{ "schema_version": "1.0", "metadata": { "description": "Nyx benchmark ground truth", "created": "2026-03-20", "corpus_size": 567 }, "cases": [ { "case_id": "js-sqli-001", "file": "javascript/sqli/sqli_concat.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "analogue", "match_mode": "rule_match", "expected_rule_ids": [ "js.code_exec.eval" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 5, 5 ] ], "expected_source_lines": [ [ 4, 4 ] ], "tags": [ "concat", "eval-proxy" ], "disabled": false, "notes": "eval used as proxy for SQL query; analogue tier because real SQL sink is not modeled directly" }, { "case_id": "js-sqli-002", "file": "javascript/sqli/sqli_template.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "analogue", "match_mode": "rule_match", "expected_rule_ids": [ "js.code_exec.eval" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 5, 5 ] ], "expected_source_lines": [ [ 4, 4 ] ], "tags": [ "template-literal", "eval-proxy" ], "disabled": false, "notes": "eval used as proxy for SQL query with template literal interpolation" }, { "case_id": "js-cmdi-001", "file": "javascript/cmdi/cmdi_direct.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "js.cmdi.exec" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], 
"tags": [ "direct", "child_process" ], "disabled": false, "notes": "Direct flow from req.query.cmd to exec()" }, { "case_id": "js-cmdi-002", "file": "javascript/cmdi/cmdi_indirect.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "js.cmdi.exec" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "indirect", "concat", "child_process" ], "disabled": false, "notes": "Indirect flow via string concat to exec()" }, { "case_id": "js-xss-001", "file": "javascript/xss/xss_reflected.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 5, 5 ] ], "expected_source_lines": [ [ 4, 4 ] ], "tags": [ "innerHTML", "reflected" ], "disabled": false, "notes": "Reflected XSS via innerHTML assignment; taint-based detection (no AST pattern for innerHTML)" }, { "case_id": "js-xss-002", "file": "javascript/xss/xss_document_write.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "js.xss.document_write" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 5, 5 ] ], "expected_source_lines": [ [ 4, 4 ] ], "tags": [ "document-write" ], "disabled": false, "notes": "XSS via 
document.write with user-controlled content" }, { "case_id": "js-xss-003", "file": "javascript/xss/xss_location.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-601", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "js.xss.location_assign" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 5, 5 ] ], "expected_source_lines": [ [ 4, 4 ] ], "tags": [ "open-redirect", "location-href" ], "disabled": false, "notes": "Open redirect via location.href assignment (CWE-601); the case is grouped under vuln_class xss" }, { "case_id": "js-ssrf-001", "file": "javascript/ssrf/ssrf_fetch.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 5, 5 ] ], "expected_source_lines": [ [ 4, 4 ] ], "tags": [ "fetch", "ssrf" ], "disabled": false, "notes": "SSRF via fetch() with user-controlled URL" }, { "case_id": "js-path_traversal-001", "file": "javascript/path_traversal/path_traversal.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "sendFile", "path-traversal" ], "disabled": false, "notes": "Path traversal via res.sendFile with user-controlled path" }, { "case_id": "js-code_injection-001", "file": 
"javascript/code_injection/code_injection.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "code_injection", "cwe": "CWE-94", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "js.code_exec.eval" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 5, 5 ] ], "expected_source_lines": [ [ 4, 4 ] ], "tags": [ "eval", "code-injection" ], "disabled": false, "notes": "Code injection via eval() with user-controlled expression" }, { "case_id": "js-code_injection-002", "file": "javascript/code_injection/code_injection_indirect.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "code_injection", "cwe": "CWE-94", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 4, 4 ] ], "tags": [ "new-function", "indirect", "code-injection" ], "disabled": false, "notes": "Code injection via new Function() with user-controlled template" }, { "case_id": "js-safe-001", "file": "javascript/safe/safe_constant.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "constant", "no-source" ], "disabled": false, "notes": "Constant string argument to exec; no user-controlled data" }, { "case_id": "js-safe-002", "file": "javascript/safe/safe_dominated.js", "language": "javascript", 
"is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "allowlist", "dominated-check" ], "disabled": false, "notes": "User input dominated by allowlist check before reaching exec()" }, { "case_id": "js-safe-003", "file": "javascript/safe/safe_interprocedural.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "sanitizer", "dompurify", "interprocedural" ], "disabled": false, "notes": "DOMPurify sanitizer applied via helper function before innerHTML" }, { "case_id": "js-safe-004", "file": "javascript/safe/safe_non_security_sink.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "non-security-sink", "console-log" ], "disabled": false, "notes": "User input flows to console.log and length computation, not a security sink" }, { "case_id": "js-safe-005", "file": "javascript/safe/safe_reassigned.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], 
"allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "reassignment", "killed-taint" ], "disabled": false, "notes": "Tainted variable reassigned to constant before reaching innerHTML" }, { "case_id": "js-safe-006", "file": "javascript/safe/safe_sanitized.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "sanitizer", "dompurify" ], "disabled": false, "notes": "DOMPurify.sanitize applied inline before innerHTML assignment" }, { "case_id": "js-safe-007", "file": "javascript/safe/safe_type_check.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "type-check", "typeof-guard" ], "disabled": false, "notes": "typeof check guards eval(); only numbers reach the sink" }, { "case_id": "js-safe-008", "file": "javascript/safe/safe_validated.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "allowlist", "validated" ], "disabled": false, "notes": 
"Allowlist validation before exec(); only permitted commands reach sink" }, { "case_id": "py-sqli-001", "file": "python/sqli/sqli_concat.py", "language": "python", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "state-resource-leak" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 8, 8 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "concat", "cursor-execute" ], "disabled": false, "notes": "SQL injection via string concat in cursor.execute()" }, { "case_id": "py-sqli-002", "file": "python/sqli/sqli_format.py", "language": "python", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "py.sqli.execute_format" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow", "state-resource-leak" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 8, 8 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "format-string", "cursor-execute" ], "disabled": false, "notes": "SQL injection via % format operator in cursor.execute()" }, { "case_id": "py-cmdi-001", "file": "python/cmdi/cmdi_direct.py", "language": "python", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "py.cmdi.os_system" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "os-system" ], "disabled": false, "notes": "Direct command injection via os.system()" }, { 
"case_id": "py-cmdi-002", "file": "python/cmdi/cmdi_indirect.py", "language": "python", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "py.cmdi.subprocess_shell" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 7, 7 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "indirect", "subprocess", "shell-true" ], "disabled": false, "notes": "Command injection via subprocess.run with shell=True" }, { "case_id": "py-xss-001", "file": "python/xss/xss_reflected.py", "language": "python", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 5, 5 ] ], "expected_source_lines": [ [ 4, 4 ] ], "tags": [ "reflected", "make-response" ], "disabled": false, "notes": "Reflected XSS via make_response with unescaped user input in HTML" }, { "case_id": "py-xss-002", "file": "python/xss/xss_template_string.py", "language": "python", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "py.xss.jinja_from_string" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow", "taint-template-injection" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "jinja2", "template-injection" ], "disabled": false, "notes": "Server-side template injection via jinja2.Template with user-controlled string" }, { "case_id": 
"py-ssrf-001", "file": "python/ssrf/ssrf_requests.py", "language": "python", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cfg-unguarded-sink" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "requests-get", "ssrf" ], "disabled": false, "notes": "SSRF via requests.get() with user-controlled URL" }, { "case_id": "py-path_traversal-001", "file": "python/path_traversal/path_traversal.py", "language": "python", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 5, 5 ] ], "expected_source_lines": [ [ 4, 4 ] ], "tags": [ "send-file", "path-traversal" ], "disabled": false, "notes": "Path traversal via send_file() with user-controlled path" }, { "case_id": "py-path_traversal-no-relative-to", "file": "python/path_traversal/path_traversal_no_relative_to.py", "language": "python", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 11, 11 ] ], "expected_source_lines": [ [ 9, 9 ] ], "tags": [ "path-traversal", "regression-guard" ], "disabled": false, "notes": "Negative companion to safe_relative_to_validator: no relative_to() validator on filepath, taint must 
propagate to send_file" }, { "case_id": "py-deser-001", "file": "python/deser/deser_pickle.py", "language": "python", "is_vulnerable": true, "vuln_class": "deser", "cwe": "CWE-502", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "py.deser.pickle_loads" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "pickle", "deserialization" ], "disabled": false, "notes": "Insecure deserialization via pickle.loads with user-controlled data" }, { "case_id": "py-code_injection-001", "file": "python/code_injection/code_injection.py", "language": "python", "is_vulnerable": true, "vuln_class": "code_injection", "cwe": "CWE-94", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "py.code_exec.eval" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 5, 5 ] ], "expected_source_lines": [ [ 4, 4 ] ], "tags": [ "eval", "code-injection" ], "disabled": false, "notes": "Code injection via eval() with user-controlled expression" }, { "case_id": "py-code_injection-002", "file": "python/code_injection/code_injection_exec.py", "language": "python", "is_vulnerable": true, "vuln_class": "code_injection", "cwe": "CWE-94", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "py.code_exec.exec" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 5, 5 ] ], "expected_source_lines": [ [ 4, 4 ] ], "tags": [ "exec", "code-injection" ], "disabled": false, "notes": "Code injection via exec() with 
user-controlled code string" }, { "case_id": "py-safe-001", "file": "python/safe/safe_constant.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "constant", "no-source" ], "disabled": false, "notes": "Constant string argument to os.system; no user-controlled data" }, { "case_id": "py-safe-002", "file": "python/safe/safe_dominated.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "allowlist", "dominated-check" ], "disabled": false, "notes": "User input dominated by allowlist membership check before os.system()" }, { "case_id": "py-safe-003", "file": "python/safe/safe_interprocedural.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "sanitizer", "shlex-quote", "interprocedural" ], "disabled": false, "notes": "shlex.quote sanitizer applied via helper function before os.system()" }, { "case_id": "py-safe-004", "file": "python/safe/safe_non_security_sink.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", 
"equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "non-security-sink", "logging" ], "disabled": false, "notes": "User input flows to logging.info and length computation, not a security sink" }, { "case_id": "py-safe-005", "file": "python/safe/safe_reassigned.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "reassignment", "killed-taint" ], "disabled": false, "notes": "Tainted variable reassigned to constant before reaching os.system()" }, { "case_id": "py-safe-006", "file": "python/safe/safe_sanitized.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "sanitizer", "shlex-quote" ], "disabled": false, "notes": "shlex.quote sanitizer applied inline before os.system()" }, { "case_id": "py-safe-007", "file": "python/safe/safe_type_check.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], 
"expected_source_lines": [], "tags": [ "type-check", "isinstance-guard" ], "disabled": false, "notes": "isinstance check guards cursor.execute(); only ints reach the sink" }, { "case_id": "py-safe-008", "file": "python/safe/safe_validated.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "allowlist", "validated" ], "disabled": false, "notes": "Allowlist validation before os.system(); only permitted commands reach sink" }, { "case_id": "java-sqli-001", "file": "java/sqli/SqliConcat.java", "language": "java", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "java.sqli.execute_concat" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow", "state-resource-leak" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 9, 9 ] ], "expected_source_lines": [ [ 6, 6 ] ], "tags": [ "concat", "executeQuery" ], "disabled": false, "notes": "SQL injection via string concat in executeQuery()" }, { "case_id": "java-sqli-002", "file": "java/sqli/SqliFormat.java", "language": "java", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "java.sqli.execute_concat" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow", "state-resource-leak" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 9, 9 ] ], "expected_source_lines": [ [ 6, 6 ] ], "tags": [ "string-format", "executeQuery" ], 
"disabled": false, "notes": "SQL injection via String.format in executeQuery()" }, { "case_id": "java-cmdi-001", "file": "java/cmdi/CmdiDirect.java", "language": "java", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "java.cmdi.runtime_exec" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "runtime-exec" ], "disabled": false, "notes": "Direct command injection via Runtime.exec()" }, { "case_id": "java-cmdi-002", "file": "java/cmdi/CmdiIndirect.java", "language": "java", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "java.cmdi.runtime_exec" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "indirect", "concat", "runtime-exec" ], "disabled": false, "notes": "Indirect command injection via string concat to Runtime.exec()" }, { "case_id": "java-xss-001", "file": "java/xss/XssReflected.java", "language": "java", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "java.xss.getwriter_print" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 8, 8 ] ], "expected_source_lines": [ [ 6, 6 ] ], "tags": [ "reflected", "getwriter-println" ], "disabled": false, "notes": "Reflected XSS via getWriter().println() with 
unescaped user input" }, { "case_id": "java-ssrf-001", "file": "java/ssrf/SsrfRequest.java", "language": "java", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "state-resource-leak" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 8, 8 ] ], "expected_source_lines": [ [ 7, 7 ] ], "tags": [ "url-connection", "ssrf" ], "disabled": false, "notes": "SSRF via URL.openConnection() with user-controlled URL" }, { "case_id": "java-ssrf-002", "file": "java/ssrf/SsrfHttpClient.java", "language": "java", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 10, 10 ] ], "expected_source_lines": [ [ 7, 7 ] ], "tags": [ "http-client", "ssrf" ], "disabled": false, "notes": "SSRF via HttpClient.send() with user-controlled URL" }, { "case_id": "java-path_traversal-001", "file": "java/path_traversal/PathTraversal.java", "language": "java", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "state-resource-leak" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 7, 7 ] ], "expected_source_lines": [ [ 6, 6 ] ], "tags": [ "file-input-stream", "path-traversal" ], "disabled": false, "notes": "Path traversal via FileInputStream with user-controlled path" }, { "case_id": "java-deser-001", "file": 
"java/deser/DeserOis.java", "language": "java", "is_vulnerable": true, "vuln_class": "deser", "cwe": "CWE-502", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "java.deser.readobject" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 7, 7 ] ], "expected_source_lines": [ [ 6, 6 ] ], "tags": [ "object-input-stream", "deserialization" ], "disabled": false, "notes": "Insecure deserialization via ObjectInputStream.readObject()" }, { "case_id": "java-deser-002", "file": "java/deser/DeserSource.java", "language": "java", "is_vulnerable": true, "vuln_class": "deser", "cwe": "CWE-502", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "java.deser.readobject", "java.cmdi.runtime_exec" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 7, 8 ] ], "expected_source_lines": [ [ 6, 6 ] ], "tags": [ "deser-to-exec", "chained" ], "disabled": false, "notes": "Deserialized object flows to Runtime.exec(); both readObject and exec patterns should match" }, { "case_id": "java-code_injection-001", "file": "java/code_injection/CodeInjection.java", "language": "java", "is_vulnerable": true, "vuln_class": "code_injection", "cwe": "CWE-94", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "java.reflection.class_forname" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "reflection", "class-forname" ], "disabled": false, "notes": "Code injection via Class.forName() with 
user-controlled class name" }, { "case_id": "java-safe-001", "file": "java/safe/SafeConstant.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "constant", "no-source" ], "disabled": false, "notes": "Constant string in executeQuery(); no user-controlled data" }, { "case_id": "java-safe-002", "file": "java/safe/SafeDominated.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "allowlist", "dominated-check" ], "disabled": false, "notes": "User input dominated by allowlist Set.contains() check before Runtime.exec()" }, { "case_id": "java-safe-003", "file": "java/safe/SafeInterprocedural.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "sanitizer", "html-escape", "interprocedural" ], "disabled": false, "notes": "HtmlUtils.htmlEscape sanitizer applied via helper method before getWriter().println()" }, { "case_id": "java-safe-004", "file": "java/safe/SafeNonSecuritySink.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", 
"equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "non-security-sink", "logger" ], "disabled": false, "notes": "User input flows to Logger.info and length computation; output is String.valueOf(len)" }, { "case_id": "java-safe-005", "file": "java/safe/SafeReassigned.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "reassignment", "killed-taint" ], "disabled": false, "notes": "Tainted variable reassigned to constant 'Guest' before reaching getWriter().println()" }, { "case_id": "java-safe-006", "file": "java/safe/SafeSanitized.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "sanitizer", "html-escape" ], "disabled": false, "notes": "HtmlUtils.htmlEscape sanitizer applied inline before getWriter().println()" }, { "case_id": "java-safe-007", "file": "java/safe/SafeTypeCheck.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": 
"Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "type-check", "regex-guard" ], "disabled": false, "notes": "Regex matches(\"\\\\d+\") check guards executeQuery(); only numeric strings reach the sink" }, { "case_id": "java-safe-008", "file": "java/safe/SafeValidated.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "allowlist", "validated" ], "disabled": false, "notes": "Allowlist validation before Runtime.exec(); only permitted commands reach sink" }, { "case_id": "go-sqli-001", "file": "go/sqli/sqli_concat.go", "language": "go", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "go.sqli.query_concat" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow", "state-resource-leak" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 11, 11 ] ], "expected_source_lines": [ [ 9, 9 ] ], "tags": [ "concat", "db-query" ], "disabled": false, "notes": "SQL injection via string concat in db.Query()" }, { "case_id": "go-sqli-002", "file": "go/sqli/sqli_sprintf.go", "language": "go", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "go.sqli.query_concat" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow", "state-resource-leak" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 12, 12 ] ], "expected_source_lines": [ [ 10, 10 ] ], "tags": 
[ "sprintf", "db-exec" ], "disabled": false, "notes": "SQL injection via fmt.Sprintf in db.Exec()" }, { "case_id": "go-sqli-003", "file": "go/sqli/sqli_queryrow.go", "language": "go", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "go.sqli.query_concat" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow", "state-resource-leak" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 12, 12 ] ], "expected_source_lines": [ [ 9, 9 ] ], "tags": [ "concat", "db-queryrow" ], "disabled": false, "notes": "SQL injection via string concat in db.QueryRow()" }, { "case_id": "go-sqli-004", "file": "go/sqli/sqli_for_range.go", "language": "go", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 17, 17 ] ], "expected_source_lines": [ [ 15, 15 ] ], "tags": [ "sqli", "goqu", "for-range" ], "disabled": false, "notes": "CVE-Hunt session 6 regression guard: Go for-range loop binding inherits taint from iterable; goqu.L(p) is SQL_QUERY sink. Pins src/cfg/literals.rs def_use Kind::For range_clause arm + src/labels/go.rs goqu.L sink." 
}, { "case_id": "go-sqli-safe-001", "file": "go/safe/safe_sqli_for_range_allowlist.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "sqli", "goqu", "for-range", "safe", "negative" ], "disabled": false, "notes": "CVE-Hunt session 6 negative pair: same for-range shape as go-sqli-004 but binding is allowlisted before reaching goqu.I (typed identifier, not raw SQL)." }, { "case_id": "go-cmdi-001", "file": "go/cmdi/cmdi_direct.go", "language": "go", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "go.cmdi.exec_command" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow", "state-unauthed-access" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 10, 10 ] ], "expected_source_lines": [ [ 9, 9 ] ], "tags": [ "direct", "exec-command" ], "disabled": false, "notes": "Direct command injection via exec.Command()" }, { "case_id": "go-cmdi-002", "file": "go/cmdi/cmdi_indirect.go", "language": "go", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "go.cmdi.exec_command" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow", "state-unauthed-access" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 11, 11 ] ], "expected_source_lines": [ [ 9, 9 ] ], "tags": [ "indirect", "concat", "exec-command", "shell" ], "disabled": false, "notes": "Indirect 
command injection via string concat to exec.Command(\"sh\", \"-c\", cmd)" }, { "case_id": "go-cmdi-003", "file": "go/cmdi_env/cmdi_env.go", "language": "go", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "language_specific", "match_mode": "rule_match", "expected_rule_ids": [ "go.cmdi.exec_command" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 10, 10 ] ], "expected_source_lines": [ [ 9, 9 ] ], "tags": [ "env-source", "exec-command", "shell" ], "disabled": false, "notes": "Command injection via os.Getenv source flowing to exec.Command; language_specific tier because env-var source pattern is Go-specific" }, { "case_id": "go-cmdi-004", "file": "go/cmdi/cmdi_unvalidated_queue_element.go", "language": "go", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "go.cmdi.exec_command" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow", "state-unauthed-access" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 13, 13 ] ], "expected_source_lines": [ [ 12, 12 ] ], "tags": [ "container-element", "index-read", "exec-command", "pointer-w5" ], "disabled": false, "notes": "Tainted user input pushed into a slice via append(); unsanitised element re-read with cmds[0] flows to exec.Command. Exercises W5 subscript-read recognition + W2 container ELEM cell flow." 
}, { "case_id": "go-xss-001", "file": "go/xss/xss_fprintf.go", "language": "go", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 10, 10 ] ], "expected_source_lines": [ [ 9, 9 ] ], "tags": [ "fmt-fprintf", "response-writer" ], "disabled": false, "notes": "XSS via fmt.Fprintf to ResponseWriter with unescaped user input" }, { "case_id": "go-xss-002", "file": "go/xss/xss_template_html.go", "language": "go", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 11, 11 ] ], "expected_source_lines": [ [ 9, 9 ] ], "tags": [ "template-html", "unsafe-cast" ], "disabled": false, "notes": "XSS via template.HTML() cast bypassing html/template auto-escaping" }, { "case_id": "go-ssrf-001", "file": "go/ssrf/ssrf_http_get.go", "language": "go", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 9, 9 ] ], "expected_source_lines": [ [ 8, 8 ] ], "tags": [ "http-get", "ssrf" ], "disabled": false, "notes": "SSRF via http.Get() with user-controlled URL" }, { "case_id": "go-path_traversal-001", "file": "go/path_traversal/path_traversal.go", "language": "go", "is_vulnerable": true, "vuln_class": "path_traversal", 
"cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "state-unauthed-access" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 10, 10 ] ], "expected_source_lines": [ [ 9, 9 ] ], "tags": [ "os-readfile", "path-traversal" ], "disabled": false, "notes": "Path traversal via os.ReadFile() with user-controlled path" }, { "case_id": "go-fmt_string-001", "file": "go/fmt_string/fmt_injection.go", "language": "go", "is_vulnerable": true, "vuln_class": "fmt_string", "cwe": "CWE-134", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 10, 10 ] ], "expected_source_lines": [ [ 9, 9 ] ], "tags": [ "fmt-fprintf", "format-string-injection" ], "disabled": false, "notes": "Format string injection via user-controlled format arg to fmt.Fprintf()" }, { "case_id": "go-safe-001", "file": "go/safe/safe_constant.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "constant", "no-source" ], "disabled": false, "notes": "Constant string arguments to exec.Command; no user-controlled data" }, { "case_id": "go-safe-002", "file": "go/safe/safe_dominated.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], 
"allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "state-unauthed-access" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "allowlist", "dominated-check", "map-lookup" ], "disabled": false, "notes": "User input dominated by map allowlist check before exec.Command()" }, { "case_id": "go-safe-003", "file": "go/safe/safe_interprocedural.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "state-unauthed-access" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "sanitizer", "filepath-clean", "interprocedural" ], "disabled": false, "notes": "filepath.Clean sanitizer applied via helper function before os.ReadFile(); auth guard present. Caveat: filepath.Clean only normalises the path lexically and does not confine it to a base directory (a cleaned path can still be absolute or start with ..), so confirm the fixture's safety does not rest on Clean alone" }, { "case_id": "go-safe-004", "file": "go/safe/safe_non_security_sink.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "non-security-sink", "log-printf" ], "disabled": false, "notes": "User input flows to log.Printf and length output; no security-sensitive sink" }, { "case_id": "go-safe-005", "file": "go/safe/safe_reassigned.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", 
"expected_sink_lines": [], "expected_source_lines": [], "tags": [ "reassignment", "killed-taint" ], "disabled": false, "notes": "Tainted variable reassigned to constant 'Guest' before reaching fmt.Fprintf()" }, { "case_id": "go-safe-006", "file": "go/safe/safe_sanitized.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "state-unauthed-access" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "sanitizer", "filepath-clean" ], "disabled": false, "notes": "filepath.Clean sanitizer applied inline before os.ReadFile(); auth guard present. Caveat: filepath.Clean only normalises the path lexically and does not confine it to a base directory (a cleaned path can still be absolute or start with ..), so confirm the fixture's safety does not rest on Clean alone" }, { "case_id": "go-safe-007", "file": "go/safe/safe_type_check.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "type-check", "strconv-atoi-guard" ], "disabled": false, "notes": "strconv.Atoi check guards db.Query(); only valid integers reach the sink" }, { "case_id": "go-safe-008", "file": "go/safe/safe_validated.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "state-unauthed-access" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "allowlist", "validated", "map-lookup" ], "disabled": false, "notes": "Allowlist map validation before 
exec.Command(); only permitted commands reach sink" }, { "case_id": "go-safe-009", "file": "go/safe/safe_validated_queue_element.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "go.cmdi.exec_command", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "validated", "container-element", "index-read", "pointer-w4-w5" ], "disabled": false, "notes": "validate() sanitises before append(); cmds[0] re-read carries the validated_must bit through the W4 ELEM cell + W5 subscript synth, suppressing the cmdi finding." }, { "case_id": "php-sqli-001", "file": "php/sqli/sqli_concat.php", "language": "php", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "php.sqli.query_concat" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow", "state-resource-leak" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 4, 4 ] ], "expected_source_lines": [ [ 2, 2 ] ], "tags": [ "concat", "mysqli-query" ], "disabled": false, "notes": "SQL injection via string concat in mysqli->query()" }, { "case_id": "php-sqli-002", "file": "php/sqli/sqli_sprintf.php", "language": "php", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "php.sqli.query_concat" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow", "state-resource-leak" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 4, 4 ] ], "expected_source_lines": [ [ 2, 2 
] ], "tags": [ "sprintf", "mysqli-query" ], "disabled": false, "notes": "SQL injection via sprintf in mysqli->query()" }, { "case_id": "php-cmdi-001", "file": "php/cmdi/cmdi_direct.php", "language": "php", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "php.cmdi.system" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 3, 3 ] ], "expected_source_lines": [ [ 2, 2 ] ], "tags": [ "direct", "system" ], "disabled": false, "notes": "Direct command injection via system()" }, { "case_id": "php-cmdi-002", "file": "php/cmdi/cmdi_indirect.php", "language": "php", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "php.cmdi.system" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 3, 3 ] ], "expected_source_lines": [ [ 2, 2 ] ], "tags": [ "indirect", "shell-exec", "concat" ], "disabled": false, "notes": "Indirect command injection via shell_exec(); taint-based since shell_exec is not directly an AST pattern" }, { "case_id": "php-xss-001", "file": "php/xss/xss_reflected.php", "language": "php", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 3, 3 ] ], "expected_source_lines": [ [ 2, 2 ] ], "tags": [ "echo", "reflected" ], "disabled": false, "notes": "Reflected XSS via echo with unescaped user 
input in HTML" }, { "case_id": "php-ssrf-001", "file": "php/ssrf/ssrf_curl.php", "language": "php", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 3, 3 ] ], "expected_source_lines": [ [ 2, 2 ] ], "tags": [ "file-get-contents", "ssrf" ], "disabled": false, "notes": "SSRF via file_get_contents() with user-controlled URL (the sink recorded here is file_get_contents(), not cURL, despite the ssrf_curl.php file name)" }, { "case_id": "php-ssrf-002", "file": "php/ssrf/ssrf_class_method_fopen.php", "language": "php", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 15, 15 ] ], "expected_source_lines": [ [ 14, 14 ] ], "tags": [ "fopen", "ssrf", "class-method" ], "disabled": false, "notes": "Regression: PHP class-method body taint analysis (declaration_list mapped to Kind::Block) + fopen as PHP SSRF sink" }, { "case_id": "php-path_traversal-001", "file": "php/path_traversal/path_traversal.php", "language": "php", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "php.path.include_variable" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 3, 3 ] ], "expected_source_lines": [ [ 2, 2 ] ], "tags": [ "include", "path-traversal" ], "disabled": false, "notes": "Path traversal / RFI via include() with user-controlled path" }, { 
"case_id": "php-path_traversal-002", "file": "php/path_traversal/path_traversal_copy.php", "language": "php", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 4, 4 ] ], "expected_source_lines": [ [ 2, 2 ] ], "tags": [ "copy", "path-traversal" ], "disabled": false, "notes": "Path traversal via copy() with user-controlled source path" }, { "case_id": "php-deser-002", "file": "php/deser/deser_unserialize_allowed_true.php", "language": "php", "is_vulnerable": true, "vuln_class": "deser", "cwe": "CWE-502", "provenance": "real-repo-precision-2026-04-28", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "php.deser.unserialize" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 8, 8 ] ], "expected_source_lines": [ [ 7, 7 ] ], "tags": [ "real-repo-precision-2026-04-28", "unserialize", "allowed_classes", "true-default" ], "disabled": false, "notes": "Vulnerable counterpart to php-safe-017: allowed_classes => true is the unsafe default. Pattern must still fire." 
