From 689c656f20cb504d03d9fabe7b989d06d5765f4a Mon Sep 17 00:00:00 2001
From: StellaOps Bot <stellaops-bot@example.com>
Date: Tue, 9 Dec 2025 09:40:36 +0200
Subject: [PATCH] up

---
 .../outputs/attestation.json                  |  22 ++++++++++++++++++
 .../outputs/binary.tar.gz                     | Bin 0 -> 2529 bytes
 .../micronaut/Controller$Response.class       | Bin 0 -> 1455 bytes
 .../reachability/micronaut/Controller.class   | Bin 0 -> 1626 bytes
 .../micronaut/ControllerTest.class            | Bin 0 -> 2357 bytes
 .../outputs/classes/outputs/SINK_REACHED      |   1 +
 .../outputs/coverage.json                     |  13 +++++++++++
 .../outputs/sbom.cdx.json                     |  14 +++++++++++
 .../outputs/traces/trace.json                 |   9 +++++++
 .../outputs/attestation.json                  |  22 ++++++++++++++++++
 .../micronaut-guarded/outputs/binary.tar.gz   | Bin 0 -> 2541 bytes
 .../micronautguard/Controller$Response.class  | Bin 0 -> 1480 bytes
 .../micronautguard/Controller.class           | Bin 0 -> 1951 bytes
 .../micronautguard/ControllerTest.class       | Bin 0 -> 2461 bytes
 .../outputs/classes/outputs/SINK_BLOCKED      |   1 +
 .../micronaut-guarded/outputs/coverage.json   |  13 +++++++++++
 .../micronaut-guarded/outputs/sbom.cdx.json   |  14 +++++++++++
 .../outputs/traces/trace.json                 |   8 +++++++
 .../outputs/attestation.json                  |  22 ++++++++++++++++++
 .../spring-deserialize/outputs/binary.tar.gz  | Bin 0 -> 2589 bytes
 .../bench/reachability/App$Response.class     | Bin 0 -> 1363 bytes
 .../classes/bench/reachability/App.class      | Bin 0 -> 1370 bytes
 .../classes/bench/reachability/AppTest.class  | Bin 0 -> 2203 bytes
 .../outputs/classes/outputs/SINK_REACHED      |   1 +
 .../spring-deserialize/outputs/coverage.json  |  14 +++++++++++
 .../spring-deserialize/outputs/sbom.cdx.json  |  14 +++++++++++
 .../outputs/traces/trace.json                 |   9 +++++++
 .../spring-guarded/outputs/attestation.json   |  22 ++++++++++++++++++
 .../java/spring-guarded/outputs/binary.tar.gz | Bin 0 -> 2532 bytes
 .../bench/reachability/App$Response.class     | Bin 0 -> 1363 bytes
 .../classes/bench/reachability/App.class      | Bin 0 -> 1661 bytes
 .../classes/bench/reachability/AppTest.class  | Bin 0 -> 2290 bytes
 .../outputs/classes/outputs/SINK_BLOCKED      |   1 +
 .../java/spring-guarded/outputs/coverage.json |  13 +++++++++++
 .../java/spring-guarded/outputs/sbom.cdx.json |  14 +++++++++++
 .../spring-guarded/outputs/traces/trace.json  |   8 +++++++
 .../outputs/attestation.json                  |  22 ++++++++++++++++++
 .../spring-reflection/outputs/binary.tar.gz   | Bin 0 -> 2398 bytes
 .../ReflectController$Marker.class            | Bin 0 -> 456 bytes
 .../ReflectController$Response.class          | Bin 0 -> 1532 bytes
 .../springreflection/ReflectController.class  | Bin 0 -> 1491 bytes
 .../ReflectControllerTest.class               | Bin 0 -> 1880 bytes
 .../outputs/classes/outputs/SINK_REACHED      |   1 +
 .../spring-reflection/outputs/coverage.json   |  13 +++++++++++
 .../spring-reflection/outputs/sbom.cdx.json   |  14 +++++++++++
 .../outputs/traces/trace.json                 |   9 +++++++
 46 files changed, 294 insertions(+)
 create mode 100644 bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/attestation.json
 create mode 100644 bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/binary.tar.gz
 create mode 100644 bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/classes/bench/reachability/micronaut/Controller$Response.class
 create mode 100644 bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/classes/bench/reachability/micronaut/Controller.class
 create mode 100644 bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/classes/bench/reachability/micronaut/ControllerTest.class
 create mode 100644 bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/classes/outputs/SINK_REACHED
 create mode 100644 bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/coverage.json
 create mode 100644 bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/sbom.cdx.json
 create mode 100644 bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/traces/trace.json
 create mode 100644 bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/attestation.json
 create mode 100644 bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/binary.tar.gz
 create mode 100644 bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/classes/bench/reachability/micronautguard/Controller$Response.class
 create mode 100644 bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/classes/bench/reachability/micronautguard/Controller.class
 create mode 100644 bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/classes/bench/reachability/micronautguard/ControllerTest.class
 create mode 100644 bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/classes/outputs/SINK_BLOCKED
 create mode 100644 bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/coverage.json
 create mode 100644 bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/sbom.cdx.json
 create mode 100644 bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/traces/trace.json
 create mode 100644 bench/reachability-benchmark/cases/java/spring-deserialize/outputs/attestation.json
 create mode 100644 bench/reachability-benchmark/cases/java/spring-deserialize/outputs/binary.tar.gz
 create mode 100644 bench/reachability-benchmark/cases/java/spring-deserialize/outputs/classes/bench/reachability/App$Response.class
 create mode 100644 bench/reachability-benchmark/cases/java/spring-deserialize/outputs/classes/bench/reachability/App.class
 create mode 100644 bench/reachability-benchmark/cases/java/spring-deserialize/outputs/classes/bench/reachability/AppTest.class
 create mode 100644 bench/reachability-benchmark/cases/java/spring-deserialize/outputs/classes/outputs/SINK_REACHED
 create mode 100644 bench/reachability-benchmark/cases/java/spring-deserialize/outputs/coverage.json
 create mode 100644 bench/reachability-benchmark/cases/java/spring-deserialize/outputs/sbom.cdx.json
 create mode 100644 bench/reachability-benchmark/cases/java/spring-deserialize/outputs/traces/trace.json
 create mode 100644 bench/reachability-benchmark/cases/java/spring-guarded/outputs/attestation.json
 create mode 100644 bench/reachability-benchmark/cases/java/spring-guarded/outputs/binary.tar.gz
 create mode 100644 bench/reachability-benchmark/cases/java/spring-guarded/outputs/classes/bench/reachability/App$Response.class
 create mode 100644 bench/reachability-benchmark/cases/java/spring-guarded/outputs/classes/bench/reachability/App.class
 create mode 100644 bench/reachability-benchmark/cases/java/spring-guarded/outputs/classes/bench/reachability/AppTest.class
 create mode 100644 bench/reachability-benchmark/cases/java/spring-guarded/outputs/classes/outputs/SINK_BLOCKED
 create mode 100644 bench/reachability-benchmark/cases/java/spring-guarded/outputs/coverage.json
 create mode 100644 bench/reachability-benchmark/cases/java/spring-guarded/outputs/sbom.cdx.json
 create mode 100644 bench/reachability-benchmark/cases/java/spring-guarded/outputs/traces/trace.json
 create mode 100644 bench/reachability-benchmark/cases/java/spring-reflection/outputs/attestation.json
 create mode 100644 bench/reachability-benchmark/cases/java/spring-reflection/outputs/binary.tar.gz
 create mode 100644 bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/bench/reachability/springreflection/ReflectController$Marker.class
 create mode 100644 bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/bench/reachability/springreflection/ReflectController$Response.class
 create mode 100644 bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/bench/reachability/springreflection/ReflectController.class
 create mode 100644 bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/bench/reachability/springreflection/ReflectControllerTest.class
 create mode 100644 bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/outputs/SINK_REACHED
 create mode 100644 bench/reachability-benchmark/cases/java/spring-reflection/outputs/coverage.json
 create mode 100644 bench/reachability-benchmark/cases/java/spring-reflection/outputs/sbom.cdx.json
 create mode 100644 bench/reachability-benchmark/cases/java/spring-reflection/outputs/traces/trace.json

diff --git a/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/attestation.json b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/attestation.json
new file mode 100644
index 000000000..310df298d
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/attestation.json
@@ -0,0 +1,22 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicate": {
+    "buildType": "stub",
+    "builder": {
+      "id": "stub"
+    },
+    "metadata": {
+      "buildFinishedOn": "1970-01-01T00:00:00Z",
+      "buildStartedOn": "1970-01-01T00:00:00Z"
+    }
+  },
+  "predicateType": "https://slsa.dev/provenance/v0.2",
+  "subject": [
+    {
+      "digest": {
+        "sha256": "stub"
+      },
+      "name": "java-micronaut-deserialize:203"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/binary.tar.gz b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/binary.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..e9737cac21ad3e92a48588b69536e52251beaab3
GIT binary patch
literal 2529
zcmV<72_E(ziwFP!000001MOLDbK5o&&S(A#9GhvWt4T_>9L*?}=N#L;q~}DQ*zR2~
zm(f5ZWFaOA762_P8UOcN03=1dIQHDcZl{Nx#3F#jF0fcUyGsflh0h+D+CaTtPyYg~
z{_5vWx7Y6N>}+rA{ujGDyU)<>V=qimAtdGqJ%y@2A_+MELzYR-l7#T!6TZgZT*p1<
z-|2Qc%je(e>~6n!hT7kJB^&7f{QPqqUExcD#w3fT0Vg<`;xSFAoChh5ILmM$Upfv=
zbH*i7?hzD{Cc#^rzg+Kqg#~%hT^^t;_$x@ri*Z6D6eU;)wD36e#X&$}h%PdLCj`Yr
z5KeJIKVwN*h6K&7kXJ4&AuY{b3WKAQ@bjLCoMnQbDbC`AT;vJEu?H*MJCmGdms`mE
z?xQh_=dDtuBGZp@JXcfDKr;lFM0#%7=eAzf+;oDxnstD(B1xLU6mcR8o}rA)>Q#B&
zc6$rCW0=IrZv_#uDf6~|l6;Q5;rJ7Y<eMxnB&?0#6fr7bT}t5En75=_kz#u_m*jwR
zJa2NEgHby>A`y!T_gX=$pQ;_TfL1nR6e2eM1S^1bDEEj>r`OoRUHjfv`-aJZWX8^3
ztGRI$VHr)4cYG6(Tpu;Ld5Af8l~{74_HwA433dXHXW()Pd52T7ti>^Zn_k0V-#lIj
zq?y#7REWw^DnGe(Zk^xzf<7`W<NrB$=eLgm_u+r9w~GJUJH4*O|EHk;0sjr4uVMeD
zzA7F#fbZspBDk@HtLyHMVK7FF;|RLFpD!{h{Rt-oO&CXPGD&Er!hs|_r5P1z>#i80
zytV|6oYQM8NfjB&>s&<?;w>Pph2)g8nLuxb3j|uAPmQ9(LN35~%qlS6INn6X2AnU6
zU~C!Bm*#`~H57&k!HiQ$O5{~*-xNPetXv@daaJKc(NE_U41*TH<a!4+U@pUCX~Jtp
zW0Yc=d1m&9j|lTiQJZg*@$L$}uyGg)*klo2w;G4z)*k0JG5i|tCnw5kjYM@R)N8n2
zOfW8{<^%@Uy_SmC04=DGT+`)lWLJWey?!fjB9_*pW~xz`S5N$jg5$D69#LK%sp|1u
zrjJxK!@S`N(yN$qvF0Xf+CSA1b2OPXM43LXmTaUzGI93i-9JX}j}H!CA0N5vfqODD
z9^<)^7i2x%XvDQ~L6bPte*-an9E`aK|93j=?G^lQcY)pF{}a%6e+di0!!gZ5l3gRf
z<f$WwL_R4P%4tp}m?qBq;qZLmKKG&+!C&y<3=%DPY`d*62we32_b8vmE!P=dC_cp=
zR=2=8dw*E<LAK#Kua4gxz8)=!)Pq4_{x!tu`-1!&SU|GtkQ*If&W0E7506Jj2j|D5
z<I~~c>%sFcYkhsc)7vRs?6#VD{_nxX`C-*MIUF6FoD2>fN3eoNYDbI3g_5yEgesVU
zX+*)v=u><Jmjsq!nmT5xPG@DIp^i{QxMfp9jDwcre1{^I<_b1`M7+q#;O8hE5%S~J
z*?zgKP7nFurGV+`(R~gUbyutQ_3k>EbD~wrS|gk>{%YJ0mSs6keOCIQN2dqpuLtI2
zP(GJahygy@+xy}4*B|OsK(Gvo0LZL!ET;(_I}Z2-KwQ}jPT|*scm&QzLF)&%66}6#
zIT5=iTxBPN65!kk*iN|p2Hv?F-e4>-XeO0Qh>?~@Vi^9=>1?4+7yj?U|K7)~P3)3M
zoB(sTy|n>A6&j-uxz!>AwO6-gkar}>jr3Gc5Ep4KyozfJ(JUsJ9Bf160}G9=$XpE0
z0j66mNBhZQv%tpZpx-?mo}HsG&B7u#LDP&Y8>+pycf>^quI^gV*eK%Ma@($|v6Y^;
z)yW^#ML6mAmqnTx8I$@PT$66p74#%gIRR8uY`t7XGYUQeM!PI9SCVechQ%n>0kpJd
zby*f;CTv2X%E2PWSgHb~LXOy#v7O^JL{&n*ej=LXtH*KrtGcm^3{<5<a1F;eNgzK(
z=5h)I=0PcuIK~n?Dwz1b5;f2m>HBP!5k6?c(<Ns`uAj0Z1^Y&34E;yj)b~?KQ!;S>
z_IwS?+=?gqJSnd-AU5Xn0Q3cypQ~}W3url_LzOK^Fvn?vv^(Vt4o8@doTb4{nm7}%
zL5Z+{GxHoWaKMHe0=s1el;{eWHZJPRE&B1#ULgO;sdkS?)NxP#2gUx*%KQJ`?(VM5
z|DJ+q3?QyzreBABKW?D^c6-Nl5}W~MUy{Bq?VX%61?_#baf$<hPCz{fayvmgXuA#!
zMx5#*u^D81A?J_@MT>XAIpI+Irveq5-vz_J@)c?oa8xc<qgo#@&|i<1jtXz(px*8S
z!kj6DA-<}z?_nuYurA;VfE5Hp;A1Q`T?vcyUixK5p%R)t+K|JP<0=#BqfT2lb=2)|
z2<pl*1?<JIjTtvBq*JRDETyzEF`}tHOqWCn%?0r#Neigb``aBKvRSoINKRESGOJX}
z0q*UN8Zl9C1i_AsNX{a#&?3)PGfByj(3F}pK`6=#CBT><B`M=`Xm|fkT}KBh#RZvh
zinYCha5;uOL~U7Z7<HISI>C_~nG-C>mP4kAmt&T$FsZH}if?rCU>0AdZYzvSd7ooy
z`6>ljaG5@{Dha12_35vOYK$0Zs(HUnpo#%EAn~YL3gm(xoBc+4)tg-#>->E1%faY;
zI6N5*PtV^B-<^SYC<R<c<tLe%Rlwqu%?r@3PwHspBG#W{^fIm~q)>1;IypBw;2J_L
zr*963xC*t*@NS$jshT5TvtxFnWMo9n7{BVnjbZs1M^}z{y9YWh)t)$G64VI?5_&l5
z@=E2D_R$0<f~W>dXf&^Guv!PGoZupn;Wha3?+v|w2wF`FA4A7|-~V^Iz18o(kQ3PW
z{}iP1ztMw|0Ocvv-0!KBd3DeA+_jKvf*0V4RB>i~1nQ+Jt7cZ6CV&EX-dWI=jLQkd
zD-G*)2|CslX><Ltz3X>USpz<*j{Cm<wYzKi|Mm;}{qIR=uT16<I6)=`uD;q~nBr@a
z1vrN=PXfj-!_(p0u&dK~!`Z(PwC0}8X2EPn^TGLb!hgLzIfIEQ_Gt#@h1{UJxj-<n
zFZAe1nF~KaE4qv0M#QGm*L(rA-F;BDm$H~7znD^FUytpDOMQw-zma(p?}Ma3NRlL&
z<s#7O!d_SnD#j|Kgyu$w+zT5VYC>5A?RSjk>xNSE$yI$6`-J&kxM=D@&T{pAl!$$8
zvOTlo^0hG!Odh=7>FtG^M>ftfFON6PDo2#+u&G<Olw<5$?6hRbk|j%)ELpN-$&w{Y
rmMmGaWXX~xOO`BIvSi7UB}<kpS+Zowk|j%){%G`HXC$<h08jt`p_tX!

