mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-12 19:55:14 +02:00
41128177d2
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures * feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests * feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements * feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles * feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing * feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling * feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures * feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration * feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests * feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic * feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection * feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements * feat: Enable auth-state analysis by default and update relevant tests in benchmark config * test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test * docs: update CHANGELOG.md * feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers * feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers * feat: Implement per-index array slot tracking in symbolic heap with overflow collapse * feat: Add implicit definition handling for uninitialized declarations in SSA value allocation * feat: Refactor function parameters and constants for improved clarity and maintainability * refactor: Reorder module imports and improve formatting for consistency * refactor: Fix formatting erorrs * refactor: Fix clippy warnings * refactor: Fix fmt warnings (again) * chore: Update dependencies and improve feature configuration * Add comprehensive tests for undertested modules (#36) (COPILOT) * Add comprehensive tests for undertested modules Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083 * Add comprehensive tests for ext, project, walk, and errors modules Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083 --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> * chore: Update dependencies and improve feature configuration * fix: formatting errors in new tests * chore: Update license list in about.toml * chore: made functions input inline * chore: updated cfg graph to take up the full page * chore: add Prettier configuration and update code formatting * Add frontend test suite with Vitest (111 tests) (#37) * Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7 * ci: add frontend test step to CI workflow Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> * chore: simplify array initialization in test files for consistency * ran typecheck * feat: add AnalysisWorkspace component and integrate it into CfgViewerPage * feat: update routing in AppLayout and improve empty state message in ExplorerPage * feat: enhance scan progress tracking with additional metrics and stages * feat: update license information and add license check script * feat: implement cross-file symbolic execution with callee body persistence * feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering * feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions * feat: enhance resource tracking with proxy method summaries and improve finding extraction * feat: add terminal function exit detection for accurate resource leak analysis * feat: add warnings for loops and functions without bodies to improve error recovery * feat: update lambda expression handling to ensure proper function classification and control flow * feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling * feat: add inline return taint analysis and regression tests for improved security checks * feat: add engine version management and migration handling for database schema updates * feat: enhance first_call_ident to skip nested function bodies and add regression tests * feat: enhance callee name resolution with two-segment normalization and disambiguation * feat: add cross-file context flags and debug assertions for taint analysis * feat: refactor taint analysis structure to unify context handling and improve clarity * feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests * docs: updated CHANGELOG.md * fmt: formatting fixes * fix: fixed frontend formatting and lint warnings * fix: optimized ci * fix: optimized ci * Add comprehensive multi-file test coverage to Nyx (#38) * Initial checklist for multi-file test suite expansion Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23 Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> * Add 12 new multi-file test fixtures with TP/TN/near-miss coverage Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23 Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> * deleted root repo * rebuilt to test for regressions --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> Co-authored-by: elipeter <elicpeter@gmail.com> * feat: enhance import alias resolution and taint tracking * feat: implement security hardening with CSRF protection and path validation * feat: add support for import alias bindings in Python, PHP, and Rust * feat: enhance CFG analysis modes and improve code readability * feat: add detection for parameterized SQL queries to enhance security * feat: add safe internal redirect handling and enhance session destroy validation * feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads * feat: enhance taint detection by adding support for inline source member expressions in call arguments * feat: implement pre-emission of Source nodes for inline source member expressions in call arguments * feat: add support for Throw statement in control flow and error handling * feat: add debug and echo endpoints with potential information leakage * feat: implement internal redirect suppression and enhance taint detection * feat: implement module alias tracking for dynamic dispatch in JS/TS * feat: add authorization analysis module with Express support * feat: add authorization analysis module with Express support * feat: add tests for admin guard requirements and clean checks in authorization analysis * feat: integrate Koa and Fastify frameworks into authorization analysis * feat: add Flask and Django support to authorization analysis module * feat: add support for Rails and Sinatra frameworks in authorization analysis * feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis * feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis * feat: add support for Rails and Sinatra in authorization analysis * chore: add .DS_Store to .gitignore * refactor: simplify conditional