From ca91f400512fb871ef935772c66ac38b2bed8e7e Mon Sep 17 00:00:00 2001
From: StellaOps Bot
Date: Wed, 3 Dec 2025 09:47:40 +0200
Subject: [PATCH] feat: Add attestation and SBOM JSON outputs for various Python applications
---
.../fastapi-guarded/outputs/attestation.json | 22 +++++++++++++++++++
.../py/fastapi-guarded/outputs/sbom.cdx.json | 14 ++++++++++++
.../flask-template/outputs/attestation.json | 22 +++++++++++++++++++
.../py/flask-template/outputs/sbom.cdx.json | 14 ++++++++++++
.../py/guarded-exec/outputs/attestation.json | 22 +++++++++++++++++++
.../py/guarded-exec/outputs/sbom.cdx.json | 14 ++++++++++++
.../py/unsafe-exec/outputs/attestation.json | 22 +++++++++++++++++++
.../py/unsafe-exec/outputs/sbom.cdx.json | 14 ++++++++++++
8 files changed, 144 insertions(+)
create mode 100644 bench/reachability-benchmark/cases/py/fastapi-guarded/outputs/attestation.json
create mode 100644 bench/reachability-benchmark/cases/py/fastapi-guarded/outputs/sbom.cdx.json
create mode 100644 bench/reachability-benchmark/cases/py/flask-template/outputs/attestation.json
create mode 100644 bench/reachability-benchmark/cases/py/flask-template/outputs/sbom.cdx.json
create mode 100644 bench/reachability-benchmark/cases/py/guarded-exec/outputs/attestation.json
create mode 100644 bench/reachability-benchmark/cases/py/guarded-exec/outputs/sbom.cdx.json
create mode 100644 bench/reachability-benchmark/cases/py/unsafe-exec/outputs/attestation.json
create mode 100644 bench/reachability-benchmark/cases/py/unsafe-exec/outputs/sbom.cdx.json
diff --git a/bench/reachability-benchmark/cases/py/fastapi-guarded/outputs/attestation.json b/bench/reachability-benchmark/cases/py/fastapi-guarded/outputs/attestation.json
new file mode 100644
index 000000000..75dbd7a1b
--- /dev/null
+++ b/bench/reachability-benchmark/cases/py/fastapi-guarded/outputs/attestation.json
@@ -0,0 +1,22 @@
+{
+ "_type": "https://in-toto.io/Statement/v0.1",
+ "predicate": {
+ "buildType": "stub",
+ "builder": {
+ "id": "stub"
+ },
+ "metadata": {
+ "buildFinishedOn": "1970-01-01T00:00:00Z",
+ "buildStartedOn": "1970-01-01T00:00:00Z"
+ }
+ },
+ "predicateType": "https://slsa.dev/provenance/v0.2",
+ "subject": [
+ {
+ "digest": {
+ "sha256": "stub"
+ },
+ "name": "py-fastapi-guarded:104"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/py/fastapi-guarded/outputs/sbom.cdx.json b/bench/reachability-benchmark/cases/py/fastapi-guarded/outputs/sbom.cdx.json
new file mode 100644
index 000000000..f9c13c108
--- /dev/null
+++ b/bench/reachability-benchmark/cases/py/fastapi-guarded/outputs/sbom.cdx.json
@@ -0,0 +1,14 @@
+{
+ "bomFormat": "CycloneDX",
+ "components": [],
+ "metadata": {
+ "component": {
+ "name": "fastapi-guarded",
+ "type": "application",
+ "version": "1.0.0"
+ },
+ "timestamp": "1970-01-01T00:00:00Z"
+ },
+ "specVersion": "1.5",
+ "version": 1
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/py/flask-template/outputs/attestation.json b/bench/reachability-benchmark/cases/py/flask-template/outputs/attestation.json
new file mode 100644
index 000000000..2f889bab3
--- /dev/null
+++ b/bench/reachability-benchmark/cases/py/flask-template/outputs/attestation.json
@@ -0,0 +1,22 @@
+{
+ "_type": "https://in-toto.io/Statement/v0.1",
+ "predicate": {
+ "buildType": "stub",
+ "builder": {
+ "id": "stub"
+ },
+ "metadata": {
+ "buildFinishedOn": "1970-01-01T00:00:00Z",
+ "buildStartedOn": "1970-01-01T00:00:00Z"
+ }
+ },
+ "predicateType": "https://slsa.dev/provenance/v0.2",
+ "subject": [
+ {
+ "digest": {
+ "sha256": "stub"
+ },
+ "name": "py-flask-template:103"
+ }
+ ]
+}
\ No newline at end of file
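Review bot: The subject digest in fastapi-guarded/outputs/attestation.json is `"sha256": "stub"`, which is not a SHA-256 value, so the statement is bound to no artifact and a consumer that matches subjects by name alone would accept it for anything called `py-fastapi-guarded:104`. `buildType` and `builder.id` are also the bare string `stub` where SLSA provenance v0.2 expects URIs, and the file is a bare in-toto statement with no signature envelope visible in this patch. If these are placeholders, I would either record the real digest of the case artifact (`"sha256": "<64-hex digest of the case artifact>"`) or keep the files out of any path a verifier reads as provenance. The attestation.json hunks for flask-template, guarded-exec and unsafe-exec have the same stub values.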
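Review bot: `"components": []` in fastapi-guarded/outputs/sbom.cdx.json declares an application with no dependencies, so any SBOM-driven check run against this file has nothing to match, including the framework the case name suggests it uses. If the benchmark is meant to exercise dependency findings, the array should list the case's pinned packages, along the lines of `{ "type": "library", "name": "<package>", "version": "<pinned version>" }`; if the empty list is deliberate, the case's documentation should say so, so that it is not read as a complete inventory. The sbom.cdx.json hunks for flask-template, guarded-exec and unsafe-exec have the same shape.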
diff --git a/bench/reachability-benchmark/cases/py/flask-template/outputs/sbom.cdx.json b/bench/reachability-benchmark/cases/py/flask-template/outputs/sbom.cdx.json
new file mode 100644
index 000000000..223891e99
--- /dev/null
+++ b/bench/reachability-benchmark/cases/py/flask-template/outputs/sbom.cdx.json
@@ -0,0 +1,14 @@
+{
+ "bomFormat": "CycloneDX",
+ "components": [],
+ "metadata": {
+ "component": {
+ "name": "flask-template",
+ "type": "application",
+ "version": "1.0.0"
+ },
+ "timestamp": "1970-01-01T00:00:00Z"
+ },
+ "specVersion": "1.5",
+ "version": 1
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/py/guarded-exec/outputs/attestation.json b/bench/reachability-benchmark/cases/py/guarded-exec/outputs/attestation.json
new file mode 100644
index 000000000..b3c6012e6
--- /dev/null
+++ b/bench/reachability-benchmark/cases/py/guarded-exec/outputs/attestation.json
@@ -0,0 +1,22 @@
+{
+ "_type": "https://in-toto.io/Statement/v0.1",
+ "predicate": {
+ "buildType": "stub",
+ "builder": {
+ "id": "stub"
+ },
+ "metadata": {
+ "buildFinishedOn": "1970-01-01T00:00:00Z",
+ "buildStartedOn": "1970-01-01T00:00:00Z"
+ }
+ },
+ "predicateType": "https://slsa.dev/provenance/v0.2",
+ "subject": [
+ {
+ "digest": {
+ "sha256": "stub"
+ },
+ "name": "py-guarded-exec:102"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/py/guarded-exec/outputs/sbom.cdx.json b/bench/reachability-benchmark/cases/py/guarded-exec/outputs/sbom.cdx.json
new file mode 100644
index 000000000..e5cd90624
--- /dev/null
+++ b/bench/reachability-benchmark/cases/py/guarded-exec/outputs/sbom.cdx.json
@@ -0,0 +1,14 @@
+{
+ "bomFormat": "CycloneDX",
+ "components": [],
+ "metadata": {
+ "component": {
+ "name": "guarded-exec",
+ "type": "application",
+ "version": "1.0.0"
+ },
+ "timestamp": "1970-01-01T00:00:00Z"
+ },
+ "specVersion": "1.5",
+ "version": 1
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/py/unsafe-exec/outputs/attestation.json b/bench/reachability-benchmark/cases/py/unsafe-exec/outputs/attestation.json
new file mode 100644
index 000000000..8ff39e42b
--- /dev/null
+++ b/bench/reachability-benchmark/cases/py/unsafe-exec/outputs/attestation.json
@@ -0,0 +1,22 @@
+{
+ "_type": "https://in-toto.io/Statement/v0.1",
+ "predicate": {
+ "buildType": "stub",
+ "builder": {
+ "id": "stub"
+ },
+ "metadata": {
+ "buildFinishedOn": "1970-01-01T00:00:00Z",
+ "buildStartedOn": "1970-01-01T00:00:00Z"
+ }
+ },
+ "predicateType": "https://slsa.dev/provenance/v0.2",
+ "subject": [
+ {
+ "digest": {
+ "sha256": "stub"
+ },
+ "name": "py-unsafe-exec:101"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/bench/reachability-benchmark/cases/py/unsafe-exec/outputs/sbom.cdx.json b/bench/reachability-benchmark/cases/py/unsafe-exec/outputs/sbom.cdx.json
new file mode 100644
index 000000000..e9ab95736
--- /dev/null
+++ b/bench/reachability-benchmark/cases/py/unsafe-exec/outputs/sbom.cdx.json
@@ -0,0 +1,14 @@
+{
+ "bomFormat": "CycloneDX",
+ "components": [],
+ "metadata": {
+ "component": {
+ "name": "unsafe-exec",
+ "type": "application",
+ "version": "1.0.0"
+ },
+ "timestamp": "1970-01-01T00:00:00Z"
+ },
+ "specVersion": "1.5",
+ "version": 1
+}
\ No newline at end of file