literal 0
HcmV?d00001

diff --git a/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/classes/bench/reachability/micronaut/Controller$Response.class b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/classes/bench/reachability/micronaut/Controller$Response.class
new file mode 100644
index 0000000000000000000000000000000000000000..a8f5cb0add88b411160dde7250438f9cee151911
GIT binary patch
literal 1455
zcmbVMTTc@~6#j-ww=Ih;6;MPjDoDE^ix<2Vd=P^)sc3-kpik3wLKn6>b#_X^fAT>R
zi3tz>0DqM6Y<HncXo&JKIlE`heDj^}oHM`woc;o^iq$lF&}*R2L_ZP?*?oS<ZI^p{
z_LithRbxo3IG&^5F!bgNyD21*GLSYg0Fz;<BD`wdR)SaSyyCcyKC&B5RY{Mxw7n)h
zt)%M;HM1rBru2M4aK7fc<ukBS0CvMf23dx_imV+m<jNfa+gdr^UNJ{Rb0%(Lm?5cU
z=w(>Xm;d+jVxc?wsEJ#+P3U#**Vkl?ST0`&y%bQrV`3b4DNpgW#a+tt{WYLsJU>?U
zMO7CIpBYB;rPxL!PhpqD3rT0njwd!-jfzk^yy8+C*$+b3W$hDJydktuL}xhPMTK^8
zOAI6V*afkh)7!G8s$$&<Kr@}XE(X;i;WmY@H>9r(<QeAvu`Z<1S&wDkN~wLVcrzsI
zC$YdV5VlG&XpIbmL2EFRz)~8I@x;JW6VI^BFx6=p)$+8{5OzpC!eU5O&fpo2<0(4c
zp*#?F7`VZ`nk)R7vXlp{W-+EjBz4Ra9o#u;ig&`VDyONXiXT~Xx$nmv5yqFxAo1HT
zv}jZS2D9XOLbV|Ul`wfWO$J^u%y!bhA{_%ohRLf#sUTtQq;Hbm1<=X`gC0y^Fs5V^
zVDwT<(9R_N%>}Oq*^KoQ%o;y|VJ)0s@R(dwmna-GUDNcP>LDzOr8Pw3e2+o`j485=
ztYMv!AK&To;@KfOf4@uc2=J{-@Hies!PCSp$RcUYpJJ?AH1*gy^aPy>c=TI8U|a^K
zzCWiN4;{QrxF0iw(}P(&Y}+{$$lf4NsAZ_6)%G#i=p(h~@d%4}PQDz)B}v&AMENCN
IV+CV>0TEVRAOHXW

literal 0
HcmV?d00001

diff --git a/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/classes/bench/reachability/micronaut/Controller.class b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/classes/bench/reachability/micronaut/Controller.class
new file mode 100644
index 0000000000000000000000000000000000000000..c5ed7fede8eef6208f642841db414a39dd5b0ed7
GIT binary patch
literal 1626
zcmbVMU3U{j7=9*Ay6I-yCMjZrM2Z$jT1xm5ZBs!KK&nkpQi?rXO_Dk7;&wM~HfsNc
z|H50mN!6aC-0AW6aOtr=vq_qidckooW@g`cKc46Pn7{t{^)~<?W6MMYV+NuYVi*@l
zK9}Fhf+OAS!lU|g)d&Q}S8dl0ZVQa%@|$tQ1&o&5b3EBhz(m4;WnmIi0+XR_C$ODD
zMYgEFt!RERxBj}%V*aGaK=N4hTHxF6wt=+3)w*&UI|X0K#*VDpjvee3cI}4mxv~=!
z%AOnep5rKg{;_JeJh!dlI3<v%%jTS~zUioTU?PRnn&I05r*mr~(R*Qv`Aq{EflP?h
z_WIn{+*T)`hLXDm-Vr!ExGwDl>aOq0y%7x)S-flDoP{}@A5aOCQIc(S>!yIoeB4tF
zuc>_c%Jq{lqB7sVEt+^A^9C+hxQI&vv%|#pd<_&?oMz}y)A|oq&q^lFAg`G(2*h&F
zO8HF_v$(7!OLW{fBI6Mz%!XDfSh$L7giZd<K{K2hz#eH4!j0gDg`4<5ARc(VoC+M*
z?Ppqh{?Nily4hk4$7?GCD*`ja9@*IOz3*h*Q6`qLYOzV#dy}%+taVx~U$xt+IYb`9
zII;-q_{lME_rGtbR$zOs23fLD#yx^$CCZL$x2bxJP$(py2l&*$Lknw~()18p-)NHd
zHG8+^sH)s0fzJgly<w9IM9b^|dR@0&RqgE7mA|3c3RpYRZ93{nOV5@-xnG>YKyhl`
zFvig!6q&eMARAwE9{WKiYWB7(gO1OD_G=MVPqxrW$?gA#!>oB7zo8!3n(6d#Xs_tx
za$2h#(~8pBU{S0!*HwO)Y{lRBV6gf0^hX5e@fi!MzX;e#80WgqzbtpbJ+`n9@e>aM
z6|VXkFff5C9?^uVVvf=nrNKhl_yrRYykt=p|3LBpsjZawAw9E?w_Y4zcIyCVwtmLh
z#V+34M{XaBmCIdRsfK#^bE%8#)Le;Dcq<cqQPum8NUTJcGSM!IOTSlo9$)d|ZWs5p
zTSRdK4~b<NUtj}Ixo3$=;tpjp+#@0K>#&H?<eET|YZg<ufN5GMIYlY@NYgGwt0`Kg
zQO68D0wu)$M%KXeA+G5c-sI8X@CgIUhs;FuNJK#>H4d4iNKdQ<ckm_sMDQ46sD-Bu
aJmDUtS_+#yrFolTA)X?`7b}aeF!3*%>6Fs|

literal 0
HcmV?d00001

diff --git a/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/classes/bench/reachability/micronaut/ControllerTest.class b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/classes/bench/reachability/micronaut/ControllerTest.class
new file mode 100644
index 0000000000000000000000000000000000000000..8bb01d8dd983b84d9f478457b76ea86a70735bde
GIT binary patch
literal 2357
zcmb7FTUQfT6#h;~a>6huL{NfatD+JRqOF&fs1-0G8o(OFa%t@(Ifc<-CeBR6*sHzY
z^auFTM;`i8+qDu_S*yNw^&k1r(tReG7%dO>Av2k?@8ACRK7al5`yT+#;Gu#5nmB?g
zLI^Xo-PG=A2}3iN64Tk6BIh!MPwS@co@Hq2i_daI7<xP<-Aas>TrpzXT4}oI7K(1h
zwS~5#fJ=`p4Bft7)z$M#3R-2%Z49x#bX~E*PclBMKtY>|c0?IkR&CuCeo~z^n}$ql
z`W-4dWhJ4UVL5_h7sHNcMa?YR)~c2@go2%jsp!UThE^?~&lC#<TR4u$GjugNuUmNj
zd$5<|6&0^ypAS~i)s4ic=7^KW8I&dArp%m`7dFG5zIe5=29@5LG$~;^prRKCsW#WD
zL&*^Ai!Y2SIE+4yxQc!ZP)c42TlitvCcJnv7QwHZOAI^v7Dj7<J$S0;$p{7+ctI-}
zmX?no!O*;-=WNT=imrlVc#Y$A6~}RcVIWIBmlM>@+_IL{4c#pz>bi+B%XDqaFoZoL
z93n`wBWztW^m~HgP$P8JW+k`Cr3I((2FIH!hLNNOJgaU}D=-AC4;W5t;i?Mfb4_nR
zm~08wGdRofmWp#2VL1Gfl`yEwnwdAmwSt6)VXPM2gIqd}r(e=l?^WRxEYlImW<qsL
z#d)NNgS{G&%XW2=oYx&mL5jlW6^!E|$ApSYxXf_${|2G?bX?6XI^KLva7_AS@lYD^
zgQjfTvLm>pAdM?>@S-yERTUY`5aqH~zQoYs6Sk2z3TAPg;~f=qnD<HFpg<Xj+eOWw
z47Qxg`3N!`?-IiPlwZ&d5y1^&qvg%JqhJx5Oe*_=j~aF5CRjvXg#ZyFymBkA+tq^S
zIhGlsjh?T|Jwc`3q==b`smnL6rbfmtrp`+jh77X8aG=&*+F>%8WCO1nLN39Q`b5a~
z7xd$^5zv4KUAst|WC^Z{qD(&IEh%}@q2Mk`9QRawD3jjqrRc#nW)Kx<O!LCgZIQ3H
zC{ycWaE#UmS)_GSOchtMG-r}7G$y2xyG3NIeJiQEIZ^N^#c|)?b5zsBbX`J8u4uaH
zZH29><oJpV7yc{a_{R6>W!>O0ayn<!?gS-c744jmAd>d;n_)<nOih?DO<{XQ3o4t}
z*JH#V6zrox3DAAS+PdVl(7zxEOoZwA5q<U0o6$SeUjch874b1Wr5K3NB|%$@97xrl
z(L{#8@CNu?1<mOVD02f9sFO$f%h-OTj2&y}oT|QChJ%B#U>RM5Pu8(#pp5-x9QuVk
zwbSj;L%+S)kAw6Mc=5U^A}Cq}Eu^8+c`IqPAc1Z8gd_<BH|c;bzW@j4q{%pTZqlL;
z){p4GJLOL)`A^A6R{9y5@j1SzmcZf^hLhxB^hk7Q9Y@!3GCi=4)04kq^bvMZ>KEGa
z=TB(eKzc4ZRl)QVPZA@^+tHyiu05*B7Nl$gi*wQUDtLctu#DXG4J^&cqrs?N!L16+
z;b1Hny<LVQk+`#l*l?)!PaO`&La{L66AL|gOxZ2N!YUO|qH^!oVHqL_fG9n8pbZ^#
zVRhmHcHs)Ta1AlC>L$D0WEsN)?D3#VA^bP`IZknm@7}~wggCyeesU~w8lWn4%?Q6B
z@BxfGrG$I{zowpiTc^u$j~76D^jI0IkHCX#2sZtOQAwR@D}Cz7wuKN-&(WoW?>zDM
W_`xeDKsRs?ex%ln)1C4Fv3~(nK08DJ

