942c4f98be45913bc283490e0a633d96f622864eba2f7e9ed40ddef",
"sbom.spdx.json": "fcc1da998d896c2a8d6c0b0386ae5a492ae242cc83dc03daaf2b6ee55d8ba9bb",
"symbols.json": "bafb8c6703ba42f7fcb2d1bc5bba702282012d10f7d7026729083761e8b6bf26",
"vex.openvex.json": "342a13c0f33bbf5228756e7444aa1a0740b0f971115ead4db2668669e8055fb5"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "022d9b1a05425205e685a3c3e0f4991f3dd0e311b0b443b0cbaed3e538fdece1",
"sbom.cdx.json": "92f85cd1caf5e0d40bc489c74f61a10ef452f8a5929e95a52436e0a67827f1db",
"sbom.spdx.json": "14a0b0f27eddab4452da4b7d9da1992b8eaee4c9a56720accedae3f5c1669a72",
"symbols.json": "2b7cf80eb18cbc9d815a5d9310b167b7bdebd5ee3288d679af1a60aa39bc2efa",
"vex.openvex.json": "b57bc50d2d4d3075d4797ed884546d733939c54b7ae5cc4dcf3e8aef1b5def08"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "rails-CVE-2019-5418-file-content-disclosure",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "c9d31abd8f660694b9cc88b0663390c36be5ca0c16da8061911ede2af396d64a",
"sbom.cdx.json": "c50edcd3ebed1a651e29f3ab41cdb37e2a6a1f7bdb567191bcf83fc1e76eba24",
"sbom.spdx.json": "7bcda4289b9cd770cad6408cbb1e9bbd6b8ef7ba15b79b795b5a183f22722925",
"symbols.json": "895ed278a0c2eb90a697755ff7509d7e9df3a1aa26153d2deea2e2e858a62aea",
"vex.openvex.json": "500bbf7564559d0f10e4cdf97f8142868d6d068b72bb223b8a4f6850e917aa93"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "a1e201f50ab1de6dc8a63a368bd11b8a684f68232fc3afd9c159303023f93dd3",
"sbom.cdx.json": "e311708a3d964928577bbcaa5422955d01d4ff41276cb1ced140d291c432f5df",
"sbom.spdx.json": "5ce3a3ad477927485ddc6e4a4600c780336dc086a4ec931f0be0472858deb88a",
"symbols.json": "bad5fe3ba1b5ebed91c92b95a4a579459220eefbda301f14f4c6e29b196fc646",
"vex.openvex.json": "335d81c4776df1c000846591e5e34c97c5e9fa5dc0da140524cc68a697d95476"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "rails-CVE-2019-5418-file-content-disclosure",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "12a1d28dc31ce8a3e381fbfb195d942c879ac31003c2412d40d8b6e8a3808318",
"sbom.cdx.json": "c50edcd3ebed1a651e29f3ab41cdb37e2a6a1f7bdb567191bcf83fc1e76eba24",
"sbom.spdx.json": "7bcda4289b9cd770cad6408cbb1e9bbd6b8ef7ba15b79b795b5a183f22722925",
"symbols.json": "ae28dfed9d506cd92a0608f8a742716764b7f3f15d7b35b5f6990010a1d0b8fd",
"vex.openvex.json": "f3fe8061e72d74532921a4ac21107bfa5121cca2ce011c38580438738c071174"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "bdc4a9b0600b2adbe376631ff42c62b0d2c09913ee5e6b709cfe2274aeafe5d9",
"sbom.cdx.json": "e311708a3d964928577bbcaa5422955d01d4ff41276cb1ced140d291c432f5df",
"sbom.spdx.json": "5ce3a3ad477927485ddc6e4a4600c780336dc086a4ec931f0be0472858deb88a",
"symbols.json": "6bb75ea71e5e1bfa9fd3a86b40e47ce436fd0b2d0d542657858c01dab6b818fa",
