@@ -0,0 +1,44 @@
|
||||
id: "js-express-blog:001"
|
||||
language: js
|
||||
project: express-blog
|
||||
version: "1.0.0"
|
||||
description: Minimal blog API with an unsafe deserializer sink.
|
||||
repository: "https://example.org/express-blog"
|
||||
entrypoints:
|
||||
- "POST /api/posts"
|
||||
sinks:
|
||||
- id: "Deserializer::parse"
|
||||
path: "src/deserializer.js::parse"
|
||||
kind: deserialization
|
||||
location:
|
||||
file: src/deserializer.js
|
||||
line: 42
|
||||
notes: "JSON.parse on user input without guards"
|
||||
environment:
|
||||
os_image: "ubuntu:24.04"
|
||||
runtime:
|
||||
node: "20.11.0"
|
||||
source_date_epoch: 1730000000
|
||||
build:
|
||||
command: "./build/build.sh"
|
||||
source_date_epoch: 1730000000
|
||||
outputs:
|
||||
artifact_path: outputs/binary.tar.gz
|
||||
sbom_path: outputs/sbom.cdx.json
|
||||
coverage_path: outputs/coverage.json
|
||||
traces_dir: outputs/traces
|
||||
env:
|
||||
NODE_ENV: production
|
||||
test:
|
||||
command: "npm test"
|
||||
expected_coverage:
|
||||
- outputs/coverage.json
|
||||
expected_traces:
|
||||
- outputs/traces/traces.json
|
||||
env:
|
||||
NODE_ENV: test
|
||||
ground_truth:
|
||||
summary: "Unit test test_reachable_deserialization hits the sink"
|
||||
evidence_files:
|
||||
- truth/truth.yaml
|
||||
notes: "FEATURE_JSON_ENABLED must be true for reachability"
|
||||
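Review bot: The test environment never sets the flag the ground truth depends on: `notes` under `ground_truth` says FEATURE_JSON_ENABLED must be true for reachability, yet the only variable under `test.env` is `NODE_ENV: test`, so a harness that takes its environment from this manifest would run the reachable-path test with the guard closed. If the harness is expected to inject the flag, state that next to `test.env`; otherwise add `FEATURE_JSON_ENABLED: "true"` there, quoted because the guard recorded in the submission compares against the string 'true' and a bare `true` is a YAML boolean on most loaders. `source_date_epoch: 1730000000` appears under both `environment` and `build`; if both are honored, a comment saying which one wins (or dropping one) avoids the two drifting apart. The rendered page has lost the file's indentation, so the nesting of `notes`, `source_date_epoch` and `env` cannot be confirmed from here.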
@@ -0,0 +1,17 @@
|
||||
case_id: "js-express-blog:001"
|
||||
entries:
|
||||
http:
|
||||
- id: "POST /api/posts"
|
||||
route: "/api/posts"
|
||||
method: "POST"
|
||||
handler: "PostsController.create"
|
||||
description: "Create a new post (hits deserializer)"
|
||||
cli:
|
||||
- id: "generate-report"
|
||||
command: "node cli.js generate-report"
|
||||
description: "Generates a report from posts"
|
||||
scheduled:
|
||||
- id: "daily-cleanup"
|
||||
schedule: "0 3 * * *"
|
||||
handler: "CleanupJob.run"
|
||||
description: "Archives soft-deleted posts nightly"
|
||||
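Review bot: Only the HTTP entry `POST /api/posts` is listed under `entrypoints` in the case manifest, while this file also declares a `cli` entry `generate-report` and a `scheduled` entry `daily-cleanup`; nothing in the commit says whether those two are in scope as reachability roots or are listed only for completeness. A short comment at the top of the file, or a per-entry field along the lines of `in_scope: false`, would tell a tool whether `CleanupJob.run` and the CLI command should be treated as entrypoints when scoring. `schedule: "0 3 * * *"` is correctly quoted, and `route`, `method` and `handler` agree with the submission's `explain.entry` and call path. Indentation has been lost in rendering, so the grouping under `entries` is assumed rather than verified.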
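--- /dev/null
+++ b/PATH-NOT-SHOWN-IN-PAGE
@@ -0,0 +1,46 @@
+{
+"version": "1.0.0",
+"tool": {
+"name": "sample-tool",
+"version": "0.1.0"
+},
+"run": {
+"commit": "abcd1234",
+"platform": "ubuntu:24.04",
+"time_s": 182.4,
+"peak_mb": 3072
+},
+"cases": [
+{
+"case_id": "js-express-blog:001",
+"sinks": [
+{
+"sink_id": "Deserializer::parse",
+"prediction": "reachable",
+"confidence": 0.88,
+"explain": {
+"entry": "POST /api/posts",
+"path": [
+"PostsController.create",
+"PostsService.createFromJson",
+"Deserializer.parse"
+],
+"guards": [
+"process.env.FEATURE_JSON_ENABLED === 'true'"
+]
+},
+"notes": "Observed via dynamic trace"
+}
+]
+}
+],
+"artifacts": {
+"sbom": "sha256:deadbeef",
+"attestation": "sha256:cafebabe"
+},
+"submitter": {
+"name": "Example Corp",
+"organization": "Example",
+"contact": "bench@example.org"
+}
+}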
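Review bot: The `artifacts` digests `sha256:deadbeef` and `sha256:cafebabe` are 8 hex characters, not the 64 a SHA-256 digest has, and `run.commit` is likewise an 8-character prefix; if this file is meant as a schema-valid sample, a validator that enforces digest length will reject it, and if the digests are meant to be checked against the SBOM and attestation the build emits they cannot be. Use full-length values or an obviously labelled placeholder, and document that `artifacts.sbom` and `artifacts.attestation` must be full `sha256:<64 hex>` digests so a scorer can bind the submission to the built artifacts. The guard string `process.env.FEATURE_JSON_ENABLED === 'true'` differs from the truth file's `config_conditions` entry in the next section, which uses `==`; a scorer that matches guards textually will not see them as equal, so pick one spelling for both files. `confidence` is the number 0.88 here but the string "high" in the truth file; it is not clear from the commit whether the two fields are meant to be compared, and a note in either schema would settle that.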
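--- /dev/null
+++ b/PATH-NOT-SHOWN-IN-PAGE
@@ -0,0 +1,37 @@
+{
+"version": "1.0.0",
+"cases": [
+{
+"case_id": "js-express-blog:001",
+"case_version": "1.0.0",
+"notes": "Baseline public case",
+"sinks": [
+{
+"sink_id": "Deserializer::parse",
+"label": "reachable",
+"confidence": "high",
+"dynamic_evidence": {
+"covered_by_tests": [
+"tests/test_reachable_deserialization.js::should_reach_sink"
+],
+"coverage_files": [
+"outputs/coverage.json"
+]
+},
+"static_evidence": {
+"call_path": [
+"POST /api/posts",
+"PostsController.create",
+"PostsService.createFromJson",
+"Deserializer.parse"
+]
+},
+"config_conditions": [
+"process.env.FEATURE_JSON_ENABLED == 'true'"
+],
+"notes": "If FEATURE_JSON_ENABLED=false the path is unreachable"
+}
+]
+}
+]
+}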
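Review bot: The `notes` text `If FEATURE_JSON_ENABLED=false the path is unreachable` understates the condition: the listed `config_conditions` guard passes only when the variable equals the string 'true', so an unset variable or any value other than 'true' also makes the path unreachable, and a reader who treats "not false" as reachable will mislabel it. Suggest `"notes": "Reachable only when FEATURE_JSON_ENABLED is exactly 'true'; unset or any other value makes the path unreachable"`. `covered_by_tests` names `tests/test_reachable_deserialization.js::should_reach_sink` while the manifest's `ground_truth.summary` only says `test_reachable_deserialization`; the two agree, but carrying the full test id in the summary as well would make cross-referencing grep-able.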