literal 0
HcmV?d00001

diff --git a/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/classes/outputs/SINK_REACHED b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/classes/outputs/SINK_REACHED
new file mode 100644
index 000000000..f32a5804e
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/classes/outputs/SINK_REACHED
@@ -0,0 +1 @@
+true
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/coverage.json b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/coverage.json
new file mode 100644
index 000000000..d9842ff5b
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/coverage.json
@@ -0,0 +1,13 @@
+{
+  "files": {
+    "src/Controller.java": {
+      "lines_covered": [
+        11,
+        14,
+        15,
+        17
+      ],
+      "lines_total": 40
+    }
+  }
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/sbom.cdx.json b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/sbom.cdx.json
new file mode 100644
index 000000000..b7a8b9f4d
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/sbom.cdx.json
@@ -0,0 +1,14 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [],
+  "metadata": {
+    "component": {
+      "name": "micronaut-deserialize",
+      "type": "application",
+      "version": "1.0.0"
+    },
+    "timestamp": "1970-01-01T00:00:00Z"
+  },
+  "specVersion": "1.5",
+  "version": 1
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/traces/trace.json b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/traces/trace.json
new file mode 100644
index 000000000..2d75dfb4c
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/traces/trace.json
@@ -0,0 +1,9 @@
+{
+  "entry": "POST /mn/upload",
+  "notes": "Base64 payload flows into ObjectInputStream without guard",
+  "path": [
+    "Controller.handleUpload",
+    "ObjectInputStream.readObject"
+  ],
+  "sink": "MicronautDeserialize::handleUpload"
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/attestation.json b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/attestation.json
new file mode 100644
index 000000000..dd450804f
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/attestation.json
@@ -0,0 +1,22 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicate": {
+    "buildType": "stub",
+    "builder": {
+      "id": "stub"
+    },
+    "metadata": {
+      "buildFinishedOn": "1970-01-01T00:00:00Z",
+      "buildStartedOn": "1970-01-01T00:00:00Z"
+    }
+  },
+  "predicateType": "https://slsa.dev/provenance/v0.2",
+  "subject": [
+    {
+      "digest": {
+        "sha256": "stub"
+      },
+      "name": "java-micronaut-guarded:204"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/binary.tar.gz b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/binary.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..282b5979007bca10392431e6d1c238272a052236
GIT binary patch
literal 2541
zcmV<J2@>`niwFP!000001MOLDbKAHP&S(A#9GkhLt|lqTRy3nXo;tSglAaTJV&|^c
zG^2q?NJdN&EC5PYGXC$k07!{?@i}c{_ol^8ViCY%cL6M(-6aK&!Y2<*O`vYKtABwu
zfAw?gpxf;3@3-5!|5<0h^8|Gs+Au|hkeDO%7^?n=B;fpyStdD462gOzc!s~aj(g6(
z)$Q!BpMR^>**|!KnqS?L9rS;G{yC1W@syx3$)c-(6C7RPF-@pk1SyR;%Wxs51?KT{
z$DwJ?xJ1fFf<n?Hc#ZSt+r2NaAkPlg2Pg}^2MKvGPH2Rp1Pg&yZihZQ2q+BE2@!--
zoX}5LQkH>PS2T;!gkV{4f+h)`K1W4X+L;h|P6)_4Iy)QwGJ5@HbaHxe`gS0BLA1zH
zA)K*<pSMKhEE5D>;Ve$byF6hy_FxtL3(09V-9zU05RF;9*h9NUNH%Mf_9~(i<bC5R
zeQrShS>Qx?z!6M|9P$$~!9^lHcilR754jUyByOWo7o~_3SZ9VZGG7|&9W?jV493Sa
zj!EV=o-e1|E}x8fD8~!6CN$71P-b{;*;k*ZtX{GXP*x<#ms!#TOU5vX!&-@uyKRwt
zfxO}PBZ=gzEH5P3MsSK46=0VVxHaajsaB-eUMwUz;v6sPoW{G<%1%hcV#2*f5bLLE
zMUCxkH3|_Me*_D_4&~^v>GWz#xNF^QwQiUkNM`ogYt$ExA}pgT<elC`B-d_BZoXtY
zJ4!6MQENF?Hv(1yj~8%n67mM8WL=A6{?^@^!@7CA5=b+tUA+*MziKxCTW+0OXXpK2
z$Nx(>)2|-`?!o`|R{U?Z_dCxl{yzr&yZCPaeGB_{^;PlUF7#JUSKgMK(;1ee!t2t9
ztB^pv)je(?dBxdWpjX4ywOd`eC3Fl6xk8{Zs}N}CcpVCA7`7&Yv2_qzn-B80pa&)d
zb512G;YQiM3p7iBSi#$AR>2$5PnQ+;fEECv<qDQ4v5pPp7S0%rQHp8inc43@Ak3#?
zxqZ7f@2-Fd3x}bAO;#~wuXZ@@IAPH>fk0DR;2j~fChE@MxDqmh8_J2=_*$yE7Q;=v
zR<U_C3%rbgBf`YMfTGt>!4ASH>LJ&3xjWgFG_~(0p4UUKnyE%%-g4p(6!H*O$P>y-
z*HAs4%d~5V`a%p>kY2}>i!FCk(|%E|!qH@26J`3mrDP)oHtOQlo1aE6&W6W7ou2GS
zCMI*^d7jBnb_A1KXI#)E4)xzaTs;iN+=u_&XPpiFZ+2Q8i~o;7fBGgY1P{kF3)Qt8
zV{zpOB9TuDhH{!i3QH5`?QnQGaG!cnjNmUgZwBcJJT~1%7z8f*_FI(C<A&=D-zh%D
z9#-z}T)aK5`XJkIofoHXj$e+}MC!pHF#l@e^hH5_4lE$qb;ym5Ef>RgZ;ww$Cr6j3
zqto-@@yo%}&s%*xzt!C@UF^1+dHMIjyUXLMb#^=g^cfsGj$j3k)QVQdg_5yEges1~
z)(9v+MjzvAxFlePY3i7%I-LzeLmlFXaLcCTID(erC}9!u<4rcd)ZgkNAKVepUp=}{
zVe8z@@_f5{nYB65rev)V4in!W;DdF6j<Y-&eXOJNqsx~Aa}Fq9$SVjLKI-?sJOA~&
zWy}{WgG3p!&m7CEgpM5tya14_YzF7>>p}PeSEHc%y;})(KQx?(%?MYy$e_eAcLHc9
z++GdV+#T;L))+KXLNg*pS{{U>9(vzu@1Yh{QLPUA?|#_Z#V(n|2{0eD_jcf<0$mg$
zw=yzNYjqn2U`LYNNKf?yagpZ2tGM<MRIenH1JEyEhep?AAqJO##*K!fy<)XkVB-tW
z@174YE>W0fVUe2{YsS?cs<pUx#6Y)PmMds>t>nC}j(1g5lONSdlepJgn^{iGnAF?t
zYA%ST5ct4vH;U_xVq9rMFcWFlA~6~-P;3fckb7%ZDMqmlj^!p+_hB_=LLyXf9Jayi
zkSdL+kRx_&Hq7yAqADT3e+-)CchBJbSI1HK@B3<KpkdAT**qhB(1fQcXGN}`vLb~|
zjLaDNhu$&YPbE#s!2Qe9E%<ROp6Ju0yp#a4m@fj*7fe4@<KWO}JqSZNDM+xuX@ay*
z<P7RMVLEb_1~+NqOw?PE@-q5zk;7@gEx#cVlB|GQR6)#6qdwoFKi4b4rLG5zG55v)
z11R>^-~V<yovw}lk3lqs`>s&bUq%CeT7pEodEhz;&Y(RdJzdc`IcKVj>7gxl2Ov*C
zAp!DQK{IH&PE16^sje>SaO4ZQfQ&g>z5de@1i;45mw%h^1F(a<`a8fC;xtrjUS63V
zTrhtdPaOqW<)B{vmjk6KumFfv8SpOz)L>i6H7pIJMBslcHC<3X>4o>o_@lyK5ABF}
z<+zGlJ=ALHrUq{ixc%O33Kg}6<&8?qDWh--Tc%VpF`}tHX_rI^%?0r#NeigidhM1E
zX^ygz7ny=QW1_MJxZ5o?Vp5n<4BAE{XA$htDgje7Ny(AWl$ygqD9Q^Zz^p$dDdP)h
zAN)vNQ<*5Ph@~mkn-zrXNckmd%QV!e!(7q{j^xOkVL7%A%m$UmEZtyIT|pGz=#XQK
zFQfbh<64T~nCh+yTq`cqXRMNNbW$JvhN#+zk*1pW?+K*0-~%KcRi;4N@S)yslvlmk
z%<RrzkA6NHT@Ht5qv84GtKpjq5D%%N>!>K0saXXWr}n%6?fRrlrl1S|?fZN8yLoNo
zj6zt3qtjWQu>fu>lmPl>fr9H$YYcb8lL`HffNdDF8#O;8a?bd54=xhR$2hun%o`<;
zKUJ&cj7epY16d(BL3z`1N_$AZa!?JH&}dQJZe@dCLQ6OUFaK|&_1CA(4C5hm-1q%=
zAA<eH_rLZ*)5ibDAeH}(?o9%emr!#_ucXYY%c|#Xg;x`t05YTsCEFt@f#R{6S#_EK
z3HW$tc~dg3Cl#CD3rnlFqn%D0{ueLse@JCP@t`{H`~KhD?{4P*?PoUse-!GM2|WTQ
z$i%?a*E<YTJR@0vb5+s@j8DV!;p^}~r}c)jcO&SMdp@5B^L@<+=hq7V_WJAsCZ^b@
z8Eh{E`Reup!Ni`>qi1El`vqFjT^u(eHl4oa3!v>Dg0g<fVv_u9N|Hl8)(_YE6q7FR
zU&V(YDG-t*31+znbnNek)u3Xm5=UrmL1aIyjVk7{5ISrbt+Sd!^SMoZ1^I}1KU_8S
zAZIxNQA8Z-?dqG=Lavun1&1cpJ#2OR;qH;0v&{R%U9-v&r8=zZ)-B}}hZZj_S+Zow
zk|j%)ELpN-$&w{YmMmGaWXX~xOO`BIvSi7UB}<kpS+Zowk|j%){%G_Y@mT`~08jt`
DT2$D0

literal 0
HcmV?d00001

diff --git a/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/classes/bench/reachability/micronautguard/Controller$Response.class b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/classes/bench/reachability/micronautguard/Controller$Response.class
new file mode 100644
index 0000000000000000000000000000000000000000..47149251e1579d85d3cf3b20162866c905e640d4
GIT binary patch
literal 1480
zcmbVM+fLg+5IxH!PJ$sJ1zJkEw1tucihH9M0(~e|Mbwm5fOu%1Hpz+@9B;Z_Bk@mt
zC{j@+9{K_OsH)@G5F;Wac(BGE&z?DRW@i8XJN*M-4Qpxipw~d3iGCy)vitmyTMl>k
ztSwQKs?LyDwOw1kW$4Wpc2h_qWgu;004Bq7Rk*c=r39}vc-3}nePlK5nvyQ}^`6gF
z-CCEfR?=~Vn%xp!OS+yQOiy#|dkm}`AP$+xAj{BKmGvWrT&2TeTPxe$E9Ho7&crQ@
zFeJ4My$m1ol^ZcA6}qPwGjSVtC`E&NjdfWksw+26Q4UDoH8FvERI&K(bB8Lf+!Qay
z_;Yn%)O4xvm0>Jjj{S(#D(sS$A^l9ncEzUOtO~Wms}2>E{Umfl*1vGYn?egkoJR6p
z^k_G{%rKgdC5UBCZ%bd*#0NV7&2-wl6f}<{+!UVPke)V>XIQ*Wn@Fv*;mf|0QhQqQ
zR>;~*Vv%7W9G_A!E*S=cp2184PttgbX9k{|c!6bx>CPA_-_>?gSRwxiiy>7#gJ(F7
z*J-<l@<3Q&;0AZ=j__tHQXcrNQcR9W@0ce#xO3DJ?}b-Wc1ueYKeFy{&x<=EjBl4g
z;@K}uY}5q?v+TM;wIK!dF?qIO2Hr5tb;`e@90MhWsjEY&Az|&LZ;~zy(31;pfM6?w
z)g_w%qbp>R{!G!=d~mIh%@luw6(>$$6c<l0cuX$pOB7Dqff;&F^$-@t(lbmeexE`D
zjA^ortWi8AKYr5d#k0e-tPi>bj{-ls1W({$6g)%hf+~{5g;R`oi>4Vnhn}QU0gwLT
zFBq4BY5316$3q7%6Yj?>;q+h*kJ@$~1+qir3AGHBEVg|N7Wzo-1w6(QUXm|IaY<74
M6;XbT6|7?XKf^d@ssI20

