git.stella-ops.org/tests/reachability/PoE/Fixtures/multi-path-java.poe.golden.json

{
  "@type": "https://stellaops.dev/predicates/proof-of-exposure@v1",
  "evidence": {
    "graphHash": "blake3:e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3",
    "sbomRef": "cas://scanner-artifacts/sbom.cdx.json"
  },
  "metadata": {
    "analyzer": {
      "name": "stellaops-scanner",
      "toolchainDigest": "sha256:456789012345678901234567890123456789012345678901234567890123",
      "version": "1.2.0"
    },
    "generatedAt": "2025-12-23T11:30:00.000Z",
    "policy": {
      "evaluatedAt": "2025-12-23T11:28:00.000Z",
      "policyDigest": "sha256:789012345678901234567890123456789012345678901234567890123456",
      "policyId": "prod-release-v42"
    },
    "reproSteps": [
      "1. Build container image from Dockerfile (commit: def456)",
      "2. Run scanner with config: etc/scanner.yaml",
      "3. Extract reachability graph with maxDepth=10, maxPaths=3",
      "4. Resolve CVE-2023-12345 to vulnerable symbols"
    ]
  },
  "schema": "stellaops.dev/poe@v1",
  "subject": {
    "buildId": "gnu-build-id:7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d",
    "componentRef": "pkg:maven/com.example/vulnerable-lib@1.5.0",
    "imageDigest": "sha256:def456789012345678901234567890123456789012345678901234567890",
    "vulnId": "CVE-2023-12345"
  },
  "subgraph": {
    "edges": [
      {
        "confidence": 0.98,
        "from": "sym:java:com.example.api.UserController.getUser",
        "to": "sym:java:com.example.service.UserService.fetchUser"
      },
      {
        "confidence": 0.95,
        "from": "sym:java:com.example.service.UserService.fetchUser",
        "to": "sym:java:com.example.util.XmlParser.parse"
      },
      {
        "confidence": 0.92,
        "from": "sym:java:com.example.util.XmlParser.parse",
        "to": "sym:java:com.vulnerable.XXEVulnerableParser.parseXml"
      },
      {
        "confidence": 0.97,
        "from": "sym:java:com.example.api.UserController.updateUser",
        "to": "sym:java:com.example.service.UserService.updateProfile"
      },
      {
        "confidence": 0.94,
        "from": "sym:java:com.example.service.UserService.updateProfile",
        "to": "sym:java:com.example.util.XmlParser.parse"
      },
      {
        "confidence": 0.96,
        "from": "sym:java:com.example.api.AdminController.importUsers",
        "to": "sym:java:com.example.service.ImportService.processXml"
      },
      {
        "confidence": 0.93,
        "from": "sym:java:com.example.service.ImportService.processXml",
        "to": "sym:java:com.example.util.XmlParser.parseStream"
      },
      {
        "confidence": 0.91,
        "from": "sym:java:com.example.util.XmlParser.parseStream",
        "to": "sym:java:com.vulnerable.XXEVulnerableParser.parseXml"
      },
      {
        "confidence": 0.89,
        "from": "sym:java:com.example.api.UserController.getUser",
        "to": "sym:java:com.example.cache.CacheService.getCachedUser"
      },
      {
        "confidence": 0.87,
        "from": "sym:java:com.example.cache.CacheService.getCachedUser",
        "to": "sym:java:com.example.serialization.Deserializer.fromXml"
      },
      {
        "confidence": 0.85,
        "from": "sym:java:com.example.serialization.Deserializer.fromXml",
        "to": "sym:java:com.example.util.XmlParser.parse"
      },
      {
        "confidence": 0.88,
        "from": "sym:java:com.example.api.AdminController.importUsers",
        "to": "sym:java:com.example.validation.XmlValidator.validate"
      },
      {
        "confidence": 0.86,
        "from": "sym:java:com.example.validation.XmlValidator.validate",
        "to": "sym:java:com.vulnerable.XXEVulnerableParser.parseXml"
      },
      {
        "confidence": 0.90,
        "from": "sym:java:com.example.service.UserService.fetchUser",
        "to": "sym:java:com.example.logging.AuditLogger.logAccess"
      },
      {
        "confidence": 0.84,
        "from": "sym:java:com.example.logging.AuditLogger.logAccess",
        "to": "sym:java:com.example.util.XmlParser.parseConfig"
      },
      {
        "confidence": 0.82,
        "from": "sym:java:com.example.util.XmlParser.parseConfig",
        "to": "sym:java:com.vulnerable.XXEVulnerableParser.parseXml"
      },
      {
        "confidence": 0.95,
        "from": "sym:java:com.example.service.ImportService.processXml",
        "to": "sym:java:com.example.transform.XsltTransformer.transform"
      },
      {
        "confidence": 0.88,
        "from": "sym:java:com.example.transform.XsltTransformer.transform",
        "to": "sym:java:com.vulnerable.XXEVulnerableParser.parseXml"
      }
    ],
    "entryRefs": [
      "sym:java:com.example.api.UserController.getUser",
      "sym:java:com.example.api.UserController.updateUser",
      "sym:java:com.example.api.AdminController.importUsers"
    ],
    "nodes": [
      {
        "addr": "0x501000",
        "file": "UserController.java",
        "id": "sym:java:com.example.api.UserController.getUser",
