up

tests/reachability/fixtures/patch-oracles/INDEX.json

@@ -0,0 +1,32 @@
+{
+  "version": "1.0",
+  "schema": "patch-oracle/v1",
+  "generated_at": "2025-12-13T00:00:00Z",
+  "description": "Patch-oracle fixtures for CI graph validation. Each oracle defines expected functions/edges that must be present (or absent) in generated reachability graphs.",
+  "oracles": [
+    {
+      "id": "curl-CVE-2023-38545-socks5-heap-reachable",
+      "case_ref": "curl-CVE-2023-38545-socks5-heap",
+      "variant": "reachable",
+      "path": "cases/curl-CVE-2023-38545-socks5-heap/reachable.oracle.json"
+    },
+    {
+      "id": "curl-CVE-2023-38545-socks5-heap-unreachable",
+      "case_ref": "curl-CVE-2023-38545-socks5-heap",
+      "variant": "unreachable",
+      "path": "cases/curl-CVE-2023-38545-socks5-heap/unreachable.oracle.json"
+    },
+    {
+      "id": "java-log4j-CVE-2021-44228-log4shell-reachable",
+      "case_ref": "java-log4j-CVE-2021-44228-log4shell",
+      "variant": "reachable",
+      "path": "cases/java-log4j-CVE-2021-44228-log4shell/reachable.oracle.json"
+    },
+    {
+      "id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset-reachable",
+      "case_ref": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
+      "variant": "reachable",
+      "path": "cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/reachable.oracle.json"
+    }
+  ]
+}

tests/reachability/fixtures/patch-oracles/cases/curl-CVE-2023-38545-socks5-heap/reachable.oracle.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "patch-oracle/v1",
+  "id": "curl-CVE-2023-38545-socks5-heap-reachable",
+  "case_ref": "curl-CVE-2023-38545-socks5-heap",
+  "variant": "reachable",
+  "description": "Validates that the SOCKS5 heap overflow vulnerability path is reachable from network handler to vulnerable sink",
+  "expected_functions": [
+    {
+      "symbol_id": "sym://net:handler#read",
+      "kind": "entrypoint",
+      "required": true,
+      "reason": "Network read handler is the entry point for external data"
+    },
+    {
+      "symbol_id": "sym://curl:curl.c#entry",
+      "kind": "function",
+      "required": true,
+      "reason": "SOCKS5 protocol handling entry point"
+    },
+    {
+      "symbol_id": "sym://curl:curl.c#sink",
+      "kind": "function",
+      "required": true,
+      "reason": "Vulnerable buffer handling function"
+    }
+  ],
+  "expected_edges": [
+    {
+      "from": "sym://net:handler#read",
+      "to": "sym://curl:curl.c#entry",
+      "kind": "call",
+      "min_confidence": 0.8,
+      "required": true,
+      "reason": "Data flows from network handler to SOCKS5 handler"
+    },
+    {
+      "from": "sym://curl:curl.c#entry",
+      "to": "sym://curl:curl.c#sink",
+      "kind": "call",
+      "min_confidence": 0.8,
+      "required": true,
+      "reason": "SOCKS5 handler invokes vulnerable buffer function"
+    }
+  ],
+  "expected_roots": [
+    {
+      "id": "sym://net:handler#read",
+      "phase": "runtime",
+      "required": true,
+      "reason": "Network handler is the runtime entry point"
+    }
+  ],
+  "min_confidence": 0.5,
+  "strict_mode": false,
+  "created_at": "2025-12-13T00:00:00Z"
+}

tests/reachability/fixtures/patch-oracles/cases/curl-CVE-2023-38545-socks5-heap/unreachable.oracle.json

@@ -0,0 +1,32 @@
+{
+  "schema_version": "patch-oracle/v1",
+  "id": "curl-CVE-2023-38545-socks5-heap-unreachable",
+  "case_ref": "curl-CVE-2023-38545-socks5-heap",
+  "variant": "unreachable",
+  "description": "Validates that the SOCKS5 heap overflow vulnerability path is NOT reachable when SOCKS5 is disabled",
+  "expected_functions": [
+    {
+      "symbol_id": "sym://net:handler#read",
+      "kind": "entrypoint",
+      "required": true,
+      "reason": "Network read handler still exists but cannot reach vulnerable code"
+    }
+  ],
+  "expected_edges": [],
+  "forbidden_functions": [
+    {
+      "symbol_id": "sym://curl:curl.c#sink",
+      "reason": "Vulnerable sink should not be in call graph when SOCKS5 disabled"
+    }
+  ],
+  "forbidden_edges": [
+    {
+      "from": "sym://curl:curl.c#entry",
+      "to": "sym://curl:curl.c#sink",
+      "reason": "This edge should not exist when SOCKS5 is disabled"
+    }
+  ],
+  "min_confidence": 0.5,
+  "strict_mode": false,
+  "created_at": "2025-12-13T00:00:00Z"
+}

