45 lines
1.1 KiB
YAML
45 lines
1.1 KiB
YAML
id: "js-express-blog:001"
|
|
language: js
|
|
project: express-blog
|
|
version: "1.0.0"
|
|
description: Minimal blog API with an unsafe deserializer sink.
|
|
repository: "https://example.org/express-blog"
|
|
entrypoints:
|
|
- "POST /api/posts"
|
|
sinks:
|
|
- id: "Deserializer::parse"
|
|
path: "src/deserializer.js::parse"
|
|
kind: deserialization
|
|
location:
|
|
file: src/deserializer.js
|
|
line: 42
|
|
notes: "JSON.parse on user input without guards"
|
|
environment:
|
|
os_image: "ubuntu:24.04"
|
|
runtime:
|
|
node: "20.11.0"
|
|
source_date_epoch: 1730000000
|
|
build:
|
|
command: "./build/build.sh"
|
|
source_date_epoch: 1730000000
|
|
outputs:
|
|
artifact_path: outputs/binary.tar.gz
|
|
sbom_path: outputs/sbom.cdx.json
|
|
coverage_path: outputs/coverage.json
|
|
traces_dir: outputs/traces
|
|
env:
|
|
NODE_ENV: production
|
|
test:
|
|
command: "npm test"
|
|
expected_coverage:
|
|
- outputs/coverage.json
|
|
expected_traces:
|
|
- outputs/traces/traces.json
|
|
env:
|
|
NODE_ENV: test
|
|
ground_truth:
|
|
summary: "Unit test test_reachable_deserialization hits the sink"
|
|
evidence_files:
|
|
- truth/truth.yaml
|
|
notes: "FEATURE_JSON_ENABLED must be true for reachability"
|