        "line": 45,
        "moduleHash": "sha256:123456789012345678901234567890123456789012345678901234567890",
        "symbol": "com.example.api.UserController.getUser(String)"
      },
      {
        "addr": "0x501100",
        "file": "UserController.java",
        "id": "sym:java:com.example.api.UserController.updateUser",
        "line": 67,
        "moduleHash": "sha256:123456789012345678901234567890123456789012345678901234567890",
        "symbol": "com.example.api.UserController.updateUser(String, UserData)"
      },
      {
        "addr": "0x502000",
        "file": "AdminController.java",
        "id": "sym:java:com.example.api.AdminController.importUsers",
        "line": 89,
        "moduleHash": "sha256:123456789012345678901234567890123456789012345678901234567890",
        "symbol": "com.example.api.AdminController.importUsers(InputStream)"
      },
      {
        "addr": "0x503000",
        "file": "UserService.java",
        "id": "sym:java:com.example.service.UserService.fetchUser",
        "line": 34,
        "moduleHash": "sha256:234567890123456789012345678901234567890123456789012345678901",
        "symbol": "com.example.service.UserService.fetchUser(String)"
      },
      {
        "addr": "0x503100",
        "file": "UserService.java",
        "id": "sym:java:com.example.service.UserService.updateProfile",
        "line": 78,
        "moduleHash": "sha256:234567890123456789012345678901234567890123456789012345678901",
        "symbol": "com.example.service.UserService.updateProfile(String, UserData)"
      },
      {
        "addr": "0x504000",
        "file": "ImportService.java",
        "id": "sym:java:com.example.service.ImportService.processXml",
        "line": 56,
        "moduleHash": "sha256:234567890123456789012345678901234567890123456789012345678901",
        "symbol": "com.example.service.ImportService.processXml(InputStream)"
      },
      {
        "addr": "0x505000",
        "file": "XmlParser.java",
        "id": "sym:java:com.example.util.XmlParser.parse",
        "line": 112,
        "moduleHash": "sha256:345678901234567890123456789012345678901234567890123456789012",
        "symbol": "com.example.util.XmlParser.parse(String)"
      },
      {
        "addr": "0x505100",
        "file": "XmlParser.java",
        "id": "sym:java:com.example.util.XmlParser.parseStream",
        "line": 145,
        "moduleHash": "sha256:345678901234567890123456789012345678901234567890123456789012",
        "symbol": "com.example.util.XmlParser.parseStream(InputStream)"
      },
      {
        "addr": "0x505200",
        "file": "XmlParser.java",
        "id": "sym:java:com.example.util.XmlParser.parseConfig",
        "line": 178,
        "moduleHash": "sha256:345678901234567890123456789012345678901234567890123456789012",
        "symbol": "com.example.util.XmlParser.parseConfig(File)"
      },
      {
        "addr": "0x506000",
        "file": "XXEVulnerableParser.java",
        "id": "sym:java:com.vulnerable.XXEVulnerableParser.parseXml",
        "line": 67,
        "moduleHash": "sha256:456789012345678901234567890123456789012345678901234567890123",
        "symbol": "com.vulnerable.XXEVulnerableParser.parseXml(InputSource)"
      },
      {
        "addr": "0x507000",
        "file": "CacheService.java",
        "id": "sym:java:com.example.cache.CacheService.getCachedUser",
        "line": 89,
        "moduleHash": "sha256:234567890123456789012345678901234567890123456789012345678901",
        "symbol": "com.example.cache.CacheService.getCachedUser(String)"
      },
      {
        "addr": "0x508000",
        "file": "Deserializer.java",
        "id": "sym:java:com.example.serialization.Deserializer.fromXml",
        "line": 123,
        "moduleHash": "sha256:345678901234567890123456789012345678901234567890123456789012",
        "symbol": "com.example.serialization.Deserializer.fromXml(String)"
      },
      {
        "addr": "0x509000",
        "file": "XmlValidator.java",
        "id": "sym:java:com.example.validation.XmlValidator.validate",
        "line": 45,
        "moduleHash": "sha256:345678901234567890123456789012345678901234567890123456789012",
        "symbol": "com.example.validation.XmlValidator.validate(InputStream)"
      },
      {
        "addr": "0x50A000",
        "file": "AuditLogger.java",
        "id": "sym:java:com.example.logging.AuditLogger.logAccess",
        "line": 78,
        "moduleHash": "sha256:234567890123456789012345678901234567890123456789012345678901",
        "symbol": "com.example.logging.AuditLogger.logAccess(String, String)"
      },
      {
        "addr": "0x50B000",
        "file": "XsltTransformer.java",
        "id": "sym:java:com.example.transform.XsltTransformer.transform",
        "line": 134,
        "moduleHash": "sha256:345678901234567890123456789012345678901234567890123456789012",
        "symbol": "com.example.transform.XsltTransformer.transform(Document)"
      }
    ],
    "sinkRefs": [
      "sym:java:com.vulnerable.XXEVulnerableParser.parseXml"
    ]
  }
}