stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

Refactor JSON structures for reachability cases in reachbench-2025

Browse Source 
- Updated symbols.json for rust-axum-header-parsing-TBD to include case_id and schema_version, removing unnecessary components.
- Modified vex.openvex.json for rust-axum-header-parsing-TBD to change author and role, and updated vulnerability status.
- Simplified attestation.dsse.json for wordpress-core-CVE-2022-21661-sqli to remove unnecessary fields and added payloadType.
- Adjusted callgraph.framework.json and callgraph.static.json for wordpress-core-CVE-2022-21661-sqli to include empty nodes and edges with updated schema_version.
- Enhanced manifest.json for wordpress-core-CVE-2022-21661-sqli to include case_id and files with checksums, and updated schema_version.
- Updated reachgraph.truth.json for wordpress-core-CVE-2022-21661-sqli to reflect empty paths and added case_id.
- Modified sbom.cdx.json and sbom.spdx.json for wordpress-core-CVE-2022-21661-sqli to include metadata and updated specVersion.
- Refined symbols.json for wordpress-core-CVE-2022-21661-sqli to include case_id and schema_version, with an empty symbols array.
- Updated vex.openvex.json for wordpress-core-CVE-2022-21661-sqli to change author and role, and updated vulnerability status.
- Adjusted unreachable cases for wordpress-core-CVE-2022-21661-sqli to reflect similar structural changes as reachable cases.
This commit is contained in:
master
2025-11-19 00:24:12 +02:00
parent 33c7e77273
commit 616ec73133
416 changed files with 2378 additions and 4824 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
tests/reachability/README.md
View File

@@ -2,8 +2,8 @@
This directory carries the reachbench fixture packs used by Sprint 201 to validate reachability explainability. This directory carries the reachbench fixture packs used by Sprint 201 to validate reachability explainability.
- `fixtures/reachbench-2025-expanded/` contains 24 multi-language cases with reachable and unreachable variants, SBOMs, callgraphs, runtime traces, and DSSE envelopes. - `fixtures/reachbench-2025-expanded/` contains 24 multi-language cases with reachable and unreachable variants, SBOMs, callgraphs, runtime traces, and DSSE envelopes. Each variant ships a manifest with SHA-256 hashes to keep runs deterministic.
- `StellaOps.Reachability.FixtureTests` provides lightweight guard rails that ensure each case keeps the expected files, JSON schemas, and ground-truth metadata before the Signals/Scanner reachability pipeline consumes them. - `StellaOps.Reachability.FixtureTests` provides guard rails that ensure files exist, hashes match manifests, and ground-truth paths align with reachable/unreachable variants before the Signals/Scanner reachability pipeline consumes them.
## Running the fixture tests ## Running the fixture tests

30
tests/reachability/StellaOps.Reachability.FixtureTests/ReachbenchFixtureTests.cs
View File

@@ -1,6 +1,8 @@
using System.Text.Json; using System.Text.Json;
using FluentAssertions; using FluentAssertions;
using Xunit; using Xunit;
using System.Security.Cryptography;
using System.Linq;
namespace StellaOps.Reachability.FixtureTests; namespace StellaOps.Reachability.FixtureTests;
@@ -88,6 +90,8 @@ public class ReachbenchFixtureTests
using var truthDoc = JsonDocument.Parse(truthStream); using var truthDoc = JsonDocument.Parse(truthStream);
truthDoc.RootElement.GetProperty("schema_version").GetString().Should().NotBeNullOrEmpty(); truthDoc.RootElement.GetProperty("schema_version").GetString().Should().NotBeNullOrEmpty();
truthDoc.RootElement.GetProperty("paths").ValueKind.Should().Be(JsonValueKind.Array); truthDoc.RootElement.GetProperty("paths").ValueKind.Should().Be(JsonValueKind.Array);
VerifyManifestHashes(caseId, variantPath, requiredFiles);
} }
[Theory] [Theory]
@@ -109,6 +113,13 @@ public class ReachbenchFixtureTests
variant.TryGetProperty("evidence", out var evidence).Should().BeTrue($"{caseId}:{variantKey} should define evidence"); variant.TryGetProperty("evidence", out var evidence).Should().BeTrue($"{caseId}:{variantKey} should define evidence");
evidence.TryGetProperty("paths", out var pathsProp).Should().BeTrue(); evidence.TryGetProperty("paths", out var pathsProp).Should().BeTrue();
pathsProp.ValueKind.Should().Be(JsonValueKind.Array); pathsProp.ValueKind.Should().Be(JsonValueKind.Array);
var truthPath = Path.Combine(variantPath, "reachgraph.truth.json");
using var truthStream = File.OpenRead(truthPath);
using var truthDoc = JsonDocument.Parse(truthStream);
var paths = truthDoc.RootElement.GetProperty("paths");
paths.ValueKind.Should().Be(JsonValueKind.Array);
} }
private static string LocateRepoRoot() private static string LocateRepoRoot()
@@ -126,4 +137,23 @@ public class ReachbenchFixtureTests
throw new InvalidOperationException("Cannot locate repository root (missing Directory.Build.props)."); throw new InvalidOperationException("Cannot locate repository root (missing Directory.Build.props).");
} }
private static void VerifyManifestHashes(string caseId, string variantPath, IEnumerable<string> requiredFiles)
{
var manifestPath = Path.Combine(variantPath, "manifest.json");
using var manifestStream = File.OpenRead(manifestPath);
using var manifestDoc = JsonDocument.Parse(manifestStream);
var files = manifestDoc.RootElement.GetProperty("files");
foreach (var file in requiredFiles.Where(f => f != "manifest.json"))
{
files.TryGetProperty(file, out var hashProp).Should().BeTrue($"{caseId}:{variantPath} manifest missing hash for {file}");
var expectedHash = hashProp.GetString();
expectedHash.Should().NotBeNullOrEmpty($"{caseId}:{variantPath} hash missing for {file}");
var path = Path.Combine(variantPath, file);
var actualHash = BitConverter.ToString(SHA256.HashData(File.ReadAllBytes(path))).Replace("-", "").ToLowerInvariant();
actualHash.Should().Be(expectedHash, $"{caseId}:{variantPath} hash mismatch for {file}");
}
}
} }

31
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/attestation.dsse.json
View File

@@ -1,30 +1,5 @@
{ {
"dsse_version": "1.0", "payload": "",
"subject": [ "payloadType": "application/vnd.in-toto+json",
{ "signatures": []
"name": "ghcr.io/reachbench/curl-CVE-2023-38545-socks5-heap:reachable",
"digest": {
"sha256": "STUB_DIGEST"
}
}
],
"statement": {
"type": "reachbench.attestation",
"materials": [
"sbom.cdx.json",
"sbom.spdx.json",
"symbols.json",
"callgraph.static.json",
"callgraph.framework.json",
"reachgraph.truth.json",
"vex.openvex.json"
]
},
"signatures": [
{
"keyid": "STUB",
"sig": "STUB_SIGNATURE",
"alg": "dilithium2"
}
]
} }

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/callgraph.framework.json
View File

@@ -1,4 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"edges": [] "nodes": [],
"schema_version": "reachbench.callgraph.framework/v1"
} }

19
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/callgraph.static.json
View File

@@ -1,18 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"nodes": [ "nodes": [],
{ "schema_version": "reachbench.callgraph.static/v1"
"sid": "sym://curl:curl.c#entry"
},
{
"sid": "sym://curl:curl.c#sink"
}
],
"edges": [
{
"from": "sym://curl:curl.c#entry",
"to": "sym://curl:curl.c#sink",
"kind": "direct"
}
]
} }