tests/reachability/fixtures/patch-oracles/cases/dotnet-kestrel-CVE-2023-44487-http2-rapid-reset/reachable.oracle.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "patch-oracle/v1",
+  "id": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset-reachable",
+  "case_ref": "dotnet-kestrel-CVE-2023-44487-http2-rapid-reset",
+  "variant": "reachable",
+  "description": "Validates that the HTTP/2 Rapid Reset DoS vulnerability path is reachable",
+  "expected_functions": [
+    {
+      "symbol_id": "sym://dotnet:Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http2.Http2Connection#ProcessRequestsAsync",
+      "lang": "dotnet",
+      "kind": "method",
+      "required": true,
+      "reason": "HTTP/2 connection handler entry point"
+    },
+    {
+      "symbol_id": "sym://dotnet:Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http2.Http2Stream#*",
+      "lang": "dotnet",
+      "kind": "method",
+      "required": true,
+      "reason": "HTTP/2 stream management affected by rapid reset"
+    }
+  ],
+  "expected_edges": [
+    {
+      "from": "sym://dotnet:Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http2.Http2Connection#ProcessRequestsAsync",
+      "to": "sym://dotnet:Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http2.Http2Stream#*",
+      "kind": "call",
+      "min_confidence": 0.7,
+      "required": true,
+      "reason": "Connection handler creates/manages streams"
+    }
+  ],
+  "expected_roots": [
+    {
+      "id": "sym://dotnet:Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http2.Http2Connection#ProcessRequestsAsync",
+      "phase": "runtime",
+      "required": true,
+      "reason": "HTTP/2 processing is a runtime entry point"
+    }
+  ],
+  "min_confidence": 0.5,
+  "strict_mode": false,
+  "created_at": "2025-12-13T00:00:00Z"
+}

tests/reachability/fixtures/patch-oracles/cases/java-log4j-CVE-2021-44228-log4shell/reachable.oracle.json

@@ -0,0 +1,64 @@
+{
+  "schema_version": "patch-oracle/v1",
+  "id": "java-log4j-CVE-2021-44228-log4shell-reachable",
+  "case_ref": "java-log4j-CVE-2021-44228-log4shell",
+  "variant": "reachable",
+  "description": "Validates that the Log4Shell JNDI injection path is reachable from logger to JNDI lookup",
+  "expected_functions": [
+    {
+      "symbol_id": "sym://java:org.apache.logging.log4j.core.Logger#logMessage",
+      "lang": "java",
+      "kind": "method",
+      "required": true,
+      "reason": "Logger entry point that processes user-controlled format strings"
+    },
+    {
+      "symbol_id": "sym://java:org.apache.logging.log4j.core.pattern.MessagePatternConverter#format",
+      "lang": "java",
+      "kind": "method",
+      "required": true,
+      "reason": "Pattern converter that triggers lookup substitution"
+    },
+    {
+      "symbol_id": "sym://java:org.apache.logging.log4j.core.lookup.StrSubstitutor#replace",
+      "lang": "java",
+      "kind": "method",
+      "required": true,
+      "reason": "String substitution that invokes lookups"
+    },
+    {
+      "symbol_id": "sym://java:org.apache.logging.log4j.core.lookup.JndiLookup#lookup",
+      "lang": "java",
+      "kind": "method",
+      "required": true,
+      "reason": "Vulnerable JNDI lookup method"
+    }
+  ],
+  "expected_edges": [
+    {
+      "from": "sym://java:org.apache.logging.log4j.core.Logger#logMessage",
+      "to": "sym://java:org.apache.logging.log4j.core.pattern.MessagePatternConverter#format",
+      "kind": "call",
+      "required": true,
+      "reason": "Logger delegates to pattern converter"
+    },
+    {
+      "from": "sym://java:org.apache.logging.log4j.core.lookup.StrSubstitutor#replace",
+      "to": "sym://java:org.apache.logging.log4j.core.lookup.JndiLookup#lookup",
+      "kind": "call",
+      "required": true,
+      "reason": "String substitution invokes JNDI lookup"
+    }
+  ],
+  "expected_roots": [
+    {
+      "id": "sym://java:org.apache.logging.log4j.core.Logger#*",
+      "phase": "runtime",
+      "required": true,
+      "reason": "Logger methods are runtime entry points"
+    }
+  ],
+  "min_confidence": 0.6,
+  "strict_mode": false,
+  "created_at": "2025-12-13T00:00:00Z"
+}

