- Introduced `ReachabilityState`, `RuntimeHit`, `ExploitabilitySignal`, `ReachabilitySignal`, `SignalEnvelope`, `SignalType`, `TrustSignal`, and `UnknownSymbolSignal` records to define various signal types and their properties. - Implemented JSON serialization attributes for proper data interchange. - Created project files for the new signal contracts library and corresponding test projects. - Added deterministic test fixtures for micro-interaction testing. - Included cryptographic keys for secure operations with cosign.
{
"schemaVersion": "graph.inspect.v1",
"tenant": "acme-dev",
"artifactDigest": "sha256:8f2c1f4c8f9d4c3bb2efc0a9d0a35d4492a0bba4f3c1a2b9d5c7e1f4a8c6b2d1",
"sbomDigest": "sha256:1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d",
"collectedAt": "2025-12-04T15:30:00Z",
"components": [
{
"purl": "pkg:maven/org.example/foo@1.2.3",
"version": "1.2.3",
"scopes": [
"runtime"
],
"relationships": [
{
"type": "contains",
"targetPurl": "pkg:docker/library/alpine@3.19.0",
"scope": "runtime",
"evidenceHash": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcd",
"source": "scanner.sbom.v1"
},
{
"type": "depends_on",
"targetPurl": "pkg:npm/lodash@4.17.21",
"scope": "runtime",
"evidenceHash": "89abcdef0123456789abcdef0123456789abcdef0123456789abcdef012345",
"source": "concelier.linkset.v1"
}
],
"advisories": [
{
"advisoryId": "CVE-2024-1111",
"source": "ghsa",
"status": "affected",
"severity": "HIGH",
"cvss": {
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"score": 9.8
},
"justification": "exploitable_in_default_config",
"justificationSummary": "Unauthenticated RCE in JSON parser; no mitigations applied.",
"linksetDigest": "abcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcd",
"evidenceHash": "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210",
"modifiedAt": "2025-11-30T12:00:00Z",
"provenance": {
"source": "concelier.linkset.v1",
"collectedAt": "2025-11-30T11:55:00Z",
"eventOffset": 4421,
"linksetDigest": "abcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcd",
"evidenceHash": "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"
}
}
],
"vexStatements": [
{
"statementId": "VEX-2025-0001",
"source": "excitor.vex.v1",
"status": "not_affected",
"justification": "component_not_present",
"impactStatement": "Library excluded from production image; only used in tests.",
"knownExploited": false,
"issuedAt": "2025-12-01T08:00:00Z",
"expiresAt": "2026-12-01T00:00:00Z",
"evidenceHash": "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0",
"provenance": {
"source": "excitor.overlay.v1",
"collectedAt": "2025-12-01T08:00:00Z",
"eventOffset": 171,
"evidenceHash": "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
}
}
],
"provenance": {
"source": "concelier.linkset.v1",
"collectedAt": "2025-12-04T15:29:00Z",
"eventOffset": 5123,
"linksetDigest": "abcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcd",
"evidenceHash": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcd"
}
},
{
"purl": "pkg:npm/lodash@4.17.21",
"scopes": [],
"relationships": [],
"advisories": [],
"vexStatements": [],
"provenance": {
"source": "concelier.linkset.v1",
"collectedAt": "2025-12-04T15:29:00Z",
"eventOffset": 6000,
"linksetDigest": "abcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcd",
"evidenceHash": "89abcdef0123456789abcdef0123456789abcdef0123456789abcdef012345"
}
}
],
"links": {
"sbomObservationEventId": "obs-2025-11-22-001",
"linksetDigest": "abcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcd"
}
}
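Review bot: The `evidenceHash` values on both relationship entries (`"0123456789abcdef…abcd"`, `"89abcdef…012345"`) and on both component-level `provenance` blocks are 62 hex characters, while every other digest in this fixture (`linksetDigest`, the advisory and VEX `evidenceHash` values, and the hex part of `artifactDigest`/`sbomDigest`) is 64; if these are meant to be SHA-256 hex digests they are truncated, and a deterministic fixture is exactly where a consumer's digest-length validation should be exercised rather than silently tolerated. Either pad those four values to 64 hex characters or, if shorter hashes are intentional for `graph.inspect.v1`, state that in the contract test so the length difference is not mistaken for corruption. The second component also omits `version` where the first supplies it, which is only fine if the schema declares it optional — worth a fixture-level assertion either way. Because this is strict JSON there is nowhere to record that expectation in the file itself, so it belongs in the accompanying test.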