diff --git a/tests/reachability/README.md b/tests/reachability/README.md index 5742fe19d..29f9f6f9f 100644 --- a/tests/reachability/README.md +++ b/tests/reachability/README.md @@ -2,8 +2,8 @@ This directory carries the reachbench fixture packs used by Sprint 201 to validate reachability explainability. -- `fixtures/reachbench-2025-expanded/` contains 24 multi-language cases with reachable and unreachable variants, SBOMs, callgraphs, runtime traces, and DSSE envelopes. -- `StellaOps.Reachability.FixtureTests` provides lightweight guard rails that ensure each case keeps the expected files, JSON schemas, and ground-truth metadata before the Signals/Scanner reachability pipeline consumes them. +- `fixtures/reachbench-2025-expanded/` contains 24 multi-language cases with reachable and unreachable variants, SBOMs, callgraphs, runtime traces, and DSSE envelopes. Each variant ships a manifest with SHA-256 hashes to keep runs deterministic. +- `StellaOps.Reachability.FixtureTests` provides guard rails that ensure files exist, hashes match manifests, and ground-truth paths align with reachable/unreachable variants before the Signals/Scanner reachability pipeline consumes them. ## Running the fixture tests diff --git a/tests/reachability/StellaOps.Reachability.FixtureTests/ReachbenchFixtureTests.cs b/tests/reachability/StellaOps.Reachability.FixtureTests/ReachbenchFixtureTests.cs index 82d78a1ee..76f820b98 100644 --- a/tests/reachability/StellaOps.Reachability.FixtureTests/ReachbenchFixtureTests.cs +++ b/tests/reachability/StellaOps.Reachability.FixtureTests/ReachbenchFixtureTests.cs @@ -1,6 +1,8 @@ using System.Text.Json; using FluentAssertions; using Xunit; +using System.Security.Cryptography; +using System.Linq; namespace StellaOps.Reachability.FixtureTests; 
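Review bot: The two `using` directives added to ReachbenchFixtureTests.cs are appended after `using Xunit;` instead of being grouped with the existing `System.*` namespace at the top of the block. Sorting them as `using System.Linq;`, `using System.Security.Cryptography;`, `using System.Text.Json;` ahead of the third-party namespaces keeps the block consistent. The hunk starts at line 1 and shows no `using System.IO;` although the tests call `Path` and `File`, which suggests implicit usings are enabled; if so, `using System.Linq;` is probably redundant, which is worth confirming against the project file.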
@@ -88,6 +90,8 @@ public class ReachbenchFixtureTests using var truthDoc = JsonDocument.Parse(truthStream); truthDoc.RootElement.GetProperty("schema_version").GetString().Should().NotBeNullOrEmpty(); truthDoc.RootElement.GetProperty("paths").ValueKind.Should().Be(JsonValueKind.Array); + + VerifyManifestHashes(caseId, variantPath, requiredFiles); } [Theory] @@ -109,6 +113,13 @@ public class ReachbenchFixtureTests variant.TryGetProperty("evidence", out var evidence).Should().BeTrue($"{caseId}:{variantKey} should define evidence"); evidence.TryGetProperty("paths", out var pathsProp).Should().BeTrue(); pathsProp.ValueKind.Should().Be(JsonValueKind.Array); + + var truthPath = Path.Combine(variantPath, "reachgraph.truth.json"); + using var truthStream = File.OpenRead(truthPath); + using var truthDoc = JsonDocument.Parse(truthStream); + var paths = truthDoc.RootElement.GetProperty("paths"); + + paths.ValueKind.Should().Be(JsonValueKind.Array); } private static string LocateRepoRoot() 
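Review bot: The block added after the `evidence` checks (second hunk) re-opens reachgraph.truth.json but only asserts `paths.ValueKind.Should().Be(JsonValueKind.Array)`, which the first test already asserts just above the new `VerifyManifestHashes` call, so nothing here verifies that ground-truth paths align with the variant as the README now states. Going by the fixtures in this commit (non-empty `paths` for reachable, `[]` for unreachable), the missing check is `if (variantKey == "reachable") paths.GetArrayLength().Should().BeGreaterThan(0); else paths.GetArrayLength().Should().Be(0);`, assuming `variantKey` holds those directory names. The enclosing method starts outside the hunk, so whether `variantPath` is already in scope there cannot be confirmed from this view.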
@@ -126,4 +137,23 @@ public class ReachbenchFixtureTests throw new InvalidOperationException("Cannot locate repository root (missing Directory.Build.props)."); } + + private static void VerifyManifestHashes(string caseId, string variantPath, IEnumerable requiredFiles) + { + var manifestPath = Path.Combine(variantPath, "manifest.json"); + using var manifestStream = File.OpenRead(manifestPath); + using var manifestDoc = JsonDocument.Parse(manifestStream); + var files = manifestDoc.RootElement.GetProperty("files"); + + foreach (var file in requiredFiles.Where(f => f != "manifest.json")) + { + files.TryGetProperty(file, out var hashProp).Should().BeTrue($"{caseId}:{variantPath} manifest missing hash for {file}"); + var expectedHash = hashProp.GetString(); + expectedHash.Should().NotBeNullOrEmpty($"{caseId}:{variantPath} hash missing for {file}"); + + var path = Path.Combine(variantPath, file); + var actualHash = BitConverter.ToString(SHA256.HashData(File.ReadAllBytes(path))).Replace("-", "").ToLowerInvariant(); + actualHash.Should().Be(expectedHash, $"{caseId}:{variantPath} hash mismatch for {file}"); + } + } } diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/attestation.dsse.json index eba0a64c3..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/attestation.dsse.json 
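Review bot: VerifyManifestHashes proves only that each entry of `requiredFiles` has a matching hash; it never reads the manifest's own `case_id` and `variant` fields, so a manifest whose identity fields are wrong still passes. Adding `manifestDoc.RootElement.GetProperty("case_id").GetString().Should().Be(caseId);` and the equivalent check for `variant` would close that, assuming `caseId` is the case directory name. Entries the manifest lists beyond `requiredFiles` are never hashed either; iterating `files.EnumerateObject()` would cover them. A comment above the method such as `// Drift check only: manifest.json is unsigned and stored beside the files it hashes.` would also help, since the DSSE envelopes in this commit carry an empty payload and no signatures.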
@@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/curl-CVE-2023-38545-socks5-heap:reachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/callgraph.framework.json @@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/callgraph.static.json index 51e50e846..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/callgraph.static.json 
@@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://curl:curl.c#entry" - }, - { - "sid": "sym://curl:curl.c#sink" - } - ], - "edges": [ - { - "from": "sym://curl:curl.c#entry", - "to": "sym://curl:curl.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/manifest.json index c4ecf464f..888c4b81c 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/manifest.json 
@@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/curl-CVE-2023-38545-socks5-heap:reachable", - "config_flags": { - "FEATURE_FLAG": true, - "POLICY_MODE": "permissive" + "case_id": "curl-CVE-2023-38545-socks5-heap", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "9545261d413f4f85d120ebe8432c32ba97ba3feb2d34075fd689fcb5794f3ab0", + "sbom.cdx.json": "ce41fd9b9edadf94a8cc84a3cce4e175b0602fd2e0d8dcb067273b9584479980", + "sbom.spdx.json": "10d7417961d3cac0f3a5c4b083917fba3dc4f9bd9140d80aad0a873435158482", + "symbols.json": "c5f473aff5b428df5a3f9c3393b7fbceb94214e3c2fd4f547d4f258ca25a3080", + "vex.openvex.json": "0518d09c2ae692b96553feb821ff8138fc0ea6c840d75c1f80149add21127ddd" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/reachgraph.truth.json index e0b3384f7..a52ebba37 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/reachgraph.truth.json 
@@ -1,16 +1,12 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://curl:curl.c#sink", - "kind": "generic" - } - ], + "case_id": "curl-CVE-2023-38545-socks5-heap", "paths": [ [ "sym://net:handler#read", "sym://curl:curl.c#entry", "sym://curl:curl.c#sink" ] - ] + ], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/sbom.cdx.json index 42913d53b..7d05ea6e3 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "curl-CVE-2023-38545-socks5-heap", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/sbom.spdx.json index 38e10e06b..41e5853ed 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/sbom.spdx.json 
@@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "curl-CVE-2023-38545-socks5-heap", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/symbols.json index 8418109e8..b1f622030 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/symbols.json @@ -1,31 +1,8 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/curl@0.0.1", - "files": [ - { - "path": "/src/curl.c", - "funcs": [ - { - "sid": "sym://curl:curl.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://curl:curl.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "curl-CVE-2023-38545-socks5-heap", + "schema_version": "reachbench.symbols/v1", + "symbols": [ + "sym://curl:curl.c#sink" + ], + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/vex.openvex.json index 7fb2e0f81..6c4f8d20e 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/vex.openvex.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/vex.openvex.json 
@@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2023-38545", + "products": [ + "pkg:curl-CVE-2023-38545-socks5-heap" + ], "status": "affected", - "justification": "reasoning_provided", - "impact_statement": "Function-level path is reachable." + "statusJustification": "component_present", + "vulnerability": "cve:CVE-2023-38545" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/attestation.dsse.json index c61435ee1..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/curl-CVE-2023-38545-socks5-heap:unreachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
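Review bot: In the reachable vex.openvex.json hunk the statement now uses the key `statusJustification`, whereas OpenVEX names that field `justification` (the key the removed lines used) and, as far as the spec goes, defines it for `not_affected` statements only; a conforming parser would therefore see no justification, and `component_present` is not one of the defined values. The same key appears in the unreachable variant of this case and in the dotnet-kestrel VEX hunks further down. In the unreachable variant the value also changes from `vulnerable_code_not_in_execute_path` to `component_not_present`, which no longer describes an unreachable code path; for a reachability benchmark `"justification": "vulnerable_code_not_in_execute_path"` looks like the intended statement. If these files are only schema-shaped placeholders that the pipeline never parses as OpenVEX, a line in the README saying so would avoid the confusion.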
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/callgraph.framework.json @@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/callgraph.static.json index 51e50e846..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://curl:curl.c#entry" - }, - { - "sid": "sym://curl:curl.c#sink" - } - ], - "edges": [ - { - "from": "sym://curl:curl.c#entry", - "to": "sym://curl:curl.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/manifest.json index df343b8b0..ead315f92 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/curl-CVE-2023-38545-socks5-heap:unreachable", - "config_flags": { - "FEATURE_FLAG": false, - "POLICY_MODE": "enforcing" + "case_id": "curl-CVE-2023-38545-socks5-heap", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "490c4175eb06e0c623e60263d2ce029ffa8b236aea5780c448b8180f38a1bf6f", + "sbom.cdx.json": "ce41fd9b9edadf94a8cc84a3cce4e175b0602fd2e0d8dcb067273b9584479980", + "sbom.spdx.json": "10d7417961d3cac0f3a5c4b083917fba3dc4f9bd9140d80aad0a873435158482", + "symbols.json": "1b6a9e5598d2521e0ca55ed0f3f287ef19dc11cb1fb24fe961370c2fa7036214", + "vex.openvex.json": "a9fa7e917601538e17750fb1c25b24e18333c779ec0d5d98d4fbccf84e2f544e" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/reachgraph.truth.json index e0b3384f7..7210bf519 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/reachgraph.truth.json @@ -1,16 +1,6 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://curl:curl.c#sink", - "kind": "generic" - } - ], - "paths": [ - [ - "sym://net:handler#read", - "sym://curl:curl.c#entry", - "sym://curl:curl.c#sink" - ] - ] + "case_id": "curl-CVE-2023-38545-socks5-heap", + "paths": [], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/sbom.cdx.json index 42913d53b..7d05ea6e3 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "curl-CVE-2023-38545-socks5-heap", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/sbom.spdx.json index 38e10e06b..41e5853ed 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/sbom.spdx.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "curl-CVE-2023-38545-socks5-heap", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/symbols.json index 8418109e8..1d1c90c65 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/symbols.json @@ -1,31 +1,6 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/curl@0.0.1", - "files": [ - { - "path": "/src/curl.c", - "funcs": [ - { - "sid": "sym://curl:curl.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://curl:curl.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "curl-CVE-2023-38545-socks5-heap", + "schema_version": "reachbench.symbols/v1", + "symbols": [], + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/vex.openvex.json index 81bf7b9a5..f1cd84fdd 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/vex.openvex.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2023-38545", + "products": [ + "pkg:curl-CVE-2023-38545-socks5-heap" + ], "status": "not_affected", - "justification": "vulnerable_code_not_in_execute_path", - "impact_statement": "Pruned by configuration; path unreachable." + "statusJustification": "component_not_present", + "vulnerability": "cve:CVE-2023-38545" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/attestation.dsse.json index b32578cbf..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/attestation.dsse.json 
@@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset:reachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/callgraph.framework.json index f280f3ea8..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/callgraph.framework.json @@ -1,10 +1,5 @@ { - "schema_version": "1.0", - "edges": [ - { - "from": "sym://dotnet:Startup#Configure", - "to": "sym://aspnet:UseEndpoints", - "kind": "pipeline" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/callgraph.static.json index be9e912a8..6b25cb074 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://dotnet:dotnet.c#entry" - }, - { - "sid": "sym://dotnet:dotnet.c#sink" - } - ], - "edges": [ - { - "from": "sym://dotnet:dotnet.c#entry", - "to": "sym://dotnet:dotnet.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/manifest.json index 763f1cea2..385fb0ce3 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/manifest.json 
@@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset:reachable", - "config_flags": { - "FEATURE_FLAG": true, - "POLICY_MODE": "permissive" + "case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "5396e1c97612e0963bdaf9d5d3f570f095feaccfd46ed6e96af52a6dc4608608", + "sbom.cdx.json": "8747790b2c9638b08aedca818367852889ee9bb50f1be1212b9c46b27296b8b9", + "sbom.spdx.json": "fd5b8befa1a59f06c315406213426ee516276ad806f4acb1f53472149d97c402", + "symbols.json": "c2bc2c131db1565b272900b2d86733086d601fc05a9072a43b9cd8b89a2e6f95", + "vex.openvex.json": "2bc0466a7b733a0915b6a799e91ec731c0700d5bea8645c0bf983b6da180bc48" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/reachgraph.truth.json index 8490d250f..a42e4cae0 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/reachgraph.truth.json 
@@ -1,16 +1,12 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://dotnet:dotnet.c#sink", - "kind": "generic" - } - ], + "case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset", "paths": [ [ "sym://net:handler#read", "sym://dotnet:dotnet.c#entry", "sym://dotnet:dotnet.c#sink" ] - ] + ], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/sbom.cdx.json index 42913d53b..cd16eeeaf 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/sbom.spdx.json index 38e10e06b..c07ab939c 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/sbom.spdx.json 
@@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/symbols.json index dcd3f5385..b7f3b0cf9 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/symbols.json @@ -1,31 +1,8 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/dotnet@0.0.1", - "files": [ - { - "path": "/src/dotnet.c", - "funcs": [ - { - "sid": "sym://dotnet:dotnet.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://dotnet:dotnet.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset", + "schema_version": "reachbench.symbols/v1", + "symbols": [ + "sym://dotnet:dotnet.c#sink" + ], + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/vex.openvex.json index 34c69c4ef..f9dc62e7f 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/vex.openvex.json 
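Review bot: The new sbom.spdx.json declares `SPDX-2.3` but omits `dataLicense`, `documentNamespace` and `creationInfo`, which that version of the specification requires at document level, so a strict SPDX parser in the pipeline is likely to reject the fixture before any reachability logic runs. Determinism does not require dropping them: `"dataLicense": "CC0-1.0"` and a fixed `creationInfo.created`, such as the `2025-11-18T00:00:00Z` already used in the VEX fixtures, keep the digest stable. The other sbom.spdx.json hunks in this diff have the same gap.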
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2023-44487", + "products": [ + "pkg:dotnet-kestrel-CVE-2023-44487-http2-rapid-reset" + ], "status": "affected", - "justification": "reasoning_provided", - "impact_statement": "Function-level path is reachable." + "statusJustification": "component_present", + "vulnerability": "cve:CVE-2023-44487" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/attestation.dsse.json index 2b0e4a84d..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/attestation.dsse.json 
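Review bot: In the reachable vex.openvex.json the statement uses `statusJustification` with the value `component_present`; as far as I know OpenVEX names the field `justification`, has no `component_present` label, and attaches justifications only to `not_affected` statements, so a conforming parser would ignore or reject this. The product `pkg:dotnet-kestrel-CVE-2023-44487-http2-rapid-reset` also lacks the `type/` segment a package URL needs and matches nothing in the SBOM, whose `components` array is empty; something like `pkg:generic/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset@0.0.0` would line up with the CycloneDX `metadata.component`. For an `affected` statement, dropping the justification field altogether stays closer to the format. The other vex.openvex.json hunks in this diff repeat the field name, and the dotnet-newtonsoft-deser-TBD ones use the case id as the `vulnerability` value.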
@@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset:unreachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/callgraph.framework.json index f280f3ea8..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/callgraph.framework.json @@ -1,10 +1,5 @@ { - "schema_version": "1.0", - "edges": [ - { - "from": "sym://dotnet:Startup#Configure", - "to": "sym://aspnet:UseEndpoints", - "kind": "pipeline" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/callgraph.static.json index be9e912a8..6b25cb074 100644 
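Review bot: The new unreachable attestation.dsse.json is an envelope with `"payload": ""` and `"signatures": []`, and every attestation hunk in this diff lands on the same blob (`58efec7e1`), so the file no longer binds to a case, a variant or the sibling files the old `materials` list named. An empty payload is not an in-toto statement despite the `application/vnd.in-toto+json` payload type, and a consumer that only checks that the envelope parses would accept it. Since JSON leaves no room for a marker comment, the fixture test could pin the placeholder state, for example by asserting that `signatures` is empty and that the pipeline reports the variant as unattested, until real envelopes carrying the manifest digests replace it.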
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://dotnet:dotnet.c#entry" - }, - { - "sid": "sym://dotnet:dotnet.c#sink" - } - ], - "edges": [ - { - "from": "sym://dotnet:dotnet.c#entry", - "to": "sym://dotnet:dotnet.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/manifest.json index 38e73639f..157b3d8a9 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/manifest.json 
@@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset:unreachable", - "config_flags": { - "FEATURE_FLAG": false, - "POLICY_MODE": "enforcing" + "case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "86a0dad5b06b69018a35931b1ef8fb700abe6511f75aa81dcffc23f0411cc086", + "sbom.cdx.json": "8747790b2c9638b08aedca818367852889ee9bb50f1be1212b9c46b27296b8b9", + "sbom.spdx.json": "fd5b8befa1a59f06c315406213426ee516276ad806f4acb1f53472149d97c402", + "symbols.json": "0793a11190a789d63cac1d15ae259dcbe48764dd0f75000176e3abf8f3a3beb6", + "vex.openvex.json": "cd54fe28bf7f171a2a47e6118b05ad26013a32d97e2b9eef143eab75208d9fa4" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/reachgraph.truth.json index 8490d250f..0cfa6853f 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/reachgraph.truth.json 
@@ -1,16 +1,6 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://dotnet:dotnet.c#sink", - "kind": "generic" - } - ], - "paths": [ - [ - "sym://net:handler#read", - "sym://dotnet:dotnet.c#entry", - "sym://dotnet:dotnet.c#sink" - ] - ] + "case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset", + "paths": [], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/sbom.cdx.json index 42913d53b..cd16eeeaf 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/sbom.spdx.json index 38e10e06b..c07ab939c 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/sbom.spdx.json 
@@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/symbols.json index dcd3f5385..7e600aba0 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/symbols.json @@ -1,31 +1,6 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/dotnet@0.0.1", - "files": [ - { - "path": "/src/dotnet.c", - "funcs": [ - { - "sid": "sym://dotnet:dotnet.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://dotnet:dotnet.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset", + "schema_version": "reachbench.symbols/v1", + "symbols": [], + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/vex.openvex.json index 8d117be4d..ba67dff61 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/vex.openvex.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2023-44487", + "products": [ + "pkg:dotnet-kestrel-CVE-2023-44487-http2-rapid-reset" + ], "status": "not_affected", - "justification": "vulnerable_code_not_in_execute_path", - "impact_statement": "Pruned by configuration; path unreachable." + "statusJustification": "component_not_present", + "vulnerability": "cve:CVE-2023-44487" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/attestation.dsse.json index d9f82f1bf..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/dotnet-newtonsoft-deser-TBD:reachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
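Review bot: The unreachable vex.openvex.json replaces `vulnerable_code_not_in_execute_path` with `component_not_present`, which asserts a different fact: the case appears to model a component that is present with its vulnerable path pruned, as the removed `impact_statement` ("Pruned by configuration; path unreachable.") said. With `config_flags` also gone from the variant's manifest, nothing in the fixture records why the path is unreachable, which is the evidence an explainability check needs. Keeping `"justification": "vulnerable_code_not_in_execute_path"` preserves the ground truth; the dotnet-newtonsoft-deser-TBD unreachable VEX hunk later in the diff makes the same substitution.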
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/callgraph.framework.json index f280f3ea8..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/callgraph.framework.json @@ -1,10 +1,5 @@ { - "schema_version": "1.0", - "edges": [ - { - "from": "sym://dotnet:Startup#Configure", - "to": "sym://aspnet:UseEndpoints", - "kind": "pipeline" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/callgraph.static.json index be9e912a8..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://dotnet:dotnet.c#entry" - }, - { - "sid": "sym://dotnet:dotnet.c#sink" - } - ], - "edges": [ - { - "from": "sym://dotnet:dotnet.c#entry", - "to": "sym://dotnet:dotnet.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/manifest.json index a7645af0d..ae021f0b8 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/dotnet-newtonsoft-deser-TBD:reachable", - "config_flags": { - "FEATURE_FLAG": true, - "POLICY_MODE": "permissive" + "case_id": "dotnet-newtonsoft-deser-TBD", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "7c1b7d56df4efc97360ba7754feb1051644e624afa2589971fab09507827e677", + "sbom.cdx.json": "c7283a731ca81300f6cda9e944451062a92c7eb0559ebdc6b96f6afeea637187", + "sbom.spdx.json": "da4978369cae300336e4abd570edb8c8de27bcb5ff2c5131975cae7d8ee01f8e", + "symbols.json": "d03361b683ae570864824a8e57c91ca875590373d949d2f706af488c4ccbcc01", + "vex.openvex.json": "41e52bf3c0b40ca614d32f5c9b719b68c53e2a0f08f483d6c429120060c9d930" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/reachgraph.truth.json index 8490d250f..42baf29fe 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/reachgraph.truth.json @@ -1,16 +1,12 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://dotnet:dotnet.c#sink", - "kind": "generic" - } - ], + "case_id": "dotnet-newtonsoft-deser-TBD", "paths": [ [ "sym://net:handler#read", "sym://dotnet:dotnet.c#entry", "sym://dotnet:dotnet.c#sink" ] - ] + ], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/sbom.cdx.json index 42913d53b..4357ecc76 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "dotnet-newtonsoft-deser-TBD", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/sbom.spdx.json index 38e10e06b..628eb1fd1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/sbom.spdx.json 
@@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "dotnet-newtonsoft-deser-TBD", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/symbols.json index dcd3f5385..f6c4b69aa 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/symbols.json @@ -1,31 +1,8 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/dotnet@0.0.1", - "files": [ - { - "path": "/src/dotnet.c", - "funcs": [ - { - "sid": "sym://dotnet:dotnet.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://dotnet:dotnet.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "dotnet-newtonsoft-deser-TBD", + "schema_version": "reachbench.symbols/v1", + "symbols": [ + "sym://dotnet:dotnet.c#sink" + ], + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/vex.openvex.json index a9c299cc5..ee82e8bb1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/vex.openvex.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/vex.openvex.json 
@@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "TBD", + "products": [ + "pkg:dotnet-newtonsoft-deser-TBD" + ], "status": "affected", - "justification": "reasoning_provided", - "impact_statement": "Function-level path is reachable." + "statusJustification": "component_present", + "vulnerability": "dotnet-newtonsoft-deser-TBD" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/attestation.dsse.json index e3346d699..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/dotnet-newtonsoft-deser-TBD:unreachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/callgraph.framework.json index f280f3ea8..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/callgraph.framework.json @@ -1,10 +1,5 @@ { - "schema_version": "1.0", - "edges": [ - { - "from": "sym://dotnet:Startup#Configure", - "to": "sym://aspnet:UseEndpoints", - "kind": "pipeline" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/callgraph.static.json index be9e912a8..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://dotnet:dotnet.c#entry" - }, - { - "sid": "sym://dotnet:dotnet.c#sink" - } - ], - "edges": [ - { - "from": "sym://dotnet:dotnet.c#entry", - "to": "sym://dotnet:dotnet.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/manifest.json index ca3253816..8eb124281 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/dotnet-newtonsoft-deser-TBD:unreachable", - "config_flags": { - "FEATURE_FLAG": false, - "POLICY_MODE": "enforcing" + "case_id": "dotnet-newtonsoft-deser-TBD", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "aa1c4c8133ae26349e1a740293e875d91f3a5ba1b241eb39617a09ea1b6ced8e", + "sbom.cdx.json": "c7283a731ca81300f6cda9e944451062a92c7eb0559ebdc6b96f6afeea637187", + "sbom.spdx.json": "da4978369cae300336e4abd570edb8c8de27bcb5ff2c5131975cae7d8ee01f8e", + "symbols.json": "a804343735751e99bda81ce614d890fe19cb510bcb3d3b17dff05ab01decf2e1", + "vex.openvex.json": "65cdb8a5d02277eacf194c23cdb7a8adada7318f45f5ce4eb0e09fbcd9d8b615" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/reachgraph.truth.json index 8490d250f..68c4c3480 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/reachgraph.truth.json @@ -1,16 +1,6 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://dotnet:dotnet.c#sink", - "kind": "generic" - } - ], - "paths": [ - [ - "sym://net:handler#read", - "sym://dotnet:dotnet.c#entry", - "sym://dotnet:dotnet.c#sink" - ] - ] + "case_id": "dotnet-newtonsoft-deser-TBD", + "paths": [], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/sbom.cdx.json index 42913d53b..4357ecc76 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "dotnet-newtonsoft-deser-TBD", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/sbom.spdx.json index 38e10e06b..628eb1fd1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/sbom.spdx.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "dotnet-newtonsoft-deser-TBD", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/symbols.json index dcd3f5385..253611ee6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/symbols.json @@ -1,31 +1,6 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/dotnet@0.0.1", - "files": [ - { - "path": "/src/dotnet.c", - "funcs": [ - { - "sid": "sym://dotnet:dotnet.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://dotnet:dotnet.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "dotnet-newtonsoft-deser-TBD", + "schema_version": "reachbench.symbols/v1", + "symbols": [], + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/vex.openvex.json index eb7c35e0b..3bab1a3d6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/vex.openvex.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "TBD", + "products": [ + "pkg:dotnet-newtonsoft-deser-TBD" + ], "status": "not_affected", - "justification": "vulnerable_code_not_in_execute_path", - "impact_statement": "Pruned by configuration; path unreachable." + "statusJustification": "component_not_present", + "vulnerability": "dotnet-newtonsoft-deser-TBD" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/attestation.dsse.json index 43420b921..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/glibc-CVE-2023-4911-looney-tunables:reachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/callgraph.framework.json @@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/callgraph.static.json index c53742bff..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://glibc:glibc.c#entry" - }, - { - "sid": "sym://glibc:glibc.c#sink" - } - ], - "edges": [ - { - "from": "sym://glibc:glibc.c#entry", - "to": "sym://glibc:glibc.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
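Review bot: The reachable variant's static callgraph loses its two nodes and the entry-to-sink edge in the callgraph.static.json hunk, yet `reachgraph.truth.json` for the same variant still declares the path `sym://net:handler#read` → `sym://glibc:glibc.c#entry` → `sym://glibc:glibc.c#sink`. With `"edges": []` the reachable and unreachable callgraphs become byte-identical (both manifests pin `99c850cc…` for `callgraph.static.json`). A pipeline fed this fixture then has no graph evidence from which to reproduce the ground-truth path, and `symbols.json` now lists only the sink. Keeping `{"from": "sym://glibc:glibc.c#entry", "to": "sym://glibc:glibc.c#sink", "kind": "direct"}` and its two nodes in the reachable variant would keep the variants distinguishable. The go-gateway callgraph.static.json hunks have the same gap.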
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/manifest.json index 3ac7506e0..d74bfc872 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/glibc-CVE-2023-4911-looney-tunables:reachable", - "config_flags": { - "FEATURE_FLAG": true, - "POLICY_MODE": "permissive" + "case_id": "glibc-CVE-2023-4911-looney-tunables", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "f7200c066db6fefd2ed3168497ae7d8cb585f1d12479086217007df1bb2c1460", + "sbom.cdx.json": "e3bbce1051a27f877fdd76634902c835ac21a7f53241308878a404dbced491fc", + "sbom.spdx.json": "2b30ff6eabf0b4c5e76f2e5de6af21a6b48a746c51298a708a3674976ef5b8f8", + "symbols.json": "27dd785d49ef6b4229a0e5a25107346eea5cc8b7dd01c2fb9ba73b53456bcaee", + "vex.openvex.json": "bd6f67166fb31fa2a5e7211b71e083c8611f9c2b7d7e0607c31ce6df777a1f69" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/reachgraph.truth.json index 171e31b94..b743a4600 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/reachgraph.truth.json @@ -1,16 +1,12 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://glibc:glibc.c#sink", - "kind": "generic" - } - ], + "case_id": "glibc-CVE-2023-4911-looney-tunables", "paths": [ [ "sym://net:handler#read", "sym://glibc:glibc.c#entry", "sym://glibc:glibc.c#sink" ] - ] + ], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/sbom.cdx.json index 42913d53b..dd404feae 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "glibc-CVE-2023-4911-looney-tunables", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/sbom.spdx.json index 38e10e06b..d4f57694a 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/sbom.spdx.json 
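Review bot: The `metadata.component` object added in the sbom.cdx.json hunk has `name` and `version` but no `type`, which the CycloneDX component schema requires, so a schema-validating consumer would reject this BOM. Adding `"type": "application"` (or whichever type fits the case) next to `"name"` fixes that. `specVersion` also moves from 1.6 down to 1.5 without a stated reason, and `components` stays empty, so the SBOM names no package that the VEX statement's product could be matched against. The other sbom.cdx.json hunks in this diff differ only in the name.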
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "glibc-CVE-2023-4911-looney-tunables", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/symbols.json index 84134e556..5becc85cf 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/symbols.json @@ -1,31 +1,8 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/glibc@0.0.1", - "files": [ - { - "path": "/src/glibc.c", - "funcs": [ - { - "sid": "sym://glibc:glibc.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://glibc:glibc.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "glibc-CVE-2023-4911-looney-tunables", + "schema_version": "reachbench.symbols/v1", + "symbols": [ + "sym://glibc:glibc.c#sink" + ], + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/vex.openvex.json index be84e9c73..83463d235 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/vex.openvex.json 
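Review bot: The sbom.spdx.json document now declares `"spdxVersion": "SPDX-2.3"` but drops `creationInfo` and has no `dataLicense` or `documentNamespace`, all of which SPDX 2.3 requires at document level, so strict SPDX parsers would refuse it. If the timestamp was removed to keep the file hash stable (an assumption, the diff does not say), a fixed value does the same job. For example, `"creationInfo": {"created": "2025-11-18T00:00:00Z", "creators": ["Tool: reachbench"]}` (constructed sample values) together with `"dataLicense": "CC0-1.0"` and a constant `documentNamespace`. The same applies to every sbom.spdx.json hunk in this diff.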
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2023-4911", + "products": [ + "pkg:glibc-CVE-2023-4911-looney-tunables" + ], "status": "affected", - "justification": "reasoning_provided", - "impact_statement": "Function-level path is reachable." + "statusJustification": "component_present", + "vulnerability": "cve:CVE-2023-4911" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/attestation.dsse.json index f704075e6..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/glibc-CVE-2023-4911-looney-tunables:unreachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/callgraph.framework.json @@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/callgraph.static.json index c53742bff..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://glibc:glibc.c#entry" - }, - { - "sid": "sym://glibc:glibc.c#sink" - } - ], - "edges": [ - { - "from": "sym://glibc:glibc.c#entry", - "to": "sym://glibc:glibc.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/manifest.json index f1d40604b..abab27268 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/glibc-CVE-2023-4911-looney-tunables:unreachable", - "config_flags": { - "FEATURE_FLAG": false, - "POLICY_MODE": "enforcing" + "case_id": "glibc-CVE-2023-4911-looney-tunables", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "836f543e3e7b593582e2ffb529456ffc4309ec79d41e5f8b9eb5696f54d17883", + "sbom.cdx.json": "e3bbce1051a27f877fdd76634902c835ac21a7f53241308878a404dbced491fc", + "sbom.spdx.json": "2b30ff6eabf0b4c5e76f2e5de6af21a6b48a746c51298a708a3674976ef5b8f8", + "symbols.json": "fe742caccb2134c46594f3816b58b06f1cad6f2d62ea8dd55ad31ce4ce672906", + "vex.openvex.json": "3ebcafe7d9e0f211f80783568cd9bc4a92ddaa3609b2b0ef11471031246cadde" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/reachgraph.truth.json index 171e31b94..12f08d1b9 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/reachgraph.truth.json @@ -1,16 +1,6 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://glibc:glibc.c#sink", - "kind": "generic" - } - ], - "paths": [ - [ - "sym://net:handler#read", - "sym://glibc:glibc.c#entry", - "sym://glibc:glibc.c#sink" - ] - ] + "case_id": "glibc-CVE-2023-4911-looney-tunables", + "paths": [], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/sbom.cdx.json index 42913d53b..dd404feae 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "glibc-CVE-2023-4911-looney-tunables", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/sbom.spdx.json index 38e10e06b..d4f57694a 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/sbom.spdx.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "glibc-CVE-2023-4911-looney-tunables", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/symbols.json index 84134e556..65a55aeb3 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/symbols.json @@ -1,31 +1,6 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/glibc@0.0.1", - "files": [ - { - "path": "/src/glibc.c", - "funcs": [ - { - "sid": "sym://glibc:glibc.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://glibc:glibc.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "glibc-CVE-2023-4911-looney-tunables", + "schema_version": "reachbench.symbols/v1", + "symbols": [], + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/vex.openvex.json index 06aa27535..e178a4473 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/vex.openvex.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2023-4911", + "products": [ + "pkg:glibc-CVE-2023-4911-looney-tunables" + ], "status": "not_affected", - "justification": "vulnerable_code_not_in_execute_path", - "impact_statement": "Pruned by configuration; path unreachable." + "statusJustification": "component_not_present", + "vulnerability": "cve:CVE-2023-4911" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/attestation.dsse.json index 6bf3a3fdc..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/go-gateway-reflection-auth-bypass:reachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/callgraph.framework.json @@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/callgraph.static.json index 748757d4e..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://go:go.c#entry" - }, - { - "sid": "sym://go:go.c#sink" - } - ], - "edges": [ - { - "from": "sym://go:go.c#entry", - "to": "sym://go:go.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/manifest.json index d1f2e178c..5bb8e6a10 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/go-gateway-reflection-auth-bypass:reachable", - "config_flags": { - "FEATURE_FLAG": true, - "POLICY_MODE": "permissive" + "case_id": "go-gateway-reflection-auth-bypass", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "f7c362965a307a6cf40f7921d2ad508cd503fa924ed3a391dba3afe54ab0dcdd", + "sbom.cdx.json": "16a041571c0641abe57929624e49f07353edb8980ecdd16340ef83f24f127cba", + "sbom.spdx.json": "8abd620f40a28d379b861d6ef640017ea119a8870890009dbd8126ed621a5c73", + "symbols.json": "dbf69a19ce1676cc809597ed9fce78c9fe8ebcf25186949a107971116a79a39b", + "vex.openvex.json": "b550e30451d7ef7ff612606711ecede1089d914bd8a26f5fbcf01ff1d4e36149" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/reachgraph.truth.json index b29ccad76..ad8690c84 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/reachgraph.truth.json @@ -1,16 +1,12 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://go:go.c#sink", - "kind": "generic" - } - ], + "case_id": "go-gateway-reflection-auth-bypass", "paths": [ [ "sym://net:handler#read", "sym://go:go.c#entry", "sym://go:go.c#sink" ] - ] + ], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/sbom.cdx.json index 42913d53b..a1e9c7cc0 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "go-gateway-reflection-auth-bypass", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/sbom.spdx.json index 38e10e06b..e30ef3556 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/sbom.spdx.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "go-gateway-reflection-auth-bypass", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/symbols.json index fd69f70b1..1f5204ee6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/symbols.json @@ -1,31 +1,8 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/go@0.0.1", - "files": [ - { - "path": "/src/go.c", - "funcs": [ - { - "sid": "sym://go:go.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://go:go.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "go-gateway-reflection-auth-bypass", + "schema_version": "reachbench.symbols/v1", + "symbols": [ + "sym://go:go.c#sink" + ], + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/vex.openvex.json index a9c299cc5..4262050e8 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/vex.openvex.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "TBD", + "products": [ + "pkg:go-gateway-reflection-auth-bypass" + ], "status": "affected", - "justification": "reasoning_provided", - "impact_statement": "Function-level path is reachable." + "statusJustification": "component_present", + "vulnerability": "go-gateway-reflection-auth-bypass" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/attestation.dsse.json index db7c250c9..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/go-gateway-reflection-auth-bypass:unreachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/callgraph.framework.json @@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/callgraph.static.json index 748757d4e..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://go:go.c#entry" - }, - { - "sid": "sym://go:go.c#sink" - } - ], - "edges": [ - { - "from": "sym://go:go.c#entry", - "to": "sym://go:go.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/manifest.json index e252d8835..acd665579 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/go-gateway-reflection-auth-bypass:unreachable", - "config_flags": { - "FEATURE_FLAG": false, - "POLICY_MODE": "enforcing" + "case_id": "go-gateway-reflection-auth-bypass", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "df9749530b5dc16127ab6782877e19e2bde09a40f7cd44edc8af327619498d32", + "sbom.cdx.json": "16a041571c0641abe57929624e49f07353edb8980ecdd16340ef83f24f127cba", + "sbom.spdx.json": "8abd620f40a28d379b861d6ef640017ea119a8870890009dbd8126ed621a5c73", + "symbols.json": "6571c9c658f4b0a967542a02cd5e5f4b82dd1ffaf7758c51d3ac9c2a83c6c86e", + "vex.openvex.json": "69ffc3f74db3d723a0354c0aa05f4e5920fdb02fc8ac72e9d82392b5997f074d" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/reachgraph.truth.json index b29ccad76..165afefb0 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/reachgraph.truth.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/reachgraph.truth.json
@@ -1,16 +1,6 @@
 {
- "schema_version": "1.0",
- "sinks": [
- {
- "sid": "sym://go:go.c#sink",
- "kind": "generic"
- }
- ],
- "paths": [
- [
- "sym://net:handler#read",
- "sym://go:go.c#entry",
- "sym://go:go.c#sink"
- ]
- ]
+ "case_id": "go-gateway-reflection-auth-bypass",
+ "paths": [],
+ "schema_version": "reachbench.reachgraph.truth/v1",
+ "variant": "unreachable"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/sbom.cdx.json
index 42913d53b..a1e9c7cc0 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/sbom.cdx.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/sbom.cdx.json
@@ -1,5 +1,11 @@
 {
 "bomFormat": "CycloneDX",
- "specVersion": "1.6",
- "components": []
+ "components": [],
+ "metadata": {
+ "component": {
+ "name": "go-gateway-reflection-auth-bypass",
+ "version": "0.0.0"
+ }
+ },
+ "specVersion": "1.5"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/sbom.spdx.json
index 38e10e06b..e30ef3556 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/sbom.spdx.json
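Review bot: The new `metadata.component` object in `sbom.cdx.json` has `name` and `version` but no `type`, which the CycloneDX component schema requires, so a strict validator would reject the fixture; adding `"type": "application",` inside `component` fixes that. `components` is still empty, so nothing in the SBOM corresponds to the `pkg:` product named in this variant's VEX statement, and a scanner correlating the two has nothing to match. The `specVersion` change from `1.6` to `1.5` is not explained in the visible part of the commit. The other `sbom.cdx.json` hunks in this diff have the same shape.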
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/sbom.spdx.json
@@ -1,6 +1,6 @@
 {
- "spdxVersion": "SPDX-3.0",
- "creationInfo": {
- "created": "2025-11-07T22:40:04Z"
- }
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "name": "go-gateway-reflection-auth-bypass",
+ "packages": [],
+ "spdxVersion": "SPDX-2.3"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/symbols.json
index fd69f70b1..5243c8ddc 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/symbols.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/symbols.json
@@ -1,31 +1,6 @@
 {
- "schema_version": "1.0",
- "components": [
- {
- "purl": "pkg:generic/go@0.0.1",
- "files": [
- {
- "path": "/src/go.c",
- "funcs": [
- {
- "sid": "sym://go:go.c#entry",
- "name": "entry",
- "range": {
- "start": 10,
- "end": 20
- }
- },
- {
- "sid": "sym://go:go.c#sink",
- "name": "sink",
- "range": {
- "start": 30,
- "end": 60
- }
- }
- ]
- }
- ]
- }
- ]
+ "case_id": "go-gateway-reflection-auth-bypass",
+ "schema_version": "reachbench.symbols/v1",
+ "symbols": [],
+ "variant": "unreachable"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/vex.openvex.json
index eb7c35e0b..dafa0f91a 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/vex.openvex.json
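Review bot: `sbom.spdx.json` now declares `SPDX-2.3`, but the hunk removes `creationInfo` and adds neither `dataLicense` nor `documentNamespace`, all of which SPDX 2.3 lists as mandatory document fields as far as I know, so a schema-validating consumer would reject the fixture. If the timestamp was dropped to keep the manifest hash stable, a fixed value does the same job, for example `"creationInfo": { "created": "2025-11-18T00:00:00Z", "creators": ["Tool: reachbench"] }` together with `"dataLicense": "CC0-1.0"`. The creator string there is a constructed example and the timestamp is the one this commit uses in the VEX files. The other `sbom.spdx.json` hunks in this diff have the same gap.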
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/vex.openvex.json
@@ -1,12 +1,15 @@
 {
- "author": "reachbench-2025",
- "timestamp": "2025-11-07T22:40:04Z",
+ "author": "StellaOps",
+ "role": "reachbench",
 "statements": [
 {
- "vulnerability": "TBD",
+ "products": [
+ "pkg:go-gateway-reflection-auth-bypass"
+ ],
 "status": "not_affected",
- "justification": "vulnerable_code_not_in_execute_path",
- "impact_statement": "Pruned by configuration; path unreachable."
+ "statusJustification": "component_not_present",
+ "vulnerability": "go-gateway-reflection-auth-bypass"
 }
- ]
+ ],
+ "timestamp": "2025-11-18T00:00:00Z"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/attestation.dsse.json
index bd2452b8d..58efec7e1 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/attestation.dsse.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/attestation.dsse.json
@@ -1,30 +1,5 @@
 {
- "dsse_version": "1.0",
- "subject": [
- {
- "name": "ghcr.io/reachbench/go-ssh-CVE-2020-9283-keyexchange:reachable",
- "digest": {
- "sha256": "STUB_DIGEST"
- }
- }
- ],
- "statement": {
- "type": "reachbench.attestation",
- "materials": [
- "sbom.cdx.json",
- "sbom.spdx.json",
- "symbols.json",
- "callgraph.static.json",
- "callgraph.framework.json",
- "reachgraph.truth.json",
- "vex.openvex.json"
- ]
- },
- "signatures": [
- {
- "keyid": "STUB",
- "sig": "STUB_SIGNATURE",
- "alg": "dilithium2"
- }
- ]
+ "payload": "",
+ "payloadType": "application/vnd.in-toto+json",
+ "signatures": []
 }
\ No newline at end of file
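Review bot: In the go-gateway unreachable `vex.openvex.json`, the statement uses the key `statusJustification`, whereas OpenVEX names this field `justification`, so an OpenVEX consumer would most likely ignore it and see a `not_affected` status with no justification at all. The value also changes from `vulnerable_code_not_in_execute_path` to `component_not_present`, which contradicts the `products` entry in the same statement and discards the reachability-specific reason this benchmark is meant to exercise; `"justification": "vulnerable_code_not_in_execute_path"` keeps both. The reachable variants later in the diff use `component_present`, which is not one of the OpenVEX justification values as far as I know. `vulnerability` here holds the case id rather than a vulnerability identifier, which is worth confirming as intended.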
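Review bot: The go-ssh reachable `attestation.dsse.json` is reduced to `"payload": ""` and `"signatures": []`, so the envelope attests to nothing and is bound to no case; every manifest visible in this diff records the same digest for this file. Any consumer in the pipeline has to treat zero signatures as unverified rather than as a passing envelope, and a fixture test asserting exactly that would keep the behaviour from regressing. If the envelope is meant to carry evidence, the payload should be a base64-encoded in-toto statement whose subjects are the digests from the variant's `manifest.json`. The other `attestation.dsse.json` hunks in this diff are identical.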
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/callgraph.framework.json
index 299d7dd3b..e05bd98c6 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/callgraph.framework.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/callgraph.framework.json
@@ -1,4 +1,5 @@
 {
- "schema_version": "1.0",
- "edges": []
+ "edges": [],
+ "nodes": [],
+ "schema_version": "reachbench.callgraph.framework/v1"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/callgraph.static.json
index 748757d4e..6b25cb074 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/callgraph.static.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/callgraph.static.json
@@ -1,18 +1,5 @@
 {
- "schema_version": "1.0",
- "nodes": [
- {
- "sid": "sym://go:go.c#entry"
- },
- {
- "sid": "sym://go:go.c#sink"
- }
- ],
- "edges": [
- {
- "from": "sym://go:go.c#entry",
- "to": "sym://go:go.c#sink",
- "kind": "direct"
- }
- ]
+ "edges": [],
+ "nodes": [],
+ "schema_version": "reachbench.callgraph.static/v1"
 }
\ No newline at end of file
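Review bot: The reachable variant's `callgraph.static.json` is emptied to `"edges": []` and `"nodes": []`, yet the same variant's `reachgraph.truth.json` later in this diff still expects the path `sym://net:handler#read` → `sym://go:go.c#entry` → `sym://go:go.c#sink`, and its `symbols.json` lists only the sink. Nothing in the fixture lets an analyzer derive that path, so the reachable ground truth rests on no evidence and a tool that correctly reports no path from these inputs would be scored as wrong. Keeping the removed edge in the reachable variant, `{ "from": "sym://go:go.c#entry", "to": "sym://go:go.c#sink", "kind": "direct" }` with matching `nodes` entries, would restore consistency, assuming the `reachbench.callgraph.static/v1` schema keeps that shape. The java-jackson reachable hunks do the same and also drop the `DispatcherServlet#doDispatch` framework edge.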
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/manifest.json
index 314fa279e..2374343c5 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/manifest.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/manifest.json
@@ -1,8 +1,15 @@
 {
- "image": "ghcr.io/reachbench/go-ssh-CVE-2020-9283-keyexchange:reachable",
- "config_flags": {
- "FEATURE_FLAG": true,
- "POLICY_MODE": "permissive"
+ "case_id": "go-ssh-CVE-2020-9283-keyexchange",
+ "files": {
+ "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
+ "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
+ "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
+ "reachgraph.truth.json": "43fee4eeb52cec12879355873638959460eb91c463e2b2d3a67ef033f906469f",
+ "sbom.cdx.json": "a975829c9537c16db4d19306ba6bc809930b6ad9f96495a8202d59d3f174cf2c",
+ "sbom.spdx.json": "399d1f0946dfbe0fb66749f2b08df539f93285affbd059e0b66df55f485ed39a",
+ "symbols.json": "189002d4626708cdad2ff1bda786c47dd90002915f411324ad5dccbce65ba26d",
+ "vex.openvex.json": "1fdce721814a1a0c502882ab514ac7a361fdd3ea866869f4cf2c07578feb23d7"
 },
- "sha256": "STUB_DIGEST"
+ "schema_version": "reachbench.manifest/v1",
+ "variant": "reachable"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/reachgraph.truth.json
index b29ccad76..ba7388926 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/reachgraph.truth.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/reachgraph.truth.json
@@ -1,16 +1,12 @@
 {
- "schema_version": "1.0",
- "sinks": [
- {
- "sid": "sym://go:go.c#sink",
- "kind": "generic"
- }
- ],
+ "case_id": "go-ssh-CVE-2020-9283-keyexchange",
 "paths": [
 [
 "sym://net:handler#read",
 "sym://go:go.c#entry",
 "sym://go:go.c#sink"
 ]
- ]
+ ],
+ "schema_version": "reachbench.reachgraph.truth/v1",
+ "variant": "reachable"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/sbom.cdx.json
index 42913d53b..c2da74041 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/sbom.cdx.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/sbom.cdx.json
@@ -1,5 +1,11 @@
 {
 "bomFormat": "CycloneDX",
- "specVersion": "1.6",
- "components": []
+ "components": [],
+ "metadata": {
+ "component": {
+ "name": "go-ssh-CVE-2020-9283-keyexchange",
+ "version": "0.0.0"
+ }
+ },
+ "specVersion": "1.5"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/sbom.spdx.json
index 38e10e06b..1c11d2993 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/sbom.spdx.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/sbom.spdx.json
@@ -1,6 +1,6 @@
 {
- "spdxVersion": "SPDX-3.0",
- "creationInfo": {
- "created": "2025-11-07T22:40:04Z"
- }
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "name": "go-ssh-CVE-2020-9283-keyexchange",
+ "packages": [],
+ "spdxVersion": "SPDX-2.3"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/symbols.json
index fd69f70b1..de54442de 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/symbols.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/symbols.json
@@ -1,31 +1,8 @@
 {
- "schema_version": "1.0",
- "components": [
- {
- "purl": "pkg:generic/go@0.0.1",
- "files": [
- {
- "path": "/src/go.c",
- "funcs": [
- {
- "sid": "sym://go:go.c#entry",
- "name": "entry",
- "range": {
- "start": 10,
- "end": 20
- }
- },
- {
- "sid": "sym://go:go.c#sink",
- "name": "sink",
- "range": {
- "start": 30,
- "end": 60
- }
- }
- ]
- }
- ]
- }
- ]
+ "case_id": "go-ssh-CVE-2020-9283-keyexchange",
+ "schema_version": "reachbench.symbols/v1",
+ "symbols": [
+ "sym://go:go.c#sink"
+ ],
+ "variant": "reachable"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/vex.openvex.json
index 5b63537f4..6173b94ea 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/vex.openvex.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/vex.openvex.json
@@ -1,12 +1,15 @@
 {
- "author": "reachbench-2025",
- "timestamp": "2025-11-07T22:40:04Z",
+ "author": "StellaOps",
+ "role": "reachbench",
 "statements": [
 {
- "vulnerability": "CVE-2020-9283",
+ "products": [
+ "pkg:go-ssh-CVE-2020-9283-keyexchange"
+ ],
 "status": "affected",
- "justification": "reasoning_provided",
- "impact_statement": "Function-level path is reachable."
+ "statusJustification": "component_present",
+ "vulnerability": "cve:CVE-2020-9283"
 }
- ]
+ ],
+ "timestamp": "2025-11-18T00:00:00Z"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/attestation.dsse.json
index c036a3ba3..58efec7e1 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/attestation.dsse.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/attestation.dsse.json
@@ -1,30 +1,5 @@
 {
- "dsse_version": "1.0",
- "subject": [
- {
- "name": "ghcr.io/reachbench/go-ssh-CVE-2020-9283-keyexchange:unreachable",
- "digest": {
- "sha256": "STUB_DIGEST"
- }
- }
- ],
- "statement": {
- "type": "reachbench.attestation",
- "materials": [
- "sbom.cdx.json",
- "sbom.spdx.json",
- "symbols.json",
- "callgraph.static.json",
- "callgraph.framework.json",
- "reachgraph.truth.json",
- "vex.openvex.json"
- ]
- },
- "signatures": [
- {
- "keyid": "STUB",
- "sig": "STUB_SIGNATURE",
- "alg": "dilithium2"
- }
- ]
+ "payload": "",
+ "payloadType": "application/vnd.in-toto+json",
+ "signatures": []
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/callgraph.framework.json
index 299d7dd3b..e05bd98c6 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/callgraph.framework.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/callgraph.framework.json
@@ -1,4 +1,5 @@
 {
- "schema_version": "1.0",
- "edges": []
+ "edges": [],
+ "nodes": [],
+ "schema_version": "reachbench.callgraph.framework/v1"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/callgraph.static.json
index 748757d4e..6b25cb074 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/callgraph.static.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/callgraph.static.json
@@ -1,18 +1,5 @@
 {
- "schema_version": "1.0",
- "nodes": [
- {
- "sid": "sym://go:go.c#entry"
- },
- {
- "sid": "sym://go:go.c#sink"
- }
- ],
- "edges": [
- {
- "from": "sym://go:go.c#entry",
- "to": "sym://go:go.c#sink",
- "kind": "direct"
- }
- ]
+ "edges": [],
+ "nodes": [],
+ "schema_version": "reachbench.callgraph.static/v1"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/manifest.json
index 590cdce10..fa046c7f9 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/manifest.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/manifest.json
@@ -1,8 +1,15 @@
 {
- "image": "ghcr.io/reachbench/go-ssh-CVE-2020-9283-keyexchange:unreachable",
- "config_flags": {
- "FEATURE_FLAG": false,
- "POLICY_MODE": "enforcing"
+ "case_id": "go-ssh-CVE-2020-9283-keyexchange",
+ "files": {
+ "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
+ "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
+ "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
+ "reachgraph.truth.json": "ee1409484f2314be8471ebb0b1d3ab62d5bacbfd18dfc7380d9f94e2f214a6d4",
+ "sbom.cdx.json": "a975829c9537c16db4d19306ba6bc809930b6ad9f96495a8202d59d3f174cf2c",
+ "sbom.spdx.json": "399d1f0946dfbe0fb66749f2b08df539f93285affbd059e0b66df55f485ed39a",
+ "symbols.json": "b40d34be3d26d3293e9f06c21c58d1f89ef75897697207f71aa6e461cf9f72bf",
+ "vex.openvex.json": "537af070b5eb69fa842511fa63018ed6b8745631a156dcfc7abd1f60cc13e972"
 },
- "sha256": "STUB_DIGEST"
+ "schema_version": "reachbench.manifest/v1",
+ "variant": "unreachable"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/reachgraph.truth.json
index b29ccad76..344f4d294 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/reachgraph.truth.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/reachgraph.truth.json
@@ -1,16 +1,6 @@
 {
- "schema_version": "1.0",
- "sinks": [
- {
- "sid": "sym://go:go.c#sink",
- "kind": "generic"
- }
- ],
- "paths": [
- [
- "sym://net:handler#read",
- "sym://go:go.c#entry",
- "sym://go:go.c#sink"
- ]
- ]
+ "case_id": "go-ssh-CVE-2020-9283-keyexchange",
+ "paths": [],
+ "schema_version": "reachbench.reachgraph.truth/v1",
+ "variant": "unreachable"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/sbom.cdx.json
index 42913d53b..c2da74041 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/sbom.cdx.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/sbom.cdx.json
@@ -1,5 +1,11 @@
 {
 "bomFormat": "CycloneDX",
- "specVersion": "1.6",
- "components": []
+ "components": [],
+ "metadata": {
+ "component": {
+ "name": "go-ssh-CVE-2020-9283-keyexchange",
+ "version": "0.0.0"
+ }
+ },
+ "specVersion": "1.5"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/sbom.spdx.json
index 38e10e06b..1c11d2993 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/sbom.spdx.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/sbom.spdx.json
@@ -1,6 +1,6 @@
 {
- "spdxVersion": "SPDX-3.0",
- "creationInfo": {
- "created": "2025-11-07T22:40:04Z"
- }
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "name": "go-ssh-CVE-2020-9283-keyexchange",
+ "packages": [],
+ "spdxVersion": "SPDX-2.3"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/symbols.json
index fd69f70b1..8b90dca39 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/symbols.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/symbols.json
@@ -1,31 +1,6 @@
 {
- "schema_version": "1.0",
- "components": [
- {
- "purl": "pkg:generic/go@0.0.1",
- "files": [
- {
- "path": "/src/go.c",
- "funcs": [
- {
- "sid": "sym://go:go.c#entry",
- "name": "entry",
- "range": {
- "start": 10,
- "end": 20
- }
- },
- {
- "sid": "sym://go:go.c#sink",
- "name": "sink",
- "range": {
- "start": 30,
- "end": 60
- }
- }
- ]
- }
- ]
- }
- ]
+ "case_id": "go-ssh-CVE-2020-9283-keyexchange",
+ "schema_version": "reachbench.symbols/v1",
+ "symbols": [],
+ "variant": "unreachable"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/vex.openvex.json
index 0bb3923d0..0f7b4292e 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/vex.openvex.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/unreachable/vex.openvex.json
@@ -1,12 +1,15 @@
 {
- "author": "reachbench-2025",
- "timestamp": "2025-11-07T22:40:04Z",
+ "author": "StellaOps",
+ "role": "reachbench",
 "statements": [
 {
- "vulnerability": "CVE-2020-9283",
+ "products": [
+ "pkg:go-ssh-CVE-2020-9283-keyexchange"
+ ],
 "status": "not_affected",
- "justification": "vulnerable_code_not_in_execute_path",
- "impact_statement": "Pruned by configuration; path unreachable."
+ "statusJustification": "component_not_present",
+ "vulnerability": "cve:CVE-2020-9283"
 }
- ]
+ ],
+ "timestamp": "2025-11-18T00:00:00Z"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/attestation.dsse.json
index e99537197..58efec7e1 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/attestation.dsse.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/attestation.dsse.json
@@ -1,30 +1,5 @@
 {
- "dsse_version": "1.0",
- "subject": [
- {
- "name": "ghcr.io/reachbench/java-jackson-CVE-2019-12384-polymorphic-deser:reachable",
- "digest": {
- "sha256": "STUB_DIGEST"
- }
- }
- ],
- "statement": {
- "type": "reachbench.attestation",
- "materials": [
- "sbom.cdx.json",
- "sbom.spdx.json",
- "symbols.json",
- "callgraph.static.json",
- "callgraph.framework.json",
- "reachgraph.truth.json",
- "vex.openvex.json"
- ]
- },
- "signatures": [
- {
- "keyid": "STUB",
- "sig": "STUB_SIGNATURE",
- "alg": "dilithium2"
- }
- ]
+ "payload": "",
+ "payloadType": "application/vnd.in-toto+json",
+ "signatures": []
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/callgraph.framework.json
index 4c65b9afe..e05bd98c6 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/callgraph.framework.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/callgraph.framework.json
@@ -1,10 +1,5 @@
 {
- "schema_version": "1.0",
- "edges": [
- {
- "from": "sym://spring:DispatcherServlet#doDispatch",
- "to": "sym://java:java.c#entry",
- "kind": "framework"
- }
- ]
+ "edges": [],
+ "nodes": [],
+ "schema_version": "reachbench.callgraph.framework/v1"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/callgraph.static.json
index ad4bcb5b8..6b25cb074 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/callgraph.static.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/callgraph.static.json
@@ -1,18 +1,5 @@
 {
- "schema_version": "1.0",
- "nodes": [
- {
- "sid": "sym://java:java.c#entry"
- },
- {
- "sid": "sym://java:java.c#sink"
- }
- ],
- "edges": [
- {
- "from": "sym://java:java.c#entry",
- "to": "sym://java:java.c#sink",
- "kind": "direct"
- }
- ]
+ "edges": [],
+ "nodes": [],
+ "schema_version": "reachbench.callgraph.static/v1"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/manifest.json
index c5b4dc302..2910ab50f 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/manifest.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/manifest.json
@@ -1,8 +1,15 @@
 {
- "image": "ghcr.io/reachbench/java-jackson-CVE-2019-12384-polymorphic-deser:reachable",
- "config_flags": {
- "FEATURE_FLAG": true,
- "POLICY_MODE": "permissive"
+ "case_id": "java-jackson-CVE-2019-12384-polymorphic-deser",
+ "files": {
+ "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
+ "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
+ "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
+ "reachgraph.truth.json": "8030095b4fc7157d09af6fd16fd3fccfb013f5a744c7e13e1bba1fb01201b2e6",
+ "sbom.cdx.json": "109a4ef5481c4597a26f3172e5f5fd1ead491b55f19c84bb93a46bd6e5c47b28",
+ "sbom.spdx.json": "619548fa26467f19ddef9a2b1adae3c0fec5b166a3a4f494901ae23ddac0156d",
+ "symbols.json": "4c4a40db721f39e3bd06a5dd63c408ebf6f8bd9dd3faf1892b2f0a712b81ad8c",
+ "vex.openvex.json": "13e69a076e5d4c622d82b042ce26129e0fcdf62eb8a800303a23ab9915938c2e"
 },
- "sha256": "STUB_DIGEST"
+ "schema_version": "reachbench.manifest/v1",
+ "variant": "reachable"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/reachgraph.truth.json
index 4f5e2dd61..04fc9f5a4 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/reachgraph.truth.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/reachgraph.truth.json
@@ -1,16 +1,12 @@
 {
- "schema_version": "1.0",
- "sinks": [
- {
- "sid": "sym://java:java.c#sink",
- "kind": "generic"
- }
- ],
+ "case_id": "java-jackson-CVE-2019-12384-polymorphic-deser",
 "paths": [
 [
 "sym://net:handler#read",
 "sym://java:java.c#entry",
 "sym://java:java.c#sink"
 ]
- ]
+ ],
+ "schema_version": "reachbench.reachgraph.truth/v1",
+ "variant": "reachable"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/sbom.cdx.json
index 42913d53b..f92b4bf0e 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/sbom.cdx.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/sbom.cdx.json
@@ -1,5 +1,11 @@
 {
 "bomFormat": "CycloneDX",
- "specVersion": "1.6",
- "components": []
+ "components": [],
+ "metadata": {
+ "component": {
+ "name": "java-jackson-CVE-2019-12384-polymorphic-deser",
+ "version": "0.0.0"
+ }
+ },
+ "specVersion": "1.5"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/sbom.spdx.json
index 38e10e06b..0ba9ab0e4 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/sbom.spdx.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/sbom.spdx.json
@@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "java-jackson-CVE-2019-12384-polymorphic-deser", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/symbols.json index f41e9ccf5..d153c7a74 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/symbols.json @@ -1,31 +1,8 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/java@0.0.1", - "files": [ - { - "path": "/src/java.c", - "funcs": [ - { - "sid": "sym://java:java.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://java:java.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "java-jackson-CVE-2019-12384-polymorphic-deser", + "schema_version": "reachbench.symbols/v1", + "symbols": [ + "sym://java:java.c#sink" + ], + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/vex.openvex.json index cf7bad2f1..6b499ab4c 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/vex.openvex.json 
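Review bot: The new SPDX-2.3 document drops `creationInfo` and has no `dataLicense` or `documentNamespace`, all of which SPDX 2.3 lists as mandatory, so a strict SPDX parser may reject the fixture before any reachability logic runs. If the timestamp was removed for determinism, a fixed value keeps the hashes stable, for example `"creationInfo": { "created": "2025-11-18T00:00:00Z", "creators": ["Tool: reachbench"] }` (the creator string is a constructed sample; the timestamp is the one the VEX fixtures in this commit use). `packages` is also empty, so the SBOM names no component that a VEX statement or scanner finding could be matched against. The other `sbom.spdx.json` hunks have the same shape.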
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/reachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2019-12384", + "products": [ + "pkg:java-jackson-CVE-2019-12384-polymorphic-deser" + ], "status": "affected", - "justification": "reasoning_provided", - "impact_statement": "Function-level path is reachable." + "statusJustification": "component_present", + "vulnerability": "cve:CVE-2019-12384" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/attestation.dsse.json index 5eb27ea59..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/attestation.dsse.json 
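Review bot: `statusJustification` and `component_present` are not OpenVEX vocabulary as far as I can tell: the statement field is `justification`, it is defined for `not_affected` only, and `component_present` is not one of its values. If these files are meant to parse as OpenVEX, the reachable statement should carry `"status": "affected"` without a justification (plus an `action_statement` if the consumer requires one). The `products` entry `pkg:java-jackson-CVE-2019-12384-polymorphic-deser` also lacks the `type/` segment of a package URL, and the CycloneDX `components` list is empty, so the product cannot be resolved against the SBOM. The java-log4j reachable VEX hunk repeats the pattern.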
@@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/java-jackson-CVE-2019-12384-polymorphic-deser:unreachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/callgraph.framework.json index 4c65b9afe..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/callgraph.framework.json @@ -1,10 +1,5 @@ { - "schema_version": "1.0", - "edges": [ - { - "from": "sym://spring:DispatcherServlet#doDispatch", - "to": "sym://java:java.c#entry", - "kind": "framework" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/callgraph.static.json index ad4bcb5b8..6b25cb074 100644 
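Review bot: The envelope is now an empty DSSE shell: `payload` is `""`, `signatures` is `[]`, and the old `materials` list that tied it to the sibling files is gone. The manifests record one digest (`12ced21c…`) for `attestation.dsse.json` in every case and variant, so the file is a shared placeholder and attests nothing about the variant it sits in. A consumer that treats "parses as DSSE" or "no signature failed" as verified would accept it, so the pipeline should report these fixtures as unsigned. The fixture test is a good place to pin that, for example `envelope.GetProperty("signatures").GetArrayLength().Should().Be(0, "fixture envelopes are unsigned placeholders");`. The other `attestation.dsse.json` hunks are identical.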
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://java:java.c#entry" - }, - { - "sid": "sym://java:java.c#sink" - } - ], - "edges": [ - { - "from": "sym://java:java.c#entry", - "to": "sym://java:java.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/manifest.json index 6085f892a..7afc9c83d 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/manifest.json 
@@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/java-jackson-CVE-2019-12384-polymorphic-deser:unreachable", - "config_flags": { - "FEATURE_FLAG": false, - "POLICY_MODE": "enforcing" + "case_id": "java-jackson-CVE-2019-12384-polymorphic-deser", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "0d7634e488cab16bd206235b80fb635187fe5c648f8ae97f7203d48490209c89", + "sbom.cdx.json": "109a4ef5481c4597a26f3172e5f5fd1ead491b55f19c84bb93a46bd6e5c47b28", + "sbom.spdx.json": "619548fa26467f19ddef9a2b1adae3c0fec5b166a3a4f494901ae23ddac0156d", + "symbols.json": "dc67782d6a011629563b6274b2980b80e60cee3dcb55cab4e4ea9d80dd41046e", + "vex.openvex.json": "c74db782f4df6c74b1a8ec386d2c698bd8ab2f26d7e11f2c4d0d80a5905e35c2" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/reachgraph.truth.json index 4f5e2dd61..6fe653ac9 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/reachgraph.truth.json 
@@ -1,16 +1,6 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://java:java.c#sink", - "kind": "generic" - } - ], - "paths": [ - [ - "sym://net:handler#read", - "sym://java:java.c#entry", - "sym://java:java.c#sink" - ] - ] + "case_id": "java-jackson-CVE-2019-12384-polymorphic-deser", + "paths": [], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/sbom.cdx.json index 42913d53b..f92b4bf0e 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "java-jackson-CVE-2019-12384-polymorphic-deser", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/sbom.spdx.json index 38e10e06b..0ba9ab0e4 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/sbom.spdx.json 
@@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "java-jackson-CVE-2019-12384-polymorphic-deser", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/symbols.json index f41e9ccf5..8dc8b2026 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/symbols.json @@ -1,31 +1,6 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/java@0.0.1", - "files": [ - { - "path": "/src/java.c", - "funcs": [ - { - "sid": "sym://java:java.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://java:java.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "java-jackson-CVE-2019-12384-polymorphic-deser", + "schema_version": "reachbench.symbols/v1", + "symbols": [], + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/vex.openvex.json index 47edfb577..f4f80c3c2 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/vex.openvex.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-jackson-CVE-2019-12384-polymorphic-deser/images/unreachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2019-12384", + "products": [ + "pkg:java-jackson-CVE-2019-12384-polymorphic-deser" + ], "status": "not_affected", - "justification": "vulnerable_code_not_in_execute_path", - "impact_statement": "Pruned by configuration; path unreachable." + "statusJustification": "component_not_present", + "vulnerability": "cve:CVE-2019-12384" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/attestation.dsse.json index 655ed8f38..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/java-log4j-CVE-2021-44228-log4shell:reachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
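Review bot: The unreachable statement now justifies `not_affected` with `component_not_present` in place of `vulnerable_code_not_in_execute_path`, which changes what the fixture asserts. A reachability benchmark needs the component present and the vulnerable code unreachable; `component_not_present` says the package is absent, which a plain SBOM match would decide without any call-graph analysis. The removed `impact_statement` was also the only text explaining why the path is pruned. I would keep `"justification": "vulnerable_code_not_in_execute_path"` here and in the java-log4j unreachable VEX hunk.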
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/callgraph.framework.json index 4c65b9afe..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/callgraph.framework.json @@ -1,10 +1,5 @@ { - "schema_version": "1.0", - "edges": [ - { - "from": "sym://spring:DispatcherServlet#doDispatch", - "to": "sym://java:java.c#entry", - "kind": "framework" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/callgraph.static.json index ad4bcb5b8..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://java:java.c#entry" - }, - { - "sid": "sym://java:java.c#sink" - } - ], - "edges": [ - { - "from": "sym://java:java.c#entry", - "to": "sym://java:java.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/manifest.json index 2af2351c1..a1ba9f27a 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/java-log4j-CVE-2021-44228-log4shell:reachable", - "config_flags": { - "FEATURE_FLAG": true, - "POLICY_MODE": "permissive" + "case_id": "java-log4j-CVE-2021-44228-log4shell", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "03d8edec093c07c9e0e77b6a52f015095db71ab9b8c2b2fdad245960e40bd2f2", + "sbom.cdx.json": "a43b3ae67d9423a75c709209b5c4c15c389163931bd2c57df1a924f92d0b871e", + "sbom.spdx.json": "b29f8c850043fbb66deb6a8ba9b764a3c66f8527ab47d0ea04cc63f10716334f", + "symbols.json": "b7b75e6116d33e98ae5b92598394095510e27afa8e0facdb617070fd8866d20b", + "vex.openvex.json": "67dd7e3220be878da101bc58d3e55bde4e69a6d56a4e14b4c3c3c5f4f1af8c3a" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/reachgraph.truth.json index 4f5e2dd61..af79d8525 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/reachgraph.truth.json @@ -1,16 +1,12 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://java:java.c#sink", - "kind": "generic" - } - ], + "case_id": "java-log4j-CVE-2021-44228-log4shell", "paths": [ [ "sym://net:handler#read", "sym://java:java.c#entry", "sym://java:java.c#sink" ] - ] + ], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/sbom.cdx.json index 42913d53b..265049f06 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "java-log4j-CVE-2021-44228-log4shell", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/sbom.spdx.json index 38e10e06b..1d239d6df 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/sbom.spdx.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "java-log4j-CVE-2021-44228-log4shell", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/symbols.json index f41e9ccf5..bb0cd3526 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/symbols.json @@ -1,31 +1,8 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/java@0.0.1", - "files": [ - { - "path": "/src/java.c", - "funcs": [ - { - "sid": "sym://java:java.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://java:java.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "java-log4j-CVE-2021-44228-log4shell", + "schema_version": "reachbench.symbols/v1", + "symbols": [ + "sym://java:java.c#sink" + ], + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/vex.openvex.json index 6f4449584..01b6fd9d9 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/vex.openvex.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/reachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2021-44228", + "products": [ + "pkg:java-log4j-CVE-2021-44228-log4shell" + ], "status": "affected", - "justification": "reasoning_provided", - "impact_statement": "Function-level path is reachable." + "statusJustification": "component_present", + "vulnerability": "cve:CVE-2021-44228" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/attestation.dsse.json index 73d67b03c..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/java-log4j-CVE-2021-44228-log4shell:unreachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/callgraph.framework.json index 4c65b9afe..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/callgraph.framework.json @@ -1,10 +1,5 @@ { - "schema_version": "1.0", - "edges": [ - { - "from": "sym://spring:DispatcherServlet#doDispatch", - "to": "sym://java:java.c#entry", - "kind": "framework" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/callgraph.static.json index ad4bcb5b8..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://java:java.c#entry" - }, - { - "sid": "sym://java:java.c#sink" - } - ], - "edges": [ - { - "from": "sym://java:java.c#entry", - "to": "sym://java:java.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/manifest.json index 345932625..ca71df901 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/java-log4j-CVE-2021-44228-log4shell:unreachable", - "config_flags": { - "FEATURE_FLAG": false, - "POLICY_MODE": "enforcing" + "case_id": "java-log4j-CVE-2021-44228-log4shell", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "80427fa6cc873a3f440db5686d134709d34613394762ed8dc411dbfdeadaa8c9", + "sbom.cdx.json": "a43b3ae67d9423a75c709209b5c4c15c389163931bd2c57df1a924f92d0b871e", + "sbom.spdx.json": "b29f8c850043fbb66deb6a8ba9b764a3c66f8527ab47d0ea04cc63f10716334f", + "symbols.json": "7e4e19ff912bff2a72dd34cb814b2fd52b63f6dceb7e423ed2eb35a739d6719b", + "vex.openvex.json": "e65779c3e3469b618c2b2c978a66e077e6c70311434fe2ca1364bf30c8b9570e" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/reachgraph.truth.json index 4f5e2dd61..e5ff66b0e 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/reachgraph.truth.json @@ -1,16 +1,6 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://java:java.c#sink", - "kind": "generic" - } - ], - "paths": [ - [ - "sym://net:handler#read", - "sym://java:java.c#entry", - "sym://java:java.c#sink" - ] - ] + "case_id": "java-log4j-CVE-2021-44228-log4shell", + "paths": [], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/sbom.cdx.json index 42913d53b..265049f06 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "java-log4j-CVE-2021-44228-log4shell", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/sbom.spdx.json index 38e10e06b..1d239d6df 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/sbom.spdx.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "java-log4j-CVE-2021-44228-log4shell", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/symbols.json index f41e9ccf5..83027dad6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/symbols.json @@ -1,31 +1,6 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/java@0.0.1", - "files": [ - { - "path": "/src/java.c", - "funcs": [ - { - "sid": "sym://java:java.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://java:java.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "java-log4j-CVE-2021-44228-log4shell", + "schema_version": "reachbench.symbols/v1", + "symbols": [], + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/vex.openvex.json index 6ccd2a3ca..c9adb06bd 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/vex.openvex.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-log4j-CVE-2021-44228-log4shell/images/unreachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2021-44228", + "products": [ + "pkg:java-log4j-CVE-2021-44228-log4shell" + ], "status": "not_affected", - "justification": "vulnerable_code_not_in_execute_path", - "impact_statement": "Pruned by configuration; path unreachable." + "statusJustification": "component_not_present", + "vulnerability": "cve:CVE-2021-44228" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/attestation.dsse.json index eccf4efa3..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/java-spring-CVE-2022-22965-spring4shell:reachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/callgraph.framework.json index 4c65b9afe..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/callgraph.framework.json @@ -1,10 +1,5 @@ { - "schema_version": "1.0", - "edges": [ - { - "from": "sym://spring:DispatcherServlet#doDispatch", - "to": "sym://java:java.c#entry", - "kind": "framework" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/callgraph.static.json index ad4bcb5b8..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://java:java.c#entry" - }, - { - "sid": "sym://java:java.c#sink" - } - ], - "edges": [ - { - "from": "sym://java:java.c#entry", - "to": "sym://java:java.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
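Review bot: The reachable variant's static call graph becomes `"edges": []` and `"nodes": []`, yet the `reachgraph.truth.json` for this same variant still lists the path `sym://net:handler#read` → `sym://java:java.c#entry` → `sym://java:java.c#sink`. With no edges, no analyzer can derive that path from the fixture. The reachable and unreachable graphs are also byte-identical (both manifests record `99c850cc…` for `callgraph.static.json`), so only the truth, symbols and VEX files distinguish the variants. I would keep the removed `entry` and `sink` nodes and the `direct` edge between them in the reachable variant, so the ground truth is backed by graph evidence. The framework graph in the preceding hunk and the linux-cgroups call graphs have the same gap.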
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/manifest.json index b25ae3351..203faf760 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/java-spring-CVE-2022-22965-spring4shell:reachable", - "config_flags": { - "FEATURE_FLAG": true, - "POLICY_MODE": "permissive" + "case_id": "java-spring-CVE-2022-22965-spring4shell", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "316f1bc49235fad6e8aeb59c95028e79801d1e0e87599dc87cbeb919e55a332d", + "sbom.cdx.json": "05d75b98871eb73a5f81774ce2eb9a74cd36e2e6751aebd28df64993a538501b", + "sbom.spdx.json": "97a3f8f8c8424f7caf000dcf8da67fd12ce7662302f5113d39058f4fba8d7061", + "symbols.json": "c45532d8f5df11d1ba108ee3203b66dc6eef453f7fad1df7b4f120c3be28d8e2", + "vex.openvex.json": "3faeae83e4427b7ad268d55b38d246982713cb18d1dbbb1af7f55bfdec2c528c" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "reachable" } \ No newline at end of file 
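Review bot: The `files` map pins each artifact by SHA-256, but nothing pins the manifest itself and the attestation it lists is unsigned. These hashes therefore detect accidental drift, not tampering, since anyone who edits a fixture can update its hash in the same change; the README should say so, so the manifest is not mistaken for an integrity guarantee. Every fixture in this commit also ends without a trailing newline, so if the test hashes raw bytes, the result depends on line-ending normalization at checkout. A `.gitattributes` rule such as `tests/reachability/fixtures/** -text` would keep the bytes stable across platforms. The same applies to the other `manifest.json` hunks.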
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/reachgraph.truth.json index 4f5e2dd61..a6faf1583 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/reachgraph.truth.json @@ -1,16 +1,12 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://java:java.c#sink", - "kind": "generic" - } - ], + "case_id": "java-spring-CVE-2022-22965-spring4shell", "paths": [ [ "sym://net:handler#read", "sym://java:java.c#entry", "sym://java:java.c#sink" ] - ] + ], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/sbom.cdx.json index 42913d53b..4d2484b4f 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "java-spring-CVE-2022-22965-spring4shell", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file 
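Review bot: `"components": []` stays empty while this variant's `vex.openvex.json` marks `pkg:java-spring-CVE-2022-22965-spring4shell` as `affected`. Nothing in the SBOM carries that identifier, since `metadata.component` has only `name` and `version`, so a pipeline that joins VEX products to SBOM components finds no match. Giving `metadata.component` a `bom-ref` or `purl` equal to the VEX product string, or adding a matching entry under `components`, would make the fixture internally consistent. The `specVersion` change from `1.6` to `1.5` is a downgrade; if it is deliberate, a sentence in the README explaining why would help. The other `sbom.cdx.json` hunks have the same shape.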
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/sbom.spdx.json index 38e10e06b..e9fbb6a27 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "java-spring-CVE-2022-22965-spring4shell", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/symbols.json index f41e9ccf5..23123e520 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/symbols.json 
@@ -1,31 +1,8 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/java@0.0.1", - "files": [ - { - "path": "/src/java.c", - "funcs": [ - { - "sid": "sym://java:java.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://java:java.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "java-spring-CVE-2022-22965-spring4shell", + "schema_version": "reachbench.symbols/v1", + "symbols": [ + "sym://java:java.c#sink" + ], + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/vex.openvex.json index a67afde39..5beb82ce1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/vex.openvex.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/reachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2022-22965", + "products": [ + "pkg:java-spring-CVE-2022-22965-spring4shell" + ], "status": "affected", - "justification": "reasoning_provided", - "impact_statement": "Function-level path is reachable." + "statusJustification": "component_present", + "vulnerability": "cve:CVE-2022-22965" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file 
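Review bot: `symbols` now lists only `sym://java:java.c#sink`, but the truth path for this reachable variant also goes through `sym://java:java.c#entry` and `sym://net:handler#read`, and the removed table did define `entry` with a line range. A consistency check that resolves truth-path nodes against the symbol table would find two dangling IDs; without such a check they pass unnoticed. Either list every symbol that appears in `paths`, or document in the README that `symbols` holds sinks only, and have the fixture test enforce whichever rule is chosen. The linux-cgroups reachable `symbols.json` follows the same pattern.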
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/attestation.dsse.json index b979e782c..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/java-spring-CVE-2022-22965-spring4shell:unreachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/callgraph.framework.json index 4c65b9afe..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/callgraph.framework.json 
@@ -1,10 +1,5 @@ { - "schema_version": "1.0", - "edges": [ - { - "from": "sym://spring:DispatcherServlet#doDispatch", - "to": "sym://java:java.c#entry", - "kind": "framework" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/callgraph.static.json index ad4bcb5b8..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://java:java.c#entry" - }, - { - "sid": "sym://java:java.c#sink" - } - ], - "edges": [ - { - "from": "sym://java:java.c#entry", - "to": "sym://java:java.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/manifest.json index 47dd702fc..264b4f5eb 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/manifest.json 
@@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/java-spring-CVE-2022-22965-spring4shell:unreachable", - "config_flags": { - "FEATURE_FLAG": false, - "POLICY_MODE": "enforcing" + "case_id": "java-spring-CVE-2022-22965-spring4shell", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "d5dfb70311cdfcbb9d9dc00f2c432e21994a567b73afc2e5e51105dd75098a9d", + "sbom.cdx.json": "05d75b98871eb73a5f81774ce2eb9a74cd36e2e6751aebd28df64993a538501b", + "sbom.spdx.json": "97a3f8f8c8424f7caf000dcf8da67fd12ce7662302f5113d39058f4fba8d7061", + "symbols.json": "24c8f838eca93f887822a0e27608d21695c7e77aa5ffcb4f0b7f67e0c7f9254f", + "vex.openvex.json": "64c8b4fbc6462876ab6861b9235c1f11200a881392c55c40371786f5d21fcec5" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/reachgraph.truth.json index 4f5e2dd61..309774ca0 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/reachgraph.truth.json 
@@ -1,16 +1,6 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://java:java.c#sink", - "kind": "generic" - } - ], - "paths": [ - [ - "sym://net:handler#read", - "sym://java:java.c#entry", - "sym://java:java.c#sink" - ] - ] + "case_id": "java-spring-CVE-2022-22965-spring4shell", + "paths": [], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/sbom.cdx.json index 42913d53b..4d2484b4f 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "java-spring-CVE-2022-22965-spring4shell", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/sbom.spdx.json index 38e10e06b..e9fbb6a27 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/sbom.spdx.json 
@@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "java-spring-CVE-2022-22965-spring4shell", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/symbols.json index f41e9ccf5..f1ff6869c 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/symbols.json @@ -1,31 +1,6 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/java@0.0.1", - "files": [ - { - "path": "/src/java.c", - "funcs": [ - { - "sid": "sym://java:java.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://java:java.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "java-spring-CVE-2022-22965-spring4shell", + "schema_version": "reachbench.symbols/v1", + "symbols": [], + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/vex.openvex.json index cba12ec6b..d6390d329 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/vex.openvex.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/java-spring-CVE-2022-22965-spring4shell/images/unreachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2022-22965", + "products": [ + "pkg:java-spring-CVE-2022-22965-spring4shell" + ], "status": "not_affected", - "justification": "vulnerable_code_not_in_execute_path", - "impact_statement": "Pruned by configuration; path unreachable." + "statusJustification": "component_not_present", + "vulnerability": "cve:CVE-2022-22965" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/attestation.dsse.json index 81a634aeb..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/linux-cgroups-CVE-2022-0492-release_agent:reachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/callgraph.framework.json @@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/callgraph.static.json index a925f1553..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://linux:linux.c#entry" - }, - { - "sid": "sym://linux:linux.c#sink" - } - ], - "edges": [ - { - "from": "sym://linux:linux.c#entry", - "to": "sym://linux:linux.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/manifest.json index a3e784eac..49f5a4c86 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/linux-cgroups-CVE-2022-0492-release_agent:reachable", - "config_flags": { - "FEATURE_FLAG": true, - "POLICY_MODE": "permissive" + "case_id": "linux-cgroups-CVE-2022-0492-release_agent", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "8b212a35b6bbd0eebf58c888fa3ba2f15df2c223f46aa0cbe3a819eb0b00a04e", + "sbom.cdx.json": "011435c08b0937a16783c5513a7a6997562db09e5683663b72eef0582b117928", + "sbom.spdx.json": "2ffd0b73f7fac20f929aa782ac97496b693846c63cea70b22ca1ab07801dd8e1", + "symbols.json": "c8221bd84c11929566d8460068cc87b5b17fad5be3744b11bfde2f6c66ebb2cb", + "vex.openvex.json": "ec5738e266b360a5b176af280a68c9e147bdfc21a30c6429845d320ff7766819" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "reachable" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/reachgraph.truth.json index 1b95019d9..e5d8b189d 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/reachgraph.truth.json @@ -1,16 +1,12 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://linux:linux.c#sink", - "kind": "generic" - } - ], + "case_id": "linux-cgroups-CVE-2022-0492-release_agent", "paths": [ [ "sym://net:handler#read", "sym://linux:linux.c#entry", "sym://linux:linux.c#sink" ] - ] + ], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/sbom.cdx.json index 42913d53b..f4a306b4c 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "linux-cgroups-CVE-2022-0492-release_agent", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/sbom.spdx.json index 38e10e06b..822b49c80 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "linux-cgroups-CVE-2022-0492-release_agent", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/symbols.json index b8d714c58..d38986df2 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/symbols.json 
@@ -1,31 +1,8 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/linux@0.0.1", - "files": [ - { - "path": "/src/linux.c", - "funcs": [ - { - "sid": "sym://linux:linux.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://linux:linux.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "linux-cgroups-CVE-2022-0492-release_agent", + "schema_version": "reachbench.symbols/v1", + "symbols": [ + "sym://linux:linux.c#sink" + ], + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/vex.openvex.json index 2a9940d49..6367b2423 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/vex.openvex.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/reachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2022-0492", + "products": [ + "pkg:linux-cgroups-CVE-2022-0492-release_agent" + ], "status": "affected", - "justification": "reasoning_provided", - "impact_statement": "Function-level path is reachable." + "statusJustification": "component_present", + "vulnerability": "cve:CVE-2022-0492" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/attestation.dsse.json index a6176c434..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/linux-cgroups-CVE-2022-0492-release_agent:unreachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/callgraph.framework.json 
@@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/callgraph.static.json index a925f1553..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://linux:linux.c#entry" - }, - { - "sid": "sym://linux:linux.c#sink" - } - ], - "edges": [ - { - "from": "sym://linux:linux.c#entry", - "to": "sym://linux:linux.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/manifest.json index c9eda43b9..f6552a327 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/manifest.json 
@@ -1,8 +1,15 @@
 {
- "image": "ghcr.io/reachbench/linux-cgroups-CVE-2022-0492-release_agent:unreachable",
- "config_flags": {
- "FEATURE_FLAG": false,
- "POLICY_MODE": "enforcing"
+ "case_id": "linux-cgroups-CVE-2022-0492-release_agent",
+ "files": {
+ "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
+ "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
+ "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
+ "reachgraph.truth.json": "ceb7e2d85e6a23cc60caf2eb46e5e05cdc8af24661ffcc9ac674ed12234529e7",
+ "sbom.cdx.json": "011435c08b0937a16783c5513a7a6997562db09e5683663b72eef0582b117928",
+ "sbom.spdx.json": "2ffd0b73f7fac20f929aa782ac97496b693846c63cea70b22ca1ab07801dd8e1",
+ "symbols.json": "89e6fe61fa90b366b00e0e7f61bd9f4452e490e6197ea6d606751caa2e31bbb5",
+ "vex.openvex.json": "3e10a7fdece86c0aa73c1d8a86d693a75ad020d2351458878231944b9e4ae28a"
 },
- "sha256": "STUB_DIGEST"
+ "schema_version": "reachbench.manifest/v1",
+ "variant": "unreachable"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/reachgraph.truth.json
index 1b95019d9..577feb66c 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/reachgraph.truth.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/reachgraph.truth.json
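Review bot: The `files` digests in manifest.json are presumably computed over the exact bytes of each fixture, and every fixture in this change ends without a trailing newline, so a checkout that rewrites line endings or an editor that appends a final newline would fail the hash check for reasons unrelated to content. If the repository does not already pin this, a `.gitattributes` entry such as `tests/reachability/fixtures/** -text` keeps the files byte-stable across platforms. The manifest is also self-asserted: nothing visible here signs or hashes manifest.json itself, so the check detects drift but not an edit that updates a file and its digest together, which is worth stating next to the README sentence about determinism. The manifest.json hunks of the other cases on this page are in the same position.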
@@ -1,16 +1,6 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://linux:linux.c#sink", - "kind": "generic" - } - ], - "paths": [ - [ - "sym://net:handler#read", - "sym://linux:linux.c#entry", - "sym://linux:linux.c#sink" - ] - ] + "case_id": "linux-cgroups-CVE-2022-0492-release_agent", + "paths": [], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/sbom.cdx.json index 42913d53b..f4a306b4c 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "linux-cgroups-CVE-2022-0492-release_agent", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/sbom.spdx.json index 38e10e06b..822b49c80 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/sbom.spdx.json 
@@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "linux-cgroups-CVE-2022-0492-release_agent", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/symbols.json index b8d714c58..ea89eff50 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/symbols.json @@ -1,31 +1,6 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/linux@0.0.1", - "files": [ - { - "path": "/src/linux.c", - "funcs": [ - { - "sid": "sym://linux:linux.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://linux:linux.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "linux-cgroups-CVE-2022-0492-release_agent", + "schema_version": "reachbench.symbols/v1", + "symbols": [], + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/vex.openvex.json index 2b4f0d675..099828b7a 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/vex.openvex.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/linux-cgroups-CVE-2022-0492-release_agent/images/unreachable/vex.openvex.json
@@ -1,12 +1,15 @@
 {
- "author": "reachbench-2025",
- "timestamp": "2025-11-07T22:40:04Z",
+ "author": "StellaOps",
+ "role": "reachbench",
 "statements": [
 {
- "vulnerability": "CVE-2022-0492",
+ "products": [
+ "pkg:linux-cgroups-CVE-2022-0492-release_agent"
+ ],
 "status": "not_affected",
- "justification": "vulnerable_code_not_in_execute_path",
- "impact_statement": "Pruned by configuration; path unreachable."
+ "statusJustification": "component_not_present",
+ "vulnerability": "cve:CVE-2022-0492"
 }
- ]
+ ],
+ "timestamp": "2025-11-18T00:00:00Z"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/attestation.dsse.json
index 0f6e5dbb1..58efec7e1 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/attestation.dsse.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/attestation.dsse.json
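Review bot: The rewritten statement in vex.openvex.json replaces `justification` with a `statusJustification` key, which as far as I know is not a field OpenVEX defines, so a consumer parsing this file as OpenVEX would see a `not_affected` statement with neither a justification nor an impact statement. The value changes meaning too: `vulnerable_code_not_in_execute_path` described an unreachable path, whereas `component_not_present` claims the component is absent even though `products` names it. For an unreachable variant I would keep `"justification": "vulnerable_code_not_in_execute_path"`. The other vex.openvex.json hunks on this page share the key name, and the reachable ones use `"statusJustification": "component_present"`, which is not an OpenVEX justification value and would not apply to an `affected` status anyway.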
@@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/node-express-middleware-order-auth-bypass:reachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/callgraph.framework.json index e7aafb7e4..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/callgraph.framework.json @@ -1,10 +1,5 @@ { - "schema_version": "1.0", - "edges": [ - { - "from": "sym://node:express#route:/vuln", - "to": "sym://node:node.c#entry", - "kind": "middleware" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/callgraph.static.json index 1942a53bc..6b25cb074 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/callgraph.static.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/callgraph.static.json
@@ -1,18 +1,5 @@
 {
- "schema_version": "1.0",
- "nodes": [
- {
- "sid": "sym://node:node.c#entry"
- },
- {
- "sid": "sym://node:node.c#sink"
- }
- ],
- "edges": [
- {
- "from": "sym://node:node.c#entry",
- "to": "sym://node:node.c#sink",
- "kind": "direct"
- }
- ]
+ "edges": [],
+ "nodes": [],
+ "schema_version": "reachbench.callgraph.static/v1"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/manifest.json
index 820be7c3e..f834c8341 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/manifest.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/manifest.json
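Review bot: This reachable variant's callgraph.static.json is emptied to `"edges": []` and `"nodes": []` (callgraph.framework.json likewise), while the reachgraph.truth.json in the same directory still lists the path `sym://net:handler#read`, `sym://node:node.c#entry`, `sym://node:node.c#sink` and symbols.json keeps only `sym://node:node.c#sink`. The ground truth therefore names nodes that no graph or symbol file in the variant contains, so the fixture cannot show that an analyzer derived the path from evidence rather than echoing the truth file. Either keep both nodes and the `entry` to `sink` edge in the reachable callgraph, or have the fixture tests assert that every symbol in a truth path also appears in callgraph `nodes`. The node-tar reachable variant further down has the same mismatch.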
@@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/node-express-middleware-order-auth-bypass:reachable", - "config_flags": { - "FEATURE_FLAG": true, - "POLICY_MODE": "permissive" + "case_id": "node-express-middleware-order-auth-bypass", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "3ec9dce86031af5a893667834e8fd21c276a5afb1156544e0208a58e65f99841", + "sbom.cdx.json": "104dd5cb4497b83d59c6cb0a3e59af02d4f2b52ffa4709086a7dcccb5ef4d7b8", + "sbom.spdx.json": "3f4850fc7da4fde7f97d33d0c6b78a0e50bac716fbb4f0dab2b6a3c29fe302be", + "symbols.json": "8cc43736be4fddfbd8947e03263cc1a3d7301aa4be6bad1d6bf99d91787c14ab", + "vex.openvex.json": "d165dbc8f75c38b68a154f2ad365d686cb327883c96cd88669f4f163407598dd" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/reachgraph.truth.json index ec198e135..369f48bc9 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/reachgraph.truth.json 
@@ -1,16 +1,12 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://node:node.c#sink", - "kind": "generic" - } - ], + "case_id": "node-express-middleware-order-auth-bypass", "paths": [ [ "sym://net:handler#read", "sym://node:node.c#entry", "sym://node:node.c#sink" ] - ] + ], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/sbom.cdx.json index 42913d53b..4c607f2b8 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "node-express-middleware-order-auth-bypass", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/sbom.spdx.json index 38e10e06b..1d29fb92f 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/sbom.spdx.json 
@@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "node-express-middleware-order-auth-bypass", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/symbols.json index 99b86a64c..1c5d2bda6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/symbols.json @@ -1,31 +1,8 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/node@0.0.1", - "files": [ - { - "path": "/src/node.c", - "funcs": [ - { - "sid": "sym://node:node.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://node:node.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "node-express-middleware-order-auth-bypass", + "schema_version": "reachbench.symbols/v1", + "symbols": [ + "sym://node:node.c#sink" + ], + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/vex.openvex.json index a9c299cc5..31a70f2db 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/vex.openvex.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/reachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "TBD", + "products": [ + "pkg:node-express-middleware-order-auth-bypass" + ], "status": "affected", - "justification": "reasoning_provided", - "impact_statement": "Function-level path is reachable." + "statusJustification": "component_present", + "vulnerability": "node-express-middleware-order-auth-bypass" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/attestation.dsse.json index c2fb07b90..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/node-express-middleware-order-auth-bypass:unreachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/callgraph.framework.json index e7aafb7e4..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/callgraph.framework.json @@ -1,10 +1,5 @@ { - "schema_version": "1.0", - "edges": [ - { - "from": "sym://node:express#route:/vuln", - "to": "sym://node:node.c#entry", - "kind": "middleware" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/callgraph.static.json index 1942a53bc..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://node:node.c#entry" - }, - { - "sid": "sym://node:node.c#sink" - } - ], - "edges": [ - { - "from": "sym://node:node.c#entry", - "to": "sym://node:node.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/manifest.json index 29b2035c1..ce5828651 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/node-express-middleware-order-auth-bypass:unreachable", - "config_flags": { - "FEATURE_FLAG": false, - "POLICY_MODE": "enforcing" + "case_id": "node-express-middleware-order-auth-bypass", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "7fc0d7bf7870b42b4d216d2c9001446761aa86b073da551776350cbb481b14ce", + "sbom.cdx.json": "104dd5cb4497b83d59c6cb0a3e59af02d4f2b52ffa4709086a7dcccb5ef4d7b8", + "sbom.spdx.json": "3f4850fc7da4fde7f97d33d0c6b78a0e50bac716fbb4f0dab2b6a3c29fe302be", + "symbols.json": "45aa8a689a6fcca0a0c96e587da654d30301b37190d70dd25240231e14cf4df2", + "vex.openvex.json": "3fa11fea858bb9520c1b9c656d1d6b8191fb15a11aa92ccb933ce999b115a29b" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "unreachable" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/reachgraph.truth.json index ec198e135..2afd278dc 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/reachgraph.truth.json @@ -1,16 +1,6 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://node:node.c#sink", - "kind": "generic" - } - ], - "paths": [ - [ - "sym://net:handler#read", - "sym://node:node.c#entry", - "sym://node:node.c#sink" - ] - ] + "case_id": "node-express-middleware-order-auth-bypass", + "paths": [], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/sbom.cdx.json index 42913d53b..4c607f2b8 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "node-express-middleware-order-auth-bypass", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/sbom.spdx.json index 38e10e06b..1d29fb92f 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "node-express-middleware-order-auth-bypass", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/symbols.json index 99b86a64c..ffdf2e5eb 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/symbols.json 
@@ -1,31 +1,6 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/node@0.0.1", - "files": [ - { - "path": "/src/node.c", - "funcs": [ - { - "sid": "sym://node:node.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://node:node.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "node-express-middleware-order-auth-bypass", + "schema_version": "reachbench.symbols/v1", + "symbols": [], + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/vex.openvex.json index eb7c35e0b..6795af88d 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/vex.openvex.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-express-middleware-order-auth-bypass/images/unreachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "TBD", + "products": [ + "pkg:node-express-middleware-order-auth-bypass" + ], "status": "not_affected", - "justification": "vulnerable_code_not_in_execute_path", - "impact_statement": "Pruned by configuration; path unreachable." + "statusJustification": "component_not_present", + "vulnerability": "node-express-middleware-order-auth-bypass" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/attestation.dsse.json index db3c76ac8..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/node-tar-CVE-2021-37713-path-traversal:reachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/callgraph.framework.json index e7aafb7e4..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/callgraph.framework.json 
@@ -1,10 +1,5 @@ { - "schema_version": "1.0", - "edges": [ - { - "from": "sym://node:express#route:/vuln", - "to": "sym://node:node.c#entry", - "kind": "middleware" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/callgraph.static.json index 1942a53bc..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://node:node.c#entry" - }, - { - "sid": "sym://node:node.c#sink" - } - ], - "edges": [ - { - "from": "sym://node:node.c#entry", - "to": "sym://node:node.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/manifest.json index 319e2fc59..f01fb5272 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/manifest.json 
@@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/node-tar-CVE-2021-37713-path-traversal:reachable", - "config_flags": { - "FEATURE_FLAG": true, - "POLICY_MODE": "permissive" + "case_id": "node-tar-CVE-2021-37713-path-traversal", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "0bbbab7a034667021473bd75c43b5f4317e5b99aa55a1ffd37696c61899ffe14", + "sbom.cdx.json": "bd237786ad3208f9f41ad2b56d05c4f3482966628f28bd7ece00dc37d247fb3d", + "sbom.spdx.json": "971e3ef7be1edbf5b58b72753740742773333003d953ffbcc88581c97aea9464", + "symbols.json": "c532dbbb307244b4f83dab9b7a767906c90e4bea518f3753159064e34d4d70aa", + "vex.openvex.json": "bcd7c056e063ad8ed87cdfdfd3bb4e9bff1753acc738380b2e6c779db6f6ce46" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/reachgraph.truth.json index ec198e135..dccc82f40 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/reachgraph.truth.json 
@@ -1,16 +1,12 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://node:node.c#sink", - "kind": "generic" - } - ], + "case_id": "node-tar-CVE-2021-37713-path-traversal", "paths": [ [ "sym://net:handler#read", "sym://node:node.c#entry", "sym://node:node.c#sink" ] - ] + ], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/sbom.cdx.json index 42913d53b..841d4c5ad 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "node-tar-CVE-2021-37713-path-traversal", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/sbom.spdx.json index 38e10e06b..53c603757 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/sbom.spdx.json 
@@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "node-tar-CVE-2021-37713-path-traversal", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/symbols.json index 99b86a64c..b0b62ec65 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/symbols.json @@ -1,31 +1,8 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/node@0.0.1", - "files": [ - { - "path": "/src/node.c", - "funcs": [ - { - "sid": "sym://node:node.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://node:node.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "node-tar-CVE-2021-37713-path-traversal", + "schema_version": "reachbench.symbols/v1", + "symbols": [ + "sym://node:node.c#sink" + ], + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/vex.openvex.json index 79a68ab9e..3ea714044 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/vex.openvex.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/reachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2021-37713", + "products": [ + "pkg:node-tar-CVE-2021-37713-path-traversal" + ], "status": "affected", - "justification": "reasoning_provided", - "impact_statement": "Function-level path is reachable." + "statusJustification": "component_present", + "vulnerability": "cve:CVE-2021-37713" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/attestation.dsse.json index cf8dfbe16..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/node-tar-CVE-2021-37713-path-traversal:unreachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
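Review bot: `"statusJustification": "component_present"` on the `affected` statement does not match OpenVEX, where the field is named `justification`, applies to `not_affected` statements, and has no `component_present` value. The removed lines used the OpenVEX names (`justification`, `impact_statement`), so a consumer that parses this file as OpenVEX will probably ignore the new field without reporting it. For the affected case I would drop the field or keep an `impact_statement`. The product string `pkg:node-tar-CVE-2021-37713-path-traversal` is also not a purl with a type, which is worth checking against what the Scanner matches on. The openssh reachable vex.openvex.json hunk has the same shape.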
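Review bot: With `"payload": ""` and `"signatures": []` this envelope attests to nothing, so the SHA-256 values in the variant's manifest.json are the only integrity signal, and they sit in the same directory as the files they cover. That catches accidental drift but not an edit that also updates the manifest. If the DSSE file is a placeholder, I would state it in the README, for example `attestation.dsse.json is an unsigned placeholder; manifest hashes guard determinism, not authenticity`, and have the fixture tests assert that the pipeline reports the envelope as unsigned rather than accepting it. The same file content is used for every case and variant in this commit.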
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/callgraph.framework.json index e7aafb7e4..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/callgraph.framework.json @@ -1,10 +1,5 @@ { - "schema_version": "1.0", - "edges": [ - { - "from": "sym://node:express#route:/vuln", - "to": "sym://node:node.c#entry", - "kind": "middleware" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/callgraph.static.json index 1942a53bc..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://node:node.c#entry" - }, - { - "sid": "sym://node:node.c#sink" - } - ], - "edges": [ - { - "from": "sym://node:node.c#entry", - "to": "sym://node:node.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/manifest.json index fe5a92341..3722c3b69 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/node-tar-CVE-2021-37713-path-traversal:unreachable", - "config_flags": { - "FEATURE_FLAG": false, - "POLICY_MODE": "enforcing" + "case_id": "node-tar-CVE-2021-37713-path-traversal", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "02751e4826f1ebec26f76961b3993f0bf33d3af8d1778fb0ae384ef890eecc5c", + "sbom.cdx.json": "bd237786ad3208f9f41ad2b56d05c4f3482966628f28bd7ece00dc37d247fb3d", + "sbom.spdx.json": "971e3ef7be1edbf5b58b72753740742773333003d953ffbcc88581c97aea9464", + "symbols.json": "806a418424cbf187306971605d13cc4243e9203b8e0529eebbc9846ed67314b1", + "vex.openvex.json": "70174199bce72123d6a646dce6508d6693d7da1a92b464707b6a3fb3b2e4db7d" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "unreachable" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/reachgraph.truth.json index ec198e135..47767fdde 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/reachgraph.truth.json @@ -1,16 +1,6 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://node:node.c#sink", - "kind": "generic" - } - ], - "paths": [ - [ - "sym://net:handler#read", - "sym://node:node.c#entry", - "sym://node:node.c#sink" - ] - ] + "case_id": "node-tar-CVE-2021-37713-path-traversal", + "paths": [], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/sbom.cdx.json index 42913d53b..841d4c5ad 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "node-tar-CVE-2021-37713-path-traversal", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/sbom.spdx.json index 38e10e06b..53c603757 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "node-tar-CVE-2021-37713-path-traversal", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/symbols.json index 99b86a64c..c13ea6654 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/symbols.json 
@@ -1,31 +1,6 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/node@0.0.1", - "files": [ - { - "path": "/src/node.c", - "funcs": [ - { - "sid": "sym://node:node.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://node:node.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "node-tar-CVE-2021-37713-path-traversal", + "schema_version": "reachbench.symbols/v1", + "symbols": [], + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/vex.openvex.json index a2fffede0..c35f9265c 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/vex.openvex.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/node-tar-CVE-2021-37713-path-traversal/images/unreachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2021-37713", + "products": [ + "pkg:node-tar-CVE-2021-37713-path-traversal" + ], "status": "not_affected", - "justification": "vulnerable_code_not_in_execute_path", - "impact_statement": "Pruned by configuration; path unreachable." + "statusJustification": "component_not_present", + "vulnerability": "cve:CVE-2021-37713" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file 
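Review bot: In the `not_affected` statement of the unreachable vex.openvex.json, `component_not_present` replaces `vulnerable_code_not_in_execute_path`, which changes the claim from "the code is present but not on an execution path" to "the component is absent". For a reachability benchmark the former is the condition under test, and the latter arguably disagrees with sbom.cdx.json, which names the component in `metadata.component`. I would keep `"justification": "vulnerable_code_not_in_execute_path"` for the unreachable variants. The openssh unreachable vex.openvex.json hunk makes the same substitution.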
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/attestation.dsse.json index 09ecb47c5..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/openssh-CVE-2024-6387-regreSSHion:reachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/callgraph.framework.json 
@@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/callgraph.static.json index 9a60bc46f..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://openssh:openssh.c#entry" - }, - { - "sid": "sym://openssh:openssh.c#sink" - } - ], - "edges": [ - { - "from": "sym://openssh:openssh.c#entry", - "to": "sym://openssh:openssh.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/manifest.json index 102de6964..547b73b57 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/manifest.json 
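Review bot: The reachable variant's callgraph.static.json now has empty `nodes` and `edges`, while reachgraph.truth.json for the same variant still lists the path `sym://net:handler#read`, `sym://openssh:openssh.c#entry`, `sym://openssh:openssh.c#sink`. No analysis of this callgraph can reproduce that path, and the manifests confirm that the reachable and unreachable variants share one callgraph.static.json hash, so the two inputs differ only in the truth, symbols and VEX files. I would keep the removed `entry` to `sink` edge and its two nodes in the reachable variant, under the new `schema_version`. The openssl reachable callgraph.static.json hunk has the same problem.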
@@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/openssh-CVE-2024-6387-regreSSHion:reachable", - "config_flags": { - "FEATURE_FLAG": true, - "POLICY_MODE": "permissive" + "case_id": "openssh-CVE-2024-6387-regreSSHion", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "573a54be180f06ac67ad206a9fc55b6e24a92b5560d931ecef7e534d35e0bd59", + "sbom.cdx.json": "04d9991ac2950015546093ad479344b1ab8365495c54a45a49ce6738d115b13d", + "sbom.spdx.json": "adb3128162032496f058f46b0e821b4f8c1a673c8ebdcd1ba3b0961912c95886", + "symbols.json": "73bdbf7929a114b682f37794706cbeb86d998a5558849fb17a6f74e07ddec575", + "vex.openvex.json": "a9a5faa5120965062783d59139da86fb1e56dfb946e033678ce908889a65adec" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/reachgraph.truth.json index 29d415030..e51ac37c1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/reachgraph.truth.json 
@@ -1,16 +1,12 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://openssh:openssh.c#sink", - "kind": "generic" - } - ], + "case_id": "openssh-CVE-2024-6387-regreSSHion", "paths": [ [ "sym://net:handler#read", "sym://openssh:openssh.c#entry", "sym://openssh:openssh.c#sink" ] - ] + ], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/sbom.cdx.json index 42913d53b..6a6882e14 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "openssh-CVE-2024-6387-regreSSHion", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/sbom.spdx.json index 38e10e06b..15d545dcb 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/sbom.spdx.json 
@@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "openssh-CVE-2024-6387-regreSSHion", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/symbols.json index 2f060b67b..fb10138b1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/symbols.json @@ -1,31 +1,8 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/openssh@0.0.1", - "files": [ - { - "path": "/src/openssh.c", - "funcs": [ - { - "sid": "sym://openssh:openssh.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://openssh:openssh.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "openssh-CVE-2024-6387-regreSSHion", + "schema_version": "reachbench.symbols/v1", + "symbols": [ + "sym://openssh:openssh.c#sink" + ], + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/vex.openvex.json index ddfc7ccb9..4e364d592 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/vex.openvex.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/reachable/vex.openvex.json 
@@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2024-6387", + "products": [ + "pkg:openssh-CVE-2024-6387-regreSSHion" + ], "status": "affected", - "justification": "reasoning_provided", - "impact_statement": "Function-level path is reachable." + "statusJustification": "component_present", + "vulnerability": "cve:CVE-2024-6387" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/attestation.dsse.json index dfb9f68e8..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/openssh-CVE-2024-6387-regreSSHion:unreachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/callgraph.framework.json @@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/callgraph.static.json index 9a60bc46f..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://openssh:openssh.c#entry" - }, - { - "sid": "sym://openssh:openssh.c#sink" - } - ], - "edges": [ - { - "from": "sym://openssh:openssh.c#entry", - "to": "sym://openssh:openssh.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/manifest.json index 352503ca8..ed6b6ec15 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/openssh-CVE-2024-6387-regreSSHion:unreachable", - "config_flags": { - "FEATURE_FLAG": false, - "POLICY_MODE": "enforcing" + "case_id": "openssh-CVE-2024-6387-regreSSHion", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "e6ecfb707f6ef8b89f52aa4883bc48642dea20a3d7bf647fb04b30a55e5e6be0", + "sbom.cdx.json": "04d9991ac2950015546093ad479344b1ab8365495c54a45a49ce6738d115b13d", + "sbom.spdx.json": "adb3128162032496f058f46b0e821b4f8c1a673c8ebdcd1ba3b0961912c95886", + "symbols.json": "d57f06dcd7f95bf8dcc3c8dc7e2a5096b3a0b36098b9bb7714d4a434dd190371", + "vex.openvex.json": "25a0ed4ff5e7bc23f5b0c80c2264ad14b6a8a1bb124cf32360a227b2b2e68daf" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/reachgraph.truth.json index 29d415030..a6a90289d 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/reachgraph.truth.json @@ -1,16 +1,6 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://openssh:openssh.c#sink", - "kind": "generic" - } - ], - "paths": [ - [ - "sym://net:handler#read", - "sym://openssh:openssh.c#entry", - "sym://openssh:openssh.c#sink" - ] - ] + "case_id": "openssh-CVE-2024-6387-regreSSHion", + "paths": [], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/sbom.cdx.json index 42913d53b..6a6882e14 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "openssh-CVE-2024-6387-regreSSHion", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/sbom.spdx.json index 38e10e06b..15d545dcb 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/sbom.spdx.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "openssh-CVE-2024-6387-regreSSHion", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/symbols.json index 2f060b67b..a02cd8faf 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/symbols.json @@ -1,31 +1,6 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/openssh@0.0.1", - "files": [ - { - "path": "/src/openssh.c", - "funcs": [ - { - "sid": "sym://openssh:openssh.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://openssh:openssh.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "openssh-CVE-2024-6387-regreSSHion", + "schema_version": "reachbench.symbols/v1", + "symbols": [], + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/vex.openvex.json index 9fcfef671..82afd433f 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/vex.openvex.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssh-CVE-2024-6387-regreSSHion/images/unreachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2024-6387", + "products": [ + "pkg:openssh-CVE-2024-6387-regreSSHion" + ], "status": "not_affected", - "justification": "vulnerable_code_not_in_execute_path", - "impact_statement": "Pruned by configuration; path unreachable." + "statusJustification": "component_not_present", + "vulnerability": "cve:CVE-2024-6387" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/attestation.dsse.json index 444ceb36a..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/openssl-CVE-2022-3602-x509-name-constraints:reachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/callgraph.framework.json
index 299d7dd3b..e05bd98c6 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/callgraph.framework.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/callgraph.framework.json
@@ -1,4 +1,5 @@
 {
- "schema_version": "1.0",
- "edges": []
+ "edges": [],
+ "nodes": [],
+ "schema_version": "reachbench.callgraph.framework/v1"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/callgraph.static.json
index 2d20aff47..6b25cb074 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/callgraph.static.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/callgraph.static.json
@@ -1,18 +1,5 @@
 {
- "schema_version": "1.0",
- "nodes": [
- {
- "sid": "sym://openssl:openssl.c#entry"
- },
- {
- "sid": "sym://openssl:openssl.c#sink"
- }
- ],
- "edges": [
- {
- "from": "sym://openssl:openssl.c#entry",
- "to": "sym://openssl:openssl.c#sink",
- "kind": "direct"
- }
- ]
+ "edges": [],
+ "nodes": [],
+ "schema_version": "reachbench.callgraph.static/v1"
 }
\ No newline at end of file
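Review bot: `callgraph.static.json` for the reachable variant now has empty `nodes` and `edges`, while the same variant's `reachgraph.truth.json` still lists the path `sym://net:handler#read` → `sym://openssl:openssl.c#entry` → `sym://openssl:openssl.c#sink`. From this file alone an analyzer cannot derive that path, so the reachable case no longer separates a working reachability analysis from a broken one. I would keep the two nodes and the direct edge in the reachable variant, e.g. `"edges": [{"from": "sym://openssl:openssl.c#entry", "to": "sym://openssl:openssl.c#sink", "kind": "direct"}]`, and empty them only for the unreachable variant. The php-phpmailer reachable call graph later in the diff is emptied the same way.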
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/manifest.json
index 45105ba87..192b9e32e 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/manifest.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/manifest.json
@@ -1,8 +1,15 @@
 {
- "image": "ghcr.io/reachbench/openssl-CVE-2022-3602-x509-name-constraints:reachable",
- "config_flags": {
- "FEATURE_FLAG": true,
- "POLICY_MODE": "permissive"
+ "case_id": "openssl-CVE-2022-3602-x509-name-constraints",
+ "files": {
+ "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
+ "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
+ "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
+ "reachgraph.truth.json": "bcc9ce550ea18fae6bd12fe8ff7af87e39b751c1f74735d003598548569858f7",
+ "sbom.cdx.json": "374cd5f25f0fcd1b58eb23707842ddc95a7755b934a4980ce128d3e03199620a",
+ "sbom.spdx.json": "0edaca9b8d2b7bceed84e66f0733a4ce66bfecfeccb60ce913f67048df3bb193",
+ "symbols.json": "a98a37d8759a6e9823d151d3485ef900e455bd6c7c0b47dae47a471ad0b4b8b2",
+ "vex.openvex.json": "a06ce87aed550880248f6b4e7bd5c78b9a3c967fdda83868557d4cbd2547cd29"
 },
- "sha256": "STUB_DIGEST"
+ "schema_version": "reachbench.manifest/v1",
+ "variant": "reachable"
 }
\ No newline at end of file
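Review bot: The `files` map pins SHA-256 values for eight text files, and those digests change if a checkout rewrites line endings, so the hash check can fail on a machine with end-of-line conversion enabled even though the fixture is intact. Whether the repository already disables conversion for this tree is not visible in the diff; if it does not, a `.gitattributes` line such as `tests/reachability/fixtures/** -text` keeps the bytes stable. The manifest sits beside the files it covers and is not itself hashed, so the check detects accidental drift rather than deliberate edits. The other `manifest.json` hunks in this diff have the same shape.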
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/reachgraph.truth.json index 80f286117..0ebf66250 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/reachgraph.truth.json @@ -1,16 +1,12 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://openssl:openssl.c#sink", - "kind": "generic" - } - ], + "case_id": "openssl-CVE-2022-3602-x509-name-constraints", "paths": [ [ "sym://net:handler#read", "sym://openssl:openssl.c#entry", "sym://openssl:openssl.c#sink" ] - ] + ], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/sbom.cdx.json index 42913d53b..cce6abc49 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "openssl-CVE-2022-3602-x509-name-constraints", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/sbom.spdx.json index 38e10e06b..ef16d4ffa 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "openssl-CVE-2022-3602-x509-name-constraints", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/symbols.json index 02d8ef9ce..ed1af487e 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/symbols.json 
@@ -1,31 +1,8 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/openssl@0.0.1", - "files": [ - { - "path": "/src/openssl.c", - "funcs": [ - { - "sid": "sym://openssl:openssl.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://openssl:openssl.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "openssl-CVE-2022-3602-x509-name-constraints", + "schema_version": "reachbench.symbols/v1", + "symbols": [ + "sym://openssl:openssl.c#sink" + ], + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/vex.openvex.json index b6b9a91a0..c42bb77ca 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/vex.openvex.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/reachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2022-3602", + "products": [ + "pkg:openssl-CVE-2022-3602-x509-name-constraints" + ], "status": "affected", - "justification": "reasoning_provided", - "impact_statement": "Function-level path is reachable." + "statusJustification": "component_present", + "vulnerability": "cve:CVE-2022-3602" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/attestation.dsse.json index aec32695f..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/openssl-CVE-2022-3602-x509-name-constraints:unreachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/callgraph.framework.json 
@@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/callgraph.static.json index 2d20aff47..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://openssl:openssl.c#entry" - }, - { - "sid": "sym://openssl:openssl.c#sink" - } - ], - "edges": [ - { - "from": "sym://openssl:openssl.c#entry", - "to": "sym://openssl:openssl.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/manifest.json index 894af1762..d3b562058 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/manifest.json 
@@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/openssl-CVE-2022-3602-x509-name-constraints:unreachable", - "config_flags": { - "FEATURE_FLAG": false, - "POLICY_MODE": "enforcing" + "case_id": "openssl-CVE-2022-3602-x509-name-constraints", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "f114155ee62717f1d24fa2bdc42870eedb174e31a125e7e02a0fa2c469b10860", + "sbom.cdx.json": "374cd5f25f0fcd1b58eb23707842ddc95a7755b934a4980ce128d3e03199620a", + "sbom.spdx.json": "0edaca9b8d2b7bceed84e66f0733a4ce66bfecfeccb60ce913f67048df3bb193", + "symbols.json": "0cede4adadb502cfe38e2bfa85fa7886d1bb112e929574de1d7427b512c97b76", + "vex.openvex.json": "e478856a30ec642dfe6b63d8937de0a2ded4f73ad6d161f61b90326fbd6b2b65" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/reachgraph.truth.json index 80f286117..41ba0e1c2 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/reachgraph.truth.json 
@@ -1,16 +1,6 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://openssl:openssl.c#sink", - "kind": "generic" - } - ], - "paths": [ - [ - "sym://net:handler#read", - "sym://openssl:openssl.c#entry", - "sym://openssl:openssl.c#sink" - ] - ] + "case_id": "openssl-CVE-2022-3602-x509-name-constraints", + "paths": [], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/sbom.cdx.json index 42913d53b..cce6abc49 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "openssl-CVE-2022-3602-x509-name-constraints", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/sbom.spdx.json index 38e10e06b..ef16d4ffa 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/sbom.spdx.json 
@@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "openssl-CVE-2022-3602-x509-name-constraints", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/symbols.json index 02d8ef9ce..bc3a435ce 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/symbols.json @@ -1,31 +1,6 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/openssl@0.0.1", - "files": [ - { - "path": "/src/openssl.c", - "funcs": [ - { - "sid": "sym://openssl:openssl.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://openssl:openssl.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "openssl-CVE-2022-3602-x509-name-constraints", + "schema_version": "reachbench.symbols/v1", + "symbols": [], + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/vex.openvex.json index 718c169db..e9a12cedb 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/vex.openvex.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/openssl-CVE-2022-3602-x509-name-constraints/images/unreachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2022-3602", + "products": [ + "pkg:openssl-CVE-2022-3602-x509-name-constraints" + ], "status": "not_affected", - "justification": "vulnerable_code_not_in_execute_path", - "impact_statement": "Pruned by configuration; path unreachable." + "statusJustification": "component_not_present", + "vulnerability": "cve:CVE-2022-3602" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/attestation.dsse.json index e618142f7..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/php-phpmailer-CVE-2016-10033-rce:reachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/callgraph.framework.json @@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/callgraph.static.json index dd26df0a5..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://php:php.c#entry" - }, - { - "sid": "sym://php:php.c#sink" - } - ], - "edges": [ - { - "from": "sym://php:php.c#entry", - "to": "sym://php:php.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/manifest.json index 19a1ffb51..e7f2f57bb 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/php-phpmailer-CVE-2016-10033-rce:reachable", - "config_flags": { - "FEATURE_FLAG": true, - "POLICY_MODE": "permissive" + "case_id": "php-phpmailer-CVE-2016-10033-rce", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "8a4c1f78c866a351322eb9b12dca1b0a6218aee5094bca0a4b7090e00ae524cd", + "sbom.cdx.json": "9fc0ad284188e41a23fc678128e5e0fa263c39431e7c976c82d8ec7d0b6b0339", + "sbom.spdx.json": "96cf94ee5085078d14ee5c19666a9e146c278b785ed57eb2b47faf45b9d18b85", + "symbols.json": "2c47399bcb375356772a6f5fd4e1230721a0807f450b33dd9a512e72f0f932b0", + "vex.openvex.json": "2b258cf5cfb4a08edabcc0d865c4c4531b67a59b6c3835412f4b417e36693f84" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/reachgraph.truth.json index c3e890b27..f940819cd 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/reachgraph.truth.json @@ -1,16 +1,12 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://php:php.c#sink", - "kind": "generic" - } - ], + "case_id": "php-phpmailer-CVE-2016-10033-rce", "paths": [ [ "sym://net:handler#read", "sym://php:php.c#entry", "sym://php:php.c#sink" ] - ] + ], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/sbom.cdx.json index 42913d53b..da1687b35 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "php-phpmailer-CVE-2016-10033-rce", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/sbom.spdx.json index 38e10e06b..46c726ca9 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/sbom.spdx.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "php-phpmailer-CVE-2016-10033-rce", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/symbols.json index b8a19e77d..404b7c2e4 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/symbols.json @@ -1,31 +1,8 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/php@0.0.1", - "files": [ - { - "path": "/src/php.c", - "funcs": [ - { - "sid": "sym://php:php.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://php:php.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "php-phpmailer-CVE-2016-10033-rce", + "schema_version": "reachbench.symbols/v1", + "symbols": [ + "sym://php:php.c#sink" + ], + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/vex.openvex.json index 06d6fa6e7..620f129a6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/vex.openvex.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/reachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2016-10033", + "products": [ + "pkg:php-phpmailer-CVE-2016-10033-rce" + ], "status": "affected", - "justification": "reasoning_provided", - "impact_statement": "Function-level path is reachable." + "statusJustification": "component_present", + "vulnerability": "cve:CVE-2016-10033" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/attestation.dsse.json index 8138e6f69..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/php-phpmailer-CVE-2016-10033-rce:unreachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/callgraph.framework.json @@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/callgraph.static.json index dd26df0a5..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://php:php.c#entry" - }, - { - "sid": "sym://php:php.c#sink" - } - ], - "edges": [ - { - "from": "sym://php:php.c#entry", - "to": "sym://php:php.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/manifest.json index af22bcd6d..15c2a4765 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/php-phpmailer-CVE-2016-10033-rce:unreachable", - "config_flags": { - "FEATURE_FLAG": false, - "POLICY_MODE": "enforcing" + "case_id": "php-phpmailer-CVE-2016-10033-rce", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "03c99d5de2d6da9de07480d43bed6ce79a73b1a9abb2ccdd02c04c2eaa3c9bc4", + "sbom.cdx.json": "9fc0ad284188e41a23fc678128e5e0fa263c39431e7c976c82d8ec7d0b6b0339", + "sbom.spdx.json": "96cf94ee5085078d14ee5c19666a9e146c278b785ed57eb2b47faf45b9d18b85", + "symbols.json": "27a70634762c365d15ab5135cc5eb54721ad8407ae295ca71ca227f41847569c", + "vex.openvex.json": "56a227d9bf325b0dce2875c99d09bf999d2c7b17402af641c6902314108ee980" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/reachgraph.truth.json index c3e890b27..8f3253c1e 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/reachgraph.truth.json @@ -1,16 +1,6 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://php:php.c#sink", - "kind": "generic" - } - ], - "paths": [ - [ - "sym://net:handler#read", - "sym://php:php.c#entry", - "sym://php:php.c#sink" - ] - ] + "case_id": "php-phpmailer-CVE-2016-10033-rce", + "paths": [], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/sbom.cdx.json index 42913d53b..da1687b35 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "php-phpmailer-CVE-2016-10033-rce", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/sbom.spdx.json index 38e10e06b..46c726ca9 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/sbom.spdx.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "php-phpmailer-CVE-2016-10033-rce", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/symbols.json index b8a19e77d..2de317e29 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/symbols.json @@ -1,31 +1,6 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/php@0.0.1", - "files": [ - { - "path": "/src/php.c", - "funcs": [ - { - "sid": "sym://php:php.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://php:php.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "php-phpmailer-CVE-2016-10033-rce", + "schema_version": "reachbench.symbols/v1", + "symbols": [], + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/vex.openvex.json index 271b2d42e..20664c839 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/vex.openvex.json 
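Review bot: The new SPDX document declares `"spdxVersion": "SPDX-2.3"` but drops `creationInfo` and has no `dataLicense` or `documentNamespace`, all of which SPDX 2.3 requires at document level, so a schema-validating consumer is likely to reject it. If the timestamp was removed for determinism, a pinned value keeps the file both stable and valid, for example `"creationInfo": {"created": "2025-11-18T00:00:00Z", "creators": ["Tool: reachbench"]}` (creator string is illustrative). The other `sbom.spdx.json` hunks have the same shape.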
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/php-phpmailer-CVE-2016-10033-rce/images/unreachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2016-10033", + "products": [ + "pkg:php-phpmailer-CVE-2016-10033-rce" + ], "status": "not_affected", - "justification": "vulnerable_code_not_in_execute_path", - "impact_statement": "Pruned by configuration; path unreachable." + "statusJustification": "component_not_present", + "vulnerability": "cve:CVE-2016-10033" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/attestation.dsse.json index 8bbd6878a..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/python-django-CVE-2019-19844-sqli-like:reachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
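Review bot: `"statusJustification": "component_not_present"` changes what this unreachable fixture asserts: the replaced `vulnerable_code_not_in_execute_path` described a present component whose vulnerable path is not executed, which is the case a reachability benchmark exists to test. OpenVEX names the field `justification` and applies it only to `not_affected` statements; the `component_present` value used by the reachable variants is not one of its defined values as far as I know. The product id `pkg:php-phpmailer-CVE-2016-10033-rce` also lacks a purl type segment. Suggest `"justification": "vulnerable_code_not_in_execute_path"` here and in the python-django unreachable file, and no justification on the `affected` statements.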
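Review bot: The envelope declares `"payloadType": "application/vnd.in-toto+json"` with `"payload": ""` and `"signatures": []`, so it decodes to zero bytes rather than an in-toto statement and gives a verifier nothing to check. The removed stub at least listed the materials; the replacement is byte-identical across cases, so it binds nothing to this case. If an unsigned placeholder is intended, the fixture tests should assert that the pipeline reports such an envelope as unsigned rather than verified. The other `attestation.dsse.json` hunks are the same.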
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/callgraph.framework.json @@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/callgraph.static.json index 957504c2c..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://python:python.c#entry" - }, - { - "sid": "sym://python:python.c#sink" - } - ], - "edges": [ - { - "from": "sym://python:python.c#entry", - "to": "sym://python:python.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
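Review bot: Emptying `nodes` and `edges` in the reachable variant's `callgraph.static.json` leaves it identical to the unreachable one (both python-django manifests list `99c850cc…` for it), while this variant's `reachgraph.truth.json` still expects the path `sym://python:python.c#entry` to `sym://python:python.c#sink` and its `symbols.json` lists only the sink. An analyzer fed these inputs cannot derive the ground-truth path, so the reachable/unreachable pair no longer discriminates on the callgraph. Either keep the removed `entry` to `sink` edge in the reachable variant, or have the fixture tests check that every symbol on a truth path appears in the callgraph. The python-jinja2 reachable files show the same mismatch.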
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/manifest.json index a69b2391c..fc517959c 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/python-django-CVE-2019-19844-sqli-like:reachable", - "config_flags": { - "FEATURE_FLAG": true, - "POLICY_MODE": "permissive" + "case_id": "python-django-CVE-2019-19844-sqli-like", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "2ccb39511b35781e96992a480df92beef1c8dbf600d46090b309bfa459397b4f", + "sbom.cdx.json": "33856cb8dfc4b3f14550762c0d6f7d93ed4bc5bc249ed57fe963f7861839bf24", + "sbom.spdx.json": "49ad943b01713c7b711ca2636b351e96581f1323b4be819c3ef25d5cbeeb78c3", + "symbols.json": "b9e2cd285f58d83a44807eceb3011431bab2547dd4f8157f59e685d17b55a384", + "vex.openvex.json": "390fbd7d3099d948046fb31d83e805ea532ce7fb20abdbb270eea55d4c7d3019" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "reachable" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/reachgraph.truth.json index 8c105ee3a..e3b512b77 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/reachgraph.truth.json @@ -1,16 +1,12 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://python:python.c#sink", - "kind": "generic" - } - ], + "case_id": "python-django-CVE-2019-19844-sqli-like", "paths": [ [ "sym://net:handler#read", "sym://python:python.c#entry", "sym://python:python.c#sink" ] - ] + ], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/sbom.cdx.json index 42913d53b..c270ea2b6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "python-django-CVE-2019-19844-sqli-like", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/sbom.spdx.json index 38e10e06b..79690334b 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "python-django-CVE-2019-19844-sqli-like", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/symbols.json index fe54a5e55..ebad825c0 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/symbols.json 
@@ -1,31 +1,8 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/python@0.0.1", - "files": [ - { - "path": "/src/python.c", - "funcs": [ - { - "sid": "sym://python:python.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://python:python.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "python-django-CVE-2019-19844-sqli-like", + "schema_version": "reachbench.symbols/v1", + "symbols": [ + "sym://python:python.c#sink" + ], + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/vex.openvex.json index 6f9ef32fb..c2226dd73 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/vex.openvex.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/reachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2019-19844", + "products": [ + "pkg:python-django-CVE-2019-19844-sqli-like" + ], "status": "affected", - "justification": "reasoning_provided", - "impact_statement": "Function-level path is reachable." + "statusJustification": "component_present", + "vulnerability": "cve:CVE-2019-19844" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/attestation.dsse.json index b3d02d610..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/python-django-CVE-2019-19844-sqli-like:unreachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/callgraph.framework.json 
@@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/callgraph.static.json index 957504c2c..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://python:python.c#entry" - }, - { - "sid": "sym://python:python.c#sink" - } - ], - "edges": [ - { - "from": "sym://python:python.c#entry", - "to": "sym://python:python.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/manifest.json index ef132a4ca..55b5ef85b 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/manifest.json 
@@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/python-django-CVE-2019-19844-sqli-like:unreachable", - "config_flags": { - "FEATURE_FLAG": false, - "POLICY_MODE": "enforcing" + "case_id": "python-django-CVE-2019-19844-sqli-like", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "ee0cdda20523335d8c65739d9509a710000e11d8bb2ece93ec7930e8d06590a7", + "sbom.cdx.json": "33856cb8dfc4b3f14550762c0d6f7d93ed4bc5bc249ed57fe963f7861839bf24", + "sbom.spdx.json": "49ad943b01713c7b711ca2636b351e96581f1323b4be819c3ef25d5cbeeb78c3", + "symbols.json": "2f907e2686535d69767522c43fc0c71962ef6ce8bd9e48746707887ce186bf07", + "vex.openvex.json": "a6bfc8b8e86ca4f9cd2d2d107a14531bc13f84261a13b5cafb4e8d4b1c92c01b" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/reachgraph.truth.json index 8c105ee3a..4e0fd917b 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/reachgraph.truth.json 
@@ -1,16 +1,6 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://python:python.c#sink", - "kind": "generic" - } - ], - "paths": [ - [ - "sym://net:handler#read", - "sym://python:python.c#entry", - "sym://python:python.c#sink" - ] - ] + "case_id": "python-django-CVE-2019-19844-sqli-like", + "paths": [], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/sbom.cdx.json index 42913d53b..c270ea2b6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "python-django-CVE-2019-19844-sqli-like", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/sbom.spdx.json index 38e10e06b..79690334b 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/sbom.spdx.json 
@@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "python-django-CVE-2019-19844-sqli-like", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/symbols.json index fe54a5e55..ac1c0a954 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/symbols.json @@ -1,31 +1,6 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/python@0.0.1", - "files": [ - { - "path": "/src/python.c", - "funcs": [ - { - "sid": "sym://python:python.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://python:python.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "python-django-CVE-2019-19844-sqli-like", + "schema_version": "reachbench.symbols/v1", + "symbols": [], + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/vex.openvex.json index acecc6979..9bc93c60e 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/vex.openvex.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-django-CVE-2019-19844-sqli-like/images/unreachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2019-19844", + "products": [ + "pkg:python-django-CVE-2019-19844-sqli-like" + ], "status": "not_affected", - "justification": "vulnerable_code_not_in_execute_path", - "impact_statement": "Pruned by configuration; path unreachable." + "statusJustification": "component_not_present", + "vulnerability": "cve:CVE-2019-19844" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/attestation.dsse.json index 91e11f3ba..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/attestation.dsse.json 
@@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/python-jinja2-CVE-2019-10906-template-injection:reachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/callgraph.framework.json @@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/callgraph.static.json index 957504c2c..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/callgraph.static.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://python:python.c#entry" - }, - { - "sid": "sym://python:python.c#sink" - } - ], - "edges": [ - { - "from": "sym://python:python.c#entry", - "to": "sym://python:python.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/manifest.json index 42a9193f3..f9c3a212f 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/manifest.json 
@@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/python-jinja2-CVE-2019-10906-template-injection:reachable", - "config_flags": { - "FEATURE_FLAG": true, - "POLICY_MODE": "permissive" + "case_id": "python-jinja2-CVE-2019-10906-template-injection", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "2e56690ed9899e9ddad4a2dd9dd3715fe3b6349cc165fb10b797500d3b7bb240", + "sbom.cdx.json": "8a2681fcd3eb2aa82e2f0380126a9fe2caf130aac6ae4c66cd47f971c4ea347e", + "sbom.spdx.json": "4a04c563f3cf1b8a7b84add3443b9f2372150910844c2160193f26b75c004ff6", + "symbols.json": "97f7be8fae7c41424553821007c4e8ce0784c21014ceba12d77a8487af445ebb", + "vex.openvex.json": "088909aad48426345068b6373a27bacafcaa64fc49ecef43a15326d307f8b2e6" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/reachgraph.truth.json index 8c105ee3a..7d1393a62 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/reachgraph.truth.json 
@@ -1,16 +1,12 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://python:python.c#sink", - "kind": "generic" - } - ], + "case_id": "python-jinja2-CVE-2019-10906-template-injection", "paths": [ [ "sym://net:handler#read", "sym://python:python.c#entry", "sym://python:python.c#sink" ] - ] + ], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/sbom.cdx.json index 42913d53b..888637559 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "python-jinja2-CVE-2019-10906-template-injection", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/sbom.spdx.json index 38e10e06b..1a3f70441 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/sbom.spdx.json 
@@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "python-jinja2-CVE-2019-10906-template-injection", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/symbols.json index fe54a5e55..59bcea1ff 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/symbols.json @@ -1,31 +1,8 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/python@0.0.1", - "files": [ - { - "path": "/src/python.c", - "funcs": [ - { - "sid": "sym://python:python.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://python:python.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "python-jinja2-CVE-2019-10906-template-injection", + "schema_version": "reachbench.symbols/v1", + "symbols": [ + "sym://python:python.c#sink" + ], + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/vex.openvex.json index 043b45cf9..3cc20cbb3 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/vex.openvex.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/reachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2019-10906", + "products": [ + "pkg:python-jinja2-CVE-2019-10906-template-injection" + ], "status": "affected", - "justification": "reasoning_provided", - "impact_statement": "Function-level path is reachable." + "statusJustification": "component_present", + "vulnerability": "cve:CVE-2019-10906" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/attestation.dsse.json index 0e6890217..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/attestation.dsse.json 
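Review bot: The new statement carries `"statusJustification": "component_present"`, which, as far as I know, is not part of OpenVEX: the spec's field is `justification`, it applies only to `status: not_affected`, and `component_present` is not one of its enumerated values. If these files are meant to parse as OpenVEX, a schema-validating consumer would likely ignore or reject the field, so for this `affected` fixture I would drop the line. The product id `pkg:python-jinja2-CVE-2019-10906-template-injection` also has no purl type segment and matches nothing in `sbom.cdx.json`, whose `components` stays empty, so the statement cannot be resolved against the SBOM. The same shape appears in the other `vex.openvex.json` hunks of this commit.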
@@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/python-jinja2-CVE-2019-10906-template-injection:unreachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/callgraph.framework.json @@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/callgraph.static.json index 957504c2c..6b25cb074 100644 
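Review bot: The replacement envelope has `"payload": ""` and `"signatures": []`, so the fixture no longer names a subject or its materials and gives a verifier nothing to check. Every manifest visible in this part of the diff pins the file with the same SHA-256 (`12ced21c…`), so the manifest hash check passes on an envelope that attests to nothing. The hashes also sit beside the files they cover, which catches accidental drift rather than tampering. I would add a guard-rail test asserting that the DSSE verification path rejects an envelope with zero signatures, or state in the README that `attestation.dsse.json` is an unsigned placeholder. The same envelope replaces the stub in the other `attestation.dsse.json` hunks.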
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://python:python.c#entry" - }, - { - "sid": "sym://python:python.c#sink" - } - ], - "edges": [ - { - "from": "sym://python:python.c#entry", - "to": "sym://python:python.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/manifest.json index f023d4c01..c9ef86da5 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/manifest.json 
@@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/python-jinja2-CVE-2019-10906-template-injection:unreachable", - "config_flags": { - "FEATURE_FLAG": false, - "POLICY_MODE": "enforcing" + "case_id": "python-jinja2-CVE-2019-10906-template-injection", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "df69cb0fd97c3f90700905edbb739c872b13bca26ec8b23b5fca7df95c88e649", + "sbom.cdx.json": "8a2681fcd3eb2aa82e2f0380126a9fe2caf130aac6ae4c66cd47f971c4ea347e", + "sbom.spdx.json": "4a04c563f3cf1b8a7b84add3443b9f2372150910844c2160193f26b75c004ff6", + "symbols.json": "e8b79c2d1c222102e4dd1b3f009c98301bb9d20bfe535959a968719f55dbe558", + "vex.openvex.json": "14189de5cdec146e3f3690f9a33bf7bd43e788c1bd52deb9fccfbddf548d0fb3" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/reachgraph.truth.json index 8c105ee3a..1d05170fc 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/reachgraph.truth.json 
@@ -1,16 +1,6 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://python:python.c#sink", - "kind": "generic" - } - ], - "paths": [ - [ - "sym://net:handler#read", - "sym://python:python.c#entry", - "sym://python:python.c#sink" - ] - ] + "case_id": "python-jinja2-CVE-2019-10906-template-injection", + "paths": [], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/sbom.cdx.json index 42913d53b..888637559 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "python-jinja2-CVE-2019-10906-template-injection", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/sbom.spdx.json index 38e10e06b..1a3f70441 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/sbom.spdx.json 
@@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "python-jinja2-CVE-2019-10906-template-injection", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/symbols.json index fe54a5e55..05d7eeae0 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/symbols.json @@ -1,31 +1,6 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/python@0.0.1", - "files": [ - { - "path": "/src/python.c", - "funcs": [ - { - "sid": "sym://python:python.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://python:python.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "python-jinja2-CVE-2019-10906-template-injection", + "schema_version": "reachbench.symbols/v1", + "symbols": [], + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/vex.openvex.json index 2bbb6c0bf..b78b4bdb0 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/vex.openvex.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-jinja2-CVE-2019-10906-template-injection/images/unreachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2019-10906", + "products": [ + "pkg:python-jinja2-CVE-2019-10906-template-injection" + ], "status": "not_affected", - "justification": "vulnerable_code_not_in_execute_path", - "impact_statement": "Pruned by configuration; path unreachable." + "statusJustification": "component_not_present", + "vulnerability": "cve:CVE-2019-10906" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/attestation.dsse.json index dfd1c3f62..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/python-urllib3-dos-regex-TBD:reachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
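Review bot: The unreachable variant's justification changes from `vulnerable_code_not_in_execute_path` to `component_not_present`, which says the component is absent rather than that its vulnerable code is never executed. This is a reachability case and `sbom.cdx.json` for the same variant still names the component under `metadata.component`, so the VEX statement now contradicts the rest of the pack. A consumer that honours VEX would mark the finding not affected for a reason the fixture does not support. I would keep `"justification": "vulnerable_code_not_in_execute_path"` here and in the python-urllib3 unreachable `vex.openvex.json` hunk further down.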
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/callgraph.framework.json @@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/callgraph.static.json index 957504c2c..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://python:python.c#entry" - }, - { - "sid": "sym://python:python.c#sink" - } - ], - "edges": [ - { - "from": "sym://python:python.c#entry", - "to": "sym://python:python.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
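Review bot: The reachable variant's `callgraph.static.json` loses both nodes and its `entry` to `sink` edge, which leaves it identical to the unreachable variant (both manifests record `99c850cc…`). The `reachgraph.truth.json` for the same variant still asserts the path `sym://net:handler#read`, `sym://python:python.c#entry`, `sym://python:python.c#sink`. With `symbols.json` reduced to the sink alone, nothing in the pack lets a pipeline derive that path, so a tool could only match the truth by reading it. I would keep the edge `"from": "sym://python:python.c#entry", "to": "sym://python:python.c#sink"` in the reachable callgraph, or have the fixture test assert that every symbol on a truth path appears in `nodes`. The rails reachable `callgraph.static.json` hunk further down is emptied the same way.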
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/manifest.json index 7549f42d6..bac9ba3e5 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/python-urllib3-dos-regex-TBD:reachable", - "config_flags": { - "FEATURE_FLAG": true, - "POLICY_MODE": "permissive" + "case_id": "python-urllib3-dos-regex-TBD", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "77b65a72e7061171dd9bbabb55260c005e45c71156349c68995f5da21249f01d", + "sbom.cdx.json": "6de2dac2a942c4f98be45913bc283490e0a633d96f622864eba2f7e9ed40ddef", + "sbom.spdx.json": "fcc1da998d896c2a8d6c0b0386ae5a492ae242cc83dc03daaf2b6ee55d8ba9bb", + "symbols.json": "0de9697f4fe6f5d80df4aec4593599f6dbfbf9c92f2e19e4e8f6d39630a37aee", + "vex.openvex.json": "c785b009bc7c625f1e3cda129ab45ac436b43dc726f3902d092bfb4665a5a1dd" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/reachgraph.truth.json index 8c105ee3a..0d5eec2d0 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/reachgraph.truth.json @@ -1,16 +1,12 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://python:python.c#sink", - "kind": "generic" - } - ], + "case_id": "python-urllib3-dos-regex-TBD", "paths": [ [ "sym://net:handler#read", "sym://python:python.c#entry", "sym://python:python.c#sink" ] - ] + ], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/sbom.cdx.json index 42913d53b..cf727866a 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "python-urllib3-dos-regex-TBD", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/sbom.spdx.json index 38e10e06b..2f34d410f 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/sbom.spdx.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "python-urllib3-dos-regex-TBD", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/symbols.json index fe54a5e55..41617f85f 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/symbols.json @@ -1,31 +1,8 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/python@0.0.1", - "files": [ - { - "path": "/src/python.c", - "funcs": [ - { - "sid": "sym://python:python.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://python:python.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "python-urllib3-dos-regex-TBD", + "schema_version": "reachbench.symbols/v1", + "symbols": [ + "sym://python:python.c#sink" + ], + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/vex.openvex.json index a9c299cc5..ef6227aac 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/vex.openvex.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/reachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "TBD", + "products": [ + "pkg:python-urllib3-dos-regex-TBD" + ], "status": "affected", - "justification": "reasoning_provided", - "impact_statement": "Function-level path is reachable." + "statusJustification": "component_present", + "vulnerability": "python-urllib3-dos-regex-TBD" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/attestation.dsse.json index 5d409bf13..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/python-urllib3-dos-regex-TBD:unreachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/callgraph.framework.json @@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/callgraph.static.json index 957504c2c..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://python:python.c#entry" - }, - { - "sid": "sym://python:python.c#sink" - } - ], - "edges": [ - { - "from": "sym://python:python.c#entry", - "to": "sym://python:python.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/manifest.json index bd79cc931..2207997ca 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/python-urllib3-dos-regex-TBD:unreachable", - "config_flags": { - "FEATURE_FLAG": false, - "POLICY_MODE": "enforcing" + "case_id": "python-urllib3-dos-regex-TBD", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "fee28d40dd848e5e59b662622f33e2644e4328c6a2eb1a4f22f558fea0c69dfd", + "sbom.cdx.json": "6de2dac2a942c4f98be45913bc283490e0a633d96f622864eba2f7e9ed40ddef", + "sbom.spdx.json": "fcc1da998d896c2a8d6c0b0386ae5a492ae242cc83dc03daaf2b6ee55d8ba9bb", + "symbols.json": "bafb8c6703ba42f7fcb2d1bc5bba702282012d10f7d7026729083761e8b6bf26", + "vex.openvex.json": "342a13c0f33bbf5228756e7444aa1a0740b0f971115ead4db2668669e8055fb5" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/reachgraph.truth.json index 8c105ee3a..0cb40ca34 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/reachgraph.truth.json @@ -1,16 +1,6 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://python:python.c#sink", - "kind": "generic" - } - ], - "paths": [ - [ - "sym://net:handler#read", - "sym://python:python.c#entry", - "sym://python:python.c#sink" - ] - ] + "case_id": "python-urllib3-dos-regex-TBD", + "paths": [], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/sbom.cdx.json index 42913d53b..cf727866a 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "python-urllib3-dos-regex-TBD", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/sbom.spdx.json index 38e10e06b..2f34d410f 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/sbom.spdx.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "python-urllib3-dos-regex-TBD", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/symbols.json index fe54a5e55..b4a285494 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/symbols.json @@ -1,31 +1,6 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/python@0.0.1", - "files": [ - { - "path": "/src/python.c", - "funcs": [ - { - "sid": "sym://python:python.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://python:python.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "python-urllib3-dos-regex-TBD", + "schema_version": "reachbench.symbols/v1", + "symbols": [], + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/vex.openvex.json index eb7c35e0b..e7d10e30b 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/vex.openvex.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/python-urllib3-dos-regex-TBD/images/unreachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "TBD", + "products": [ + "pkg:python-urllib3-dos-regex-TBD" + ], "status": "not_affected", - "justification": "vulnerable_code_not_in_execute_path", - "impact_statement": "Pruned by configuration; path unreachable." + "statusJustification": "component_not_present", + "vulnerability": "python-urllib3-dos-regex-TBD" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/attestation.dsse.json index 123c314f1..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/rails-CVE-2019-5418-file-content-disclosure:reachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/callgraph.framework.json
index 299d7dd3b..e05bd98c6 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/callgraph.framework.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/callgraph.framework.json
@@ -1,4 +1,5 @@
 {
- "schema_version": "1.0",
- "edges": []
+ "edges": [],
+ "nodes": [],
+ "schema_version": "reachbench.callgraph.framework/v1"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/callgraph.static.json
index 37c19b1a4..6b25cb074 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/callgraph.static.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/callgraph.static.json
@@ -1,18 +1,5 @@
 {
- "schema_version": "1.0",
- "nodes": [
- {
- "sid": "sym://rails:rails.c#entry"
- },
- {
- "sid": "sym://rails:rails.c#sink"
- }
- ],
- "edges": [
- {
- "from": "sym://rails:rails.c#entry",
- "to": "sym://rails:rails.c#sink",
- "kind": "direct"
- }
- ]
+ "edges": [],
+ "nodes": [],
+ "schema_version": "reachbench.callgraph.static/v1"
 }
\ No newline at end of file
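Review bot: The reachable variant's `callgraph.static.json` now has empty `nodes` and `edges`, while the same variant's `reachgraph.truth.json` still lists the path `sym://net:handler#read` → `sym://rails:rails.c#entry` → `sym://rails:rails.c#sink`. With no edge in the graph, an analysis fed this fixture cannot derive the path the truth file expects, so the case presumably passes only because the tests compare files against the manifest and never run the analysis. Keeping the removed edge `{"from": "sym://rails:rails.c#entry", "to": "sym://rails:rails.c#sink", "kind": "direct"}` and its two nodes in the reachable variant would keep input and ground truth consistent. The redis reachable fixture has the same gap.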
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/manifest.json
index 15050a05b..042b44044 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/manifest.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/manifest.json
@@ -1,8 +1,15 @@
 {
- "image": "ghcr.io/reachbench/rails-CVE-2019-5418-file-content-disclosure:reachable",
- "config_flags": {
- "FEATURE_FLAG": true,
- "POLICY_MODE": "permissive"
+ "case_id": "rails-CVE-2019-5418-file-content-disclosure",
+ "files": {
+ "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
+ "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
+ "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
+ "reachgraph.truth.json": "c9d31abd8f660694b9cc88b0663390c36be5ca0c16da8061911ede2af396d64a",
+ "sbom.cdx.json": "c50edcd3ebed1a651e29f3ab41cdb37e2a6a1f7bdb567191bcf83fc1e76eba24",
+ "sbom.spdx.json": "7bcda4289b9cd770cad6408cbb1e9bbd6b8ef7ba15b79b795b5a183f22722925",
+ "symbols.json": "895ed278a0c2eb90a697755ff7509d7e9df3a1aa26153d2deea2e2e858a62aea",
+ "vex.openvex.json": "500bbf7564559d0f10e4cdf97f8142868d6d068b72bb223b8a4f6850e917aa93"
 },
- "sha256": "STUB_DIGEST"
+ "schema_version": "reachbench.manifest/v1",
+ "variant": "reachable"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/reachgraph.truth.json
index b4d7d8086..c17b71680 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/reachgraph.truth.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/reachgraph.truth.json
@@ -1,16 +1,12 @@
 {
- "schema_version": "1.0",
- "sinks": [
- {
- "sid": "sym://rails:rails.c#sink",
- "kind": "generic"
- }
- ],
+ "case_id": "rails-CVE-2019-5418-file-content-disclosure",
 "paths": [
 [
 "sym://net:handler#read",
 "sym://rails:rails.c#entry",
 "sym://rails:rails.c#sink"
 ]
- ]
+ ],
+ "schema_version": "reachbench.reachgraph.truth/v1",
+ "variant": "reachable"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/sbom.cdx.json
index 42913d53b..b53f075ea 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/sbom.cdx.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/sbom.cdx.json
@@ -1,5 +1,11 @@
 {
 "bomFormat": "CycloneDX",
- "specVersion": "1.6",
- "components": []
+ "components": [],
+ "metadata": {
+ "component": {
+ "name": "rails-CVE-2019-5418-file-content-disclosure",
+ "version": "0.0.0"
+ }
+ },
+ "specVersion": "1.5"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/sbom.spdx.json
index 38e10e06b..6c17566e0 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/sbom.spdx.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/sbom.spdx.json
@@ -1,6 +1,6 @@
 {
- "spdxVersion": "SPDX-3.0",
- "creationInfo": {
- "created": "2025-11-07T22:40:04Z"
- }
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "name": "rails-CVE-2019-5418-file-content-disclosure",
+ "packages": [],
+ "spdxVersion": "SPDX-2.3"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/symbols.json
index b908b06d3..f5b2bafde 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/symbols.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/symbols.json
@@ -1,31 +1,8 @@
 {
- "schema_version": "1.0",
- "components": [
- {
- "purl": "pkg:generic/rails@0.0.1",
- "files": [
- {
- "path": "/src/rails.c",
- "funcs": [
- {
- "sid": "sym://rails:rails.c#entry",
- "name": "entry",
- "range": {
- "start": 10,
- "end": 20
- }
- },
- {
- "sid": "sym://rails:rails.c#sink",
- "name": "sink",
- "range": {
- "start": 30,
- "end": 60
- }
- }
- ]
- }
- ]
- }
- ]
+ "case_id": "rails-CVE-2019-5418-file-content-disclosure",
+ "schema_version": "reachbench.symbols/v1",
+ "symbols": [
+ "sym://rails:rails.c#sink"
+ ],
+ "variant": "reachable"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/vex.openvex.json
index c9995f83e..1d2c6b944 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/vex.openvex.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/reachable/vex.openvex.json
@@ -1,12 +1,15 @@
 {
- "author": "reachbench-2025",
- "timestamp": "2025-11-07T22:40:04Z",
+ "author": "StellaOps",
+ "role": "reachbench",
 "statements": [
 {
- "vulnerability": "CVE-2019-5418",
+ "products": [
+ "pkg:rails-CVE-2019-5418-file-content-disclosure"
+ ],
 "status": "affected",
- "justification": "reasoning_provided",
- "impact_statement": "Function-level path is reachable."
+ "statusJustification": "component_present",
+ "vulnerability": "cve:CVE-2019-5418"
 }
- ]
+ ],
+ "timestamp": "2025-11-18T00:00:00Z"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/attestation.dsse.json
index d4738f475..58efec7e1 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/attestation.dsse.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/attestation.dsse.json
@@ -1,30 +1,5 @@
 {
- "dsse_version": "1.0",
- "subject": [
- {
- "name": "ghcr.io/reachbench/rails-CVE-2019-5418-file-content-disclosure:unreachable",
- "digest": {
- "sha256": "STUB_DIGEST"
- }
- }
- ],
- "statement": {
- "type": "reachbench.attestation",
- "materials": [
- "sbom.cdx.json",
- "sbom.spdx.json",
- "symbols.json",
- "callgraph.static.json",
- "callgraph.framework.json",
- "reachgraph.truth.json",
- "vex.openvex.json"
- ]
- },
- "signatures": [
- {
- "keyid": "STUB",
- "sig": "STUB_SIGNATURE",
- "alg": "dilithium2"
- }
- ]
+ "payload": "",
+ "payloadType": "application/vnd.in-toto+json",
+ "signatures": []
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/callgraph.framework.json
index 299d7dd3b..e05bd98c6 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/callgraph.framework.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/callgraph.framework.json
@@ -1,4 +1,5 @@
 {
- "schema_version": "1.0",
- "edges": []
+ "edges": [],
+ "nodes": [],
+ "schema_version": "reachbench.callgraph.framework/v1"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/callgraph.static.json
index 37c19b1a4..6b25cb074 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/callgraph.static.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/callgraph.static.json
@@ -1,18 +1,5 @@
 {
- "schema_version": "1.0",
- "nodes": [
- {
- "sid": "sym://rails:rails.c#entry"
- },
- {
- "sid": "sym://rails:rails.c#sink"
- }
- ],
- "edges": [
- {
- "from": "sym://rails:rails.c#entry",
- "to": "sym://rails:rails.c#sink",
- "kind": "direct"
- }
- ]
+ "edges": [],
+ "nodes": [],
+ "schema_version": "reachbench.callgraph.static/v1"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/manifest.json
index de8baafdb..5d8f879f8 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/manifest.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/manifest.json
@@ -1,8 +1,15 @@
 {
- "image": "ghcr.io/reachbench/rails-CVE-2019-5418-file-content-disclosure:unreachable",
- "config_flags": {
- "FEATURE_FLAG": false,
- "POLICY_MODE": "enforcing"
+ "case_id": "rails-CVE-2019-5418-file-content-disclosure",
+ "files": {
+ "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
+ "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
+ "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
+ "reachgraph.truth.json": "12a1d28dc31ce8a3e381fbfb195d942c879ac31003c2412d40d8b6e8a3808318",
+ "sbom.cdx.json": "c50edcd3ebed1a651e29f3ab41cdb37e2a6a1f7bdb567191bcf83fc1e76eba24",
+ "sbom.spdx.json": "7bcda4289b9cd770cad6408cbb1e9bbd6b8ef7ba15b79b795b5a183f22722925",
+ "symbols.json": "ae28dfed9d506cd92a0608f8a742716764b7f3f15d7b35b5f6990010a1d0b8fd",
+ "vex.openvex.json": "f3fe8061e72d74532921a4ac21107bfa5121cca2ce011c38580438738c071174"
 },
- "sha256": "STUB_DIGEST"
+ "schema_version": "reachbench.manifest/v1",
+ "variant": "unreachable"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/reachgraph.truth.json
index b4d7d8086..05ef86f01 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/reachgraph.truth.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/reachgraph.truth.json
@@ -1,16 +1,6 @@
 {
- "schema_version": "1.0",
- "sinks": [
- {
- "sid": "sym://rails:rails.c#sink",
- "kind": "generic"
- }
- ],
- "paths": [
- [
- "sym://net:handler#read",
- "sym://rails:rails.c#entry",
- "sym://rails:rails.c#sink"
- ]
- ]
+ "case_id": "rails-CVE-2019-5418-file-content-disclosure",
+ "paths": [],
+ "schema_version": "reachbench.reachgraph.truth/v1",
+ "variant": "unreachable"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/sbom.cdx.json
index 42913d53b..b53f075ea 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/sbom.cdx.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/sbom.cdx.json
@@ -1,5 +1,11 @@
 {
 "bomFormat": "CycloneDX",
- "specVersion": "1.6",
- "components": []
+ "components": [],
+ "metadata": {
+ "component": {
+ "name": "rails-CVE-2019-5418-file-content-disclosure",
+ "version": "0.0.0"
+ }
+ },
+ "specVersion": "1.5"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/sbom.spdx.json
index 38e10e06b..6c17566e0 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/sbom.spdx.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/sbom.spdx.json
@@ -1,6 +1,6 @@
 {
- "spdxVersion": "SPDX-3.0",
- "creationInfo": {
- "created": "2025-11-07T22:40:04Z"
- }
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "name": "rails-CVE-2019-5418-file-content-disclosure",
+ "packages": [],
+ "spdxVersion": "SPDX-2.3"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/symbols.json
index b908b06d3..2a17e44b0 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/symbols.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/symbols.json
@@ -1,31 +1,6 @@
 {
- "schema_version": "1.0",
- "components": [
- {
- "purl": "pkg:generic/rails@0.0.1",
- "files": [
- {
- "path": "/src/rails.c",
- "funcs": [
- {
- "sid": "sym://rails:rails.c#entry",
- "name": "entry",
- "range": {
- "start": 10,
- "end": 20
- }
- },
- {
- "sid": "sym://rails:rails.c#sink",
- "name": "sink",
- "range": {
- "start": 30,
- "end": 60
- }
- }
- ]
- }
- ]
- }
- ]
+ "case_id": "rails-CVE-2019-5418-file-content-disclosure",
+ "schema_version": "reachbench.symbols/v1",
+ "symbols": [],
+ "variant": "unreachable"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/vex.openvex.json
index ddc1b2f3b..511f8a1f0 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/vex.openvex.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rails-CVE-2019-5418-file-content-disclosure/images/unreachable/vex.openvex.json
@@ -1,12 +1,15 @@
 {
- "author": "reachbench-2025",
- "timestamp": "2025-11-07T22:40:04Z",
+ "author": "StellaOps",
+ "role": "reachbench",
 "statements": [
 {
- "vulnerability": "CVE-2019-5418",
+ "products": [
+ "pkg:rails-CVE-2019-5418-file-content-disclosure"
+ ],
 "status": "not_affected",
- "justification": "vulnerable_code_not_in_execute_path",
- "impact_statement": "Pruned by configuration; path unreachable."
+ "statusJustification": "component_not_present",
+ "vulnerability": "cve:CVE-2019-5418"
 }
- ]
+ ],
+ "timestamp": "2025-11-18T00:00:00Z"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/attestation.dsse.json
index 43a512c8b..58efec7e1 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/attestation.dsse.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/attestation.dsse.json
@@ -1,30 +1,5 @@
 {
- "dsse_version": "1.0",
- "subject": [
- {
- "name": "ghcr.io/reachbench/redis-CVE-2022-0543-lua-sandbox-escape:reachable",
- "digest": {
- "sha256": "STUB_DIGEST"
- }
- }
- ],
- "statement": {
- "type": "reachbench.attestation",
- "materials": [
- "sbom.cdx.json",
- "sbom.spdx.json",
- "symbols.json",
- "callgraph.static.json",
- "callgraph.framework.json",
- "reachgraph.truth.json",
- "vex.openvex.json"
- ]
- },
- "signatures": [
- {
- "keyid": "STUB",
- "sig": "STUB_SIGNATURE",
- "alg": "dilithium2"
- }
- ]
+ "payload": "",
+ "payloadType": "application/vnd.in-toto+json",
+ "signatures": []
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/callgraph.framework.json
index 299d7dd3b..e05bd98c6 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/callgraph.framework.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/callgraph.framework.json
@@ -1,4 +1,5 @@
 {
- "schema_version": "1.0",
- "edges": []
+ "edges": [],
+ "nodes": [],
+ "schema_version": "reachbench.callgraph.framework/v1"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/callgraph.static.json
index 2b5732497..6b25cb074 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/callgraph.static.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/callgraph.static.json
@@ -1,18 +1,5 @@
 {
- "schema_version": "1.0",
- "nodes": [
- {
- "sid": "sym://redis:redis.c#entry"
- },
- {
- "sid": "sym://redis:redis.c#sink"
- }
- ],
- "edges": [
- {
- "from": "sym://redis:redis.c#entry",
- "to": "sym://redis:redis.c#sink",
- "kind": "direct"
- }
- ]
+ "edges": [],
+ "nodes": [],
+ "schema_version": "reachbench.callgraph.static/v1"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/manifest.json
index bfca928cd..70136c0d7 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/manifest.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/manifest.json
@@ -1,8 +1,15 @@
 {
- "image": "ghcr.io/reachbench/redis-CVE-2022-0543-lua-sandbox-escape:reachable",
- "config_flags": {
- "FEATURE_FLAG": true,
- "POLICY_MODE": "permissive"
+ "case_id": "redis-CVE-2022-0543-lua-sandbox-escape",
+ "files": {
+ "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
+ "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
+ "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
+ "reachgraph.truth.json": "fbdd8b9e479d40cea9068a83c98619af1aa18dc3abcafc2ea2bdb463c25710a9",
+ "sbom.cdx.json": "66bcb9f575207e62f46230e9056c229d07821d700a7b90ebb6f84baaa28bc7ea",
+ "sbom.spdx.json": "02a37695184dfe333892c420b4890ea69497e2808aeeda42c6c5e211919a5db2",
+ "symbols.json": "9a5d1611a6e4d6d38feaa591be880bbb157680828b6e7c756442bc6995d960e7",
+ "vex.openvex.json": "1d86a9a2973f1ab8e5f57c57857c49da3d0d02aa54a8b2d5425021d2f9627690"
 },
- "sha256": "STUB_DIGEST"
+ "schema_version": "reachbench.manifest/v1",
+ "variant": "reachable"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/reachgraph.truth.json
index 8c67704fa..80948a6bd 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/reachgraph.truth.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/reachgraph.truth.json
@@ -1,16 +1,12 @@
 {
- "schema_version": "1.0",
- "sinks": [
- {
- "sid": "sym://redis:redis.c#sink",
- "kind": "generic"
- }
- ],
+ "case_id": "redis-CVE-2022-0543-lua-sandbox-escape",
 "paths": [
 [
 "sym://net:handler#read",
 "sym://redis:redis.c#entry",
 "sym://redis:redis.c#sink"
 ]
- ]
+ ],
+ "schema_version": "reachbench.reachgraph.truth/v1",
+ "variant": "reachable"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/sbom.cdx.json
index 42913d53b..2b16ddb61 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/sbom.cdx.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/sbom.cdx.json
@@ -1,5 +1,11 @@
 {
 "bomFormat": "CycloneDX",
- "specVersion": "1.6",
- "components": []
+ "components": [],
+ "metadata": {
+ "component": {
+ "name": "redis-CVE-2022-0543-lua-sandbox-escape",
+ "version": "0.0.0"
+ }
+ },
+ "specVersion": "1.5"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/sbom.spdx.json
index 38e10e06b..a72e5b4bd 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/sbom.spdx.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/sbom.spdx.json
@@ -1,6 +1,6 @@
 {
- "spdxVersion": "SPDX-3.0",
- "creationInfo": {
- "created": "2025-11-07T22:40:04Z"
- }
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "name": "redis-CVE-2022-0543-lua-sandbox-escape",
+ "packages": [],
+ "spdxVersion": "SPDX-2.3"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/symbols.json
index 8bf798514..781db3c11 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/symbols.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/symbols.json
@@ -1,31 +1,8 @@
 {
- "schema_version": "1.0",
- "components": [
- {
- "purl": "pkg:generic/redis@0.0.1",
- "files": [
- {
- "path": "/src/redis.c",
- "funcs": [
- {
- "sid": "sym://redis:redis.c#entry",
- "name": "entry",
- "range": {
- "start": 10,
- "end": 20
- }
- },
- {
- "sid": "sym://redis:redis.c#sink",
- "name": "sink",
- "range": {
- "start": 30,
- "end": 60
- }
- }
- ]
- }
- ]
- }
- ]
+ "case_id": "redis-CVE-2022-0543-lua-sandbox-escape",
+ "schema_version": "reachbench.symbols/v1",
+ "symbols": [
+ "sym://redis:redis.c#sink"
+ ],
+ "variant": "reachable"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/vex.openvex.json
index 53b717714..7634c0a3b 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/vex.openvex.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/reachable/vex.openvex.json
@@ -1,12 +1,15 @@
 {
- "author": "reachbench-2025",
- "timestamp": "2025-11-07T22:40:04Z",
+ "author": "StellaOps",
+ "role": "reachbench",
 "statements": [
 {
- "vulnerability": "CVE-2022-0543",
+ "products": [
+ "pkg:redis-CVE-2022-0543-lua-sandbox-escape"
+ ],
 "status": "affected",
- "justification": "reasoning_provided",
- "impact_statement": "Function-level path is reachable."
+ "statusJustification": "component_present",
+ "vulnerability": "cve:CVE-2022-0543"
 }
- ]
+ ],
+ "timestamp": "2025-11-18T00:00:00Z"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/attestation.dsse.json
index 3f219e041..58efec7e1 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/attestation.dsse.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/attestation.dsse.json
@@ -1,30 +1,5 @@
 {
- "dsse_version": "1.0",
- "subject": [
- {
- "name": "ghcr.io/reachbench/redis-CVE-2022-0543-lua-sandbox-escape:unreachable",
- "digest": {
- "sha256": "STUB_DIGEST"
- }
- }
- ],
- "statement": {
- "type": "reachbench.attestation",
- "materials": [
- "sbom.cdx.json",
- "sbom.spdx.json",
- "symbols.json",
- "callgraph.static.json",
- "callgraph.framework.json",
- "reachgraph.truth.json",
- "vex.openvex.json"
- ]
- },
- "signatures": [
- {
- "keyid": "STUB",
- "sig": "STUB_SIGNATURE",
- "alg": "dilithium2"
- }
- ]
+ "payload": "",
+ "payloadType": "application/vnd.in-toto+json",
+ "signatures": []
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/callgraph.framework.json
index 299d7dd3b..e05bd98c6 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/callgraph.framework.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/callgraph.framework.json
@@ -1,4 +1,5 @@
 {
- "schema_version": "1.0",
- "edges": []
+ "edges": [],
+ "nodes": [],
+ "schema_version": "reachbench.callgraph.framework/v1"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/callgraph.static.json
index 2b5732497..6b25cb074 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/callgraph.static.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/callgraph.static.json
@@ -1,18 +1,5 @@
 {
- "schema_version": "1.0",
- "nodes": [
- {
- "sid": "sym://redis:redis.c#entry"
- },
- {
- "sid": "sym://redis:redis.c#sink"
- }
- ],
- "edges": [
- {
- "from": "sym://redis:redis.c#entry",
- "to": "sym://redis:redis.c#sink",
- "kind": "direct"
- }
- ]
+ "edges": [],
+ "nodes": [],
+ "schema_version": "reachbench.callgraph.static/v1"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/manifest.json
index 9eb44f00c..bf982d889 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/manifest.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/manifest.json
@@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/redis-CVE-2022-0543-lua-sandbox-escape:unreachable", - "config_flags": { - "FEATURE_FLAG": false, - "POLICY_MODE": "enforcing" + "case_id": "redis-CVE-2022-0543-lua-sandbox-escape", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "bab266ab92040c3977c2f17cbddb6e91e0e9ea748b720ba4b3e35372063c8c75", + "sbom.cdx.json": "66bcb9f575207e62f46230e9056c229d07821d700a7b90ebb6f84baaa28bc7ea", + "sbom.spdx.json": "02a37695184dfe333892c420b4890ea69497e2808aeeda42c6c5e211919a5db2", + "symbols.json": "e1f5a9f63042d050a3966e95a5902797e00ae1703a8ecb69dff149e1bf8371e8", + "vex.openvex.json": "d0beebfb1d7a3cb086633040ddda7f9d4bb536d0df4176e8c093599988bb75f7" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/reachgraph.truth.json index 8c67704fa..f5993d6d8 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/reachgraph.truth.json 
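Review bot: The `files` map pins each fixture by SHA-256, presumably over raw bytes, so a checkout that rewrites line endings would fail the hash check for reasons unrelated to content. Every fixture in this commit is multi-line JSON with no trailing newline, so this is easy to trigger. Consider marking the tree as byte-exact with a `.gitattributes` entry such as `tests/reachability/fixtures/** -text`, or hash a canonical form instead. The hunk also drops `config_flags`, the only place the variant's configuration was recorded; if that is intentional, a line in the README would help.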
@@ -1,16 +1,6 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://redis:redis.c#sink", - "kind": "generic" - } - ], - "paths": [ - [ - "sym://net:handler#read", - "sym://redis:redis.c#entry", - "sym://redis:redis.c#sink" - ] - ] + "case_id": "redis-CVE-2022-0543-lua-sandbox-escape", + "paths": [], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/sbom.cdx.json index 42913d53b..2b16ddb61 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "redis-CVE-2022-0543-lua-sandbox-escape", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/sbom.spdx.json index 38e10e06b..a72e5b4bd 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/sbom.spdx.json 
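Review bot: With `sinks` removed and `paths` set to `[]`, this unreachable-variant `reachgraph.truth.json` no longer says which symbol is supposed to be unreachable, and the variant's `symbols.json` and call graphs are empty as well. An analyzer that emits no findings at all would match this ground truth, so the case cannot tell a correct "unreachable" verdict from a tool that never evaluated the sink. Keeping the sink identifier, for example `"sinks": ["sym://redis:redis.c#sink"]`, would let the tests assert that the sink was considered and found unreachable. The runc unreachable `reachgraph.truth.json` hunk has the same shape.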
@@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "redis-CVE-2022-0543-lua-sandbox-escape", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/symbols.json index 8bf798514..69f9af756 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/symbols.json @@ -1,31 +1,6 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/redis@0.0.1", - "files": [ - { - "path": "/src/redis.c", - "funcs": [ - { - "sid": "sym://redis:redis.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://redis:redis.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "redis-CVE-2022-0543-lua-sandbox-escape", + "schema_version": "reachbench.symbols/v1", + "symbols": [], + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/vex.openvex.json index 33a312d55..559d2de8c 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/vex.openvex.json 
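Review bot: The new `sbom.spdx.json` declares `SPDX-2.3` but removes `creationInfo` and has no `dataLicense` or `documentNamespace`. SPDX 2.3 requires all three at document level, so a strict SPDX parser is likely to reject the fixture before any reachability logic runs. If the timestamp was dropped for determinism, a fixed value like the one in `vex.openvex.json` keeps the hashes stable, e.g. `"creationInfo": {"created": "2025-11-18T00:00:00Z", "creators": ["Tool: reachbench"]}` (creator string constructed for illustration) alongside `"dataLicense": "CC0-1.0"`. The other `sbom.spdx.json` hunks on this page follow the same template.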
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/redis-CVE-2022-0543-lua-sandbox-escape/images/unreachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2022-0543", + "products": [ + "pkg:redis-CVE-2022-0543-lua-sandbox-escape" + ], "status": "not_affected", - "justification": "vulnerable_code_not_in_execute_path", - "impact_statement": "Pruned by configuration; path unreachable." + "statusJustification": "component_not_present", + "vulnerability": "cve:CVE-2022-0543" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/attestation.dsse.json index d41c01ae1..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/runc-CVE-2024-21626-symlink-breakout:reachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
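Review bot: In the `vex.openvex.json` statement, `statusJustification: component_not_present` changes what the fixture asserts. The removed `vulnerable_code_not_in_execute_path` described an unreachable path, whereas the new label says the component is absent from the product. OpenVEX names this field `justification`, so a conforming consumer would probably ignore `statusJustification` and see a `not_affected` statement with no justification at all. The `products` entry `pkg:redis-CVE-2022-0543-lua-sandbox-escape` also lacks the purl type segment that the removed `pkg:generic/redis@0.0.1` in `symbols.json` had. For a reachability benchmark, `"justification": "vulnerable_code_not_in_execute_path"` looks like the intended claim; the runc unreachable VEX hunk repeats the pattern.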
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/callgraph.framework.json @@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/callgraph.static.json index e4f83283b..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://runc:runc.c#entry" - }, - { - "sid": "sym://runc:runc.c#sink" - } - ], - "edges": [ - { - "from": "sym://runc:runc.c#entry", - "to": "sym://runc:runc.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
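Review bot: The reachable variant's `callgraph.static.json` now has empty `nodes` and `edges`, while the same variant's `reachgraph.truth.json` still lists the path `sym://net:handler#read` → `sym://runc:runc.c#entry` → `sym://runc:runc.c#sink` and `symbols.json` keeps only `#sink`. The ground-truth path therefore names symbols that no graph or symbol file in the fixture defines, so nothing a tool reads from these inputs can lead to the expected answer. Either keep the `entry` → `sink` edge in the reachable call graph, or add a test asserting that every identifier in `paths` appears in `nodes` or `symbols`. The rust-axum reachable case shows the same mismatch.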
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/manifest.json index c7a716d5b..0ad6421b5 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/runc-CVE-2024-21626-symlink-breakout:reachable", - "config_flags": { - "FEATURE_FLAG": true, - "POLICY_MODE": "permissive" + "case_id": "runc-CVE-2024-21626-symlink-breakout", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "94d2522b2ab3632adadffdf2ca8c991260d2bbd1690fb4a00beb6207b1ba5c49", + "sbom.cdx.json": "f5d25c84c10d3588526ba08d1a03a8105f8da1279a44e0defee66285814437d4", + "sbom.spdx.json": "ee5aaaf68271588ee2b33d04e3815ca9a3f89a557a55c1f8d917c2af1b813c16", + "symbols.json": "1b8a40f0c8aabd9f84f06647490f450170c48c9cbba929a50caf441c92791df8", + "vex.openvex.json": "ca87293d1831169e427182e37e52713495b9e78a7e7b14f174012867f3cff6b9" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/reachgraph.truth.json index 50bd676e6..762e56b6e 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/reachgraph.truth.json @@ -1,16 +1,12 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://runc:runc.c#sink", - "kind": "generic" - } - ], + "case_id": "runc-CVE-2024-21626-symlink-breakout", "paths": [ [ "sym://net:handler#read", "sym://runc:runc.c#entry", "sym://runc:runc.c#sink" ] - ] + ], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/sbom.cdx.json index 42913d53b..6c47b14c5 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "runc-CVE-2024-21626-symlink-breakout", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/sbom.spdx.json index 38e10e06b..d51247fc1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/sbom.spdx.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "runc-CVE-2024-21626-symlink-breakout", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/symbols.json index a4c878da5..d75a47aab 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/symbols.json @@ -1,31 +1,8 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/runc@0.0.1", - "files": [ - { - "path": "/src/runc.c", - "funcs": [ - { - "sid": "sym://runc:runc.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://runc:runc.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "runc-CVE-2024-21626-symlink-breakout", + "schema_version": "reachbench.symbols/v1", + "symbols": [ + "sym://runc:runc.c#sink" + ], + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/vex.openvex.json index cb6b4a439..ec97f223c 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/vex.openvex.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/reachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2024-21626", + "products": [ + "pkg:runc-CVE-2024-21626-symlink-breakout" + ], "status": "affected", - "justification": "reasoning_provided", - "impact_statement": "Function-level path is reachable." + "statusJustification": "component_present", + "vulnerability": "cve:CVE-2024-21626" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/attestation.dsse.json index c8b6b4125..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/attestation.dsse.json 
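Review bot: The reachable variant pairs `"status": "affected"` with `statusJustification: component_present`, which is not one of the OpenVEX justification labels; OpenVEX defines justifications for `not_affected` statements only. The removed `impact_statement` was the only text tying the status to the function-level path, and the new statement records no reason at all. Consider dropping the justification key for `affected` and carrying the explanation in a field the format defines, e.g. `"status_notes": "Function-level path is reachable."`, with an `action_statement` if consumers validate against the spec.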
@@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/runc-CVE-2024-21626-symlink-breakout:unreachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/callgraph.framework.json @@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/callgraph.static.json index e4f83283b..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/callgraph.static.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://runc:runc.c#entry" - }, - { - "sid": "sym://runc:runc.c#sink" - } - ], - "edges": [ - { - "from": "sym://runc:runc.c#entry", - "to": "sym://runc:runc.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/manifest.json index 6765246d1..73e1607a8 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/manifest.json 
@@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/runc-CVE-2024-21626-symlink-breakout:unreachable", - "config_flags": { - "FEATURE_FLAG": false, - "POLICY_MODE": "enforcing" + "case_id": "runc-CVE-2024-21626-symlink-breakout", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "2f4803eb568d4f294f4241d068266b6241fd20f463e6945e1df3b84ccd89459e", + "sbom.cdx.json": "f5d25c84c10d3588526ba08d1a03a8105f8da1279a44e0defee66285814437d4", + "sbom.spdx.json": "ee5aaaf68271588ee2b33d04e3815ca9a3f89a557a55c1f8d917c2af1b813c16", + "symbols.json": "b48973486b29e184ae09ecfb9264a400fefae5c2df4d0d5f4bd868453fae1f99", + "vex.openvex.json": "06610030b92a3a5eb4e77c44c87066ce66dfc0018e4477de99f4bbf70424cf5a" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/reachgraph.truth.json index 50bd676e6..48e6024ee 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/reachgraph.truth.json 
@@ -1,16 +1,6 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://runc:runc.c#sink", - "kind": "generic" - } - ], - "paths": [ - [ - "sym://net:handler#read", - "sym://runc:runc.c#entry", - "sym://runc:runc.c#sink" - ] - ] + "case_id": "runc-CVE-2024-21626-symlink-breakout", + "paths": [], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/sbom.cdx.json index 42913d53b..6c47b14c5 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "runc-CVE-2024-21626-symlink-breakout", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/sbom.spdx.json index 38e10e06b..d51247fc1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/sbom.spdx.json 
@@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "runc-CVE-2024-21626-symlink-breakout", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/symbols.json index a4c878da5..46f5cefd4 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/symbols.json @@ -1,31 +1,6 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/runc@0.0.1", - "files": [ - { - "path": "/src/runc.c", - "funcs": [ - { - "sid": "sym://runc:runc.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://runc:runc.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "runc-CVE-2024-21626-symlink-breakout", + "schema_version": "reachbench.symbols/v1", + "symbols": [], + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/vex.openvex.json index 9c2943a5c..59fa32753 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/vex.openvex.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/runc-CVE-2024-21626-symlink-breakout/images/unreachable/vex.openvex.json 
@@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2024-21626", + "products": [ + "pkg:runc-CVE-2024-21626-symlink-breakout" + ], "status": "not_affected", - "justification": "vulnerable_code_not_in_execute_path", - "impact_statement": "Pruned by configuration; path unreachable." + "statusJustification": "component_not_present", + "vulnerability": "cve:CVE-2024-21626" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/attestation.dsse.json index 06a4d7fef..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/rust-axum-header-parsing-TBD:reachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/callgraph.framework.json @@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/callgraph.static.json index 6ff0ebcba..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://rust:rust.c#entry" - }, - { - "sid": "sym://rust:rust.c#sink" - } - ], - "edges": [ - { - "from": "sym://rust:rust.c#entry", - "to": "sym://rust:rust.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/manifest.json index 42c557076..7f9b9d296 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/rust-axum-header-parsing-TBD:reachable", - "config_flags": { - "FEATURE_FLAG": true, - "POLICY_MODE": "permissive" + "case_id": "rust-axum-header-parsing-TBD", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "f34d41548950529728b47d39699260a5a3b496f5b729c7981ef2d70622136df9", + "sbom.cdx.json": "ff9bfeeef7e41d934a051d5c4e20965819d2c4be0ff9ad68ba250eccae3aa487", + "sbom.spdx.json": "1de691c4665d49162633b6571bd142fbfdcf79a0c8bdfb6bbf8f8d4783587d01", + "symbols.json": "fc3923137f963fe08398a0cfc11d51d063104758ea574705476bb5fb07b0d6e0", + "vex.openvex.json": "f0aa98d011f0012ff230c44f69aaed51847a4ad9930bac52aa4467405c2122f5" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/reachgraph.truth.json index a91a2942a..3902bb6dd 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/reachgraph.truth.json 
@@ -1,16 +1,12 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://rust:rust.c#sink", - "kind": "generic" - } - ], + "case_id": "rust-axum-header-parsing-TBD", "paths": [ [ "sym://net:handler#read", "sym://rust:rust.c#entry", "sym://rust:rust.c#sink" ] - ] + ], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/sbom.cdx.json index 42913d53b..3cf32e773 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "rust-axum-header-parsing-TBD", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/sbom.spdx.json index 38e10e06b..95fa421a6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "rust-axum-header-parsing-TBD", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file 
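Review bot: `metadata.component` in `sbom.cdx.json` is added with only `name` and `version`. The CycloneDX component object also requires `type`, so a schema-validating consumer is likely to reject this document; worth confirming against the 1.5 JSON schema. Adding `"type": "application"` keeps the file deterministic. `components` is still empty, so the product named in this variant's VEX statement has no SBOM entry to resolve against. The other `sbom.cdx.json` hunks have the same shape.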
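Review bot: `sbom.spdx.json` now declares `SPDX-2.3` but drops `creationInfo` and has no `dataLicense` or `documentNamespace`, all of which SPDX 2.3 treats as mandatory document fields. If `created` was removed to keep the manifest hash stable, a pinned timestamp does the same job, as the VEX files do with `2025-11-18T00:00:00Z`. Suggest adding `"dataLicense": "CC0-1.0"`, a fixed `documentNamespace`, and a `creationInfo` with a pinned `created` value. The other `sbom.spdx.json` hunks are identical in shape.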
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/symbols.json index 5526dfdd4..6d0a2da3f 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/symbols.json @@ -1,31 +1,8 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/rust@0.0.1", - "files": [ - { - "path": "/src/rust.c", - "funcs": [ - { - "sid": "sym://rust:rust.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://rust:rust.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "rust-axum-header-parsing-TBD", + "schema_version": "reachbench.symbols/v1", + "symbols": [ + "sym://rust:rust.c#sink" + ], + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/vex.openvex.json index a9c299cc5..81a2945fc 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/vex.openvex.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/reachable/vex.openvex.json 
@@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "TBD", + "products": [ + "pkg:rust-axum-header-parsing-TBD" + ], "status": "affected", - "justification": "reasoning_provided", - "impact_statement": "Function-level path is reachable." + "statusJustification": "component_present", + "vulnerability": "rust-axum-header-parsing-TBD" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/attestation.dsse.json index de845408e..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/rust-axum-header-parsing-TBD:unreachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
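Review bot: `statusJustification` is not a field OpenVEX defines (the statement field is `justification`), and `component_present` is not one of its justification values. Justifications qualify `not_affected`, whereas this statement is `affected`. A VEX consumer that ignores unknown keys will read this as an `affected` statement with no supporting detail, and the removed `impact_statement` text is not carried anywhere else. For the affected variants I would drop the key and add `"action_statement": "<remediation text>"`; for the unreachable variants rename it to `justification`. The same key appears in the other three `vex.openvex.json` hunks.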
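Review bot: `attestation.dsse.json` is left with an empty `payload` and an empty `signatures` array, so it is well-formed JSON but carries nothing a DSSE verifier could check. Its hash is nevertheless pinned in the manifest like a real artefact. A consumer that treats the presence of this file as evidence of attestation would accept it. The fixture tests should assert that it is handled as unsigned, or the payload should hold a base64 in-toto statement over the manifest digests, signed with a test key; at minimum the README should say the envelopes are unsigned placeholders. The wordpress `attestation.dsse.json` hunks are identical.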
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/callgraph.framework.json @@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/callgraph.static.json index 6ff0ebcba..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://rust:rust.c#entry" - }, - { - "sid": "sym://rust:rust.c#sink" - } - ], - "edges": [ - { - "from": "sym://rust:rust.c#entry", - "to": "sym://rust:rust.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/manifest.json index 39f4e8754..ac017f08d 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/rust-axum-header-parsing-TBD:unreachable", - "config_flags": { - "FEATURE_FLAG": false, - "POLICY_MODE": "enforcing" + "case_id": "rust-axum-header-parsing-TBD", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "918f742dbfd9e786640660f13f60b1f9da329caee367851990c7d5b678fa5c8e", + "sbom.cdx.json": "ff9bfeeef7e41d934a051d5c4e20965819d2c4be0ff9ad68ba250eccae3aa487", + "sbom.spdx.json": "1de691c4665d49162633b6571bd142fbfdcf79a0c8bdfb6bbf8f8d4783587d01", + "symbols.json": "4ff5b34b01575558256364c017f6e3ed4dcb9c6d077b732d2dff1936431f607b", + "vex.openvex.json": "48e178a71126b1c57aaedf47ed85da10a8b391ddcff61e118f7fc26b1786e490" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/reachgraph.truth.json index a91a2942a..5755d4259 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/reachgraph.truth.json @@ -1,16 +1,6 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://rust:rust.c#sink", - "kind": "generic" - } - ], - "paths": [ - [ - "sym://net:handler#read", - "sym://rust:rust.c#entry", - "sym://rust:rust.c#sink" - ] - ] + "case_id": "rust-axum-header-parsing-TBD", + "paths": [], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/sbom.cdx.json index 42913d53b..3cf32e773 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "rust-axum-header-parsing-TBD", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/sbom.spdx.json index 38e10e06b..95fa421a6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/sbom.spdx.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "rust-axum-header-parsing-TBD", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/symbols.json index 5526dfdd4..d7768d3cc 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/symbols.json @@ -1,31 +1,6 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/rust@0.0.1", - "files": [ - { - "path": "/src/rust.c", - "funcs": [ - { - "sid": "sym://rust:rust.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://rust:rust.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "rust-axum-header-parsing-TBD", + "schema_version": "reachbench.symbols/v1", + "symbols": [], + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/vex.openvex.json index eb7c35e0b..c22a0a52d 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/vex.openvex.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/rust-axum-header-parsing-TBD/images/unreachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "TBD", + "products": [ + "pkg:rust-axum-header-parsing-TBD" + ], "status": "not_affected", - "justification": "vulnerable_code_not_in_execute_path", - "impact_statement": "Pruned by configuration; path unreachable." + "statusJustification": "component_not_present", + "vulnerability": "rust-axum-header-parsing-TBD" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/attestation.dsse.json index 2a480dcd2..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/attestation.dsse.json @@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/wordpress-core-CVE-2022-21661-sqli:reachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file 
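Review bot: The `not_affected` justification in the unreachable `vex.openvex.json` changes from `vulnerable_code_not_in_execute_path` to `component_not_present`, which is a different claim. The first says the code exists but cannot be reached; the second says the component is not in the product at all. For a reachability benchmark the unreachable variant is presumably meant to exercise the former, and a scanner that honours `component_not_present` may suppress the finding without consulting the call graph. Suggest `"justification": "vulnerable_code_not_in_execute_path"` here and in the wordpress unreachable VEX hunk.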
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/callgraph.framework.json @@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/callgraph.static.json index fd271fd64..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/callgraph.static.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://wordpress:wordpress.c#entry" - }, - { - "sid": "sym://wordpress:wordpress.c#sink" - } - ], - "edges": [ - { - "from": "sym://wordpress:wordpress.c#entry", - "to": "sym://wordpress:wordpress.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file 
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/manifest.json index 825fd9cf2..1fc7d7193 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/manifest.json @@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/wordpress-core-CVE-2022-21661-sqli:reachable", - "config_flags": { - "FEATURE_FLAG": true, - "POLICY_MODE": "permissive" + "case_id": "wordpress-core-CVE-2022-21661-sqli", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "2491f25c8faaa3fcd6be0af96ee0bdb047ee457c674a3b0533a07bdf4f7bc9e6", + "sbom.cdx.json": "4d680dc644aedae0656a9aaf619804cc5db818071b15a4d4bffba85e4a72ec16", + "sbom.spdx.json": "654a9c21de6aece294f38e1b6590e82ddd4bbe92ca8dc17b9cdf404f7f423a05", + "symbols.json": "5e50e1037f4c8d80ad3d4e589a62eb4748e37410e4dd1336b9556bcebdb7f2fa", + "vex.openvex.json": "789eba2e95cc32972356f777b9b314cdd84d7ab8f62f9c65599ad46d53c1171c" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/reachgraph.truth.json index 0a162f4f8..c0ad3046b 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/reachgraph.truth.json @@ -1,16 +1,12 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://wordpress:wordpress.c#sink", - "kind": "generic" - } - ], + "case_id": "wordpress-core-CVE-2022-21661-sqli", "paths": [ [ "sym://net:handler#read", "sym://wordpress:wordpress.c#entry", "sym://wordpress:wordpress.c#sink" ] - ] + ], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/sbom.cdx.json index 42913d53b..9306615a5 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "wordpress-core-CVE-2022-21661-sqli", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/sbom.spdx.json index 38e10e06b..71b23fedf 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/sbom.spdx.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/sbom.spdx.json @@ -1,6 +1,6 @@ { - "spdxVersion": "SPDX-3.0", - "creationInfo": { - "created": "2025-11-07T22:40:04Z" - } + "SPDXID": "SPDXRef-DOCUMENT", + "name": "wordpress-core-CVE-2022-21661-sqli", + "packages": [], + "spdxVersion": "SPDX-2.3" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/symbols.json index 2d9c7dfb6..7d9e496c9 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/symbols.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/symbols.json @@ -1,31 +1,8 @@ { - "schema_version": "1.0", - "components": [ - { - "purl": "pkg:generic/wordpress@0.0.1", - "files": [ - { - "path": "/src/wordpress.c", - "funcs": [ - { - "sid": "sym://wordpress:wordpress.c#entry", - "name": "entry", - "range": { - "start": 10, - "end": 20 - } - }, - { - "sid": "sym://wordpress:wordpress.c#sink", - "name": "sink", - "range": { - "start": 30, - "end": 60 - } - } - ] - } - ] - } - ] + "case_id": "wordpress-core-CVE-2022-21661-sqli", + "schema_version": "reachbench.symbols/v1", + "symbols": [ + "sym://wordpress:wordpress.c#sink" + ], + "variant": "reachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/vex.openvex.json index cd3ab5743..92191117e 100644 
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/vex.openvex.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/reachable/vex.openvex.json @@ -1,12 +1,15 @@ { - "author": "reachbench-2025", - "timestamp": "2025-11-07T22:40:04Z", + "author": "StellaOps", + "role": "reachbench", "statements": [ { - "vulnerability": "CVE-2022-21661", + "products": [ + "pkg:wordpress-core-CVE-2022-21661-sqli" + ], "status": "affected", - "justification": "reasoning_provided", - "impact_statement": "Function-level path is reachable." + "statusJustification": "component_present", + "vulnerability": "cve:CVE-2022-21661" } - ] + ], + "timestamp": "2025-11-18T00:00:00Z" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/attestation.dsse.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/attestation.dsse.json index f830e9773..58efec7e1 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/attestation.dsse.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/attestation.dsse.json 
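Review bot: `pkg:wordpress-core-CVE-2022-21661-sqli` in `products` is not a package URL, since a purl needs a type segment (`pkg:<type>/<name>@<version>`), so product matching against an SBOM will not work on this identifier. The removed `symbols.json` content used `pkg:generic/wordpress@0.0.1`; something like `pkg:generic/wordpress-core-CVE-2022-21661-sqli@0.0.0`, matching the version in `sbom.cdx.json`, would parse. The vulnerability identifiers are also inconsistent across cases: `cve:CVE-2022-21661` here against the bare case id `rust-axum-header-parsing-TBD` in the rust case. The rust VEX hunks use the same `pkg:` form.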
@@ -1,30 +1,5 @@ { - "dsse_version": "1.0", - "subject": [ - { - "name": "ghcr.io/reachbench/wordpress-core-CVE-2022-21661-sqli:unreachable", - "digest": { - "sha256": "STUB_DIGEST" - } - } - ], - "statement": { - "type": "reachbench.attestation", - "materials": [ - "sbom.cdx.json", - "sbom.spdx.json", - "symbols.json", - "callgraph.static.json", - "callgraph.framework.json", - "reachgraph.truth.json", - "vex.openvex.json" - ] - }, - "signatures": [ - { - "keyid": "STUB", - "sig": "STUB_SIGNATURE", - "alg": "dilithium2" - } - ] + "payload": "", + "payloadType": "application/vnd.in-toto+json", + "signatures": [] } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/callgraph.framework.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/callgraph.framework.json index 299d7dd3b..e05bd98c6 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/callgraph.framework.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/callgraph.framework.json @@ -1,4 +1,5 @@ { - "schema_version": "1.0", - "edges": [] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.framework/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/callgraph.static.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/callgraph.static.json index fd271fd64..6b25cb074 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/callgraph.static.json 
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/callgraph.static.json @@ -1,18 +1,5 @@ { - "schema_version": "1.0", - "nodes": [ - { - "sid": "sym://wordpress:wordpress.c#entry" - }, - { - "sid": "sym://wordpress:wordpress.c#sink" - } - ], - "edges": [ - { - "from": "sym://wordpress:wordpress.c#entry", - "to": "sym://wordpress:wordpress.c#sink", - "kind": "direct" - } - ] + "edges": [], + "nodes": [], + "schema_version": "reachbench.callgraph.static/v1" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/manifest.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/manifest.json index d5d89b9a5..a3b451476 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/manifest.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/manifest.json 
@@ -1,8 +1,15 @@ { - "image": "ghcr.io/reachbench/wordpress-core-CVE-2022-21661-sqli:unreachable", - "config_flags": { - "FEATURE_FLAG": false, - "POLICY_MODE": "enforcing" + "case_id": "wordpress-core-CVE-2022-21661-sqli", + "files": { + "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f", + "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce", + "callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e", + "reachgraph.truth.json": "0855e5a1023d4a03c71ca526cd383cb09adb3ab67aa91039c8b96bb370aff3e5", + "sbom.cdx.json": "4d680dc644aedae0656a9aaf619804cc5db818071b15a4d4bffba85e4a72ec16", + "sbom.spdx.json": "654a9c21de6aece294f38e1b6590e82ddd4bbe92ca8dc17b9cdf404f7f423a05", + "symbols.json": "52cd52c683750cccde96c6d0034c129ede7e030bdf5df7b21d1b9bf64eb3b280", + "vex.openvex.json": "72c17746b337df751658ad7104d5f4e5962d97f9227ecbab810e7d2d8dbcad96" }, - "sha256": "STUB_DIGEST" + "schema_version": "reachbench.manifest/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/reachgraph.truth.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/reachgraph.truth.json index 0a162f4f8..7cab7b9c5 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/reachgraph.truth.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/reachgraph.truth.json 
@@ -1,16 +1,6 @@ { - "schema_version": "1.0", - "sinks": [ - { - "sid": "sym://wordpress:wordpress.c#sink", - "kind": "generic" - } - ], - "paths": [ - [ - "sym://net:handler#read", - "sym://wordpress:wordpress.c#entry", - "sym://wordpress:wordpress.c#sink" - ] - ] + "case_id": "wordpress-core-CVE-2022-21661-sqli", + "paths": [], + "schema_version": "reachbench.reachgraph.truth/v1", + "variant": "unreachable" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/sbom.cdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/sbom.cdx.json index 42913d53b..9306615a5 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/sbom.cdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/sbom.cdx.json @@ -1,5 +1,11 @@ { "bomFormat": "CycloneDX", - "specVersion": "1.6", - "components": [] + "components": [], + "metadata": { + "component": { + "name": "wordpress-core-CVE-2022-21661-sqli", + "version": "0.0.0" + } + }, + "specVersion": "1.5" } \ No newline at end of file diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/sbom.spdx.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/sbom.spdx.json index 38e10e06b..71b23fedf 100644 --- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/sbom.spdx.json +++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/sbom.spdx.json 
@@ -1,6 +1,6 @@
 {
- "spdxVersion": "SPDX-3.0",
- "creationInfo": {
- "created": "2025-11-07T22:40:04Z"
- }
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "name": "wordpress-core-CVE-2022-21661-sqli",
+ "packages": [],
+ "spdxVersion": "SPDX-2.3"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/symbols.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/symbols.json
index 2d9c7dfb6..1f2f0015a 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/symbols.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/symbols.json
@@ -1,31 +1,6 @@
 {
- "schema_version": "1.0",
- "components": [
- {
- "purl": "pkg:generic/wordpress@0.0.1",
- "files": [
- {
- "path": "/src/wordpress.c",
- "funcs": [
- {
- "sid": "sym://wordpress:wordpress.c#entry",
- "name": "entry",
- "range": {
- "start": 10,
- "end": 20
- }
- },
- {
- "sid": "sym://wordpress:wordpress.c#sink",
- "name": "sink",
- "range": {
- "start": 30,
- "end": 60
- }
- }
- ]
- }
- ]
- }
- ]
+ "case_id": "wordpress-core-CVE-2022-21661-sqli",
+ "schema_version": "reachbench.symbols/v1",
+ "symbols": [],
+ "variant": "unreachable"
 }
\ No newline at end of file
diff --git a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/vex.openvex.json b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/vex.openvex.json
index 6c542c416..0cf0ef68c 100644
--- a/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/vex.openvex.json
+++ b/tests/reachability/fixtures/reachbench-2025-expanded/cases/wordpress-core-CVE-2022-21661-sqli/images/unreachable/vex.openvex.json
@@ -1,12 +1,15 @@
 {
- "author": "reachbench-2025",
- "timestamp": "2025-11-07T22:40:04Z",
+ "author": "StellaOps",
+ "role": "reachbench",
 "statements": [
 {
- "vulnerability": "CVE-2022-21661",
+ "products": [
+ "pkg:wordpress-core-CVE-2022-21661-sqli"
+ ],
 "status": "not_affected",
- "justification": "vulnerable_code_not_in_execute_path",
- "impact_statement": "Pruned by configuration; path unreachable."
+ "statusJustification": "component_not_present",
+ "vulnerability": "cve:CVE-2022-21661"
 }
- ]
+ ],
+ "timestamp": "2025-11-18T00:00:00Z"
 }
\ No newline at end of file
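Review bot: The statement now carries its justification in `statusJustification`, which is not an OpenVEX field; the spec's key is `justification`. Because the hunk also removes `impact_statement`, an OpenVEX consumer will see a `not_affected` statement with neither, and the spec requires one of them for that status. The value also changed from `vulnerable_code_not_in_execute_path` to `component_not_present`, which is a different claim. If the unreachable variant is meant to model code that is present but not reachable, `"justification": "vulnerable_code_not_in_execute_path",` states what the fixture is testing. Separately, the product id `pkg:wordpress-core-CVE-2022-21661-sqli` has no purl type segment, so it may not match identifiers a scanner emits.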