checks and improve readability in multiple files * refactor: update usage of Option methods for improved clarity and consistency * refactor: improve code readability by simplifying conditional checks and formatting * refactor: improve code formatting and readability by simplifying conditional checks * refactor: simplify conditional checks and improve readability in multiple files * refactor: simplify conditional checks in axum.rs for improved readability * feat: add CodeQL analysis configuration for enhanced security scanning * test: add comprehensive tests for `src/output.rs` SARIF builder (#39) * chore: start test coverage improvement work Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423 Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> * test: add comprehensive tests for src/output.rs SARIF builder Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423 Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> * refactor: improve code formatting and readability in output.rs --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com> Co-authored-by: elipeter <elicpeter@gmail.com> * refactor: improve code formatting and readability in output.rs * Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * refactor: enhance triage file path handling with improved error management and validation * refactor: updated func summaries for richer detail * refactor: update SSA summary extraction to use canonical FuncKey for distinct entries * refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution * refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls * refactor: implement new Flask routes for safe and unsafe shell command execution * refactor: separate receiver handling in SSA operations and enhance taint propagation * refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments * refactor: implement auth decorator extraction and classification for multiple languages * refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation * refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic * refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior * refactor: standardize default struct initialization across multiple files * feat: add scripts for formatting checks and auto-fixes with test summaries * refactor: simplify character splitting and enhance namespace qualifier handling * refactor: improve documentation clarity and enhance code readability in resolver logic * refactor: replace default struct initialization with explicit field assignments for clarity * feat: enhance anonymous function naming by deriving context-based bindings * refactor: streamline match expressions for improved readability and performance * refactor: streamline match expressions for improved readability and performance * refactor: replace loop with while let for improved clarity and performance * feat: add SSA constant propagation support to analysis context for improved accuracy * feat: add SSA constant propagation support to analysis context for improved accuracy * feat: implement shell metacharacter validation and bounded-length checks in Rust analysis * feat: add static map analysis for command injection suppression and type safety * refactor: simplify match statements and reduce line breaks for improved readability * feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the primary sink source-location through function summaries. Swap SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a backward-compatible cap_sites() helper and serde defaults so pre-phase-1 on-disk rows continue to deserialise cleanly. Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the locator in for the persisted pass-1 path, while pass-2 intra-file transient summaries fall back to cap-only sites (behavior unchanged). Merge: GlobalSummaries::insert now unions sink sites with (file_rel, line, col, cap) dedup via shared union_param_sink_sites helper. Database: JSON-serialised summary columns carry the new shape automatically; no schema change needed. Phase 2 will consume SinkSite in build_taint_diag() to overwrite the caller-site Finding.line with the callee's sink line when resolved via summary. Phase 1 keeps behavior unchanged: scanning tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the same (wrong) line 10 finding. Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink sites, legacy-JSON default handling for both summary types, and merge dedup. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding Plumb Phase 1's SinkSite through the event pipeline into Findings, no output change yet. SsaTaintEvent gains `primary_sink_site: Option<SinkSite>`; when the main or callback sink-emission path has non-empty `param_to_sink_sites`, filter to sites whose `(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per distinct site — the multi-primary collapse keeps each downstream Finding single-primary. Resolution: ResolvedSummary and SinkInfo gain mirror `param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink` (SSA + callback paths) and `FuncSummary.param_to_sink` (global paths). Label, local-summary, and interop resolution paths leave the field empty — they only ever had cap-level info to begin with. Finding: new `primary_location: Option<SinkLocation>` with `file_rel/line/col`. `ssa_events_to_findings` maps `event.primary_sink_site` → `Finding.primary_location`, filtering cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never leaks to formatters. Dedup key extended with the primary location so multi-site events aren't collapsed back together. Invariants (debug_assert!): * every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps != ∅` — enforced by the pick_primary_sink_sites* filters; * every populated Finding.primary_location has `line != 0` AND non-empty `file_rel` — the cap-only → None translation upstream guarantees this. Deliberately independent of `uses_summary`: that flag tracks whether the *taint chain* used a summary, whereas primary attribution requires only that the *sink* itself was summary-resolved. A local source reaching a cross-file sink produces `uses_summary=false` alongside a populated primary_location — documented on Finding.primary_location, covered by `cross_file_sink_finding_carries_primary_location`. build_taint_diag, SARIF/JSON/explanation formatters, and the benchmark scorer remain untouched: finding.line still comes from `cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10 and the benchmark's rs-cmdi-003 row still shows FN in the LOC column. Tests: `cross_file_sink_finding_carries_primary_location` (proves plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and `cross_file_sink_cap_only_site_leaves_primary_location_none` (regression guard against cap-only sites surfacing). All 1566 lib tests + integration tests pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(output): phase 3/5 consume primary sink location in diag + SARIF When a finding's primary_location (populated in phase 2 from a callee summary's SinkSite) names the dangerous instruction inside a callee body, attribute the diagnostic line to that location instead of the caller's call site. The call site is demoted to a Call step in flow_steps, and a synthetic Sink step at the primary location is appended so analysts still see the full trace. Changes: - Add scan_root parameter to build_taint_diag so file_rel can be resolved back to an absolute path via a shared resolve_file_rel helper. Empty file_rel (single-file scans where namespace == "") resolves to the file under analysis. - Extend SinkLocation with snippet, carried from the upstream SinkSite so the formatter needs no second file read. - Relax the ssa_events_to_findings debug_assert to allow empty file_rel, which is valid when scan root equals the file itself. - SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[]; locations[0] already reflects the primary sink position via the updated diag line/col. Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs now reports line 5 (Command::new) as the primary sink, with the call site at line 10 visible in flow_steps. Two expect.json fixtures updated (must_match line_range widened): - javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is the real sink inside run()). - rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new inside the closure). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(bench): phase 4/5 validate primary sink attribution across corpus Extend the benchmark scorer and ground truth to lock in phase 3's primary-location behavior, and add fixtures that exercise the new capability end-to-end. Scorer (tests/benchmark_test.rs): - Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on Case. When present, score_location_level additionally requires at least one flow_step in the finding's evidence trace to fall within ±2 of the call-site range. When absent, the check is skipped — fully forward-compatible with existing fixtures. - Retain ±2 tolerance on expected_sink_lines (compared against the now-primary Diag.line post-phase-3). Ground truth edits: - rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the transform::wrap call site (a cross-file propagator, not a sink); line 9 is Command::new, the real sink. The ±2 tolerance happened to mask this stale attribution but it was semantically wrong — phase 4 is the right time to correct it. Also adds expected_call_site_lines [8,8] so the new field is exercised on an existing cross-file case. - rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call). This fixture's sink (Command::new inside run_cmd at line 5) was the motivating case for phases 1-3; adding the call-site assertion guards against regression to caller-line attribution. New fixtures: - rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both takes two tainted params and invokes two Command sinks on consecutive lines. Locks in that primary line lands inside the helper (lines 5-6), not at the caller (line 12). Notes document that SinkSite is currently one-per-callee so both findings today collapse onto the first sink; expected_sink_lines=[5,6] and expected_call_site_lines=[12,12] stay valid either way. - python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross- 004): sink os.system lives in helper.py (cross-file), caller in app.py reads env source and calls run_cmd. Verifies phase 3's cross-file primary attribution: Diag.path = helper.py, Diag.line = 5, with app.py:7 recorded in flow_steps as a Call step. Acceptance: - `cargo test --test benchmark_test -- --ignored --nocapture` passes. - rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are TP/TP/TP. - Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994 F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on 264 pre-phase-4, delta is the +2 new cases both resolving TP). - Full `cargo test` green (1566 lib tests + all integration tests). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(taint): phase 5/5 lock Finding.primary_location contract via regression test Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three emission stages (pick_primary_sink_sites → emit_ssa_taint_events → ssa_events_to_findings) against a minimal caller SSA body. Asserts the resulting Finding.primary_location is exactly that triple. The existing integration tests in src/taint/tests.rs cover the coarse FuncSummary path end-to-end through analyse_file. This test locks in the lower-level SSA-side plumbing so a future refactor that silently drops the site between pick → emit → findings fails here rather than only at the benchmark layer. Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003 remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4). Closes the primary sink-location attribution feature (phases 1-5/5): * Phase 1 — SinkSite data model on summaries. * Phase 2 — SinkSite threaded into SsaTaintEvent and Finding. * Phase 3 — diag + SARIF consume primary_location. * Phase 4 — benchmark validates primary_call_site_lines across corpus. * Phase 5 — regression test locks the event→finding contract. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * refactor: clean up formatting and improve readability in multiple files * refactor: simplify type definition for deduplication key in findings * test(harness): add must_not_match expectation for FP regression guards Extends ExpectedFinding with must_not_match field that asserts a diagnostic must NOT fire — presence is a hard failure. Non-consuming scan so it coexists with must_match entries on the same rule_id. Adds forbidden_violations accumulator and updates summary line. