git.stella-ops.org/datasets/reachability/samples/csharp/dead-code/ground-truth.json

{
  "schema": "ground-truth-v1",
  "sampleId": "sample:csharp:dead-code:001",
  "generatedAt": "2025-12-13T12:00:00Z",
  "generator": {
    "name": "manual-annotation",
    "version": "1.0.0",
    "annotator": "scanner-guild"
  },
  "targets": [
    {
      "symbolId": "sym:csharp:JsonConvert.DeserializeObject",
      "display": "Newtonsoft.Json.JsonConvert.DeserializeObject<T>(string, JsonSerializerSettings)",
      "purl": "pkg:nuget/Newtonsoft.Json@13.0.1",
      "expected": {
        "latticeState": "CU",
        "bucket": "unreachable",
        "reachable": false,
        "confidence": 0.95,
        "pathLength": null,
        "path": null
      },
      "reasoning": "DeserializeObject referenced in deprecated LegacyParser class but LegacyParser is never instantiated - new SafeParser uses System.Text.Json instead"
    },
    {
      "symbolId": "sym:csharp:LegacyParser.ParseJson",
      "display": "SampleApp.LegacyParser.ParseJson(string)",
      "purl": "pkg:generic/SampleApp@1.0.0",
      "expected": {
        "latticeState": "SU",
        "bucket": "unreachable",
        "reachable": false,
        "confidence": 0.90,
        "pathLength": null,
        "path": null
      },
      "reasoning": "LegacyParser.ParseJson exists but LegacyParser is never instantiated - replaced by SafeParser"
    },
    {
      "symbolId": "sym:csharp:SafeParser.ParseJson",
      "display": "SampleApp.SafeParser.ParseJson(string)",
      "purl": "pkg:generic/SampleApp@1.0.0",
      "expected": {
        "latticeState": "SR",
        "bucket": "direct",
        "reachable": true,
        "confidence": 0.95,
        "pathLength": 2,
        "path": [
          "sym:csharp:Program.Main",
          "sym:csharp:SafeParser.ParseJson"
        ]
      },
      "reasoning": "SafeParser.ParseJson is the active implementation called from Main"
    }
  ],
  "entryPoints": [
    {
      "symbolId": "sym:csharp:Program.Main",
      "display": "SampleApp.Program.Main(string[])",
      "phase": "runtime",
      "source": "manifest"
    }
  ],
  "expectedUncertainty": {
    "states": [],
    "aggregateTier": "T4",
    "riskScore": 0.0
  },
  "expectedGateDecisions": [
    {
      "vulnId": "CVE-2024-21907",
      "targetSymbol": "sym:csharp:JsonConvert.DeserializeObject",
      "requestedStatus": "not_affected",
      "expectedDecision": "allow",
      "expectedReason": "CU state allows not_affected - confirmed unreachable"
    },
    {
      "vulnId": "CVE-2024-21907",
      "targetSymbol": "sym:csharp:JsonConvert.DeserializeObject",
      "requestedStatus": "affected",
      "expectedDecision": "warn",
      "expectedReason": "Marking as affected when CU suggests false positive"
    }
  ]
}