up

2025-12-09 09:40:36 +02:00
parent 108d1c64b3
commit 689c656f20
46 changed files with 294 additions and 0 deletions
--- a/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/attestation.json
+++ b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/attestation.json
@@ -0,0 +1,22 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicate": {
+    "buildType": "stub",
+    "builder": {
+      "id": "stub"
+    },
+    "metadata": {
+      "buildFinishedOn": "1970-01-01T00:00:00Z",
+      "buildStartedOn": "1970-01-01T00:00:00Z"
+    }
+  },
+  "predicateType": "https://slsa.dev/provenance/v0.2",
+  "subject": [
+    {
+      "digest": {
+        "sha256": "stub"
+      },
+      "name": "java-micronaut-deserialize:203"
+    }
+  ]
+}
--- a/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/binary.tar.gz
+++ b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/binary.tar.gz
--- a/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/classes/bench/reachability/micronaut/Controller$Response.class
+++ b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/classes/bench/reachability/micronaut/Controller$Response.class
--- a/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/classes/bench/reachability/micronaut/Controller.class
+++ b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/classes/bench/reachability/micronaut/Controller.class
--- a/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/classes/bench/reachability/micronaut/ControllerTest.class
+++ b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/classes/bench/reachability/micronaut/ControllerTest.class
--- a/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/classes/outputs/SINK_REACHED
+++ b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/classes/outputs/SINK_REACHED
@@ -0,0 +1 @@
+true
--- a/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/coverage.json
+++ b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/coverage.json
@@ -0,0 +1,13 @@
+{
+  "files": {
+    "src/Controller.java": {
+      "lines_covered": [
+        11,
+        14,
+        15,
+        17
+      ],
+      "lines_total": 40
+    }
+  }
+}
--- a/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/sbom.cdx.json
+++ b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/sbom.cdx.json
@@ -0,0 +1,14 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [],
+  "metadata": {
+    "component": {
+      "name": "micronaut-deserialize",
+      "type": "application",
+      "version": "1.0.0"
+    },
+    "timestamp": "1970-01-01T00:00:00Z"
+  },
+  "specVersion": "1.5",
+  "version": 1
+}
--- a/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/traces/trace.json
+++ b/bench/reachability-benchmark/cases/java/micronaut-deserialize/outputs/traces/trace.json
@@ -0,0 +1,9 @@
+{
+  "entry": "POST /mn/upload",
+  "notes": "Base64 payload flows into ObjectInputStream without guard",
+  "path": [
+    "Controller.handleUpload",
+    "ObjectInputStream.readObject"
+  ],
+  "sink": "MicronautDeserialize::handleUpload"
+}
--- a/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/attestation.json
+++ b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/attestation.json
@@ -0,0 +1,22 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicate": {
+    "buildType": "stub",
+    "builder": {
+      "id": "stub"
+    },
+    "metadata": {
+      "buildFinishedOn": "1970-01-01T00:00:00Z",
+      "buildStartedOn": "1970-01-01T00:00:00Z"
+    }
+  },
+  "predicateType": "https://slsa.dev/provenance/v0.2",
+  "subject": [
+    {
+      "digest": {
+        "sha256": "stub"
+      },
+      "name": "java-micronaut-guarded:204"
+    }
+  ]
+}
--- a/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/binary.tar.gz
+++ b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/binary.tar.gz
--- a/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/classes/bench/reachability/micronautguard/Controller$Response.class
+++ b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/classes/bench/reachability/micronautguard/Controller$Response.class
--- a/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/classes/bench/reachability/micronautguard/Controller.class
+++ b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/classes/bench/reachability/micronautguard/Controller.class
--- a/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/classes/bench/reachability/micronautguard/ControllerTest.class
+++ b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/classes/bench/reachability/micronautguard/ControllerTest.class
--- a/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/classes/outputs/SINK_BLOCKED
+++ b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/classes/outputs/SINK_BLOCKED
@@ -0,0 +1 @@
+true
--- a/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/coverage.json
+++ b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/coverage.json
@@ -0,0 +1,13 @@
+{
+  "files": {