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules * feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking * feat: update switch statement handling to improve control flow analysis * feat: implement promisify alias handling for JS/TS to enhance taint tracking * feat: enhance taint tracking by refining expectation handling and adding mode filtering * feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters * feat: update taint tracking rules to enforce full mode matching and improve flow analysis * feat: enhance Ruby subshell handling to improve taint tracking and flow analysis * feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding * feat: refine framework detection and update expectation handling for Echo and Sinatra * feat: implement max_count for taint tracking expectations and deduplicate findings * feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files * feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity * feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files * feat: add structural invariant checks for SSA bodies * feat: ensure deterministic phi emission order using BTreeSet * feat: enhance handling of terminators to ensure authoritative flow through successor edges * feat: enhance Goto terminator handling to ensure all successors are marked executable * feat: refactor code for improved readability and organization * feat: simplify predicate checks and enhance readability in SSA handling * feat: implement per-file parse timeout and enhance file size handling * feat: migrate analysis engine toggles from environment variables to configuration file * feat: remove unnecessary whitespace in hostile_input_tests.rs * feat: remove unnecessary whitespace in hostile_input_tests.rs * feat: update dependencies and enhance documentation on language maturity * feat: enhance security headers and improve request body limits * feat: implement sink capability bits for deduplication and enhance evidence tagging * feat: implement dynamic activation handling for gated sinks and enhance validation logic * feat: enhance configuration documentation and clarify inline analysis cache behavior * feat: implement panic recovery during analysis to continue scans past errors * feat: add expectations configuration for taint analysis and performance metrics * feat: enhance error handling and logging during file reading and mutex locking * feat: add cross-file body loading tests and plumbing for CF-1 phase * feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures * feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality * feat: enhance classification span handling in CFG and AST for improved source attribution * feat: add new Express routes for handling user input and telemetry data * feat: implement ternary expression handling in CFG with diamond structure for JS/TS * feat: implement Phase CF-3 abstract-domain transfer channels in summaries * feat: add support for string-prefix transfer in cross-file calls and update tests * docs: reduce RESULTS.md doc size * feat: implement Phase CF-4 per-return-path summary decomposition with tests * feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization * feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests * feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests * refactor: update comments and documentation for clarity and consistency * style: format code for consistency and readability * refactor: simplify verdict handling and improve edge checking logic * refactor: optimize path and identifier collection by avoiding unnecessary cloning * chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults * refactor: update documentation and improve clarity in configuration files * refactor: update documentation and improve clarity in configuration files * feat: add JS/TS pass-2 convergence tests and expectations configuration * feat: add Phase 5 regression tests for inline cache origin attribution and update related logic * feat: implement Phase 7 deduplication and alternative path linking for taint findings * feat: implement structural DFS index for anonymous functions and update naming conventions * feat: add Phase 8 regression tests for container-element taint in JS and Python * feat: add engine-depth profiles and explain-engine option for CLI * feat: update expectations and add new README fixtures for multi-file scan regression * feat: implement Phase 11 callback-alias and factory patterns with regression tests * feat: implement Terminator::Switch for multi-way dispatch and add regression tests * feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants * refactor: extract cfg and ssa_transfer to submodules * refactor: cargo fmt * refactor: remove unnecessary blank line in cfg_tests.rs * refactor: remove unnecessary planning file * chore: update Rust version to 1.88 and bump dependencies in Cargo files * feat: enhance triage UI with new layout and controls, update README for clarity * feat: enhance triage UI with new layout and controls, update README for clarity * chore: remove outdated section from README for version 0.5.0 * docs: improve clarity and consistency in README content * chore: add "GPL-3.0-or-later" to license options in about.toml * chore: update license handling in about.toml and check-licenses.mjs * style: format code for improved readability in TriagePage component * style: format code for improved readability in TriagePage component * chore: enhance license handling and improve body_id scoping in seed lookup * feat: introduce owner and parent body IDs for enhanced seed scoping * feat: implement direction-aware engine provenance with new CLI flag for strict CI gating * feat: add Undef SSA operation for improved control-flow handling * style: improve code formatting for consistency and readability in multiple files * feat: add 16-function chain SCC across multiple files for enhanced analysis * style: simplify code formatting for improved readability in multiple files * fix: update CapHitReason default implementation and improve README clarity * docs: enhance README with detailed explanations of taint analysis and limitations * docs: refine README for clarity and consistency in taint analysis section * style: improve code formatting for better readability in NewScanModal and scans * fix: update cargo-about command to use --offline for deterministic license generation * fix: update cargo-about command to use --offline for deterministic license generation * ci: add step to prime cargo registry cache for deterministic license generation * feat: add support for non-sink collections in authorization analysis * feat: enhance authorization checks with row-level ownership equality and binding tracking * feat: implement self-scoped user handling and enhance ownership checks * refactor: simplify assertions and formatting in authorization analysis tests * fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure * docs: update AI disclosure section