up

2025-12-13 02:22:15 +02:00
parent 564df71bfb
commit 999e26a48e
395 changed files with 25045 additions and 2224 deletions
--- a/datasets/reachability/samples/java/vulnerable-log4j/ground-truth.json
+++ b/datasets/reachability/samples/java/vulnerable-log4j/ground-truth.json
@@ -0,0 +1,108 @@
+{
+  "schema": "ground-truth-v1",
+  "sampleId": "sample:java:vulnerable-log4j:001",
+  "generatedAt": "2025-12-13T12:00:00Z",
+  "generator": {
+    "name": "manual-annotation",
+    "version": "1.0.0",
+    "annotator": "security-team"
+  },
+  "targets": [
+    {
+      "symbolId": "sym:java:log4j.JndiLookup.lookup",
+      "display": "org.apache.logging.log4j.core.lookup.JndiLookup.lookup(LogEvent, String)",
+      "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
+      "expected": {
+        "latticeState": "CR",
+        "bucket": "runtime",
+        "reachable": true,
+        "confidence": 0.98,
+        "pathLength": 4,
+        "path": [
+          "sym:java:HttpRequestHandler.handle",
+          "sym:java:LogManager.getLogger",
+          "sym:java:Logger.info",
+          "sym:java:log4j.JndiLookup.lookup"
+        ]
+      },
+      "reasoning": "Confirmed reachable via runtime probe - HTTP request handler logs user-controlled input which triggers JNDI lookup via message substitution"
+    },
+    {
+      "symbolId": "sym:java:log4j.JndiManager.lookup",
+      "display": "org.apache.logging.log4j.core.net.JndiManager.lookup(String)",
+      "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
+      "expected": {
+        "latticeState": "CU",
+        "bucket": "unreachable",
+        "reachable": false,
+        "confidence": 0.92,
+        "pathLength": null,
+        "path": null
+      },
+      "reasoning": "JndiManager.lookup is present in log4j-core but the direct JndiManager usage path is not exercised - only JndiLookup wrapper is used"
+    },
+    {
+      "symbolId": "sym:java:log4j.ScriptLookup.lookup",
+      "display": "org.apache.logging.log4j.core.lookup.ScriptLookup.lookup(LogEvent, String)",
+      "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
+      "expected": {
+        "latticeState": "SU",
+        "bucket": "unreachable",
+        "reachable": false,
+        "confidence": 0.85,
+        "pathLength": null,
+        "path": null
+      },
+      "reasoning": "ScriptLookup exists in log4j-core but is disabled by default and no configuration enables it"
+    }
+  ],
+  "entryPoints": [
+    {
+      "symbolId": "sym:java:HttpRequestHandler.handle",
+      "display": "com.example.app.HttpRequestHandler.handle(HttpExchange)",
+      "phase": "runtime",
+      "source": "servlet"
+    },
+    {
+      "symbolId": "sym:java:Application.main",
+      "display": "com.example.app.Application.main(String[])",
+      "phase": "main",
+      "source": "manifest"
+    }
+  ],
+  "expectedUncertainty": {
+    "states": [],
+    "aggregateTier": "T4",
+    "riskScore": 0.0
+  },
+  "expectedGateDecisions": [
+    {
+      "vulnId": "CVE-2021-44228",
+      "targetSymbol": "sym:java:log4j.JndiLookup.lookup",
+      "requestedStatus": "not_affected",
+      "expectedDecision": "block",
+      "expectedBlockedBy": "LatticeState",
+      "expectedReason": "CR state blocks not_affected - runtime evidence confirms reachability"
+    },
+    {
+      "vulnId": "CVE-2021-44228",
+      "targetSymbol": "sym:java:log4j.JndiLookup.lookup",
+      "requestedStatus": "affected",
+      "expectedDecision": "allow"
+    },
+    {
+      "vulnId": "CVE-2021-44228",
+      "targetSymbol": "sym:java:log4j.JndiManager.lookup",
+      "requestedStatus": "not_affected",
+      "expectedDecision": "allow",
+      "expectedReason": "CU state allows not_affected - confirmed unreachable"
+    },
+    {
+      "vulnId": "CVE-2021-44228",
+      "targetSymbol": "sym:java:log4j.ScriptLookup.lookup",
+      "requestedStatus": "not_affected",
+      "expectedDecision": "warn",
+      "expectedReason": "SU state allows not_affected but with warning - static analysis only, no runtime confirmation"
+    }
+  ]
+}
--- a/datasets/reachability/samples/java/vulnerable-log4j/manifest.json
+++ b/datasets/reachability/samples/java/vulnerable-log4j/manifest.json
@@ -0,0 +1,32 @@
+{
+  "sampleId": "sample:java:vulnerable-log4j:001",
+  "version": "1.0.0",
+  "createdAt": "2025-12-13T12:00:00Z",
+  "language": "java",
+  "category": "positive",
+  "description": "Log4Shell CVE-2021-44228 reachable via JNDI lookup in logging path from HTTP request handler",
+  "source": {
+    "repository": "synthetic",
+    "commit": "synthetic-sample",
+    "buildToolchain": "maven:3.9.0,jdk:17"
+  },
+  "vulnerabilities": [
+    {
+      "vulnId": "CVE-2021-44228",
+      "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
+      "affectedSymbol": "org.apache.logging.log4j.core.lookup.JndiLookup.lookup"
+    }
+  ],
+  "artifacts": [
+    {
+      "path": "artifacts/app.jar",
+      "hash": "sha256:0000000000000000000000000000000000000000000000000000000000000004",
+      "type": "application/java-archive"
+    },
+    {
+      "path": "artifacts/sbom.cdx.json",
+      "hash": "sha256:0000000000000000000000000000000000000000000000000000000000000005",
+      "type": "application/vnd.cyclonedx+json"
+    }
+  ]
+}