up

datasets/reachability/samples/csharp/dead-code/ground-truth.json

@@ -0,0 +1,86 @@
+{
+  "schema": "ground-truth-v1",
+  "sampleId": "sample:csharp:dead-code:001",
+  "generatedAt": "2025-12-13T12:00:00Z",
+  "generator": {
+    "name": "manual-annotation",
+    "version": "1.0.0",
+    "annotator": "scanner-guild"
+  },
+  "targets": [
+    {
+      "symbolId": "sym:csharp:JsonConvert.DeserializeObject",
+      "display": "Newtonsoft.Json.JsonConvert.DeserializeObject<T>(string, JsonSerializerSettings)",
+      "purl": "pkg:nuget/Newtonsoft.Json@13.0.1",
+      "expected": {
+        "latticeState": "CU",
+        "bucket": "unreachable",
+        "reachable": false,
+        "confidence": 0.95,
+        "pathLength": null,
+        "path": null
+      },
+      "reasoning": "DeserializeObject referenced in deprecated LegacyParser class but LegacyParser is never instantiated - new SafeParser uses System.Text.Json instead"
+    },
+    {
+      "symbolId": "sym:csharp:LegacyParser.ParseJson",
+      "display": "SampleApp.LegacyParser.ParseJson(string)",
+      "purl": "pkg:generic/SampleApp@1.0.0",
+      "expected": {
+        "latticeState": "SU",
+        "bucket": "unreachable",
+        "reachable": false,
+        "confidence": 0.90,
+        "pathLength": null,
+        "path": null
+      },
+      "reasoning": "LegacyParser.ParseJson exists but LegacyParser is never instantiated - replaced by SafeParser"
+    },
+    {
+      "symbolId": "sym:csharp:SafeParser.ParseJson",
+      "display": "SampleApp.SafeParser.ParseJson(string)",
+      "purl": "pkg:generic/SampleApp@1.0.0",
+      "expected": {
+        "latticeState": "SR",
+        "bucket": "direct",
+        "reachable": true,
+        "confidence": 0.95,
+        "pathLength": 2,
+        "path": [
+          "sym:csharp:Program.Main",
+          "sym:csharp:SafeParser.ParseJson"
+        ]
+      },
+      "reasoning": "SafeParser.ParseJson is the active implementation called from Main"
+    }
+  ],
+  "entryPoints": [
+    {
+      "symbolId": "sym:csharp:Program.Main",
+      "display": "SampleApp.Program.Main(string[])",
+      "phase": "runtime",
+      "source": "manifest"
+    }
+  ],
+  "expectedUncertainty": {
+    "states": [],
+    "aggregateTier": "T4",
+    "riskScore": 0.0
+  },
+  "expectedGateDecisions": [
+    {
+      "vulnId": "CVE-2024-21907",
+      "targetSymbol": "sym:csharp:JsonConvert.DeserializeObject",
+      "requestedStatus": "not_affected",
+      "expectedDecision": "allow",
+      "expectedReason": "CU state allows not_affected - confirmed unreachable"
+    },
+    {
+      "vulnId": "CVE-2024-21907",
+      "targetSymbol": "sym:csharp:JsonConvert.DeserializeObject",
+      "requestedStatus": "affected",
+      "expectedDecision": "warn",
+      "expectedReason": "Marking as affected when CU suggests false positive"
+    }
+  ]
+}

datasets/reachability/samples/csharp/dead-code/manifest.json

@@ -0,0 +1,27 @@
+{
+  "sampleId": "sample:csharp:dead-code:001",
+  "version": "1.0.0",
+  "createdAt": "2025-12-13T12:00:00Z",
+  "language": "csharp",
+  "category": "negative",
+  "description": "C# app where vulnerable code exists but is never called - deprecated API replaced by safe implementation",
+  "source": {
+    "repository": "synthetic",
+    "commit": "synthetic-sample",
+    "buildToolchain": "dotnet:10.0"
+  },
+  "vulnerabilities": [
+    {
+      "vulnId": "CVE-2024-21907",
+      "purl": "pkg:nuget/Newtonsoft.Json@13.0.1",
+      "affectedSymbol": "Newtonsoft.Json.JsonConvert.DeserializeObject"
+    }
+  ],
+  "artifacts": [
+    {
+      "path": "artifacts/app.dll",
+      "hash": "sha256:0000000000000000000000000000000000000000000000000000000000000002",
+      "type": "application/x-msdownload"
+    }
+  ]
+}