up

2025-12-13 02:22:15 +02:00
parent 564df71bfb
commit 999e26a48e
395 changed files with 25045 additions and 2224 deletions
--- a/tests/reachability/samples-public/samples/php/php-001-phar-deserialize/README.md
+++ b/tests/reachability/samples-public/samples/php/php-001-phar-deserialize/README.md
@@ -0,0 +1,6 @@
+# php-001-phar-deserialize
+
+Minimal PHP sample used as a public reachability fixture.
+
+This is a fixture only: it is not intended to be deployed.
+
--- a/tests/reachability/samples-public/samples/php/php-001-phar-deserialize/app.php
+++ b/tests/reachability/samples-public/samples/php/php-001-phar-deserialize/app.php
@@ -0,0 +1,9 @@
+<?php
+declare(strict_types=1);
+
+// Fixture-only sample: demonstrates a deserialize-style sink.
+// Do not deploy.
+
+$payload = $_GET["payload"] ?? "";
+unserialize($payload);
+
--- a/tests/reachability/samples-public/samples/php/php-001-phar-deserialize/callgraph.static.json
+++ b/tests/reachability/samples-public/samples/php/php-001-phar-deserialize/callgraph.static.json
@@ -0,0 +1,16 @@
+{
+  "schema_version": "1.0",
+  "roots": [
+    { "id": "sym://php:public/index.php#main", "phase": "runtime", "source": "static" }
+  ],
+  "nodes": [
+    { "id": "sym://php:public/index.php#main", "name": "main", "kind": "function", "file": "public/index.php", "line": 1, "language": "php" },
+    { "id": "sym://php:app/UploadController.php#handle", "name": "handle", "kind": "function", "file": "app/UploadController.php", "line": 1, "language": "php" },
+    { "id": "sym://php:php.net#unserialize", "name": "unserialize", "kind": "function", "namespace": "php", "language": "php" }
+  ],
+  "edges": [
+    { "from": "sym://php:public/index.php#main", "to": "sym://php:app/UploadController.php#handle", "kind": "call" },
+    { "from": "sym://php:app/UploadController.php#handle", "to": "sym://php:php.net#unserialize", "kind": "call" }
+  ]
+}
+
--- a/tests/reachability/samples-public/samples/php/php-001-phar-deserialize/ground-truth.json
+++ b/tests/reachability/samples-public/samples/php/php-001-phar-deserialize/ground-truth.json
@@ -0,0 +1,13 @@
+{
+  "case_id": "php-001-phar-deserialize",
+  "paths": [
+    [
+      "sym://php:public/index.php#main",
+      "sym://php:app/UploadController.php#handle",
+      "sym://php:php.net#unserialize"
+    ]
+  ],
+  "schema_version": "reachbench.reachgraph.truth/v1",
+  "variant": "reachable"
+}
+
--- a/tests/reachability/samples-public/samples/php/php-001-phar-deserialize/repro.sh
+++ b/tests/reachability/samples-public/samples/php/php-001-phar-deserialize/repro.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "Fixture-only sample: no live repro; use callgraph.static.json + ground-truth.json for ingestion/tests."
+
--- a/tests/reachability/samples-public/samples/php/php-001-phar-deserialize/sbom.cdx.json
+++ b/tests/reachability/samples-public/samples/php/php-001-phar-deserialize/sbom.cdx.json
@@ -0,0 +1,21 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "component": {
+      "type": "application",
+      "name": "php-001-phar-deserialize",
+      "version": "0.0.0"
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "name": "php",
+      "version": "8.x",
+      "purl": "pkg:generic/php@8"
+    }
+  ]
+}
+
--- a/tests/reachability/samples-public/samples/php/php-001-phar-deserialize/vex.openvex.json
+++ b/tests/reachability/samples-public/samples/php/php-001-phar-deserialize/vex.openvex.json
@@ -0,0 +1,21 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "urn:stellaops:vex:php-001-phar-deserialize",
+  "author": "StellaOps",
+  "timestamp": "2025-12-12T00:00:00Z",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-TEST-0001"
+      },
+      "products": [
+        {
+          "@id": "pkg:generic/php@8"
+        }
+      ],
+      "status": "under_investigation"
+    }
+  ]
+}
+