Add receipt input JSON and SHA256 hash for CVSS policy scoring tests

- Introduced a new JSON fixture `receipt-input.json` containing base, environmental, and threat metrics for CVSS scoring. - Added corresponding SHA256 hash file `receipt-input.sha256` to ensure integrity of the JSON fixture.
2025-12-04 07:30:42 +02:00
parent 2d079d61ed
commit e1262eb916
91 changed files with 19493 additions and 187 deletions
--- a/bench/reachability-benchmark/cases/c/guarded-system/case.yaml
+++ b/bench/reachability-benchmark/cases/c/guarded-system/case.yaml
@@ -18,13 +18,18 @@ environment:
  runtime:
    gcc: "13"
  source_date_epoch: 1730000000
+  resource_limits:
+    cpu: "2"
+    memory: "4Gi"
 build:
  command: "./build/build.sh"
  source_date_epoch: 1730000000
  outputs:
    artifact_path: outputs/binary.tar.gz
+    sbom_path: outputs/sbom.cdx.json
    coverage_path: outputs/coverage.json
-    traces_path: outputs/traces/traces.json
+    traces_dir: outputs/traces
+    attestation_path: outputs/attestation.json
 test:
  command: "./tests/run-tests.sh"
  expected_coverage:
@@ -35,3 +40,9 @@ ground_truth:
  summary: "Without ALLOW_CMD, the system() sink remains unreachable; with ALLOW_CMD=1, it executes."
  evidence_files:
    - "../../../benchmark/truth/c-guarded-system.json"
+sandbox:
+  network: loopback
+  privileges: rootless
+redaction:
+  pii: false
+  policy: "benchmark-default/v1"
--- a/bench/reachability-benchmark/cases/c/guarded-system/entrypoints.yaml
+++ b/bench/reachability-benchmark/cases/c/guarded-system/entrypoints.yaml
@@ -0,0 +1,7 @@
+case_id: "c-guarded-system:001"
+entries:
+  cli:
+    - id: "main"
+      command: "./app"
+      args: ["<user_input>"]
+      description: "system() guarded by ALLOW_CMD flag"
--- a/bench/reachability-benchmark/cases/c/guarded-system/outputs/sbom.cdx.json
+++ b/bench/reachability-benchmark/cases/c/guarded-system/outputs/sbom.cdx.json
@@ -0,0 +1,14 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [],
+  "metadata": {
+    "component": {
+      "name": "guarded-system",
+      "type": "application",
+      "version": "1.0.0"
+    },
+    "timestamp": "1970-01-01T00:00:00Z"
+  },
+  "specVersion": "1.5",
+  "version": 1
+}
--- a/bench/reachability-benchmark/cases/c/memcpy-overflow/case.yaml
+++ b/bench/reachability-benchmark/cases/c/memcpy-overflow/case.yaml
@@ -18,13 +18,18 @@ environment:
  runtime:
    gcc: "13"
  source_date_epoch: 1730000000
+  resource_limits:
+    cpu: "2"
+    memory: "4Gi"
 build:
  command: "./build/build.sh"
  source_date_epoch: 1730000000
  outputs:
    artifact_path: outputs/binary.tar.gz
+    sbom_path: outputs/sbom.cdx.json
    coverage_path: outputs/coverage.json
-    traces_path: outputs/traces/traces.json
+    traces_dir: outputs/traces
+    attestation_path: outputs/attestation.json
 test:
  command: "./tests/run-tests.sh"
  expected_coverage:
@@ -35,3 +40,9 @@ ground_truth:
  summary: "Calling process_buffer with len>256 drives memcpy with attacker length (reachable)."
  evidence_files:
    - "../../../benchmark/truth/c-memcpy-overflow.json"
+sandbox:
+  network: loopback
+  privileges: rootless
+redaction:
+  pii: false
+  policy: "benchmark-default/v1"
--- a/bench/reachability-benchmark/cases/c/memcpy-overflow/entrypoints.yaml
+++ b/bench/reachability-benchmark/cases/c/memcpy-overflow/entrypoints.yaml
@@ -0,0 +1,7 @@
+case_id: "c-memcpy-overflow:001"
+entries:
+  cli:
+    - id: "process_buffer"
+      command: "./app"
+      args: ["<length>"]
+      description: "User length forwarded to memcpy without bounds"
--- a/bench/reachability-benchmark/cases/c/memcpy-overflow/outputs/sbom.cdx.json
+++ b/bench/reachability-benchmark/cases/c/memcpy-overflow/outputs/sbom.cdx.json
@@ -0,0 +1,14 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [],
+  "metadata": {
+    "component": {
+      "name": "memcpy-overflow",
+      "type": "application",
+      "version": "1.0.0"
+    },
+    "timestamp": "1970-01-01T00:00:00Z"
+  },
+  "specVersion": "1.5",
+  "version": 1
+}
--- a/bench/reachability-benchmark/cases/c/unsafe-system/case.yaml
+++ b/bench/reachability-benchmark/cases/c/unsafe-system/case.yaml
@@ -18,13 +18,18 @@ environment:
  runtime:
    gcc: "13"
  source_date_epoch: 1730000000
+  resource_limits:
+    cpu: "2"
+    memory: "4Gi"
 build:
  command: "./build/build.sh"
  source_date_epoch: 1730000000
  outputs:
    artifact_path: outputs/binary.tar.gz
+    sbom_path: outputs/sbom.cdx.json
    coverage_path: outputs/coverage.json
-    traces_path: outputs/traces/traces.json
+    traces_dir: outputs/traces
+    attestation_path: outputs/attestation.json
 test:
  command: "./tests/run-tests.sh"
  expected_coverage:
@@ -35,3 +40,9 @@ ground_truth:
  summary: "Running with argument 'echo OK' executes system() with user-controlled payload."
  evidence_files:
    - "../../../benchmark/truth/c-unsafe-system.json"
+sandbox:
+  network: loopback
+  privileges: rootless
+redaction:
+  pii: false
+  policy: "benchmark-default/v1"
--- a/bench/reachability-benchmark/cases/c/unsafe-system/entrypoints.yaml
+++ b/bench/reachability-benchmark/cases/c/unsafe-system/entrypoints.yaml
@@ -0,0 +1,7 @@
+case_id: "c-unsafe-system:001"
+entries:
+  cli:
+    - id: "main"
+      command: "./app"
+      args: ["<user_input>"]
+      description: "Passes argv directly into system()"
--- a/bench/reachability-benchmark/cases/c/unsafe-system/outputs/sbom.cdx.json
+++ b/bench/reachability-benchmark/cases/c/unsafe-system/outputs/sbom.cdx.json
@@ -0,0 +1,14 @@
+{
+  "bomFormat": "CycloneDX",
+  "components": [],
+  "metadata": {
+    "component": {
+      "name": "unsafe-system",
+      "type": "application",
+      "version": "1.0.0"
+    },
+    "timestamp": "1970-01-01T00:00:00Z"
+  },
+  "specVersion": "1.5",
+  "version": 1
+}