---
# Benchmark case manifest: a Go gRPC service whose GetUser method reaches a
# SQL injection sink (see `description` and `sinks`).
# NOTE(review): the nesting below was reconstructed from a single-line copy of
# this file; confirm it against the consuming benchmark schema.
id: "go-grpc-sql:302"
language: go
project: grpc-sql
version: "1.0.0"
description: "SQL injection sink reachable via gRPC GetUser method"

# Externally reachable entry points from which reachability is measured.
entrypoints:
  - "grpc:UserService.GetUser"

# Sinks a reachability analysis is expected to report for this case.
sinks:
  - id: "SqlInjection::GetUser"
    path: "main.(*userServer).GetUser"
    kind: "custom"
    # Pinned to a line number: re-check this if main.go is edited, otherwise
    # the ground truth silently points at the wrong statement.
    location:
      file: main.go
      line: 35
    # Root cause as recorded by the author: the query text is built by string
    # concatenation rather than with bound parameters.
    notes: "database/sql.Query with string concatenation"

environment:
  # A tag, not a digest: tags can be re-pointed upstream. If bit-for-bit
  # reproducibility matters, pin as golang:1.22-alpine@sha256:<DIGEST>.
  os_image: "golang:1.22-alpine"
  runtime:
    # Quoted so the version stays a string and is not read as a float.
    go: "1.22"
  # Same value as build.source_date_epoch; presumably both feed
  # SOURCE_DATE_EPOCH for reproducible builds - keep them in sync.
  source_date_epoch: 1730000000
  resource_limits:
    cpu: "2"
    memory: "2Gi"

build:
  command: "go build -o outputs/app ."
  source_date_epoch: 1730000000
  outputs:
    artifact_path: outputs/app
    # Presumably a CycloneDX SBOM, going by the .cdx.json suffix.
    sbom_path: outputs/sbom.cdx.json
    coverage_path: outputs/coverage.json
    traces_dir: outputs/traces
    attestation_path: outputs/attestation.json

test:
  command: "go test -v ./..."
  # Both lists are empty: as written, no coverage or trace expectations are
  # declared for this case - TODO confirm that is intended.
  expected_coverage: []
  expected_traces: []

ground_truth:
  summary: "SQL injection reachable"
  evidence_files:
    - "../benchmark/truth/go-grpc-sql.json"

# Isolation requested for building and running the case. The project contains
# a known injection sink, so these settings should not be relaxed; enforcement
# happens in the harness and is not visible in this file.
sandbox:
  network: loopback
  privileges: rootless

redaction:
  # NOTE(review): presumably declares that outputs carry no PII and need no
  # scrubbing - confirm the semantics against the named policy.
  pii: false
  policy: "benchmark-default/v1"