}, { "case_id": "php-path_traversal-003", "file": "php/path_traversal/path_traversal_concat.php", "language": "php", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-98", "provenance": "real-repo-precision-2026-04-28", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "php.path.include_variable" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 10, 10 ] ], "expected_source_lines": [ [ 9, 9 ] ], "tags": [ "real-repo-precision-2026-04-28", "include", "concat", "user-input" ], "disabled": false, "notes": "Vulnerable counterpart to php-safe-018: included variable is built from concatenation of $_GET inside the function \u2014 not a parameter pass-through. Pattern must still fire." }, { "case_id": "php-deser-001", "file": "php/deser/deser_unserialize.php", "language": "php", "is_vulnerable": true, "vuln_class": "deser", "cwe": "CWE-502", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "php.deser.unserialize" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 3, 3 ] ], "expected_source_lines": [ [ 2, 2 ] ], "tags": [ "unserialize", "deserialization" ], "disabled": false, "notes": "Insecure deserialization via unserialize() with user-controlled POST data" }, { "case_id": "php-code_injection-001", "file": "php/code_injection/code_injection.php", "language": "php", "is_vulnerable": true, "vuln_class": "code_injection", "cwe": "CWE-94", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "php.code_exec.eval" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", 
"expected_sink_lines": [ [ 3, 3 ] ], "expected_source_lines": [ [ 2, 2 ] ], "tags": [ "eval", "code-injection" ], "disabled": false, "notes": "Code injection via eval() with user-controlled code" }, { "case_id": "php-code_injection-002", "file": "php/code_injection/code_injection_assert.php", "language": "php", "is_vulnerable": true, "vuln_class": "code_injection", "cwe": "CWE-94", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "php.code_exec.assert_string" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 3, 3 ] ], "expected_source_lines": [ [ 2, 2 ] ], "tags": [ "assert", "code-injection" ], "disabled": false, "notes": "Code injection via assert() with string argument (PHP < 8.0 evaluates as code)" }, { "case_id": "php-safe-001", "file": "php/safe/safe_constant.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "constant", "no-source" ], "disabled": false, "notes": "Constant string argument to system(); no user-controlled data" }, { "case_id": "php-safe-002", "file": "php/safe/safe_dominated.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "allowlist", "dominated-check", "in-array" ], "disabled": false, "notes": "User 
input dominated by in_array allowlist check before system()" }, { "case_id": "php-safe-003", "file": "php/safe/safe_interprocedural.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "sanitizer", "htmlspecialchars", "interprocedural" ], "disabled": false, "notes": "htmlspecialchars sanitizer applied via helper function before echo" }, { "case_id": "php-safe-004", "file": "php/safe/safe_non_security_sink.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "non-security-sink", "error-log" ], "disabled": false, "notes": "User input flows to error_log and strlen; echo outputs only the length integer" }, { "case_id": "php-safe-005", "file": "php/safe/safe_reassigned.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "reassignment", "killed-taint" ], "disabled": false, "notes": "Tainted variable reassigned to constant 'Guest' before reaching echo" }, { "case_id": "php-safe-006", "file": "php/safe/safe_sanitized.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": 
"N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "sanitizer", "htmlspecialchars" ], "disabled": false, "notes": "htmlspecialchars sanitizer applied inline before echo" }, { "case_id": "php-safe-007", "file": "php/safe/safe_type_check.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "type-check", "is-numeric-guard" ], "disabled": false, "notes": "is_numeric check guards mysqli->query(); only numeric strings reach the sink" }, { "case_id": "php-safe-008", "file": "php/safe/safe_validated.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "allowlist", "validated", "in-array" ], "disabled": false, "notes": "Allowlist in_array validation before system(); only permitted commands reach sink" }, { "case_id": "js-ssrf-002", "file": "javascript/ssrf/ssrf_axios.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cfg-unguarded-sink" ], "forbidden_rule_ids": 
[], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "axios", "ssrf" ], "disabled": false, "notes": "SSRF via bare axios() call with user-controlled URL" }, { "case_id": "js-ssrf-003", "file": "javascript/ssrf/ssrf_http_get_chained.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cfg-unguarded-sink" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "http", "ssrf", "chained-call" ], "disabled": false, "notes": "Regression guard for the chained-method-call inner-gate fix (2026-04-27): http.get(url, cb).on('error', cb) must classify as SSRF on the inner http.get even though the outer .on swallows classification." }, { "case_id": "js-ssrf-safe-002", "file": "javascript/ssrf/safe_http_get_hardcoded_chained.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "http", "ssrf-safe", "chained-call", "negative" ], "disabled": false, "notes": "Precision guard: chained-call inner-gate fix must NOT fire on http.get('http://internal-health.localhost/...').on(...) with a hardcoded literal URL." 
}, { "case_id": "js-path_traversal-ternary-source-001", "file": "javascript/path_traversal/path_traversal_ternary_source.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cfg-unguarded-sink" ], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "path_traversal", "ternary-as-value", "source-classification" ], "disabled": false, "notes": "Regression guard for the ternary-RHS source-classification fix in src/cfg/conditions.rs::lower_ternary_branch (2026-05-04). Pre-fix, push_node only did suffix/prefix matching on the branch text, so req.query.lng did not classify as a Source (rule matcher is req.query, neither matches req.query.lng). Both ternary branches lowered to labelless Assign-with-empty-uses, the join phi saw no taint, and downstream sinks missed the flow. Motivated by GHSA-jfgf-83c5-2c4m / CVE-2026-42353." }, { "case_id": "js-safe-ternary-const-branches", "file": "javascript/safe/safe_ternary_const_branches.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "ternary-as-value", "source-classification", "negative" ], "disabled": false, "notes": "Precision guard: ternary-RHS source-classification fix must NOT synthesise a Source label when both branches are constant strings. Pins the conservative gate inside lower_ternary_branch." 
}, { "case_id": "py-ssrf-002", "file": "python/ssrf/ssrf_httpx_post.py", "language": "python", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cfg-unguarded-sink" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "httpx", "ssrf" ], "disabled": false, "notes": "SSRF via httpx.post() with user-controlled URL" }, { "case_id": "go-ssrf-002", "file": "go/ssrf/ssrf_new_request.go", "language": "go", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cfg-unguarded-sink" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 9, 9 ] ], "expected_source_lines": [ [ 8, 8 ] ], "tags": [ "http-client", "ssrf" ], "disabled": false, "notes": "SSRF via http.NewRequest() with user-controlled URL" }, { "case_id": "ruby-ssrf-001", "file": "ruby/ssrf/ssrf_httparty.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cfg-unguarded-sink" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 5, 5 ] ], "expected_source_lines": [ [ 4, 4 ] ], "tags": [ "httparty", "ssrf" ], "disabled": false, "notes": "SSRF via HTTParty.get() with user-controlled URL" }, { "case_id": "ruby-ssrf-003", "file": "ruby/ssrf/ssrf_open_uri.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": 
"ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cfg-unguarded-sink" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 5, 5 ] ], "expected_source_lines": [ [ 4, 4 ] ], "tags": [ "open-uri", "ssrf" ], "disabled": false, "notes": "SSRF via OpenURI.open_uri() with user-controlled URL \u2014 canonical low-level URI fetcher; CarrierWave / Paperclip / similar gems route SSRF-vulnerable downloads through it" }, { "case_id": "js-ssrf-safe-001", "file": "javascript/ssrf/safe_ssrf_hardcoded.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "hardcoded", "ssrf", "no-source" ], "disabled": false, "notes": "Hardcoded URL to axios(); no user-controlled data" }, { "case_id": "py-ssrf-safe-001", "file": "python/ssrf/safe_ssrf_constant.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "constant", "ssrf", "no-source" ], "disabled": false, "notes": "Constant URL to requests.get(); no user-controlled data" }, { "case_id": "go-ssrf-safe-001", "file": "go/ssrf/safe_ssrf_hardcoded.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", 
"provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "hardcoded", "ssrf", "no-source" ], "disabled": false, "notes": "Hardcoded URL to http.Get(); no user-controlled data" }, { "case_id": "php-ssrf-safe-001", "file": "php/ssrf/safe_ssrf_hardcoded.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "hardcoded", "ssrf", "no-source" ], "disabled": false, "notes": "Hardcoded URL to file_get_contents(); no user-controlled data" }, { "case_id": "ruby-safe-001", "file": "ruby/safe/safe_constant.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "constant", "no-source" ], "disabled": false, "notes": "Constant string argument to system(); no user-controlled data" }, { "case_id": "ruby-safe-002", "file": "ruby/safe/safe_dominated.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, 
"expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "allowlist", "dominated-check", "include" ], "disabled": false, "notes": "Allowlist guard dominates system() call; taint should be suppressed" }, { "case_id": "ruby-safe-003", "file": "ruby/safe/safe_interprocedural.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "sanitizer", "shellwords-escape", "interprocedural" ], "disabled": false, "notes": "Shellwords.escape called via helper function; interprocedural sanitization" }, { "case_id": "ruby-safe-004", "file": "ruby/safe/safe_non_security_sink.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "non-security-sink", "logger" ], "disabled": false, "notes": "Logger.info is not a security-sensitive sink" }, { "case_id": "ruby-safe-005", "file": "ruby/safe/safe_reassigned.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "reassignment", "killed-taint" ], "disabled": false, "notes": "Tainted variable reassigned to constant before reaching 
sink" }, { "case_id": "ruby-safe-006", "file": "ruby/safe/safe_sanitized.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "sanitizer", "shellwords-escape" ], "disabled": false, "notes": "Shellwords.escape sanitizes user input before system() call" }, { "case_id": "ruby-safe-007", "file": "ruby/safe/safe_type_check.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "type-check", "is-a-guard" ], "disabled": false, "notes": "Type check guard (is_a? 
Integer) dominates SQL execution" }, { "case_id": "ruby-safe-008", "file": "ruby/safe/safe_validated.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "allowlist", "validated" ], "disabled": false, "notes": "Allowlist validation before system() call" }, { "case_id": "ruby-safe-009", "file": "ruby/safe/safe_kernel_open_file_namespaced.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "kernel-open", "file-open", "regression", "no-source" ], "disabled": false, "notes": "Negative regression for Ruby =open exact-matcher: File.open with a hardcoded path must not fire the bare-open CMDI rule (or any taint rule); pairs with ruby-cmdi-003" }, { "case_id": "ruby-ssrf-safe-001", "file": "ruby/ssrf/safe_ssrf_hardcoded.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "hardcoded", "ssrf", "no-source" ], "disabled": false, "notes": "Hardcoded URL to HTTParty.get(); no user-controlled data" }, { "case_id": "ruby-cmdi-001", "file": 
"ruby/cmdi/cmdi_system.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rb.cmdi.system_interp" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 3, 3 ] ], "expected_source_lines": [ [ 2, 2 ] ], "tags": [ "system", "cmdi" ], "disabled": false, "notes": "Command injection via system() with user-controlled argument" }, { "case_id": "ruby-cmdi-002", "file": "ruby/cmdi/cmdi_backtick.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "rb.cmdi.backtick" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 3, 3 ] ], "expected_source_lines": [ [ 2, 2 ] ], "tags": [ "backtick", "cmdi" ], "disabled": false, "notes": "Command injection via backtick interpolation with user-controlled data" }, { "case_id": "ruby-cmdi-003", "file": "ruby/cmdi/cmdi_kernel_open.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 11, 11 ] ], "expected_source_lines": [ [ 10, 10 ] ], "tags": [ "kernel-open", "cmdi", "regression" ], "disabled": false, "notes": "CVE-2020-8130 regression: bare Kernel#open(path) interprets a leading | as a shell pipe; the =open exact-matcher distinguishes it from File.open / IO.open / URI.open" }, { "case_id": 
"ruby-code_injection-001", "file": "ruby/code_injection/code_injection_eval.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "code_injection", "cwe": "CWE-94", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rb.code_exec.eval" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 3, 3 ] ], "expected_source_lines": [ [ 2, 2 ] ], "tags": [ "eval", "code-injection" ], "disabled": false, "notes": "Code injection via eval() with user-controlled expression" }, { "case_id": "ruby-deser-001", "file": "ruby/deser/deser_marshal.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "deser", "cwe": "CWE-502", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rb.deser.marshal_load" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 3, 3 ] ], "expected_source_lines": [ [ 2, 2 ] ], "tags": [ "marshal", "deserialization" ], "disabled": false, "notes": "Insecure deserialization via Marshal.load() with user-controlled data" }, { "case_id": "ruby-deser-002", "file": "ruby/deser/deser_yaml.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "deser", "cwe": "CWE-502", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rb.deser.yaml_load" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 5, 5 ] ], "expected_source_lines": [ [ 4, 4 ] ], "tags": [ "yaml", "deserialization" ], "disabled": false, "notes": "Insecure deserialization via YAML.load() with user-controlled data" }, { "case_id": 
"ruby-path_traversal-001", "file": "ruby/path_traversal/path_traversal_send_file.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 3, 3 ] ], "expected_source_lines": [ [ 2, 2 ] ], "tags": [ "send-file", "path-traversal" ], "disabled": false, "notes": "Path traversal via send_file() with user-controlled path" }, { "case_id": "ruby-path_traversal-002", "file": "ruby/path_traversal/path_traversal_yaml_load_file_read.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 4, 4 ] ], "expected_source_lines": [ [ 7, 7 ] ], "tags": [ "wrapper-sink", "path-traversal" ], "disabled": false, "notes": "Path traversal via cross-fn helper that wraps File.read inside YAML.safe_load (the `outer(File.read(x))` shape used in real Ruby helpers \u2014 rswag CVE-2023-38337 chain). Regression guard for the inner-call fallback fix in src/cfg/mod.rs::push_node so a wrapper around an FILE_IO sink continues to surface in summary extraction." 
}, { "case_id": "ruby-sqli-001", "file": "ruby/sqli/sqli_find_by_sql.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 3, 3 ] ], "expected_source_lines": [ [ 2, 2 ] ], "tags": [ "find-by-sql", "sqli" ], "disabled": false, "notes": "SQL injection via find_by_sql() with string concatenation" }, { "case_id": "ruby-sqli-002", "file": "ruby/sqli/sqli_execute.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 3, 3 ] ], "expected_source_lines": [ [ 2, 2 ] ], "tags": [ "execute", "sqli" ], "disabled": false, "notes": "SQL injection via ActiveRecord execute() with string concatenation" }, { "case_id": "ruby-ssrf-002", "file": "ruby/ssrf/ssrf_net_http.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cfg-unguarded-sink" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 5, 5 ] ], "expected_source_lines": [ [ 4, 4 ] ], "tags": [ "net-http", "ssrf" ], "disabled": false, "notes": "SSRF via Net::HTTP.get() with user-controlled URL" }, { "case_id": "ruby-xss-001", "file": "ruby/xss/xss_html_safe.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "xss", "cwe": 
"CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 3, 3 ] ], "expected_source_lines": [ [ 2, 2 ] ], "tags": [ "html-safe", "xss" ], "disabled": false, "notes": "XSS via html_safe on user-controlled input" }, { "case_id": "ruby-xss-002", "file": "ruby/xss/xss_raw.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 3, 3 ] ], "expected_source_lines": [ [ 2, 2 ] ], "tags": [ "raw", "xss" ], "disabled": false, "notes": "XSS via raw() on user-controlled input" }, { "case_id": "js-xss-react-001", "file": "javascript/xss/xss_react_dangerously.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "react", "dangerouslySetInnerHTML", "xss" ], "disabled": false, "notes": "React XSS via dangerouslySetInnerHTML with user-controlled content" }, { "case_id": "js-safe-parseInt-001", "file": "javascript/safe/safe_parseInt.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], 
"forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "parseInt", "type-coercion", "sanitizer" ], "disabled": false, "notes": "parseInt sanitizes user input \u2014 should produce no taint finding" }, { "case_id": "py-cmdi-popen-001", "file": "python/cmdi/cmdi_popen_shell.py", "language": "python", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "state-resource-leak" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "subprocess", "popen", "shell-true", "gated-sink" ], "disabled": false, "notes": "Command injection via subprocess.Popen with shell=True" }, { "case_id": "py-safe-int-001", "file": "python/safe/safe_int_cast.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "int", "type-coercion", "sanitizer" ], "disabled": false, "notes": "int() type coercion sanitizes user input \u2014 should produce no taint finding" }, { "case_id": "java-sqli-stmt-001", "file": "java/sqli/sqli_statement_vs_prepared.java", "language": "java", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "state-resource-leak" ], "forbidden_rule_ids": [], 
"expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 11, 11 ] ], "expected_source_lines": [ [ 7, 7 ] ], "tags": [ "statement", "executeQuery", "string-concat" ], "disabled": false, "notes": "SQL injection via raw Statement.executeQuery with string concatenation" }, { "case_id": "java-safe-prepared-001", "file": "java/safe/safe_prepared_statement.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "prepareStatement", "parameterized", "sanitizer" ], "disabled": false, "notes": "prepareStatement sanitizes SQL input \u2014 should produce no SQL taint finding" }, { "case_id": "java-sqli-stmt-execute-002", "file": "java/sqli/sqli_statement_execute_chained.java", "language": "java", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 36, 36 ] ], "expected_source_lines": [ [ 25, 25 ] ], "tags": [ "statement", "execute", "createStatement", "string-concat", "ghsa-h8cj" ], "disabled": false, "notes": "Regression guard for GHSA-h8cj-hpmg-636v engine fixes: createStatement is typed as DatabaseConnection; Statement.execute(query) resolves as SQL_QUERY sink via DatabaseConnection.execute label; helper-summary type-facts threading carries the sink across the executeDbQuery boundary." 
}, { "case_id": "java-safe-stmt-execute-validated", "file": "java/safe/safe_statement_execute_pattern_validated.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "Pattern", "matcher", "matches", "validator", "ghsa-h8cj" ], "disabled": false, "notes": "Regression guard for GHSA-h8cj-hpmg-636v patched form: Pattern.matcher(value).matches() chain on a PATTERN-named receiver classifies as ValidationCall, short-circuit `||` cond chain preserves validated_must to the implicit return, and helper-summary validated_params_to_return suppresses the SQL_QUERY sink at the caller." }, { "case_id": "go-safe-atoi-001", "file": "go/safe/safe_strconv_atoi.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "strconv", "Atoi", "type-conversion", "sanitizer" ], "disabled": false, "notes": "strconv.Atoi sanitizes user input \u2014 should produce no taint finding" }, { "case_id": "go-xss-gin-001", "file": "go/xss/xss_gin_source.go", "language": "go", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 10, 10 ] ], 
"expected_source_lines": [ [ 9, 9 ] ], "tags": [ "gin", "xss", "formvalue" ], "disabled": false, "notes": "XSS via r.FormValue flowing to fmt.Fprintf response writer" }, { "case_id": "php-safe-filter-001", "file": "php/safe/safe_filter_input.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "filter_input", "sanitizer" ], "disabled": false, "notes": "filter_input sanitizes user input \u2014 should produce no taint finding" }, { "case_id": "php-safe-camelcase-validator-001", "file": "php/safe/safe_camelcase_validator_negated.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "validator", "camelcase", "negated", "class-method" ], "disabled": false, "notes": "Regression: camelCase `isSafeRemoteUrl` validator + `if (!validator($x))` early-return narrowing in PHP class method" }, { "case_id": "php-sqli-pdo-001", "file": "php/sqli/sqli_pdo_raw.php", "language": "php", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 5, 5 ] ], "expected_source_lines": [ [ 2, 2 ] ], "tags": [ "pdo", "raw-query", 
"sqli" ], "disabled": false, "notes": "SQL injection via raw PDO query with string concatenation" }, { "case_id": "ruby-safe-strong-params-001", "file": "ruby/safe/safe_strong_params.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "strong-params", "permit", "require", "rails" ], "disabled": false, "notes": "Rails strong parameters (permit/require) sanitize user input \u2014 safe pattern" }, { "case_id": "ruby-sqli-raw-001", "file": "ruby/sqli/sqli_raw_connection.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 4, 6 ] ], "expected_source_lines": [ [ 3, 3 ] ], "tags": [ "connection-execute", "raw-sql", "sqli" ], "disabled": true, "notes": "SQL injection via ActiveRecord connection.execute \u2014 disabled: multi-line call expression not resolved by SSA lowering for Ruby class methods" }, { "case_id": "py-cmdi-cross-001", "file": "python/cmdi/cross_propagation/", "language": "python", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "py.cmdi.os_system" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 4, 4 ] ], "tags": [ "cross-file", "ssa-summary", 
"propagation" ], "disabled": false, "notes": "Cross-file taint propagation: env source \u2192 wrapper function \u2192 os.system sink" }, { "case_id": "py-cmdi-cross-002", "file": "python/cmdi/cross_source/", "language": "python", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "py.cmdi.subprocess" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 5, 5 ] ], "expected_source_lines": [ [ 4, 4 ] ], "tags": [ "cross-file", "ssa-summary", "source-detection" ], "disabled": false, "notes": "Cross-file source detection: read_input() returns env source \u2192 subprocess.call sink" }, { "case_id": "py-cmdi-cross-003", "file": "python/cmdi/cross_sanitizer/", "language": "python", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "py.cmdi.os_system" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 4, 4 ] ], "tags": [ "cross-file", "ssa-summary", "wrong-sanitizer" ], "disabled": false, "notes": "Cross-file wrong-cap sanitizer: HTML sanitizer does not strip SHELL_ESCAPE caps \u2192 os.system still vulnerable" }, { "case_id": "py-cmdi-cross-004", "file": "python/cmdi/cross_indirect_sink/", "language": "python", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "py.cmdi.os_system" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", 
"expected_sink_lines": [ [ 5, 5 ] ], "expected_source_lines": [ [ 6, 6 ] ], "expected_call_site_lines": [ [ 7, 7 ] ], "tags": [ "cross-file", "helper-function", "sink-in-helper" ], "disabled": false, "notes": "Cross-file sink-in-helper: app.py line 6 reads env source, line 7 calls run_cmd() (cross-file call), helper.py line 5 is the real os.system sink. Phase 3 attribution must report helper.py:5 as the primary location (not app.py:7) and include app.py:7 in flow_steps as a Call step." }, { "case_id": "js-xss-cross-001", "file": "javascript/xss/cross_propagation/", "language": "javascript", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "js.xss.document_write" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "cross-file", "ssa-summary", "propagation" ], "disabled": false, "notes": "Cross-file taint propagation: req.query \u2192 render wrapper \u2192 document.write XSS sink" }, { "case_id": "go-cmdi-cross-001", "file": "go/cmdi/cross_source/", "language": "go", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "go.cmdi.exec_command", "state-unauthed-access" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 10, 10 ] ], "expected_source_lines": [ [ 9, 9 ] ], "tags": [ "cross-file", "ssa-summary", "source-detection" ], "disabled": false, "notes": "Cross-file source detection: GetUserInput returns request param \u2192 exec.Command sink" }, { "case_id": "go-path_traversal-cross-001", "file": 
"go/path_traversal/cross_sanitizer/", "language": "go", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "go.path_traversal.readfile", "state-unauthed-access" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 11, 11 ] ], "expected_source_lines": [ [ 9, 9 ] ], "tags": [ "cross-file", "ssa-summary", "wrong-sanitizer" ], "disabled": false, "notes": "Cross-file wrong-cap sanitizer: HTML sanitizer does not strip FILE_IO caps \u2192 os.ReadFile still vulnerable" }, { "case_id": "c-cmdi-001", "file": "c/cmdi/cmdi_system.c", "language": "c", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "c.cmdi.system" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "getenv" ], "disabled": false, "notes": "Direct flow from getenv to system()" }, { "case_id": "c-cmdi-002", "file": "c/cmdi/cmdi_popen.c", "language": "c", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "c.cmdi.popen" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "getenv" ], "disabled": false, "notes": "Direct flow from getenv to popen()" }, { "case_id": "c-cmdi-003", "file": "c/cmdi/cmdi_exec.c", "language": "c", "is_vulnerable": true, 
"vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "c.cmdi.execvp", "cfg-unguarded-sink" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "getenv" ], "disabled": false, "notes": "Direct flow from getenv to execvp()" }, { "case_id": "c-cmdi-004", "file": "c/cmdi/cmdi_fgets.c", "language": "c", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "c.cmdi.system" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 7, 7 ] ], "expected_source_lines": [ [ 6, 6 ] ], "tags": [ "stdin", "fgets" ], "disabled": false, "notes": "Flow from fgets(stdin) to system()" }, { "case_id": "c-path-001", "file": "c/path_traversal/path_traversal_fopen.c", "language": "c", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "c.file_io.fopen" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "getenv" ], "disabled": false, "notes": "Direct flow from getenv to fopen()" }, { "case_id": "c-path-002", "file": "c/path_traversal/path_traversal_open.c", "language": "c", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ 
"taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "c.file_io.open" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "getenv" ], "disabled": false, "notes": "Direct flow from getenv to open()" }, { "case_id": "c-fmt-001", "file": "c/fmt_string/fmt_printf.c", "language": "c", "is_vulnerable": true, "vuln_class": "fmt_string", "cwe": "CWE-134", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "c.fmt_string.printf" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "getenv" ], "disabled": false, "notes": "Direct flow from getenv to printf() as format string" }, { "case_id": "c-fmt-002", "file": "c/fmt_string/fmt_fprintf.c", "language": "c", "is_vulnerable": true, "vuln_class": "fmt_string", "cwe": "CWE-134", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "c.fmt_string.fprintf" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "getenv" ], "disabled": false, "notes": "Direct flow from getenv to fprintf() as format string" }, { "case_id": "c-ssrf-001", "file": "c/ssrf/ssrf_curl.c", "language": "c", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "c.ssrf.curl_easy_perform" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", 
"expected_category": "Security", "expected_sink_lines": [ [ 8, 8 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "curl" ], "disabled": false, "notes": "Direct flow from getenv to curl_easy_perform()" }, { "case_id": "c-buf-001", "file": "c/buffer_overflow/buffer_sprintf.c", "language": "c", "is_vulnerable": true, "vuln_class": "buffer_overflow", "cwe": "CWE-120", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "c.buffer.sprintf" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 8, 8 ] ], "expected_source_lines": [ [ 6, 6 ] ], "tags": [ "direct", "getenv" ], "disabled": false, "notes": "Direct flow from getenv to unbounded sprintf()" }, { "case_id": "c-buf-002", "file": "c/buffer_overflow/buffer_strcpy.c", "language": "c", "is_vulnerable": true, "vuln_class": "buffer_overflow", "cwe": "CWE-120", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "c.buffer.strcpy" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 7, 7 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "getenv" ], "disabled": false, "notes": "Direct flow from getenv to strcpy()" }, { "case_id": "c-buf-003", "file": "c/buffer_overflow/buffer_strcat.c", "language": "c", "is_vulnerable": true, "vuln_class": "buffer_overflow", "cwe": "CWE-120", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "c.buffer.strcat" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 7, 7 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ 
"direct", "getenv" ], "disabled": false, "notes": "Direct flow from getenv to strcat()" }, { "case_id": "c-buf-005", "file": "c/buffer_overflow/buffer_strcpy_user_arg.c", "language": "c", "is_vulnerable": true, "vuln_class": "buffer_overflow", "cwe": "CWE-120", "provenance": "real-repo-precision-2026-04-28", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "c.memory.strcpy" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 9, 9 ] ], "expected_source_lines": null, "tags": [ "direct", "argv", "real-repo-precision-2026-04-28" ], "disabled": false, "notes": "Vulnerable counterpart to c-safe-017: argv[1] is a non-literal source so Layer D does not suppress; pattern rule fires." }, { "case_id": "c-safe-001", "file": "c/safe/safe_constant.c", "language": "c", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "constant", "no-source" ], "disabled": false, "notes": "Constant string passed to system() \u2014 no taint source" }, { "case_id": "c-safe-002", "file": "c/safe/safe_sanitized_snprintf.c", "language": "c", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-120", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "sanitized", "snprintf" ], "disabled": false, "notes": "Input sanitized through snprintf bounded formatting" }, { "case_id": "c-safe-003", "file": 
"c/safe/safe_atoi.c", "language": "c", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-134", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "sanitized", "atoi" ], "disabled": false, "notes": "Input sanitized through atoi() type conversion" }, { "case_id": "c-safe-004", "file": "c/safe/safe_reassigned.c", "language": "c", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "reassigned" ], "disabled": false, "notes": "Tainted variable reassigned to constant before use" }, { "case_id": "c-safe-005", "file": "c/safe/safe_strncpy.c", "language": "c", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-120", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "sanitized", "strncpy" ], "disabled": false, "notes": "Input sanitized through bounded strncpy" }, { "case_id": "c-safe-006", "file": "c/safe/safe_validated.c", "language": "c", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": 
null, "tags": [ "validated", "path-check" ], "disabled": false, "notes": "Path validated against traversal before fopen" }, { "case_id": "c-safe-007", "file": "c/safe/safe_strtol.c", "language": "c", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-134", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "sanitized", "strtol" ], "disabled": false, "notes": "Input sanitized through strtol() type conversion" }, { "case_id": "c-safe-008", "file": "c/safe/safe_sanitize_func.c", "language": "c", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-134", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "sanitized", "custom-function" ], "disabled": false, "notes": "Input sanitized through sanitize_input() helper" }, { "case_id": "cpp-cmdi-001", "file": "cpp/cmdi/cmdi_system.cpp", "language": "cpp", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cpp.cmdi.system" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "getenv" ], "disabled": false, "notes": "Direct flow from getenv to system()" }, { "case_id": "cpp-cmdi-002", "file": "cpp/cmdi/cmdi_popen.cpp", "language": "cpp", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", 
"equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cpp.cmdi.popen" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "getenv" ], "disabled": false, "notes": "Direct flow from getenv to popen()" }, { "case_id": "cpp-cmdi-003", "file": "cpp/cmdi/cmdi_getline.cpp", "language": "cpp", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cpp.cmdi.system" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 8, 8 ] ], "expected_source_lines": [ [ 7, 7 ] ], "tags": [ "stdin", "getline" ], "disabled": false, "notes": "Flow from std::getline(cin) to system()" }, { "case_id": "cpp-cmdi-004", "file": "cpp/cmdi/cmdi_exec.cpp", "language": "cpp", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cpp.cmdi.execvp", "cfg-unguarded-sink" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "getenv" ], "disabled": false, "notes": "Direct flow from getenv to execvp()" }, { "case_id": "cpp-cmdi-005", "file": "cpp/cmdi/cmdi_stl_vector_string.cpp", "language": "cpp", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], 
"forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 17, 17 ] ], "expected_source_lines": [ [ 12, 12 ] ], "tags": [ "stl-container", "c_str-passthrough", "cpp-precision-2026-04-26" ], "disabled": false, "notes": "Tainted env var stored in std::vector, read via front() and converted via c_str(); flow must reach system()" }, { "case_id": "cpp-cmdi-006", "file": "cpp/cmdi/cmdi_lambda_passthrough.cpp", "language": "cpp", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 16, 16 ] ], "expected_source_lines": [ [ 14, 14 ] ], "tags": [ "lambda", "passthrough", "cpp-precision-2026-04-26" ], "disabled": false, "notes": "Tainted input passed through identity-lambda echo into system(); default Call-arg propagation carries the taint." }, { "case_id": "cpp-cmdi-007", "file": "cpp/cmdi/cmdi_class_inline_method.cpp", "language": "cpp", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 20, 27 ] ], "expected_source_lines": [ [ 25, 25 ] ], "tags": [ "class-method", "inline-definition", "cpp-precision-2026-04-26" ], "disabled": false, "notes": "Inline member-function definition; tainted arg flows through Inner::run into system(). Pinned by Phase 4 KINDS additions for class_specifier." 