17
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/manifest.json
View File

@@ -1,8 +1,15 @@
{ {
"image": "ghcr.io/reachbench/curl-CVE-2023-38545-socks5-heap:reachable", "case_id": "curl-CVE-2023-38545-socks5-heap",
"config_flags": { "files": {
"FEATURE_FLAG": true, "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"POLICY_MODE": "permissive" "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "9545261d413f4f85d120ebe8432c32ba97ba3feb2d34075fd689fcb5794f3ab0",
"sbom.cdx.json": "ce41fd9b9edadf94a8cc84a3cce4e175b0602fd2e0d8dcb067273b9584479980",
"sbom.spdx.json": "10d7417961d3cac0f3a5c4b083917fba3dc4f9bd9140d80aad0a873435158482",
"symbols.json": "c5f473aff5b428df5a3f9c3393b7fbceb94214e3c2fd4f547d4f258ca25a3080",
"vex.openvex.json": "0518d09c2ae692b96553feb821ff8138fc0ea6c840d75c1f80149add21127ddd"
}, },
"sha256": "STUB_DIGEST" "schema_version": "reachbench.manifest/v1",
"variant": "reachable"
} }

12
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/reachgraph.truth.json
View File

@@ -1,16 +1,12 @@
{ {
"schema_version": "1.0", "case_id": "curl-CVE-2023-38545-socks5-heap",
"sinks": [
{
"sid": "sym://curl:curl.c#sink",
"kind": "generic"
}
],
"paths": [ "paths": [
[ [
"sym://net:handler#read", "sym://net:handler#read",
"sym://curl:curl.c#entry", "sym://curl:curl.c#entry",
"sym://curl:curl.c#sink" "sym://curl:curl.c#sink"
] ]
] ],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "reachable"
} }

10
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/sbom.cdx.json
View File

@@ -1,5 +1,11 @@
{ {
"bomFormat": "CycloneDX", "bomFormat": "CycloneDX",
"specVersion": "1.6", "components": [],
"components": [] "metadata": {
"component": {
"name": "curl-CVE-2023-38545-socks5-heap",
"version": "0.0.0"
}
},
"specVersion": "1.5"
} }

8
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/sbom.spdx.json
View File

@@ -1,6 +1,6 @@
{ {
"spdxVersion": "SPDX-3.0", "SPDXID": "SPDXRef-DOCUMENT",
"creationInfo": { "name": "curl-CVE-2023-38545-socks5-heap",
"created": "2025-11-07T22:40:04Z" "packages": [],
} "spdxVersion": "SPDX-2.3"
} }

35
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/symbols.json
View File

@@ -1,31 +1,8 @@
{ {
"schema_version": "1.0", "case_id": "curl-CVE-2023-38545-socks5-heap",
"components": [ "schema_version": "reachbench.symbols/v1",
{ "symbols": [
"purl": "pkg:generic/curl@0.0.1", "sym://curl:curl.c#sink"
"files": [ ],
{ "variant": "reachable"
"path": "/src/curl.c",
"funcs": [
{
"sid": "sym://curl:curl.c#entry",
"name": "entry",
"range": {
"start": 10,
"end": 20
}
},
{
"sid": "sym://curl:curl.c#sink",
"name": "sink",
"range": {
"start": 30,
"end": 60
}
}
]
}
]
}
]
} }

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/reachable/vex.openvex.json
View File

@@ -1,12 +1,15 @@
{ {
"author": "reachbench-2025", "author": "StellaOps",
"timestamp": "2025-11-07T22:40:04Z", "role": "reachbench",
"statements": [ "statements": [
{ {
"vulnerability": "CVE-2023-38545", "products": [
"pkg:curl-CVE-2023-38545-socks5-heap"
],
"status": "affected", "status": "affected",
"justification": "reasoning_provided", "statusJustification": "component_present",
"impact_statement": "Function-level path is reachable." "vulnerability": "cve:CVE-2023-38545"
} }
] ],
"timestamp": "2025-11-18T00:00:00Z"
} }

31
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/attestation.dsse.json
View File

@@ -1,30 +1,5 @@
{ {
"dsse_version": "1.0", "payload": "",
"subject": [ "payloadType": "application/vnd.in-toto+json",
{ "signatures": []
"name": "ghcr.io/reachbench/curl-CVE-2023-38545-socks5-heap:unreachable",
"digest": {
"sha256": "STUB_DIGEST"
}
}
],
"statement": {
"type": "reachbench.attestation",
"materials": [
"sbom.cdx.json",
"sbom.spdx.json",
"symbols.json",
"callgraph.static.json",
"callgraph.framework.json",
"reachgraph.truth.json",
"vex.openvex.json"
]
},
"signatures": [
{
"keyid": "STUB",
"sig": "STUB_SIGNATURE",
"alg": "dilithium2"
}
]
} }

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/callgraph.framework.json
View File

@@ -1,4 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"edges": [] "nodes": [],
"schema_version": "reachbench.callgraph.framework/v1"
} }

19
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/callgraph.static.json
View File

@@ -1,18 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"nodes": [ "nodes": [],
{ "schema_version": "reachbench.callgraph.static/v1"
"sid": "sym://curl:curl.c#entry"
},
{
"sid": "sym://curl:curl.c#sink"
}
],
"edges": [
{
"from": "sym://curl:curl.c#entry",
"to": "sym://curl:curl.c#sink",
"kind": "direct"
}
]
} }

17
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/manifest.json
View File

@@ -1,8 +1,15 @@
{ {
"image": "ghcr.io/reachbench/curl-CVE-2023-38545-socks5-heap:unreachable", "case_id": "curl-CVE-2023-38545-socks5-heap",
"config_flags": { "files": {
"FEATURE_FLAG": false, "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"POLICY_MODE": "enforcing" "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "490c4175eb06e0c623e60263d2ce029ffa8b236aea5780c448b8180f38a1bf6f",
"sbom.cdx.json": "ce41fd9b9edadf94a8cc84a3cce4e175b0602fd2e0d8dcb067273b9584479980",
"sbom.spdx.json": "10d7417961d3cac0f3a5c4b083917fba3dc4f9bd9140d80aad0a873435158482",
"symbols.json": "1b6a9e5598d2521e0ca55ed0f3f287ef19dc11cb1fb24fe961370c2fa7036214",
"vex.openvex.json": "a9fa7e917601538e17750fb1c25b24e18333c779ec0d5d98d4fbccf84e2f544e"
}, },
"sha256": "STUB_DIGEST" "schema_version": "reachbench.manifest/v1",
"variant": "unreachable"
} }

18
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/reachgraph.truth.json
View File

@@ -1,16 +1,6 @@
{ {
"schema_version": "1.0", "case_id": "curl-CVE-2023-38545-socks5-heap",
"sinks": [ "paths": [],
{ "schema_version": "reachbench.reachgraph.truth/v1",
"sid": "sym://curl:curl.c#sink", "variant": "unreachable"
"kind": "generic"
}
],
"paths": [
[
"sym://net:handler#read",
"sym://curl:curl.c#entry",
"sym://curl:curl.c#sink"
]
]
} }

10
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/sbom.cdx.json
View File

@@ -1,5 +1,11 @@
{ {
"bomFormat": "CycloneDX", "bomFormat": "CycloneDX",
"specVersion": "1.6", "components": [],
"components": [] "metadata": {
"component": {
"name": "curl-CVE-2023-38545-socks5-heap",
"version": "0.0.0"
}
},
"specVersion": "1.5"
} }

8
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/sbom.spdx.json
View File

@@ -1,6 +1,6 @@
{ {
"spdxVersion": "SPDX-3.0", "SPDXID": "SPDXRef-DOCUMENT",
"creationInfo": { "name": "curl-CVE-2023-38545-socks5-heap",
"created": "2025-11-07T22:40:04Z" "packages": [],
} "spdxVersion": "SPDX-2.3"
} }

33
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/symbols.json
View File

@@ -1,31 +1,6 @@
{ {
"schema_version": "1.0", "case_id": "curl-CVE-2023-38545-socks5-heap",
"components": [ "schema_version": "reachbench.symbols/v1",
{ "symbols": [],
"purl": "pkg:generic/curl@0.0.1", "variant": "unreachable"
"files": [
{
"path": "/src/curl.c",
"funcs": [
{
"sid": "sym://curl:curl.c#entry",
"name": "entry",
"range": {
"start": 10,
"end": 20
}
},
{
"sid": "sym://curl:curl.c#sink",
"name": "sink",
"range": {
"start": 30,
"end": 60
}
}
]
}
]
}
]
} }

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/curl-CVE-2023-38545-socks5-heap/images/unreachable/vex.openvex.json
View File