for clarity and conciseness * feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure * feat: enhance authorization analysis with SSA-derived variable type classification * feat: implement auth_finding_to_diag function for enhanced security diagnostics * feat: add args_value_refs to CallSite struct for enhanced argument tracking * feat: add args_value_refs to CallSite struct for enhanced argument tracking * feat: add direction-aware engine provenance with LossDirection classification and new CLI flag * feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks * feat: enhance error message handling in cli_validation_tests for better Windows compatibility * feat: optimize release profile settings in Cargo.toml and update CodeQL configuration * feat: enhance release build process with SBOM generation and SLSA provenance * feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries * feat: introduce PathFact handling for path safety checks and rejection logic * feat: introduce PathFact handling for path safety checks and rejection logic * feat: update benchmark data and enhance path sanitization logic with new safety checks * feat: document AI assistance in frontend UI development and human review process * feat: add return path facts for enhanced path safety checks and update documentation * chore: update release date for version 0.5.0 in CHANGELOG.md * chore: clean up ci.yml by removing outdated comments and clarifying steps * feat: implement cross-language path sanitizers and validators for enhanced security * feat: enhance SSA value usage tracking by including block terminators and improve path safety checks * feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases * refactor: simplify conditional formatting and improve code readability in executor and lower modules * feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues * feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers * feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers * feat: add transform classifiers for Java, Go, and Ruby with corresponding tests * refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs --------- Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
11570 lines
No EOL
307 KiB
JSON
11570 lines
No EOL
307 KiB
JSON
{
|
|
"schema_version": "1.0",
|
|
"metadata": {
|
|
"description": "Nyx benchmark ground truth",
|
|
"created": "2026-03-20",
|
|
"corpus_size": 363
|
|
},
|
|
"cases": [
|
|
{
|
|
"case_id": "js-sqli-001",
|
|
"file": "javascript/sqli/sqli_concat.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "analogue",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"js.code_exec.eval"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"tags": [
|
|
"concat",
|
|
"eval-proxy"
|
|
],
|
|
"disabled": false,
|
|
"notes": "eval used as proxy for SQL query; analogue tier because real SQL sink is not modeled directly"
|
|
},
|
|
{
|
|
"case_id": "js-sqli-002",
|
|
"file": "javascript/sqli/sqli_template.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "analogue",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"js.code_exec.eval"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"tags": [
|
|
"template-literal",
|
|
"eval-proxy"
|
|
],
|
|
"disabled": false,
|
|
"notes": "eval used as proxy for SQL query with template literal interpolation"
|
|
},
|
|
{
|
|
"case_id": "js-cmdi-001",
|
|
"file": "javascript/cmdi/cmdi_direct.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"js.cmdi.exec"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"child_process"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from req.query.cmd to exec()"
|
|
},
|
|
{
|
|
"case_id": "js-cmdi-002",
|
|
"file": "javascript/cmdi/cmdi_indirect.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"js.cmdi.exec"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"indirect",
|
|
"concat",
|
|
"child_process"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Indirect flow via string concat to exec()"
|
|
},
|
|
{
|
|
"case_id": "js-xss-001",
|
|
"file": "javascript/xss/xss_reflected.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"tags": [
|
|
"innerHTML",
|
|
"reflected"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Reflected XSS via innerHTML assignment; taint-based detection (no AST pattern for innerHTML)"
|
|
},
|
|
{
|
|
"case_id": "js-xss-002",
|
|
"file": "javascript/xss/xss_document_write.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"js.xss.document_write"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"tags": [
|
|
"document-write"
|
|
],
|
|
"disabled": false,
|
|
"notes": "XSS via document.write with user-controlled content"
|
|
},
|
|
{
|
|
"case_id": "js-xss-003",
|
|
"file": "javascript/xss/xss_location.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-601",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"js.xss.location_assign"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"tags": [
|
|
"open-redirect",
|
|
"location-href"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Open redirect via location.href assignment"
|
|
},
|
|
{
|
|
"case_id": "js-ssrf-001",
|
|
"file": "javascript/ssrf/ssrf_fetch.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "ssrf",
|
|
"cwe": "CWE-918",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"tags": [
|
|
"fetch",
|
|
"ssrf"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SSRF via fetch() with user-controlled URL"
|
|
},
|
|
{
|
|
"case_id": "js-path_traversal-001",
|
|
"file": "javascript/path_traversal/path_traversal.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "path_traversal",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"sendFile",
|
|
"path-traversal"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Path traversal via res.sendFile with user-controlled path"
|
|
},
|
|
{
|
|
"case_id": "js-code_injection-001",
|
|
"file": "javascript/code_injection/code_injection.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "code_injection",
|
|
"cwe": "CWE-94",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"js.code_exec.eval"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"tags": [
|
|
"eval",
|
|
"code-injection"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Code injection via eval() with user-controlled expression"
|
|
},
|
|
{
|
|
"case_id": "js-code_injection-002",
|
|
"file": "javascript/code_injection/code_injection_indirect.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "code_injection",
|
|
"cwe": "CWE-94",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"tags": [