"vex.openvex.json": "d2958b20176758ba49b37add31f335c152b91f17aeedc2b0407bd2d673f7580f"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "redis-CVE-2022-0543-lua-sandbox-escape",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "fbdd8b9e479d40cea9068a83c98619af1aa18dc3abcafc2ea2bdb463c25710a9",
"sbom.cdx.json": "66bcb9f575207e62f46230e9056c229d07821d700a7b90ebb6f84baaa28bc7ea",
"sbom.spdx.json": "02a37695184dfe333892c420b4890ea69497e2808aeeda42c6c5e211919a5db2",
"symbols.json": "9a5d1611a6e4d6d38feaa591be880bbb157680828b6e7c756442bc6995d960e7",
"vex.openvex.json": "1d86a9a2973f1ab8e5f57c57857c49da3d0d02aa54a8b2d5425021d2f9627690"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "f8c53484a0f0b476c46fdcb74eb369e9043528019ee36b0537be0964d1bc443a",
"sbom.cdx.json": "262ee8cfcec9893d5eef21da86a51563d2f905fd0ded264ecd9b295c20ad4ff5",
"sbom.spdx.json": "207e2ddd259d5cf0d1b4b6e26bc4abd26d38e119dc4c635b0600d5ce4e4d4fd1",
"symbols.json": "add91063b52b65788cfcb6925811a9e51031d7d7bb7c97fcd4e45e1b1c702e43",
"vex.openvex.json": "b4e4b865b0982c89f3d8bbe27d6984016a9b43b7282b9c158063c65a67c4dece"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "redis-CVE-2022-0543-lua-sandbox-escape",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "bab266ab92040c3977c2f17cbddb6e91e0e9ea748b720ba4b3e35372063c8c75",
"sbom.cdx.json": "66bcb9f575207e62f46230e9056c229d07821d700a7b90ebb6f84baaa28bc7ea",
"sbom.spdx.json": "02a37695184dfe333892c420b4890ea69497e2808aeeda42c6c5e211919a5db2",
"symbols.json": "e1f5a9f63042d050a3966e95a5902797e00ae1703a8ecb69dff149e1bf8371e8",
"vex.openvex.json": "d0beebfb1d7a3cb086633040ddda7f9d4bb536d0df4176e8c093599988bb75f7"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "749316cd4d32d0fb0f9744f4ae7592674daed71c9000cd8b8e57f0372b665902",
"sbom.cdx.json": "262ee8cfcec9893d5eef21da86a51563d2f905fd0ded264ecd9b295c20ad4ff5",
"sbom.spdx.json": "207e2ddd259d5cf0d1b4b6e26bc4abd26d38e119dc4c635b0600d5ce4e4d4fd1",
"symbols.json": "51e50884d378b4f49dc742323912f3af0d600c120e1f448ff3c6929cd265ecff",
"vex.openvex.json": "7e8204c4e3ce4ac26028a390c3fecdd1251d6ad6e16653b1f972f2dc30688c4d"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "runc-CVE-2024-21626-symlink-breakout",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "94d2522b2ab3632adadffdf2ca8c991260d2bbd1690fb4a00beb6207b1ba5c49",
"sbom.cdx.json": "f5d25c84c10d3588526ba08d1a03a8105f8da1279a44e0defee66285814437d4",
"sbom.spdx.json": "ee5aaaf68271588ee2b33d04e3815ca9a3f89a557a55c1f8d917c2af1b813c16",
"symbols.json": "1b8a40f0c8aabd9f84f06647490f450170c48c9cbba929a50caf441c92791df8",
"vex.openvex.json": "ca87293d1831169e427182e37e52713495b9e78a7e7b14f174012867f3cff6b9"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "7462c1ff3fcfeaaf75793bc8cc6d433cfddcfc3c01aeed80d808368dbe7b208a",
"sbom.cdx.json": "102a4aa9b079e95ce6603f1077a03716215067f9db450f6eeeee3ffe91a3c03f",
"sbom.spdx.json": "84480ee0f19dd5bc8379dc257f9e86cec0644131f71304efab9d6f9343e5ddf7",