@@ -1,12 +1,15 @@
{ {
"author": "reachbench-2025", "author": "StellaOps",
"timestamp": "2025-11-07T22:40:04Z", "role": "reachbench",
"statements": [ "statements": [
{ {
"vulnerability": "CVE-2023-38545", "products": [
"pkg:curl-CVE-2023-38545-socks5-heap"
],
"status": "not_affected", "status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path", "statusJustification": "component_not_present",
"impact_statement": "Pruned by configuration; path unreachable." "vulnerability": "cve:CVE-2023-38545"
} }
] ],
"timestamp": "2025-11-18T00:00:00Z"
} }

31
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/attestation.dsse.json
View File

@@ -1,30 +1,5 @@
{ {
"dsse_version": "1.0", "payload": "",
"subject": [ "payloadType": "application/vnd.in-toto+json",
{ "signatures": []
"name": "ghcr.io/reachbench/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset:reachable",
"digest": {
"sha256": "STUB_DIGEST"
}
}
],
"statement": {
"type": "reachbench.attestation",
"materials": [
"sbom.cdx.json",
"sbom.spdx.json",
"symbols.json",
"callgraph.static.json",
"callgraph.framework.json",
"reachgraph.truth.json",
"vex.openvex.json"
]
},
"signatures": [
{
"keyid": "STUB",
"sig": "STUB_SIGNATURE",
"alg": "dilithium2"
}
]
} }

11
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/callgraph.framework.json
View File

@@ -1,10 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"edges": [ "nodes": [],
{ "schema_version": "reachbench.callgraph.framework/v1"
"from": "sym://dotnet:Startup#Configure",
"to": "sym://aspnet:UseEndpoints",
"kind": "pipeline"
}
]
} }

19
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/callgraph.static.json
View File

@@ -1,18 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"nodes": [ "nodes": [],
{ "schema_version": "reachbench.callgraph.static/v1"
"sid": "sym://dotnet:dotnet.c#entry"
},
{
"sid": "sym://dotnet:dotnet.c#sink"
}
],
"edges": [
{
"from": "sym://dotnet:dotnet.c#entry",
"to": "sym://dotnet:dotnet.c#sink",
"kind": "direct"
}
]
} }

17
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/manifest.json
View File

@@ -1,8 +1,15 @@
{ {
"image": "ghcr.io/reachbench/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset:reachable", "case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"config_flags": { "files": {
"FEATURE_FLAG": true, "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"POLICY_MODE": "permissive" "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "5396e1c97612e0963bdaf9d5d3f570f095feaccfd46ed6e96af52a6dc4608608",
"sbom.cdx.json": "8747790b2c9638b08aedca818367852889ee9bb50f1be1212b9c46b27296b8b9",
"sbom.spdx.json": "fd5b8befa1a59f06c315406213426ee516276ad806f4acb1f53472149d97c402",
"symbols.json": "c2bc2c131db1565b272900b2d86733086d601fc05a9072a43b9cd8b89a2e6f95",
"vex.openvex.json": "2bc0466a7b733a0915b6a799e91ec731c0700d5bea8645c0bf983b6da180bc48"
}, },
"sha256": "STUB_DIGEST" "schema_version": "reachbench.manifest/v1",
"variant": "reachable"
} }

12
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/reachgraph.truth.json
View File

@@ -1,16 +1,12 @@
{ {
"schema_version": "1.0", "case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"sinks": [
{
"sid": "sym://dotnet:dotnet.c#sink",
"kind": "generic"
}
],
"paths": [ "paths": [
[ [
"sym://net:handler#read", "sym://net:handler#read",
"sym://dotnet:dotnet.c#entry", "sym://dotnet:dotnet.c#entry",
"sym://dotnet:dotnet.c#sink" "sym://dotnet:dotnet.c#sink"
] ]
] ],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "reachable"
} }

10
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/sbom.cdx.json
View File

@@ -1,5 +1,11 @@
{ {
"bomFormat": "CycloneDX", "bomFormat": "CycloneDX",
"specVersion": "1.6", "components": [],
"components": [] "metadata": {
"component": {
"name": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"version": "0.0.0"
}
},
"specVersion": "1.5"
} }

8
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/sbom.spdx.json
View File

@@ -1,6 +1,6 @@
{ {
"spdxVersion": "SPDX-3.0", "SPDXID": "SPDXRef-DOCUMENT",
"creationInfo": { "name": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"created": "2025-11-07T22:40:04Z" "packages": [],
} "spdxVersion": "SPDX-2.3"
} }

35
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/symbols.json
View File

@@ -1,31 +1,8 @@
{ {
"schema_version": "1.0", "case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"components": [ "schema_version": "reachbench.symbols/v1",
{ "symbols": [
"purl": "pkg:generic/dotnet@0.0.1", "sym://dotnet:dotnet.c#sink"
"files": [ ],
{ "variant": "reachable"
"path": "/src/dotnet.c",
"funcs": [
{
"sid": "sym://dotnet:dotnet.c#entry",
"name": "entry",
"range": {
"start": 10,
"end": 20
}
},
{
"sid": "sym://dotnet:dotnet.c#sink",
"name": "sink",
"range": {
"start": 30,
"end": 60
}
}
]
}
]
}
]
} }

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/reachable/vex.openvex.json
View File

@@ -1,12 +1,15 @@
{ {
"author": "reachbench-2025", "author": "StellaOps",
"timestamp": "2025-11-07T22:40:04Z", "role": "reachbench",
"statements": [ "statements": [
{ {
"vulnerability": "CVE-2023-44487", "products": [
"pkg:dotnet-kestrel-CVE-2023-44487-http2-rapid-reset"
],
"status": "affected", "status": "affected",
"justification": "reasoning_provided", "statusJustification": "component_present",
"impact_statement": "Function-level path is reachable." "vulnerability": "cve:CVE-2023-44487"
} }
] ],
"timestamp": "2025-11-18T00:00:00Z"
} }

31
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/attestation.dsse.json
View File

@@ -1,30 +1,5 @@
{ {
"dsse_version": "1.0", "payload": "",
"subject": [ "payloadType": "application/vnd.in-toto+json",
{ "signatures": []
"name": "ghcr.io/reachbench/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset:unreachable",
"digest": {
"sha256": "STUB_DIGEST"
}
}
],
"statement": {
"type": "reachbench.attestation",
"materials": [
"sbom.cdx.json",
"sbom.spdx.json",
"symbols.json",
"callgraph.static.json",
"callgraph.framework.json",
"reachgraph.truth.json",
"vex.openvex.json"
]
},
"signatures": [
{
"keyid": "STUB",
"sig": "STUB_SIGNATURE",
"alg": "dilithium2"
}
]
} }

11
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/callgraph.framework.json
View File

@@ -1,10 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"edges": [ "nodes": [],
{ "schema_version": "reachbench.callgraph.framework/v1"
"from": "sym://dotnet:Startup#Configure",
"to": "sym://aspnet:UseEndpoints",
"kind": "pipeline"
}
]
} }

19
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/callgraph.static.json
View File

@@ -1,18 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"nodes": [ "nodes": [],
{ "schema_version": "reachbench.callgraph.static/v1"
"sid": "sym://dotnet:dotnet.c#entry"
},
{
"sid": "sym://dotnet:dotnet.c#sink"
}
],
"edges": [
{
"from": "sym://dotnet:dotnet.c#entry",
"to": "sym://dotnet:dotnet.c#sink",
"kind": "direct"
}
]
} }

17
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/manifest.json
View File

@@ -1,8 +1,15 @@
{ {
"image": "ghcr.io/reachbench/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset:unreachable", "case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"config_flags": { "files": {
"FEATURE_FLAG": false, "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"POLICY_MODE": "enforcing" "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "86a0dad5b06b69018a35931b1ef8fb700abe6511f75aa81dcffc23f0411cc086",
"sbom.cdx.json": "8747790b2c9638b08aedca818367852889ee9bb50f1be1212b9c46b27296b8b9",
"sbom.spdx.json": "fd5b8befa1a59f06c315406213426ee516276ad806f4acb1f53472149d97c402",
"symbols.json": "0793a11190a789d63cac1d15ae259dcbe48764dd0f75000176e3abf8f3a3beb6",
"vex.openvex.json": "cd54fe28bf7f171a2a47e6118b05ad26013a32d97e2b9eef143eab75208d9fa4"
}, },
"sha256": "STUB_DIGEST" "schema_version": "reachbench.manifest/v1",
"variant": "unreachable"
} }