literal 0
HcmV?d00001

diff --git a/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/classes/bench/reachability/micronautguard/Controller.class b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/classes/bench/reachability/micronautguard/Controller.class
new file mode 100644
index 0000000000000000000000000000000000000000..a9fae38c24d4f1cdb885bd25ac2671de26dea2cf
GIT binary patch
literal 1951
zcmbVNTUQ%Z6#h;~m@o{t5U^1ytzu1pHfk@{greN4(IhCLP>PBtnL{#lG7~2=)%<|^
z>{`CK`s#zP^(9zYOMTPj@A1(k?lVjvKp(7GS#!?p+xhml_dfIIKR^Eh;1&!OA@nE+
zYlxtiVfa3Oz|$tTs_E78eNk~4dglzwaOW9%lBta-q6}fz@kA6V!{9<bzq+|oDDEt;
zlvdWF&=?}S+-!<|3}Q&Zu!a%D7zX^fo@<!t0&g&ARpG8W%VL*%CY^CJnLmAS_N*jz
zR-_`1F$Loqp2N8l@Jp^^SXF{AzVHYT!`M^KNZnKLJj3;}uqw5*BY368%Z6#Vt#sX}
zIJU(-x9V|6PcPY)>)56#oT)X@Y}i(l7?@z_+qIptq3gm@k-&?R#z}_pWUdSAA(X6S
z?;?ZJ;4RbUx@72O4O4i9s3kfWE<FulSDeF&WTSYMp})-a3l8Nbny!KrL&7J}u!Fkg
ztcK^(!GhNn%rH!J)Qc@wEI1Btby=vmj4KM#8eYTe9Txp!E%K(gag9MGfXkv{>%yT}
z$)FNlCR2entKurIDY&lT2Hs>icU<_xSRF&EjP3`NY;`5sA!~b4#WdcMgl4FzlG}@^
z4HZeuNy#k=95_+NU6~Nc(&%js?_hyoQ~r9Vk>efMUF}V9Ls-(Vj1`8cYj?Wlq-}sn
zMt)brdvZ`B71M4C1@AMA9=Gm#&9T4aWmBlgA+Mo;BK1Dk^^(_UIHK7U`Z01J#*qgh
zSMcG9Xe(b;M8h>~YON5~G?cJTAgK~dCT~(lkDf@#7g9bO*i>*=!<I~G=onkzG(i3(
zquww@k=H4KZHC!rX@463C29i-oi{8|^y+2dtjm;XsB7HPO>w6o+nZrCs8DC>gNZ(R
zP352E+@rC}5~C%TS3akUBsjRQWK=EgdJcj3{?w^+XM5|cWd0Pk|LFApGf+#m=TyXP
zL-ICse7Rha^`hx6(pVRS<d*8J<t$4$e*FZ!MmrY}-6g@);Uex)kH}vL)ST$0=g0JR
zo>oR{WO@(mN7^uaLQkm%6!hU!?2rqYvJH~<lJvWnG85~I^*_Nt584=ggyDT8wno^u
zu^0Am{_%9|!V|m{!f%KdW`FM}zlmLv%6%la_A$Nn6J}@Icw-MY_mC}KZeu<Z_M_mB
zM7WJbvdu(Dd^-_&oC(X#5707^L^u&?<AX%_*W%%sf062=HtxvS2xAQf8Z=rC9-u|*
z9O`(8RgyjQ*N~rGhHh3sMGXCz!~kaKJ&hr<9-%>xQIt{Kr4NUJG4hX-_Xv59;cJZJ
zGxE%%ck*vcD2N}>WfoR2=>Ovi%|BC+J3thXZYjxpMf8BUq_1gUFJ-IX6fuM{dQkCq
bIs~m@sz3s}w2P58LFKE`^D14$HT3-p0E_mC

literal 0
HcmV?d00001

diff --git a/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/classes/bench/reachability/micronautguard/ControllerTest.class b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/classes/bench/reachability/micronautguard/ControllerTest.class
new file mode 100644
index 0000000000000000000000000000000000000000..ef821dc3ea20bf27cea2783adddd06567857e7c9
GIT binary patch
literal 2461
zcmbVNTUQfT6#fn*Ibj$SMpU9=tD+JC<J~r>l|XDMAy|V@uq{q92N;=T;$)(ty<2;+
zwKw}xUi#=mUuwHnV3oD%d;gIy+I=P$1B(~ClFZ4Rz0baU``i2c`|R(30G!1y3L4PJ
z;Zxy9fT8u8enXE~dTuT<mcAx3E<@mqnKRvU42|94363B`r>A7vk=UXu1{_CU94or{
zqMLFZp=T9vX|b7MM^&$EYORuj7U^>nL#R7ZQ>?SoAD&R4pjAa1G=}Dzj_HbOP+Kc!
z>LRV^x2xDHGx29EyC68WGi-U0)cCw(-_+BVP_PXl6+5t#p+z^0R571-M4=!IhK_pU
zwG*EGPVDA*Ma8SwQw6K&npPyH7sRO(49c8v<GGA&2!~-;cetEcok~|l+Am?+r=kn{
zDL2=yLCN6j4qu5WIEZeJu!=+Ip^&^3Hn796NqGLoZGzv-%`t52z7nfA_TVY+_Xp9(
z!1MZ|W$Q)|5qe2mc4k2s3Xb9!$8i-WaFXFjnk>#osFs;|J#AX1yBNuu8OP4)MR%^K
zJ4R&C&bf|lS;83?1>#6kK{%#vnYRVQfqL}H_3GasoMxQHYaFkuh@zir@FKxcJ<rf!
z&oZ3cz*HI0HFd88na)z8X9<;oL}F}mW;8i76i>x31@Q(^Vpg{bRQUnKI0jV=A<oeI
zGTAby^Loy(#O1t1kzukDp;sB{d|fQz#LJlPx+DsDJ690>O;nOMRlJ2^qHmW@ymVZX
zBtvFFvX?xwX$2!laEz)*VvNB0U!JJH3$E@K3toQ@bG%a}n+Neg)pOi&Y$u4Mf{PfJ
zjjKub6DlV0E>SjZ8;cC>Rl=|3-82zo)^^gSVThc9_wYW)2P$T8wc0~<`V^43UZg@X
zY}n+}K}>RFs1ntoaly1i5X3xgd*h>^AdNX0<NP`sl}?a@C5>w;7GROP?1EuB<@~2P
zatvC%<w-eqD0AYZni@`y%)}C7gCp@FX~L0C=;Xc%3uq+DU@9c2OUj!aSrn!I4TiRL
z`r(NnZV`&EQzUw3aa+Y58NA<{d2**+!N>T7<5Lx%$)GoTA$lGLEusf?y&(#wBaB+b
zQkAm$25B16iG-OG$znE5Ju4|hEk_!e1tM+bU5Veyh`dKLj<2d?lX4m!t4S!xtZouU
zG-T>Ju?8&1w{&m=5yyk7MK9_)i@`G)t8&FCDZA)oganba*G`$kGG!{la4shtFKIz(
z^V+lxR+|TVsCgRbdSk5}vV-WK4+JIx^!%LOI%#FJ`VTFGJ(h~NOHU~VO=U%nK{6m!
ze@7!71fr|pQ_E;dtU{UUS%x~=d#HrXy(MgUgssW)+8p)ug?uG+^gUU@uAUP1mT=$?
zveZVGO(*?!V=wm8+Ti)yK^}o71j%C?nrUApEd>#@;0uyO;CoIRbeA@8a2Xfl*!G+v
z^wqX#!`tOgDfoMINM`ya8T}gHlv7|aauX!UlGdvoUcr$SoJweCv~#qM_VljceDY6R
zSi<(c65eiO4}U|;DlSfGmzI%w;z>dzxvWi<aAm0?)1_<`=_$=v#%$CllQt(;k)4v8
zA)jV1<N7k(s6XV_ZkDhZ@|W=8BZQ)X%0D&ALxB({tU`e&k10}@7=M?Nxrh6BKx-MI
zV+092a5QY8PYCTePWSs5wqqI{xJo-NUE+7JlTL^5D|UI%B@uXr;~b~G@5s*QbSl7c
zzqZ4X=G0bYK$|4G>t$7BgHI`zDze`ZlHb>ObiyMH#it!D;iDyR-y`@M|H1{ysd55U
kPRV-u(V(8En+-pB;vex7ts1=_q$>YRH5;Lu=^;Y@0frt~Qvd(}

literal 0
HcmV?d00001

diff --git a/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/classes/outputs/SINK_BLOCKED b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/classes/outputs/SINK_BLOCKED
new file mode 100644
index 000000000..f32a5804e
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/classes/outputs/SINK_BLOCKED
@@ -0,0 +1 @@
+true
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/coverage.json b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/coverage.json
new file mode 100644
index 000000000..cb48c78cf
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/coverage.json
@@ -0,0 +1,13 @@
+{
+  "files": {
+    "src/Controller.java": {
+      "lines_covered": [
+        12,
+        13,
+        15,
+        17
+      ],
+      "lines_total": 42
+    }
+  }
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/sbom.cdx.json b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/sbom.cdx.json
new file mode 100644
index 000000000..7d464b71d
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/sbom.cdx.json
@@ -0,0 +1,14 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [],
+  "metadata": {
+    "component": {
+      "name": "micronaut-guarded",
+      "type": "application",
+      "version": "1.0.0"
+    },
+    "timestamp": "1970-01-01T00:00:00Z"
+  },
+  "specVersion": "1.5",
+  "version": 1
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/traces/trace.json b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/traces/trace.json
new file mode 100644
index 000000000..dadf3b0b1
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/traces/trace.json
@@ -0,0 +1,8 @@
+{
+  "entry": "POST /mn/upload",
+  "notes": "Guard enforces ALLOW_MN_DESER feature flag; sink not reached by default",
+  "path": [
+    "Controller.handleUpload"
+  ],
+  "sink": "MicronautDeserializeGuarded::handleUpload"
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/attestation.json b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/attestation.json
new file mode 100644
index 000000000..221f2bba1
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/attestation.json
@@ -0,0 +1,22 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicate": {
+    "buildType": "stub",
+    "builder": {
+      "id": "stub"
+    },
+    "metadata": {
+      "buildFinishedOn": "1970-01-01T00:00:00Z",
+      "buildStartedOn": "1970-01-01T00:00:00Z"
+    }
+  },
+  "predicateType": "https://slsa.dev/provenance/v0.2",
+  "subject": [
+    {
+      "digest": {
+        "sha256": "stub"
+      },
+      "name": "java-spring-deserialize:201"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/binary.tar.gz b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/binary.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..fb19054f1c6083ec9ae9062e824961acdf5d9cc2
GIT binary patch
literal 2589
zcmV+&3gY!2iwFP!000001MOOEbK5o&&S(A#9GhvWt3^ukizbTYsbl*t={b=nc6!&#
zWi${8S%^u31whG4#{d0x0aBt~QfF?)ZZpRn+aiI*?qadneE?a>FnIF7)B@^uyXF&U
z{nI?R_qwg_?rx`J+7I@3_n(mchc*l;SDH#f9z)fikrb@|ahCZX>6AW{j(gU>z29!H
zu7A7L?zEqf)<YRorT_Ew&uDl<uNfJ!G@SU7(QraXJmz}-+;Mo438@LjhM#L5`>$#C
ze6#fhRqSAIwSx=)uOK1IM==jc7*nMP#2NYQ5TGC+?@~p_jQkADBw~t5PGkOwYA#Zu
zczQ#;!kCyf%$PzHESH9lw@hUsRg6q%8pZ4_`z>cmdtl(<rItLs-XZq$h>S!uZxo7=
zY&*&5JQg$}eZ$~iGwr!Wo7;H4;O1lEEm->`&EvQ#3`sJb%ao*SwlK@vYqfTWJAy&d
znpTy0w|LTWz9wum*X;cV5>ZXTH0xS4?v#ZhV$y5)k$EbOs)$7zj6SkZze=-Q!#o*H
zh~NqYp>Z319=5&!g~w9Td9?%8H@1o<V)PN@fmDo^$ToUwtk@gI0{pPnvCUN-bQMVT
zwXjR$RW;v{km_(kytCVoWhOk>?bocpK8j_x=(`gPKkytpUP6$@><vxWsusuotwx#z
zKg(z-kf+*2U#`m7DnskexpV&Ljr>1Sk^iqCLLaOK+>`%1?bhCU{_h^N>iqv0^ws&_
zCiIQmzpbsT2M(lpyWdQfZb}iyEFv0W4H{(1peA^!fK95IOlb^tAX5#JE8JS9Fu=BD
z68F6FH%bYHY>@^s$){AavNjZ(v#cr1TV}2X(Gw|Vio6;u^T{%oEOOx>*UJn#5@iP6
z+F#9aR@2I8Ay)J6%1{tp84axdOmfYNtcnJ&_HHEABJ(Zl#93O_31*(I%A^XaAj2+Z
zut<NaNw09>RPcx-l&78@4Hb#XYqfCSHs@{B)#U=X6Bfs!S^~dRs9_j%`C_~*#ye!Q
z)J<W}N`{U_@VbftOj2I5+89D^-)3*GfrT6r4e1frHo05bQ4sp^x17dmF$WxlJ(V#K
z=VuAmgaUFg;hs==!z3AVcpeK0WuAsC2*s31+-#r}wgXSqLc-sWQ{?)T%OY5?#dC!T
z7FG3}<?@r8h)Y!s1;i2_4*MsD5NMxOMA<fPA=yd+h;sSr%|C{3&yG)Co}Idl#(HHP
z&um0`u9i951To)m>8lB7l=C<W%wJzk9!AGK^?$eB-d(T%`>p!?_bBw;UxHl8V8qja
zrBgDZYT_uSNt5M*WISVI%46s4U~tuUpL$_L;4dVe6aX|lw%kVG`!4zZdy>tfhU*O8
zAs?~_W$JP+-=36hfHqy{#o3#am%|m2rqlQBPeq(ba-^973rKbyc59%<<>1}hle6LJ
z@zvSz>|${8vj6n+Mq97h?(P;Lc2|zP`gi}`)k*nwelk2hKkuJ7juN>HaYjqy0xd+W
z0)#c-8kI{n{21N9CIK_-tHDgz=&TtU7?8r0TiWe>M?#Tgka!)G7m{YQ&e<$XXm?2y
zA`&V&KDtlAd+y?frt-c(>?mC3=_;(6aXqP^C&E%ZNJmb%uGiQDt4+5cK)+C9%`a-#
zkG7a8zyq3(X{eR6SVFV@!;9mqmwh{NlFju5Kthuo9{zCg>kkX8s6+~9K82-SPhviD
z90(UESH-J;0iPZK7KlkMMf%<?1-l;_&cc>{QLJ1nw94&OYL{ER*jni^y)g$j4UHfc
zLHGM-JEXl2zX$N!h2Li%cD9YsLem)dI|n;k3L#ci5)ijE(8qbY4O>Bn8gQ<MEq;_I
znes}m9m3OyrMlnQAqu=RykT?Izk+hxXgJ2%%ZUP;oP&P%VsLpy0-Et4&n!x^4Cp|d
zkGp}307tnSHvpA0yj#rJ#oHHDfe8F`aWlhuy)|)`I~Cfv-hCs;bxvjU9Fquu(FG7(
z-tI6o^Ulsm4I_hf3YXb7x6)@3j+aphleYfA^E_92C~mBK9Iqm(6!QB{H!Q#F@rz$E
z-XjKZDd8!o12_yDazx{ph%vF-6v97^$~_&CVmDQH0#=n~6Q%b}vTQcREM>Caf~RXK
z^2|J?c>=x(Z6EoMacQ%eXr8dX`_t2nq~?}9;iqx2lOc6eIrl-IfBmWKhv+A(rJaPZ
zD*l`%F)=}u2@Y<x4Vg&%+az|z;Fcm~K@ys00A3+A+%j;0$is=rT3e0!d`Et)Vc@q&
zi>P=&9rxY;?6x~=-~V*?_YP|O_ZY+@NZnW?n<~Roc(anNd!1I>bz+)AUcY8NbHn3g
zQed^{kxhOF>X`z#0TSDO%Wt_3bcT|fi-Mw{Y`^PYT=kPFr(~nHIhBmngZ$RqQvVzj
zRP>rj-BZ5or3X|?JkD>0KK_;gH;^G=KnPJI65AAu(9EP)00P7!JyL}qMF%2?9(iWo
zOw}wrk5_A3uI*EjgYnH!z})S{S$QGi6sRZxx1d&`hCDGV<gzg4nPN@Nk{p(&*J(Ea
zpQ51v5wWURD^V?QciPxvE7~xkP%c>}Lh#5EIpauHaKt>}b^!<pvm6Cj7bGkZat`l%
zf9I}aDh_f%c}%GBmmjPaqpwk0oFA;Z5^N6biWPmUwa*s5kx15<u*najTLTQN@dff)
zV_bo4j=fST;l+~6wppt*f^M_=YoaPWRvNzE?-MweKp3!SSegPz?nAZRDlc2psrAm!
z$G;p8uLgtj;o#!x)!@w~hzCgTItVmU9F>D{=<^)3o0U3U+lGrBXv~;$fJd-623K1h
zu;<`(W_AkRZUshW@P*7_F_@!ZrXz8S0#c@DLf-UXyNGN=!yCt5+k%2?oRAbkgD&L&
z9*1=<_EW}rkBn)o7`}*@hx2l~q7k5SO!HU=QwZcgI+K2zw2lQILdSjo|FOHb_WvL4
zc4xQ#{^wB$@!#-%5P)IAZ7P^(os}uU4BRZmw%$SR(O8qVbR|qrL^-x>wB;5u?Uu7^
z!Lo`cUYP8^IA_{pXLIGaS!acNs5tsPsE+&o|EIOS|6AS8L4E)GD0Eohc>+O@s=jM>
zcMv3W%2J<Z01B8d<aKZ{cpdB+P;WVVw~8;gXS10<+ckW!e(m62ug@=GU_$XbE=>VR
zlp7cb2KJQcJui^+S7;?);<#0jZEPAoAKu*~P<EJzh{eCy1Idx;I}BFZkjY%cyo!!M
zlCLz2V=6M`8+>sXl%2>};!k+pOp%8{r5m}6bI?)Ss-0Fe+V9)(>&}l<9tO)-(<w!U
zH?~Y28Gjwx=@!>a(zlTLsNFpbw)bouWp9(WjVgLjbx_r9-Y_bT>ik(#O*Pe2Q%yD1
zR8vhg)l^eWHPuv8O*Pe2Q%yD1R8vhg)l^eWHPuv8O*Pf@C#C-a$Bqbn08jt`{9FOZ

