git.stella-ops.org/tests/reachability/PoE/Fixtures/log4j-cve-2021-44228.poe.golden.json

{
  "@type": "https://stellaops.dev/predicates/proof-of-exposure@v1",
  "evidence": {
    "graphHash": "blake3:a1b2c3d4e5f6789012345678901234567890123456789012345678901234",
    "sbomRef": "cas://scanner-artifacts/sbom.cdx.json"
  },
  "metadata": {
    "analyzer": {
      "name": "stellaops-scanner",
      "toolchainDigest": "sha256:def456789012345678901234567890123456789012345678901234567890",
      "version": "1.2.0"
    },
    "generatedAt": "2025-12-23T10:00:00.000Z",
    "policy": {
      "evaluatedAt": "2025-12-23T09:58:00.000Z",
      "policyDigest": "sha256:abc123456789012345678901234567890123456789012345678901234567",
      "policyId": "prod-release-v42"
    },
    "reproSteps": [
      "1. Build container image from Dockerfile (commit: abc123)",
      "2. Run scanner with config: etc/scanner.yaml",
      "3. Extract reachability graph with maxDepth=10",
      "4. Resolve CVE-2021-44228 to vulnerable symbols"
    ]
  },
  "schema": "stellaops.dev/poe@v1",
  "subject": {
    "buildId": "gnu-build-id:5f0c7c3c4d5e6f7a8b9c0d1e2f3a4b5c",
    "componentRef": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
    "imageDigest": "sha256:abc123def456789012345678901234567890123456789012345678901234",
    "vulnId": "CVE-2021-44228"
  },
  "subgraph": {
    "edges": [
      {
        "confidence": 0.98,
        "from": "sym:java:com.example.GreetingService.greet",
        "to": "sym:java:com.example.GreetingService.processRequest"
      },
      {
        "confidence": 0.95,
        "from": "sym:java:com.example.GreetingService.processRequest",
        "to": "sym:java:org.apache.logging.log4j.Logger.error"
      },
      {
        "confidence": 0.92,
        "from": "sym:java:org.apache.logging.log4j.Logger.error",
        "to": "sym:java:org.apache.logging.log4j.core.lookup.JndiLookup.lookup"
      }
    ],
    "entryRefs": [
      "sym:java:com.example.GreetingService.greet"
    ],
    "nodes": [
      {
        "addr": "0x401000",
        "file": "GreetingService.java",
        "id": "sym:java:com.example.GreetingService.greet",
        "line": 42,
        "moduleHash": "sha256:abc123456789012345678901234567890123456789012345678901234567",
        "symbol": "com.example.GreetingService.greet(String)"
      },
      {
        "addr": "0x401100",
        "file": "GreetingService.java",
        "id": "sym:java:com.example.GreetingService.processRequest",
        "line": 58,
        "moduleHash": "sha256:abc123456789012345678901234567890123456789012345678901234567",
        "symbol": "com.example.GreetingService.processRequest(String)"
      },
      {
        "addr": "0x402000",
        "file": "Logger.java",
        "id": "sym:java:org.apache.logging.log4j.Logger.error",
        "line": 128,
        "moduleHash": "sha256:def456789012345678901234567890123456789012345678901234567890",
        "symbol": "org.apache.logging.log4j.Logger.error(String)"
      },
      {
        "addr": "0x403000",
        "file": "JndiLookup.java",
        "id": "sym:java:org.apache.logging.log4j.core.lookup.JndiLookup.lookup",
        "line": 56,
        "moduleHash": "sha256:def456789012345678901234567890123456789012345678901234567890",
        "symbol": "org.apache.logging.log4j.core.lookup.JndiLookup.lookup(LogEvent, String)"
      }
    ],
    "sinkRefs": [
      "sym:java:org.apache.logging.log4j.core.lookup.JndiLookup.lookup"
    ]
  }
}