}, { "case_id": "cpp-path-001", "file": "cpp/path_traversal/path_traversal_fopen.cpp", "language": "cpp", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cpp.file_io.fopen" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "getenv" ], "disabled": false, "notes": "Direct flow from getenv to fopen()" }, { "case_id": "cpp-path-002", "file": "cpp/path_traversal/path_traversal_open.cpp", "language": "cpp", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cpp.file_io.open" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 7, 7 ] ], "expected_source_lines": [ [ 6, 6 ] ], "tags": [ "direct", "getenv" ], "disabled": false, "notes": "Direct flow from getenv to open()" }, { "case_id": "cpp-fmt-001", "file": "cpp/fmt_string/fmt_printf.cpp", "language": "cpp", "is_vulnerable": true, "vuln_class": "fmt_string", "cwe": "CWE-134", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cpp.fmt_string.printf" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "getenv" ], "disabled": false, "notes": "Direct flow from getenv to printf() as format string" }, { "case_id": "cpp-fmt-002", "file": "cpp/fmt_string/fmt_fprintf.cpp", "language": "cpp", 
"is_vulnerable": true, "vuln_class": "fmt_string", "cwe": "CWE-134", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cpp.fmt_string.fprintf" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "getenv" ], "disabled": false, "notes": "Direct flow from getenv to fprintf() as format string" }, { "case_id": "cpp-ssrf-001", "file": "cpp/ssrf/ssrf_curl.cpp", "language": "cpp", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cpp.ssrf.curl_easy_perform" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 8, 8 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "curl" ], "disabled": false, "notes": "Direct flow from getenv to curl_easy_perform()" }, { "case_id": "cpp-ssrf-002", "file": "cpp/ssrf/ssrf_connect.cpp", "language": "cpp", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cpp.ssrf.connect" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 13, 13 ] ], "expected_source_lines": [ [ 6, 6 ] ], "tags": [ "direct", "socket" ], "disabled": false, "notes": "Direct flow from getenv to connect()" }, { "case_id": "cpp-ssrf-003", "file": "cpp/ssrf/ssrf_builder_user_host.cpp", "language": "cpp", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", 
"match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 24, 24 ] ], "expected_source_lines": [ [ 23, 23 ] ], "tags": [ "builder-chain", "fluent-api", "cpp-precision-2026-04-26" ], "disabled": false, "notes": "Tainted host through fluent Socket::builder().host(h).port(p).connect() chain; terminal connect() must fire." }, { "case_id": "cpp-buf-001", "file": "cpp/buffer_overflow/buffer_sprintf.cpp", "language": "cpp", "is_vulnerable": true, "vuln_class": "buffer_overflow", "cwe": "CWE-120", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cpp.buffer.sprintf" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 8, 8 ] ], "expected_source_lines": [ [ 6, 6 ] ], "tags": [ "direct", "getenv" ], "disabled": false, "notes": "Direct flow from getenv to unbounded sprintf()" }, { "case_id": "cpp-buf-002", "file": "cpp/buffer_overflow/buffer_strcpy.cpp", "language": "cpp", "is_vulnerable": true, "vuln_class": "buffer_overflow", "cwe": "CWE-120", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cpp.buffer.strcpy" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 7, 7 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "getenv" ], "disabled": false, "notes": "Direct flow from getenv to strcpy()" }, { "case_id": "cpp-safe-001", "file": "cpp/safe/safe_constant.cpp", "language": "cpp", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", 
"expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "constant", "no-source" ], "disabled": false, "notes": "Constant string passed to system() \u2014 no taint source" }, { "case_id": "cpp-safe-002", "file": "cpp/safe/safe_snprintf.cpp", "language": "cpp", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-120", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "sanitized", "snprintf" ], "disabled": false, "notes": "Input sanitized through snprintf bounded formatting" }, { "case_id": "cpp-safe-003", "file": "cpp/safe/safe_stoi.cpp", "language": "cpp", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-134", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "sanitized", "stoi" ], "disabled": false, "notes": "Input sanitized through std::stoi() type conversion" }, { "case_id": "cpp-safe-004", "file": "cpp/safe/safe_reassigned.cpp", "language": "cpp", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "reassigned" ], "disabled": false, "notes": "Tainted variable reassigned to constant before use" }, { "case_id": 
"cpp-safe-005", "file": "cpp/safe/safe_strncpy.cpp", "language": "cpp", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-120", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "sanitized", "strncpy" ], "disabled": false, "notes": "Input sanitized through bounded strncpy" }, { "case_id": "cpp-safe-006", "file": "cpp/safe/safe_validated.cpp", "language": "cpp", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "validated", "path-check" ], "disabled": false, "notes": "Path validated against traversal before fopen" }, { "case_id": "cpp-safe-007", "file": "cpp/safe/safe_sanitize_func.cpp", "language": "cpp", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-134", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "sanitized", "custom-function" ], "disabled": false, "notes": "Input sanitized through sanitize_input() helper" }, { "case_id": "cpp-safe-008", "file": "cpp/safe/safe_strtol.cpp", "language": "cpp", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-134", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, 
"expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "sanitized", "strtol" ], "disabled": false, "notes": "Input sanitized through strtol() type conversion (C-style)" }, { "case_id": "cpp-safe-017", "file": "cpp/safe/safe_stl_vector_int.cpp", "language": "cpp", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "sanitized", "stl-container", "cpp-precision-2026-04-26" ], "disabled": false, "notes": "stoi sanitises tainted env var before push_back / front; downstream system() must be TN" }, { "case_id": "cpp-safe-018", "file": "cpp/safe/safe_builder_const_host.cpp", "language": "cpp", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "safe", "builder-chain", "constant-host", "cpp-precision-2026-04-26" ], "disabled": false, "notes": "Builder chain with hardcoded host literal; terminal connect() must NOT fire (no taint on chain)." 
}, { "case_id": "cpp-safe-019", "file": "cpp/safe/safe_reinterpret_cast_byte_pointer.cpp", "language": "cpp", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-704", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "cpp.memory.reinterpret_cast" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "safe", "reinterpret-cast", "byte-pointer", "real-repo-precision-2026-05-01" ], "disabled": false, "notes": "Layer E: reinterpret_cast targets that are well-defined-by-aliasing-rules (byte pointer / void* / uintptr_t / sockaddr family) must NOT fire cpp.memory.reinterpret_cast. Distilled from bitcoin leveldb/serialization/socket shapes." }, { "case_id": "cpp-buf-003", "file": "cpp/buffer_overflow/buffer_reinterpret_cast_struct_alias.cpp", "language": "cpp", "is_vulnerable": true, "vuln_class": "buffer_overflow", "cwe": "CWE-704", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "cpp.memory.reinterpret_cast" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 12, 12 ] ], "expected_source_lines": null, "tags": [ "vuln", "reinterpret-cast", "strict-aliasing", "real-repo-precision-2026-05-01" ], "disabled": false, "notes": "reinterpret_cast(buf) genuinely violates [basic.lval]/11 strict aliasing \u2014 the pattern must continue to fire because the user-defined struct target is not in the byte-pointer / void* / sockaddr safe set." 
}, { "case_id": "rs-cmdi-001", "file": "rust/cmdi/cmdi_command.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rust.cmdi.command" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "env-var" ], "disabled": false, "notes": "Direct flow from env::var to Command::new().arg()" }, { "case_id": "rs-cmdi-002", "file": "rust/cmdi/cmdi_command_output.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rust.cmdi.command" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "env-var" ], "disabled": false, "notes": "Direct flow from env::var to Command::new().output()" }, { "case_id": "rs-cmdi-003", "file": "rust/cmdi/cmdi_indirect.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rust.cmdi.command" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 10, 10 ] ], "expected_source_lines": [ [ 10, 10 ] ], "expected_call_site_lines": [ [ 10, 10 ] ], "tags": [ "indirect", "helper-function" ], "disabled": false, "notes": "Taint flows through helper function to Command. 
Engine attributes intra-file helper sinks at the call site (line 10), not the inner Command::new (line 5); see locator-policy comment in src/ast.rs." }, { "case_id": "rs-cmdi-004", "file": "rust/cmdi/cmdi_args.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rust.cmdi.command" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "env-var", "args" ], "disabled": false, "notes": "Direct flow from env::var to Command.args()" }, { "case_id": "rs-path-001", "file": "rust/path_traversal/path_read.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rust.file_io.read_to_string" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "env-var" ], "disabled": false, "notes": "Direct flow from env::var to fs::read_to_string()" }, { "case_id": "rs-path-002", "file": "rust/path_traversal/path_write.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rust.file_io.write" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "env-var" ], "disabled": false, "notes": 
"Direct flow from env::var to fs::write()" }, { "case_id": "rs-path-003", "file": "rust/path_traversal/path_file_open.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rust.file_io.File" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "env-var" ], "disabled": false, "notes": "Direct flow from env::var to File::open()" }, { "case_id": "rs-path-004", "file": "rust/path_traversal/path_file_create.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rust.file_io.File" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "direct", "env-var" ], "disabled": false, "notes": "Direct flow from env::var to File::create()" }, { "case_id": "rs-ssrf-001", "file": "rust/ssrf/ssrf_reqwest.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rust.ssrf.reqwest" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 5, 5 ] ], "expected_source_lines": [ [ 4, 4 ] ], "tags": [ "direct", "env-var" ], "disabled": false, "notes": "Direct flow from env::var to reqwest::get()" }, { "case_id": "rs-ssrf-002", "file": "rust/ssrf/ssrf_indirect.rs", 
"language": "rust", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rust.ssrf.reqwest" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 9, 9 ] ], "expected_source_lines": [ [ 8, 8 ] ], "tags": [ "indirect", "helper-function" ], "disabled": false, "notes": "Taint flows through helper function to reqwest::get(). Engine attributes intra-file helper sinks at the call site (line 9), not the inner reqwest::get (line 4); see locator-policy comment in src/ast.rs." }, { "case_id": "rs-safe-001", "file": "rust/safe/safe_constant.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "constant", "no-source" ], "disabled": false, "notes": "Constant args passed to Command \u2014 no taint source" }, { "case_id": "rs-safe-002", "file": "rust/safe/safe_sanitized_shell.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "sanitized", "shell-escape" ], "disabled": false, "notes": "Input sanitized through sanitize_shell() before Command" }, { "case_id": "rs-safe-003", "file": "rust/safe/safe_reassigned.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-78", 
"provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "reassigned" ], "disabled": false, "notes": "Tainted variable not used \u2014 constant passed to Command" }, { "case_id": "rs-safe-004", "file": "rust/safe/safe_validated.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "validated", "path-check" ], "disabled": false, "notes": "Path validated against traversal before fs::read_to_string" }, { "case_id": "rs-safe-005", "file": "rust/safe/safe_hardcoded_url.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "constant", "no-source" ], "disabled": false, "notes": "Hardcoded URL passed to reqwest::get \u2014 no taint source" }, { "case_id": "rs-safe-006", "file": "rust/safe/safe_type_check.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "type-check", 
"parse" ], "disabled": false, "notes": "Input parsed to u32 before constructing path \u2014 type-safe" }, { "case_id": "rs-safe-007", "file": "rust/safe/safe_interprocedural.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "interprocedural", "sanitize-wrapper" ], "disabled": false, "notes": "Input sanitized through interprocedural sanitize_input() call chain" }, { "case_id": "rs-safe-008", "file": "rust/safe/safe_dominated.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "validated", "dominated" ], "disabled": false, "notes": "Input validated with allowlist check before Command" }, { "case_id": "rs-safe-009", "file": "rust/safe/safe_shell_metachar.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "validated", "shell-metachar" ], "disabled": false, "notes": "Input rejected when containing shell metacharacters before Command" }, { "case_id": "rs-sqli-002", "file": "rust/sqli/sqli_metachar_gate_wrong_sink.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "sqli", "cwe": 
"CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 13, 13 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "sqli", "shell-metachar-gate" ], "disabled": false, "notes": "Shell-metachar rejection is not a SQL sanitizer; SQL injection must still fire" }, { "case_id": "rs-sqli-format-named-arg", "file": "rust/sqli/sqli_format_named_arg.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "sqli", "format-named-arg" ], "disabled": false, "notes": "Named-arg `{user}` capture in format!() interpolates env::var into a SQL query without sanitisation. Regression guard for the format-string named-arg lifting fix (motivated by CVE-2025-53549)."
}, { "case_id": "rs-cmdi-005", "file": "rust/cmdi/cmdi_format_macro.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rust.cmdi.command" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 7, 7 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "format-macro", "env-var" ], "disabled": false, "notes": "Tainted input interpolated via format!() into sh -c" }, { "case_id": "rs-cmdi-006", "file": "rust/cmdi/cmdi_match_source.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rust.cmdi.command" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 9, 9 ] ], "expected_source_lines": [ [ 6, 6 ] ], "tags": [ "match-expression", "env-var" ], "disabled": false, "notes": "env::var bound via match expression then used as Command program name" }, { "case_id": "rs-cmdi-007", "file": "rust/cmdi/cmdi_string_concat.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rust.cmdi.command" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 7, 7 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "string-concat", "binary-op" ], "disabled": false, "notes": "Tainted &str concatenated via + into sh -c argument" }, { "case_id": "rs-cmdi-008", "file": 
"rust/cmdi/cmdi_static_map_dangerous.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rust.cmdi.command" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 14, 14 ] ], "expected_source_lines": [ [ 6, 6 ] ], "tags": [ "hashmap", "static-lookup", "dangerous-literal" ], "disabled": false, "notes": "Static HashMap where one inserted value carries shell metacharacters \u2014 finite-set suppression must NOT clear this sink" }, { "case_id": "rs-cmdi-009", "file": "rust/cmdi/cmdi_indirect_multisink.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rust.cmdi.command" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 12, 12 ] ], "expected_source_lines": [ [ 10, 11 ] ], "expected_call_site_lines": [ [ 12, 12 ] ], "tags": [ "indirect", "helper-function", "multisink" ], "disabled": false, "notes": "Helper run_both takes two tainted params and invokes two Command sinks on consecutive lines (5, 6). Engine attributes intra-file helper sinks at the call site (line 12), not the inner Command::new (lines 5/6); see locator-policy comment in src/ast.rs." 
}, { "case_id": "rs-cmdi-cross-001", "file": "rust/cmdi/cross_propagation/", "language": "rust", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rust.cmdi.command" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 9, 9 ] ], "expected_source_lines": [ [ 7, 7 ] ], "expected_call_site_lines": [ [ 8, 8 ] ], "tags": [ "cross-file", "propagation" ], "disabled": false, "notes": "Cross-file taint: main.rs line 7 env::var \u2192 transform::wrap at line 8 \u2192 Command::new at line 9. Sink is the top-level Command::new; transform::wrap is a cross-file propagator, not a sink." }, { "case_id": "rs-path-005", "file": "rust/path_traversal/path_remove.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rust.file_io.remove_file" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "filesystem", "remove", "known-gap" ], "disabled": false, "notes": "fs::remove_file not in Rust sink rules \u2014 known false-negative (FN) coverage gap" }, { "case_id": "rs-ssrf-003", "file": "rust/ssrf/ssrf_client_builder.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rust.ssrf.reqwest" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ],
"expected_source_lines": [ [ 4, 4 ] ], "tags": [ "builder-chain", "known-gap" ], "disabled": false, "notes": "reqwest::Client::new().get(url).send() \u2014 builder chain not matched by reqwest::get/Client.execute sinks" }, { "case_id": "rs-sqli-001", "file": "rust/sqli/sqli_rusqlite_format.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "analogue", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rust.sqli.rusqlite" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 8, 8 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "rusqlite", "format-macro", "known-gap" ], "disabled": false, "notes": "rusqlite::Connection.execute not in Rust sink rules \u2014 SQLi class has no Rust coverage" }, { "case_id": "rs-deser-001", "file": "rust/deser/deser_serde_yaml.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "deser", "cwe": "CWE-502", "provenance": "synthetic", "equivalence_tier": "analogue", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rust.deser.serde_yaml" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 9, 9 ] ], "expected_source_lines": [ [ 8, 8 ] ], "tags": [ "serde", "yaml", "known-gap" ], "disabled": false, "notes": "serde_yaml::from_str not in Rust sink rules \u2014 deserialization class has no Rust coverage" }, { "case_id": "rs-xss-001", "file": "rust/xss/axum_html/", "language": "rust", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "rust.xss.axum_html" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", 
"expected_category": "Security", "expected_sink_lines": [ [ 4, 4 ] ], "expected_source_lines": [ [ 3, 3 ] ], "tags": [ "framework", "axum", "html" ], "disabled": false, "notes": "Axum Path \u2192 Html(format!(...)) \u2014 requires framework rules (Cargo.toml present)" }, { "case_id": "rs-safe-009", "file": "rust/safe/safe_match_guard.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "match-guard", "validated" ], "disabled": false, "notes": "Match guard restricts input to ASCII alphanumeric before Command" }, { "case_id": "rs-safe-010", "file": "rust/safe/safe_static_map_lookup.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "hashmap", "static-lookup" ], "disabled": false, "notes": "Tainted key indexes static HashMap \u2014 value is hardcoded, not tainted" }, { "case_id": "rs-safe-011", "file": "rust/safe/safe_parsed_port.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "type-parse", "u16" ], "disabled": false, "notes": "Input parsed to u16 before use as Command arg \u2014 
type-narrowed" }, { "case_id": "rs-safe-fileio-int-uid", "file": "rust/safe/safe_parsed_uid_path.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "type-parse", "u32", "fileio-suppress" ], "disabled": false, "notes": "Tainted username parsed to u32 (uid) before use as PathBuf component \u2014 digits cannot contain `..` or `/`, so the FILE_IO sink suppresses on type alone. Regression guard for the type-only FILE_IO suppression and int-producing-callee leaf-stop." }, { "case_id": "rs-safe-format-named-arg-sanitized", "file": "rust/safe/safe_format_string_sanitized.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "format-named-arg", "sanitized" ], "disabled": false, "notes": "Named-arg `{safe}` reads sanitized value; sanitize_shell strips shell metachars before format!() interpolation reaches Command::new. Regression guard that named-arg lifting still respects sanitiser-dominated flows." 
}, { "case_id": "rs-safe-012", "file": "rust/safe/safe_path_contains_dotdot.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-regression", "path-sanitizer" ], "disabled": false, "notes": "Intraprocedural .contains(\"..\") + .starts_with('/') rejection \u2014 PathFact narrows dotdot and absolute axes on the sanitised branch" }, { "case_id": "rs-safe-015", "file": "rust/safe/safe_path_is_absolute.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-regression", "path-sanitizer" ], "disabled": false, "notes": "Path::new(x).is_absolute() rejection + .contains(\"..\") \u2014 PathFact narrows both axes via typed check and substring rejection" }, { "case_id": "rs-path-006", "file": "rust/traversal/traversal_no_sanitizer.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 11, 11 ] ], "expected_source_lines": [ [ 10, 10 ] ], "tags": [ "pathfact-regression", "negative-guard" ], "disabled": false, "notes": "No sanitiser applied \u2014 PathFact stays Top, FILE_IO sink must fire 
(guards against over-suppression)" }, { "case_id": "rs-safe-cross-001", "file": "rust/cmdi/cross_sanitizer/", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "cross-file", "sanitizer" ], "disabled": false, "notes": "Cross-file: sanitize_shell in sanitizer.rs clears SHELL_ESCAPE cap before Command" }, { "case_id": "js-interproc-safe-001", "file": "javascript/interprocedural/interproc_sanitizer_wrap.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "interprocedural", "sanitizer-wrapper" ], "disabled": false, "notes": "XSS safe: input sanitized through encodeURIComponent wrapper function" }, { "case_id": "py-interproc-safe-001", "file": "python/interprocedural/interproc_sanitizer_wrap.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "interprocedural", "sanitizer-wrapper" ], "disabled": false, "notes": "XSS safe: input sanitized through html.escape wrapper function" }, { "case_id": "java-interproc-safe-001", "file": "java/interprocedural/InterprocSanitizerWrap.java", "language": 
"java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "interprocedural", "sanitizer-wrapper" ], "disabled": false, "notes": "XSS safe: input sanitized through HtmlUtils.htmlEscape wrapper" }, { "case_id": "go-interproc-safe-001", "file": "go/interprocedural/interproc_sanitizer_wrap.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "interprocedural", "sanitizer-wrapper" ], "disabled": false, "notes": "XSS safe: input sanitized through html.EscapeString wrapper function" }, { "case_id": "php-interproc-safe-001", "file": "php/interprocedural/interproc_sanitizer_wrap.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "interprocedural", "sanitizer-wrapper" ], "disabled": false, "notes": "XSS safe: input sanitized through htmlspecialchars wrapper function" }, { "case_id": "rb-interproc-safe-001", "file": "ruby/interprocedural/interproc_sanitizer_wrap.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": 
"rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "interprocedural", "sanitizer-wrapper" ], "disabled": false, "notes": "XSS safe: input sanitized through CGI.escapeHTML wrapper function" }, { "case_id": "js-interproc-001", "file": "javascript/interprocedural/interproc_taint_propagation.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "js.cmdi.exec" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 12, 12 ] ], "expected_source_lines": [ [ 10, 10 ] ], "tags": [ "interprocedural", "taint-propagation" ], "disabled": false, "notes": "Taint flows through buildCommand() helper to exec()" }, { "case_id": "py-interproc-001", "file": "python/interprocedural/interproc_taint_propagation.py", "language": "python", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "py.cmdi.system" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 10, 10 ] ], "expected_source_lines": [ [ 8, 8 ] ], "tags": [ "interprocedural", "taint-propagation" ], "disabled": false, "notes": "Taint flows through build_command() helper to os.system()" }, { "case_id": "java-interproc-001", "file": "java/interprocedural/InterprocTaintPropagation.java", "language": "java", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", 
"expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "java.sqli.executeQuery" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 12, 12 ] ], "expected_source_lines": [ [ 10, 10 ] ], "tags": [ "interprocedural", "taint-propagation" ], "disabled": false, "notes": "Taint flows through buildQuery() helper to executeQuery()" }, { "case_id": "go-interproc-001", "file": "go/interprocedural/interproc_taint_propagation.go", "language": "go", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "go.sqli.query" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 16, 16 ] ], "expected_source_lines": [ [ 14, 14 ] ], "tags": [ "interprocedural", "taint-propagation" ], "disabled": false, "notes": "Taint flows through buildQuery() helper to db.Query()" }, { "case_id": "php-interproc-001", "file": "php/interprocedural/interproc_taint_propagation.php", "language": "php", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "php.sqli.mysqli_query" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 9, 9 ] ], "expected_source_lines": [ [ 7, 7 ] ], "tags": [ "interprocedural", "taint-propagation" ], "disabled": false, "notes": "Taint flows through build_query() helper to mysqli_query()" }, { "case_id": "rb-interproc-001", "file": "ruby/interprocedural/interproc_taint_propagation.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": 
"exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "ruby.sqli.select_all" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 10, 10 ] ], "expected_source_lines": [ [ 8, 8 ] ], "tags": [ "interprocedural", "taint-propagation" ], "disabled": false, "notes": "Taint flows through build_query() helper to select_all()" }, { "case_id": "js-pathprune-safe-001", "file": "javascript/path_pruning/safe_early_return.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "path-pruning", "early-return", "allowlist" ], "disabled": false, "notes": "Command execution gated by allowlist check with early return" }, { "case_id": "py-pathprune-safe-001", "file": "python/path_pruning/safe_early_return.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "path-pruning", "early-return", "allowlist" ], "disabled": false, "notes": "Command execution gated by allowlist check with early return" }, { "case_id": "go-pathprune-safe-001", "file": "go/path_pruning/safe_early_return.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], 
"forbidden_rule_ids": [ "state-unauthed-access" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "path-pruning", "early-return", "allowlist" ], "disabled": false, "notes": "Command execution gated by allowlist check with early return" }, { "case_id": "ts-xss-001", "file": "typescript/xss/xss_typed_innerhtml.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "innerHTML", "typed-express", "reflected" ], "disabled": false, "notes": "Baseline TS XSS: typed Express handler flows req.query into innerHTML" }, { "case_id": "ts-xss-002", "file": "typescript/xss/xss_as_any_cast.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "ts.quality.as_any" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 7, 7 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "as-any", "type-assertion", "innerHTML" ], "disabled": false, "notes": "TS-specific: taint must flow through `as any` and chained assertions (as_expression\u2192Kind::Seq)" }, { "case_id": "ts-xss-003", "file": "typescript/xss/xss_generic_identity.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], 
"allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 11, 11 ] ], "expected_source_lines": [ [ 9, 9 ] ], "tags": [ "generics", "interprocedural", "innerHTML" ], "disabled": false, "notes": "Tests Phase 11 inline context-sensitivity through generic identity function" }, { "case_id": "ts-xss-004", "file": "typescript/xss/xss_optional_chain_source.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 7, 7 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "optional-chain", "adversarial-source", "innerHTML" ], "disabled": false, "notes": "Adversarial: optional-chained source `req?.query?.name`. Tests whether the source matcher survives optional_chain_expression nodes. Expected FN until optional chaining is lowered to member access in labeling" }, { "case_id": "ts-xss-005", "file": "typescript/xss/xss_dangerously_set_inner_html.tsx", "language": "typescript", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 9, 10 ] ], "expected_source_lines": [ [ 7, 7 ] ], "tags": [ "tsx", "jsx", "dangerouslySetInnerHTML" ], "disabled": false, "notes": "TSX fixture: user bio flows into `dangerouslySetInnerHTML` and is sent via res.send. 