literal 0
HcmV?d00001

diff --git a/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/classes/bench/reachability/App$Response.class b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/classes/bench/reachability/App$Response.class
new file mode 100644
index 0000000000000000000000000000000000000000..d7200ca5b1ad5d9155ddf593f72d98e67c0f9eb0
GIT binary patch
literal 1363
zcma)5T~8BH5Iwg*cUu-(Dxipbs72ZZS--%Kf{9`bO)457Jm}Ni_J%H$z3c8R3IE9l
zNhBsb_yhb=#@X&xme7C?H*<G(=FB-WcYgml`vqVPYgwewr=j1#0MZQkeSXBP7I*io
zEm4<#gCV`@xQ=?w&{rz&W}qXZA!}d|2E&Xk+<MdU1+O=`?X(<qY`yWk;+6<J=>~$b
z1I1N4U|`iSci2D<d4_&lHjWtzwex!0%6HtoN`ZJ44BWsdgRW%cWmqoNuBlZi_XZm`
za1*x(tjUAsx@-`s;(vfuLn5~gOyUly5MSH8MJiUV&rGoRXzz=<s+2!7jF+m3AF<Z*
zE_EWJl&d+e*lZu#!r$R`i%8}_2-TF0Pu%B+LJ6O$kCu99><p&LFjh(wNL0>l%eG$^
z@0}1-r|B$(J*VrY2-JoQl!g-V>)l<F-hBu8w^FJ=`P_?$1v(ZP2BY~_!g=NxG&)1M
zG#+K~7*8}jHSi3}^ia;{?6+Oz911I<7-KPH>@GaRNm7dA9?1h?MS&aKZL~yCtVwy$
z_9_X*aZ3}PIC1CL6YoS&_Z?43Kbf-L;z5vf#28;LgCwh8cxZ8>8H}py3cmv>XjFQ4
z1vI>5m^+t$g&YkPhUu$AX&{ky>aR|_3p#~x8N;;+cZ+NqjJA1-{!G)?e7NCcbLLMl
zbMh3Lxp<196LQg9;&5OBvvkj-2#aFrjL;6=rH~L~hAbninP=q3ce-B89ibh&*CTig
z_|_wM68GcaSz;He(9MN2;?N_S-q=6rDas0Y446NlT?S@Eyh}M5I&_)v0E&c@!W<rS
r>^#b3hshK5GU}w+@iAEFr*1FcA(pU0z5>PR)Y<1m`2}8K6%&5}UI#Y0

literal 0
HcmV?d00001

diff --git a/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/classes/bench/reachability/App.class b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/classes/bench/reachability/App.class
new file mode 100644
index 0000000000000000000000000000000000000000..4b84e4b0791bb6a35a4664d0983442c60666c0f3
GIT binary patch
literal 1370
zcma)6*-{fh6g?dhCd(jU6_f~Qzz~)w0xCg~uxJ#55{r`Jsgrbt!O0{{CYJdNKSf^>
zlq$<NEx*S{%kuVQB4K%Os-~ys_C4n=eY$`C`SKOOBc%Osp-q8Xg$L~n!9)Iz$8>Jw
zW80ZSk+m4wmo!7O9y7E>CU(8>GAJcp)r&kAfFA(`s)`O=Vd${26-(1&Tf9X6c|q{;
z$mV&@_{2q%g5a6xY0K1%yn=3q;fye{2QgFd>;cbcx@J{lE2UC+N0duNqb$7WWe8+=
zZp0Kv6;ZbQ=t93N=qf{hB-s+I!5W{~^<xm%6kJy^gitfEoqB?o#ljqepR!*Q*<wzZ
z3_}qo<rbH)vl{nf7$XWsRouiahJn*IG`O0M)XJPqD6_gGsr`h4F@`}KuN9pQNE)Sz
zMR^NeP;i@4X)Y(KmRK=OUTyL4V;mE*@+gBRvY(KJhA|~A)0CMLmAG3lb~nO^skno?
zR5wM+HTS-^S$B&fsNOK{shE>`@nrR4Sx6BrsJM>@3|_0)=rY4uw9|V9iwr%dl30JA
z6(vh68j@s5B~6mlywv<votMkxdL{+iNEtlAih_iSRT;ALl+6Kk5I(IHO1en#f>5wd
zEx%kv4DMChV<Oqq43Vl7GQxb#Gdfv14!Dui#ZE(146{!AnhGZwU(WeYnQ<aXTRi)g
z&VxhhOKW+9TNRT6yg5g>bWs!+Esy^ztUq0>m|3x*$wItzT4rRA=$NGFd~69>CG}QK
z8ip|Ko(cN(Hcu2CaYx)3#TxC4d|aUIMmvog^cSKpqpv4g2m3@5hNm>jWk7)s&yXaD
zbUh}RhrXF;xAGZ27rs%mC%+?jg08(T_My9{j=qn_7?`Z##?}eKdnXv*o2nyH$7E`{
zhM7e-jkC5pehj*6n3o80mH1y%HN<OJmL`fGLJHe>NU>!;QM#f)uZjSIG=|WLF`CWO
z6%j`_meE7ry?BW}JSR^TuHOhL=sZ%0;{{n<*hCw)?3rW++!UpY5FosZW@~swx5+TQ
HJMjGlCXZ3q

literal 0
HcmV?d00001

diff --git a/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/classes/bench/reachability/AppTest.class b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/classes/bench/reachability/AppTest.class
new file mode 100644
index 0000000000000000000000000000000000000000..c6416f90e66a6f77d2dd5d2244fe63b5c6b106ec
GIT binary patch
literal 2203
zcmah~-E$LF6#v~e$xXLgpxaWqe27S?O<RbR549;sT8gdo1KS!*tKufPv<sVTy1N02
zAE+pP`=D=q@sU^2nWST9<kj&%@&!D1lMMkf<76hgd(XM&{C>Z4?z#Uw`tvUUXYiAP
z7PNANRD=;>*mcdgVZ<$?uo|DwToYN3Au?tbOz$j1>p(2U5oI{wJDGNTe8Uq-$1yhM
zOJ1?$EqabH@(Q?&*v_yw@T-P;+DSo&%(;U>ADF2-HpEH9QVJC8Qqc*Gq5Y;~dLjU|
zySAqRY0bY|#cs(YoV9FMDA<Eu4qe4w><j3XJkyGg8?HEgl0jJ&-ee(b=Y+$se;`)H
z(%{lpvnC|511es?K|<r%b@B|Mf!NBpf<t(T<FJZ89AW77IW>vHutWIymTVHtEUYs0
z46KaT68nUz>xn2{CLU|TvTOx03~~&q7{*ajHbWuS;v{!=&B&OR>21W5#p051sbFoc
za7@E8ZwrS0W;#_VKAkDfz>CI)WgEG69LEU92^A-CilO5Pky)e2&|+U@IMpO>L)dDW
z5{+WgUQ+N?yvFgmicutpc5@b#a?L2@EU_TgOFpBKS~g!z87MZ>d~4r=aEo@q6^S+y
z?2L-Dc!Qy<&u~c-&m_xv(={@d$T6^G1xbu^OsF`INrr>}6O)dD>lt3j^^d|d$D2Ww
zeJPVcj!DO{ohZ&LxPZ50k83i~jEY&zQLkj|+y+B;&}ofjP;d!vb1bM>#8S|$4Gx5W
zBrz;P(DVQ-M={HBnL!N>)CJQLQKYH3wtuu-1u3jZQ13kxqt<is(53K!iYxe#(&ew`
zOs7hCnIprXHAcQHk0engHPyxGxr<j8CX*9Wlf*oQt1=1o_TgIXXk17ziH0s|NNK>7
z{?`~fpYe~SqOeFd&neMqHc(JuOYmWT9>|q$4m!GBJ}_Ubr8URCDXXkt9iEC3ZctAd
zx!hu@Sabx{i2(ODc5r=%KSXX}gX6Y}kE8@UpTwQ8sE?>^bHX(pk*gPcvDOu#37R6b
zW5z6qxl%qOoF$2ZX3XTRtSI{Z$MIQ!l@yttuUm*>-Y^UPFleR`F`zuz>(u^!RF1DG
z(8}|!9A5_+d^H*}M8~pLZI~;IcFD;KSrRH<ZFU@!T<LSVP!NvKRuEraACJ-Cc+sef
z(ZvC<UA^**(OU>q6GZ6$WBNKkPe#x1U<K@fbi^n0FU>%d#yX8L3Lsr)(Mmty$ToPo
zg0`7$DCwaJ)Y;*|GIkD^(Y1x1p)&TD@#1gfSPj)f*+7A!Xr~K8MGrb?#_zzVv?{UO
zK^s2D7u6&zL8+r;`9<sB!oZAnY-kIw%noni^xW?l+r*xuWt{88-@l?`8yC{rR0Y!y
zeTz<(i&}pf^P4r>JJPm|R9bttg5}YW9xCJg%iA#0a#0Uy*$PAjYolR3tX(f7uZPPh
z-iJOKslBPAT#x9y3|Egld_WNM@JNew0)H3x=-J|{HA1uiji7fCxo&#fO}h193cWNS
zbfk%J9{XtTe%iekKa=ctX~!HQk1)(}iQ_m&a^GW|K!oGV`U(eK<OUeW`eTxbKW`(8
zZ;t*;SOQ7!k%ZsWOMKF=CD5tG%DA}+9=eZE>mL}C<*pJ4$}K^K(W0KC+XLVF=I`)5
UJvI71L|60=gd$0o!;jGa0~^8;UH||9