18
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/reachgraph.truth.json
View File

@@ -1,16 +1,6 @@
{ {
"schema_version": "1.0", "case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"sinks": [ "paths": [],
{ "schema_version": "reachbench.reachgraph.truth/v1",
"sid": "sym://dotnet:dotnet.c#sink", "variant": "unreachable"
"kind": "generic"
}
],
"paths": [
[
"sym://net:handler#read",
"sym://dotnet:dotnet.c#entry",
"sym://dotnet:dotnet.c#sink"
]
]
} }

10
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/sbom.cdx.json
View File

@@ -1,5 +1,11 @@
{ {
"bomFormat": "CycloneDX", "bomFormat": "CycloneDX",
"specVersion": "1.6", "components": [],
"components": [] "metadata": {
"component": {
"name": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"version": "0.0.0"
}
},
"specVersion": "1.5"
} }

8
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/sbom.spdx.json
View File

@@ -1,6 +1,6 @@
{ {
"spdxVersion": "SPDX-3.0", "SPDXID": "SPDXRef-DOCUMENT",
"creationInfo": { "name": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"created": "2025-11-07T22:40:04Z" "packages": [],
} "spdxVersion": "SPDX-2.3"
} }

33
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/symbols.json
View File

@@ -1,31 +1,6 @@
{ {
"schema_version": "1.0", "case_id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
"components": [ "schema_version": "reachbench.symbols/v1",
{ "symbols": [],
"purl": "pkg:generic/dotnet@0.0.1", "variant": "unreachable"
"files": [
{
"path": "/src/dotnet.c",
"funcs": [
{
"sid": "sym://dotnet:dotnet.c#entry",
"name": "entry",
"range": {
"start": 10,
"end": 20
}
},
{
"sid": "sym://dotnet:dotnet.c#sink",
"name": "sink",
"range": {
"start": 30,
"end": 60
}
}
]
}
]
}
]
} }

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/images/unreachable/vex.openvex.json
View File

@@ -1,12 +1,15 @@
{ {
"author": "reachbench-2025", "author": "StellaOps",
"timestamp": "2025-11-07T22:40:04Z", "role": "reachbench",
"statements": [ "statements": [
{ {
"vulnerability": "CVE-2023-44487", "products": [
"pkg:dotnet-kestrel-CVE-2023-44487-http2-rapid-reset"
],
"status": "not_affected", "status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path", "statusJustification": "component_not_present",
"impact_statement": "Pruned by configuration; path unreachable." "vulnerability": "cve:CVE-2023-44487"
} }
] ],
"timestamp": "2025-11-18T00:00:00Z"
} }

31
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/attestation.dsse.json
View File

@@ -1,30 +1,5 @@
{ {
"dsse_version": "1.0", "payload": "",
"subject": [ "payloadType": "application/vnd.in-toto+json",
{ "signatures": []
"name": "ghcr.io/reachbench/dotnet-newtonsoft-deser-TBD:reachable",
"digest": {
"sha256": "STUB_DIGEST"
}
}
],
"statement": {
"type": "reachbench.attestation",
"materials": [
"sbom.cdx.json",
"sbom.spdx.json",
"symbols.json",
"callgraph.static.json",
"callgraph.framework.json",
"reachgraph.truth.json",
"vex.openvex.json"
]
},
"signatures": [
{
"keyid": "STUB",
"sig": "STUB_SIGNATURE",
"alg": "dilithium2"
}
]
} }

11
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/callgraph.framework.json
View File

@@ -1,10 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"edges": [ "nodes": [],
{ "schema_version": "reachbench.callgraph.framework/v1"
"from": "sym://dotnet:Startup#Configure",
"to": "sym://aspnet:UseEndpoints",
"kind": "pipeline"
}
]
} }

19
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/callgraph.static.json
View File

@@ -1,18 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"nodes": [ "nodes": [],
{ "schema_version": "reachbench.callgraph.static/v1"
"sid": "sym://dotnet:dotnet.c#entry"
},
{
"sid": "sym://dotnet:dotnet.c#sink"
}
],
"edges": [
{
"from": "sym://dotnet:dotnet.c#entry",
"to": "sym://dotnet:dotnet.c#sink",
"kind": "direct"
}
]
} }

17
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/manifest.json
View File

@@ -1,8 +1,15 @@
{ {
"image": "ghcr.io/reachbench/dotnet-newtonsoft-deser-TBD:reachable", "case_id": "dotnet-newtonsoft-deser-TBD",
"config_flags": { "files": {
"FEATURE_FLAG": true, "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"POLICY_MODE": "permissive" "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "7c1b7d56df4efc97360ba7754feb1051644e624afa2589971fab09507827e677",
"sbom.cdx.json": "c7283a731ca81300f6cda9e944451062a92c7eb0559ebdc6b96f6afeea637187",
"sbom.spdx.json": "da4978369cae300336e4abd570edb8c8de27bcb5ff2c5131975cae7d8ee01f8e",
"symbols.json": "d03361b683ae570864824a8e57c91ca875590373d949d2f706af488c4ccbcc01",
"vex.openvex.json": "41e52bf3c0b40ca614d32f5c9b719b68c53e2a0f08f483d6c429120060c9d930"
}, },
"sha256": "STUB_DIGEST" "schema_version": "reachbench.manifest/v1",
"variant": "reachable"
} }

12
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/reachgraph.truth.json
View File

@@ -1,16 +1,12 @@
{ {
"schema_version": "1.0", "case_id": "dotnet-newtonsoft-deser-TBD",
"sinks": [
{
"sid": "sym://dotnet:dotnet.c#sink",
"kind": "generic"
}
],
"paths": [ "paths": [
[ [
"sym://net:handler#read", "sym://net:handler#read",
"sym://dotnet:dotnet.c#entry", "sym://dotnet:dotnet.c#entry",
"sym://dotnet:dotnet.c#sink" "sym://dotnet:dotnet.c#sink"
] ]
] ],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "reachable"
} }

10
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/sbom.cdx.json
View File

@@ -1,5 +1,11 @@
{ {
"bomFormat": "CycloneDX", "bomFormat": "CycloneDX",
"specVersion": "1.6", "components": [],
"components": [] "metadata": {
"component": {
"name": "dotnet-newtonsoft-deser-TBD",
"version": "0.0.0"
}
},
"specVersion": "1.5"
} }

8
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/sbom.spdx.json
View File

@@ -1,6 +1,6 @@
{ {
"spdxVersion": "SPDX-3.0", "SPDXID": "SPDXRef-DOCUMENT",
"creationInfo": { "name": "dotnet-newtonsoft-deser-TBD",
"created": "2025-11-07T22:40:04Z" "packages": [],
} "spdxVersion": "SPDX-2.3"
} }

35
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/symbols.json
View File

@@ -1,31 +1,8 @@
{ {
"schema_version": "1.0", "case_id": "dotnet-newtonsoft-deser-TBD",
"components": [ "schema_version": "reachbench.symbols/v1",
{ "symbols": [
"purl": "pkg:generic/dotnet@0.0.1", "sym://dotnet:dotnet.c#sink"
"files": [ ],
{ "variant": "reachable"
"path": "/src/dotnet.c",
"funcs": [
{
"sid": "sym://dotnet:dotnet.c#entry",
"name": "entry",
"range": {
"start": 10,
"end": 20
}
},
{
"sid": "sym://dotnet:dotnet.c#sink",
"name": "sink",
"range": {
"start": 30,
"end": 60
}
}
]
}
]
}
]
} }

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/reachable/vex.openvex.json
View File