Exercises TSX grammar wiring (LANGUAGE_TSX) and confirms taint propagation through JSX expressions" }, { "case_id": "ts-sqli-001", "file": "typescript/sqli/sqli_template_literal.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 10, 10 ] ], "expected_source_lines": [ [ 9, 9 ] ], "tags": [ "sqli", "pg", "template-literal" ], "disabled": false, "notes": "Template-literal SQL via pg Pool.query; exact SQL_QUERY sink match" }, { "case_id": "ts-sqli-002", "file": "typescript/sqli/sqli_prisma_raw.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 10, 10 ] ], "expected_source_lines": [ [ 9, 9 ] ], "tags": [ "sqli", "prisma", "queryRawUnsafe" ], "disabled": false, "notes": "Prisma $queryRawUnsafe \u2014 TS-specific ORM sink" }, { "case_id": "ts-sqli-003", "file": "typescript/sqli/sqli_db_query_concat.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cfg-unguarded-sink" ], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "sqli", "real-repo-precision-2026-04-29", "regression-guard" ], "disabled": false, "notes": 
"Vulnerable counterpart for ts-safe-017 \u2014 bare `connection.query(`SELECT...`)` and chained `db.query(SQL).then(...)` (Promise method, not ORM accessor) must still fire as SQL_QUERY sinks even after the ORM-chain recogniser landed." }, { "case_id": "ts-cmdi-001", "file": "typescript/cmdi/cmdi_exec_template.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 9, 9 ] ], "expected_source_lines": [ [ 8, 8 ] ], "tags": [ "cmdi", "child_process", "template-literal" ], "disabled": false, "notes": "Destructured exec with template literal command from req.body" }, { "case_id": "ts-cmdi-002", "file": "typescript/cmdi/cmdi_async_wrapper.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 11, 11 ] ], "expected_source_lines": [ [ 10, 10 ] ], "tags": [ "cmdi", "async", "promisify", "execAsync" ], "disabled": false, "notes": "promisify-wrapped exec (execAsync) \u2014 TS rules enumerate execAsync as a command sink" }, { "case_id": "ts-ssrf-001", "file": "typescript/ssrf/ssrf_axios_user_url.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", 
"expected_sink_lines": [ [ 8, 8 ] ], "expected_source_lines": [ [ 7, 7 ] ], "tags": [ "ssrf", "axios" ], "disabled": false, "notes": "axios.get with req.query.url \u2014 baseline TS SSRF" }, { "case_id": "ts-ssrf-002", "file": "typescript/ssrf/ssrf_fastify_fetch.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "analogue", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 9, 9 ] ], "expected_source_lines": [ [ 8, 8 ] ], "tags": [ "ssrf", "fastify", "framework-rules", "adversarial-framework" ], "disabled": false, "notes": "Fastify framework route \u2014 exercises framework_rules(ctx) source detection for request.query. Expected FN when framework context is not detected from a single file (no package.json)" }, { "case_id": "ts-ssrf-003", "file": "typescript/ssrf/ssrf_encoded_host.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 9, 9 ] ], "expected_source_lines": [ [ 7, 7 ] ], "tags": [ "ssrf", "axios", "url-encode", "adversarial-fn-guard" ], "disabled": false, "notes": "Regression guard for prefix-locked SSRF suppression: encodeURIComponent is applied to the HOST (not path), so the template prefix 'https://' does not lock the destination. 
Must still fire as SSRF \u2014 proves the StringFact host check does not over-suppress when the attacker controls the authority component" }, { "case_id": "ts-code_injection-001", "file": "typescript/code_injection/code_exec_eval.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "code_injection", "cwe": "CWE-94", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "ts.code_exec.eval" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "eval", "code-injection" ], "disabled": false, "notes": "Classic eval + user input; AST pattern ts.code_exec.eval applies" }, { "case_id": "ts-code_injection-002", "file": "typescript/code_injection/code_exec_new_function.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "code_injection", "cwe": "CWE-94", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "ts.code_exec.new_function" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "new-function", "code-injection" ], "disabled": false, "notes": "new Function(body) \u2014 AST pattern ts.code_exec.new_function" }, { "case_id": "ts-open_redirect-001", "file": "typescript/open_redirect/location_href.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-601", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "ts.xss.location_assign" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", 
"expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "open-redirect", "location-href" ], "disabled": false, "notes": "Open redirect via location.href = userUrl" }, { "case_id": "ts-path_traversal-001", "file": "typescript/path_traversal/path_traversal_sendfile.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 6 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "path-traversal", "sendFile" ], "disabled": false, "notes": "res.sendFile with unsanitized req.query.path" }, { "case_id": "ts-crypto-001", "file": "typescript/crypto/weak_hash_md5.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "crypto", "cwe": "CWE-327", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "ts.crypto.weak_hash_import" ], "allowed_alternative_rule_ids": [ "ts.crypto.weak_hash" ], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 4, 4 ] ], "expected_source_lines": null, "tags": [ "crypto", "weak-hash", "md5" ], "disabled": false, "notes": "md5() imported from the md5 package \u2014 AST pattern ts.crypto.weak_hash_import" }, { "case_id": "ts-secrets-001", "file": "typescript/secrets/fallback_secret.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "secrets", "cwe": "CWE-798", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "ts.secrets.fallback_secret" ], "allowed_alternative_rule_ids": [ "ts.secrets.hardcoded_secret" ], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", 
"expected_sink_lines": [ [ 5, 5 ] ], "expected_source_lines": null, "tags": [ "secrets", "fallback-env" ], "disabled": false, "notes": "process.env.KEY || 'hardcoded' \u2014 AST pattern ts.secrets.fallback_secret" }, { "case_id": "ts-insecure_config-001", "file": "typescript/insecure_config/reject_unauthorized.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "insecure_config", "cwe": "CWE-295", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "ts.config.reject_unauthorized" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 4, 4 ] ], "expected_source_lines": null, "tags": [ "tls", "reject-unauthorized" ], "disabled": false, "notes": "TLS verification disabled \u2014 AST pattern" }, { "case_id": "ts-insecure_config-002", "file": "typescript/insecure_config/cookie_httponly.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "insecure_config", "cwe": "CWE-1004", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "ts.config.insecure_session_httponly" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 9, 9 ] ], "expected_source_lines": null, "tags": [ "cookies", "httpOnly" ], "disabled": false, "notes": "session cookie httpOnly: false \u2014 AST pattern" }, { "case_id": "ts-prototype-001", "file": "typescript/prototype/proto_assignment.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "prototype", "cwe": "CWE-1321", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "ts.prototype.proto_assignment" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", 
"expected_sink_lines": [ [ 4, 4 ] ], "expected_source_lines": null, "tags": [ "prototype-pollution" ], "disabled": false, "notes": "__proto__ write \u2014 AST pattern" }, { "case_id": "ts-interproc-001", "file": "typescript/interprocedural/interproc_class_method.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 17, 17 ] ], "expected_source_lines": [ [ 15, 15 ] ], "tags": [ "cmdi", "class-method", "interprocedural" ], "disabled": false, "notes": "Class method builder: Runner.build concatenates tainted target, caller passes result to exec. Stresses intra-file class-method call resolution" }, { "case_id": "ts-type_system-001", "file": "typescript/type_system/discriminated_union_narrow.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cfg-unguarded-sink" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 13, 13 ] ], "expected_source_lines": [ [ 12, 12 ] ], "tags": [ "discriminated-union", "narrowing", "cmdi" ], "disabled": false, "notes": "TS discriminated-union narrowing (kind === 'ping') does not sanitize \u2014 a.target is still user-controlled. 
Guards against the FP of treating `kind` guards as security sanitizers" }, { "case_id": "ts-type_system-002", "file": "typescript/type_system/interface_dispatch.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 10, 10 ], [ 20, 20 ] ], "expected_source_lines": [ [ 19, 19 ] ], "tags": [ "interface", "dispatch", "adversarial-interprocedural", "cmdi" ], "disabled": false, "notes": "Interface-typed receiver `impl: Runner` \u2192 resolve to ShellRunner.run \u2192 exec. Tests intra-file method resolution through interface types; expected FN if only normalized callee-name matching is used" }, { "case_id": "ts-type_system-003", "file": "typescript/type_system/decorator_passthrough.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "language_specific", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 15, 15 ], [ 23, 23 ] ], "expected_source_lines": [ [ 23, 23 ] ], "tags": [ "decorator", "adversarial-decorator", "cmdi" ], "disabled": false, "notes": "Method decorator wraps Service.run; the undecorated body still contains exec(cmd). Tests whether decorator syntax interferes with class-method extraction. 
Expected FN if decorator parsing derails summary extraction" }, { "case_id": "ts-safe-001", "file": "typescript/safe/safe_dompurify.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "sanitizer", "dompurify" ], "disabled": false, "notes": "DOMPurify.sanitize inline before innerHTML" }, { "case_id": "ts-safe-002", "file": "typescript/safe/safe_number_coerce.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "type-coercion", "Number" ], "disabled": false, "notes": "Number() coercion sanitizes SQL integer interpolation; Number is in TS sanitizer rules with Cap::all()" }, { "case_id": "ts-safe-003", "file": "typescript/safe/safe_encode_uri.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "url-encode", "ssrf", "adversarial-fp" ], "disabled": false, "notes": "Semantically safe: user term is URL-encoded into a fixed-host URL; no SSRF possible. Known Nyx weak spot \u2014 encodeURIComponent is Cap::URL_ENCODE while axios sink is Cap::SSRF, so cap mismatch may yield FP. 
Documents the cap-overlap limitation" }, { "case_id": "ts-safe-004", "file": "typescript/safe/safe_hardcoded_url.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "no-source", "hardcoded" ], "disabled": false, "notes": "Hardcoded URL, no user input; should be a clean TN" }, { "case_id": "ts-safe-005", "file": "typescript/safe/safe_validator_escape.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "sanitizer", "validator" ], "disabled": false, "notes": "validator.escape sanitizes XSS payload before innerHTML" }, { "case_id": "ts-safe-006", "file": "typescript/safe/safe_typeof_guard.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "ts.code_exec.eval" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "type-check", "typeof", "eval" ], "disabled": false, "notes": "typeof === 'number' guards eval; only numbers reach sink. 
Forbidden ts.code_exec.eval here because the taint flow is gated \u2014 pattern-only detection would be an FP" }, { "case_id": "ts-safe-007", "file": "typescript/safe/safe_interproc_sanitizer.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "sanitizer", "interprocedural", "dompurify", "adversarial-fp" ], "disabled": false, "notes": "DOMPurify wrapped in cleanHtml() helper. Known JS weak spot (js-interproc-safe-001 is an FP); documents whether TS handling matches" }, { "case_id": "ts-safe-008", "file": "typescript/safe/safe_constant_query.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "constant", "no-source" ], "disabled": false, "notes": "Compile-time constant SQL; no user input; should TN" }, { "case_id": "ts-safe-009", "file": "typescript/safe/safe_parameterized.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "parameterized", "sqli", "adversarial-fp" ], "disabled": false, "notes": "Parameterized pg query: SQL string is constant, id flows as $1 
placeholder value. Semantically safe but taint still reaches pool.query call; known Nyx limitation \u2014 positional args aren't distinguished for SQL_QUERY sink" }, { "case_id": "ts-safe-010", "file": "typescript/safe/safe_jsx_text.tsx", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "tsx", "jsx", "auto-escape" ], "disabled": false, "notes": "TSX fixture: user bio rendered as JSX text child. React auto-escapes JSX text so this is semantically safe. Guards against over-flagging JSX expressions now that TSX grammar is wired" }, { "case_id": "cve-py-2023-48022-vulnerable", "file": "cve_corpus/python/CVE-2023-48022/vulnerable.py", "language": "python", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "py.cmdi.os_system" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 31, 31 ] ], "expected_source_lines": [ [ 26, 27 ] ], "tags": [ "cve", "ray", "rce", "flask" ], "disabled": false, "notes": "CVE-2023-48022: Ray dashboard job-submission RCE via shell-interpreted entrypoint in os.system. 
Apache-2.0" }, { "case_id": "cve-py-2023-48022-patched", "file": "cve_corpus/python/CVE-2023-48022/patched.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "py.cmdi.os_system", "py.cmdi.subprocess_shell", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "ray", "patched", "negative" ], "disabled": false, "notes": "CVE-2023-48022 patched counterpart: shlex.split + subprocess.Popen(shell=False); regression guard that Nyx does not refire on the fix" }, { "case_id": "cve-js-2019-14939-vulnerable", "file": "cve_corpus/javascript/CVE-2019-14939/vulnerable.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "code_exec", "cwe": "CWE-94", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "js.code_exec.eval" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 30, 30 ] ], "expected_source_lines": [ [ 23, 25 ] ], "tags": [ "cve", "mongo-express", "rce", "express", "eval" ], "disabled": false, "notes": "CVE-2019-14939: mongo-express /checkValid evaluated req.body.document with eval(); RCE on the admin interface. 
MIT" }, { "case_id": "cve-js-2019-14939-patched", "file": "cve_corpus/javascript/CVE-2019-14939/patched.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "js.code_exec.eval", "js.code_exec.new_function", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "mongo-express", "patched", "negative" ], "disabled": false, "notes": "CVE-2019-14939 patched counterpart: EJSON.parse replaces eval; regression guard that Nyx does not refire on the fix" }, { "case_id": "cve-js-2025-64430-vulnerable", "file": "cve_corpus/javascript/CVE-2025-64430/vulnerable.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "parse-server", "ssrf", "express", "http-get" ], "notes": "CVE-2025-64430: Parse Server file router fetched user-supplied Parse.File _source.uri via http.get, allowing SSRF. 
Apache-2.0" }, { "case_id": "cve-js-2025-64430-patched", "file": "cve_corpus/javascript/CVE-2025-64430/patched.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "parse-server", "patched", "negative" ], "notes": "CVE-2025-64430 patched counterpart: URI-backed file upload removed entirely; no http.get on user input" }, { "case_id": "cve-js-2023-22621-vulnerable", "file": "cve_corpus/javascript/CVE-2023-22621/vulnerable.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "code_exec", "cwe": "CWE-1336", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "strapi", "code_exec", "ssti", "lodash", "template" ], "notes": "CVE-2023-22621: Strapi <=4.5.5 sendTemplatedEmail compiled lodash _.template on attacker-controlled email-template body (admin panel), enabling SSTI -> RCE via <% ... %> evaluate blocks. 
MIT" }, { "case_id": "cve-js-2023-22621-patched", "file": "cve_corpus/javascript/CVE-2023-22621/patched.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "strapi", "patched", "negative" ], "notes": "CVE-2023-22621 patched counterpart: _.template called with { interpolate: <regex missing from this note; see patched.js>, evaluate: false, escape: false } so the lodash evaluate block compiler is disabled." }, { "case_id": "cve-js-2026-42353-vulnerable", "file": "cve_corpus/javascript/CVE-2026-42353/vulnerable.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "i18next-http-middleware", "path_traversal", "ssrf", "ternary-as-value" ], "disabled": false, "notes": "CVE-2026-42353 / GHSA-jfgf-83c5-2c4m: i18next-http-middleware <3.9.3 getResourcesHandler forwards user-controlled lng/ns into i18next.services.backendConnector.load(...) without sanitisation. Paired with i18next-fs-backend the unsanitised values reach readFileSync(filename) (path traversal); paired with i18next-http-backend they reach an outgoing HTTP request URL (SSRF). MIT. Enabled 2026-05-04 after the array-method validator-callback narrowing (`try_array_method_validator_callback_narrowing` in src/taint/ssa_transfer/mod.rs) closed the dual gap that previously made the patched counterpart fire." 
}, { "case_id": "cve-js-2026-42353-patched", "file": "cve_corpus/javascript/CVE-2026-42353/patched.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "i18next-http-middleware", "patched", "negative" ], "disabled": false, "notes": "CVE-2026-42353 patched counterpart: utils.isSafeIdentifier denylist applied via languages.filter(isSafeIdentifier) before forwarding to backend. Enabled 2026-05-04: array-method validator-callback narrowing recognises `.filter()` shapes and strips the receiver-derived caps from the call result." }, { "case_id": "cve-ts-2023-26159-vulnerable", "file": "cve_corpus/typescript/CVE-2023-26159/vulnerable.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 32, 32 ] ], "expected_source_lines": [ [ 27, 28 ] ], "tags": [ "cve", "follow-redirects", "ssrf", "express", "axios" ], "disabled": false, "notes": "CVE-2023-26159: follow-redirects leaked Authorization across cross-origin redirects; caller-side pattern is SSRF via unvalidated user URL into HTTP client. 
MIT" }, { "case_id": "cve-ts-2023-26159-patched", "file": "cve_corpus/typescript/CVE-2023-26159/patched.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "follow-redirects", "patched", "negative" ], "disabled": false, "notes": "CVE-2023-26159 patched counterpart: URL allowlist check guards axios.get; regression guard that Nyx does not refire on the fix" }, { "case_id": "cve-ts-ghsa-4x48-cgf9-q33f-vulnerable", "file": "cve_corpus/typescript/GHSA-4x48-cgf9-q33f/vulnerable.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 51, 51 ] ], "expected_source_lines": [ [ 50, 50 ] ], "tags": [ "cve", "novu", "ssrf", "vulnerable" ], "disabled": false, "notes": "GHSA-4x48-cgf9-q33f: Novu conditions-filter webhook bypassed validateUrlSsrf; raw axios.post(child.webhookUrl) is the cross-function SSRF sink. MIT-licensed libs/application-generic package." 
}, { "case_id": "cve-ts-ghsa-4x48-cgf9-q33f-patched", "file": "cve_corpus/typescript/GHSA-4x48-cgf9-q33f/patched.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "novu", "patched", "negative" ], "disabled": false, "notes": "GHSA-4x48-cgf9-q33f patched: validateUrlSsrf(child.webhookUrl) followed by `if (ssrfError) throw` guards the axios.post call; regression guard for the indirect-validator branch narrowing + summary all_validated propagation." }, { "case_id": "cve-py-2017-18342-vulnerable", "file": "cve_corpus/python/CVE-2017-18342/vulnerable.py", "language": "python", "is_vulnerable": true, "vuln_class": "deserialization", "cwe": "CWE-502", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "py.deser.yaml_load" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 30, 30 ] ], "expected_source_lines": [ [ 26, 26 ] ], "tags": [ "cve", "pyyaml", "deserialization", "flask" ], "disabled": false, "notes": "CVE-2017-18342: PyYAML yaml.load default loader instantiated arbitrary Python objects from !!python/object tags; RCE on any app passing untrusted YAML. 
MIT" }, { "case_id": "cve-py-2017-18342-patched", "file": "cve_corpus/python/CVE-2017-18342/patched.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "py.deser.yaml_load", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "pyyaml", "patched", "negative" ], "disabled": false, "notes": "CVE-2017-18342 patched counterpart: yaml.safe_load replaces yaml.load; regression guard that Nyx does not refire on the fix" }, { "case_id": "cve-py-2025-69662-vulnerable", "file": "cve_corpus/python/CVE-2025-69662/vulnerable.py", "language": "python", "is_vulnerable": true, "vuln_class": "sql_injection", "cwe": "CWE-89", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "py.sqli.text_format" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 43, 44 ] ], "expected_source_lines": [ [ 35, 35 ] ], "tags": [ "cve", "geopandas", "sql_injection", "flask", "sqlalchemy" ], "disabled": false, "notes": "CVE-2025-69662: geopandas to_postgis() interpolated GeoDataFrame's geometry column name into Find_SRID probe via f-string; SQL injection on user-uploaded layer. 
BSD-3-Clause" }, { "case_id": "cve-py-2025-69662-patched", "file": "cve_corpus/python/CVE-2025-69662/patched.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "py.sqli.text_format", "py.sqli.execute_format", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "geopandas", "patched", "negative" ], "disabled": false, "notes": "CVE-2025-69662 patched counterpart: text(...).bindparams() replaces f-string interpolation; regression guard that Nyx does not refire on the fix" }, { "case_id": "cve-py-2026-33626-vulnerable", "file": "cve_corpus/python/CVE-2026-33626/vulnerable.py", "language": "python", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 49, 49 ] ], "expected_source_lines": [ [ 43, 43 ] ], "tags": [ "cve", "lmdeploy", "ssrf", "flask", "requests" ], "disabled": false, "notes": "CVE-2026-33626: LMDeploy vision-language image loader fetched user-supplied URLs via requests.Session().get without private-IP guard; SSRF / cloud-metadata exfil. 
Apache-2.0" }, { "case_id": "cve-py-2026-33626-patched", "file": "cve_corpus/python/CVE-2026-33626/patched.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "lmdeploy", "patched", "negative" ], "disabled": false, "notes": "CVE-2026-33626 patched counterpart: _is_safe_url private-IP allowlist gate replaces scheme-only check; regression guard that Nyx does not refire on the fix" }, { "case_id": "cve-py-2024-23334-vulnerable", "file": "cve_corpus/python/CVE-2024-23334/vulnerable.py", "language": "python", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 61, 61 ] ], "expected_source_lines": [ [ 45, 45 ] ], "tags": [ "cve", "aiohttp", "path-traversal", "positive" ], "disabled": false, "notes": "CVE-2024-23334: aiohttp StaticResource symlink-bypass — relative_to(self._directory) check gated to the non-follow_symlinks arm; FileResponse(filepath) reachable from request.match_info on follow_symlinks=True. 
Apache-2.0" }, { "case_id": "cve-py-2024-23334-patched", "file": "cve_corpus/python/CVE-2024-23334/patched.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "aiohttp", "patched", "negative" ], "disabled": false, "notes": "CVE-2024-23334 patched counterpart: relative_to(self._directory) recognised as a receiver-side FILE_IO validator on both follow_symlinks arms; regression guard that Nyx does not refire on the fix" }, { "case_id": "cve-py-2023-6568-vulnerable", "file": "cve_corpus/python/CVE-2023-6568/vulnerable.py", "language": "python", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-79", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "py.xss.make_response_format" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "LOW", "expected_category": "Security", "expected_sink_lines": [ [ 45, 45 ] ], "expected_source_lines": [ [ 41, 41 ] ], "tags": [ "cve", "mlflow", "xss", "positive" ], "disabled": false, "notes": "CVE-2023-6568: mlflow auth create_user reflected attacker-controlled Content-Type request header into make_response f-string — reflected XSS. 
Apache-2.0" }, { "case_id": "cve-py-2023-6568-patched", "file": "cve_corpus/python/CVE-2023-6568/patched.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "py.xss.make_response_format", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "mlflow", "patched", "negative" ], "disabled": false, "notes": "CVE-2023-6568 patched counterpart: f-string interpolation replaced with static string; no tainted source reaches make_response and the AST f-string trigger is gone, so neither rule fires" }, { "case_id": "cve-py-2024-21513-vulnerable", "file": "cve_corpus/python/CVE-2024-21513/vulnerable.py", "language": "python", "is_vulnerable": true, "vuln_class": "code_exec", "cwe": "CWE-94", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "py.code_exec.eval" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 42, 42 ] ], "expected_source_lines": [], "tags": [ "cve", "langchain", "code-exec", "positive" ], "disabled": false, "notes": "CVE-2024-21513: langchain_experimental VectorSQLDatabaseChain ran every SQL query result through eval() via _try_eval; attacker-controlled DB rows -> RCE. 
MIT" }, { "case_id": "cve-py-2024-21513-patched", "file": "cve_corpus/python/CVE-2024-21513/patched.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "py.code_exec.eval" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "langchain", "patched", "negative" ], "disabled": false, "notes": "CVE-2024-21513 patched counterpart: _try_eval helper deleted and get_result_from_sqldb returns raw result with no eval; py.code_exec.eval silent" }, { "case_id": "cve-php-2017-9841-vulnerable", "file": "cve_corpus/php/CVE-2017-9841/vulnerable.php", "language": "php", "is_vulnerable": true, "vuln_class": "code_exec", "cwe": "CWE-94", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "php.code_exec.eval" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 22, 22 ] ], "expected_source_lines": [ [ 21, 21 ] ], "tags": [ "cve", "phpunit", "rce", "eval", "stdin" ], "disabled": false, "notes": "CVE-2017-9841: PHPUnit Util/PHP/eval-stdin.php fed php://input to eval(); mass-scanned for webshell deployment. 
BSD-3-Clause" }, { "case_id": "cve-php-2017-9841-patched", "file": "cve_corpus/php/CVE-2017-9841/patched.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "php.code_exec.eval", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "phpunit", "patched", "negative" ], "disabled": false, "notes": "CVE-2017-9841 patched counterpart: stub rejects non-CLI SAPI and removes the eval sink entirely; regression guard that Nyx does not refire on the fix" }, { "case_id": "cve-php-2018-15133-vulnerable", "file": "cve_corpus/php/CVE-2018-15133/vulnerable.php", "language": "php", "is_vulnerable": true, "vuln_class": "deserialization", "cwe": "CWE-502", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "php.deser.unserialize" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 26, 26 ] ], "expected_source_lines": [ [ 24, 24 ] ], "tags": [ "cve", "laravel", "deserialization", "cookie" ], "disabled": false, "notes": "CVE-2018-15133: Laravel <= 5.6.29 unserialized a cookie-borne payload without HMAC verification; known gadget chains reached arbitrary code when APP_KEY leaked. 
MIT" }, { "case_id": "cve-php-2018-15133-patched", "file": "cve_corpus/php/CVE-2018-15133/patched.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "php.deser.unserialize", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "laravel", "patched", "negative" ], "disabled": false, "notes": "CVE-2018-15133 patched counterpart: HMAC-verified JSON cookie replaces PHP-serialized payload; regression guard that Nyx does not refire on the fix" }, { "case_id": "cve-php-2026-33486-vulnerable", "file": "cve_corpus/php/CVE-2026-33486/vulnerable.php", "language": "php", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 44, 44 ] ], "expected_source_lines": [ [ 40, 40 ] ], "tags": [ "cve", "roadiz", "ssrf", "lfi" ], "disabled": false, "notes": "CVE-2026-33486: roadiz/documents DownloadedFile::fromUrl passes the URL parameter to fopen() without scheme allowlist or host validation; file:// payloads read host filesystem. 
MIT" }, { "case_id": "cve-php-2026-33486-patched", "file": "cve_corpus/php/CVE-2026-33486/patched.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "roadiz", "patched", "negative" ], "disabled": false, "notes": "CVE-2026-33486 patched counterpart: isSafeRemoteUrl early-return validates scheme/host before fopen; regression guard that Nyx does not refire on the fix" }, { "case_id": "cve-rb-2013-0156-vulnerable", "file": "cve_corpus/ruby/CVE-2013-0156/vulnerable.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "deserialization", "cwe": "CWE-502", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "rb.deser.yaml_load" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 28, 28 ] ], "expected_source_lines": [], "tags": [ "cve", "rails", "deserialization", "params" ], "disabled": false, "notes": "CVE-2013-0156: Rails XML params parser round-tripped tagged YAML through YAML.load, instantiating arbitrary Ruby objects; unauthenticated RCE on every affected Rails app. 
MIT" }, { "case_id": "cve-rb-2013-0156-patched", "file": "cve_corpus/ruby/CVE-2013-0156/patched.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rb.deser.yaml_load", "rb.deser.marshal_load", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "rails", "patched", "negative" ], "disabled": false, "notes": "CVE-2013-0156 patched counterpart: params decoded as JSON, no YAML loader on untrusted input; regression guard that Nyx does not refire on the fix" }, { "case_id": "cve-rb-2020-8130-vulnerable", "file": "cve_corpus/ruby/CVE-2020-8130/vulnerable.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 39, 39 ] ], "expected_source_lines": [], "tags": [ "cve", "rake", "cmdi", "kernel-open" ], "disabled": false, "notes": "CVE-2020-8130: Rake::FileList#egrep opened each filename via Kernel#open, which interprets a leading | as a shell command. Attacker-supplied filenames (build-config / job-runner inputs) thereby achieved arbitrary command execution. Fixed in v12.3.3 by switching to File.open. 
MIT" }, { "case_id": "cve-rb-2020-8130-patched", "file": "cve_corpus/ruby/CVE-2020-8130/patched.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "rake", "patched", "negative" ], "disabled": false, "notes": "CVE-2020-8130 patched counterpart: open(fn, ...) replaced with File.open(fn, ...); File.open never pipes a leading |. Fixture additionally hardcodes the filename + pattern (patched-fix simplification) so the regression guard is class-clean \u2014 see vulnerable.rb header for rationale." }, { "case_id": "cve-rb-2021-21288-vulnerable", "file": "cve_corpus/ruby/CVE-2021-21288/vulnerable.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 64, 64 ] ], "expected_source_lines": [ [ 64, 64 ] ], "tags": [ "cve", "carrierwave", "ssrf", "open-uri" ], "disabled": false, "notes": "CVE-2021-21288: CarrierWave Downloader::Base#download passed an attacker-controlled URL straight into OpenURI.open_uri (only host-normalised via process_uri). open-uri follows redirects without an allowlist, so any uploader exposing a remote_url field reached internal services / cloud metadata / file:// URIs. Fixed in 2.1.1 / 1.3.2 by routing through SsrfFilter.get. 
