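---
# Reachability benchmark case: a Java deserialization sink that sits behind a
# configuration guard (ALLOW_DESER) and is expected to be unreachable by default.
#
# NOTE(review): this document was recovered from a single flattened line, which
# does not parse as YAML. Key order and values are unchanged; the nesting below
# is inferred (in particular `notes` on the sink entry, `source_date_epoch`
# directly under `environment`, and `env` under `test`) - confirm against the
# case schema.
id: "java-spring-guarded:202"
language: java
project: spring-guarded
version: "1.0.0"
description: "Java deserialization guarded by ALLOW_DESER flag (unreachable by default)"

# Externally reachable entry points that an analysis should start from.
entrypoints:
  - "POST /api/upload"

sinks:
  - id: "JavaDeserializeGuarded::handleRequest"
    path: "bench.reachability.App.handleRequest"
    # NOTE(review): the sink is an ObjectInputStream read but is classified as
    # "custom"; if the schema offers a deserialization-specific kind, prefer it
    # so tools can match on sink class - TODO confirm.
    kind: "custom"
    location:
      file: src/App.java
      line: 9
    notes: "ObjectInputStream gated by ALLOW_DESER"

environment:
  # NOTE(review): this is a mutable tag, so the base image can change between
  # runs. For a reproducible benchmark, pin it by digest, e.g.
  # "eclipse-temurin:21-jdk@sha256:<DIGEST-PLACEHOLDER>".
  os_image: "eclipse-temurin:21-jdk"
  runtime:
    # Quoted so the version stays a string rather than an integer.
    java: "21"
  # Fixed timestamp for reproducible output; the same value is repeated under
  # `build` and the two should be kept in sync.
  source_date_epoch: 1730000000

build:
  command: "./build/build.sh"
  source_date_epoch: 1730000000
  outputs:
    artifact_path: outputs/binary.tar.gz
    sbom_path: outputs/sbom.cdx.json
    coverage_path: outputs/coverage.json
    traces_dir: outputs/traces

test:
  # NOTE(review): identical to build.command - verify that the build script also
  # runs the tests, or point this at the dedicated test runner.
  command: "./build/build.sh"
  # Empty on purpose: with the guard closed the sink is never exercised, so no
  # coverage or trace evidence for it is expected.
  expected_coverage: []
  expected_traces: []
  env:
    # Only JVM assertions are enabled here. ALLOW_DESER is not set, which is
    # what keeps the guarded sink closed for this case.
    JAVA_TOOL_OPTIONS: "-ea"

ground_truth:
  # The verdict is configuration-dependent: the sink is unreachable only while
  # ALLOW_DESER is not "true". A tool should report it as guarded or
  # conditionally reachable, not as absent, and a deployment that enables the
  # flag must treat POST /api/upload as reaching ObjectInputStream.
  summary: "Guard blocks deserialization unless ALLOW_DESER=true"
  evidence_files:
    - "../benchmark/truth/java-spring-guarded.json"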