literal 0
HcmV?d00001

diff --git a/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/classes/outputs/SINK_REACHED b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/classes/outputs/SINK_REACHED
new file mode 100644
index 000000000..f32a5804e
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/classes/outputs/SINK_REACHED
@@ -0,0 +1 @@
+true
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/coverage.json b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/coverage.json
new file mode 100644
index 000000000..288abce0a
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/coverage.json
@@ -0,0 +1,14 @@
+{
+  "files": {
+    "src/App.java": {
+      "lines_covered": [
+        9,
+        15,
+        16,
+        17,
+        19
+      ],
+      "lines_total": 26
+    }
+  }
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/sbom.cdx.json b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/sbom.cdx.json
new file mode 100644
index 000000000..803d8958d
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/sbom.cdx.json
@@ -0,0 +1,14 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [],
+  "metadata": {
+    "component": {
+      "name": "spring-deserialize",
+      "type": "application",
+      "version": "1.0.0"
+    },
+    "timestamp": "1970-01-01T00:00:00Z"
+  },
+  "specVersion": "1.5",
+  "version": 1
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/traces/trace.json b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/traces/trace.json
new file mode 100644
index 000000000..cb0d10da4
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/traces/trace.json
@@ -0,0 +1,9 @@
+{
+  "entry": "POST /api/upload",
+  "notes": "No guard; base64 payload deserialized",
+  "path": [
+    "App.handleRequest",
+    "ObjectInputStream.readObject"
+  ],
+  "sink": "JavaDeserialize::handleRequest"
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/spring-guarded/outputs/attestation.json b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/attestation.json
new file mode 100644
index 000000000..a176cbc57
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/attestation.json
@@ -0,0 +1,22 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicate": {
+    "buildType": "stub",
+    "builder": {
+      "id": "stub"
+    },
+    "metadata": {
+      "buildFinishedOn": "1970-01-01T00:00:00Z",
+      "buildStartedOn": "1970-01-01T00:00:00Z"
+    }
+  },
+  "predicateType": "https://slsa.dev/provenance/v0.2",
+  "subject": [
+    {
+      "digest": {
+        "sha256": "stub"
+      },
+      "name": "java-spring-guarded:202"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/spring-guarded/outputs/binary.tar.gz b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/binary.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..c8490106c60a01de82c0f0c656f20c34680fa2f0
GIT binary patch
literal 2532
zcmV<A2^;nwiwFP!000001MOLDbK5o&&S(A#l+Co%)gtv`M^nY})Uka{S|{?@PJ6vv
zMgx(M1e+vy0BBjs_`lx*ASFs-Vt+XMGIMw)u|#08SS%LLE-1mn;MpUi1?cs9`V+AE
zslT^(d#zr#+v(``7kk~kXK3%S4O7U4#2lfgnCe@Efc-zrGXDzS;K!Qdp8aq4c6;ml
z-)^<LyU$STu?(u>|9t;59A4uoL1U7JGoKS2&hVJVR4!gR4oxz~B~r2B=aR<$Tb#Yz
zZheIXd9l0RL7D$I(2(Whn1(2fu@DI241IPGAPCSg5rk75(@$7ZmLfsZYc$O<k4S{Z
z3p62E=A58OjHh}`p$fK3!pAug8A}C0Gn_^-IVb<liI5%`xPKuzO{Y7^d>)`NixxYm
zu7{*Ijlv=YIzirduH-p!eb9$v;emudC347*$pq)I^xVVK)8U_^<CBY%b9V>16ObZq
zqfynPzzJBNqLj>+rh2=rt{TDkm_`vv-Nwu1kh|qKV;jowB4#*318u&t!E=kY>NsWc
zQgndQJdPh`Nee6)!ys-PS8t2tiw$Mtg(M$7q6kY2rkRab#vPN8MTC0|Khobyqbh0@
zhT|&|$~S42OIRnt31U=$B4ylGpQl=1!GwpL<3+VYP2Z?hjoA1K^nq3t%aLjHHbhl#
z7&Gw0Mn|2iI?7d`)tAg{jaQxd4ux2TGvuAzh9uL0Ol}{t1A9s>xmCV9QilUP2VXDX
z2*u<bPRRN!j`>?X2ORv&qm@FMN_{qRQO3899I)lixpTgF{tN!Ugcx|V9B?oH_x3jV
zUo~0&e*!$1{|%vUaerM~nGd$uUqxAQHZo3cup}j&7ZF>g1mdlZa|6j4XLEtx3|EJ2
zb-<PcG0f$PR>rKPmD>L5!8bFljb?0}l-7oV>dI&k_2-;QQc#UDc)fRvX$m@6k>^QT
zk|)vME=#6?sepEtD_C;EIujHwykRs#38txMMgvV_J{3#%)j4k~*{n9eozZGi_)=np
zG0^3+$tpeVpl$O1LiVkUuFtD04L5K~IZ^wf%GLF(Z!)~f<|}y!IRa4$LwrMvUPEO_
z$ib+OT+`&%iYskuFH8kc&DUzA>aC3XJB<lqxjd%42pQGlxlD(QsII_B`N?%exu^z&
zO0%9C_NNLYjwbVpD%0jIH5)D9p^G=~ejmL$9UlFDa$Hk@Oy(voJyX!sWD}hg#yO3n
zK>zi{>~T2e9{%t2+O19g-)nU(|33x3|1QV{55_bN)Oj3ZF>?fws7Z2$GMYizOJnDJ
zIJ_LV&%H20@E77Yg%Sn6w%kVG`!4$72b9gDhU*O9D>)?|lqbNsI6o@epxSVqS10d|
zUXRvP>Q3J`|0?SASwYPVL_l+(6A2Nnd2}6et258V@csGG$>{j-@?>;!HavPgc>Z~-
zt>0|-x<$m@l_M|zIe340R6d;^jevy)M~)*{&O^1pm92qfEEa*va^NWeSCi3IbPZ<)
z%rK8Sg{nr!QBomlMw@mw3&rgoYC_ln_p7h&b8wNnyoOhvmt~m~ZtBu=z&7EU)a@5T
z9p`%#vKzuxhW`n828Y0)m`ggrp%l*2_j=<-XNQ-s2gbE1TgVxtiYD6M|MBdvAD2m9
zuoTK+p*UX7Vmfvl*k_=t;?X~YPY==-1QX>f{ot00-H#1tY0ID>D|Z5vCft67yWHv<
ziM1Zx8`G4Ckyb<^=>E`#I=bD4|8Tcz?|s~<6PHZl7=$}N@6@oMqEr+hx3tbzi*y@?
zK1Y(=N>8=;QJ!SNE2VZ2O(7}BL1zaEaLwqNEX3dvxVF)7w5M0A1TnsV`Q5YO#U%=G
zMuR*vxzY$I@2SPOTe;0GR^+Ptu~P9HxMg*BCcl~+bHBensu+|qsom>pF@4#iDv4H-
z?Lei6m*)Bn;&3M+VJ^)bJTjMF&~|5*Bu0_WbA`uDn_KBK*$r-g9M){yp{_Yp$Pv3X
z-f_H&s#3|<eXd2m>hQC_oN6>HN^drm)Ic*;v&rTu;e!@@n{t+C`dgYO;KtDOp?_(Y
zHJgc~2^qM*Jl~=ax0DG#O^VY9yove3hxz>Jr?MX+7_H}3xFrhWFK`kg9Sa$Q>zXhP
z8B6@zBz7jSyn@((92OZt6FA<m8%VMou9%8VYK{7Qhkp9<1@9g#4f}5<l?~jN|GT^0
zjrYI3y}gdj|4#uL0XrzFZHi2l<;~(1T))%mxK4~yc%G8JzTG()XX=vEN9(c<Frt8q
z1!!vfEx+YD5fLG$`nFL}7I4Y>`@YJnz6u-Z*L}##(;}TgalPW9hDx=|)6<8u)~uma
zM^RbPt5^3h#xyr7;9*tc*Jf0|X23NZS{M*Q6tToK#Vph->=&s<rMNz-X0@V2<)%LR
zSwCr_21VO1$fj6sc}e*}r`H7hq2^&?L=(MFE(v3r3DT4#$zhZFopuvS5@j0CQ$=mY
zE@cNuciO7QR3)PbrW%oqh2Vo#v7|<lLL#OKHJ(Q(%yOl`EIJ_x;|qA+{gt|oradJU
zvLwOULw>N%h!2^zs36UBWz{k=dsOtT6R=_5F-tatRFfY@w>rxh<BKf5A-GloIOc9v
z=BkyHX){(y*f**7dqY*F$7oZJ_xl7&Q3wDMjY?CXD)?A!H<OpG>5cKuZ-;*zjxLA8
z)6wwk^3Cww1*nJG&~;R{OVy|xj8i_(VRpS!rX(0cxL%8`)0wAGmu=Sx+QJ(OX&ClR
z*KTHdIEPTW>th4juLC_@P(v#w&pQGfFlM)Ea7yHy@#{XE8<vf6c<q>%L!f-B*2x)@
z$`%LeJ=p%@U}co{k$y*@9#~AnMR{(O0nLIjf*XkM|24&a)7UIW9%GLCe*f+6ZT|k(
z?(DW~{(lOn`fv30B0z-*H79*0WmcYeJ!m`on%oAgBULu4=}HLPEX%QFqe-p6u{AfK
zLS((BFmF$nZ!RBJU05#ILUH?e)H&|^{ioI4-K_sRFYNFCPlElTrbiG2sTjEWga<)_
zZ%FFn3@TvaGd>N@hHryiUECYV{;i-(>G^!_&%0U<_OBiM<L&7M3`}s7rr=&E7Ro~m
zfPsCXdryl>`2n+{FG<{r$TT*!oDa|L0Zg`^u!zKen2X7Q?%NO6+LVxf7w{%J08PG-
zB#tr5gs;np{h;hrf@SpykLwh<A5^-OWN{ZdXqzc-Dzlm2+SG3!SD5byt4H0*Sw=t=
z5eM2=`(~+7EoM*(ao-fn2kqW|P~THK%DiN(8&&kEse|g=`bkB^fh9`|3kwSi3kwSi
u3kwSi3kwSi3kwSi3kwSi3kwSi3kwSi3kwSi3k!>H5dQ&g_kdymPyhhlecm1b

literal 0
HcmV?d00001

diff --git a/bench/reachability-benchmark/cases/java/spring-guarded/outputs/classes/bench/reachability/App$Response.class b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/classes/bench/reachability/App$Response.class
new file mode 100644
index 0000000000000000000000000000000000000000..5d0c3232a4339eb239feee36aeb9ce4303e549fc
GIT binary patch
literal 1363
zcma)5+fLg+5IxH!c7h=x1zO6rZ77MMxHsq}P>E7iL`rD|h==xRover<cwKvg#6R_+
zNJW)+=m+$ps*Yo)7!g4qR<j<@oH=J^=l7rUUjWvymO&4CHS`(iM~WeLz>m4r<nF$;
zEo#!QGo)4>*HLd6dW)sKG<2jjWDE?zV3@ImTWeUp;I#&~ou;EstaZ;TY>U8?ZXhT-
zP+YYF2384khYVzqW9YMG{e&T3y{NaNe8=4{=ZRO|z%7h0=t@RjhUH@QhFaxPcd#)7
zw{eHS8a!xh$U2cK{0CSiBy!il1SUy^_}b!4Qn7M#W`e~>`#{uGx%8P~tXN6>h_#mX
zs1p&TY}IkaR_n+X{w}whL^Ah5sD`Y6;yynTO88WLq}WAcdoUG-(PE-NqH<<Ow)~oS
z?}VT_O=l_WIbF9zpf+WoG!%(n_wJJP&O6Axl~M)D=UzlC(6Puc5Y4w7&NIuP(HYF9
z@Hm4fc&g!<f#+DJhjKAzzvU|DNLUfY7>gloci<ULlTsY_SRM*13f$ywy(xl1Rm#Jb
zS57F7Tbl61iMuDBcqf9I?|4f3$&`&I4}zp4#`tm-Bw78^LyH^DU{qXJ_-#l*qtZJo
zpy3t6+=cvW<Y*`}OkW>L1BtX#e|6ej(8-6(7_LpYTVzvUw9QlWXPUm|!wn~!HGhJc
z6KBxO#WM_^l8fdNhXa$CrF*)Euqc+!Fzw(y3JEc0$TG5;c}{+Or|ae1VcN0#U4ln}
zZ(V{X@E{JJC3c|--CQ`wc(-VJWB;J1C@bXAZ~lOG6_^q64&`L%;8nu?C=gB$=J2p>
q=TRa%M4qUZQ76r|kHJD8b$bDiu!I%z<ta|5&b}bZFYy|y82<}v#x~0U

literal 0
HcmV?d00001

diff --git a/bench/reachability-benchmark/cases/java/spring-guarded/outputs/classes/bench/reachability/App.class b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/classes/bench/reachability/App.class
new file mode 100644
index 0000000000000000000000000000000000000000..3be47e29eec47c38cac0a66eec5bb370d3599dc7
GIT binary patch
literal 1661
zcma)6TXWk)6#mwi$W~;MDwoEPl9r~eol9Lx2qjJfc9OOM$7$m>ZJI*6mN$utBB`>>
zkau30VTLz;1$}WSnPGT?;cxI4cx0HKRiwtbJX8<6(%EzQ&bQyu-~a#iJAj)oRKyTh
zkkF7s7enuJ{w*(9+}<jz)SnB(XXu(WZPTA)i0ATaDWn(@zSj~ds0`huN@eBY(}l&_
z;%W*SLvoW_P0@{a(4(MN!x`udnILJ)H?6`lcNw%T;jefLVw1NlDsUrLIbOAR(vm-E
zQqhkA1%n#SV(19=n(vwR7GW1JS_Ft;;FKEq#|qwM7^w@}*e-a28{52YTBg5SD7o(F
zs%W~7-K0i`8Pc1MS2r6CVXMgEeaY4c!(eWy1Jyy%q9o}8gW~dC%i#^l#YGLHxI_$6
z;|!Ni!_txGfcRnxSBT&`Z=Cn23(@pd<T0jTT*Cw=qjm#U%e*P3rx;YqzaR{!Av}iR
zTu51m%V>C7R8hb+1s`g-j*l3I4sYlnSL8?(HiCq**$#|RuN!3rA2Vcwc+&|*vt+w1
zpIijrQSb>tiH^&=z9@Mf-|g^FF^x|pp)(|(+(tRSreX@S(sGlKg;gncM+}iHoj%j>
zIZD(wRcb_f?T`BIP%-s8g?SANQsYU(a+*R4|CWZ^xWkb0ok%f9qr)~8e8JFnDAL96
z4B`5wLt==bqG1_TN<!q%Tf9kX>pKD=FcN~hxTj!MLrs?KIm{LYWhlO8?zony@*Sbz
z0a1RsG-(3o>5eH$#k57WwNn?~eO|Z7lG)~V!xF0pieV^)^hLuL4%VB`eC6~KZ`5C;
zoHd^t-_YcSHPSV6%jSN|qk2Ca%RhTkBPT6$$56aw(A!{DYfj5E#4S^jk)koaDtV?k
zs?q>03&|ASkG5pn!V7p8^qGoAou)P%5M020x?B0gK$1Zht!wmkj&??Sa%>OmCA}~_
zq*WdR3etFlbqbNL{{&&c_qsB!r}gev$i&e`-_PjXM|S-T`$>Oq59fXv)6c)c2QmDC
z{^f~3qr)Hd%kuD7<R;p<THVLg`aY)DC--n;55<{8Hqpl1Oj2&;ARYe7Cfit)LF6s-
z|2x^nmu;*_6XBbMix*fTbQ1A(Xtb)((Tx#gFi!ue0(!_xr!ncn1Nyl>!2mc0De5dd
z4B;_FWDp<u55o%jeT9;3kSRuvaeNiLeT}EIC#YN&&*)93(=2hxX)VwXtd8_+qQa+a

