{ "@type": "https://stellaops.dev/predicates/proof-of-exposure@v1", "evidence": { "graphHash": "blake3:e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3", "sbomRef": "cas://scanner-artifacts/sbom.cdx.json" }, "metadata": { "analyzer": { "name": "stellaops-scanner", "toolchainDigest": "sha256:456789012345678901234567890123456789012345678901234567890123", "version": "1.2.0" }, "generatedAt": "2025-12-23T11:30:00.000Z", "policy": { "evaluatedAt": "2025-12-23T11:28:00.000Z", "policyDigest": "sha256:789012345678901234567890123456789012345678901234567890123456", "policyId": "prod-release-v42" }, "reproSteps": [ "1. Build container image from Dockerfile (commit: def456)", "2. Run scanner with config: etc/scanner.yaml", "3. Extract reachability graph with maxDepth=10, maxPaths=3", "4. Resolve CVE-2023-12345 to vulnerable symbols" ] }, "schema": "stellaops.dev/poe@v1", "subject": { "buildId": "gnu-build-id:7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d", "componentRef": "pkg:maven/com.example/vulnerable-lib@1.5.0", "imageDigest": "sha256:def456789012345678901234567890123456789012345678901234567890", "vulnId": "CVE-2023-12345" }, "subgraph": { "edges": [ { "confidence": 0.98, "from": "sym:java:com.example.api.UserController.getUser", "to": "sym:java:com.example.service.UserService.fetchUser" }, { "confidence": 0.95, "from": "sym:java:com.example.service.UserService.fetchUser", "to": "sym:java:com.example.util.XmlParser.parse" }, { "confidence": 0.92, "from": "sym:java:com.example.util.XmlParser.parse", "to": "sym:java:com.vulnerable.XXEVulnerableParser.parseXml" }, { "confidence": 0.97, "from": "sym:java:com.example.api.UserController.updateUser", "to": "sym:java:com.example.service.UserService.updateProfile" }, { "confidence": 0.94, "from": "sym:java:com.example.service.UserService.updateProfile", "to": "sym:java:com.example.util.XmlParser.parse" }, { "confidence": 0.96, "from": "sym:java:com.example.api.AdminController.importUsers", "to": "sym:java:com.example.service.ImportService.processXml" }, { "confidence": 0.93, "from": "sym:java:com.example.service.ImportService.processXml", "to": "sym:java:com.example.util.XmlParser.parseStream" }, { "confidence": 0.91, "from": "sym:java:com.example.util.XmlParser.parseStream", "to": "sym:java:com.vulnerable.XXEVulnerableParser.parseXml" }, { "confidence": 0.89, "from": "sym:java:com.example.api.UserController.getUser", "to": "sym:java:com.example.cache.CacheService.getCachedUser" }, { "confidence": 0.87, "from": "sym:java:com.example.cache.CacheService.getCachedUser", "to": "sym:java:com.example.serialization.Deserializer.fromXml" }, { "confidence": 0.85, "from": "sym:java:com.example.serialization.Deserializer.fromXml", "to": "sym:java:com.example.util.XmlParser.parse" }, { "confidence": 0.88, "from": "sym:java:com.example.api.AdminController.importUsers", "to": "sym:java:com.example.validation.XmlValidator.validate" }, { "confidence": 0.86, "from": "sym:java:com.example.validation.XmlValidator.validate", "to": "sym:java:com.vulnerable.XXEVulnerableParser.parseXml" }, { "confidence": 0.90, "from": "sym:java:com.example.service.UserService.fetchUser", "to": "sym:java:com.example.logging.AuditLogger.logAccess" }, { "confidence": 0.84, "from": "sym:java:com.example.logging.AuditLogger.logAccess", "to": "sym:java:com.example.util.XmlParser.parseConfig" }, { "confidence": 0.82, "from": "sym:java:com.example.util.XmlParser.parseConfig", "to": "sym:java:com.vulnerable.XXEVulnerableParser.parseXml" }, { "confidence": 0.95, "from": "sym:java:com.example.service.ImportService.processXml", "to": "sym:java:com.example.transform.XsltTransformer.transform" }, { "confidence": 0.88, "from": "sym:java:com.example.transform.XsltTransformer.transform", "to": "sym:java:com.vulnerable.XXEVulnerableParser.parseXml" } ], "entryRefs": [ "sym:java:com.example.api.UserController.getUser", "sym:java:com.example.api.UserController.updateUser", "sym:java:com.example.api.AdminController.importUsers" ], "nodes": [ { "addr": "0x501000", "file": "UserController.java", "id": "sym:java:com.example.api.UserController.getUser", "line": 