|
|
"new-function",
|
|
"indirect",
|
|
"code-injection"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Code injection via new Function() with user-controlled template"
|
|
},
|
|
{
|
|
"case_id": "js-safe-001",
|
|
"file": "javascript/safe/safe_constant.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"constant",
|
|
"no-source"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Constant string argument to exec; no user-controlled data"
|
|
},
|
|
{
|
|
"case_id": "js-safe-002",
|
|
"file": "javascript/safe/safe_dominated.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"allowlist",
|
|
"dominated-check"
|
|
],
|
|
"disabled": false,
|
|
"notes": "User input dominated by allowlist check before reaching exec()"
|
|
},
|
|
{
|
|
"case_id": "js-safe-003",
|
|
"file": "javascript/safe/safe_interprocedural.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"sanitizer",
|
|
"dompurify",
|
|
"interprocedural"
|
|
],
|
|
"disabled": false,
|
|
"notes": "DOMPurify sanitizer applied via helper function before innerHTML"
|
|
},
|
|
{
|
|
"case_id": "js-safe-004",
|
|
"file": "javascript/safe/safe_non_security_sink.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"non-security-sink",
|
|
"console-log"
|
|
],
|
|
"disabled": false,
|
|
"notes": "User input flows to console.log and length computation, not a security sink"
|
|
},
|
|
{
|
|
"case_id": "js-safe-005",
|
|
"file": "javascript/safe/safe_reassigned.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"reassignment",
|
|
"killed-taint"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Tainted variable reassigned to constant before reaching innerHTML"
|
|
},
|
|
{
|
|
"case_id": "js-safe-006",
|
|
"file": "javascript/safe/safe_sanitized.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"sanitizer",
|
|
"dompurify"
|
|
],
|
|
"disabled": false,
|
|
"notes": "DOMPurify.sanitize applied inline before innerHTML assignment"
|
|
},
|
|
{
|
|
"case_id": "js-safe-007",
|
|
"file": "javascript/safe/safe_type_check.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"type-check",
|
|
"typeof-guard"
|
|
],
|
|
"disabled": false,
|
|
"notes": "typeof check guards eval(); only numbers reach the sink"
|
|
},
|
|
{
|
|
"case_id": "js-safe-008",
|
|
"file": "javascript/safe/safe_validated.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"allowlist",
|
|
"validated"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Allowlist validation before exec(); only permitted commands reach sink"
|
|
},
|
|
{
|
|
"case_id": "py-sqli-001",
|
|
"file": "python/sqli/sqli_concat.py",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"state-resource-leak"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"concat",
|
|
"cursor-execute"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SQL injection via string concat in cursor.execute()"
|
|
},
|
|
{
|
|
"case_id": "py-sqli-002",
|
|
"file": "python/sqli/sqli_format.py",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"py.sqli.execute_format"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow",
|
|
"state-resource-leak"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"format-string",
|
|
"cursor-execute"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SQL injection via % format operator in cursor.execute()"
|
|
},
|
|
{
|
|
"case_id": "py-cmdi-001",
|
|
"file": "python/cmdi/cmdi_direct.py",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"py.cmdi.os_system"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"os-system"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct command injection via os.system()"
|
|
},
|
|
{
|
|
"case_id": "py-cmdi-002",
|
|
"file": "python/cmdi/cmdi_indirect.py",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"py.cmdi.subprocess_shell"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"indirect",
|
|
"subprocess",
|
|
"shell-true"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Command injection via subprocess.run with shell=True"
|
|
},
|
|
{
|
|
"case_id": "py-xss-001",
|
|
"file": "python/xss/xss_reflected.py",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"tags": [
|
|
"reflected",
|
|
"make-response"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Reflected XSS via make_response with unescaped user input in HTML"
|
|
},
|
|
{
|
|
"case_id": "py-xss-002",
|
|
"file": "python/xss/xss_template_string.py",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"py.xss.jinja_from_string"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"jinja2",
|
|
"template-injection"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Server-side template injection via jinja2.Template with user-controlled string"
|
|
},
|
|
{
|
|
"case_id": "py-ssrf-001",
|
|
"file": "python/ssrf/ssrf_requests.py",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "ssrf",
|
|
"cwe": "CWE-918",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"cfg-unguarded-sink"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"requests-get",
|
|
"ssrf"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SSRF via requests.get() with user-controlled URL"
|
|
},
|
|
{
|
|
"case_id": "py-path_traversal-001",
|
|
"file": "python/path_traversal/path_traversal.py",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "path_traversal",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"tags": [
|
|
"send-file",
|
|
"path-traversal"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Path traversal via send_file() with user-controlled path"
|
|
},
|
|
{
|
|
"case_id": "py-deser-001",
|
|
"file": "python/deser/deser_pickle.py",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "deser",
|
|
"cwe": "CWE-502",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"py.deser.pickle_loads"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"pickle",
|
|
"deserialization"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Insecure deserialization via pickle.loads with user-controlled data"
|
|
},
|
|
{
|
|
"case_id": "py-code_injection-001",
|
|
"file": "python/code_injection/code_injection.py",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "code_injection",
|
|
"cwe": "CWE-94",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"py.code_exec.eval"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"tags": [
|
|
"eval",
|
|
"code-injection"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Code injection via eval() with user-controlled expression"
|
|
},
|
|
{
|
|
"case_id": "py-code_injection-002",
|
|