@@ -1,12 +1,15 @@
{ {
"author": "reachbench-2025", "author": "StellaOps",
"timestamp": "2025-11-07T22:40:04Z", "role": "reachbench",
"statements": [ "statements": [
{ {
"vulnerability": "TBD", "products": [
"pkg:dotnet-newtonsoft-deser-TBD"
],
"status": "affected", "status": "affected",
"justification": "reasoning_provided", "statusJustification": "component_present",
"impact_statement": "Function-level path is reachable." "vulnerability": "dotnet-newtonsoft-deser-TBD"
} }
] ],
"timestamp": "2025-11-18T00:00:00Z"
} }

31
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/attestation.dsse.json
View File

@@ -1,30 +1,5 @@
{ {
"dsse_version": "1.0", "payload": "",
"subject": [ "payloadType": "application/vnd.in-toto+json",
{ "signatures": []
"name": "ghcr.io/reachbench/dotnet-newtonsoft-deser-TBD:unreachable",
"digest": {
"sha256": "STUB_DIGEST"
}
}
],
"statement": {
"type": "reachbench.attestation",
"materials": [
"sbom.cdx.json",
"sbom.spdx.json",
"symbols.json",
"callgraph.static.json",
"callgraph.framework.json",
"reachgraph.truth.json",
"vex.openvex.json"
]
},
"signatures": [
{
"keyid": "STUB",
"sig": "STUB_SIGNATURE",
"alg": "dilithium2"
}
]
} }

11
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/callgraph.framework.json
View File

@@ -1,10 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"edges": [ "nodes": [],
{ "schema_version": "reachbench.callgraph.framework/v1"
"from": "sym://dotnet:Startup#Configure",
"to": "sym://aspnet:UseEndpoints",
"kind": "pipeline"
}
]
} }

19
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/callgraph.static.json
View File

@@ -1,18 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"nodes": [ "nodes": [],
{ "schema_version": "reachbench.callgraph.static/v1"
"sid": "sym://dotnet:dotnet.c#entry"
},
{
"sid": "sym://dotnet:dotnet.c#sink"
}
],
"edges": [
{
"from": "sym://dotnet:dotnet.c#entry",
"to": "sym://dotnet:dotnet.c#sink",
"kind": "direct"
}
]
} }

17
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/manifest.json
View File

@@ -1,8 +1,15 @@
{ {
"image": "ghcr.io/reachbench/dotnet-newtonsoft-deser-TBD:unreachable", "case_id": "dotnet-newtonsoft-deser-TBD",
"config_flags": { "files": {
"FEATURE_FLAG": false, "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"POLICY_MODE": "enforcing" "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "aa1c4c8133ae26349e1a740293e875d91f3a5ba1b241eb39617a09ea1b6ced8e",
"sbom.cdx.json": "c7283a731ca81300f6cda9e944451062a92c7eb0559ebdc6b96f6afeea637187",
"sbom.spdx.json": "da4978369cae300336e4abd570edb8c8de27bcb5ff2c5131975cae7d8ee01f8e",
"symbols.json": "a804343735751e99bda81ce614d890fe19cb510bcb3d3b17dff05ab01decf2e1",
"vex.openvex.json": "65cdb8a5d02277eacf194c23cdb7a8adada7318f45f5ce4eb0e09fbcd9d8b615"
}, },
"sha256": "STUB_DIGEST" "schema_version": "reachbench.manifest/v1",
"variant": "unreachable"
} }

18
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/reachgraph.truth.json
View File

@@ -1,16 +1,6 @@
{ {
"schema_version": "1.0", "case_id": "dotnet-newtonsoft-deser-TBD",
"sinks": [ "paths": [],
{ "schema_version": "reachbench.reachgraph.truth/v1",
"sid": "sym://dotnet:dotnet.c#sink", "variant": "unreachable"
"kind": "generic"
}
],
"paths": [
[
"sym://net:handler#read",
"sym://dotnet:dotnet.c#entry",
"sym://dotnet:dotnet.c#sink"
]
]
} }

10
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/sbom.cdx.json
View File

@@ -1,5 +1,11 @@
{ {
"bomFormat": "CycloneDX", "bomFormat": "CycloneDX",
"specVersion": "1.6", "components": [],
"components": [] "metadata": {
"component": {
"name": "dotnet-newtonsoft-deser-TBD",
"version": "0.0.0"
}
},
"specVersion": "1.5"
} }

8
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/sbom.spdx.json
View File

@@ -1,6 +1,6 @@
{ {
"spdxVersion": "SPDX-3.0", "SPDXID": "SPDXRef-DOCUMENT",
"creationInfo": { "name": "dotnet-newtonsoft-deser-TBD",
"created": "2025-11-07T22:40:04Z" "packages": [],
} "spdxVersion": "SPDX-2.3"
} }

33
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/symbols.json
View File

@@ -1,31 +1,6 @@
{ {
"schema_version": "1.0", "case_id": "dotnet-newtonsoft-deser-TBD",
"components": [ "schema_version": "reachbench.symbols/v1",
{ "symbols": [],
"purl": "pkg:generic/dotnet@0.0.1", "variant": "unreachable"
"files": [
{
"path": "/src/dotnet.c",
"funcs": [
{
"sid": "sym://dotnet:dotnet.c#entry",
"name": "entry",
"range": {
"start": 10,
"end": 20
}
},
{
"sid": "sym://dotnet:dotnet.c#sink",
"name": "sink",
"range": {
"start": 30,
"end": 60
}
}
]
}
]
}
]
} }

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/dotnet-newtonsoft-deser-TBD/images/unreachable/vex.openvex.json
View File

@@ -1,12 +1,15 @@
{ {
"author": "reachbench-2025", "author": "StellaOps",
"timestamp": "2025-11-07T22:40:04Z", "role": "reachbench",
"statements": [ "statements": [
{ {
"vulnerability": "TBD", "products": [
"pkg:dotnet-newtonsoft-deser-TBD"
],
"status": "not_affected", "status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path", "statusJustification": "component_not_present",
"impact_statement": "Pruned by configuration; path unreachable." "vulnerability": "dotnet-newtonsoft-deser-TBD"
} }
] ],
"timestamp": "2025-11-18T00:00:00Z"
} }

31
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/attestation.dsse.json
View File

@@ -1,30 +1,5 @@
{ {
"dsse_version": "1.0", "payload": "",
"subject": [ "payloadType": "application/vnd.in-toto+json",
{ "signatures": []
"name": "ghcr.io/reachbench/glibc-CVE-2023-4911-looney-tunables:reachable",
"digest": {
"sha256": "STUB_DIGEST"
}
}
],
"statement": {
"type": "reachbench.attestation",
"materials": [
"sbom.cdx.json",
"sbom.spdx.json",
"symbols.json",
"callgraph.static.json",
"callgraph.framework.json",
"reachgraph.truth.json",
"vex.openvex.json"
]
},
"signatures": [
{
"keyid": "STUB",
"sig": "STUB_SIGNATURE",
"alg": "dilithium2"
}
]
} }

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/callgraph.framework.json
View File

@@ -1,4 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"edges": [] "nodes": [],
"schema_version": "reachbench.callgraph.framework/v1"
} }

19
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/callgraph.static.json
View File

@@ -1,18 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"nodes": [ "nodes": [],
{ "schema_version": "reachbench.callgraph.static/v1"
"sid": "sym://glibc:glibc.c#entry"
},
{
"sid": "sym://glibc:glibc.c#sink"
}
],
"edges": [
{
"from": "sym://glibc:glibc.c#entry",
"to": "sym://glibc:glibc.c#sink",
"kind": "direct"
}
]
} }

17
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/manifest.json
View File

@@ -1,8 +1,15 @@
{ {
"image": "ghcr.io/reachbench/glibc-CVE-2023-4911-looney-tunables:reachable", "case_id": "glibc-CVE-2023-4911-looney-tunables",
"config_flags": { "files": {
"FEATURE_FLAG": true, "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"POLICY_MODE": "permissive" "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "f7200c066db6fefd2ed3168497ae7d8cb585f1d12479086217007df1bb2c1460",
"sbom.cdx.json": "e3bbce1051a27f877fdd76634902c835ac21a7f53241308878a404dbced491fc",
"sbom.spdx.json": "2b30ff6eabf0b4c5e76f2e5de6af21a6b48a746c51298a708a3674976ef5b8f8",
"symbols.json": "27dd785d49ef6b4229a0e5a25107346eea5cc8b7dd01c2fb9ba73b53456bcaee",
"vex.openvex.json": "bd6f67166fb31fa2a5e7211b71e083c8611f9c2b7d7e0607c31ce6df777a1f69"
}, },
"sha256": "STUB_DIGEST" "schema_version": "reachbench.manifest/v1",
"variant": "reachable"
} }