+    "src/Controller.java": {
+      "lines_covered": [
+        12,
+        13,
+        15,
+        17
+      ],
+      "lines_total": 42
+    }
+  }
+}
--- a/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/sbom.cdx.json
+++ b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/sbom.cdx.json
@@ -0,0 +1,14 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [],
+  "metadata": {
+    "component": {
+      "name": "micronaut-guarded",
+      "type": "application",
+      "version": "1.0.0"
+    },
+    "timestamp": "1970-01-01T00:00:00Z"
+  },
+  "specVersion": "1.5",
+  "version": 1
+}
--- a/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/traces/trace.json
+++ b/bench/reachability-benchmark/cases/java/micronaut-guarded/outputs/traces/trace.json
@@ -0,0 +1,8 @@
+{
+  "entry": "POST /mn/upload",
+  "notes": "Guard enforces ALLOW_MN_DESER feature flag; sink not reached by default",
+  "path": [
+    "Controller.handleUpload"
+  ],
+  "sink": "MicronautDeserializeGuarded::handleUpload"
+}
--- a/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/attestation.json
+++ b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/attestation.json
@@ -0,0 +1,22 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicate": {
+    "buildType": "stub",
+    "builder": {
+      "id": "stub"
+    },
+    "metadata": {
+      "buildFinishedOn": "1970-01-01T00:00:00Z",
+      "buildStartedOn": "1970-01-01T00:00:00Z"
+    }
+  },
+  "predicateType": "https://slsa.dev/provenance/v0.2",
+  "subject": [
+    {
+      "digest": {
+        "sha256": "stub"
+      },
+      "name": "java-spring-deserialize:201"
+    }
+  ]
+}
--- a/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/binary.tar.gz
+++ b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/binary.tar.gz
--- a/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/classes/bench/reachability/App$Response.class
+++ b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/classes/bench/reachability/App$Response.class
--- a/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/classes/bench/reachability/App.class
+++ b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/classes/bench/reachability/App.class
--- a/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/classes/bench/reachability/AppTest.class
+++ b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/classes/bench/reachability/AppTest.class
--- a/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/classes/outputs/SINK_REACHED
+++ b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/classes/outputs/SINK_REACHED
@@ -0,0 +1 @@
+true
--- a/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/coverage.json
+++ b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/coverage.json
@@ -0,0 +1,14 @@
+{
+  "files": {
+    "src/App.java": {
+      "lines_covered": [
+        9,
+        15,
+        16,
+        17,
+        19
+      ],
+      "lines_total": 26
+    }
+  }
+}
--- a/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/sbom.cdx.json
+++ b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/sbom.cdx.json
@@ -0,0 +1,14 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [],
+  "metadata": {
+    "component": {
+      "name": "spring-deserialize",
+      "type": "application",
+      "version": "1.0.0"
+    },
+    "timestamp": "1970-01-01T00:00:00Z"
+  },
+  "specVersion": "1.5",
+  "version": 1
+}
--- a/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/traces/trace.json
+++ b/bench/reachability-benchmark/cases/java/spring-deserialize/outputs/traces/trace.json
@@ -0,0 +1,9 @@
+{
+  "entry": "POST /api/upload",
+  "notes": "No guard; base64 payload deserialized",
+  "path": [
+    "App.handleRequest",
+    "ObjectInputStream.readObject"
+  ],
+  "sink": "JavaDeserialize::handleRequest"
+}
--- a/bench/reachability-benchmark/cases/java/spring-guarded/outputs/attestation.json
+++ b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/attestation.json
@@ -0,0 +1,22 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicate": {
+    "buildType": "stub",
+    "builder": {
+      "id": "stub"
+    },
+    "metadata": {
+      "buildFinishedOn": "1970-01-01T00:00:00Z",
+      "buildStartedOn": "1970-01-01T00:00:00Z"
+    }
+  },
+  "predicateType": "https://slsa.dev/provenance/v0.2",
+  "subject": [
+    {
+      "digest": {
+        "sha256": "stub"
+      },
+      "name": "java-spring-guarded:202"
+    }
+  ]
+}
--- a/bench/reachability-benchmark/cases/java/spring-guarded/outputs/binary.tar.gz
+++ b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/binary.tar.gz
--- a/bench/reachability-benchmark/cases/java/spring-guarded/outputs/classes/bench/reachability/App$Response.class
+++ b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/classes/bench/reachability/App$Response.class
--- a/bench/reachability-benchmark/cases/java/spring-guarded/outputs/classes/bench/reachability/App.class
