{
  "schema": "ground-truth-v1",
  "sampleId": "sample:java:vulnerable-log4j:001",
  "generatedAt": "2025-12-13T12:00:00Z",
  "generator": {
    "name": "manual-annotation",
    "version": "1.0.0",
    "annotator": "security-team"
  },
  "targets": [
    {
      "symbolId": "sym:java:log4j.JndiLookup.lookup",
      "display": "org.apache.logging.log4j.core.lookup.JndiLookup.lookup(LogEvent, String)",
      "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
      "expected": {
        "latticeState": "CR",
        "bucket": "runtime",
        "reachable": true,
        "confidence": 0.98,
        "pathLength": 4,
        "path": [
          "sym:java:HttpRequestHandler.handle",
          "sym:java:LogManager.getLogger",
          "sym:java:Logger.info",
          "sym:java:log4j.JndiLookup.lookup"
        ]
      },
      "reasoning": "Confirmed reachable via runtime probe - HTTP request handler logs user-controlled input which triggers JNDI lookup via message substitution"
    },
    {
      "symbolId": "sym:java:log4j.JndiManager.lookup",
      "display": "org.apache.logging.log4j.core.net.JndiManager.lookup(String)",
      "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
      "expected": {
        "latticeState": "CU",
        "bucket": "unreachable",
        "reachable": false,
        "confidence": 0.92,
        "pathLength": null,
        "path": null
      },
      "reasoning": "JndiManager.lookup is present in log4j-core but the direct JndiManager usage path is not exercised - only JndiLookup wrapper is used"
    },
    {
      "symbolId": "sym:java:log4j.ScriptLookup.lookup",
      "display": "org.apache.logging.log4j.core.lookup.ScriptLookup.lookup(LogEvent, String)",
      "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
      "expected": {
        "latticeState": "SU",
        "bucket": "unreachable",
        "reachable": false,
        "confidence": 0.85,
        "pathLength": null,
        "path": null
      },
      "reasoning": "ScriptLookup exists in log4j-core but is disabled by default and no configuration enables it"
    }
  ],
  "entryPoints": [
    {
      "symbolId": "sym:java:HttpRequestHandler.handle",
      "display": "com.example.app.HttpRequestHandler.handle(HttpExchange)",
      "phase": "runtime",
      "source": "servlet"
    },
    {
      "symbolId": "sym:java:Application.main",
      "display": "com.example.app.Application.main(String[])",
      "phase": "main",
      "source": "manifest"
    }
  ],
  "expectedUncertainty": {
    "states": [],
    "aggregateTier": "T4",
    "riskScore": 0.0
  },
  "expectedGateDecisions": [
    {
      "vulnId": "CVE-2021-44228",
      "targetSymbol": "sym:java:log4j.JndiLookup.lookup",
      "requestedStatus": "not_affected",
      "expectedDecision": "block",
      "expectedBlockedBy": "LatticeState",
      "expectedReason": "CR state blocks not_affected - runtime evidence confirms reachability"
    },
    {
      "vulnId": "CVE-2021-44228",
      "targetSymbol": "sym:java:log4j.JndiLookup.lookup",
      "requestedStatus": "affected",
      "expectedDecision": "allow"
    },
    {
      "vulnId": "CVE-2021-44228",
      "targetSymbol": "sym:java:log4j.JndiManager.lookup",
      "requestedStatus": "not_affected",
      "expectedDecision": "allow",
      "expectedReason": "CU state allows not_affected - confirmed unreachable"
    },
    {
      "vulnId": "CVE-2021-44228",
      "targetSymbol": "sym:java:log4j.ScriptLookup.lookup",
      "requestedStatus": "not_affected",
      "expectedDecision": "warn",
      "expectedReason": "SU state allows not_affected but with warning - static analysis only, no runtime confirmation"
    }
  ]
}