12
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/reachgraph.truth.json
View File

@@ -1,16 +1,12 @@
{ {
"schema_version": "1.0", "case_id": "glibc-CVE-2023-4911-looney-tunables",
"sinks": [
{
"sid": "sym://glibc:glibc.c#sink",
"kind": "generic"
}
],
"paths": [ "paths": [
[ [
"sym://net:handler#read", "sym://net:handler#read",
"sym://glibc:glibc.c#entry", "sym://glibc:glibc.c#entry",
"sym://glibc:glibc.c#sink" "sym://glibc:glibc.c#sink"
] ]
] ],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "reachable"
} }

10
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/sbom.cdx.json
View File

@@ -1,5 +1,11 @@
{ {
"bomFormat": "CycloneDX", "bomFormat": "CycloneDX",
"specVersion": "1.6", "components": [],
"components": [] "metadata": {
"component": {
"name": "glibc-CVE-2023-4911-looney-tunables",
"version": "0.0.0"
}
},
"specVersion": "1.5"
} }

8
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/sbom.spdx.json
View File

@@ -1,6 +1,6 @@
{ {
"spdxVersion": "SPDX-3.0", "SPDXID": "SPDXRef-DOCUMENT",
"creationInfo": { "name": "glibc-CVE-2023-4911-looney-tunables",
"created": "2025-11-07T22:40:04Z" "packages": [],
} "spdxVersion": "SPDX-2.3"
} }

35
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/symbols.json
View File

@@ -1,31 +1,8 @@
{ {
"schema_version": "1.0", "case_id": "glibc-CVE-2023-4911-looney-tunables",
"components": [ "schema_version": "reachbench.symbols/v1",
{ "symbols": [
"purl": "pkg:generic/glibc@0.0.1", "sym://glibc:glibc.c#sink"
"files": [ ],
{ "variant": "reachable"
"path": "/src/glibc.c",
"funcs": [
{
"sid": "sym://glibc:glibc.c#entry",
"name": "entry",
"range": {
"start": 10,
"end": 20
}
},
{
"sid": "sym://glibc:glibc.c#sink",
"name": "sink",
"range": {
"start": 30,
"end": 60
}
}
]
}
]
}
]
} }

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/reachable/vex.openvex.json
View File

@@ -1,12 +1,15 @@
{ {
"author": "reachbench-2025", "author": "StellaOps",
"timestamp": "2025-11-07T22:40:04Z", "role": "reachbench",
"statements": [ "statements": [
{ {
"vulnerability": "CVE-2023-4911", "products": [
"pkg:glibc-CVE-2023-4911-looney-tunables"
],
"status": "affected", "status": "affected",
"justification": "reasoning_provided", "statusJustification": "component_present",
"impact_statement": "Function-level path is reachable." "vulnerability": "cve:CVE-2023-4911"
} }
] ],
"timestamp": "2025-11-18T00:00:00Z"
} }

31
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/attestation.dsse.json
View File

@@ -1,30 +1,5 @@
{ {
"dsse_version": "1.0", "payload": "",
"subject": [ "payloadType": "application/vnd.in-toto+json",
{ "signatures": []
"name": "ghcr.io/reachbench/glibc-CVE-2023-4911-looney-tunables:unreachable",
"digest": {
"sha256": "STUB_DIGEST"
}
}
],
"statement": {
"type": "reachbench.attestation",
"materials": [
"sbom.cdx.json",
"sbom.spdx.json",
"symbols.json",
"callgraph.static.json",
"callgraph.framework.json",
"reachgraph.truth.json",
"vex.openvex.json"
]
},
"signatures": [
{
"keyid": "STUB",
"sig": "STUB_SIGNATURE",
"alg": "dilithium2"
}
]
} }

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/callgraph.framework.json
View File

@@ -1,4 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"edges": [] "nodes": [],
"schema_version": "reachbench.callgraph.framework/v1"
} }

19
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/callgraph.static.json
View File

@@ -1,18 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"nodes": [ "nodes": [],
{ "schema_version": "reachbench.callgraph.static/v1"
"sid": "sym://glibc:glibc.c#entry"
},
{
"sid": "sym://glibc:glibc.c#sink"
}
],
"edges": [
{
"from": "sym://glibc:glibc.c#entry",
"to": "sym://glibc:glibc.c#sink",
"kind": "direct"
}
]
} }

17
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/manifest.json
View File

@@ -1,8 +1,15 @@
{ {
"image": "ghcr.io/reachbench/glibc-CVE-2023-4911-looney-tunables:unreachable", "case_id": "glibc-CVE-2023-4911-looney-tunables",
"config_flags": { "files": {
"FEATURE_FLAG": false, "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"POLICY_MODE": "enforcing" "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "836f543e3e7b593582e2ffb529456ffc4309ec79d41e5f8b9eb5696f54d17883",
"sbom.cdx.json": "e3bbce1051a27f877fdd76634902c835ac21a7f53241308878a404dbced491fc",
"sbom.spdx.json": "2b30ff6eabf0b4c5e76f2e5de6af21a6b48a746c51298a708a3674976ef5b8f8",
"symbols.json": "fe742caccb2134c46594f3816b58b06f1cad6f2d62ea8dd55ad31ce4ce672906",
"vex.openvex.json": "3ebcafe7d9e0f211f80783568cd9bc4a92ddaa3609b2b0ef11471031246cadde"
}, },
"sha256": "STUB_DIGEST" "schema_version": "reachbench.manifest/v1",
"variant": "unreachable"
} }

18
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/reachgraph.truth.json
View File

@@ -1,16 +1,6 @@
{ {
"schema_version": "1.0", "case_id": "glibc-CVE-2023-4911-looney-tunables",
"sinks": [ "paths": [],
{ "schema_version": "reachbench.reachgraph.truth/v1",
"sid": "sym://glibc:glibc.c#sink", "variant": "unreachable"
"kind": "generic"
}
],
"paths": [
[
"sym://net:handler#read",
"sym://glibc:glibc.c#entry",
"sym://glibc:glibc.c#sink"
]
]
} }

10
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/sbom.cdx.json
View File

@@ -1,5 +1,11 @@
{ {
"bomFormat": "CycloneDX", "bomFormat": "CycloneDX",
"specVersion": "1.6", "components": [],
"components": [] "metadata": {
"component": {
"name": "glibc-CVE-2023-4911-looney-tunables",
"version": "0.0.0"
}
},
"specVersion": "1.5"
} }

8
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/sbom.spdx.json
View File

@@ -1,6 +1,6 @@
{ {
"spdxVersion": "SPDX-3.0", "SPDXID": "SPDXRef-DOCUMENT",
"creationInfo": { "name": "glibc-CVE-2023-4911-looney-tunables",
"created": "2025-11-07T22:40:04Z" "packages": [],
} "spdxVersion": "SPDX-2.3"
} }

33
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/symbols.json
View File

@@ -1,31 +1,6 @@
{ {
"schema_version": "1.0", "case_id": "glibc-CVE-2023-4911-looney-tunables",
"components": [ "schema_version": "reachbench.symbols/v1",
{ "symbols": [],
"purl": "pkg:generic/glibc@0.0.1", "variant": "unreachable"
"files": [
{
"path": "/src/glibc.c",
"funcs": [
{
"sid": "sym://glibc:glibc.c#entry",
"name": "entry",
"range": {
"start": 10,
"end": 20
}
},
{
"sid": "sym://glibc:glibc.c#sink",
"name": "sink",
"range": {
"start": 30,
"end": 60
}
}
]
}
]
}
]
} }

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/glibc-CVE-2023-4911-looney-tunables/images/unreachable/vex.openvex.json
View File