"symbols.json": "b3e49a7b256a4185969742db54584eaaab094893b77b155c482e5784123d4705",
"vex.openvex.json": "730b927596ceff24604ed3fdc008179b3b6a524e8ba1b2ce248706dfcbdd8e9f"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "runc-CVE-2024-21626-symlink-breakout",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "2f4803eb568d4f294f4241d068266b6241fd20f463e6945e1df3b84ccd89459e",
"sbom.cdx.json": "f5d25c84c10d3588526ba08d1a03a8105f8da1279a44e0defee66285814437d4",
"sbom.spdx.json": "ee5aaaf68271588ee2b33d04e3815ca9a3f89a557a55c1f8d917c2af1b813c16",
"symbols.json": "b48973486b29e184ae09ecfb9264a400fefae5c2df4d0d5f4bd868453fae1f99",
"vex.openvex.json": "06610030b92a3a5eb4e77c44c87066ce66dfc0018e4477de99f4bbf70424cf5a"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "d7aa1571a9338d19994f22672a0f21805b91433c44548db710f03bec7cf19293",
"sbom.cdx.json": "102a4aa9b079e95ce6603f1077a03716215067f9db450f6eeeee3ffe91a3c03f",
"sbom.spdx.json": "84480ee0f19dd5bc8379dc257f9e86cec0644131f71304efab9d6f9343e5ddf7",
"symbols.json": "445405207e280de83a29d0d9eb24d73dcf0b822eddbf6af7b4fbf8e5f9f61d51",
"vex.openvex.json": "4b5e515c8df7566a85a9a5628558157ce4f26d271b3c9d1ca9775b44970d9813"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "rust-axum-header-parsing-TBD",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "f34d41548950529728b47d39699260a5a3b496f5b729c7981ef2d70622136df9",
"sbom.cdx.json": "ff9bfeeef7e41d934a051d5c4e20965819d2c4be0ff9ad68ba250eccae3aa487",
"sbom.spdx.json": "1de691c4665d49162633b6571bd142fbfdcf79a0c8bdfb6bbf8f8d4783587d01",
"symbols.json": "fc3923137f963fe08398a0cfc11d51d063104758ea574705476bb5fb07b0d6e0",
"vex.openvex.json": "f0aa98d011f0012ff230c44f69aaed51847a4ad9930bac52aa4467405c2122f5"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "db51a2ce78f32b9cb4ec3ed5553129592d6b283269b781da07c2b9d248d3eded",
"sbom.cdx.json": "d591991aad584887e1febb7158aee2a8d255cb3bd904647c0465b2517f9b0420",
"sbom.spdx.json": "952f2911841aef80876fa5f3ef6ea3bb025d3fdf15af12a8a2dfd1a4912de327",
"symbols.json": "91f2bb239888454d2e868267474d31c7849348efab10296d50c2d542be287f18",
"vex.openvex.json": "78675798250d81e833b06e465b80e367cc9a3385dc83e26c9126dc8b81e39f07"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "rust-axum-header-parsing-TBD",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "918f742dbfd9e786640660f13f60b1f9da329caee367851990c7d5b678fa5c8e",
"sbom.cdx.json": "ff9bfeeef7e41d934a051d5c4e20965819d2c4be0ff9ad68ba250eccae3aa487",
"sbom.spdx.json": "1de691c4665d49162633b6571bd142fbfdcf79a0c8bdfb6bbf8f8d4783587d01",
"symbols.json": "4ff5b34b01575558256364c017f6e3ed4dcb9c6d077b732d2dff1936431f607b",
"vex.openvex.json": "48e178a71126b1c57aaedf47ed85da10a8b391ddcff61e118f7fc26b1786e490"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "6586881d4ab2e395e45ca6ca2c018ec6c8ef349d08a2d7729b1c2a39b79b578c",