literal 0
HcmV?d00001

diff --git a/bench/reachability-benchmark/cases/java/spring-guarded/outputs/classes/bench/reachability/AppTest.class b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/classes/bench/reachability/AppTest.class
new file mode 100644
index 0000000000000000000000000000000000000000..a416b9056c196930b97cd163a739ca39a2498c75
GIT binary patch
literal 2290
zcmah~TUQfT6#fn*Im0lhj7S;8S}R&2XllK+pjIxiq5&$QP%f2Dk|T_UOq`jBu{V2f
z?OpriLw)qMwreG<vQ~ZXKk7^EK9fm|HfwbyYtGEs`|SOF`*!~N=Z`-DoWjp4n$XM<
z(hx?3VcQk+x*5xwxs}*d>WWBv43U#o&hkz(H1|bkITVInzLI6fMv9&ob{w-fRq*l!
zFX=hLTvNfN#a4#ys$Rv^(@HAZq|Yr3Mqi?)SZ8M_I;%p(HVy628CusJ%M(>lJAyNH
zNCW*24Lc;0a5`(dLdA3F;xIIHV`r6K!Lzcl5z`gNk20t$!i(q9c1Ac1J$=y%mO7Q*
zKsqFe?b7f(b`u)Uu90U5^+gv)RP4cv9D6nNVjn}7&#8eOhAqPPH)B)4tlSDiXW!yT
z;MgZr*&kBy5<}Cfr6P(09Q_&waFD{9qVuaUigkL`Oj%jWE5?TN`5EC-wpv`_SZ3C`
zDH!%Q3Q~pN({5r6JZ~1WwwY<gVZ6d|M8i=WV`zKAV#3T58v8QCu?BYQ%vN$VR3Aw?
zOKeV1+=dg0sk!B`crre%;5ACqWiu<&G=!5Jr!<_#>lBa13<=JvnagCww76FA*$xLt
z{4h%=b=i}j(L`fQz0<<Y+c{SZwNPw_HH=`CVSBIXQusWJBx9Cqrm`Z#z!p@*ahBr^
z4d*b<u={^(Qp>oW=@neRWyU!!RI9;{`f$}p+;MD2!8sM@F)4dNmyX`la1ql~Qz<)B
zWay|?<kK0Op-f-4os^Zyh@6U9%yGP}VIB+BBCpdYKol^FGeg6^Sx|71;~fUA+J|SY
ztWdB_Wnudr>8e<QDKVy=u@RK2?A0Y?Gzd_EMAoimET_VMfn$|HueUrWJDHeYA&<%N
z$qUOPiK)>G@iA#4E1j${><uzYQ$~Ub5?e>gZ}%10QlAR5{Tcn}tO9E2kmnSrx>n$6
zC`j;Oe~ieT4vrg?b03&*cV^YG*JaXGtmCGJ_wYVdoSDfa3;DbwC~Z^?UG=qJJK=-*
z5Fc^e((thi!PX~sN3&E`RMZ*aT8_xn@}CTfBs5CHhfXA{oR}=ErGzshQP60L-$;wR
zUydAKRIyS-#;0l$qPS*SIe&)K^<XV6#DM&yuTnSoRyn>QLyP}a<@m1Z!H-6r2jyfs
z8{7eE(k?h@AyY!h3#QH?$(26Gb2;JoYz6V<wW+F9yNxDfl<pgVZR?UPM{gleP7tBz
zC-k+8Rz_?1KpE_zRK%zBlw#2IRpkIA15$MY&GZBIZGz92(URDNI^SQ0HZgFZgslT5
zY~Mg<e+fM$yznb2R!nu0H=qRy8EZ!?Iw7xyHhf0A63gc#`x0MOoUlc5-9nQ4`u+{{
zCG<o68+ds_Kd!$@>*T<}4Ga#3e#4o2=rTejjJ317_tCbA^YeP5jEP6Ss9TDr^kfNd
z-3x?^Qn-nwdHqru?+%8Ia0%(TO{~nzO(U#ZWn3*IHyAM@`n3{VBT~Zk2QUVC@TLta
z1~-%viUxo5kl+?^i(s$gHh#bzTATdH9Vcoaq7mryww<oV4)oCT1QDO1yKxy^)UpPh
z?xyoQ$%27jNaJfdbqSHjq!{M7%|SQ+VgDZodLH8l_%quaOPsojajZX<@ogw3p|7F*
zP57!I|CW;ReXRtJ`ne{|dbETO?tzCMAk_Rj&d748kgAr01Q|w?c82aHVlBl#;wM^l
RdfP+n?hueTT`hNE{0kGYCy@XE

literal 0
HcmV?d00001

diff --git a/bench/reachability-benchmark/cases/java/spring-guarded/outputs/classes/outputs/SINK_BLOCKED b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/classes/outputs/SINK_BLOCKED
new file mode 100644
index 000000000..f32a5804e
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/classes/outputs/SINK_BLOCKED
@@ -0,0 +1 @@
+true
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/spring-guarded/outputs/coverage.json b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/coverage.json
new file mode 100644
index 000000000..9b8cbaf62
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/coverage.json
@@ -0,0 +1,13 @@
+{
+  "files": {
+    "src/App.java": {
+      "lines_covered": [
+        10,
+        11,
+        13,
+        15
+      ],
+      "lines_total": 29
+    }
+  }
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/spring-guarded/outputs/sbom.cdx.json b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/sbom.cdx.json
new file mode 100644
index 000000000..942ffde47
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/sbom.cdx.json
@@ -0,0 +1,14 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [],
+  "metadata": {
+    "component": {
+      "name": "spring-guarded",
+      "type": "application",
+      "version": "1.0.0"
+    },
+    "timestamp": "1970-01-01T00:00:00Z"
+  },
+  "specVersion": "1.5",
+  "version": 1
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/spring-guarded/outputs/traces/trace.json b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/traces/trace.json
new file mode 100644
index 000000000..10fe7be76
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/traces/trace.json
@@ -0,0 +1,8 @@
+{
+  "entry": "POST /api/upload",
+  "notes": "Guard requires ALLOW_DESER=true; sink not executed by default",
+  "path": [
+    "App.handleRequest"
+  ],
+  "sink": "JavaDeserializeGuarded::handleRequest"
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/spring-reflection/outputs/attestation.json b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/attestation.json
new file mode 100644
index 000000000..92b9433d6
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/attestation.json
@@ -0,0 +1,22 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicate": {
+    "buildType": "stub",
+    "builder": {
+      "id": "stub"
+    },
+    "metadata": {
+      "buildFinishedOn": "1970-01-01T00:00:00Z",
+      "buildStartedOn": "1970-01-01T00:00:00Z"
+    }
+  },
+  "predicateType": "https://slsa.dev/provenance/v0.2",
+  "subject": [
+    {
+      "digest": {
+        "sha256": "stub"
+      },
+      "name": "java-spring-reflection:205"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/spring-reflection/outputs/binary.tar.gz b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/binary.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..a48160ea2310bf2a8336268d88056eb75cb5fbf9
GIT binary patch
literal 2398
zcmV-k38D5MiwFP!000001MOLRbKAHPzrXn@P&9KV&6%VgRy0*4_k4=mq;(>X?Oc0J
zGa8D7EJP&10-zq3^LOt8Aocb+lZl<o1iwiv5m@Xl7K?pQf`|Th4~!b1-EQko!0xC1
zUO#Tv+RbL8p~s)Lnyv3p>!B4>$b}3zLXRQpYlMLFza-<BgtE_4$ypo|?!6CY!RM24
z&-vF|Ft>I7^=9oD&cF8gRJa@8`1xl+I1O$H8j&=dc$@^`BpA_{%B3eVPSYE1oP)CT
znd8tTV_YKT9$qeK?7a#y7|!xhOhXjLfe>iVo6rXb0erul0$xbablO3=fa%as3e;EY
zy)omjgM=VBmK!4V(t<ynl!T8<A~Kc=f_R=*K!NU+REi!U^Lc_sELv6zsS0M?sHa)?
zG>Hf7D_D=>>a!I!9iz$yX%D4&9HZZVU$6J5_&E;JX{EX;MS&BU^Ax3IzS6RCT&o=+
zJPIP1{a;Rm+!S`Z`X>2uhnY4<_pc{NE;FU`mU-4HZg5i=jNXHZ5lz8bX{gqz<!Z0b
z39R8Hf|C)F=b>c0QuRRBmj!KQht;9oG}LZN=ALB6wqS{kJ)tm=;RIFA79q*>X_Ljr
zSgNIXlZDb%?-jIzuUFu7G0}Uj?pf~E*>n(2LdK&tLz+tMG`T39qx6mKb%kRY|9utk
z>B?ypej3aO=QJX#kz!fFa&3ged&G(6i1&5Bb-wiVKOFzB!An154!AG=H|l%w|7rW!
z#{b8_r^kQFyuZ<yJUcY_FHR-l&ps_*DDNw7()RtFF&d#HplQWixVP^R<Ooqka>ChM
zpmn@i-^07|1H?s`^4Pe{07v_ZcqSBhnm~o3y&yCL*Wp9}v;D;?JLzb%CI>bI%mFJr
z6P6%kK!O3EM;(OC5I#t*7(qCM1QNueQbv@jTBfF8(Q1{lKVrFjPC4kM0<0RTU>M4B
zxs~b+m6uE-%Ee~%SIMZdK1ej4Z?H0Bl@({h1#;Zg%h&%LUY?!yUz|P1)xG36o_lk(
zw1Oe~ko_$9Rm8(@4WpdKk+1)HV)8ID?uq|RnB9s0wN|ZZ<Nsse&wuiB!Tk|UeUi@5
zC=e4z5Q$upGnCPci~|}wmxIA|4?n4d5rV%EEmBn*<0my-^*s-x@4rXcJgQ=6@J7)o
za=(l>&edhV9D`~DJ3pVj?!OprvDA~EXZ~%l(~$|e8IS;H?2v`dCs%_vm;JNh^V93I
z;n~HY|DyNg!`@iOt+$(ni`|whum96~bKNhW&iljD^YdQcaRkeGsCKkg&X)|D5?|#m
zFpbDL8NQFEa7jQ7^Qd#C8gzCP^>xM|0vC^x2O&H;j$#%fH`*n03;Fdna!uc(zTzif
zI($cae&_6}cyq#CIa)p(ZSXPa-aE+IaaISWPkVTAdi|njjt6B+If3l!qHgzxi(h|O
zrGLTFBgCKx&jLA#>Bw=wIUu7HkKP4*R+#X>11V?eTU;{6@2XD7p!`-PO0UQ#cnn!b
z;Lb*R!FRvL*rL<4F-?gWYPKYT>9_48RByunWBA{CcXWtaG8x1`+xW}TfvlxcAo39|
zRrS=4an+=|p(G1gQ6pZICz+^}RH~1PNGf}cBP761!zo#c-ZkXLYSqy$v)(e0@g>N|
z7lW&7<Odn`i<81eA*^hvHiHjVB2eDot^N@g`^2gdSB$Up@vl4dPDd{@L@ATn;`q&0
z!)^*V9Sg=Wo2zCBS}wNTsrnloCh)s8TNA@b*C&PL${VttGgV0?gN`+o#w@Biq(Tna
z)L6->Y_KYs{ITsd$sZd2;#bE}8NqecR8Mctb=f>6yjO#7H=N~}{+8wm;WRXJ=)c-h
zuA4}jkRJZ&$zDLhB~AF-xVV@Qb_2fjK%RH=TR9KDjJDG<G}MB4%OHu7c7%+9nS~k1
zSmG^`*cro~iZBT=M7=Q>!%bh15c<;`x^WeB4l4EG7X4`Ju5T49&w4-^_tbxl<3@ew
z{eQc4+_v@KV}M2w)m5H!P5yV+1wf}!Yhfo2(wiKzRY!O6PR5yfzt};0<PKytp_U<B
z_iA1ZI}s5fr@A9wB^X!8CG@A^`t7i)#h^GrYfcd4A|2wOu@5AQSr7^6^hXq;H#DZJ
zYGxxAb|7-Phq9xi@>?;j_j)+bnYRs)LRCZkDYcQe;xdIm3|vBRES8v|n1z9sRn!iu
zfa##SYnFmcl^z|`)=xSE7YW#1SufgoXZ|DFOtwx@PbFX|C7OvLP4rP>62>$W#FZq;
zVQZa6-Gw?<X$$*M8O*4vlmY5SUCo#pbr=PZS4qY~u+_T4Rx3$C5z~a4BS9$4a>c;d
zAt4FlOL#v1JH?L9Zi*^oNfKzIdH#0d`xvoBpJBuWT+(q6%Aq;SVs1Onnj|}7$qtbk
z^1^7LD+r@}QK{_^Zk2hCd0$f2A!{l#X0(!Ucv8E-4y%nB!%aQjZxgsP;58%~ma0JE
z_il6C2roy|nX%44PJcNaUJnN6!@<S%%fag_U=Q5@c2rT5s#Q5Cr)-{sbbV4gKiQz-
zTEG>aQ#sK;;B30%x+2tS&M4GbaCo|6H#)#Ag)UFuG4&S9*E0RX5y;eXjsQc9*g~yO
ziJUV&?ZA~{*(eC7Fb1n;!2d?=mop|olyIQ555n@!Wt4W%IEaOMg`csQhRgDvD;?Yj
zy4*aL{tW#5O9$jf#%?|N5Hjxj{lD3Iy7T_0-e}tV|0q!P-|*fdKzRu@H+UjtR^DX2
z?m*5p=?h|tRJrERTtei8m8;9a3EXo?f$OMqD7_-IT~=HkC>!pq7{0W%zdjW0<Ach$
z@Ato2v%OpYH=f%2|0w7d1w8^MNJS6p>+SnVFe9lKWRUEM$M}tZF?i)4>$2WZb{2xJ
zsOR&!H*ab>IKR68?^ownurLW+x~fH2Z`5F6N9ft}qAdOhspu|>g^0|ctLZ#=#wQ@G
zo3Mz)znGTfM9+2otuaNUU*^1wPJojqB#GmIWx~^iLDw%Q6=7Ld!sA|u?D`wCinwTm
zPU=SLY(t>=xmEoN`99!XfBmQ@Im-yJBH~1wt7~=(rC>%?3^bMSNxj|m56>K2W!@(r
zT2;&_(f+1v{iK}Y#0E?Y3kwSi3kwSi3kwSi3kwSi3kwSi3kwSi3kwSi3kwSi3kwSi
Qi?0#?2kuM8?*LE$0L0*{od5s;

