- Created CycloneDX and SPDX SBOM files for both the reachable and the unreachable image.
- Added symbols.json detailing the function entry and sink points in the WordPress code.
- Included runtime traces of function calls for both the reachable and the unreachable scenario.
- Developed OpenVEX files stating the vulnerability status and its justification for both cases.
- Updated the evaluator-harness README to guide integration with scanner output.
46 lines
1.2 KiB
JSON
{
|
|
"id": "java-log4j-CVE-2021-44228-log4shell",
|
|
"cve": "CVE-2021-44228",
|
|
"description": "STUB: Replace with accurate description and threat model for the specific CVE/case.",
|
|
"threat_model": {
|
|
"entry_points": [
|
|
"STUB: define concrete inputs"
|
|
],
|
|
"preconditions": [
|
|
"STUB: feature flags / modules / protocols enabled"
|
|
],
|
|
"privilege_boundary": [
|
|
"STUB: describe boundary (if any)"
|
|
]
|
|
},
|
|
"ground_truth": {
|
|
"reachable_variant": {
|
|
"status": "affected",
|
|
"evidence": {
|
|
"symbols": [
|
|
"sym://java:java.c#sink"
|
|
],
|
|
"paths": [
|
|
[
|
|
"sym://net:handler#read",
|
|
"sym://java:java.c#entry",
|
|
"sym://java:java.c#sink"
|
|
]
|
|
],
|
|
"runtime_proof": "traces.runtime.jsonl: lines 1-5"
|
|
}
|
|
},
|
|
"unreachable_variant": {
|
|
"status": "not_affected",
|
|
"justification": "vulnerable_code_not_in_execute_path",
|
|
"evidence": {
|
|
"pruning_reason": [
|
|
"STUB: feature disabled, module absent, or policy denies"
|
|
],
|
|
"blocked_edges": [
|
|
"sym://java:java.c#entry -> sym://java:java.c#sink"
|
|
]
|
|
}
|
|
}
|
|
}
|
|
} |
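Review bot: The ground-truth verdicts in this case file do not agree with their own evidence about which program they describe: `id` and `cve` name Log4Shell (Java), the symbol references resolve to `sym://java:java.c#sink` (a `.c` path under a `java:` namespace), and the commit message says the entry and sink points were extracted from WordPress code, so `affected`/`not_affected` cannot be tied to one concrete target; the first path element `sym://net:handler#read` is also absent from the `symbols` list. The `not_affected` variant rests on a `pruning_reason` that is still a `STUB:` placeholder, so a harness that consumes this file as truth would score an unwritten justification as valid; the evaluator should reject any case whose `description`, `threat_model` or `evidence` fields still carry the `STUB:` prefix, or this file should be clearly kept as a template rather than a case. Two smaller points: `blocked_edges` packs two symbols into one `"A -> B"` string, which is better modelled as `{ "from": "sym://java:java.c#entry", "to": "sym://java:java.c#sink" }` so consumers need not parse it, and `runtime_proof` cites `traces.runtime.jsonl` by line range, which silently goes stale whenever the trace file is regenerated, so a stable trace identifier would be more durable. The `status` and `justification` values themselves match the OpenVEX vocabulary and need no change.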