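---
# Benchmark case descriptor for the express-blog sample: names the entrypoint,
# the sink under test, the pinned build/test environment and the ground truth.
#
# NOTE(review): the block structure below was reconstructed from a single
# collapsed line, which is not parseable YAML as-is. Confirm the nesting
# against the consumer's schema, in particular:
#   - whether `notes` belongs to the sink entry or to its `location`
#   - whether `source_date_epoch` sits under `environment` or `runtime`
#   - whether `env` belongs to `build` or to `build.outputs`
id: "js-express-blog:001"
language: js
project: express-blog
version: "1.0.0"
description: Minimal blog API with an unsafe deserializer sink.
repository: "https://example.org/express-blog"

# Entry points through which untrusted request data enters the application.
entrypoints:
  - "POST /api/posts"

sinks:
  - id: "Deserializer::parse"
    path: "src/deserializer.js::parse"
    kind: deserialization
    location:
      file: src/deserializer.js
      line: 42
    # NOTE(review): JSON.parse itself only yields plain data; the practical
    # impact depends on how the parsed object is used downstream, which this
    # descriptor does not show. Record the missing guard (size limit, schema
    # validation, key filtering) in truth/truth.yaml if it matters for scoring.
    notes: "JSON.parse on user input without guards"

environment:
  os_image: "ubuntu:24.04"
  runtime:
    node: "20.11.0"
  source_date_epoch: 1730000000

build:
  command: "./build/build.sh"
  # Same value as environment.source_date_epoch; keep the two in sync
  # (presumably pinned for reproducible builds).
  source_date_epoch: 1730000000
  outputs:
    artifact_path: outputs/binary.tar.gz
    sbom_path: outputs/sbom.cdx.json
    coverage_path: outputs/coverage.json
    traces_dir: outputs/traces
  env:
    NODE_ENV: production

test:
  command: "npm test"
  expected_coverage:
    - outputs/coverage.json
  expected_traces:
    - outputs/traces/traces.json
  env:
    NODE_ENV: test

ground_truth:
  summary: "Unit test test_reachable_deserialization hits the sink"
  evidence_files:
    - truth/truth.yaml
  # NOTE(review): neither env block in this file sets FEATURE_JSON_ENABLED, so
  # reachability depends on a value defined elsewhere. Confirm where it is set;
  # if it is unset at test time the sink may be recorded as unreachable.
  notes: "FEATURE_JSON_ENABLED must be true for reachability"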