Add integration tests for Proof Chain and Reachability workflows

- Implement ProofChainTestFixture for PostgreSQL-backed integration tests.
- Create StellaOps.Integration.ProofChain project with necessary dependencies.
- Add ReachabilityIntegrationTests to validate call graph extraction and reachability analysis.
- Introduce ReachabilityTestFixture for managing corpus and fixture paths.
- Establish StellaOps.Integration.Reachability project with required references.
- Develop UnknownsWorkflowTests to cover the unknowns lifecycle: detection, ranking, escalation, and resolution.
- Create StellaOps.Integration.Unknowns project with dependencies for unknowns workflow.
StellaOps Bot
2025-12-20 22:19:26 +02:00
parent 3c6e14fca5
commit efe9bd8cfe
86 changed files with 9616 additions and 323 deletions


@@ -0,0 +1,22 @@
{
"schema_version": "stellaops.perf.baselines/v1",
"updated_at": "2025-01-15T00:00:00Z",
"environment": {
"runtime": ".NET 10",
"os": "ubuntu-22.04",
"cpu": "8 cores",
"memory_gb": 16
},
"baselines": {
"score_computation_ms": 100,
"score_computation_large_ms": 500,
"proof_bundle_generation_ms": 200,
"proof_signing_ms": 50,
"dotnet_callgraph_extraction_ms": 500,
"reachability_computation_ms": 100,
"reachability_large_graph_ms": 500,
"reachability_deep_path_ms": 200
},
"threshold_percent": 20,
"notes": "Initial baselines established on CI runner. Update after algorithm changes."
}
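Review bot: `updated_at` (2025-01-15) predates this commit (2025-12-20) even though `notes` says the baselines were "established on CI runner", and nothing in the file records which run or commit produced the numbers; the `environment` block captures runtime, OS, CPU and memory but not the run id. Please also document whether exceeding `threshold_percent` (20) over a baseline fails the job or only warns, because wall-clock budgets as tight as `proof_signing_ms: 50` on a shared CI runner will be noisy and the policy decides whether that noise blocks merges.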


@@ -0,0 +1,107 @@
# Golden Test Corpus
This directory contains the golden test corpus for StellaOps scoring validation.
Each test case is a complete, reproducible scenario with known-good inputs and expected outputs.
## Schema Version
**Corpus Version**: `1.0.0`
**Scoring Algorithm**: `v2.0` (See `docs/modules/scanner/scoring-algorithm.md`)
**OpenVEX Schema**: `0.2.0`
**SPDX Version**: `3.0.1`
**CycloneDX Version**: `1.6`
## Directory Structure
```
golden-corpus/
├── README.md # This file
├── corpus-manifest.json # Index of all test cases with hashes
├── corpus-version.json # Versioning metadata
├── severity-levels/ # CVE severity coverage
│ ├── critical/
│ ├── high/
│ ├── medium/
│ └── low/
├── vex-scenarios/ # VEX override scenarios
│ ├── not-affected/
│ ├── affected/
│ ├── fixed/
│ └── under-investigation/
├── reachability/ # Reachability analysis scenarios
│ ├── reachable/
│ ├── unreachable/
│ └── unknown/
└── composite/ # Complex multi-factor scenarios
├── reachable-with-vex/
└── unreachable-high-severity/
```
## Test Case Format
Each test case directory contains:
| File | Description |
|------|-------------|
| `case.json` | Scenario metadata and description |
| `sbom.spdx.json` | SPDX 3.0.1 SBOM |
| `sbom.cdx.json` | CycloneDX 1.6 SBOM (optional) |
| `manifest.json` | Scan manifest with digest bindings |
| `vex.openvex.json` | OpenVEX document (if applicable) |
| `callgraph.json` | Static call graph (if reachability applies) |
| `proof-bundle.json` | Expected proof bundle structure |
| `expected-score.json` | Expected scoring output |
## Expected Score Format
```json
{
"schema_version": "stellaops.golden.expected/v1",
"score_hash": "sha256:...",
"stella_score": 7.5,
"base_cvss": 9.8,
"temporal_cvss": 8.5,
"environmental_cvss": 7.5,
"vex_impact": -1.0,
"reachability_impact": -1.3,
"kev_flag": false,
"exploit_maturity": "proof-of-concept",
"determinism_salt": "frozen-2025-01-15T00:00:00Z"
}
```
## Running Golden Tests
```bash
# Run all golden tests
dotnet test tests/integration/StellaOps.Integration.Determinism \
--filter "Category=GoldenCorpus"
# Regenerate expected outputs (after algorithm changes)
dotnet run --project bench/tools/corpus-regenerate -- \
--corpus-path bench/golden-corpus \
--algorithm-version v2.0
```
## Adding New Cases
1. Create directory under appropriate category
2. Add all required files (see Test Case Format)
3. Run corpus validation: `dotnet run --project bench/tools/corpus-validate`
4. Update `corpus-manifest.json` hash entries
5. Commit with message: `corpus: add <case-id> for <scenario>`
## Versioning Policy
- **Patch** (1.0.x): Add new cases, fix existing case data
- **Minor** (1.x.0): Algorithm tuning that preserves relative ordering
- **Major** (x.0.0): Algorithm changes that alter expected scores
When scoring algorithm changes:
1. Increment corpus version
2. Regenerate all expected scores
3. Document changes in CHANGELOG.md
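Review bot: the Expected Score Format block (`vex_impact`, `reachability_impact`, `kev_flag`, `temporal_cvss` at top level) does not match the `expected-score.json` files added in this same commit, which use `scoring_factors.vex_adjustment`, `scoring_factors.reachability_adjustment`, `flags.kev_listed` and an `expected_assertions` block; update the README to the real layout so the fixture's deserializer is not written against the wrong shape. Two smaller mismatches in the same file: the directory tree lists `composite/unreachable-high-severity/`, but `corpus-manifest.json` has a single composite case (`reachable-with-vex`), and the Test Case Format table presents `sbom.spdx.json` and `manifest.json` as per-case files while only the Log4Shell case ships them; mark them optional or add them to the other cases.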


@@ -0,0 +1,59 @@
{
"schema_version": "reach-corpus.callgraph/v1",
"analysis_timestamp": "2025-01-15T00:00:00Z",
"target_package": "pkg:nuget/HttpClient@5.0.0",
"nodes": [
{
"id": "node-001",
"symbol": "Example.Api.Controllers.ProxyController.Forward",
"type": "entrypoint",
"file": "src/Controllers/ProxyController.cs",
"line": 20
},
{
"id": "node-002",
"symbol": "Example.Services.ProxyService.MakeRequest",
"type": "method",
"file": "src/Services/ProxyService.cs",
"line": 35
},
{
"id": "node-003",
"symbol": "HttpClient.SendAsync",
"type": "sink",
"file": null,
"line": null,
"package": "pkg:nuget/HttpClient@5.0.0",
"vulnerable": true,
"cve_ids": ["CVE-2024-44444"],
"notes": "Vulnerable when redirect following is enabled"
}
],
"edges": [
{
"from": "node-001",
"to": "node-002",
"type": "call"
},
{
"from": "node-002",
"to": "node-003",
"type": "call",
"tainted": true,
"taint_source": "user_url"
}
],
"reachability_result": {
"status": "reachable",
"confidence": 0.88,
"paths": [
{
"path_id": "path-001",
"nodes": ["node-001", "node-002", "node-003"],
"taint_flow": true,
"explanation": "User-provided URL flows to HttpClient.SendAsync"
}
],
"notes": "Code path exists but VEX states configuration mitigates the vulnerability"
}
}
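Review bot: the result-level `notes` ("Code path exists but VEX states configuration mitigates the vulnerability") couples this callgraph artifact to a different input, `vex.openvex.json`; a callgraph should report only what static analysis observed, which here is `status: reachable` with `taint_flow: true`, and leave the mitigation claim to the VEX document. If the redirect-following gate on node-003 matters to scoring, express it as a structured field rather than the free-text `notes` ("Vulnerable when redirect following is enabled"), because the reachability tests cannot assert on a sentence.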


@@ -0,0 +1,30 @@
{
"schema_version": "stellaops.golden.case/v1",
"case_id": "composite-reachable-with-vex-mitigated",
"category": "composite/reachable-with-vex",
"description": "High severity CVE, reachable, but mitigated via configuration (VEX not_affected)",
"tags": ["composite", "reachable", "vex", "mitigated", "vulnerable-code-not-invoked"],
"cve_id": "CVE-2024-44444",
"cwe_id": "CWE-918",
"affected_package": {
"purl": "pkg:nuget/HttpClient@5.0.0",
"ecosystem": "nuget",
"name": "HttpClient",
"version": "5.0.0",
"vendor": "Example"
},
"scenario": {
"base_cvss": 8.5,
"kev_listed": false,
"exploit_maturity": "proof-of-concept",
"reachability": "reachable",
"vex_status": "not_affected",
"vex_justification": "vulnerable_code_not_in_execute_path"
},
"expected_outcome": {
"stella_score_min": 1.0,
"stella_score_max": 3.5,
"action": "monitor"
},
"notes": "SSRF vulnerability in HttpClient. Code path exists but vulnerable feature (redirect following) is disabled via configuration. VEX declares not_affected."
}
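Review bot: the tag `vulnerable-code-not-invoked` does not match the justification the case actually uses, `vulnerable_code_not_in_execute_path` (the OpenVEX 0.2.0 value that also appears in `vex.openvex.json` and `expected-score.json`); use the justification string itself as the tag so that filtering the corpus by justification finds this case.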


@@ -0,0 +1,32 @@
{
"schema_version": "stellaops.golden.expected/v1",
"case_id": "composite-reachable-with-vex-mitigated",
"determinism_salt": "frozen-2025-01-15T00:00:00Z",
"score_hash": "sha256:e1f2a3b4c5d67890123456789012345678901234567890123456789012e567",
"stella_score": 2.5,
"scoring_factors": {
"base_cvss": 8.5,
"temporal_cvss": 8.0,
"environmental_cvss": 2.5,
"kev_multiplier": 1.0,
"exploit_maturity_adjustment": -0.3,
"reachability_adjustment": 0.0,
"vex_adjustment": -5.5
},
"flags": {
"kev_listed": false,
"exploit_maturity": "proof-of-concept",
"reachability_status": "reachable",
"reachability_confidence": 0.88,
"vex_status": "not_affected",
"vex_justification": "vulnerable_code_not_in_execute_path"
},
"action_recommendation": "monitor",
"action_rationale": "Code path is reachable but VEX declares not_affected due to configuration mitigation (redirects disabled). Monitor for configuration changes.",
"expected_assertions": {
"score_ge": 1.0,
"score_le": 3.5,
"reachability_reachable": true,
"vex_status_is": "not_affected"
}
}
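Review bot: the `scoring_factors` do not compose: `base_cvss` 8.5 with `exploit_maturity_adjustment` -0.3 does not yield `temporal_cvss` 8.0, and only `temporal_cvss` minus the `vex_adjustment` of 5.5 reproduces `stella_score` 2.5. The other expected-score files in this commit follow no single rule either (reachability-confirmed-reachable: 8.1 - 0.2 = 7.9 equals the score but `temporal_cvss` is 7.8; reachability-unknown-analysis-incomplete: 7.5 - 0.5 = 7.0 equals `temporal_cvss` but the score is 6.5). If the breakdown is hand-written, say so in the schema and have the fixture assert only on `stella_score` and `expected_assertions`; otherwise regenerate these files with `corpus-regenerate` so every factor is a value the scorer actually emitted.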


@@ -0,0 +1,23 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://stellaops.io/vex/golden-corpus/composite-reachable-with-vex-mitigated",
"author": "StellaOps Golden Corpus",
"timestamp": "2025-01-15T00:00:00Z",
"version": 1,
"statements": [
{
"vulnerability": {
"@id": "https://nvd.nist.gov/vuln/detail/CVE-2024-44444",
"name": "CVE-2024-44444"
},
"products": [
{
"@id": "pkg:nuget/HttpClient@5.0.0"
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "The SSRF vulnerability requires automatic redirect following to be enabled. Our configuration explicitly disables redirect following (MaxRedirects=0), so the vulnerable code path is never executed."
}
]
}
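Review bot: the `not_affected` claim rests on a deployment setting (`MaxRedirects=0` in `impact_statement`), but the product `@id` is the bare library purl `pkg:nuget/HttpClient@5.0.0`, so the statement would match any consumer of that package regardless of its configuration. Scope the product to the application under test and list the library under `subcomponents` (OpenVEX 0.2.0 supports this), which also makes the "monitor for configuration changes" rationale in `expected-score.json` meaningful: the statement then applies to one deployment, not to the package in general.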


@@ -0,0 +1,157 @@
{
"schema_version": "stellaops.corpus.manifest/v1",
"corpus_version": "1.0.0",
"generated_at": "2025-01-15T00:00:00Z",
"total_cases": 12,
"categories": {
"severity-levels": 4,
"vex-scenarios": 4,
"reachability": 3,
"composite": 1
},
"cases": [
{
"case_id": "critical-log4shell-CVE-2021-44228",
"path": "severity-levels/critical/log4shell-CVE-2021-44228",
"category": "severity-levels/critical",
"cve_id": "CVE-2021-44228",
"expected_score": 10.0,
"files_hash": {
"case.json": "sha256:case001",
"sbom.spdx.json": "sha256:sbom001",
"manifest.json": "sha256:manifest001",
"callgraph.json": "sha256:callgraph001",
"expected-score.json": "sha256:expected001"
}
},
{
"case_id": "high-http2-rapid-reset-CVE-2023-44487",
"path": "severity-levels/high/http2-rapid-reset-CVE-2023-44487",
"category": "severity-levels/high",
"cve_id": "CVE-2023-44487",
"expected_score": 7.8,
"files_hash": {
"case.json": "sha256:case002",
"expected-score.json": "sha256:expected002"
}
},
{
"case_id": "medium-json-dos-CVE-2024-12345",
"path": "severity-levels/medium/json-dos-CVE-2024-12345",
"category": "severity-levels/medium",
"cve_id": "CVE-2024-12345",
"expected_score": 3.2,
"files_hash": {
"case.json": "sha256:case003",
"expected-score.json": "sha256:expected003"
}
},
{
"case_id": "low-info-disclosure-CVE-2024-99999",
"path": "severity-levels/low/info-disclosure-CVE-2024-99999",
"category": "severity-levels/low",
"cve_id": "CVE-2024-99999",
"expected_score": 3.1,
"files_hash": {
"case.json": "sha256:case004",
"expected-score.json": "sha256:expected004"
}
},
{
"case_id": "vex-not-affected-component-not-present",
"path": "vex-scenarios/not-affected/component-not-present",
"category": "vex-scenarios/not-affected",
"cve_id": "CVE-2023-99998",
"expected_score": 0.0,
"files_hash": {
"case.json": "sha256:case005",
"vex.openvex.json": "sha256:vex005",
"expected-score.json": "sha256:expected005"
}
},
{
"case_id": "vex-affected-action-required",
"path": "vex-scenarios/affected/action-required",
"category": "vex-scenarios/affected",
"cve_id": "CVE-2023-99997",
"expected_score": 8.2,
"files_hash": {
"case.json": "sha256:case006",
"vex.openvex.json": "sha256:vex006",
"expected-score.json": "sha256:expected006"
}
},
{
"case_id": "vex-fixed-remediated",
"path": "vex-scenarios/fixed/remediated",
"category": "vex-scenarios/fixed",
"cve_id": "CVE-2021-44228",
"expected_score": 0.0,
"files_hash": {
"case.json": "sha256:case007",
"vex.openvex.json": "sha256:vex007",
"expected-score.json": "sha256:expected007"
}
},
{
"case_id": "vex-under-investigation",
"path": "vex-scenarios/under-investigation/pending-analysis",
"category": "vex-scenarios/under-investigation",
"cve_id": "CVE-2025-00001",
"expected_score": 6.5,
"files_hash": {
"case.json": "sha256:case008",
"vex.openvex.json": "sha256:vex008",
"expected-score.json": "sha256:expected008"
}
},
{
"case_id": "reachability-confirmed-reachable",
"path": "reachability/reachable/confirmed-path",
"category": "reachability/reachable",
"cve_id": "CVE-2024-11111",
"expected_score": 7.9,
"files_hash": {
"case.json": "sha256:case009",
"callgraph.json": "sha256:callgraph009",
"expected-score.json": "sha256:expected009"
}
},
{
"case_id": "reachability-unreachable-dead-code",
"path": "reachability/unreachable/dead-code",
"category": "reachability/unreachable",
"cve_id": "CVE-2024-22222",
"expected_score": 4.2,
"files_hash": {
"case.json": "sha256:case010",
"callgraph.json": "sha256:callgraph010",
"expected-score.json": "sha256:expected010"
}
},
{
"case_id": "reachability-unknown-analysis-incomplete",
"path": "reachability/unknown/analysis-incomplete",
"category": "reachability/unknown",
"cve_id": "CVE-2024-33333",
"expected_score": 6.5,
"files_hash": {
"case.json": "sha256:case011",
"expected-score.json": "sha256:expected011"
}
},
{
"case_id": "composite-reachable-with-vex-mitigated",
"path": "composite/reachable-with-vex/mitigated",
"category": "composite/reachable-with-vex",
"cve_id": "CVE-2024-44444",
"expected_score": 2.5,
"files_hash": {
"case.json": "sha256:case012",
"vex.openvex.json": "sha256:vex012",
"callgraph.json": "sha256:callgraph012",
"expected-score.json": "sha256:expected012"
}
}
]
}
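Review bot: every `files_hash` entry is a placeholder (`sha256:case001`, `sha256:vex005`, ...) rather than a digest, so the "index of all test cases with hashes" the README promises cannot detect drift or tampering in the corpus. Step 4 of Adding New Cases tells contributors to update these entries by hand; either have `corpus-validate` compute real SHA-256 digests over each file and compare them, or drop the field until it does, because a fixture that checks these values will fail on every case and one that ignores them gives a false sense of integrity.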


@@ -0,0 +1,15 @@
{
"schema_version": "stellaops.corpus.version/v1",
"corpus_version": "1.0.0",
"scoring_algorithm_version": "v2.0",
"created_at": "2025-01-15T00:00:00Z",
"updated_at": "2025-01-15T00:00:00Z",
"openvex_schema": "0.2.0",
"spdx_version": "3.0.1",
"cyclonedx_version": "1.6",
"determinism_salt": "frozen-2025-01-15T00:00:00Z",
"compatibility": {
"min_stellaops_version": "0.9.0",
"max_stellaops_version": null
}
}


@@ -0,0 +1,61 @@
{
"schema_version": "reach-corpus.callgraph/v1",
"analysis_timestamp": "2025-01-15T00:00:00Z",
"target_package": "pkg:nuget/SerializationLib@2.0.0",
"nodes": [
{
"id": "node-001",
"symbol": "Example.Api.Controllers.DataController.Import",
"type": "entrypoint",
"file": "src/Controllers/DataController.cs",
"line": 25,
"attributes": {
"http_method": "POST",
"route": "/api/data/import"
}
},
{
"id": "node-002",
"symbol": "Example.Services.ImportService.ProcessData",
"type": "method",
"file": "src/Services/ImportService.cs",
"line": 42
},
{
"id": "node-003",
"symbol": "SerializationLib.JsonSerializer.Deserialize",
"type": "sink",
"file": null,
"line": null,
"package": "pkg:nuget/SerializationLib@2.0.0",
"vulnerable": true,
"cve_ids": ["CVE-2024-11111"]
}
],
"edges": [
{
"from": "node-001",
"to": "node-002",
"type": "call"
},
{
"from": "node-002",
"to": "node-003",
"type": "call",
"tainted": true,
"taint_source": "http_body"
}
],
"reachability_result": {
"status": "reachable",
"confidence": 0.92,
"paths": [
{
"path_id": "path-001",
"nodes": ["node-001", "node-002", "node-003"],
"taint_flow": true,
"explanation": "HTTP POST body flows through ImportService to vulnerable Deserialize method"
}
]
}
}


@@ -0,0 +1,29 @@
{
"schema_version": "stellaops.golden.case/v1",
"case_id": "reachability-confirmed-reachable",
"category": "reachability/reachable",
"description": "High severity CVE with confirmed reachable code path from entrypoint",
"tags": ["reachability", "reachable", "call-graph", "taint-analysis"],
"cve_id": "CVE-2024-11111",
"cwe_id": "CWE-502",
"affected_package": {
"purl": "pkg:nuget/SerializationLib@2.0.0",
"ecosystem": "nuget",
"name": "SerializationLib",
"version": "2.0.0",
"vendor": "Example"
},
"scenario": {
"base_cvss": 8.1,
"kev_listed": false,
"exploit_maturity": "proof-of-concept",
"reachability": "reachable",
"vex_status": null
},
"expected_outcome": {
"stella_score_min": 7.5,
"stella_score_max": 8.5,
"action": "remediate-soon"
},
"notes": "Call graph analysis confirms vulnerable deserialization code is reachable from HTTP endpoint."
}


@@ -0,0 +1,30 @@
{
"schema_version": "stellaops.golden.expected/v1",
"case_id": "reachability-confirmed-reachable",
"determinism_salt": "frozen-2025-01-15T00:00:00Z",
"score_hash": "sha256:b8c9d0e1f2a34567890123456789012345678901234567890123456789b234",
"stella_score": 7.9,
"scoring_factors": {
"base_cvss": 8.1,
"temporal_cvss": 7.8,
"environmental_cvss": 7.9,
"kev_multiplier": 1.0,
"exploit_maturity_adjustment": -0.2,
"reachability_adjustment": 0.0,
"vex_adjustment": 0.0
},
"flags": {
"kev_listed": false,
"exploit_maturity": "proof-of-concept",
"reachability_status": "reachable",
"reachability_confidence": 0.92,
"vex_status": null
},
"action_recommendation": "remediate-soon",
"action_rationale": "High severity deserialization vulnerability (CVSS 8.1) with confirmed reachable path from HTTP endpoint. PoC exists.",
"expected_assertions": {
"score_ge": 7.5,
"score_le": 8.5,
"reachability_reachable": true
}
}


@@ -0,0 +1,29 @@
{
"schema_version": "stellaops.golden.case/v1",
"case_id": "reachability-unknown-analysis-incomplete",
"category": "reachability/unknown",
"description": "High severity CVE with unknown reachability - analysis inconclusive",
"tags": ["reachability", "unknown", "inconclusive"],
"cve_id": "CVE-2024-33333",
"cwe_id": "CWE-611",
"affected_package": {
"purl": "pkg:nuget/XmlParser@3.0.0",
"ecosystem": "nuget",
"name": "XmlParser",
"version": "3.0.0",
"vendor": "Example"
},
"scenario": {
"base_cvss": 7.5,
"kev_listed": false,
"exploit_maturity": "unproven",
"reachability": "unknown",
"vex_status": null
},
"expected_outcome": {
"stella_score_min": 5.5,
"stella_score_max": 7.5,
"action": "investigate"
},
"notes": "Static analysis could not determine reachability. Dynamic analysis or manual review recommended."
}


@@ -0,0 +1,30 @@
{
"schema_version": "stellaops.golden.expected/v1",
"case_id": "reachability-unknown-analysis-incomplete",
"determinism_salt": "frozen-2025-01-15T00:00:00Z",
"score_hash": "sha256:d0e1f2a3b4c56789012345678901234567890123456789012345678901d456",
"stella_score": 6.5,
"scoring_factors": {
"base_cvss": 7.5,
"temporal_cvss": 7.0,
"environmental_cvss": 6.5,
"kev_multiplier": 1.0,
"exploit_maturity_adjustment": -0.5,
"reachability_adjustment": 0.0,
"vex_adjustment": 0.0
},
"flags": {
"kev_listed": false,
"exploit_maturity": "unproven",
"reachability_status": "unknown",
"reachability_confidence": 0.0,
"vex_status": null
},
"action_recommendation": "investigate",
"action_rationale": "High severity XXE (CVSS 7.5) with unknown reachability. Cannot confirm or deny exploitability. Manual review needed.",
"expected_assertions": {
"score_ge": 5.5,
"score_le": 7.5,
"reachability_unknown": true
}
}
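Review bot: `reachability_confidence: 0.0` for `reachability_status: "unknown"` is ambiguous: the manifest lists no `callgraph.json` for this case, so no analysis ran, yet a consumer reading 0.0 cannot tell "no result" from "a result with zero confidence". Use `null` (as `vex_status` already does) when no analysis produced a value, and make sure the `reachability_unknown` assertion checks the status string rather than the confidence.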


@@ -0,0 +1,60 @@
{
"schema_version": "reach-corpus.callgraph/v1",
"analysis_timestamp": "2025-01-15T00:00:00Z",
"target_package": "pkg:nuget/ScriptEngine@1.5.0",
"nodes": [
{
"id": "node-001",
"symbol": "Example.Api.Controllers.MainController.Index",
"type": "entrypoint",
"file": "src/Controllers/MainController.cs",
"line": 15
},
{
"id": "node-002",
"symbol": "Example.Services.DataService.Process",
"type": "method",
"file": "src/Services/DataService.cs",
"line": 30
},
{
"id": "node-003",
"symbol": "Example.Legacy.ScriptRunner.Execute",
"type": "method",
"file": "src/Legacy/ScriptRunner.cs",
"line": 50,
"attributes": {
"dead_code": true,
"reason": "no_callers"
}
},
{
"id": "node-004",
"symbol": "ScriptEngine.Evaluator.Eval",
"type": "sink",
"file": null,
"line": null,
"package": "pkg:nuget/ScriptEngine@1.5.0",
"vulnerable": true,
"cve_ids": ["CVE-2024-22222"]
}
],
"edges": [
{
"from": "node-001",
"to": "node-002",
"type": "call"
},
{
"from": "node-003",
"to": "node-004",
"type": "call"
}
],
"reachability_result": {
"status": "unreachable",
"confidence": 0.95,
"paths": [],
"explanation": "ScriptRunner.Execute has no callers. The vulnerable Eval method is only called from dead code."
}
}
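Review bot: `confidence: 0.95` for `unreachable` is generous when the only evidence is `reason: "no_callers"` on node-003; absence of static callers does not establish that `ScriptRunner.Execute` is never invoked (reflection, DI containers and dynamic dispatch all produce edges a static .NET call graph will miss), and this corpus entry will set the bar for what the reachability tests accept as a confident unreachable verdict. Document how the confidence value is derived, or lower it to reflect that dead-code detection is a heuristic, and consider moving `dead_code`/`reason` out of the node into `reachability_result`, since it is an analysis conclusion rather than a property of the input.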


@@ -0,0 +1,29 @@
{
"schema_version": "stellaops.golden.case/v1",
"case_id": "reachability-unreachable-dead-code",
"category": "reachability/unreachable",
"description": "High severity CVE in dead code - no path from entrypoints",
"tags": ["reachability", "unreachable", "dead-code"],
"cve_id": "CVE-2024-22222",
"cwe_id": "CWE-94",
"affected_package": {
"purl": "pkg:nuget/ScriptEngine@1.5.0",
"ecosystem": "nuget",
"name": "ScriptEngine",
"version": "1.5.0",
"vendor": "Example"
},
"scenario": {
"base_cvss": 9.0,
"kev_listed": false,
"exploit_maturity": "proof-of-concept",
"reachability": "unreachable",
"vex_status": null
},
"expected_outcome": {
"stella_score_min": 3.0,
"stella_score_max": 5.0,
"action": "backlog"
},
"notes": "Critical code injection CVE but vulnerable method is in dead code path. Score significantly reduced."
}
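Review bot: `description` says "High severity CVE" while `base_cvss` is 9.0 and `notes` calls it a "Critical code injection CVE"; 9.0 is Critical, so align the description (and consider whether the case belongs under a `critical` tag) so that a test grouping cases by stated severity does not get a contradictory record.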


@@ -0,0 +1,30 @@
{
"schema_version": "stellaops.golden.expected/v1",
"case_id": "reachability-unreachable-dead-code",
"determinism_salt": "frozen-2025-01-15T00:00:00Z",
"score_hash": "sha256:c9d0e1f2a3b45678901234567890123456789012345678901234567890c345",
"stella_score": 4.2,
"scoring_factors": {
"base_cvss": 9.0,
"temporal_cvss": 8.5,
"environmental_cvss": 4.2,
"kev_multiplier": 1.0,
"exploit_maturity_adjustment": -0.3,
"reachability_adjustment": -4.3,
"vex_adjustment": 0.0
},
"flags": {
"kev_listed": false,
"exploit_maturity": "proof-of-concept",
"reachability_status": "unreachable",
"reachability_confidence": 0.95,
"vex_status": null
},
"action_recommendation": "backlog",
"action_rationale": "Critical code injection (CVSS 9.0) but vulnerable code is unreachable (dead code). Add to backlog for cleanup.",
"expected_assertions": {
"score_ge": 3.0,
"score_le": 5.0,
"reachability_unreachable": true
}
}


@@ -0,0 +1,57 @@
{
"schema_version": "reach-corpus.callgraph/v1",
"analysis_timestamp": "2025-01-15T00:00:00Z",
"target_package": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
"nodes": [
{
"id": "node-001",
"symbol": "com.example.app.Main.main",
"type": "entrypoint",
"file": "src/main/java/com/example/app/Main.java",
"line": 10
},
{
"id": "node-002",
"symbol": "com.example.app.UserService.processRequest",
"type": "method",
"file": "src/main/java/com/example/app/UserService.java",
"line": 25
},
{
"id": "node-003",
"symbol": "org.apache.logging.log4j.Logger.info",
"type": "sink",
"file": null,
"line": null,
"package": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
"vulnerable": true,
"cve_ids": ["CVE-2021-44228"]
}
],
"edges": [
{
"from": "node-001",
"to": "node-002",
"type": "call"
},
{
"from": "node-002",
"to": "node-003",
"type": "call",
"tainted": true,
"taint_source": "user_input"
}
],
"reachability_result": {
"status": "reachable",
"paths": [
{
"path_id": "path-001",
"nodes": ["node-001", "node-002", "node-003"],
"taint_flow": true,
"confidence": 0.95
}
],
"explanation": "User input flows from Main.main through UserService.processRequest to Logger.info, where JNDI lookup can be triggered."
}
}
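Review bot: this file puts `confidence` inside the path entry and `explanation` at the `reachability_result` level, whereas the composite and confirmed-reachable callgraphs in the same commit, under the same `schema_version` `reach-corpus.callgraph/v1`, put `confidence` at the result level and `explanation` inside each path (the dead-code one has `explanation` at result level with an empty `paths` array). Pick one shape for v1, or document both as allowed, before the reachability fixture's deserializer is written against whichever file it happens to read first.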


@@ -0,0 +1,29 @@
{
"schema_version": "stellaops.golden.case/v1",
"case_id": "critical-log4shell-CVE-2021-44228",
"category": "severity-levels/critical",
"description": "Log4Shell JNDI injection - Critical severity (CVSS 10.0), in KEV, reachable",
"tags": ["critical", "kev", "reachable", "remote-code-execution"],
"cve_id": "CVE-2021-44228",
"cwe_id": "CWE-917",
"affected_package": {
"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
"ecosystem": "maven",
"name": "log4j-core",
"version": "2.14.1",
"vendor": "Apache"
},
"scenario": {
"base_cvss": 10.0,
"kev_listed": true,
"exploit_maturity": "weaponized",
"reachability": "reachable",
"vex_status": null
},
"expected_outcome": {
"stella_score_min": 9.5,
"stella_score_max": 10.0,
"action": "remediate-immediately"
},
"notes": "This is the canonical critical case - maximum severity, in KEV, actively weaponized, and reachable."
}


@@ -0,0 +1,31 @@
{
"schema_version": "stellaops.golden.expected/v1",
"case_id": "critical-log4shell-CVE-2021-44228",
"determinism_salt": "frozen-2025-01-15T00:00:00Z",
"score_hash": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"stella_score": 10.0,
"scoring_factors": {
"base_cvss": 10.0,
"temporal_cvss": 10.0,
"environmental_cvss": 10.0,
"kev_multiplier": 1.0,
"exploit_maturity_adjustment": 0.0,
"reachability_adjustment": 0.0,
"vex_adjustment": 0.0
},
"flags": {
"kev_listed": true,
"exploit_maturity": "weaponized",
"reachability_status": "reachable",
"vex_status": null
},
"action_recommendation": "remediate-immediately",
"action_rationale": "Critical severity (CVSS 10.0), listed in KEV, actively weaponized exploit, and reachable from application entrypoint. Immediate remediation required.",
"expected_assertions": {
"score_ge": 9.5,
"score_le": 10.0,
"kev_flag_true": true,
"reachability_reachable": true,
"action_is_remediate": true
}
}
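Review bot: `score_hash` here is `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`, the SHA-256 of empty input, so any fixture that recomputes the hash over the scoring inputs will never match it; if hashes are not yet generated, use an obviously labelled placeholder as the other expected files do rather than a real digest of nothing. This is also the only expected-score file whose `flags` block omits `reachability_confidence` even though its callgraph reports 0.95; add it for consistency with the other cases.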


@@ -0,0 +1,32 @@
{
"schema_version": "stellaops.manifest/v1",
"manifest_id": "golden-corpus-log4shell-manifest",
"created_at": "2025-01-15T00:00:00Z",
"scan_target": {
"type": "container",
"digest": "sha256:deadbeef1234567890abcdef1234567890abcdef1234567890abcdef12345678",
"name": "example.io/vulnerable-java-app:1.0.0"
},
"sbom_binding": {
"sbom_digest": "sha256:sbom0123456789abcdef0123456789abcdef0123456789abcdef0123456789ab",
"sbom_format": "spdx",
"sbom_version": "3.0.1"
},
"findings": [
{
"finding_id": "finding-001",
"cve_id": "CVE-2021-44228",
"package_purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
"severity": "CRITICAL",
"cvss_v3_score": 10.0,
"cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"kev_listed": true,
"epss_score": 0.975,
"exploit_maturity": "weaponized"
}
],
"attestations": {
"sbom_attestation": "sha256:attest01234567890abcdef0123456789abcdef0123456789abcdef01234567",
"scan_attestation": null
}
}
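Review bot: `sbom_digest` (`sha256:sbom0123...`) and `sbom_attestation` (`sha256:attest0123...`) contain non-hex characters, so they are not valid `sha256:` digests and any digest-format validation in the proof-chain fixture will reject them, while `scan_target.digest` is well-formed; either compute the real digest over `sbom.spdx.json` (which is what `sbom_binding` is supposed to bind) or use a clearly labelled placeholder field instead of a malformed digest.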


@@ -0,0 +1,60 @@
{
"spdxVersion": "SPDX-3.0.1",
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "golden-corpus-log4shell",
"documentNamespace": "https://stellaops.io/spdx/golden-corpus/critical-log4shell-CVE-2021-44228",
"creationInfo": {
"created": "2025-01-15T00:00:00Z",
"creators": ["Tool: stellaops-corpus-generator-1.0.0"]
},
"packages": [
{
"SPDXID": "SPDXRef-Package-log4j-core",
"name": "log4j-core",
"versionInfo": "2.14.1",
"packageUrl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
"downloadLocation": "https://repo.maven.apache.org/maven2/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar",
"filesAnalyzed": false,
"supplier": "Organization: Apache Software Foundation",
"externalRefs": [
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
}
],
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "a1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef"
}
]
},
{
"SPDXID": "SPDXRef-Package-application",
"name": "vulnerable-java-app",
"versionInfo": "1.0.0",
"packageUrl": "pkg:maven/com.example/vulnerable-java-app@1.0.0",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false
}
],
"relationships": [
{
"spdxElementId": "SPDXRef-DOCUMENT",
"relationshipType": "DESCRIBES",
"relatedSpdxElement": "SPDXRef-Package-application"
},
{
"spdxElementId": "SPDXRef-Package-application",
"relationshipType": "DEPENDS_ON",
"relatedSpdxElement": "SPDXRef-Package-log4j-core"
}
]
}
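Review bot: `spdxVersion` claims `SPDX-3.0.1`, but the document is laid out as an SPDX 2.x JSON file (`SPDXID`, `dataLicense`, `documentNamespace`, `creationInfo.creators`, top-level `packages` and `relationships`); SPDX 3.0.1 is JSON-LD with `@context` and `@graph` elements, and `packageUrl` is not a 2.x package field either (the purl already sits in `externalRefs`, which is the 2.x place for it). Since the README, `corpus-version.json` and `manifest.json` all advertise SPDX 3.0.1, decide which version the corpus really targets and make this file a valid instance of it; the `checksumValue` is also a placeholder that is not a 64-hex-digit SHA-256.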


@@ -0,0 +1,29 @@
{
"schema_version": "stellaops.golden.case/v1",
"case_id": "high-http2-rapid-reset-CVE-2023-44487",
"category": "severity-levels/high",
"description": "HTTP/2 Rapid Reset DoS - High severity (CVSS 7.5), reachable web server",
"tags": ["high", "denial-of-service", "reachable", "http2"],
"cve_id": "CVE-2023-44487",
"cwe_id": "CWE-400",
"affected_package": {
"purl": "pkg:nuget/Microsoft.AspNetCore.Server.Kestrel@6.0.0",
"ecosystem": "nuget",
"name": "Microsoft.AspNetCore.Server.Kestrel",
"version": "6.0.0",
"vendor": "Microsoft"
},
"scenario": {
"base_cvss": 7.5,
"kev_listed": true,
"exploit_maturity": "proof-of-concept",
"reachability": "reachable",
"vex_status": null
},
"expected_outcome": {
"stella_score_min": 7.0,
"stella_score_max": 8.5,
"action": "remediate-soon"
},
"notes": "High severity DoS vulnerability. In KEV but only proof-of-concept exploit. Reachable as web server."
}
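Review bot: `kev_listed: true` together with `exploit_maturity: "proof-of-concept"` (and the note "In KEV but only proof-of-concept exploit") is self-contradictory for CVE-2023-44487: KEV membership means exploitation in the wild, and Rapid Reset was observed in large-scale attacks before disclosure. If the intent is to exercise a KEV-listed-but-low-maturity combination in the scorer, use a synthetic CVE for it; if the case is meant to model the real vulnerability, set the maturity accordingly. Separately, `pkg:nuget/Microsoft.AspNetCore.Server.Kestrel@6.0.0` is not a resolvable package (Kestrel ships inside the Microsoft.AspNetCore.App shared framework from 3.0 onward), so unlike the log4j purl it cannot be matched against a real feed.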


@@ -0,0 +1,30 @@
{
"schema_version": "stellaops.golden.expected/v1",
"case_id": "high-http2-rapid-reset-CVE-2023-44487",
"determinism_salt": "frozen-2025-01-15T00:00:00Z",
"score_hash": "sha256:a1b2c3d4e5f6789012345678901234567890123456789012345678901234abcd",
"stella_score": 7.8,
"scoring_factors": {
"base_cvss": 7.5,
"temporal_cvss": 7.5,
"environmental_cvss": 7.8,
"kev_multiplier": 1.05,
"exploit_maturity_adjustment": -0.2,
"reachability_adjustment": 0.0,
"vex_adjustment": 0.0
},
"flags": {
"kev_listed": true,
"exploit_maturity": "proof-of-concept",
"reachability_status": "reachable",
"vex_status": null
},
"action_recommendation": "remediate-soon",
"action_rationale": "High severity DoS (CVSS 7.5), in KEV, but only PoC exploit available. Web server is reachable. Schedule remediation within sprint.",
"expected_assertions": {
"score_ge": 7.0,
"score_le": 8.5,
"kev_flag_true": true,
"reachability_reachable": true
}
}
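Review bot: `kev_multiplier` is 1.05 here but 1.0 in the Log4Shell expected file, although both cases have `kev_listed: true`; either the multiplier depends on something not recorded in `flags`, or one of the two files is wrong. The arithmetic also does not close (7.5 x 1.05 - 0.2 is 7.675, not 7.8), so this file should be regenerated from the scorer rather than maintained by hand.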


@@ -0,0 +1,29 @@
{
"schema_version": "stellaops.golden.case/v1",
"case_id": "low-info-disclosure-CVE-2024-99999",
"category": "severity-levels/low",
"description": "Minor information disclosure in error messages - Low severity (CVSS 3.1)",
"tags": ["low", "information-disclosure", "reachable"],
"cve_id": "CVE-2024-99999",
"cwe_id": "CWE-209",
"affected_package": {
"purl": "pkg:nuget/SomeLibrary@1.0.0",
"ecosystem": "nuget",
"name": "SomeLibrary",
"version": "1.0.0",
"vendor": "Example"
},
"scenario": {
"base_cvss": 3.1,
"kev_listed": false,
"exploit_maturity": "unproven",
"reachability": "reachable",
"vex_status": null
},
"expected_outcome": {
"stella_score_min": 2.5,
"stella_score_max": 3.5,
"action": "accept-risk"
},
"notes": "Low severity info disclosure. Reachable but minimal impact. May accept risk."
}


@@ -0,0 +1,29 @@
{
"schema_version": "stellaops.golden.expected/v1",
"case_id": "low-info-disclosure-CVE-2024-99999",
"determinism_salt": "frozen-2025-01-15T00:00:00Z",
"score_hash": "sha256:c3d4e5f6a7b89012345678901234567890123456789012345678901234cdef",
"stella_score": 3.1,
"scoring_factors": {
"base_cvss": 3.1,
"temporal_cvss": 3.1,
"environmental_cvss": 3.1,
"kev_multiplier": 1.0,
"exploit_maturity_adjustment": 0.0,
"reachability_adjustment": 0.0,
"vex_adjustment": 0.0
},
"flags": {
"kev_listed": false,
"exploit_maturity": "unproven",
"reachability_status": "reachable",
"vex_status": null
},
"action_recommendation": "accept-risk",
"action_rationale": "Low severity (CVSS 3.1) information disclosure. Code is reachable but impact is minimal. Consider accepting risk.",
"expected_assertions": {
"score_ge": 2.5,
"score_le": 3.5,
"kev_flag_true": false
}
}


@@ -0,0 +1,29 @@
{
"schema_version": "stellaops.golden.case/v1",
"case_id": "medium-json-dos-CVE-2024-12345",
"category": "severity-levels/medium",
"description": "JSON parsing DoS via deeply nested objects - Medium severity (CVSS 5.3), unreachable",
"tags": ["medium", "denial-of-service", "unreachable", "json"],
"cve_id": "CVE-2024-12345",
"cwe_id": "CWE-400",
"affected_package": {
"purl": "pkg:nuget/Newtonsoft.Json@12.0.3",
"ecosystem": "nuget",
"name": "Newtonsoft.Json",
"version": "12.0.3",
"vendor": "Newtonsoft"
},
"scenario": {
"base_cvss": 5.3,
"kev_listed": false,
"exploit_maturity": "unproven",
"reachability": "unreachable",
"vex_status": null
},
"expected_outcome": {
"stella_score_min": 2.0,
"stella_score_max": 4.0,
"action": "backlog"
},
"notes": "Medium severity but unreachable code path significantly reduces risk. No known exploits."
}


@@ -0,0 +1,30 @@
{
"schema_version": "stellaops.golden.expected/v1",
"case_id": "medium-json-dos-CVE-2024-12345",
"determinism_salt": "frozen-2025-01-15T00:00:00Z",
"score_hash": "sha256:b2c3d4e5f6a789012345678901234567890123456789012345678901234bcde",
"stella_score": 3.2,
"scoring_factors": {
"base_cvss": 5.3,
"temporal_cvss": 5.0,
"environmental_cvss": 3.2,
"kev_multiplier": 1.0,
"exploit_maturity_adjustment": -0.3,
"reachability_adjustment": -1.8,
"vex_adjustment": 0.0
},
"flags": {
"kev_listed": false,
"exploit_maturity": "unproven",
"reachability_status": "unreachable",
"vex_status": null
},
"action_recommendation": "backlog",
"action_rationale": "Medium severity (CVSS 5.3) but code path is unreachable. No known exploits. Add to backlog for eventual cleanup.",
"expected_assertions": {
"score_ge": 2.0,
"score_le": 4.0,
"kev_flag_true": false,
"reachability_unreachable": true
}
}
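Review bot: `"score_hash": "sha256:b2c3d4e5f6a789012345678901234567890123456789012345678901234bcde"` is a sequential-hex placeholder rather than a digest of any canonical output, and it does not have the 64 hex characters a SHA-256 digest requires; the same pattern appears in the other `expected.json` files in this change. If the determinism check compares the computed hash against this field, every case fails; if it does not, the field is dead data. Either generate the value from the canonicalized expected output under the `determinism_salt` or mark the field as pending so the test knows to skip it.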


@@ -0,0 +1,30 @@
{
"schema_version": "stellaops.golden.case/v1",
"case_id": "vex-affected-action-required",
"category": "vex-scenarios/affected",
"description": "High severity CVE with VEX status affected - action required",
"tags": ["vex", "affected", "action-required"],
"cve_id": "CVE-2023-99997",
"cwe_id": "CWE-89",
"affected_package": {
"purl": "pkg:nuget/DatabaseLib@3.0.0",
"ecosystem": "nuget",
"name": "DatabaseLib",
"version": "3.0.0",
"vendor": "Example"
},
"scenario": {
"base_cvss": 8.5,
"kev_listed": false,
"exploit_maturity": "proof-of-concept",
"reachability": "reachable",
"vex_status": "affected",
"vex_action_statement": "Upgrade to version 3.1.0 or later"
},
"expected_outcome": {
"stella_score_min": 7.5,
"stella_score_max": 9.0,
"action": "remediate-soon"
},
"notes": "VEX confirms affected status with recommended action. Score reflects confirmed exploitability."
}
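Review bot: `"vex_action_statement": "Upgrade to version 3.1.0 or later"` duplicates the `action_statement` carried by the case's OpenVEX document, and the two texts already differ (the OpenVEX copy ends "to remediate this vulnerability."). If the scorer reads the VEX document, this field is redundant and will drift; if the scorer reads this field, the OpenVEX file is not exercised. Pick one source of truth and document which one the test consumes.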


@@ -0,0 +1,29 @@
{
"schema_version": "stellaops.golden.expected/v1",
"case_id": "vex-affected-action-required",
"determinism_salt": "frozen-2025-01-15T00:00:00Z",
"score_hash": "sha256:e5f6a7b8c9d01234567890123456789012345678901234567890123456ef01",
"stella_score": 8.2,
"scoring_factors": {
"base_cvss": 8.5,
"temporal_cvss": 8.0,
"environmental_cvss": 8.2,
"kev_multiplier": 1.0,
"exploit_maturity_adjustment": -0.3,
"reachability_adjustment": 0.0,
"vex_adjustment": 0.0
},
"flags": {
"kev_listed": false,
"exploit_maturity": "proof-of-concept",
"reachability_status": "reachable",
"vex_status": "affected"
},
"action_recommendation": "remediate-soon",
"action_rationale": "VEX confirms affected status. High severity SQL injection (CVSS 8.5), reachable. Upgrade to 3.1.0+ as recommended.",
"expected_assertions": {
"score_ge": 7.5,
"score_le": 9.0,
"vex_status_is": "affected"
}
}
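Review bot: `"exploit_maturity_adjustment": -0.3` for `"exploit_maturity": "proof-of-concept"` conflicts with the `vex-not-affected-component-not-present` expected file in this change, where the same `proof-of-concept` maturity yields `-0.5`. If the scoring algorithm maps maturity to a fixed adjustment, both expected files cannot be correct; if the adjustment depends on other inputs, the breakdown should show that dependency. Please reconcile the two values against the scoring spec referenced in the corpus README.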


@@ -0,0 +1,23 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://stellaops.io/vex/golden-corpus/vex-affected-action-required",
"author": "StellaOps Golden Corpus",
"timestamp": "2025-01-15T00:00:00Z",
"version": 1,
"statements": [
{
"vulnerability": {
"@id": "https://nvd.nist.gov/vuln/detail/CVE-2023-99997",
"name": "CVE-2023-99997"
},
"products": [
{
"@id": "pkg:nuget/DatabaseLib@3.0.0"
}
],
"status": "affected",
"action_statement": "Upgrade to version 3.1.0 or later to remediate this vulnerability.",
"action_statement_timestamp": "2025-01-15T00:00:00Z"
}
]
}


@@ -0,0 +1,29 @@
{
"schema_version": "stellaops.golden.case/v1",
"case_id": "vex-fixed-remediated",
"category": "vex-scenarios/fixed",
"description": "Previously critical CVE now fixed - version updated",
"tags": ["vex", "fixed", "remediated"],
"cve_id": "CVE-2021-44228",
"cwe_id": "CWE-917",
"affected_package": {
"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
"ecosystem": "maven",
"name": "log4j-core",
"version": "2.17.1",
"vendor": "Apache"
},
"scenario": {
"base_cvss": 10.0,
"kev_listed": true,
"exploit_maturity": "weaponized",
"reachability": "reachable",
"vex_status": "fixed"
},
"expected_outcome": {
"stella_score_min": 0.0,
"stella_score_max": 0.0,
"action": "no-action-required"
},
"notes": "Log4Shell was critical but version 2.17.1 includes the fix. VEX marks as fixed."
}


@@ -0,0 +1,28 @@
{
"schema_version": "stellaops.golden.expected/v1",
"case_id": "vex-fixed-remediated",
"determinism_salt": "frozen-2025-01-15T00:00:00Z",
"score_hash": "sha256:f6a7b8c9d0e12345678901234567890123456789012345678901234567f012",
"stella_score": 0.0,
"scoring_factors": {
"base_cvss": 10.0,
"temporal_cvss": 10.0,
"environmental_cvss": 0.0,
"kev_multiplier": 1.0,
"exploit_maturity_adjustment": 0.0,
"reachability_adjustment": 0.0,
"vex_adjustment": -10.0
},
"flags": {
"kev_listed": true,
"exploit_maturity": "weaponized",
"reachability_status": "reachable",
"vex_status": "fixed"
},
"action_recommendation": "no-action-required",
"action_rationale": "VEX status is fixed. Version 2.17.1 contains the complete remediation for Log4Shell.",
"expected_assertions": {
"score_eq": 0.0,
"vex_status_is": "fixed"
}
}
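Review bot: `"kev_multiplier": 1.0` is the same value the non-KEV cases use, even though this is the only case with `"kev_listed": true`. As written, the factor breakdown cannot distinguish "KEV multiplier applied, then zeroed by the fixed VEX status" from "KEV multiplier never applied". Either the expected multiplier should carry the KEV value and the VEX adjustment should absorb it, or the scoring docs should state that a `fixed` status short-circuits the remaining factors, in which case a consistency test over these files should tolerate that.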


@@ -0,0 +1,22 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://stellaops.io/vex/golden-corpus/vex-fixed-remediated",
"author": "StellaOps Golden Corpus",
"timestamp": "2025-01-15T00:00:00Z",
"version": 1,
"statements": [
{
"vulnerability": {
"@id": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
"name": "CVE-2021-44228"
},
"products": [
{
"@id": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"
}
],
"status": "fixed",
"impact_statement": "This version (2.17.1) contains the complete fix for Log4Shell. JNDI lookups are disabled by default."
}
]
}


@@ -0,0 +1,30 @@
{
"schema_version": "stellaops.golden.case/v1",
"case_id": "vex-not-affected-component-not-present",
"category": "vex-scenarios/not-affected",
"description": "High severity CVE marked not_affected - vulnerable component not present",
"tags": ["vex", "not-affected", "component-not-present"],
"cve_id": "CVE-2023-99998",
"cwe_id": "CWE-79",
"affected_package": {
"purl": "pkg:nuget/VulnerableLib@2.0.0",
"ecosystem": "nuget",
"name": "VulnerableLib",
"version": "2.0.0",
"vendor": "Example"
},
"scenario": {
"base_cvss": 8.0,
"kev_listed": false,
"exploit_maturity": "proof-of-concept",
"reachability": "unknown",
"vex_status": "not_affected",
"vex_justification": "component_not_present"
},
"expected_outcome": {
"stella_score_min": 0.0,
"stella_score_max": 1.0,
"action": "no-action-required"
},
"notes": "VEX statement declares not_affected due to component_not_present. Score should be minimal/zero."
}


@@ -0,0 +1,29 @@
{
"schema_version": "stellaops.golden.expected/v1",
"case_id": "vex-not-affected-component-not-present",
"determinism_salt": "frozen-2025-01-15T00:00:00Z",
"score_hash": "sha256:d4e5f6a7b8c90123456789012345678901234567890123456789012345def0",
"stella_score": 0.0,
"scoring_factors": {
"base_cvss": 8.0,
"temporal_cvss": 7.5,
"environmental_cvss": 0.0,
"kev_multiplier": 1.0,
"exploit_maturity_adjustment": -0.5,
"reachability_adjustment": 0.0,
"vex_adjustment": -8.0
},
"flags": {
"kev_listed": false,
"exploit_maturity": "proof-of-concept",
"reachability_status": "unknown",
"vex_status": "not_affected",
"vex_justification": "component_not_present"
},
"action_recommendation": "no-action-required",
"action_rationale": "VEX statement declares not_affected with justification component_not_present. No remediation needed.",
"expected_assertions": {
"score_eq": 0.0,
"vex_status_is": "not_affected"
}
}
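Review bot: the `scoring_factors` here do not reconcile with `"stella_score": 0.0`: `8.0 - 0.5 + 0.0 - 8.0` gives `-0.5`, so either a clamp to zero is implied and should be documented, or `"vex_adjustment"` should be `-7.5` so the breakdown sums exactly. Separately, `"reachability_adjustment": 0.0` for `"reachability_status": "unknown"` conflicts with the `vex-under-investigation` expected file in this change, where `unknown` reachability yields `-0.3` while the exploit-maturity penalty is still applied in both; reconcile the two.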


@@ -0,0 +1,23 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://stellaops.io/vex/golden-corpus/vex-not-affected-component-not-present",
"author": "StellaOps Golden Corpus",
"timestamp": "2025-01-15T00:00:00Z",
"version": 1,
"statements": [
{
"vulnerability": {
"@id": "https://nvd.nist.gov/vuln/detail/CVE-2023-99998",
"name": "CVE-2023-99998"
},
"products": [
{
"@id": "pkg:nuget/VulnerableLib@2.0.0"
}
],
"status": "not_affected",
"justification": "component_not_present",
"impact_statement": "The vulnerable component (specific module) is not included in this build configuration."
}
]
}


@@ -0,0 +1,29 @@
{
"schema_version": "stellaops.golden.case/v1",
"case_id": "vex-under-investigation",
"category": "vex-scenarios/under-investigation",
"description": "New CVE being investigated - status pending analysis",
"tags": ["vex", "under-investigation", "pending"],
"cve_id": "CVE-2025-00001",
"cwe_id": "CWE-787",
"affected_package": {
"purl": "pkg:nuget/NewLib@1.0.0",
"ecosystem": "nuget",
"name": "NewLib",
"version": "1.0.0",
"vendor": "Example"
},
"scenario": {
"base_cvss": 7.8,
"kev_listed": false,
"exploit_maturity": "unproven",
"reachability": "unknown",
"vex_status": "under_investigation"
},
"expected_outcome": {
"stella_score_min": 5.0,
"stella_score_max": 8.0,
"action": "monitor"
},
"notes": "Newly disclosed CVE under investigation. Score based on base CVSS until VEX is updated."
}


@@ -0,0 +1,29 @@
{
"schema_version": "stellaops.golden.expected/v1",
"case_id": "vex-under-investigation",
"determinism_salt": "frozen-2025-01-15T00:00:00Z",
"score_hash": "sha256:a7b8c9d0e1f23456789012345678901234567890123456789012345678a123",
"stella_score": 6.5,
"scoring_factors": {
"base_cvss": 7.8,
"temporal_cvss": 7.0,
"environmental_cvss": 6.5,
"kev_multiplier": 1.0,
"exploit_maturity_adjustment": -0.5,
"reachability_adjustment": -0.3,
"vex_adjustment": 0.0
},
"flags": {
"kev_listed": false,
"exploit_maturity": "unproven",
"reachability_status": "unknown",
"vex_status": "under_investigation"
},
"action_recommendation": "monitor",
"action_rationale": "VEX status is under_investigation. Monitor for updates. Scoring based on base CVSS with uncertainty adjustments.",
"expected_assertions": {
"score_ge": 5.0,
"score_le": 8.0,
"vex_status_is": "under_investigation"
}
}
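Review bot: the `scoring_factors` do not add up to the recorded score: `7.8 - 0.5 - 0.3 + 0.0` is `7.0`, yet `environmental_cvss` and `stella_score` are both `6.5`, so a `-0.5` adjustment is missing from the breakdown (the `action_rationale` mentions "uncertainty adjustments", which suggests an `under_investigation` penalty that should appear as its own factor, e.g. in `vex_adjustment`). Also `"exploit_maturity_adjustment": -0.5` for `unproven` conflicts with the `medium-json-dos-CVE-2024-12345` expected file in this change, where `unproven` yields `-0.3`.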


@@ -0,0 +1,22 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
"@id": "https://stellaops.io/vex/golden-corpus/vex-under-investigation",
"author": "StellaOps Golden Corpus",
"timestamp": "2025-01-15T00:00:00Z",
"version": 1,
"statements": [
{
"vulnerability": {
"@id": "https://nvd.nist.gov/vuln/detail/CVE-2025-00001",
"name": "CVE-2025-00001"
},
"products": [
{
"@id": "pkg:nuget/NewLib@1.0.0"
}
],
"status": "under_investigation",
"status_notes": "Security team is analyzing impact. Update expected within 48 hours."
}
]
}