MIT" }, { "case_id": "cve-rb-2021-21288-patched", "file": "cve_corpus/ruby/CVE-2021-21288/patched.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "carrierwave", "patched", "negative" ], "disabled": false, "notes": "CVE-2021-21288 patched counterpart: OpenURI.open_uri replaced with SsrfFilter.get(uri, ...) which validates the resolved host against private IP ranges before issuing the request. The upstream skip_ssrf_protection? escape hatch (default returns false) is omitted as a patched-fix simplification." }, { "case_id": "cve-rb-2023-38337-vulnerable", "file": "cve_corpus/ruby/CVE-2023-38337/vulnerable.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 76, 80 ] ], "expected_call_site_lines": [ [ 58, 58 ] ], "expected_source_lines": [ [ 54, 54 ] ], "tags": [ "cve", "rswag", "path_traversal", "rack-middleware" ], "notes": "CVE-2023-38337: rswag-api Rack middleware concatenated env['PATH_INFO'] into the swagger root path with no validation; GET /../config/secrets.yml served arbitrary YAML/JSON files. Fixed in 2.10.1 by File.expand_path + start_with? rooted-path check. 
After multi-hop attribution lands (2026-05-10 session 0008 from_chain flag), engine reports the deeper File.read sink at line 76 (load_yaml arm) or line 80 (load_json arm); the call site for parse_file remains at line 58 and is asserted via expected_call_site_lines. MIT" }, { "case_id": "cve-rb-2023-38337-patched", "file": "cve_corpus/ruby/CVE-2023-38337/patched.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "rswag", "patched", "negative" ], "notes": "CVE-2023-38337 patched counterpart: filename = File.expand_path(File.join(root, path)); unless filename.start_with?(root); return reject; end. Stays clean once Nyx recognises the canonicalize+rooted-path pattern." }, { "case_id": "cve-java-2015-7501-vulnerable", "file": "cve_corpus/java/CVE-2015-7501/vulnerable.java", "language": "java", "is_vulnerable": true, "vuln_class": "deserialization", "cwe": "CWE-502", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "java.deser.readobject" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 35, 35 ] ], "expected_source_lines": [ [ 34, 34 ] ], "tags": [ "cve", "commons-collections", "deserialization", "servlet" ], "disabled": false, "notes": "CVE-2015-7501: Apache Commons Collections InvokerTransformer chain drove RCE on any app reading attacker-controlled bytes through ObjectInputStream.readObject. 
Apache-2.0" }, { "case_id": "cve-java-2015-7501-patched", "file": "cve_corpus/java/CVE-2015-7501/patched.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "java.deser.readobject", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "commons-collections", "patched", "negative" ], "disabled": false, "notes": "CVE-2015-7501 patched counterpart: Jackson JSON codec replaces native Java deserialization; no ObjectInputStream on the request path; regression guard" }, { "case_id": "cve-go-2022-30323-vulnerable", "file": "cve_corpus/go/CVE-2022-30323/vulnerable.go", "language": "go", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "go.cmdi.exec_command" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 34, 34 ] ], "expected_source_lines": [ [ 30, 30 ] ], "tags": [ "cve", "go-getter", "cmdi", "git" ], "disabled": false, "notes": "CVE-2022-30323: hashicorp/go-getter forwarded user URLs into `git clone` argv, letting `ext::`/`upload-pack=` aliases reach a shell; affected Terraform, Packer, Nomad, Vault. 
MPL-2.0" }, { "case_id": "cve-go-2022-30323-patched", "file": "cve_corpus/go/CVE-2022-30323/patched.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "go.cmdi.exec_command", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "go-getter", "patched", "negative" ], "disabled": false, "notes": "CVE-2022-30323 patched counterpart: scheme allowlist + in-process go-git clone removes the exec.Command path; regression guard that Nyx does not refire on the fix" }, { "case_id": "cve-go-2023-3188-vulnerable", "file": "cve_corpus/go/CVE-2023-3188/vulnerable.go", "language": "go", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 85, 85 ] ], "expected_source_lines": [ [ 84, 84 ] ], "tags": [ "cve", "owncast", "ssrf", "fediverse" ], "disabled": false, "notes": "CVE-2023-3188: Owncast 0.0.x webfinger SSRF \u2014 `account` parsed off the @-delimited handle reaches `http.DefaultClient.Get(requestURL.String())` with no host validation. Engine detects via cross-function taint flow (handler \u2192 GetWebfingerLinks param 0 \u2192 http.DefaultClient.Get SSRF sink). MIT." 
}, { "case_id": "cve-go-2023-3188-patched", "file": "cve_corpus/go/CVE-2023-3188/patched.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "owncast", "ssrf", "patched", "negative" ], "disabled": false, "notes": "CVE-2023-3188 patched counterpart: `IsHostnameInternal` early-return + redirect-blocked `*http.Client`. Regression guard that Nyx does not refire on the fix; the local-client sink (`client.Get`) is intentionally not on the SSRF matcher list." }, { "case_id": "cve-go-2024-31450-vulnerable", "file": "cve_corpus/go/CVE-2024-31450/vulnerable.go", "language": "go", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 72, 72 ] ], "expected_source_lines": [ [ 64, 64 ] ], "tags": [ "cve", "owncast", "path_traversal", "emoji" ], "disabled": false, "notes": "CVE-2024-31450: Owncast 0.1.2 emoji-delete API joined a body-supplied filename to the emoji directory and called `os.Remove` without `filepath.Base`. Fixed in 0.1.3 with `filepath.IsLocal(targetPath)` early return." 
}, { "case_id": "cve-go-2024-31450-patched", "file": "cve_corpus/go/CVE-2024-31450/patched.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "owncast", "path_traversal", "patched", "negative" ], "disabled": false, "notes": "CVE-2024-31450 patched counterpart: `filepath.IsLocal(targetPath)` early-return. Regression guard." }, { "case_id": "cve-go-2026-41422-vulnerable", "file": "cve_corpus/go/CVE-2026-41422/vulnerable.go", "language": "go", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 46, 46 ] ], "expected_source_lines": [ [ 32, 32 ] ], "tags": [ "cve", "daptin", "sqli", "goqu", "for-range", "gin" ], "disabled": false, "notes": "CVE-2026-41422 / GHSA-rw2c-8rfq-gwfv: daptin /aggregate/:typename endpoint loops `c.QueryArray(\"column\")` into `goqu.L(project)` (raw SQL literal builder). Fixed in v0.11.4 by replacing goqu.L with parseAggExpr (allowlist + typed goqu.I/COUNT/SUM constructors)." 
}, { "case_id": "cve-go-2026-41422-patched", "file": "cve_corpus/go/CVE-2026-41422/patched.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "daptin", "sqli", "goqu", "patched", "negative" ], "disabled": false, "notes": "CVE-2026-41422 patched counterpart: aggregate function allowlist + typed goqu.I/COUNT/SUM constructors. Regression guard." }, { "case_id": "go-ssrf-004", "file": "go/ssrf/ssrf_default_client_get.go", "language": "go", "is_vulnerable": true, "vuln_class": "ssrf", "cwe": "CWE-918", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 13, 13 ] ], "expected_source_lines": [ [ 12, 12 ] ], "tags": [ "ssrf", "default-client", "regression" ], "disabled": false, "notes": "CVE-Hunt session 2 regression: `http.DefaultClient.Get` was not on the Go SSRF matcher list; pin so a future revert can't quietly drop the matcher." 
}, { "case_id": "go-ssrf-safe-002", "file": "go/ssrf/safe_ssrf_default_client_get.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "ssrf", "default-client", "safe", "negative" ], "disabled": false, "notes": "CVE-Hunt session 2 negative pair: hard-coded URL handed to `http.DefaultClient.Get`; new matcher must not over-fire on constant-URL calls." }, { "case_id": "go-path-002", "file": "go/path_traversal/path_traversal_remove.go", "language": "go", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 19, 19 ] ], "expected_source_lines": [ [ 17, 17 ] ], "tags": [ "path-traversal", "os-remove", "regression" ], "disabled": false, "notes": "CVE-Hunt session 2 regression: `os.Remove` and the rest of the mutating-fs family (`os.WriteFile`, `os.RemoveAll`) were missing from the Go FILE_IO matcher list; pin against a future revert." 
}, { "case_id": "go-path-safe-002", "file": "go/path_traversal/safe_path_traversal_remove.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "path-traversal", "os-remove", "safe", "negative" ], "disabled": false, "notes": "CVE-Hunt session 2 negative pair: `filepath.Base` cleanses traversal segments before the join; new os.Remove matcher must not over-fire on cleansed flows." }, { "case_id": "go-path-003", "file": "go/path_traversal/path_traversal_ifinit.go", "language": "go", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 29, 29 ] ], "expected_source_lines": [ [ 27, 27 ] ], "tags": [ "path-traversal", "if-init", "regression" ], "disabled": false, "notes": "CVE-Hunt session 4 regression: tree-sitter `if_statement.initializer` was skipped by the Kind::If CFG arm; side-effecting calls inside `if x := f(); x != 0 { }` were invisible to taint. Pins the lowering fix that maps Owncast CVE-2024-31450's exact init shape." 
}, { "case_id": "go-path-safe-003", "file": "go/path_traversal/safe_path_traversal_ifinit.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "path-traversal", "if-init", "safe", "negative" ], "disabled": false, "notes": "CVE-Hunt session 4 negative pair: same if-init shape as go-path-003, but `filepath.Base` sanitizes the user-controlled name before the os.Remove sink. Verifies the new init lowering doesn't over-fire when the sanitizer dominates." }, { "case_id": "cve-c-2016-3714-vulnerable", "file": "cve_corpus/c/CVE-2016-3714/vulnerable.c", "language": "c", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "c.cmdi.system" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 34, 34 ] ], "expected_source_lines": [], "tags": [ "cve", "imagemagick", "imagetragick", "cmdi" ], "disabled": false, "notes": "CVE-2016-3714 (ImageTragick): ImageMagick delegate policies substituted user-controlled filenames into shell templates passed to system(), enabling unauthenticated RCE via crafted MVG/MSL uploads. 
ImageMagick License" }, { "case_id": "cve-c-2016-3714-patched", "file": "cve_corpus/c/CVE-2016-3714/patched.c", "language": "c", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "c.cmdi.system", "c.cmdi.popen", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "imagemagick", "patched", "negative" ], "disabled": false, "notes": "CVE-2016-3714 patched counterpart: in-process coder + basename check removes the system() path; regression guard that Nyx does not refire on the fix" }, { "case_id": "cve-c-2019-18634-vulnerable", "file": "cve_corpus/c/CVE-2019-18634/vulnerable.c", "language": "c", "is_vulnerable": true, "vuln_class": "memory_safety", "cwe": "CWE-120", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "c.memory.strcpy" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 39, 39 ] ], "expected_source_lines": [], "tags": [ "cve", "sudo", "pwfeedback", "stack-overflow" ], "disabled": false, "notes": "CVE-2019-18634: sudo pwfeedback stack buffer overflow in getln() when a long stdin token spilled past the feedback buffer; local root on Linux/macOS sudoers with pwfeedback enabled. 
ISC" }, { "case_id": "cve-c-2019-18634-patched", "file": "cve_corpus/c/CVE-2019-18634/patched.c", "language": "c", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "c.memory.strcpy", "c.memory.strcat", "c.memory.sprintf", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "sudo", "patched", "negative" ], "disabled": false, "notes": "CVE-2019-18634 patched counterpart: bounded copy routine replaces the strcpy sink; regression guard that Nyx does not refire on the fix" }, { "case_id": "cve-c-2017-1000117-vulnerable", "file": "cve_corpus/c/CVE-2017-1000117/vulnerable.c", "language": "c", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-88", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "c.cmdi.execvp" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 95, 95 ] ], "expected_source_lines": [ [ 95, 95 ] ], "tags": [ "cve", "git", "argv-injection", "cmdi" ], "disabled": false, "notes": "CVE-2017-1000117 (git ssh:// argv injection): pre-2.7.6 git accepted `ssh://-oProxyCommand=...@host/repo` URLs and pushed the URL host as an argv element to ssh, where a leading dash was treated as an option flag. 
GPL-2.0" }, { "case_id": "cve-c-2017-1000117-patched", "file": "cve_corpus/c/CVE-2017-1000117/patched.c", "language": "c", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "c.cmdi.system", "c.cmdi.popen", "c.cmdi.execvp", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "git", "patched", "negative" ], "disabled": false, "notes": "CVE-2017-1000117 patched counterpart: dash-prefix gate added before argv assembly; regression guard that Nyx does not refire on the fix once the deferral lands" }, { "case_id": "cve-cpp-2019-13132-vulnerable", "file": "cve_corpus/cpp/CVE-2019-13132/vulnerable.cpp", "language": "cpp", "is_vulnerable": true, "vuln_class": "memory_safety", "cwe": "CWE-120", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "cpp.memory.strcpy" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 32, 32 ] ], "expected_source_lines": [], "tags": [ "cve", "libzmq", "zmtp", "stack-overflow" ], "disabled": false, "notes": "CVE-2019-13132: ZeroMQ libzmq v2 decoder trusted attacker-supplied metadata length and copied peer bytes into a fixed on-stack buffer, enabling unauthenticated RCE on curve-disabled sockets. 
MPL-2.0" }, { "case_id": "cve-cpp-2019-13132-patched", "file": "cve_corpus/cpp/CVE-2019-13132/patched.cpp", "language": "cpp", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "cpp.memory.strcpy", "cpp.memory.strcat", "cpp.memory.sprintf", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "libzmq", "patched", "negative" ], "disabled": false, "notes": "CVE-2019-13132 patched counterpart: bounded std::string assign + hard cap removes the strcpy sink; regression guard that Nyx does not refire on the fix" }, { "case_id": "cve-cpp-2022-1941-vulnerable", "file": "cve_corpus/cpp/CVE-2022-1941/vulnerable.cpp", "language": "cpp", "is_vulnerable": true, "vuln_class": "memory_safety", "cwe": "CWE-120", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "cpp.memory.strcpy" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 37, 37 ] ], "expected_source_lines": [], "tags": [ "cve", "protobuf", "parse-context", "heap-overflow" ], "disabled": false, "notes": "CVE-2022-1941: Protocol Buffers C++ ParseContext copied unknown-field bytes into a backing buffer without clamping the declared length, causing OOB read/write in any binary decoding untrusted protobufs. 
BSD-3-Clause" }, { "case_id": "cve-cpp-2022-1941-patched", "file": "cve_corpus/cpp/CVE-2022-1941/patched.cpp", "language": "cpp", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "cpp.memory.strcpy", "cpp.memory.strcat", "cpp.memory.sprintf", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "protobuf", "patched", "negative" ], "disabled": false, "notes": "CVE-2022-1941 patched counterpart: bounded std::string assign + MAX_LABEL cap removes the strcpy sink; regression guard that Nyx does not refire on the fix" }, { "case_id": "cve-java-2017-12629-vulnerable", "file": "cve_corpus/java/CVE-2017-12629/vulnerable.java", "language": "java", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "java.cmdi.runtime_exec" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 33, 33 ] ], "expected_source_lines": [ [ 29, 29 ] ], "tags": [ "cve", "solr", "xslt", "rce" ], "disabled": false, "notes": "CVE-2017-12629: Apache Solr XSLT response writer evaluated attacker-supplied stylesheets that reached Runtime.exec via XPath Java-binding extensions; unauthenticated RCE on any exposed Solr node. 
Apache-2.0" }, { "case_id": "cve-java-2017-12629-patched", "file": "cve_corpus/java/CVE-2017-12629/patched.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "java.cmdi.runtime_exec", "java.reflection.class_forname", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "solr", "patched", "negative" ], "disabled": false, "notes": "CVE-2017-12629 patched counterpart: transformer name allowlist + in-process secure TransformerFactory removes the Runtime.exec path; regression guard that Nyx does not refire on the fix" }, { "case_id": "cve-java-2022-1471-vulnerable", "file": "cve_corpus/java/CVE-2022-1471/vulnerable.java", "language": "java", "is_vulnerable": true, "vuln_class": "deserialization", "cwe": "CWE-502", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "java.deser.snakeyaml_unsafe_constructor" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 38, 38 ] ], "expected_source_lines": [ [ 34, 34 ] ], "tags": [ "cve", "snakeyaml", "deserialization", "servlet" ], "disabled": false, "notes": "CVE-2022-1471: SnakeYAML <2.0 default Constructor accepts arbitrary class tags (`!!javax.script.ScriptEngineManager`, `!!java.net.URLClassLoader`, ...) reaching RCE on apps that load attacker-controlled YAML. 
Apache-2.0" }, { "case_id": "cve-java-2022-1471-patched", "file": "cve_corpus/java/CVE-2022-1471/patched.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "java.deser.snakeyaml_unsafe_constructor", "java.deser.readobject", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "snakeyaml", "patched", "negative" ], "disabled": false, "notes": "CVE-2022-1471 patched counterpart: explicit SafeConstructor argument restricts the YAML tag handler set to primitives + standard collections; regression guard that Nyx does not refire on the safe form" }, { "case_id": "cve-java-2022-42889-vulnerable", "file": "cve_corpus/java/CVE-2022-42889/vulnerable.java", "language": "java", "is_vulnerable": true, "vuln_class": "code_exec", "cwe": "CWE-94", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "java.code_exec.text4shell_interpolator" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 40, 40 ] ], "expected_source_lines": [ [ 35, 35 ] ], "tags": [ "cve", "commons-text", "text4shell", "code-exec", "servlet" ], "disabled": false, "notes": "CVE-2022-42889 (Text4Shell): Apache Commons Text 1.5..1.9 StringSubstitutor.createInterpolator() enables script:/dns:/url: lookups; ${script:js:...} reaches the JSR-223 ScriptEngineManager. 
Apache-2.0" }, { "case_id": "cve-java-2022-42889-patched", "file": "cve_corpus/java/CVE-2022-42889/patched.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "java.code_exec.text4shell_interpolator", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "commons-text", "text4shell", "patched", "negative" ], "disabled": false, "notes": "CVE-2022-42889 patched counterpart: substitutor built directly with `new StringSubstitutor()` so the lookup map is empty; ${...} pass-through. No script/dns/url evaluation." }, { "case_id": "cve-java-ghsa-h8cj-hpmg-636v-vulnerable", "file": "cve_corpus/java/GHSA-h8cj-hpmg-636v/vulnerable.java", "language": "java", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 62, 62 ] ], "expected_source_lines": [ [ 43, 43 ] ], "tags": [ "cve", "appsmith", "sqli", "vulnerable" ], "disabled": false, "notes": "GHSA-h8cj-hpmg-636v / Appsmith FilterDataServiceCE.dropTable: tableName from a request flows through `\"DROP TABLE \" + tableName + \";\"` and `executeDbQuery(query)` to `Statement.execute(query)` on the in-memory H2 filter db. 
Apache-2.0" }, { "case_id": "cve-java-ghsa-h8cj-hpmg-636v-patched", "file": "cve_corpus/java/GHSA-h8cj-hpmg-636v/patched.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "appsmith", "sqli", "patched", "negative" ], "disabled": false, "notes": "GHSA-h8cj-hpmg-636v patched counterpart: dropTable now calls validateFilterTempTableName(tableName) which rejects any value that does not match `^tbl_[A-Z]{16}$` via FILTER_TEMP_TABLE_NAME_PATTERN.matcher(tableName).matches(). Regression guard that Nyx recognises the Java Pattern.matcher(value).matches() chain as a regex-allowlist validator and that the helper-summary `validated_params_to_return` lift suppresses the SQL_QUERY flow at the call site." 
}, { "case_id": "rs-auth-001", "file": "rust/auth/actix_scoped_write_missing.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-862", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "rs.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 17, 17 ] ], "expected_source_lines": [ [ 16, 16 ] ], "tags": [ "auth", "actix", "scoped-id", "positive" ], "disabled": false, "notes": "Actix handler mutates `project_service::update(project_id, \u2026)` with a path-bound scoped id, no ownership check" }, { "case_id": "rs-auth-002", "file": "rust/auth/true_positive_missing_check.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-862", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "rs.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 13, 13 ] ], "expected_source_lines": [], "tags": [ "auth", "realtime", "scoped-id", "positive", "phase-a-control" ], "disabled": false, "notes": "Authenticated handler that publishes against a group_id with no membership check \u2014 the positive control for the auth-rule FP-remediation work" }, { "case_id": "rs-auth-003", "file": "rust/auth/row_ownership_no_early_exit.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-862", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "rs.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 28, 28 ] ], "expected_source_lines": [], "tags": [ "auth", 
"row-ownership", "regression-guard", "positive" ], "disabled": false, "notes": "Equality compared but no early exit \u2014 the check is ineffective so the downstream read on doc_id must still flag (A2 regression guard)" }, { "case_id": "rs-auth-101", "file": "rust/auth/hashmap_local_noise.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rs.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "phase-a1", "noise-budget-zero" ], "disabled": false, "notes": "P0: HashMap/HashSet method calls on locally-constructed bindings \u2014 never an authorization decision (Phase A1 fix)" }, { "case_id": "rs-auth-102", "file": "rust/auth/helper_scoped_params.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rs.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "phase-a1", "noise-budget-zero" ], "disabled": false, "notes": "P4 (partial): library helper whose internal work is `result.insert(..)` on a locally-constructed HashSet \u2014 never a sink (Phase A1 fix)" }, { "case_id": "rs-auth-103", "file": "rust/auth/row_ownership_equality.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rs.auth.missing_ownership_check" ], 
"expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "phase-a2", "noise-budget-zero" ], "disabled": false, "notes": "P3: row-level ownership equality (`if owner_id != user.id { return ... }`) covers downstream column reads on the same row (Phase A2 fix)" }, { "case_id": "rs-auth-104", "file": "rust/auth/self_scoped_user.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rs.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "phase-a3", "noise-budget-zero" ], "disabled": false, "notes": "P5: `let user = require_auth(..).await?` binds the actor \u2014 `user.id` is self, not a scoped foreign id (Phase A3 fix)" }, { "case_id": "rs-auth-105", "file": "rust/auth/db_connection_type_inferred.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rs.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "phase-b2", "noise-budget-zero" ], "disabled": false, "notes": "Phase B2: `rusqlite::Connection::open` infers `DatabaseConnection` type via SSA constructor_type; the handler logs only the caller's own id" }, { "case_id": "rs-auth-106", "file": "rust/auth/sql_join_acl.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", 
"expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rs.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "phase-b3", "noise-budget-zero" ], "disabled": false, "notes": "Phase B3: SELECT through `group_members` ACL JOIN with `WHERE gm.user_id = ?1` makes every returned row membership-gated" }, { "case_id": "rs-auth-107", "file": "rust/auth/transitive_helper.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rs.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "phase-b4", "noise-budget-zero" ], "disabled": false, "notes": "Phase B4: `validate_target` helper internally calls `require_membership(group_id, user.id)` \u2014 handler-level call lifts the auth check transparently" }, { "case_id": "rs-auth-108", "file": "rust/auth/row_fetch_then_authorize.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rs.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "phase-a4", "real-repo-precision-2026-04-27", "noise-budget-zero" ], "disabled": false, "notes": "Phase A4: row-level fetch-then-authorize idiom. 
`let community = Community::read(pool, req.community_id)?;` followed by `check_community_user_action(&user, &community, ...)?;` \u2014 the structural recogniser admits the `check_<X>_<Y>_action` shape and the row-fetch exemption back-dates coverage of the read" }, { "case_id": "rs-auth-109", "file": "rust/auth/predicate_role_check.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rs.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "phase-a4", "real-repo-precision-2026-04-27", "noise-budget-zero" ], "disabled": false, "notes": "Phase A4: `is_<X>_or_<Y>` predicate auth shape (lemmy `is_mod_or_admin`). Structural recogniser admits boolean predicate forms when every conjunct is a known auth role" }, { "case_id": "rs-auth-110", "file": "rust/auth/unsafe_row_fetch_no_authz.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-285", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "rs.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "Medium", "expected_category": "Security", "expected_sink_lines": [ [ 24, 25 ] ], "expected_source_lines": [], "tags": [ "auth", "positive", "phase-a4", "real-repo-precision-2026-04-27" ], "disabled": false, "notes": "Phase A4 regression guard: row fetched by user-supplied id without any authorization function naming the resulting row \u2014 the row-fetch exemption must NOT fire" }, { "case_id": "rs-auth-realrepo-006", "file": "rust/auth/safe_row_population_reverse_walk.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": 
"synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rs.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "real-repo-precision-2026-04-27", "noise-budget-zero" ], "disabled": false, "notes": "Row-population reverse-walk: lemmy `community/transfer.rs` shape \u2014 `let community = Community::read(pool, data.community_id); check_community_user_action(&user, &community, ..); CommunityActions::delete_mods_for_community(pool, data.community_id);` \u2014 the auth check on the fetched row must materially cover downstream re-uses of the request id" }, { "case_id": "rs-auth-realrepo-007", "file": "rust/auth/safe_row_fetch_multiline_let.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rs.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "real-repo-precision-2026-04-27", "noise-budget-zero" ], "disabled": false, "notes": "Multi-line `let X =\\n CALL(..)?;` \u2014 `row_population_data` records the call's start line so `op.line` matches and the row-fetch exemption fires (lemmy `comment/lock.rs:31`)" }, { "case_id": "rs-auth-realrepo-008", "file": "rust/auth/unsafe_row_population_no_check.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-285", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "rs.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "High", 
"expected_category": "Security", "expected_sink_lines": [ [ 37, 43 ] ], "expected_source_lines": [], "tags": [ "auth", "positive", "real-repo-precision-2026-04-27" ], "disabled": false, "notes": "Negative counterpart for the row-population reverse-walk: same fetch-then-mutate shape but no auth check on the fetched row \u2014 the reverse-walk has nothing to anchor to and the mutation by id must still flag" }, { "case_id": "rs-safe-014", "file": "rust/safe/safe_option_sanitizer.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-regression", "path-sanitizer", "variant-wrapper" ], "disabled": false, "notes": "Option-returning sanitizer: `sanitize_path(s) -> Option` with match-arm Some-binding extraction. Per-return-path PathFact decomposition + structural variant unwrapping closes the FP." }, { "case_id": "rs-safe-016", "file": "rust/safe/safe_cross_function_dotdot.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-regression", "path-sanitizer", "cross-function" ], "disabled": false, "notes": "Cross-function bool-returning validator with `if !validate(&raw) { return; }` rejection. Per-return-path summary lifts the helper's `dotdot/absolute` narrowing across the call boundary." 
}, { "case_id": "cve-rs-2018-20997-vulnerable", "file": "cve_corpus/rust/CVE-2018-20997/vulnerable.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "cve", "tar-rs", "zip-slip" ], "disabled": false, "notes": "CVE-2018-20997 / RUSTSEC-2018-0003: tar-rs zip-slip vulnerability \u2014 entry path interpolated into File::create without `..` rejection. MIT OR Apache-2.0" }, { "case_id": "cve-rs-2018-20997-patched", "file": "cve_corpus/rust/CVE-2018-20997/patched.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "tar-rs", "patched", "negative" ], "disabled": false, "notes": "CVE-2018-20997 patched counterpart: `sanitize_path` rejects `..` traversal and absolute paths. Regression guard that Nyx does not refire on the fix." 
}, { "case_id": "cve-rs-2022-36113-vulnerable", "file": "cve_corpus/rust/CVE-2022-36113/vulnerable.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "cve", "cargo", "symlink" ], "disabled": false, "notes": "CVE-2022-36113: cargo `.cargo-ok` symlink follow \u2014 crate name interpolated into File::create without separator/dotdot rejection. MIT OR Apache-2.0" }, { "case_id": "cve-rs-2022-36113-patched", "file": "cve_corpus/rust/CVE-2022-36113/patched.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "cargo", "patched", "negative" ], "disabled": false, "notes": "CVE-2022-36113 patched counterpart: `sanitize_crate_name` + `OpenOptions::create_new`. Regression guard that Nyx does not refire on the fix." 
}, { "case_id": "cve-rs-2024-24576-vulnerable", "file": "cve_corpus/rust/CVE-2024-24576/vulnerable.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "cve", "rust-stdlib", "batbadbut" ], "disabled": false, "notes": "CVE-2024-24576 / RUSTSEC-2024-0003: BatBadBut \u2014 argument injection into Windows .bat via `Command::new(...).arg`. MIT OR Apache-2.0" }, { "case_id": "cve-rs-2024-24576-patched", "file": "cve_corpus/rust/CVE-2024-24576/patched.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "rust-stdlib", "patched", "negative" ], "disabled": false, "notes": "CVE-2024-24576 patched counterpart: cmd.exe-aware allowlist filters argv before reaching update.bat. Regression guard that Nyx does not refire on the fix." 