@@ -1,12 +1,15 @@
{ {
"author": "reachbench-2025", "author": "StellaOps",
"timestamp": "2025-11-07T22:40:04Z", "role": "reachbench",
"statements": [ "statements": [
{ {
"vulnerability": "CVE-2023-4911", "products": [
"pkg:glibc-CVE-2023-4911-looney-tunables"
],
"status": "not_affected", "status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path", "statusJustification": "component_not_present",
"impact_statement": "Pruned by configuration; path unreachable." "vulnerability": "cve:CVE-2023-4911"
} }
] ],
"timestamp": "2025-11-18T00:00:00Z"
} }

31
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/attestation.dsse.json
View File

@@ -1,30 +1,5 @@
{ {
"dsse_version": "1.0", "payload": "",
"subject": [ "payloadType": "application/vnd.in-toto+json",
{ "signatures": []
"name": "ghcr.io/reachbench/go-gateway-reflection-auth-bypass:reachable",
"digest": {
"sha256": "STUB_DIGEST"
}
}
],
"statement": {
"type": "reachbench.attestation",
"materials": [
"sbom.cdx.json",
"sbom.spdx.json",
"symbols.json",
"callgraph.static.json",
"callgraph.framework.json",
"reachgraph.truth.json",
"vex.openvex.json"
]
},
"signatures": [
{
"keyid": "STUB",
"sig": "STUB_SIGNATURE",
"alg": "dilithium2"
}
]
} }

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/callgraph.framework.json
View File

@@ -1,4 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"edges": [] "nodes": [],
"schema_version": "reachbench.callgraph.framework/v1"
} }

19
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/callgraph.static.json
View File

@@ -1,18 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"nodes": [ "nodes": [],
{ "schema_version": "reachbench.callgraph.static/v1"
"sid": "sym://go:go.c#entry"
},
{
"sid": "sym://go:go.c#sink"
}
],
"edges": [
{
"from": "sym://go:go.c#entry",
"to": "sym://go:go.c#sink",
"kind": "direct"
}
]
} }

17
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/manifest.json
View File

@@ -1,8 +1,15 @@
{ {
"image": "ghcr.io/reachbench/go-gateway-reflection-auth-bypass:reachable", "case_id": "go-gateway-reflection-auth-bypass",
"config_flags": { "files": {
"FEATURE_FLAG": true, "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"POLICY_MODE": "permissive" "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "f7c362965a307a6cf40f7921d2ad508cd503fa924ed3a391dba3afe54ab0dcdd",
"sbom.cdx.json": "16a041571c0641abe57929624e49f07353edb8980ecdd16340ef83f24f127cba",
"sbom.spdx.json": "8abd620f40a28d379b861d6ef640017ea119a8870890009dbd8126ed621a5c73",
"symbols.json": "dbf69a19ce1676cc809597ed9fce78c9fe8ebcf25186949a107971116a79a39b",
"vex.openvex.json": "b550e30451d7ef7ff612606711ecede1089d914bd8a26f5fbcf01ff1d4e36149"
}, },
"sha256": "STUB_DIGEST" "schema_version": "reachbench.manifest/v1",
"variant": "reachable"
} }

12
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/reachgraph.truth.json
View File

@@ -1,16 +1,12 @@
{ {
"schema_version": "1.0", "case_id": "go-gateway-reflection-auth-bypass",
"sinks": [
{
"sid": "sym://go:go.c#sink",
"kind": "generic"
}
],
"paths": [ "paths": [
[ [
"sym://net:handler#read", "sym://net:handler#read",
"sym://go:go.c#entry", "sym://go:go.c#entry",
"sym://go:go.c#sink" "sym://go:go.c#sink"
] ]
] ],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "reachable"
} }

10
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/sbom.cdx.json
View File

@@ -1,5 +1,11 @@
{ {
"bomFormat": "CycloneDX", "bomFormat": "CycloneDX",
"specVersion": "1.6", "components": [],
"components": [] "metadata": {
"component": {
"name": "go-gateway-reflection-auth-bypass",
"version": "0.0.0"
}
},
"specVersion": "1.5"
} }

8
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/sbom.spdx.json
View File

@@ -1,6 +1,6 @@
{ {
"spdxVersion": "SPDX-3.0", "SPDXID": "SPDXRef-DOCUMENT",
"creationInfo": { "name": "go-gateway-reflection-auth-bypass",
"created": "2025-11-07T22:40:04Z" "packages": [],
} "spdxVersion": "SPDX-2.3"
} }

35
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/symbols.json
View File

@@ -1,31 +1,8 @@
{ {
"schema_version": "1.0", "case_id": "go-gateway-reflection-auth-bypass",
"components": [ "schema_version": "reachbench.symbols/v1",
{ "symbols": [
"purl": "pkg:generic/go@0.0.1", "sym://go:go.c#sink"
"files": [ ],
{ "variant": "reachable"
"path": "/src/go.c",
"funcs": [
{
"sid": "sym://go:go.c#entry",
"name": "entry",
"range": {
"start": 10,
"end": 20
}
},
{
"sid": "sym://go:go.c#sink",
"name": "sink",
"range": {
"start": 30,
"end": 60
}
}
]
}
]
}
]
} }

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/reachable/vex.openvex.json
View File

@@ -1,12 +1,15 @@
{ {
"author": "reachbench-2025", "author": "StellaOps",
"timestamp": "2025-11-07T22:40:04Z", "role": "reachbench",
"statements": [ "statements": [
{ {
"vulnerability": "TBD", "products": [
"pkg:go-gateway-reflection-auth-bypass"
],
"status": "affected", "status": "affected",
"justification": "reasoning_provided", "statusJustification": "component_present",
"impact_statement": "Function-level path is reachable." "vulnerability": "go-gateway-reflection-auth-bypass"
} }
] ],
"timestamp": "2025-11-18T00:00:00Z"
} }

31
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/attestation.dsse.json
View File

@@ -1,30 +1,5 @@
{ {
"dsse_version": "1.0", "payload": "",
"subject": [ "payloadType": "application/vnd.in-toto+json",
{ "signatures": []
"name": "ghcr.io/reachbench/go-gateway-reflection-auth-bypass:unreachable",
"digest": {
"sha256": "STUB_DIGEST"
}
}
],
"statement": {
"type": "reachbench.attestation",
"materials": [
"sbom.cdx.json",
"sbom.spdx.json",
"symbols.json",
"callgraph.static.json",
"callgraph.framework.json",
"reachgraph.truth.json",
"vex.openvex.json"
]
},
"signatures": [
{
"keyid": "STUB",
"sig": "STUB_SIGNATURE",
"alg": "dilithium2"
}
]
} }

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/callgraph.framework.json
View File

@@ -1,4 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"edges": [] "nodes": [],
"schema_version": "reachbench.callgraph.framework/v1"
} }

19
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/callgraph.static.json
View File

@@ -1,18 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"nodes": [ "nodes": [],
{ "schema_version": "reachbench.callgraph.static/v1"
"sid": "sym://go:go.c#entry"
},
{
"sid": "sym://go:go.c#sink"
}
],
"edges": [
{
"from": "sym://go:go.c#entry",
"to": "sym://go:go.c#sink",
"kind": "direct"
}
]
} }

17
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/manifest.json
View File

@@ -1,8 +1,15 @@
{ {
"image": "ghcr.io/reachbench/go-gateway-reflection-auth-bypass:unreachable", "case_id": "go-gateway-reflection-auth-bypass",
"config_flags": { "files": {
"FEATURE_FLAG": false, "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"POLICY_MODE": "enforcing" "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "df9749530b5dc16127ab6782877e19e2bde09a40f7cd44edc8af327619498d32",
"sbom.cdx.json": "16a041571c0641abe57929624e49f07353edb8980ecdd16340ef83f24f127cba",
"sbom.spdx.json": "8abd620f40a28d379b861d6ef640017ea119a8870890009dbd8126ed621a5c73",
"symbols.json": "6571c9c658f4b0a967542a02cd5e5f4b82dd1ffaf7758c51d3ac9c2a83c6c86e",
"vex.openvex.json": "69ffc3f74db3d723a0354c0aa05f4e5920fdb02fc8ac72e9d82392b5997f074d"
}, },
"sha256": "STUB_DIGEST" "schema_version": "reachbench.manifest/v1",
"variant": "unreachable"
} }

