up

tests/reachability/samples-public/samples/csharp/cs-001-binaryformatter-deserialize/Program.cs

@@ -0,0 +1,13 @@
+using System;
+using System.IO;
+using System.Runtime.Serialization.Formatters.Binary;
+
+// Fixture-only sample: demonstrates a BinaryFormatter deserialize-style sink.
+// Do not deploy.
+
+var payload = Environment.GetEnvironmentVariable("PAYLOAD") ?? string.Empty;
+var bytes = Convert.FromBase64String(payload);
+using var ms = new MemoryStream(bytes);
+var formatter = new BinaryFormatter();
+_ = formatter.Deserialize(ms);
+

tests/reachability/samples-public/samples/csharp/cs-001-binaryformatter-deserialize/README.md

@@ -0,0 +1,4 @@
+# cs-001-binaryformatter-deserialize
+
+Minimal C# sample used as a public reachability fixture.
+

tests/reachability/samples-public/samples/csharp/cs-001-binaryformatter-deserialize/callgraph.static.json

@@ -0,0 +1,14 @@
+{
+  "schema_version": "1.0",
+  "roots": [
+    { "id": "sym://dotnet:Program#Main", "phase": "runtime", "source": "static" }
+  ],
+  "nodes": [
+    { "id": "sym://dotnet:Program#Main", "name": "Main", "kind": "function", "language": "dotnet" },
+    { "id": "sym://dotnet:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter#Deserialize", "name": "Deserialize", "kind": "function", "language": "dotnet" }
+  ],
+  "edges": [
+    { "from": "sym://dotnet:Program#Main", "to": "sym://dotnet:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter#Deserialize", "kind": "call" }
+  ]
+}
+

tests/reachability/samples-public/samples/csharp/cs-001-binaryformatter-deserialize/ground-truth.json

@@ -0,0 +1,12 @@
+{
+  "case_id": "cs-001-binaryformatter-deserialize",
+  "paths": [
+    [
+      "sym://dotnet:Program#Main",
+      "sym://dotnet:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter#Deserialize"
+    ]
+  ],
+  "schema_version": "reachbench.reachgraph.truth/v1",
+  "variant": "reachable"
+}
+

tests/reachability/samples-public/samples/csharp/cs-001-binaryformatter-deserialize/repro.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "Fixture-only sample: no live repro; use callgraph.static.json + ground-truth.json for ingestion/tests."
+

tests/reachability/samples-public/samples/csharp/cs-001-binaryformatter-deserialize/sbom.cdx.json

@@ -0,0 +1,22 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "component": {
+      "type": "application",
+      "name": "cs-001-binaryformatter-deserialize",
+      "version": "0.0.0",
+      "purl": "pkg:nuget/cs-001-binaryformatter-deserialize@0.0.0"
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "System.Runtime.Serialization.Formatters",
+      "version": "4.3.0",
+      "purl": "pkg:nuget/System.Runtime.Serialization.Formatters@4.3.0"
+    }
+  ]
+}
+

tests/reachability/samples-public/samples/csharp/cs-001-binaryformatter-deserialize/vex.openvex.json

@@ -0,0 +1,21 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "urn:stellaops:vex:cs-001-binaryformatter-deserialize",
+  "author": "StellaOps",
+  "timestamp": "2025-12-12T00:00:00Z",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-TEST-0003"
+      },
+      "products": [
+        {
+          "@id": "pkg:nuget/System.Runtime.Serialization.Formatters@4.3.0"
+        }
+      ],
+      "status": "under_investigation"
+    }
+  ]
+}
+