45, "moduleHash": "sha256:123456789012345678901234567890123456789012345678901234567890", "symbol": "com.example.api.UserController.getUser(String)" }, { "addr": "0x501100", "file": "UserController.java", "id": "sym:java:com.example.api.UserController.updateUser", "line": 67, "moduleHash": "sha256:123456789012345678901234567890123456789012345678901234567890", "symbol": "com.example.api.UserController.updateUser(String, UserData)" }, { "addr": "0x502000", "file": "AdminController.java", "id": "sym:java:com.example.api.AdminController.importUsers", "line": 89, "moduleHash": "sha256:123456789012345678901234567890123456789012345678901234567890", "symbol": "com.example.api.AdminController.importUsers(InputStream)" }, { "addr": "0x503000", "file": "UserService.java", "id": "sym:java:com.example.service.UserService.fetchUser", "line": 34, "moduleHash": "sha256:234567890123456789012345678901234567890123456789012345678901", "symbol": "com.example.service.UserService.fetchUser(String)" }, { "addr": "0x503100", "file": "UserService.java", "id": "sym:java:com.example.service.UserService.updateProfile", "line": 78, "moduleHash": "sha256:234567890123456789012345678901234567890123456789012345678901", "symbol": "com.example.service.UserService.updateProfile(String, UserData)" }, { "addr": "0x504000", "file": "ImportService.java", "id": "sym:java:com.example.service.ImportService.processXml", "line": 56, "moduleHash": "sha256:234567890123456789012345678901234567890123456789012345678901", "symbol": "com.example.service.ImportService.processXml(InputStream)" }, { "addr": "0x505000", "file": "XmlParser.java", "id": "sym:java:com.example.util.XmlParser.parse", "line": 112, "moduleHash": "sha256:345678901234567890123456789012345678901234567890123456789012", "symbol": "com.example.util.XmlParser.parse(String)" }, { "addr": "0x505100", "file": "XmlParser.java", "id": "sym:java:com.example.util.XmlParser.parseStream", "line": 145, "moduleHash": "sha256:345678901234567890123456789012345678901234567890123456789012", "symbol": "com.example.util.XmlParser.parseStream(InputStream)" }, { "addr": "0x505200", "file": "XmlParser.java", "id": "sym:java:com.example.util.XmlParser.parseConfig", "line": 178, "moduleHash": "sha256:345678901234567890123456789012345678901234567890123456789012", "symbol": "com.example.util.XmlParser.parseConfig(File)" }, { "addr": "0x506000", "file": "XXEVulnerableParser.java", "id": "sym:java:com.vulnerable.XXEVulnerableParser.parseXml", "line": 67, "moduleHash": "sha256:456789012345678901234567890123456789012345678901234567890123", "symbol": "com.vulnerable.XXEVulnerableParser.parseXml(InputSource)" }, { "addr": "0x507000", "file": "CacheService.java", "id": "sym:java:com.example.cache.CacheService.getCachedUser", "line": 89, "moduleHash": "sha256:234567890123456789012345678901234567890123456789012345678901", "symbol": "com.example.cache.CacheService.getCachedUser(String)" }, { "addr": "0x508000", "file": "Deserializer.java", "id": "sym:java:com.example.serialization.Deserializer.fromXml", "line": 123, "moduleHash": "sha256:345678901234567890123456789012345678901234567890123456789012", "symbol": "com.example.serialization.Deserializer.fromXml(String)" }, { "addr": "0x509000", "file": "XmlValidator.java", "id": "sym:java:com.example.validation.XmlValidator.validate", "line": 45, "moduleHash": "sha256:345678901234567890123456789012345678901234567890123456789012", "symbol": "com.example.validation.XmlValidator.validate(InputStream)" }, { "addr": "0x50A000", "file": "AuditLogger.java", "id": "sym:java:com.example.logging.AuditLogger.logAccess", "line": 78, "moduleHash": "sha256:234567890123456789012345678901234567890123456789012345678901", "symbol": "com.example.logging.AuditLogger.logAccess(String, String)" }, { "addr": "0x50B000", "file": "XsltTransformer.java", "id": "sym:java:com.example.transform.XsltTransformer.transform", "line": 134, "moduleHash": "sha256:345678901234567890123456789012345678901234567890123456789012", "symbol": "com.example.transform.XsltTransformer.transform(Document)" } ], "sinkRefs": [ "sym:java:com.vulnerable.XXEVulnerableParser.parseXml" ] } }