Add receipt input JSON and SHA256 hash for CVSS policy scoring tests

- Introduced a new JSON fixture `receipt-input.json` containing base, environmental, and threat metrics for CVSS scoring.
- Added corresponding SHA256 hash file `receipt-input.sha256` to ensure integrity of the JSON fixture.

bench/reachability-benchmark/cases/java/spring-deserialize/case.yaml

@@ -18,6 +18,9 @@ environment:
   runtime:
     java: "21"
   source_date_epoch: 1730000000
+  resource_limits:
+    cpu: "2"
+    memory: "4Gi"
 build:
   command: "./build/build.sh"
   source_date_epoch: 1730000000
@@ -26,6 +29,7 @@ build:
     sbom_path: outputs/sbom.cdx.json
     coverage_path: outputs/coverage.json
     traces_dir: outputs/traces
+    attestation_path: outputs/attestation.json
 test:
   command: "./build/build.sh"
   expected_coverage: []
@@ -36,3 +40,9 @@ ground_truth:
   summary: "Deserialization reachable"
   evidence_files:
     - "../benchmark/truth/java-spring-deserialize.json"
+sandbox:
+  network: loopback
+  privileges: rootless
+redaction:
+  pii: false
+  policy: "benchmark-default/v1"

bench/reachability-benchmark/cases/java/spring-guarded/case.yaml

@@ -18,6 +18,9 @@ environment:
   runtime:
     java: "21"
   source_date_epoch: 1730000000
+  resource_limits:
+    cpu: "2"
+    memory: "4Gi"
 build:
   command: "./build/build.sh"
   source_date_epoch: 1730000000
@@ -26,6 +29,7 @@ build:
     sbom_path: outputs/sbom.cdx.json
     coverage_path: outputs/coverage.json
     traces_dir: outputs/traces
+    attestation_path: outputs/attestation.json
 test:
   command: "./build/build.sh"
   expected_coverage: []
@@ -36,3 +40,9 @@ ground_truth:
   summary: "Guard blocks deserialization unless ALLOW_DESER=true"
   evidence_files:
     - "../benchmark/truth/java-spring-guarded.json"
+sandbox:
+  network: loopback
+  privileges: rootless
+redaction:
+  pii: false
+  policy: "benchmark-default/v1"