{
"schema": "ground-truth-v1",
"sampleId": "sample:java:vulnerable-log4j:001",
"generatedAt": "2025-12-13T12:00:00Z",
"generator": {
"name": "manual-annotation",
"version": "1.0.0",
"annotator": "security-team"
},
"targets": [
{
"symbolId": "sym:java:log4j.JndiLookup.lookup",
"display": "org.apache.logging.log4j.core.lookup.JndiLookup.lookup(LogEvent, String)",
"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
"expected": {
"latticeState": "CR",
"bucket": "runtime",
"reachable": true,
"confidence": 0.98,
"pathLength": 4,
"path": [
"sym:java:HttpRequestHandler.handle",
"sym:java:LogManager.getLogger",
"sym:java:Logger.info",
"sym:java:log4j.JndiLookup.lookup"
]
},
"reasoning": "Confirmed reachable via runtime probe: the HTTP request handler logs user-controlled input, which triggers a JNDI lookup via message substitution"
},
{
"symbolId": "sym:java:log4j.JndiManager.lookup",
"display": "org.apache.logging.log4j.core.net.JndiManager.lookup(String)",
"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
"expected": {
"latticeState": "CU",
"bucket": "unreachable",
"reachable": false,
"confidence": 0.92,
"pathLength": null,
"path": null
},
"reasoning": "JndiManager.lookup is present in log4j-core, but the direct JndiManager usage path is not exercised; only the JndiLookup wrapper is used"
},
{
"symbolId": "sym:java:log4j.ScriptLookup.lookup",
"display": "org.apache.logging.log4j.core.lookup.ScriptLookup.lookup(LogEvent, String)",
"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
"expected": {
"latticeState": "SU",
"bucket": "unreachable",
"reachable": false,
"confidence": 0.85,
"pathLength": null,
"path": null
},
"reasoning": "ScriptLookup exists in log4j-core but is disabled by default and no configuration enables it"
}
],
"entryPoints": [
{
"symbolId": "sym:java:HttpRequestHandler.handle",
"display": "com.example.app.HttpRequestHandler.handle(HttpExchange)",
"phase": "runtime",
"source": "servlet"
},
{
"symbolId": "sym:java:Application.main",
"display": "com.example.app.Application.main(String[])",
"phase": "main",
"source": "manifest"
}
],
"expectedUncertainty": {
"states": [],
"aggregateTier": "T4",
"riskScore": 0.0
},
"expectedGateDecisions": [
{
"vulnId": "CVE-2021-44228",
"targetSymbol": "sym:java:log4j.JndiLookup.lookup",
"requestedStatus": "not_affected",
"expectedDecision": "block",
"expectedBlockedBy": "LatticeState",
"expectedReason": "CR state blocks not_affected - runtime evidence confirms reachability"
},
{
"vulnId": "CVE-2021-44228",
"targetSymbol": "sym:java:log4j.JndiLookup.lookup",
"requestedStatus": "affected",
"expectedDecision": "allow"
},
{
"vulnId": "CVE-2021-44228",
"targetSymbol": "sym:java:log4j.JndiManager.lookup",
"requestedStatus": "not_affected",
"expectedDecision": "allow",
"expectedReason": "CU state allows not_affected - confirmed unreachable"
},
{
"vulnId": "CVE-2021-44228",
"targetSymbol": "sym:java:log4j.ScriptLookup.lookup",
"requestedStatus": "not_affected",
"expectedDecision": "warn",
"expectedReason": "SU state allows not_affected but with warning - static analysis only, no runtime confirmation"
}
]
}