+++ b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/classes/bench/reachability/App.class
--- a/bench/reachability-benchmark/cases/java/spring-guarded/outputs/classes/bench/reachability/AppTest.class
+++ b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/classes/bench/reachability/AppTest.class
--- a/bench/reachability-benchmark/cases/java/spring-guarded/outputs/classes/outputs/SINK_BLOCKED
+++ b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/classes/outputs/SINK_BLOCKED
@@ -0,0 +1 @@
+true
--- a/bench/reachability-benchmark/cases/java/spring-guarded/outputs/coverage.json
+++ b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/coverage.json
@@ -0,0 +1,13 @@
+{
+  "files": {
+    "src/App.java": {
+      "lines_covered": [
+        10,
+        11,
+        13,
+        15
+      ],
+      "lines_total": 29
+    }
+  }
+}
--- a/bench/reachability-benchmark/cases/java/spring-guarded/outputs/sbom.cdx.json
+++ b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/sbom.cdx.json
@@ -0,0 +1,14 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [],
+  "metadata": {
+    "component": {
+      "name": "spring-guarded",
+      "type": "application",
+      "version": "1.0.0"
+    },
+    "timestamp": "1970-01-01T00:00:00Z"
+  },
+  "specVersion": "1.5",
+  "version": 1
+}
--- a/bench/reachability-benchmark/cases/java/spring-guarded/outputs/traces/trace.json
+++ b/bench/reachability-benchmark/cases/java/spring-guarded/outputs/traces/trace.json
@@ -0,0 +1,8 @@
+{
+  "entry": "POST /api/upload",
+  "notes": "Guard requires ALLOW_DESER=true; sink not executed by default",
+  "path": [
+    "App.handleRequest"
+  ],
+  "sink": "JavaDeserializeGuarded::handleRequest"
+}
--- a/bench/reachability-benchmark/cases/java/spring-reflection/outputs/attestation.json
+++ b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/attestation.json
@@ -0,0 +1,22 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicate": {
+    "buildType": "stub",
+    "builder": {
+      "id": "stub"
+    },
+    "metadata": {
+      "buildFinishedOn": "1970-01-01T00:00:00Z",
+      "buildStartedOn": "1970-01-01T00:00:00Z"
+    }
+  },
+  "predicateType": "https://slsa.dev/provenance/v0.2",
+  "subject": [
+    {
+      "digest": {
+        "sha256": "stub"
+      },
+      "name": "java-spring-reflection:205"
+    }
+  ]
+}
--- a/bench/reachability-benchmark/cases/java/spring-reflection/outputs/binary.tar.gz
+++ b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/binary.tar.gz
--- a/bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/bench/reachability/springreflection/ReflectController$Marker.class
+++ b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/bench/reachability/springreflection/ReflectController$Marker.class
--- a/bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/bench/reachability/springreflection/ReflectController$Response.class
+++ b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/bench/reachability/springreflection/ReflectController$Response.class
--- a/bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/bench/reachability/springreflection/ReflectController.class
+++ b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/bench/reachability/springreflection/ReflectController.class
--- a/bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/bench/reachability/springreflection/ReflectControllerTest.class
+++ b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/bench/reachability/springreflection/ReflectControllerTest.class
--- a/bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/outputs/SINK_REACHED
+++ b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/classes/outputs/SINK_REACHED
@@ -0,0 +1 @@
+true
--- a/bench/reachability-benchmark/cases/java/spring-reflection/outputs/coverage.json
+++ b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/coverage.json
@@ -0,0 +1,13 @@
+{
+  "files": {
+    "src/ReflectController.java": {
+      "lines_covered": [
+        7,
+        13,
+        14,
+        15
+      ],
+      "lines_total": 29
+    }
+  }
+}
--- a/bench/reachability-benchmark/cases/java/spring-reflection/outputs/sbom.cdx.json
+++ b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/sbom.cdx.json
@@ -0,0 +1,14 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [],
+  "metadata": {
+    "component": {
+      "name": "spring-reflection",
+      "type": "application",
+      "version": "1.0.0"
+    },
+    "timestamp": "1970-01-01T00:00:00Z"
+  },
+  "specVersion": "1.5",
+  "version": 1
+}
--- a/bench/reachability-benchmark/cases/java/spring-reflection/outputs/traces/trace.json
+++ b/bench/reachability-benchmark/cases/java/spring-reflection/outputs/traces/trace.json
@@ -0,0 +1,9 @@
+{
+  "entry": "POST /api/reflect",
+  "notes": "User controls class name flowing into Class.forName/newInstance",
+  "path": [
+    "ReflectController.run",
+    "Class.forName"
+  ],
+  "sink": "SpringReflection::run"
+}