up

2025-12-01 21:16:22 +02:00
parent c11d87d252
commit 909d9b6220
208 changed files with 860954 additions and 832 deletions
--- a/bench/reachability-benchmark/benchmark/truth/c-guarded-system.json
+++ b/bench/reachability-benchmark/benchmark/truth/c-guarded-system.json
@@ -0,0 +1,36 @@
+{
+  "version": "1.0.0",
+  "cases": [
+    {
+      "case_id": "c-guarded-system:001",
+      "case_version": "1.0.0",
+      "notes": "system() is gated by ALLOW_CMD env; default unreachable.",
+      "sinks": [
+        {
+          "sink_id": "GuardedSystem::main",
+          "label": "unreachable",
+          "confidence": "medium",
+          "static_evidence": {
+            "call_path": [
+              "main(argv)",
+              "run_guarded",
+              "system() (guarded by ALLOW_CMD)"
+            ]
+          },
+          "dynamic_evidence": {
+            "covered_by_tests": [
+              "tests/run-tests.sh"
+            ],
+            "coverage_files": [
+              "outputs/coverage.json"
+            ]
+          },
+          "config_conditions": [
+            "ALLOW_CMD=1"
+          ],
+          "notes": "Sink activates only when ALLOW_CMD=1; default benchmark assumes flag disabled."
+        }
+      ]
+    }
+  ]
+}
--- a/bench/reachability-benchmark/benchmark/truth/c-memcpy-overflow.json
+++ b/bench/reachability-benchmark/benchmark/truth/c-memcpy-overflow.json
@@ -0,0 +1,33 @@
+{
+  "version": "1.0.0",
+  "cases": [
+    {
+      "case_id": "c-memcpy-overflow:001",
+      "case_version": "1.0.0",
+      "notes": "Attacker-controlled length passed to memcpy without bounds.",
+      "sinks": [
+        {
+          "sink_id": "Overflow::process",
+          "label": "reachable",
+          "confidence": "medium",
+          "static_evidence": {
+            "call_path": [
+              "process_buffer(len)",
+              "memcpy(dst, src, len)"
+            ]
+          },
+          "dynamic_evidence": {
+            "covered_by_tests": [
+              "tests/run-tests.sh"
+            ],
+            "coverage_files": [
+              "outputs/coverage.json"
+            ]
+          },
+          "config_conditions": [],
+          "notes": "len parameter flows directly to memcpy; overflow possible when len > sizeof(dst)."
+        }
+      ]
+    }
+  ]
+}
--- a/bench/reachability-benchmark/benchmark/truth/c-unsafe-system.json
+++ b/bench/reachability-benchmark/benchmark/truth/c-unsafe-system.json
@@ -0,0 +1,34 @@
+{
+  "version": "1.0.0",
+  "cases": [
+    {
+      "case_id": "c-unsafe-system:001",
+      "case_version": "1.0.0",
+      "notes": "User input forwarded to system() without validation.",
+      "sinks": [
+        {
+          "sink_id": "UnsafeSystem::main",
+          "label": "reachable",
+          "confidence": "high",
+          "static_evidence": {
+            "call_path": [
+              "main(argv)",
+              "run_command",
+              "system()"
+            ]
+          },
+          "dynamic_evidence": {
+            "covered_by_tests": [
+              "tests/run-tests.sh"
+            ],
+            "coverage_files": [
+              "outputs/coverage.json"
+            ]
+          },
+          "config_conditions": [],
+          "notes": "Command injection sink reachable with any argument."
+        }
+      ]
+    }
+  ]
+}