}, { "case_id": "cve-rs-2023-42456-vulnerable", "file": "cve_corpus/rust/CVE-2023-42456/vulnerable.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "path_traversal", "cwe": "CWE-22", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "cve", "sudo-rs", "path-traversal" ], "disabled": false, "notes": "CVE-2023-42456 / RUSTSEC-2023-0069: sudo-rs SessionRecordFile::open_for_user pushed an untrusted username into a PathBuf, letting a local attacker with a `../../bin/cp`-style username corrupt files. Apache-2.0" }, { "case_id": "cve-rs-2023-42456-patched", "file": "cve_corpus/rust/CVE-2023-42456/patched.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "sudo-rs", "patched", "negative" ], "disabled": false, "notes": "CVE-2023-42456 patched counterpart: open_for_user takes UserId (u32) instead of &str, so the path component is provably digits-only and cannot contain `..` or `/`. Regression guard for the type-only FILE_IO suppression." 
}, { "case_id": "cve-rs-2024-32884-vulnerable", "file": "cve_corpus/rust/CVE-2024-32884/vulnerable.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "cve", "gitoxide", "ssh-option-smuggling" ], "disabled": false, "notes": "CVE-2024-32884 / RUSTSEC-2024-0335: gix-transport SSH program invocation built `format!(\"{user}@{host}\")` and fed the result to ssh's argv, so a `ssh://-Fattackerconfig@host/path` URL smuggled `-F` onto ssh's CLI. Apache-2.0 OR MIT" }, { "case_id": "cve-rs-2024-32884-patched", "file": "cve_corpus/rust/CVE-2024-32884/patched.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "gitoxide", "patched", "negative" ], "disabled": false, "notes": "CVE-2024-32884 patched counterpart: sanitize_shell rejects host/user components beginning with `-` before they reach ssh's argv (mirrors gix-url::host_argument_safe). Regression guard." 
}, { "case_id": "cve-rs-2025-53549-vulnerable", "file": "cve_corpus/rust/CVE-2025-53549/vulnerable.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "sql_injection", "cwe": "CWE-89", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "cve", "matrix-rust-sdk", "sql-injection" ], "disabled": false, "notes": "CVE-2025-53549 / RUSTSEC-2025-0043: matrix-sdk-sqlite SqliteEventCacheStore::find_event_with_relations interpolated relation-type filter strings into a format!()'d SQL query via hand-rolled `\"f\"` quoting, letting any room member inject SQL through the relation type. Apache-2.0" }, { "case_id": "cve-rs-2025-53549-patched", "file": "cve_corpus/rust/CVE-2025-53549/patched.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "matrix-rust-sdk", "patched", "negative" ], "disabled": false, "notes": "CVE-2025-53549 patched counterpart: filters bind through params_from_iter to `?` placeholders rather than format!()-spliced bytes. Regression guard." 
}, { "case_id": "py-safe-014", "file": "python/safe/safe_direct_path_sanitizer.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "direct-return" ], "disabled": false, "notes": "Python equivalent of rs-safe-014: direct-return sanitiser with `\"..\" in s` / `s.startswith(...)` rejection chain returning empty string." }, { "case_id": "py-safe-relative-to-validator", "file": "python/safe/safe_relative_to_validator.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "path-validator", "relative-to", "receiver-side" ], "disabled": false, "notes": "Pathlib relative_to(base) raise-on-escape pattern recognised as a receiver-side FILE_IO validator; canonical Python path-containment idiom (CVE-2024-23334 patched fixture)" }, { "case_id": "py-safe-022", "file": "python/safe/safe_canonicalise_rooted_startswith.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ 
"pathfact-cross-language", "path-sanitizer", "canonicalise-and-rooted", "opaque-prefix-lock", "negated-form" ], "disabled": false, "notes": "Pins `os.path.realpath` + `if not target.startswith()` shape (rswag CVE-2023-38337 sibling). Combined dotdot=No (from realpath) + opaque PrefixLock (from non-literal startswith guard) suppresses FILE_IO under is_path_traversal_safe with the negated-form polarity flip." }, { "case_id": "py-safe-016", "file": "python/safe/safe_cross_function_dotdot.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "cross-function" ], "disabled": false, "notes": "Python equivalent of rs-safe-016: cross-function bool-returning validator with `if not validate(raw): return` rejection." }, { "case_id": "js-safe-014", "file": "javascript/safe/safe_direct_path_sanitizer.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "direct-return" ], "disabled": false, "notes": "JS direct-return sanitiser. Standalone `nyx scan --index off` is clean, but the benchmark harness (single-thread + state/auth analysis enabled) reproduces a FP \u2014 diverges from production scan path. Disabled until benchmark/binary parity is re-established." 
}, { "case_id": "js-safe-021", "file": "javascript/safe/safe_canonicalise_rooted_startsWith.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "canonicalise-and-rooted", "opaque-prefix-lock", "negated-form" ], "disabled": false, "notes": "Pins `path.resolve` + `if (!target.startsWith())` shape (rswag CVE-2023-38337 sibling). Combined dotdot=No (from path.resolve) + opaque PrefixLock (from non-literal startsWith guard) suppresses FILE_IO under is_path_traversal_safe with the negated-form polarity flip." }, { "case_id": "js-safe-022", "file": "javascript/safe/safe_env_empty_fallback.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "js.secrets.fallback_secret" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "secrets", "empty-fallback", "real-repo-precision-2026-05-01" ], "disabled": false, "notes": "Empty-string fallback (`process.env.X || \"\"`) is not a hardcoded secret. JS counterpart of ts-safe-020. Engine fix: pattern-level regex (#match? @fallback \"[^\\\"']\") in src/patterns/javascript.rs." 
}, { "case_id": "ts-safe-014", "file": "typescript/safe/safe_direct_path_sanitizer.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "direct-return" ], "disabled": false, "notes": "TypeScript equivalent of rs-safe-014: direct-return sanitiser with `s.includes('..')` / `s.startsWith(...)` rejection." }, { "case_id": "go-safe-015", "file": "go/safe/safe_tuple_path_sanitizer.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "tuple-return" ], "disabled": false, "notes": "Go tuple-returning sanitiser. Standalone scan is clean; benchmark harness (single-thread, state/auth) reports FP. Disabled pending parity investigation." 
}, { "case_id": "go-safe-016", "file": "go/safe/safe_cross_function_dotdot.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "cross-function" ], "disabled": false, "notes": "Go cross-function validator. Standalone scan clean; benchmark harness reports FP. Disabled pending parity investigation." }, { "case_id": "java-safe-014", "file": "java/safe/SafeDirectPathSanitizer.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "direct-return" ], "disabled": false, "notes": "Java equivalent of rs-safe-014: direct-return sanitiser with `.contains` / `.startsWith` rejection." 
}, { "case_id": "java-safe-015", "file": "java/safe/SafeOptionalPathSanitizer.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "optional-return" ], "disabled": false, "notes": "Java equivalent of rs-safe-014: `Optional`-returning sanitiser with `Optional.empty()` failure sentinel." }, { "case_id": "java-safe-016", "file": "java/safe/SafeCrossFunctionDotdot.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "cross-function" ], "disabled": false, "notes": "Java equivalent of rs-safe-016: cross-function bool-returning validator with `if (!validate(...)) return` rejection." 
}, { "case_id": "rb-safe-014", "file": "ruby/safe/safe_direct_path_sanitizer.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "direct-return" ], "disabled": false, "notes": "Ruby equivalent of rs-safe-014: direct-return sanitiser with `include?` / `start_with?` rejection." }, { "case_id": "rb-safe-021", "file": "ruby/safe/safe_canonicalise_rooted_unless.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "canonicalise-and-rooted", "opaque-prefix-lock" ], "disabled": false, "notes": "Pins `File.expand_path` + `unless filename.start_with? ` shape (rswag CVE-2023-38337 patched). Combined dotdot=No (from expand_path) + opaque PrefixLock (from non-literal start_with? guard) suppresses FILE_IO under is_path_traversal_safe." 
}, { "case_id": "rb-safe-015", "file": "ruby/safe/safe_nil_path_sanitizer.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "nil-sentinel" ], "disabled": false, "notes": "Ruby equivalent of rs-safe-014 with explicit nil failure sentinel." }, { "case_id": "rb-safe-016", "file": "ruby/safe/safe_cross_function_dotdot.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "cross-function" ], "disabled": false, "notes": "Ruby equivalent of rs-safe-016: cross-function bool-returning validator with `return unless validate(...)` rejection." 
}, { "case_id": "php-safe-014", "file": "php/safe/safe_direct_path_sanitizer.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "direct-return" ], "disabled": false, "notes": "PHP equivalent of rs-safe-014: direct-return sanitiser with `strpos !== false` / leading-char rejection." }, { "case_id": "php-safe-015", "file": "php/safe/safe_nullable_path_sanitizer.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "nullable-return" ], "disabled": false, "notes": "PHP equivalent of rs-safe-014: `?string` nullable-returning sanitiser with explicit null failure sentinel." 
}, { "case_id": "php-safe-016", "file": "php/safe/safe_cross_function_dotdot.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "cross-function" ], "disabled": false, "notes": "PHP equivalent of rs-safe-016: cross-function bool-returning validator." }, { "case_id": "php-safe-017", "file": "php/safe/safe_unserialize_allowed_classes.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-502", "provenance": "real-repo-precision-2026-04-28", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "php.deser.unserialize", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "real-repo-precision-2026-04-28", "unserialize", "allowed_classes" ], "disabled": false, "notes": "PHP 7+ structural mitigation against object injection \u2014 unserialize($x, ['allowed_classes' => ...]) with false / array literal / class constant must not fire php.deser.unserialize. Distilled from nextcloud lib/private/Profiler/FileProfilerStorage.php and apps/dav CustomPropertiesBackend." 
}, { "case_id": "php-safe-018", "file": "php/safe/safe_include_param_passthrough.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-98", "provenance": "real-repo-precision-2026-04-28", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "php.path.include_variable", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "real-repo-precision-2026-04-28", "include", "param-passthrough", "autoloader" ], "disabled": false, "notes": "Composer-style autoloader: closure / method takes a file path parameter and `include`s it. Pattern rule is heuristic without taint and over-fires; suppress when included variable is a formal parameter of the immediately enclosing function with no reassignment. Distilled from nextcloud composer/ClassLoader.php (32 copies), Router.php, Installer.php, Template/Base.php." }, { "case_id": "php-safe-019", "file": "php/safe/safe_md5_sha1_non_crypto_use.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-327", "provenance": "real-repo-precision-2026-05-01", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "php.crypto.md5", "php.crypto.sha1" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "real-repo-precision-2026-05-01", "weak-hash", "non-crypto-use", "etag", "cache-key" ], "disabled": false, "notes": "md5() / sha1() pervasively used for non-cryptographic purposes \u2014 ETag generation, cache-key / array-index hashing, dedup fingerprints, content-addressed identifier derivation. 
Layer F suppression recognises the consuming context (variable LHS, member-access LHS, subscript LHS, array element key, lookup-verb argument, return-from-method, hash-as-index) and suppresses the php.crypto.md5 / php.crypto.sha1 findings. Distilled from nextcloud apps/dav CalDavBackend, contactsinteraction Card, Files/Cache, theming Util / CommonThemeTrait, encryption KeyManager; phpmyadmin src/Controllers/Database/StructureController, Controllers/Table/{RelationController, SearchController, ZoomSearchController}, src/Display/Results, Database/MultiTableQuery, Favorites/RecentFavoriteTables." }, { "case_id": "php-crypto-001", "file": "php/crypto/crypto_md5_password_hash.php", "language": "php", "is_vulnerable": true, "vuln_class": "crypto", "cwe": "CWE-327", "provenance": "real-repo-precision-2026-05-01", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "php.crypto.md5", "php.crypto.sha1" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "real-repo-precision-2026-05-01", "weak-hash", "credential-storage" ], "disabled": false, "notes": "Vulnerable counterpart to php-safe-019: md5 / sha1 used to store / sign / digest credentials, tokens, signatures. Consumer names contain crypto-keyword substrings (`password`, `token`, `signature`, `pw_hash`, `digest`) so Layer F suppression does not apply and php.crypto.md5 / php.crypto.sha1 still fire." 
}, { "case_id": "php-safe-020", "file": "php/safe/safe_serializable_magic_method_unserialize.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-502", "provenance": "real-repo-precision-2026-05-03", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "php.deser.unserialize", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "real-repo-precision-2026-05-03", "unserialize", "serializable", "magic-method" ], "disabled": false, "notes": "Serializable::unserialize($input) magic-method body — the legacy PHP Serializable interface contract (deprecated since PHP 8.1). PHP itself drives invocation; the body's \\unserialize($x) call is part of the deserialization machinery and cannot be removed without breaking the interface. Distilled from joomla/administrator/components/com_finder/src/Indexer/Result.php:488 + libraries/src/Input/{Cli,Input}.php." }, { "case_id": "php-deser-003", "file": "php/deser/deser_unserialize_method_named_unserialize_with_user_input.php", "language": "php", "is_vulnerable": true, "vuln_class": "deser", "cwe": "CWE-502", "provenance": "real-repo-precision-2026-05-03", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "php.deser.unserialize" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "real-repo-precision-2026-05-03", "unserialize", "magic-method-name-only", "recall-guard" ], "disabled": false, "notes": "Recall guard for the Serializable magic-method recogniser. 
Method is named `unserialize` but (a) calls \\unserialize on user input from $_GET, not the formal parameter, OR (b) wraps the parameter in trim() before passing it through. The recogniser deliberately requires bare-parameter pass-through, so both shapes must keep firing." }, { "case_id": "c-safe-014", "file": "c/safe/safe_direct_path_sanitizer.c", "language": "c", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "direct-return" ], "disabled": false, "notes": "C direct-return sanitiser. Standalone scan clean; benchmark harness reports FP. Disabled pending parity investigation (Preview-tier C scanning is best-effort already)." }, { "case_id": "c-safe-015", "file": "c/safe/safe_status_code_sanitizer.c", "language": "c", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "status-code" ], "disabled": false, "notes": "C status-code idiom sanitiser. Standalone scan clean; benchmark harness reports FP. Disabled." 
}, { "case_id": "c-safe-016", "file": "c/safe/safe_cross_function_dotdot.c", "language": "c", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "cross-function" ], "disabled": false, "notes": "C cross-function validator. Standalone scan clean; benchmark harness reports FP. Disabled." }, { "case_id": "c-safe-017", "file": "c/safe/safe_strcpy_literal_src.c", "language": "c", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-120", "provenance": "real-repo-precision-2026-04-28", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "c.memory.strcpy", "c.memory.strcat" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "literal-source", "ternary-literal", "real-repo-precision-2026-04-28" ], "disabled": false, "notes": "Postgres `pg_prewarm/autoprewarm.c` + `formatting.c::DCH_a_m` shape \u2014 strcpy/strcat with string-literal or ternary-of-literals source. Layer D suppression (src/ast.rs::is_c_buffer_call_literal_safe)." 
}, { "case_id": "c-safe-018", "file": "c/safe/safe_sprintf_bounded_format.c", "language": "c", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-120", "provenance": "real-repo-precision-2026-04-28", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "c.memory.sprintf" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "bounded-format", "real-repo-precision-2026-04-28" ], "disabled": false, "notes": "Postgres `datetime.c::EncodeDateTime` shape \u2014 sprintf with literal format string containing only width/precision-bounded specifiers. Layer D suppression." }, { "case_id": "c-safe-realrepo-019", "file": "c/safe/safe_struct_field_subbuffer_alloc.c", "language": "c", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real-repo-precision-2026-05-03", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "state-resource-leak", "state-resource-leak-possible", "cfg-resource-leak" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "resource-lifecycle", "negative", "real-repo-precision-2026-05-03" ], "disabled": false, "notes": "curl/lib/dynhds.c::entry_new shape \u2014 sub-buffer alias `e->name = (char*)e + sizeof(*e)` and local-into-field ownership transfer `m->buf = ptr`. Field-LHS in apply_assignment moves the RHS to MOVED but does not seed the field as a separately-tracked resource. Engine fix: src/state/transfer.rs::apply_assignment SAFE-FOR-FIELD-LHS gate. Closes the dominant `state-resource-leak` FP cluster on curl/openssl/postgres/git (~165 findings across 6 repos)." 
}, { "case_id": "c-vuln-realrepo-019", "file": "c/safe/vuln_local_leak_no_field_assign.c", "language": "c", "is_vulnerable": true, "vuln_class": "resource", "cwe": "CWE-401", "provenance": "real-repo-precision-2026-05-03", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "state-resource-leak" ], "allowed_alternative_rule_ids": [ "cfg-resource-leak" ], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "resource-lifecycle", "leak", "real-repo-precision-2026-05-03" ], "disabled": false, "notes": "Recall guard for the apply_assignment field-LHS gate. Plain local-to-local alias copy (`char *cursor = buf;`) without field-LHS must still flag a leak when the resource never reaches a release call or out-parameter." }, { "case_id": "cpp-safe-014", "file": "cpp/safe/safe_direct_path_sanitizer.cpp", "language": "cpp", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "direct-return" ], "disabled": false, "notes": "C++ equivalent of rs-safe-014: direct-return sanitiser using std::string::find." 
}, { "case_id": "cpp-safe-015", "file": "cpp/safe/safe_optional_path_sanitizer.cpp", "language": "cpp", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "optional-return" ], "disabled": false, "notes": "C++ equivalent of rs-safe-014: `std::optional`-returning sanitiser." }, { "case_id": "cpp-safe-016", "file": "cpp/safe/safe_cross_function_dotdot.cpp", "language": "cpp", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "cross-function" ], "disabled": false, "notes": "C++ equivalent of rs-safe-016: cross-function bool-returning validator." }, { "case_id": "py-safe-015", "file": "python/safe/safe_optional_path_sanitizer.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "optional-sentinel" ], "disabled": false, "notes": "Python `Optional[str]`-returning sanitiser with None failure sentinel. 
Disabled: per-language non-data-return propagation through Optional unwrap is incomplete; deferred follow-up." }, { "case_id": "go-safe-014", "file": "go/safe/safe_direct_path_sanitizer.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "direct-return" ], "disabled": false, "notes": "Go direct-return sanitiser; tuple-returning go-safe-015 is the language-natural form which fires clean. Direct form deferred (helper return-fact join not yet wired for Go)." }, { "case_id": "js-safe-015", "file": "javascript/safe/safe_null_path_sanitizer.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "null-sentinel" ], "disabled": false, "notes": "JS null-returning sanitiser; deferred while the JS two-level solver per-return-path summary lifting is being completed." 
}, { "case_id": "js-safe-016", "file": "javascript/safe/safe_cross_function_dotdot.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "cross-function" ], "disabled": false, "notes": "JS cross-function bool validator; per-language helper-summary lifting for the bool-returning helper shape is deferred." }, { "case_id": "ts-safe-015", "file": "typescript/safe/safe_null_path_sanitizer.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "null-sentinel" ], "disabled": false, "notes": "TS nullable-returning sanitiser; deferred \u2014 same reason as js-safe-015." 
}, { "case_id": "ts-safe-016", "file": "typescript/safe/safe_cross_function_dotdot.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": null, "expected_source_lines": null, "tags": [ "pathfact-cross-language", "path-sanitizer", "cross-function" ], "disabled": false, "notes": "TS cross-function bool validator; deferred \u2014 same reason as js-safe-016." }, { "case_id": "ts-safe-017", "file": "typescript/safe/safe_strapi_db_query_chain.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-89", "provenance": "real-repo-distilled", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "cfg-unguarded-sink", "taint-unsanitised-flow" ], "expected_severity": "NONE", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "real-repo-precision-2026-04-29", "strapi", "orm-chain" ], "disabled": false, "notes": "Strapi-style ORM accessor: `.db.query(MODEL_UID).<method>(...)`; the `db.query` call's literal model UID + the ORM-method outer chain (findOne/findMany/create/update/delete/count) prove the chain is parameterised. Synthesised same-node Sanitizer(SQL_QUERY) suppresses cfg-unguarded-sink and taint-unsanitised-flow." 
}, { "case_id": "ts-safe-018", "file": "typescript/safe/safe_indirect_validator.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow", "cfg-unguarded-sink" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "indirect-validator", "ssrf", "negative" ], "disabled": false, "notes": "Indirect-validator branch narrowing \u2014 `const err = validateUrlSsrf(target); if (err) throw \u2026;` should suppress the downstream axios.get sink. Pinned by tests/lib::indirect_validator_narrowing_marks_arg_validated." }, { "case_id": "ts-safe-019", "file": "typescript/safe/safe_helper_with_validator.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "helper-summary", "ssrf", "negative" ], "disabled": false, "notes": "Helper-summary all_validated propagation \u2014 when a helper's body validates the param via `validateXxx`, the per-param probe's all_validated event should be skipped during summary extraction so callers don't refire the cross-fn SSRF. Pinned by tests/lib::helper_with_validator_does_not_propagate_to_caller_via_summary." 
}, { "case_id": "ts-safe-020", "file": "typescript/safe/safe_env_empty_fallback.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "ts.secrets.fallback_secret" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "secrets", "empty-fallback", "real-repo-precision-2026-05-01" ], "disabled": false, "notes": "Empty-string fallback (`process.env.X || \"\"`) is not a hardcoded secret. Distilled from cal.com apps/api/v2/src/modules/stripe/utils/newStripeInstance.ts and ~30 sibling cal.com calendar/stripe/sendgrid integration files. Engine fix: pattern-level regex (#match? @fallback \"[^\\\"']\") in src/patterns/typescript.rs." }, { "case_id": "ts-safe-021", "file": "typescript/safe/safe_validated_helper_chain.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "validated-flow", "helper-validator", "summary-propagation", "cve-2026-25544" ], "disabled": false, "notes": "Validated-flow propagation through helper chains. `sanitize` validates its first parameter via a regex allowlist; `buildQuery` interpolates the sanitised result into a SQL fragment; the handler hands the fragment to `db.execute`. Pinned by `SsaFuncSummary::validated_params_to_return` + `propagate_validated_params_to_return` (CVE-2026-25544 deep fix)." 
}, { "case_id": "ts-safe-022", "file": "typescript/safe/safe_jest_test_callback_no_handler.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "jest", "arrow-no-formals", "closure-capture", "auto-seed-precision", "real-repo-precision-2026-05-03" ], "disabled": false, "notes": "Jest-style nested arrow callbacks (`describe('…', () => { it('…', async () => { const body = await res.json(); … }) })`) bubble inner-scope free vars (`body`, `userId`, `server.post`) up to the outer arrow as synthetic Params. Before the fix, JS/TS auto-seed treated every Param whose var_name matched a handler-name (`userId`) as a real formal of the outer arrow and seeded it as `Source(UserInput)`, producing 934 phantom `taint-unsanitised-flow` findings on outline alone. Engine fix: `lower_to_ssa_with_params` now signals `with_params=true` to `lower_to_ssa_inner`, which makes the synthetic-externals classifier always exclude formals (even when the formal list is empty, e.g. arrow `() => {…}`) — bubbled-up free vars become synthetic and the auto-seed pass skips them. Distilled from outline server/routes/api/comments/comments.test.ts." 
}, { "case_id": "ts-sqli-realrepo-arrow-002", "file": "typescript/sqli/sqli_arrow_handler_param.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "analogue", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [ "cfg-unguarded-sink" ], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [[8, 8]], "expected_source_lines": [[7, 7]], "tags": [ "sqli", "arrow-handler", "auto-seed-positive", "real-repo-precision-2026-05-03" ], "disabled": false, "notes": "Arrow with REAL handler-named formal (`userId`) MUST still auto-seed and trigger taint flow into `db.exec(\"… ${userId}\")`. Pins the auto-seed positive path so the FP fix in ts-safe-022 does not over-suppress real handlers." }, { "case_id": "js-safe-jest-callback-001", "file": "javascript/safe/safe_jest_test_callback_no_handler.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "jest", "arrow-no-formals", "closure-capture", "auto-seed-precision", "real-repo-precision-2026-05-03" ], "disabled": false, "notes": "JavaScript counterpart of ts-safe-022. Same Jest-style nested arrow callback shape, ensures the auto-seed precision fix applies to .js files too (auto_seed_handler_params is on for both Lang::JavaScript and Lang::TypeScript)." 
}, { "case_id": "py-auth-decorator-001", "file": "python/safe/safe_login_required_decorator.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-862", "provenance": "synthetic", "equivalence_tier": "analogue", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "state-unauthed-access", "cfg-auth-gap", "taint-unsanitised-flow" ], "expected_severity": "NONE", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "precision-2026-04-25" ], "disabled": false, "notes": "Flask @login_required decorator must suppress auth findings" }, { "case_id": "py-auth-decorator-vuln-001", "file": "python/auth/vuln_no_auth_decorator.py", "language": "python", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-862", "provenance": "synthetic", "equivalence_tier": "analogue", "match_mode": "rule_match", "expected_rule_ids": [ "cfg-auth-gap" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 11, 11 ] ], "expected_source_lines": [ [ 8, 8 ] ], "tags": [ "precision-2026-04-25" ], "disabled": false, "notes": "Same shape but missing decorator \u2014 auth-gap fires" }, { "case_id": "java-preauth-001", "file": "java/auth/SafePreAuthorize.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-862", "provenance": "synthetic", "equivalence_tier": "analogue", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "state-unauthed-access", "cfg-auth-gap", "taint-unsanitised-flow" ], "expected_severity": "NONE", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "precision-2026-04-25" ], "disabled": false, "notes": "Spring @PreAuthorize annotation must suppress auth findings" }, { "case_id": "java-preauth-vuln-001", "file": 
"java/auth/VulnNoPreAuthorize.java", "language": "java", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "analogue", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 13, 13 ] ], "expected_source_lines": [ [ 11, 11 ] ], "tags": [ "precision-2026-04-25" ], "disabled": false, "notes": "Servlet doGet without auth \u2014 taint flow fires" }, { "case_id": "php-isgranted-001", "file": "php/auth/safe_isgranted.php", "language": "php", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-862", "provenance": "synthetic", "equivalence_tier": "analogue", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "state-unauthed-access", "cfg-auth-gap", "taint-unsanitised-flow" ], "expected_severity": "NONE", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "precision-2026-04-25" ], "disabled": false, "notes": "Symfony #[IsGranted] attribute must suppress auth findings" }, { "case_id": "php-isgranted-vuln-001", "file": "php/auth/vuln_no_isgranted.php", "language": "php", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "analogue", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 7, 7 ] ], "expected_source_lines": [ [ 6, 6 ] ], "tags": [ "precision-2026-04-25" ], "disabled": false, "notes": "Top-level handler without IsGranted \u2014 taint flow fires" }, { "case_id": "ruby-before-action-001", "file": "ruby/auth/safe_before_action.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": 
"safe", "cwe": "CWE-862", "provenance": "synthetic", "equivalence_tier": "analogue", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "state-unauthed-access", "cfg-auth-gap", "taint-unsanitised-flow" ], "expected_severity": "NONE", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "precision-2026-04-25" ], "disabled": false, "notes": "Rails before_action :authenticate_user must suppress auth findings" }, { "case_id": "js-allowlist-dispatch-001", "file": "javascript/safe/safe_switch_dispatch.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "analogue", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow", "state-unauthed-access" ], "expected_severity": "NONE", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "precision-2026-04-25" ], "disabled": false, "notes": "Allowlist-then-exec pattern \u2014 engine must recognise membership check" }, { "case_id": "ts-iife-closure-001", "file": "typescript/safe/safe_iife_closure_sanitizer.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "analogue", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": "NONE", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "precision-2026-04-25" ], "disabled": false, "notes": "IIFE wrapper around handler with encodeURIComponent \u2014 must be cleared" }, { "case_id": "ts-iife-closure-vuln-001", "file": "typescript/xss/vuln_iife_closure_no_sanitizer.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": 
"xss", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "analogue", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 16, 16 ] ], "expected_source_lines": [ [ 14, 14 ] ], "tags": [ "precision-2026-04-25" ], "disabled": false, "notes": "IIFE wrapper without sanitizer \u2014 taint must propagate through closure" }, { "case_id": "py-validator-sentinel-001", "file": "python/safe/safe_validator_sentinel.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-22", "provenance": "synthetic", "equivalence_tier": "analogue", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow", "state-unauthed-access", "cfg-auth-gap" ], "expected_severity": "NONE", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "precision-2026-04-25" ], "disabled": false, "notes": "Cross-fn validator with empty-string sentinel + decorator" }, { "case_id": "py-validator-sentinel-vuln-001", "file": "python/sqli/vuln_validator_sentinel_bypass.py", "language": "python", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "synthetic", "equivalence_tier": "analogue", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 22, 22 ] ], "expected_source_lines": [ [ 17, 17 ] ], "tags": [ "precision-2026-04-25" ], "disabled": false, "notes": "Same shape with inverted sentinel check \u2014 SQLi fires" }, { "case_id": "py-context-sanitize-001", "file": "python/safe/safe_with_context_sanitize.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": 
"CWE-22", "provenance": "synthetic", "equivalence_tier": "analogue", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow", "state-unauthed-access", "cfg-auth-gap" ], "expected_severity": "NONE", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "precision-2026-04-25" ], "disabled": false, "notes": "with-block resource around sanitised path read + decorator auth" }, { "case_id": "js-destructure-sanitize-001", "file": "javascript/safe/safe_object_destructure_sanitize.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "analogue", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": "NONE", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "precision-2026-04-25" ], "disabled": false, "notes": "Destructured field flows through encodeURIComponent before HTML sink" }, { "case_id": "js-destructure-vuln-001", "file": "javascript/xss/vuln_object_destructure_no_sanitize.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "xss", "cwe": "CWE-79", "provenance": "synthetic", "equivalence_tier": "analogue", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 10, 10 ] ], "expected_source_lines": [ [ 8, 8 ] ], "tags": [ "precision-2026-04-25" ], "disabled": false, "notes": "Destructured field straight into template-literal HTML sink" }, { "case_id": "rs-auth-realrepo-001", "file": "rust/auth/self_actor_uid_copy.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": 
"synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rs.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "real-repo-precision-2026-04-25" ], "disabled": false, "notes": "`let user = match require_auth() { Ok(u) => u, ... }; let uid = user.id; query(.., &[uid])` \u2014 transitive copy of self-actor id (website/handlers/accounts.rs)" }, { "case_id": "rs-auth-realrepo-002", "file": "rust/auth/require_resource_role_helper.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rs.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "real-repo-precision-2026-04-25" ], "disabled": false, "notes": "`require_trip_member(..)` recognised structurally as `require__` (website/handlers/activities.rs)" }, { "case_id": "rs-auth-realrepo-003", "file": "rust/auth/self_publish_email.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rs.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "real-repo-precision-2026-04-25" ], "disabled": false, "notes": "`realtime::publish_to_user(&user.email, ..)` \u2014 self-channel publish with email as self-identity field (website/handlers/social.rs)" }, { "case_id": 
"rs-auth-typed-extractors-001", "file": "rust/auth/safe_typed_path_int_extractor.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rs.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "typed-extractors-2026-04-25" ], "disabled": false, "notes": "Phase 5: Axum `Path` is a framework-validated numeric extractor; the parameter cannot carry an injection payload nor bypass ownership, so the rule must not flag." }, { "case_id": "rs-auth-dto-int-field-001", "file": "rust/auth/safe_dto_int_field_axum.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rs.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "typed-extractors-phase6-2026-04-25" ], "disabled": false, "notes": "Phase 6: Axum `Json` whose `doc_id` field is `i64`. DTO field-level taint exempts `dto.doc_id` member-access subject; numeric DTO fields cannot bypass ownership." 