"sbom.cdx.json": "d591991aad584887e1febb7158aee2a8d255cb3bd904647c0465b2517f9b0420",
"sbom.spdx.json": "952f2911841aef80876fa5f3ef6ea3bb025d3fdf15af12a8a2dfd1a4912de327",
"symbols.json": "5fb1a7d62e2b9c38c22cd55bb48a71a46c38b7d9aac5eb55064ca0918f246e7f",
"vex.openvex.json": "e24870c312cf61ce8e377993e2acda9f36ce817b8f97eedb339713cca52d8877"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "wordpress-core-CVE-2022-21661-sqli",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "2491f25c8faaa3fcd6be0af96ee0bdb047ee457c674a3b0533a07bdf4f7bc9e6",
"sbom.cdx.json": "4d680dc644aedae0656a9aaf619804cc5db818071b15a4d4bffba85e4a72ec16",
"sbom.spdx.json": "654a9c21de6aece294f38e1b6590e82ddd4bbe92ca8dc17b9cdf404f7f423a05",
"symbols.json": "5e50e1037f4c8d80ad3d4e589a62eb4748e37410e4dd1336b9556bcebdb7f2fa",
"vex.openvex.json": "789eba2e95cc32972356f777b9b314cdd84d7ab8f62f9c65599ad46d53c1171c"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "3400d2e5bb7e2444c5d8794deaa470162ae84ead4da2f357578bad79ff79fc46",
"sbom.cdx.json": "18ee89df532562af951ae92170a0c6fea0cf5260275becf2b136f58929565dd8",
"sbom.spdx.json": "d8d65f2816de794aeda9b758f9b85d5dc2e771179b1c9a489c83bb9098088eae",
"symbols.json": "b13fee6e67fd09b2655da862bc9557f516a73f8761d3d3ed6ac81839e9d61411",
"vex.openvex.json": "edcaa5bd78afa9a5c2254a536efb9413bf212b247fb81b83d39c71d1a63aff49"
},
"schema_version": "reachbench.manifest/v1",
"variant": "reachable"

16
tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/manifest.json
View File

@@ -1,14 +1,14 @@
{
"case_id": "wordpress-core-CVE-2022-21661-sqli",
"files": {
"attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "0855e5a1023d4a03c71ca526cd383cb09adb3ab67aa91039c8b96bb370aff3e5",
"sbom.cdx.json": "4d680dc644aedae0656a9aaf619804cc5db818071b15a4d4bffba85e4a72ec16",
"sbom.spdx.json": "654a9c21de6aece294f38e1b6590e82ddd4bbe92ca8dc17b9cdf404f7f423a05",
"symbols.json": "52cd52c683750cccde96c6d0034c129ede7e030bdf5df7b21d1b9bf64eb3b280",
"vex.openvex.json": "72c17746b337df751658ad7104d5f4e5962d97f9227ecbab810e7d2d8dbcad96"
"attestation.dsse.json": "30937c552127484d65b409f39fe31caa5a4f071142892cc336be2a22d747331d",
"callgraph.framework.json": "9ca4a75a6d19744789c7b34011e67126ab749b9626158ae57b03dbdfa6147a5e",
"callgraph.static.json": "0ae8872a65a499cc8109b36eac53dfa0b6cf60b29482ddcdab6992c49e35ec74",
"reachgraph.truth.json": "a84be394e3a8acc773ba5ffb2a6408850a1cc6e0729ed9223010e117d2270f8e",
"sbom.cdx.json": "18ee89df532562af951ae92170a0c6fea0cf5260275becf2b136f58929565dd8",
"sbom.spdx.json": "d8d65f2816de794aeda9b758f9b85d5dc2e771179b1c9a489c83bb9098088eae",
"symbols.json": "3a8ad137ba4c6f6701f2f974c5bf44ff8e4ff098fdf505f2b874d5b24a62f6e7",
"vex.openvex.json": "8ed2bbdb19741b03709d7bd095cb2ee8f2c035aa736cf1cc8938375a60f9f0dc"
},
"schema_version": "reachbench.manifest/v1",
"variant": "unreachable"