audit notes work completed, test fixes work (95% done), new sprints, new data sources setup and configuration

2026-01-14 10:48:00 +02:00
parent d7be6ba34b
commit 95d5898650
379 changed files with 40695 additions and 19041 deletions
--- a/datasets/golden-pairs/README.md
+++ b/datasets/golden-pairs/README.md
@@ -3,24 +3,39 @@
 Golden pairs are curated binary pairs (original vs patched) used to validate binary-diff logic.
 Binaries are stored outside git; this folder tracks metadata, hashes, and reports only.

+## Current Corpus
+
+| CVE | Name | Binary | Status | Notes |
+|-----|------|--------|--------|-------|
+| CVE-2021-3156 | Baron Samedit | sudo | Validated | Debian 10 packages with verified SHA-256 |
+| CVE-2022-0847 | Dirty Pipe | vmlinux | Pending | Kernel binaries large; fetch pending |
+
 ## Layout

 ```
 datasets/golden-pairs/
  index.json
+  README.md
+  CVE-2021-3156/
+    metadata.json
+    advisories/
  CVE-2022-0847/
    metadata.json
-    original/
-      vmlinux
-      vmlinux.sha256
-      vmlinux.sections.json
-    patched/
-      vmlinux
-      vmlinux.sha256
-      vmlinux.sections.json
-    diff-report.json
    advisories/
-      USN-5317-1.txt
+```
+
+When binaries are fetched:
+```
+  CVE-YYYY-NNNN/
+    original/
+      <binary>
+      <binary>.sha256
+      <binary>.sections.json
+    patched/
+      <binary>
+      <binary>.sha256
+      <binary>.sections.json
+    diff-report.json
 ```

 ## File Conventions
@@ -39,7 +54,22 @@ datasets/golden-pairs/
 4. Run `golden-pairs diff CVE-...` and review `diff-report.json`.
 5. Update `index.json` with status and summary counts.

+## Package Sources
+
+### CVE-2021-3156 (Baron Samedit)
+
+- **Vulnerable**: `sudo 1.8.27-1+deb10u2` from snapshot.debian.org
+- **Patched**: `sudo 1.8.27-1+deb10u3` from debian-security
+- Binary SHA-256 hashes verified and documented in metadata.json
+
+### CVE-2022-0847 (Dirty Pipe)
+
+- **Vulnerable**: `linux-image-unsigned-5.13.0-34-generic` from old-releases.ubuntu.com
+- **Patched**: `linux-image-unsigned-5.13.0-35-generic` from old-releases.ubuntu.com
+- Kernel binaries are large (100MB+); consider extracting specific sections
+
 ## Offline Notes

 - Use cached package mirrors or `file://` sources for air-gapped runs.
 - Keep hashes and timestamps deterministic; always use UTC ISO-8601 timestamps.
+- Debian packages available via snapshot.debian.org for reproducible fetches.