}, { "case_id": "rs-auth-dto-string-field-001", "file": "rust/auth/unsafe_dto_string_field_axum.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-639", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "rs.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "positive", "typed-extractors-phase6-2026-04-25" ], "disabled": false, "notes": "Phase 6 negative-control: DTO whose `doc_id` field is `String` must NOT be exempted \u2014 String DTO fields can carry injection payloads, so the auth rule must continue to fire." }, { "case_id": "js-safe-realrepo-001", "file": "javascript/safe/safe_dom_globals_and_methods.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "js.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "real-repo-precision-2026-04-25" ], "disabled": false, "notes": "Browser DOM globals (`document`, `window`, `localStorage`) and DOM-API methods (`addEventListener`, `appendChild`, `getElementById`) are non-data-layer (website/public/app/core/app.js)" }, { "case_id": "js-safe-realrepo-002", "file": "javascript/safe/safe_happy_path_error_check.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "cfg-error-fallthrough" ], "expected_severity": null, 
"expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cfg", "negative", "real-repo-precision-2026-04-25" ], "disabled": false, "notes": "Happy-path `if (!data.error && Array.isArray(...))` and body-mentioning-err do not fire `cfg-error-fallthrough` (website/public/app/core/app.js)" }, { "case_id": "js-safe-realrepo-006", "file": "javascript/safe/safe_localised_gherkin_regex.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "panic-guard", "negative", "real-repo-precision-2026-04-29" ], "disabled": false, "notes": "Panic guard: CodeMirror Gherkin tokenizer ships a long localised regex inside a boolean sub-condition. Naive byte-slice truncation in CFG condition-text (`t[..MAX_CONDITION_TEXT_LEN]`) panicked when byte 256 landed inside a multi-byte UTF-8 character (Gurmukhi `\u0a16`). Engine fix: src/utils/snippet.rs::truncate_at_char_boundary applied at three CFG sites + two symex display sites (gogs public/plugins/codemirror-5.17.0/mode/gherkin/gherkin.js:107)." 
}, { "case_id": "go-safe-realrepo-001", "file": "go/safe/safe_error_log_only_function.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "cfg-error-fallthrough" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cfg", "negative", "real-repo-precision-2026-04-25" ], "disabled": false, "notes": "`if err != nil { log() }` whose if is the LAST statement in the function \u2014 no fallthrough sink possible (gin/debug.go:debugPrintError)" }, { "case_id": "go-cmdi-realrepo-001", "file": "go/cmdi/vuln_error_log_then_sink.go", "language": "go", "is_vulnerable": true, "vuln_class": "cmdi", "cwe": "CWE-78", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "cfg-error-fallthrough" ], "allowed_alternative_rule_ids": [ "cfg-unguarded-sink", "go.sqli.query_concat", "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [ [ 14, 14 ] ], "expected_source_lines": [], "tags": [ "cfg", "positive", "real-repo-precision-2026-04-25" ], "disabled": false, "notes": "Vulnerable counterpart: `if err { log() } sink()` \u2014 error logged then fallthrough to sink. Pins that the False-edge-only walk does NOT silence the rule for real fallthrough." 
}, { "case_id": "java-safe-realrepo-001", "file": "java/safe/SafeLoggerIsEnabled.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "cfg-error-fallthrough" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cfg", "negative", "real-repo-precision-2026-04-25" ], "disabled": false, "notes": "`if (logger.isErrorEnabled()) { print() } more_code()` \u2014 `isErrorEnabled` is a logging-state method, not an error variable; rule must reject camelCase names containing `err` (spring-boot/SpringApplication.java:854)" }, { "case_id": "go-safe-realrepo-002", "file": "go/safe/safe_method_receiver_mutex.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "state-resource-leak", "state-resource-leak-possible", "cfg-resource-leak" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "state", "negative", "real-repo-precision-2026-04-25" ], "disabled": false, "notes": "Go method receiver `c *Context` with internal `c.mu.Lock`/`defer c.mu.Unlock` is NOT a leakable resource \u2014 the proxy-receiver extractor previously took the root identifier of multi-segment callees (`c.writer.header().set` \u2192 `c`) and section 2b's exception-path heuristic ran on Go (gin/context.go:Set/Get/MustGet)" }, { "case_id": "go-safe-fieldproj-phase3", "file": "go/safe/safe_chained_receiver_field_proj.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": 
"rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "state-resource-leak", "state-resource-leak-possible", "cfg-resource-leak" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "state", "negative", "field-projections-phase3-2026-04-25" ], "disabled": false, "notes": "Phase 3 of the field-projections rollout: chained-receiver method calls (`c.writer.header.set(...)`) must NOT mark the chain root `c` as proxy-acquired. The single-dot band-aid in state/transfer.rs is replaced by chain_proxies tracking that records each receiver chain as its own entity." }, { "case_id": "go-safe-realrepo-003", "file": "go/safe/safe_const_bound_id.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "go.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "real-repo-precision-2026-04-25" ], "disabled": false, "notes": "`id := \"id\"; c.AddParam(id, value)` \u2014 const-bound local must not count as a scoped-identifier subject (gin/context_test.go:TestContextAddParam)" }, { "case_id": "go-safe-realrepo-004", "file": "go/safe/safe_chained_call_response_header.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "go.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "real-repo-precision-2026-04-27" ], "disabled": false, 
"notes": "`w.Header().Get(constName)` and `r.URL.Query().Get(name)` \u2014 chained-call receiver returns an opaque value (http.Header / url.Values map); the verb-name fallback (Get matches the read indicator) must not auto-classify these as DbCrossTenantRead. Closes the minio cmd/api-response.go cluster (~70 hits)." }, { "case_id": "go-safe-realrepo-005", "file": "go/safe/safe_self_method_receiver.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "go.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "real-repo-precision-2026-04-27" ], "disabled": false, "notes": "`func (c *Cache) ...` with `c.foo()` / `c.Fs.Create(...)` intra-struct dispatches \u2014 Go method receivers must seed `non_sink_vars` so the verb-name fallback doesn't fire on bare-receiver internal calls. Closes the hugo cache/filecache.go cluster (~48 hits)." }, { "case_id": "go-safe-realrepo-006", "file": "go/safe/safe_test_helper_fatal.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "cfg-error-fallthrough" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cfg", "negative", "real-repo-precision-2026-04-29" ], "disabled": false, "notes": "`if err != nil { c.Fatalf(...) }` / `os.Exit` / `log.Fatalf` / `panic(err)` are documented terminators (Goexit-class). cfg-error-fallthrough must walk through them as terminating paths. 
Closes the minio test-file cluster (49+34+12+11+9+7+7 hits across xl-storage_test.go, erasure-healing_test.go, format-erasure_test.go, \u2026). Engine fix: src/cfg_analysis/error_handling.rs::call_never_returns." }, { "case_id": "go-safe-realrepo-016", "file": "go/safe/safe_inner_call_close_in_arg.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [ "state-resource-leak-possible" ], "forbidden_rule_ids": [ "state-resource-leak" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "resource-lifecycle", "negative", "real-repo-precision-2026-05-02" ], "disabled": false, "notes": "`require.NoError(t, f.Close())` and `errs = append(errs, f.Close())` shapes \u2014 the inner-call release was invisible because the CFG's per-statement Call node carries the OUTER callee. Engine fix: src/state/transfer.rs::apply_call now walks info.arg_callees after the direct-release branch and marks the bare-receiver SymbolId CLOSED. Closes 9+ hits across prometheus tsdb test files." 
}, { "case_id": "go-safe-realrepo-017", "file": "go/safe/safe_struct_field_resource_owned_by_struct.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "state-resource-leak", "state-resource-leak-possible", "cfg-resource-leak" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "resource-lifecycle", "negative", "real-repo-precision-2026-05-02" ], "disabled": false, "notes": "`b.cpuprof = os.Create(...)` shape \u2014 member-expression LHS is an ownership transfer to the containing struct, not a local acquisition. Closure responsibility belongs to a paired `stopProfiling()` method. Engine fix: src/state/transfer.rs::apply_call gates the acquire on !define_is_field_lhs; src/cfg_analysis/resources.rs::run mirrors the gate. Closes the prometheus cmd/promtool/tsdb.go::startProfiling cluster (4 findings on b.cpuprof, b.memprof, b.blockprof, b.mtxprof)." }, { "case_id": "go-vuln-realrepo-018", "file": "go/safe/vuln_resource_leak_no_close.go", "language": "go", "is_vulnerable": true, "vuln_class": "resource", "cwe": "CWE-404", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "state-resource-leak" ], "allowed_alternative_rule_ids": [ "cfg-resource-leak", "state-resource-leak-possible" ], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "resource-lifecycle", "positive", "real-repo-precision-2026-05-02" ], "disabled": false, "notes": "Recall guard for the inner-call-arg / member-LHS fixes. Bare-identifier `f := os.OpenFile(...)` with no `f.Close()` anywhere must still fire the resource-leak rule." 
}, { "case_id": "go-auth-realrepo-001", "file": "go/auth/vuln_repo_findbyid_no_auth.go", "language": "go", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-639", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "go.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "positive", "real-repo-precision-2026-04-27" ], "disabled": false, "notes": "Vulnerable counterpart pinning the chained-call suppression: bare-identifier receivers (`repo.Find(id)` / `repo.Save(id, val)`) are still classified as canonical data-layer sinks and must continue firing the ownership check." }, { "case_id": "go-safe-realrepo-018", "file": "go/safe/safe_ctx_context_helper.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "go.auth.missing_ownership_check" ], "expected_severity": "NONE", "expected_category": "N/A", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "real-repo-precision-2026-05-03" ], "disabled": false, "notes": "Distilled from gitea/services/packages/packages.go::AddFileToExistingPackage. Layer-1 type-aware Go param filter drops ctx context.Context, plus Layer-2 narrowing of the Go framework-request-name allow-list closes the ~1900 missing_ownership_check FP cluster on backend helpers." 
}, { "case_id": "go-auth-realrepo-002", "file": "go/auth/vuln_apicontext_findbyid.go", "language": "go", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-639", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "go.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "positive", "real-repo-precision-2026-05-03" ], "disabled": false, "notes": "Recall guard for the 2026-05-03 Go DAO-helper precision pass. After id-like scalar params are dropped from unit.params for non-route units, this fixture pins recall via gin route registration: r.GET(/items/:id, GetByID) promotes the unit to RouteHandler; function_params_route_handler keeps id-like scalar params and the rule fires on the bare-receiver DAO call." }, { "case_id": "go-safe-realrepo-019", "file": "go/safe/safe_dao_helper_id_scalar.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "go.auth.missing_ownership_check" ], "expected_severity": "NONE", "expected_category": "N/A", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "real-repo-precision-2026-05-03" ], "disabled": false, "notes": "Distilled from gitea models/actions/{run,run_job,runner,...}.go DAO helpers (~957 FPs). Pattern: (ctx context.Context, repoID, runID int64) signatures with bounded scalar id-like params calling internal DB helpers. Engine fix in src/auth_analysis/extract/common.rs::collect_param_names Go arm drops id-like scalar names from unit.params for non-route units (mirrors Python typed_parameter filter)." 
}, { "case_id": "py-auth-realrepo-001", "file": "python/safe/safe_django_migration_token.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "py.auth.token_override_without_validation" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "real-repo-precision-2026-04-27" ], "disabled": false, "notes": "Distilled from saleor/account/migrations/0021_unique_token.py: Django RunPython callback writes user-token field but has no user reach (params apps, schema_editor)." }, { "case_id": "py-auth-realrepo-002", "file": "python/safe/safe_pytest_conftest_marker.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "py.auth.token_override_without_validation", "py.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "real-repo-precision-2026-04-27" ], "disabled": false, "notes": "Distilled from saleor/conftest.py: pytest collection hook with item.add_marker; no user reach but legacy heuristics flagged it." 
}, { "case_id": "py-auth-realrepo-003", "file": "python/safe/safe_celery_task_no_user_input.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "py.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "real-repo-precision-2026-04-27" ], "disabled": false, "notes": "Distilled from saleor/discount/tasks.py:handle_promotion_toggle: zero-arg Celery task; id-shaped subjects come from internal computation, not user input." }, { "case_id": "py-auth-realrepo-004", "file": "python/auth/vuln_token_override_django_handler.py", "language": "python", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-863", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "py.auth.token_override_without_validation" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 18, 18 ] ], "expected_source_lines": [ [ 15, 15 ] ], "tags": [ "real-repo-precision-2026-04-27" ], "disabled": false, "notes": "Vulnerable counterpart to realrepo-001..003: Django view accepts attacker-supplied token + email, overrides token-bound user.email without validating expiry/recipient." 
}, { "case_id": "ts-auth-realrepo-001", "file": "typescript/auth/safe_session_user_id_copy.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "js.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "real-repo-precision-2026-04-27" ], "disabled": false, "notes": "Distilled from cal.com Next.js handlers (apps/web/app/.../api-keys/page.tsx): `const userId = session.user.id` is a self-actor-id copy through a session-scoped chain. Closes a 10+ FP cluster (fix: src/auth_analysis/extract/common.rs::value_is_self_scoped_session_id_chain + JS variable_declarator dispatch)." }, { "case_id": "ts-auth-realrepo-002", "file": "typescript/auth/vuln_target_user_id_no_check.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-639", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "js.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 12, 12 ] ], "expected_source_lines": [], "tags": [ "auth", "real-repo-precision-2026-04-27" ], "disabled": false, "notes": "Vulnerable counterpart to ts-auth-realrepo-001: `targetUserId` is a foreign id parameter (route-handed, not a session copy) \u2014 the rule must still fire on the qualified prisma.apiKey.deleteMany call. Updated 2026-05-03: pre-fix used bare `deleteApiKeysFromUserId(userId)` whose `delete` verb-prefix match fired despite no receiver evidence; post `receiver_is_simple_chain` gating, the fixture uses a qualified ORM call to test the canonical detection path." 
}, { "case_id": "js-auth-realrepo-001", "file": "javascript/auth/safe_req_user_id_copy.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "js.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "real-repo-precision-2026-04-27" ], "disabled": false, "notes": "Express handler shape: `const userId = req.user.id` is a self-actor-id copy through the session-scoped `req.user` chain (passport / express-session)." }, { "case_id": "ts-auth-realrepo-003", "file": "typescript/auth/safe_destructured_session_user.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "js.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "real-repo-precision-2026-04-27" ], "disabled": false, "notes": "Destructure shapes: `const { user } = ctx.session` / `const { user } = await getServerSession()` / `const { user: me } = ctx.session` / `const { id } = req.user`. cal.com NextAuth idiom \u2014 destructured local IS the actor (or actor's id), not a foreign tenant id." 
}, { "case_id": "ts-auth-realrepo-004", "file": "typescript/auth/safe_trpc_ctx_user_options.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "js.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "real-repo-precision-2026-04-27" ], "disabled": false, "notes": "TRPC handler Options-typed parameter cluster (~105 cal.com findings). File-level pre-scan recognises `type GetOptions = { ctx: { user: NonNullable } }` aliases; param annotations referencing those aliases populate `self_scoped_session_bases[ctx.user]` per-unit. Bare `ctx.user` is NOT added to the static session-base list (would over-suppress non-TRPC code)." }, { "case_id": "ts-auth-realrepo-005", "file": "typescript/auth/vuln_trpc_ctx_input_id_no_check.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-639", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "js.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "real-repo-precision-2026-04-27" ], "disabled": false, "notes": "Regression guard: same TRPC handler shape as ts-auth-realrepo-004 but the SQL parameter is `input.targetUserId` (request body field), not `ctx.user.id`. The TRPC ctx self-actor exemption must apply ONLY to subjects rooted at `ctx.user`, never to other paths in the same param." 
}, { "case_id": "ts-auth-realrepo-006", "file": "typescript/auth/safe_local_collection_receiver.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "js.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "real-repo-precision-2026-04-29" ], "disabled": false, "notes": "Excalidraw `Map` / `Set` / `WeakMap` / `WeakSet` / `Array` / `T[]` / `readonly T[]` receivers \u2014 direct annotation, same-file `type X = Map<...>` aliasing, and inline `new Map()` constructor. SSA `constructor_type` JS/TS arm + `cfg::params::ts_type_to_local_collection` + `cfg::dto::collect_type_alias_local_collections` route every shape through `TypeKind::LocalCollection` \u2192 `SinkClass::InMemoryLocal`, suppressing missing-ownership." }, { "case_id": "ts-auth-realrepo-007", "file": "typescript/auth/vuln_local_collection_does_not_blanket_suppress.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-639", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "js.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "real-repo-precision-2026-04-29" ], "disabled": false, "notes": "Vulnerable counterpart to ts-auth-realrepo-006: `prisma.user.findUnique` / `prisma.user.update` with attacker-supplied id and no preceding auth check. 
Receiver is NOT a tracked Map / Set / Array, so the LocalCollection fix must NOT suppress this \u2014 proves the type-aware suppression doesn't blanket-cover real DB clients that share method names (`get`, `find`, `update`) with JS containers." }, { "case_id": "rs-auth-realrepo-009", "file": "rust/auth/safe_local_user_view_extractor.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rs.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "real-repo-precision-2026-04-27", "noise-budget-zero" ], "disabled": false, "notes": "Lemmy `LocalUserView` extractor: `is_self_actor_type_text`'s structural User recogniser accepts the type, so `local_user_view.person.id` reads of the actor's own id pass `is_actor_context_subject` and the missing-ownership rule does not fire." }, { "case_id": "rs-auth-realrepo-010", "file": "rust/auth/unsafe_local_user_view_extractor.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-285", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "rs.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "High", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "positive", "real-repo-precision-2026-04-27" ], "disabled": false, "notes": "Negative counterpart for the LocalUserView recogniser: handler takes the typed extractor but mutates a row by `req.target_user_id` (foreign id) without any ownership check \u2014 must still flag. 
Guards against an over-broad recogniser that would treat any handler with a self-actor extractor as authorised by default." }, { "case_id": "rs-auth-realrepo-011", "file": "rust/auth/safe_param_type_segment_idents.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rs.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "real-repo-precision-2026-04-29", "noise-budget-zero" ], "disabled": false, "notes": "Rust `parameter` arm in `collect_param_names` keeps type-segment idents (`std`, `path`, `Path`) out of `unit.params` so `dst: &std::path::Path` doesn't gate `unit_has_user_input_evidence` open via the framework-name allow-list (`path`). Surfaced from meilisearch/index-scheduler/scheduler/process_snapshot_creation.rs::remove_tasks where `dst: &std::path::Path` made every `db.delete(task.uid)` fire missing-ownership-check." 
}, { "case_id": "rs-auth-realrepo-012", "file": "rust/auth/safe_local_collection_param_types.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rs.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "real-repo-precision-2026-04-29", "noise-budget-zero" ], "disabled": false, "notes": "Rust function-parameter type annotations naming an in-memory container (`RoaringBitmap`, `HashMap`, `HashSet`, `BTreeSet`) classify the receiver as `TypeKind::LocalCollection` \u2192 `SinkClass::InMemoryLocal`, suppressing the verb-name dispatch's DbMutation classification. Surfaced from meilisearch/index-scheduler/scheduler/enterprise_edition/network.rs::balance_shards (`unsharded: RoaringBitmap`). Mirrors the JS/TS `ts_type_to_local_collection` fix from 2026-04-29." }, { "case_id": "rs-auth-realrepo-013", "file": "rust/auth/unsafe_handler_local_collection_does_not_blanket_suppress.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-285", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "rs.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "High", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "positive", "real-repo-precision-2026-04-29" ], "disabled": false, "notes": "Negative-counterpart guard for the LocalCollection / parameter-name fixes: handler takes a HashMap typed param (in-memory bookkeeping) but ALSO calls `db.update_owner(req.target_user_id, ...)` (real DbMutation). 
The cache mutation must not blanket-suppress the persistent-store mutation \u2014 the rule must still fire on `db.update_owner`." }, { "case_id": "rs-auth-realrepo-014", "file": "rust/auth/safe_actix_guarded_data_extractor.rs", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rs.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "negative", "real-repo-precision-2026-05-02", "noise-budget-zero" ], "disabled": false, "notes": "Meilisearch `GuardedData<..., Data<...>>` typed extractor on actix-web routes registered via `#[routes::path(..)]` attribute macros (no `.route()` builder, so `collect_routes` doesn't attach the handler). The new typed-extractor fallback pass in `actix_web::extract` walks every Function-kind unit and applies `guard_calls_for_handler`; the `Guarded`-prefix `policy_guard_names` recogniser injects `AuthCheckKind::Other` with `is_route_level: true`, so `auth_check_covers_subject`'s route-level short-circuit suppresses missing-ownership-check on path-derived sinks." 
}, { "case_id": "rs-auth-realrepo-015", "file": "rust/auth/unsafe_actix_no_guarded_data_extractor.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-285", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "rs.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "Medium", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "positive", "real-repo-precision-2026-05-02" ], "disabled": false, "notes": "Negative-counterpart guard for the `GuardedData` typed-extractor recogniser: same handler shape but the wrapper is replaced by a bare `Data` (no policy enforcement implied). An over-broad `policy_guard_names` recogniser would silence this; the Guarded-prefix matcher must NOT fire on bare `Data<...>`, so the rule still flags the path-derived `uid` flowing into `auth_controller.get_key`." }, { "case_id": "rs-auth-realrepo-016", "file": "rust/safe/safe_non_web_rust_project", "language": "rust", "is_vulnerable": false, "vuln_class": "safe", "cwe": "", "provenance": "real-repo-precision-2026-05-02", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rs.auth.missing_ownership_check", "rs.auth.stale_authorization", "rs.auth.token_override_without_validation" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "shape-safe", "real-repo-precision-2026-05-02" ], "disabled": false, "notes": "Real-repo precision guard distilled from zed (desktop GUI / DAP debugger / agent) crates: `_id` parameters on internal helpers AND `session.foo` chains on debug-session handles must NOT count as user-input evidence in a Rust project whose Cargo.toml names no web framework. 
`lang_has_web_framework(\"rust\")` returns Some(false) and the gate suppresses both step-2 (context_inputs) and step-3 (param-name) heuristics." }, { "case_id": "rs-auth-realrepo-017", "file": "rust/auth/unsafe_actix_web_project_no_check", "language": "rust", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-285", "provenance": "real-repo-precision-2026-05-02", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "rs.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "High", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "positive", "real-repo-precision-2026-05-02" ], "disabled": false, "notes": "Regression counterpart to `rs-auth-realrepo-016`: same helper shape with no upstream auth check, but the project's manifest names `actix-web` so `lang_has_web_framework(\"rust\")` returns Some(true) and the param-name arm of `unit_has_user_input_evidence` stays on. Asserts the project-level web-framework gate doesn't silence findings in real Rust web projects." }, { "case_id": "ruby-safe-ar-query-shapes-001", "file": "ruby/safe/safe_active_record_query_shapes.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "", "provenance": "real-repo-precision-2026-04-27", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "cfg-unguarded-sink", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "active-record", "rails", "sqli", "shape-safe", "real-repo-precision" ], "disabled": false, "notes": "ActiveRecord query methods (where/order/group/having/joins/pluck) with parameter-safe arg-0 shapes (hash, symbol, array, parameterised string) \u2014 Rails escapes the values, no SQLi exposure." 
}, { "case_id": "ruby-sqli-where-string-interp-001", "file": "ruby/sqli/sqli_where_string_interpolation.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "real-repo-precision-2026-04-27", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 9, 9 ] ], "expected_source_lines": [ [ 8, 8 ] ], "tags": [ "active-record", "rails", "sqli", "string-interpolation", "real-repo-precision" ], "disabled": false, "notes": "Counterpart to safe_active_record_query_shapes \u2014 same method becomes a real SQLi sink when arg 0 is a string with #{...} interpolation. Engine must keep flagging this even though the safe-shape fixtures suppress SQL_QUERY at the same callee." }, { "case_id": "ruby-sqli-where-chained-interp-001", "file": "ruby/sqli/sqli_where_chained_interpolation.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "real-repo-precision-2026-04-27", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 9, 9 ] ], "expected_source_lines": [ [ 8, 8 ] ], "tags": [ "active-record", "rails", "sqli", "string-interpolation", "chained", "real-repo-precision" ], "disabled": false, "notes": "Chained shape: Model.where(\"...#{x}...\").preload(...).to_a. CFG collapses chained calls into one node whose outermost callee is .to_a (no args). The shape suppressor walks the receiver chain to reach the inner where(...) \u2014 chain-walking only suppresses SAFE shapes, so this dangerous form must still fire." 
}, { "case_id": "ruby-safe-post-fetch-ownership-001", "file": "ruby/safe/safe_post_fetch_ownership_check.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "", "provenance": "real-repo-precision-2026-04-27", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rb.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "rails", "auth", "post-fetch-check", "real-repo-precision" ], "disabled": false, "notes": "Rails canonical \"load by id, then check ownership\" idiom \u2014 row-fetch exemption (row_population_data reverse-walk in auth_check_covers_subject) closes the gap when the per-record permission check appears textually after the fetch." }, { "case_id": "ruby-auth-missing-post-fetch-001", "file": "ruby/auth/auth_missing_post_fetch_check.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-639", "provenance": "real-repo-precision-2026-04-27", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "rb.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 12, 12 ] ], "expected_source_lines": [], "tags": [ "rails", "auth", "missing-ownership", "real-repo-precision" ], "disabled": false, "notes": "Counterpart to safe_post_fetch_ownership_check \u2014 same controller shape but the per-record permission check is omitted, so the row-fetch exemption does not fire. Engine must keep flagging this even though the safe-shape fixtures train the exemption on the same Issue.find(params[:id]) pattern." 