18
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/reachgraph.truth.json
View File

@@ -1,16 +1,6 @@
{ {
"schema_version": "1.0", "case_id": "go-gateway-reflection-auth-bypass",
"sinks": [ "paths": [],
{ "schema_version": "reachbench.reachgraph.truth/v1",
"sid": "sym://go:go.c#sink", "variant": "unreachable"
"kind": "generic"
}
],
"paths": [
[
"sym://net:handler#read",
"sym://go:go.c#entry",
"sym://go:go.c#sink"
]
]
} }

10
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/sbom.cdx.json
View File

@@ -1,5 +1,11 @@
{ {
"bomFormat": "CycloneDX", "bomFormat": "CycloneDX",
"specVersion": "1.6", "components": [],
"components": [] "metadata": {
"component": {
"name": "go-gateway-reflection-auth-bypass",
"version": "0.0.0"
}
},
"specVersion": "1.5"
} }

8
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/sbom.spdx.json
View File

@@ -1,6 +1,6 @@
{ {
"spdxVersion": "SPDX-3.0", "SPDXID": "SPDXRef-DOCUMENT",
"creationInfo": { "name": "go-gateway-reflection-auth-bypass",
"created": "2025-11-07T22:40:04Z" "packages": [],
} "spdxVersion": "SPDX-2.3"
} }

33
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/symbols.json
View File

@@ -1,31 +1,6 @@
{ {
"schema_version": "1.0", "case_id": "go-gateway-reflection-auth-bypass",
"components": [ "schema_version": "reachbench.symbols/v1",
{ "symbols": [],
"purl": "pkg:generic/go@0.0.1", "variant": "unreachable"
"files": [
{
"path": "/src/go.c",
"funcs": [
{
"sid": "sym://go:go.c#entry",
"name": "entry",
"range": {
"start": 10,
"end": 20
}
},
{
"sid": "sym://go:go.c#sink",
"name": "sink",
"range": {
"start": 30,
"end": 60
}
}
]
}
]
}
]
} }

15
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-gateway-reflection-auth-bypass/images/unreachable/vex.openvex.json
View File

@@ -1,12 +1,15 @@
{ {
"author": "reachbench-2025", "author": "StellaOps",
"timestamp": "2025-11-07T22:40:04Z", "role": "reachbench",
"statements": [ "statements": [
{ {
"vulnerability": "TBD", "products": [
"pkg:go-gateway-reflection-auth-bypass"
],
"status": "not_affected", "status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path", "statusJustification": "component_not_present",
"impact_statement": "Pruned by configuration; path unreachable." "vulnerability": "go-gateway-reflection-auth-bypass"
} }
] ],
"timestamp": "2025-11-18T00:00:00Z"
} }

31
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/attestation.dsse.json
View File

@@ -1,30 +1,5 @@
{ {
"dsse_version": "1.0", "payload": "",
"subject": [ "payloadType": "application/vnd.in-toto+json",
{ "signatures": []
"name": "ghcr.io/reachbench/go-ssh-CVE-2020-9283-keyexchange:reachable",
"digest": {
"sha256": "STUB_DIGEST"
}
}
],
"statement": {
"type": "reachbench.attestation",
"materials": [
"sbom.cdx.json",
"sbom.spdx.json",
"symbols.json",
"callgraph.static.json",
"callgraph.framework.json",
"reachgraph.truth.json",
"vex.openvex.json"
]
},
"signatures": [
{
"keyid": "STUB",
"sig": "STUB_SIGNATURE",
"alg": "dilithium2"
}
]
} }

5
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/callgraph.framework.json
View File

@@ -1,4 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"edges": [] "nodes": [],
"schema_version": "reachbench.callgraph.framework/v1"
} }

19
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/callgraph.static.json
View File

@@ -1,18 +1,5 @@
{ {
"schema_version": "1.0", "edges": [],
"nodes": [ "nodes": [],
{ "schema_version": "reachbench.callgraph.static/v1"
"sid": "sym://go:go.c#entry"
},
{
"sid": "sym://go:go.c#sink"
}
],
"edges": [
{
"from": "sym://go:go.c#entry",
"to": "sym://go:go.c#sink",
"kind": "direct"
}
]
} }

17
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/manifest.json
View File

@@ -1,8 +1,15 @@
{ {
"image": "ghcr.io/reachbench/go-ssh-CVE-2020-9283-keyexchange:reachable", "case_id": "go-ssh-CVE-2020-9283-keyexchange",
"config_flags": { "files": {
"FEATURE_FLAG": true, "attestation.dsse.json": "12ced21ccc633b0f458df44e276c954ccdbb14c5acd0d234fdf7934eec48696f",
"POLICY_MODE": "permissive" "callgraph.framework.json": "86ebf343e4b684a3bf2b3200e0bd1849397ea69f280330b1095aceefdff799ce",
"callgraph.static.json": "99c850cccba6641635d1c668f831c80667930ddcd1f7acb2fe9c4c7771c63e7e",
"reachgraph.truth.json": "43fee4eeb52cec12879355873638959460eb91c463e2b2d3a67ef033f906469f",
"sbom.cdx.json": "a975829c9537c16db4d19306ba6bc809930b6ad9f96495a8202d59d3f174cf2c",
"sbom.spdx.json": "399d1f0946dfbe0fb66749f2b08df539f93285affbd059e0b66df55f485ed39a",
"symbols.json": "189002d4626708cdad2ff1bda786c47dd90002915f411324ad5dccbce65ba26d",
"vex.openvex.json": "1fdce721814a1a0c502882ab514ac7a361fdd3ea866869f4cf2c07578feb23d7"
}, },
"sha256": "STUB_DIGEST" "schema_version": "reachbench.manifest/v1",
"variant": "reachable"
} }

12
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/reachgraph.truth.json
View File

@@ -1,16 +1,12 @@
{ {
"schema_version": "1.0", "case_id": "go-ssh-CVE-2020-9283-keyexchange",
"sinks": [
{
"sid": "sym://go:go.c#sink",
"kind": "generic"
}
],
"paths": [ "paths": [
[ [
"sym://net:handler#read", "sym://net:handler#read",
"sym://go:go.c#entry", "sym://go:go.c#entry",
"sym://go:go.c#sink" "sym://go:go.c#sink"
] ]
] ],
"schema_version": "reachbench.reachgraph.truth/v1",
"variant": "reachable"
} }

10
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/sbom.cdx.json
View File

@@ -1,5 +1,11 @@
{ {
"bomFormat": "CycloneDX", "bomFormat": "CycloneDX",
"specVersion": "1.6", "components": [],
"components": [] "metadata": {
"component": {
"name": "go-ssh-CVE-2020-9283-keyexchange",
"version": "0.0.0"
}
},
"specVersion": "1.5"
} }

8
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/sbom.spdx.json
View File

@@ -1,6 +1,6 @@
{ {
"spdxVersion": "SPDX-3.0", "SPDXID": "SPDXRef-DOCUMENT",
"creationInfo": { "name": "go-ssh-CVE-2020-9283-keyexchange",
"created": "2025-11-07T22:40:04Z" "packages": [],
} "spdxVersion": "SPDX-2.3"
} }

35
tests/reachability/fixtures/reachbench-2025-expanded/cases/go-ssh-CVE-2020-9283-keyexchange/images/reachable/symbols.json
View File

@@ -1,31 +1,8 @@
{ {
"schema_version": "1.0", "case_id": "go-ssh-CVE-2020-9283-keyexchange",
"components": [ "schema_version": "reachbench.symbols/v1",
{ "symbols": [
"purl": "pkg:generic/go@0.0.1", "sym://go:go.c#sink"
"files": [ ],
{ "variant": "reachable"
"path": "/src/go.c",
"funcs": [
{
"sid": "sym://go:go.c#entry",
"name": "entry",
"range": {
"start": 10,
"end": 20
}
},
{
"sid": "sym://go:go.c#sink",
"name": "sink",
"range": {
"start": 30,
"end": 60
}
}
]
}
]
}
]
} }

Some files were not shown because too many files have changed in this diff Show More