"file": "python/code_injection/code_injection_exec.py",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "code_injection",
|
|
"cwe": "CWE-94",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"py.code_exec.exec"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"tags": [
|
|
"exec",
|
|
"code-injection"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Code injection via exec() with user-controlled code string"
|
|
},
|
|
{
|
|
"case_id": "py-safe-001",
|
|
"file": "python/safe/safe_constant.py",
|
|
"language": "python",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"constant",
|
|
"no-source"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Constant string argument to os.system; no user-controlled data"
|
|
},
|
|
{
|
|
"case_id": "py-safe-002",
|
|
"file": "python/safe/safe_dominated.py",
|
|
"language": "python",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"allowlist",
|
|
"dominated-check"
|
|
],
|
|
"disabled": false,
|
|
"notes": "User input dominated by allowlist membership check before os.system()"
|
|
},
|
|
{
|
|
"case_id": "py-safe-003",
|
|
"file": "python/safe/safe_interprocedural.py",
|
|
"language": "python",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"sanitizer",
|
|
"shlex-quote",
|
|
"interprocedural"
|
|
],
|
|
"disabled": false,
|
|
"notes": "shlex.quote sanitizer applied via helper function before os.system()"
|
|
},
|
|
{
|
|
"case_id": "py-safe-004",
|
|
"file": "python/safe/safe_non_security_sink.py",
|
|
"language": "python",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"non-security-sink",
|
|
"logging"
|
|
],
|
|
"disabled": false,
|
|
"notes": "User input flows to logging.info and length computation, not a security sink"
|
|
},
|
|
{
|
|
"case_id": "py-safe-005",
|
|
"file": "python/safe/safe_reassigned.py",
|
|
"language": "python",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"reassignment",
|
|
"killed-taint"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Tainted variable reassigned to constant before reaching os.system()"
|
|
},
|
|
{
|
|
"case_id": "py-safe-006",
|
|
"file": "python/safe/safe_sanitized.py",
|
|
"language": "python",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"sanitizer",
|
|
"shlex-quote"
|
|
],
|
|
"disabled": false,
|
|
"notes": "shlex.quote sanitizer applied inline before os.system()"
|
|
},
|
|
{
|
|
"case_id": "py-safe-007",
|
|
"file": "python/safe/safe_type_check.py",
|
|
"language": "python",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"type-check",
|
|
"isinstance-guard"
|
|
],
|
|
"disabled": false,
|
|
"notes": "isinstance check guards cursor.execute(); only ints reach the sink"
|
|
},
|
|
{
|
|
"case_id": "py-safe-008",
|
|
"file": "python/safe/safe_validated.py",
|
|
"language": "python",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"allowlist",
|
|
"validated"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Allowlist validation before os.system(); only permitted commands reach sink"
|
|
},
|
|
{
|
|
"case_id": "java-sqli-001",
|
|
"file": "java/sqli/SqliConcat.java",
|
|
"language": "java",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"java.sqli.execute_concat"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow",
|
|
"state-resource-leak"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"tags": [
|
|
"concat",
|
|
"executeQuery"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SQL injection via string concat in executeQuery()"
|
|
},
|
|
{
|
|
"case_id": "java-sqli-002",
|
|
"file": "java/sqli/SqliFormat.java",
|
|
"language": "java",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"java.sqli.execute_concat"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow",
|
|
"state-resource-leak"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"tags": [
|
|
"string-format",
|
|
"executeQuery"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SQL injection via String.format in executeQuery()"
|
|
},
|
|
{
|
|
"case_id": "java-cmdi-001",
|
|
"file": "java/cmdi/CmdiDirect.java",
|
|
"language": "java",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"java.cmdi.runtime_exec"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"runtime-exec"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct command injection via Runtime.exec()"
|
|
},
|
|
{
|
|
"case_id": "java-cmdi-002",
|
|
"file": "java/cmdi/CmdiIndirect.java",
|
|
"language": "java",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"java.cmdi.runtime_exec"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"indirect",
|
|
"concat",
|
|
"runtime-exec"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Indirect command injection via string concat to Runtime.exec()"
|
|
},
|
|
{
|
|
"case_id": "java-xss-001",
|
|
"file": "java/xss/XssReflected.java",
|
|
"language": "java",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"java.xss.getwriter_print"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"tags": [
|
|
"reflected",
|
|
"getwriter-println"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Reflected XSS via getWriter().println() with unescaped user input"
|
|
},
|
|
{
|
|
"case_id": "java-ssrf-001",
|
|
"file": "java/ssrf/SsrfRequest.java",
|
|
"language": "java",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "ssrf",
|
|
"cwe": "CWE-918",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"state-resource-leak"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"tags": [
|
|
"url-connection",
|
|
"ssrf"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SSRF via URL.openConnection() with user-controlled URL"
|
|
},
|
|
{
|
|
"case_id": "java-ssrf-002",
|
|
"file": "java/ssrf/SsrfHttpClient.java",
|
|
"language": "java",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "ssrf",
|
|
"cwe": "CWE-918",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
10,
|
|
10
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"tags": [
|
|
"http-client",
|
|
"ssrf"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SSRF via HttpClient.send() with user-controlled URL"
|
|
},
|
|
{
|
|
"case_id": "java-path_traversal-001",
|
|
"file": "java/path_traversal/PathTraversal.java",
|
|
"language": "java",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "path_traversal",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"state-resource-leak"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"tags": [
|
|
"file-input-stream",
|
|
"path-traversal"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Path traversal via FileInputStream with user-controlled path"