tests/reachability/fixtures/patch-oracles/schema/patch-oracle-v1.json

@@ -0,0 +1,179 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "stellaops:patch-oracle/v1",
+  "title": "Patch Oracle Schema v1",
+  "description": "Defines expected functions/edges for reachability graph validation. CI fails when expected elements are missing.",
+  "type": "object",
+  "properties": {
+    "schema_version": {
+      "type": "string",
+      "const": "patch-oracle/v1",
+      "description": "Schema version identifier"
+    },
+    "id": {
+      "type": "string",
+      "description": "Unique oracle identifier (e.g., 'curl-CVE-2023-38545-socks5-heap-reachable')"
+    },
+    "case_ref": {
+      "type": "string",
+      "description": "Reference to parent reachbench case (e.g., 'curl-CVE-2023-38545-socks5-heap')"
+    },
+    "variant": {
+      "type": "string",
+      "enum": ["reachable", "unreachable"],
+      "description": "Which variant this oracle applies to"
+    },
+    "description": {
+      "type": "string",
+      "description": "Human-readable description of what this oracle validates"
+    },
+    "expected_functions": {
+      "type": "array",
+      "description": "Functions that MUST be present in the generated graph",
+      "items": {
+        "$ref": "#/definitions/expected_function"
+      }
+    },
+    "expected_edges": {
+      "type": "array",
+      "description": "Edges that MUST be present in the generated graph",
+      "items": {
+        "$ref": "#/definitions/expected_edge"
+      }
+    },
+    "expected_roots": {
+      "type": "array",
+      "description": "Root nodes that MUST be present in the generated graph",
+      "items": {
+        "$ref": "#/definitions/expected_root"
+      }
+    },
+    "forbidden_functions": {
+      "type": "array",
+      "description": "Functions that MUST NOT be present (for unreachable variants)",
+      "items": {
+        "$ref": "#/definitions/expected_function"
+      }
+    },
+    "forbidden_edges": {
+      "type": "array",
+      "description": "Edges that MUST NOT be present (for unreachable variants)",
+      "items": {
+        "$ref": "#/definitions/expected_edge"
+      }
+    },
+    "min_confidence": {
+      "type": "number",
+      "minimum": 0.0,
+      "maximum": 1.0,
+      "default": 0.5,
+      "description": "Minimum confidence threshold for edge matching"
+    },
+    "strict_mode": {
+      "type": "boolean",
+      "default": false,
+      "description": "If true, extra functions/edges not in oracle cause failure"
+    },
+    "created_at": {
+      "type": "string",
+      "format": "date-time",
+      "description": "When this oracle was created"
+    },
+    "updated_at": {
+      "type": "string",
+      "format": "date-time",
+      "description": "When this oracle was last updated"
+    }
+  },
+  "required": ["schema_version", "id", "case_ref", "variant"],
+  "definitions": {
+    "expected_function": {
+      "type": "object",
+      "properties": {
+        "symbol_id": {
+          "type": "string",
+          "description": "Expected symbol ID (exact match or pattern with '*' wildcards)"
+        },
+        "lang": {
+          "type": "string",
+          "description": "Expected language (optional, for filtering)"
+        },
+        "kind": {
+          "type": "string",
+          "description": "Expected node kind (e.g., 'function', 'method', 'entrypoint')"
+        },
+        "purl_pattern": {
+          "type": "string",
+          "description": "Expected purl pattern (optional, supports wildcards)"
+        },
+        "required": {
+          "type": "boolean",
+          "default": true,
+          "description": "If true, missing this function fails CI"
+        },
+        "reason": {
+          "type": "string",
+          "description": "Why this function is expected (for documentation)"
+        }
+      },
+      "required": ["symbol_id"]
+    },
+    "expected_edge": {
+      "type": "object",
+      "properties": {
+        "from": {
+          "type": "string",
+          "description": "Source node symbol ID (exact match or pattern)"
+        },
+        "to": {
+          "type": "string",
+          "description": "Target node symbol ID (exact match or pattern)"
+        },
+        "kind": {
+          "type": "string",
+          "description": "Expected edge kind (e.g., 'call', 'plt', 'indirect')"
+        },
+        "min_confidence": {
+          "type": "number",
+          "minimum": 0.0,
+          "maximum": 1.0,
+          "description": "Minimum confidence for this specific edge"
+        },
+        "required": {
+          "type": "boolean",
+          "default": true,
+          "description": "If true, missing this edge fails CI"
+        },
+        "reason": {
+          "type": "string",
+          "description": "Why this edge is expected (for documentation)"
+        }
+      },
+      "required": ["from", "to"]
+    },
+    "expected_root": {
+      "type": "object",
+      "properties": {
+        "id": {
+          "type": "string",
+          "description": "Root node ID (exact match or pattern)"
+        },
+        "phase": {
+          "type": "string",
+          "enum": ["load", "init", "main", "runtime", "fini"],
+          "description": "Expected execution phase"
+        },
+        "required": {
+          "type": "boolean",
+          "default": true,
+          "description": "If true, missing this root fails CI"
+        },
+        "reason": {
+          "type": "string",
+          "description": "Why this root is expected"
+        }
+      },
+      "required": ["id"]
+    }
+  }
+}