}, { "case_id": "ruby-safe-rails-private-callback-helper-001", "file": "ruby/safe/safe_rails_private_callback_helper.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "", "provenance": "real-repo-precision-2026-05-03", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rb.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "rails", "auth", "private-callback-helper", "real-repo-precision" ], "disabled": false, "notes": "Mastodon-shape: `set_account` private helper invoked via `before_action :set_account`. Rails extractor + collect_top_level_units now skip private + callback-target methods so the row fetch in the helper is not flagged as a missing-ownership unit; the public action that triggers the callback owns the auth context." }, { "case_id": "ruby-safe-rails-callback-helper-no-private-001", "file": "ruby/safe/safe_rails_callback_helper_no_private.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "", "provenance": "real-repo-precision-2026-05-03", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "rb.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": null, "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "rails", "auth", "callback-target-no-private", "real-repo-precision" ], "disabled": false, "notes": "Sister fixture to safe_rails_private_callback_helper \u2014 the `set_widget` helper carries no `private` directive but is registered via `before_action :set_widget`. Callback-target name suppression alone (independent of visibility) must skip the helper unit." 
}, { "case_id": "java-safe-realrepo-keycloak-001", "file": "java/safe/SafeJpaParameterizedExecute.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real-repo-precision-2026-04-28", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "cfg-unguarded-sink", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "jpa", "parameterized-execute", "real-repo-precision-2026-04-28" ], "disabled": false, "notes": "JPA executeUpdate()/executeQuery() with zero args after createQuery(LITERAL) is parameterised; engine synthesises same-node Sanitizer(SQL_QUERY) so reflexive dominance suppresses cfg-unguarded-sink. Distilled from keycloak/JpaEventStoreProvider.java." }, { "case_id": "java-sqli-realrepo-keycloak-001", "file": "java/sqli/SqliJpaCreateQueryConcat.java", "language": "java", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "real-repo-precision-2026-04-28", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "cfg-unguarded-sink" ], "allowed_alternative_rule_ids": [ "taint-unsanitised-flow" ], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 18, 18 ] ], "expected_source_lines": [], "tags": [ "jpa", "concat", "real-repo-precision-2026-04-28" ], "disabled": false, "notes": "Concatenated SQL passed to em.createQuery(...) \u2014 receiver-chain walk sees binary_expression at arg 0, refuses to synthesise sanitizer, structural sink fires. Regression guard for the JPA parameterised-execute fix." 
}, { "case_id": "java-safe-realrepo-openmrs-001", "file": "java/safe/SafeJpaCriteriaQuery.java", "language": "java", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real-repo-precision-2026-05-03", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "cfg-unguarded-sink", "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "jpa", "criteria-api", "real-repo-precision-2026-05-03" ], "disabled": false, "notes": "JPA Criteria API: cb.createQuery(Foo.class) returns CriteriaQuery; session.createQuery(cq)/em.createQuery(cq) is safe by construction (parameterized SQL emitted). Engine maps CriteriaBuilder.createQuery via receiver-text recogniser to TypeKind::JpaCriteriaQuery, then sink_args_jpa_criteria_query_safe suppresses cfg-unguarded-sink at the executor site. Distilled from openmrs HibernateCohortDAO." }, { "case_id": "py-auth-realrepo-005", "file": "python/safe/safe_fastapi_route_dependencies_auth.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "py.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "fastapi", "real-repo-precision-2026-04-29" ], "disabled": false, "notes": "Distilled from airflow api_fastapi/core_api/routes/public/connections.py: FastAPI route decorator carries `dependencies=[Depends(requires_access_connection(method=\"DELETE\"))]`; the Flask extractor's new `dependencies=` kwarg walker plus inject_middleware_auth subject synthesis recognises the auth gate." 
}, { "case_id": "py-auth-realrepo-007", "file": "python/safe/safe_fastapi_route_level_row_fetch.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "py.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "fastapi", "real-repo-precision-2026-04-29" ], "disabled": false, "notes": "Distilled from airflow api_fastapi/core_api/routes/public/dag_run.py: FastAPI route decorator carries `dependencies=[Depends(requires_access_dag(method=\"GET\"))]`; the route-level guard must cover not only direct path-param subjects (filter_by(dag_id=dag_id)) but also row-variable receivers (`dag.cleanup_runs(...)` after `dag = session.scalar(select(DagModel)...)`). Pinned by the `is_route_level` short-circuit in `auth_check_covers_subject` plus the kind-aware `function_params_route_handler` that includes id-like Python typed params (`dag_id: str`) in `unit.params`." }, { "case_id": "py-auth-realrepo-006", "file": "python/safe/safe_pytest_sqlalchemy_session.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "py.auth.missing_ownership_check", "py.auth.token_override_without_validation" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "pytest", "real-repo-precision-2026-04-29" ], "disabled": false, "notes": "Distilled from airflow tests/unit/models/test_backfill.py: pytest test methods with SQLAlchemy `session` fixture and `session.commit()` calls. 
Bare `session.<method>` no longer counts as auth Session evidence; only `session.<identity field>` (user/user_id/...) does." }, { "case_id": "py-auth-realrepo-007", "file": "python/auth/vuln_fastapi_route_no_dependencies.py", "language": "python", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-862", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "py.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 25, 25 ] ], "expected_source_lines": [], "tags": [ "auth", "fastapi", "real-repo-precision-2026-04-29" ], "disabled": false, "notes": "Vulnerable counterpart to py-auth-realrepo-005: same FastAPI route shape but no `dependencies=[Depends(...)]` keyword arg. Regression guard: the dependency-injection recogniser must not blanket-suppress every FastAPI route. Updated 2026-05-03: pre-fix recall came from a member_chain quirk where `select(Connection).filter_by(...)` reduced to bare callee `filter_by` and prefix-matched the `filter` read indicator. Post `receiver_is_simple_chain` gating, the fixture uses a qualified `Connection.objects.filter(id=connection_id).delete()` shape — SQLAlchemy `select().filter_by(...)` chained-call detection is a deferred deep fix." 
}, { "case_id": "js-data_exfil-001", "file": "javascript/data_exfil/exfil_fetch_cookie_body.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "data_exfil", "cwe": "CWE-201", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-data-exfiltration" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 9 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "data_exfil", "fetch", "cookie" ], "disabled": false, "notes": "Cookie source flows into fetch body at hardcoded URL; DATA_EXFIL must fire and SSRF must not." }, { "case_id": "js-data_exfil-002", "file": "javascript/data_exfil/exfil_fetch_external_destination.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "data_exfil", "cwe": "CWE-201", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-data-exfiltration" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 9 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "data_exfil", "fetch", "cookie", "external-destination" ], "disabled": false, "notes": "Cookie source flows into fetch body at attacker-controlled host; DATA_EXFIL fires, SSRF does not." 
}, { "case_id": "js-data_exfil-003", "file": "javascript/data_exfil/exfil_xhr_send_header.js", "language": "javascript", "is_vulnerable": true, "vuln_class": "data_exfil", "cwe": "CWE-201", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-data-exfiltration" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 8, 8 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "data_exfil", "xhr", "header" ], "disabled": false, "notes": "Authorization header source flows into XMLHttpRequest.send body at hardcoded URL." }, { "case_id": "ts-data_exfil-001", "file": "typescript/data_exfil/exfil_fetch_cookie_body.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "data_exfil", "cwe": "CWE-201", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-data-exfiltration" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 6, 9 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "data_exfil", "fetch", "cookie" ], "disabled": false, "notes": "TypeScript variant of js-data_exfil-001." }, { "case_id": "ts-data_exfil-002", "file": "typescript/data_exfil/exfil_fetch_header_body.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "data_exfil", "cwe": "CWE-201", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-data-exfiltration" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 6, 9 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "data_exfil", "fetch", "header" ], "disabled": false, "notes": "Authorization header flows into fetch body at hardcoded URL." 
}, { "case_id": "py-data_exfil-001", "file": "python/data_exfil/exfil_requests_post_env_dict.py", "language": "python", "is_vulnerable": true, "vuln_class": "data_exfil", "cwe": "CWE-201", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-data-exfiltration" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 14, 14 ] ], "expected_source_lines": [ [ 12, 13 ] ], "tags": [ "data_exfil", "requests", "env", "container" ], "disabled": false, "notes": "Env-config secrets accumulate into a dict, then flow as the json kwarg of requests.post; container-taint round-trip." }, { "case_id": "py-data_exfil-002", "file": "python/data_exfil/exfil_httpx_async_post_env.py", "language": "python", "is_vulnerable": true, "vuln_class": "data_exfil", "cwe": "CWE-201", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-data-exfiltration" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 12, 15 ] ], "expected_source_lines": [ [ 11, 11 ] ], "tags": [ "data_exfil", "httpx", "async", "env" ], "disabled": false, "notes": "Env-config secret flows into httpx.AsyncClient().post json kwarg via the type-qualified HttpClient.post matcher." 
}, { "case_id": "java-data_exfil-001", "file": "java/data_exfil/DataExfilJdkHttpClient.java", "language": "java", "is_vulnerable": true, "vuln_class": "data_exfil", "cwe": "CWE-201", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-data-exfiltration" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 16, 20 ] ], "expected_source_lines": [ [ 13, 14 ] ], "tags": [ "data_exfil", "jdk-httpclient", "cookie" ], "disabled": false, "notes": "Servlet cookie value flows through BodyPublishers.ofString into HttpClient.send body." }, { "case_id": "java-data_exfil-002", "file": "java/data_exfil/DataExfilOkHttp.java", "language": "java", "is_vulnerable": true, "vuln_class": "data_exfil", "cwe": "CWE-201", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-data-exfiltration" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 15, 21 ] ], "expected_source_lines": [ [ 13, 13 ] ], "tags": [ "data_exfil", "okhttp", "session" ], "disabled": false, "notes": "HttpSession attribute wraps via RequestBody.create and binds to OkHttp Request.Builder.post; chain-normalized newCall.execute fires DATA_EXFIL." 
}, { "case_id": "go-data_exfil-001", "file": "go/data_exfil/exfil_http_post_cookie_body.go", "language": "go", "is_vulnerable": true, "vuln_class": "data_exfil", "cwe": "CWE-201", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-data-exfiltration" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 12, 12 ] ], "expected_source_lines": [ [ 10, 11 ] ], "tags": [ "data_exfil", "http-post", "cookie" ], "disabled": false, "notes": "Cookie value flows via strings.NewReader into http.Post body at hardcoded URL." }, { "case_id": "rs-data_exfil-001", "file": "rust/data_exfil/exfil_reqwest_form_env.rs", "language": "rust", "is_vulnerable": true, "vuln_class": "data_exfil", "cwe": "CWE-201", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-data-exfiltration" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 5, 8 ] ], "expected_source_lines": [ [ 5, 5 ] ], "tags": [ "data_exfil", "reqwest", "form", "env" ], "disabled": false, "notes": "env::var secret flows into reqwest .form() body chain via the form.send body-bind matcher." 
}, { "case_id": "rb-data_exfil-001", "file": "ruby/data_exfil/exfil_net_http_post_cookie.rb", "language": "ruby", "is_vulnerable": true, "vuln_class": "data_exfil", "cwe": "CWE-201", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-data-exfiltration" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "HIGH", "expected_category": "Security", "expected_sink_lines": [ [ 9, 9 ] ], "expected_source_lines": [ [ 7, 7 ] ], "tags": [ "data_exfil", "net-http", "cookie" ], "disabled": false, "notes": "request.cookies value flows into Net::HTTP.post body at hardcoded URL." }, { "case_id": "c-data_exfil-001", "file": "c/data_exfil/exfil_curl_postfields_env.c", "language": "c", "is_vulnerable": true, "vuln_class": "data_exfil", "cwe": "CWE-201", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-data-exfiltration" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 14, 14 ] ], "expected_source_lines": [ [ 9, 9 ] ], "tags": [ "data_exfil", "curl", "gated-sink", "env" ], "disabled": false, "notes": "getenv secret flows into curl_easy_setopt CURLOPT_POSTFIELDS body; gated-sink fires only at the body-binding setopt." 
}, { "case_id": "js-safe-data_exfil-001", "file": "javascript/safe/safe_data_exfil_sanitizer_wrap.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-201", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-data-exfiltration" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "data_exfil", "safe", "sanitizer-wrap" ], "disabled": false, "notes": "Cookie source routed through default forwarding-wrapper sanitizer (logEvent); DATA_EXFIL must not fire." }, { "case_id": "js-safe-data_exfil-002", "file": "javascript/safe/safe_data_exfil_user_input_echo.js", "language": "javascript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-201", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-data-exfiltration" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "data_exfil", "safe", "user-input-gate" ], "disabled": false, "notes": "Plain user input echoed into fetch body at fixed URL; sensitivity-gate suppresses Plain-tier sources for Cap::DATA_EXFIL." 
}, { "case_id": "py-safe-data_exfil-001", "file": "python/safe/safe_data_exfil_user_input_echo.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-201", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-data-exfiltration" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "data_exfil", "safe", "user-input-gate" ], "disabled": false, "notes": "Flask form-field echoed into requests.post json at fixed URL; sensitivity-gate suppresses Plain-tier user input." }, { "case_id": "go-safe-data_exfil-001", "file": "go/safe/safe_data_exfil_user_input_echo.go", "language": "go", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-201", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-data-exfiltration" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "data_exfil", "safe", "user-input-gate" ], "disabled": false, "notes": "FormValue plain user input echoed into http.Post body at fixed URL; sensitivity-gate suppresses Plain-tier sources." 
}, { "case_id": "rb-safe-data_exfil-001", "file": "ruby/safe/safe_data_exfil_user_input_echo.rb", "language": "ruby", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-201", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-data-exfiltration" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "data_exfil", "safe", "user-input-gate" ], "disabled": false, "notes": "params plain user input echoed into RestClient.post body at fixed URL; sensitivity-gate suppresses Plain-tier sources." }, { "case_id": "c-safe-data_exfil-001", "file": "c/safe/safe_data_exfil_user_input_echo.c", "language": "c", "is_vulnerable": false, "vuln_class": "safe", "cwe": "CWE-201", "provenance": "synthetic", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-data-exfiltration" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "data_exfil", "safe", "user-input-gate" ], "disabled": false, "notes": "fgets stdin user input echoed into curl_easy_setopt CURLOPT_POSTFIELDS at fixed URL; sensitivity-gate suppresses Plain-tier sources." 
}, { "case_id": "py-auth-realrepo-008", "file": "python/safe/safe_django_orm_caller_scoped_entity.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "py.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "django", "real-repo-precision-2026-05-02" ], "disabled": false, "notes": "Distilled from sentry api/helpers/environments.py::get_environments and api/endpoints/organization_releases.py::_filter_releases_by_query. `.id` for a unit param named after a scope-bearing domain entity (organization, project, ...) is the ownership scope inherited from the caller, not a user-controlled target. Pinned by is_caller_scope_entity_subject in src/auth_analysis/checks.rs. Also exercises the keyword_argument-key fix in extract_value_refs (Environment.objects.filter(organization_id=...) \u2014 the kwarg key `organization_id` is the ORM column name, not a subject)." }, { "case_id": "py-auth-realrepo-009", "file": "python/auth/vuln_user_id_param_no_auth.py", "language": "python", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-862", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "py.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 16, 16 ], [ 20, 20 ] ], "expected_source_lines": [], "tags": [ "auth", "django", "real-repo-precision-2026-05-02" ], "disabled": false, "notes": "Vulnerable counterpart to py-auth-realrepo-008: helper takes a user-supplied `project_id` (id-like name) and queries Project.objects.filter(id=project_id) without any preceding ownership check. 
Regression guard: the caller-scope-entity exemption must NOT suppress when the param is itself an id-like user input." }, { "case_id": "py-auth-realrepo-010", "file": "python/safe/safe_mock_patch_test_method.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "py.auth.missing_ownership_check", "py.auth.token_override_without_validation" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "pytest", "real-repo-precision-2026-05-02" ], "disabled": false, "notes": "Distilled from airflow providers/google/tests/unit/google/cloud/hooks/test_dlp.py: pytest test method decorated with `@mock.patch(\"...\")` was being attached as a Flask `PATCH` route handler because bare_method_name(\"mock.patch\") == \"patch\". Fix: parse_flask_route_decorator short-circuits on known test-framework decorator vocabulary (mock.patch, unittest.mock.patch, monkeypatch.setattr, pytest.mark.parametrize)." 
}, { "case_id": "py-auth-realrepo-011", "file": "python/safe/safe_bare_callee_no_receiver.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "py.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "django", "real-repo-precision-2026-05-03" ], "disabled": false, "notes": "Distilled from sentry tasks/statistical_detectors.py:743 (`org_ids = list({p.organization_id for p in projects})`), utils/query.py:90 (`events = list(method(...))`), api/helpers/group_index/delete.py (bare `delete_group_list`, `create_audit_entry`), seer/autofix/coding_agent.py (bare `update_coding_agent_state`). Bare-identifier callees `list`, `filter`, `update`, `create`, `add` are Python builtins or locally-defined helpers, not DB / ORM operations. Fix: classify_sink_class verb-name fallback now requires `receiver_is_simple_chain` (callee contains a non-chained `.`). Regression guard for: bare callees must not classify as DbCrossTenantRead / DbMutation." 
}, { "case_id": "py-auth-realrepo-012", "file": "python/safe/safe_local_set_update_no_orm.py", "language": "python", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "py.auth.missing_ownership_check" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "django", "real-repo-precision-2026-05-04" ], "disabled": false, "notes": "Distilled from sentry api/helpers/teams.py::get_teams: bare-callee Python container constructors (`set()`, `dict()`, `defaultdict()`, `Counter()`, `list()`) bind a non-sink local collection. Subsequent `.update(..)` / `.add(..)` / item assignment must classify as InMemoryLocal, suppressing the false `py.auth.missing_ownership_check` finding. Fix: AuthAnalysisRules::is_non_sink_constructor_callee accepts bare callees matching non_sink_receiver_types; Python defaults populated with `set`/`dict`/`list`/`tuple`/`frozenset`/`defaultdict`/`OrderedDict`/`Counter`/`deque`/`ChainMap`/`namedtuple`; collect_non_sink_binding falls through to `left`/`right` field names; assignment / assignment_expression arm in collect_unit_state now wires the recogniser." 
}, { "case_id": "py-auth-realrepo-013", "file": "python/auth/vuln_local_set_with_user_id_query.py", "language": "python", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-862", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "py.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 22, 22 ], [ 28, 28 ] ], "expected_source_lines": [], "tags": [ "auth", "django", "real-repo-precision-2026-05-04" ], "disabled": false, "notes": "Vulnerable counterpart to py-auth-realrepo-012: same bare-`set()` / `dict()` local container shape, but the helper *also* runs an id-targeted ORM `Project.objects.filter(id=team_id)` query whose filter param is a user-supplied id (no caller-scope-entity exemption applies). Recall guard: bare-callee constructor recogniser must only suppress the InMemoryLocal `.add` / `.update` calls — the id-targeted ORM filter must still fire `py.auth.missing_ownership_check`." }, { "case_id": "py-auth-realrepo-014", "file": "python/auth/vuln_fastapi_route_no_dependencies_sqla.py", "language": "python", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-862", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "py.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 27, 27 ] ], "expected_source_lines": [], "tags": [ "auth", "fastapi", "sqlalchemy", "real-repo-precision-2026-05-04" ], "disabled": false, "notes": "Distilled from airflow `airflow-core/src/airflow/api_fastapi/core_api/routes/public/connections.py`: `session.scalar(select(Connection).filter_by(conn_id=connection_id))` queryset chain. 
Pre-fix the chain reduced via `member_chain` to bare `[\"filter_by\"]` (Python tree-sitter `call` nodes use a `function` field not traversed by the Ruby/JS-style logic) and was suppressed by `receiver_is_simple_chain`'s bare-callee guard, blocking recall. Fix: (1) `member_chain` now traverses Python `call`'s `function` field; (2) the parent attribute branch appends `()` to last segment when its `object` is a call so `select(X).filter_by(...)` produces `[\"select()\", \"filter_by\"]`; (3) `AuthAnalysisRules::chain_root_is_db_query_builder` + per-language `db_query_builder_roots` (Python: `select`, `query`) anchors the chained-call shape to `DbCrossTenantRead`. Recall guard: missing_ownership_check must still fire on this airflow-style queryset chain when no `Depends(...)` auth dependency is declared." }, { "case_id": "py-auth-realrepo-015", "file": "python/safe/safe_fastapi_route_security_scopes.py", "language": "python", "is_vulnerable": false, "vuln_class": "auth", "cwe": "CWE-862", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "py.auth.missing_ownership_check", "py.auth.token_override_without_validation" ], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "fastapi", "security", "real-repo-precision-2026-05-04" ], "disabled": false, "notes": "Distilled from airflow `airflow-core/src/airflow/api_fastapi/execution_api/routes/task_instances.py:101-117`: `dependencies=[Security(require_auth, scopes=[\"token:execution\", \"token:workload\"])]`. Pre-fix `is_depends_callee` only matched `Depends`, so `Security(...)` was ignored and the route fired `missing_ownership_check` even with the auth dep declared. Even after recognising the marker, `require_auth` is registered as a `LoginGuard`, which `has_prior_subject_auth` filters out. 
Fix: (1) `is_dep_marker_callee` recognises `Security` / `fastapi.Security` / `fastapi.params.Security`; (2) `unwrap_depends_call` returns `(CallSite, is_scoped_security)` and skips `keyword_argument` children when finding the first positional; (3) `inject_middleware_auth` promotes a scoped Security wrapper from `LoginGuard` to `AuthCheckKind::Other` so the route counts as authorized. Precision guard: route must NOT fire ownership / token-override findings when carrying a scoped `Security(...)` route-level dep." }, { "case_id": "py-auth-realrepo-016", "file": "python/auth/vuln_fastapi_route_security_no_scopes.py", "language": "python", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-862", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "py.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 34, 34 ] ], "expected_source_lines": [], "tags": [ "auth", "fastapi", "security", "real-repo-precision-2026-05-04" ], "disabled": false, "notes": "Recall counterpart to py-auth-realrepo-015. `Security(require_auth, scopes=[])` with an empty scope list is NOT promoted to `Other` — the OAuth2 scope semantic only fires when scopes is non-empty, so the wrapper falls back to bare login classification. Recall guard: `missing_ownership_check` must still fire on this id-targeted ORM filter; without conservative scope-emptiness gating, every empty-scopes route would over-suppress." 
}, { "case_id": "py-auth-realrepo-017", "file": "python/safe/safe_fastapi_router_level_security_scopes.py", "language": "python", "is_vulnerable": false, "vuln_class": "auth", "cwe": "CWE-862", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "py.auth.missing_ownership_check", "py.auth.token_override_without_validation" ], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "fastapi", "router-level-security", "real-repo-precision-2026-05-04" ], "disabled": false, "notes": "Distilled from airflow `airflow-core/src/airflow/api_fastapi/execution_api/routes/task_instances.py:89-318`: `ti_id_router = VersionedAPIRouter(dependencies=[Security(require_auth, scopes=[\"ti:self\"])])` declares the auth dep once at the router constructor; every `@ti_id_router.<method>(...)` route inherits it at runtime. Pre-fix the FastAPI dep extractor only walked the per-route decorator's `dependencies=[...]` kwarg; router-constructor `dependencies=` was dropped, so every attached route without inline deps fired `missing_ownership_check` + `token_override_without_validation` despite being authorized. Fix: `collect_router_level_dependencies` walks module-level `<router> = APIRouter(...)` / `VersionedAPIRouter(...)` / `FastAPI(...)` assignments and captures `dependencies=[...]` keyed by the router var name; `router_prefix_from_decorator` extracts the receiver from `@<router>.<method>(...)` and merges router-level deps into the per-route middleware list. A scoped Security wrapper additionally synthesises matching `TokenExpiry` + `TokenRecipient` checks (the JWT-validation semantics — JWT signature includes expiry, scopes encode recipient binding) so the token-override rule recognises the route too. Precision guard: route must NOT fire ownership / token-override findings." 
}, { "case_id": "py-auth-realrepo-018", "file": "python/auth/vuln_fastapi_router_no_dependencies.py", "language": "python", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-862", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "py.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 35, 35 ] ], "expected_source_lines": [], "tags": [ "auth", "fastapi", "router-level-security", "real-repo-precision-2026-05-04" ], "disabled": false, "notes": "Recall counterpart to py-auth-realrepo-017. Bare `router = VersionedAPIRouter()` with no `dependencies=` kwarg — attached routes that do not supply inline deps are genuinely unauthorized. The router-level extractor must NOT enter a fake key for routers without router-level deps; the gate (`if deps.is_empty() { continue; }` in `collect_router_level_dependencies`) ensures absence is preserved. Recall guard: `missing_ownership_check` must still fire on the id-targeted write." 
}, { "case_id": "py-auth-realrepo-019", "file": "python/safe/safe_caller_scope_helper_under_authorized_route.py", "language": "python", "is_vulnerable": false, "vuln_class": "auth", "cwe": "CWE-862", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "py.auth.missing_ownership_check", "py.auth.token_override_without_validation" ], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "auth", "fastapi", "caller-scope-ipa", "real-repo-precision-2026-05-04" ], "disabled": false, "notes": "Distilled from airflow `airflow-core/src/airflow/api_fastapi/execution_api/routes/task_instances.py:516-628`: the route handler `ti_update_state` is route-level authorized via the `ti_id_router = APIRouter(dependencies=[Security(require_auth, scopes=[\"ti:self\"])])` declaration (closed by session-0010), then delegates the `session.add(...)` sink to a private helper `_create_state_update`. Pre-fix the helper fired both `missing_ownership_check` and `token_override_without_validation` because `check_ownership_gaps` is scoped per AnalysisUnit — the caller's route-level auth check did not propagate to the callee. Phase 1 caller-scope IPA fix (`apply_caller_scope_propagation` in `src/auth_analysis/mod.rs`) walks the call graph DOWN: when every in-file caller of a helper carries route-level non-Login auth, the helper inherits those checks via synthetic `is_route_level=true` AuthChecks anchored at the callee's start line. Soundness: requires every caller authorized; refuses on dead helpers, mixed-caller helpers, login-only routes." 
}, { "case_id": "py-auth-realrepo-020", "file": "python/auth/vuln_caller_scope_helper_under_bare_route.py", "language": "python", "is_vulnerable": true, "vuln_class": "auth", "cwe": "CWE-862", "provenance": "real-repo", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "py.auth.missing_ownership_check" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 31, 31 ] ], "expected_source_lines": [], "tags": [ "auth", "fastapi", "caller-scope-ipa", "real-repo-precision-2026-05-04" ], "disabled": false, "notes": "Recall counterpart to py-auth-realrepo-019. Same shape but bare `router = APIRouter()` (no Security dep at the boundary). The helper `_create_state_update` is reached from a route handler with no authorization; `apply_caller_scope_propagation`'s soundness rule refuses to authorize the helper because no caller carries route-level non-Login auth. Recall guard: `missing_ownership_check` must still fire on the helper's `session.add` sink." }, { "case_id": "cve-ts-2026-25544-vulnerable", "file": "cve_corpus/typescript/CVE-2026-25544/vulnerable.ts", "language": "typescript", "is_vulnerable": true, "vuln_class": "sqli", "cwe": "CWE-89", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "rule_match", "expected_rule_ids": [ "taint-unsanitised-flow" ], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [], "expected_severity": "MEDIUM", "expected_category": "Security", "expected_sink_lines": [ [ 80, 81 ] ], "expected_source_lines": [ [ 73, 73 ] ], "tags": [ "cve", "payload", "sqli", "vulnerable" ], "disabled": false, "notes": "CVE-2026-25544: Payload `sanitizeValue` SQL injection via Postgres jsonb_path_exists template-string interpolation. 
Vulnerable form (`@payloadcms/drizzle@v3.72.0`, MIT) lets attacker-controlled JSON-query value escape the surrounding SQL string literal because `sanitizeValue` only double-quotes it without escaping `\\`/`\"`. Enabled after validated-flow propagation landed via `SsaFuncSummary.validated_params_to_return` + `propagate_validated_params_to_return`." }, { "case_id": "cve-ts-2026-25544-patched", "file": "cve_corpus/typescript/CVE-2026-25544/patched.ts", "language": "typescript", "is_vulnerable": false, "vuln_class": "safe", "cwe": "N/A", "provenance": "real_cve", "equivalence_tier": "exact", "match_mode": "file_presence", "expected_rule_ids": [], "allowed_alternative_rule_ids": [], "forbidden_rule_ids": [ "taint-unsanitised-flow" ], "expected_severity": null, "expected_category": "Security", "expected_sink_lines": [], "expected_source_lines": [], "tags": [ "cve", "payload", "safe", "patched" ], "disabled": false, "notes": "Patched form of `sanitizeValue` from `@payloadcms/drizzle@v3.73.0` (MIT). Enabled after validated-flow propagation landed." } ] }