literal 0
HcmV?d00001

diff --git a/bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/bench/reachability/springreflection/ReflectController$Marker.class b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/bench/reachability/springreflection/ReflectController$Marker.class
new file mode 100644
index 0000000000000000000000000000000000000000..0be486ffe697828acb9f8b6340eb2aa913df467e
GIT binary patch
literal 456
zcmbVI!A=4(6rAn?%dRMhh>6C7i3jlDo;-<ONQ@?ki5TzQwL-D9rdv$>D?OQb@B{oP
z<0~9A@n#P*uhV(cm-qSg{sG_w?F0eB2&Edzs4z69{E4TE>v4LOO-1e)Dm|&CJ7owv
z-P<avq|CT|5H>=>(949*C#e-YpYTj7>7LW#(MmnG;$BgJG&;RrmVKk0HA)G)f4N9t
zDD};qV5kqI7Q^{06ZVE@ij=A|Bj;lnTAl9TXRM`q%#e)C+~(p;dVBlN7l*!ua)zRC
z=caHGHW-fnH7!H!LTh3BiWh|_XaURdv4@z}=T89U7f855w_RdJTt0XMd!>RB2>mm#
oMYxJJLT}w6_G;LSUWk4hw-KUFT7U-D7u-aPI3ZVzCN>d&19LNJ-2eap

literal 0
HcmV?d00001

diff --git a/bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/bench/reachability/springreflection/ReflectController$Response.class b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/bench/reachability/springreflection/ReflectController$Response.class
new file mode 100644
index 0000000000000000000000000000000000000000..8deb4a49ba445c01e196b9581c05a42007d30480
GIT binary patch
literal 1532
zcmbtUT~pIQ6g|sFla@eB1r!lM1!)5kzwoQTgLND_Q_%tBL7$R#rGb#Gn=Lc^Cm&=+
z#u*;`0sbh*n<kYo?eHKEJ9l$)_uO;Oy}Q5voc#i@hP4d((63>@z#vi#xqbV{wmjS4
zv$l9m$T~x6)%9Jq&d^^d?xvw5ts!Gz2nNHt!~I&rlH9H}Y{&Inb!-Jq>H2$;fAM%t
zxxy!)_O>j1C57j4Ik&}wrtkw!;DNGLD_~%i5PHNw7CD9iN7RoQ^3`)X+bV=D<%xFQ
zz%`69=t@LhhMhw7YE(+a-nk|WT*nQ{)v$v`S=5Ph`RchUVHr0KOyL%3z`wR^k2Lsr
zW#B{&@11?pzf}ChFj1%^e#Al+cS+``plsFk`DW|T;c~}zJSs8wj;n^Kf3T%}$Q74F
zZmiHlq4rQz7{&{U1c}U<ZPAi7{?-jaC%Oh<IczU!yU7E!Ap)hLz_9XPjU*X61Dks-
zgbI|jn^6^kjwObnXwpjIWMvsNTEp2C9%k?ek2O3o@DwWyGv^a0TfTA+xfRtDV=<(i
z4m`t2vToNu5(nIh0yk{G?(tx*D#SsnSxU$g>!0w%2X~H}{0$Fk(rqdslSj&)9Rx{7
zjPbb}B$@rfOvhbeFe<*!WgC)HU-iyq)bNsF{=EE4%F$3_xP5sjH6*H?^wsH+0j+%a
zYJ?X!yyaw5VD#)v)1TY)wGci<WV7Z^Fmvh@nz?j};S+LEU*d3J9J91f_YoGw(i)}L
z;0}d^7&BxUS<O5nKfcrU;@MHU&UbqRj|1O&1W(~!96U?x!YXug@eGr_qG`tdK~K}E
zkjJ3;16nsQBjO#($<X0$!h@J2oIcFse%mgfNOpugk(QB?X4}VLVSv<L!~-nj8Ts-Q
Qr<1bJiSi4)!YU^J0@5aYn*aa+

literal 0
HcmV?d00001

diff --git a/bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/bench/reachability/springreflection/ReflectController.class b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/bench/reachability/springreflection/ReflectController.class
new file mode 100644
index 0000000000000000000000000000000000000000..ad69e52197c6fc07372cdb21114d6362c83f4118
GIT binary patch
literal 1491
zcmb_cT~iWK7=8{Y3%Cg4S5}r9Du_yDR)$fDUo=9KG|rS)%X-Asb(eORtbfsMf1#_o
z!9J#@tETDqblEh$2QW~)a)Oz24lnP=^FHs#&p)5O0=SEZez@S4&?ciD9){4a@<K`I
zicw5FD(rIAVergrhUTOg+|k&E7hZ;TRab1g1AcT!kYxnW$q=YomK{w`WR((W7daV^
zMb}PxOvYM85<<sf=N(HkihcwUmeGwK21&CQ2-aQ|#xn_h45<P))SZOI6?I1`Xu9US
zO4ub~Xz^{GuxqA~Sg$?Prr}tou5&B0&h3(E*xZYA3>^h!Ysliy%iMPS=*4-#!v%)E
zXr>8e4Nfw);m05@Nw_Ry2*V7)Ms8_A3BlYpt(>yY8Ah8kKXTCIvucnO4zI|FV3cAK
zV~d=)wfGj{wH>RhI;O=i6WwevY$mauZlcME9FHR^Atqx2afZPL(o?jF2ZJAED5PSj
zgnj&2z*-}mRyNT*Q!=KJVDLI-ElY-;XfwKc?h>vsbT?ouy;ONglt?(4k#PgF<b)`w
zGueI2NrSChGH#1_0aDFt`z4(Vz9rmYm_1WNFtnx3Ey_B$rWrg}-Y;<LiBix>;<m~L
z!{d4-k9wP!I8&g1otGr^c}G$AXi(~re0i;CC{Ed;s0SzF%{LXlPG+kl^*>Pg^Jdvn
z`LZUG?`s*IX;D4ul^hLAmJ6P23Cj%gXQLylSbLn>Th15;x2hH9G(z5^0j1SbQ^7Fi
zs7b`f1zJDw(3zxPgLE^x+b0ge-qVAy&?){VA$+vpQe+}j-=dAaz~)3)`Usy3->Ba4
z@9@Vf=z4?DXY@YpVz0yfhZuMl|A33xN%t2FRxm=BtAepyRRce!Dwq^H*_y?#$qKGl
za8rmVYy>M<#Z?L_fQ-OPrx!9o>8EuWp;Z|}CuI{Ptq?Nk!adRm!2KKj5`wZSk@0;J
jx$ppPEL2}<EYj^E*%Ga&6?%v1-Ais(F+j38a^(99RGyQ~

literal 0
HcmV?d00001

diff --git a/bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/bench/reachability/springreflection/ReflectControllerTest.class b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/bench/reachability/springreflection/ReflectControllerTest.class
new file mode 100644
index 0000000000000000000000000000000000000000..a2223d15aa225ef3478d21145618544861dcbddd
GIT binary patch
literal 1880
zcmbVNQCAa36#fR1OtLJJEQ&-6Z8fa~g=nj7C1|A~sZ>BE2!d_xCK+I1vm0kOrM&c<
z{($xe@X|-0ZO;jwa!!5i=|Ad2Ywv7Ah{zK!Gqd;Jx%a#Ges}io|Ni(Bz%4w}(1mV}
zkd81S4Dn6#doyF3&U)s4X;YMahRCGlSpIE>?veCT6j6q7*)~0oLt~gM38%b~k-{u*
zm?g`${GE(fla{kC#hOj`E!W8`G><vg@uh3qLZ;?Sxh13q9lac<bo3$4(03R+rvfnW
zb>YvORl#t2Bt3hmF8V4$wg(3KIZo?1g8_!#z@YA1c4p43F?6|W3^ztP?ln`&zAb4v
zKe(IKFo-0_IUVQm4mmkdmQ*oWcNiYFAhf-wXHVoWwIIBj>v$p?!!X|Ecu&XsxWI7p
zMD7-aN8RmDQKf}cee$L)&n(%Z!oXHFr0@a9hdM4{gyHsyLbMSRi#*@->(o<X(G15Z
z!{A{*rw$<GrF3N!mo%g?rYJeiaORi}rk51Ht2(YJ;)F_WWhaV{DN40PtQ+`*<5L}<
z;pQ8pZZd}q#k0C;6P#ncuSRi=W0FA+Fj{V=VA&!H8UpUt{aW4kG-Po{A)Gqmqs2{y
zFpHdyY2+2It%@a^*{^bZ$zXJPUY3?GDDN4HSe%)^_jDmYmAjjtRxa+TAhQe?TV-g0
z=_GMS$O7h-{e6bS5qmYe52;qZtP2eV6m={r@ZoJ0TuGL6EUPzw#@qD-#|p9Iut$p<
z(%n|{(C`>fbbO6(XynXFrC6`kq@WHGZw5Pi)xMEc#nACo$9Jk20~O&}QdHVqFSe)=
z%DEMq^}bol5%cwGNytSNkU&>Wiw0?6<VnZqwzDP}<e|JpLm$|4tP}EMOc}KN4`opc
z$j-6(Mt*G#Lv*rix86Lh=+<RfsP;3Qd+Q-nGc>MhM2(wq93g{;OHiXD%_okW9ZW6F
z>M%XF0E-XO`2wA~LDfctR+GMlXlJyCNB6*9C_|KJRce4EhB7MTfJ|AMq@1L`7~F_8
z(DM?B*~>3+cJ4O}?c(f}1}-M>*RSZ^M|#D$yoW2V0!@-M8RMe{uJ5*V6H2#_?22(~
z51-GEHSopqJ_;*JG-ll0!&iHln+PRC#)AeHlA#73Jx6jP+&bwKkz_a-X<#)Oe)WRT
zZNSAgF=Pin;wRd>f*i)tLug~PYKYT1N^~gT6dusa|A-_TNYFilZpQI5`XR_VkI26m
z<uEu>=U?M0!W?VOPmV07`;6o9Yw{X7q9Adgi~bV;0zy<m3sG#fYkfT^Dv&US8~An?
tJoFr)?%y$_>fXeBP<MqTj4u5S{ZU{C>M9)C4f>AJkHV!jMSBg&{{fp=({um;

literal 0
HcmV?d00001

diff --git a/bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/outputs/SINK_REACHED b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/outputs/SINK_REACHED
new file mode 100644
index 000000000..f32a5804e
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/outputs/SINK_REACHED
@@ -0,0 +1 @@
+true
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/spring-reflection/outputs/coverage.json b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/coverage.json
new file mode 100644
index 000000000..0113cf0f8
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/coverage.json
@@ -0,0 +1,13 @@
+{
+  "files": {
+    "src/ReflectController.java": {
+      "lines_covered": [
+        7,
+        13,
+        14,
+        15
+      ],
+      "lines_total": 29
+    }
+  }
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/spring-reflection/outputs/sbom.cdx.json b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/sbom.cdx.json
new file mode 100644
index 000000000..cc69ede30
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/sbom.cdx.json
@@ -0,0 +1,14 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [],
+  "metadata": {
+    "component": {
+      "name": "spring-reflection",
+      "type": "application",
+      "version": "1.0.0"
+    },
+    "timestamp": "1970-01-01T00:00:00Z"
+  },
+  "specVersion": "1.5",
+  "version": 1
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/java/spring-reflection/outputs/traces/trace.json b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/traces/trace.json
new file mode 100644
index 000000000..ff8466e0c
--- /dev/null
+++ b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/traces/trace.json
@@ -0,0 +1,9 @@
+{
+  "entry": "POST /api/reflect",
+  "notes": "User controls class name flowing into Class.forName/newInstance",
+  "path": [
+    "ReflectController.run",
+    "Class.forName"
+  ],
+  "sink": "SpringReflection::run"
+}
\ No newline at end of file