|
|
},
|
|
{
|
|
"case_id": "java-deser-001",
|
|
"file": "java/deser/DeserOis.java",
|
|
"language": "java",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "deser",
|
|
"cwe": "CWE-502",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"java.deser.readobject"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"tags": [
|
|
"object-input-stream",
|
|
"deserialization"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Insecure deserialization via ObjectInputStream.readObject()"
|
|
},
|
|
{
|
|
"case_id": "java-deser-002",
|
|
"file": "java/deser/DeserSource.java",
|
|
"language": "java",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "deser",
|
|
"cwe": "CWE-502",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"java.deser.readobject",
|
|
"java.cmdi.runtime_exec"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
7,
|
|
8
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"tags": [
|
|
"deser-to-exec",
|
|
"chained"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Deserialized object flows to Runtime.exec(); both readObject and exec patterns should match"
|
|
},
|
|
{
|
|
"case_id": "java-code_injection-001",
|
|
"file": "java/code_injection/CodeInjection.java",
|
|
"language": "java",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "code_injection",
|
|
"cwe": "CWE-94",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"java.reflection.class_forname"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"reflection",
|
|
"class-forname"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Code injection via Class.forName() with user-controlled class name"
|
|
},
|
|
{
|
|
"case_id": "java-safe-001",
|
|
"file": "java/safe/SafeConstant.java",
|
|
"language": "java",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"constant",
|
|
"no-source"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Constant string in executeQuery(); no user-controlled data"
|
|
},
|
|
{
|
|
"case_id": "java-safe-002",
|
|
"file": "java/safe/SafeDominated.java",
|
|
"language": "java",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"allowlist",
|
|
"dominated-check"
|
|
],
|
|
"disabled": false,
|
|
"notes": "User input dominated by allowlist Set.contains() check before Runtime.exec()"
|
|
},
|
|
{
|
|
"case_id": "java-safe-003",
|
|
"file": "java/safe/SafeInterprocedural.java",
|
|
"language": "java",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"sanitizer",
|
|
"html-escape",
|
|
"interprocedural"
|
|
],
|
|
"disabled": false,
|
|
"notes": "HtmlUtils.htmlEscape sanitizer applied via helper method before getWriter().println()"
|
|
},
|
|
{
|
|
"case_id": "java-safe-004",
|
|
"file": "java/safe/SafeNonSecuritySink.java",
|
|
"language": "java",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"non-security-sink",
|
|
"logger"
|
|
],
|
|
"disabled": false,
|
|
"notes": "User input flows to Logger.info and length computation; output is String.valueOf(len)"
|
|
},
|
|
{
|
|
"case_id": "java-safe-005",
|
|
"file": "java/safe/SafeReassigned.java",
|
|
"language": "java",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"reassignment",
|
|
"killed-taint"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Tainted variable reassigned to constant 'Guest' before reaching getWriter().println()"
|
|
},
|
|
{
|
|
"case_id": "java-safe-006",
|
|
"file": "java/safe/SafeSanitized.java",
|
|
"language": "java",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"sanitizer",
|
|
"html-escape"
|
|
],
|
|
"disabled": false,
|
|
"notes": "HtmlUtils.htmlEscape sanitizer applied inline before getWriter().println()"
|
|
},
|
|
{
|
|
"case_id": "java-safe-007",
|
|
"file": "java/safe/SafeTypeCheck.java",
|
|
"language": "java",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"type-check",
|
|
"regex-guard"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Regex matches(\"\\\\d+\") check guards executeQuery(); only numeric strings reach the sink"
|
|
},
|
|
{
|
|
"case_id": "java-safe-008",
|
|
"file": "java/safe/SafeValidated.java",
|
|
"language": "java",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"allowlist",
|
|
"validated"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Allowlist validation before Runtime.exec(); only permitted commands reach sink"
|
|
},
|
|
{
|
|
"case_id": "go-sqli-001",
|
|
"file": "go/sqli/sqli_concat.go",
|
|
"language": "go",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"go.sqli.query_concat"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow",
|
|
"state-resource-leak"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
11,
|
|
11
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"tags": [
|
|
"concat",
|
|
"db-query"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SQL injection via string concat in db.Query()"
|
|
},
|
|
{
|
|
"case_id": "go-sqli-002",
|
|
"file": "go/sqli/sqli_sprintf.go",
|
|
"language": "go",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"go.sqli.query_concat"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow",
|
|
"state-resource-leak"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
12,
|
|
12
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
10,
|
|
10
|
|
]
|
|
],
|
|
"tags": [
|
|
"sprintf",
|
|
"db-exec"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SQL injection via fmt.Sprintf in db.Exec()"
|
|
},
|
|
{
|
|
"case_id": "go-sqli-003",
|
|
"file": "go/sqli/sqli_queryrow.go",
|
|
"language": "go",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"go.sqli.query_concat"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow",
|
|
"state-resource-leak"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
12,
|
|
12
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"tags": [
|
|
"concat",
|
|
"db-queryrow"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SQL injection via string concat in db.QueryRow()"
|
|
},
|
|
{
|
|
"case_id": "go-cmdi-001",
|
|
"file": "go/cmdi/cmdi_direct.go",
|
|
"language": "go",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"go.cmdi.exec_command"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow",
|
|
"state-unauthed-access"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
10,
|
|
10
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"exec-command"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct command injection via exec.Command()"
|
|
},
|
|
{
|
|
"case_id": "go-cmdi-002",
|
|
"file": "go/cmdi/cmdi_indirect.go",
|
|
"language": "go",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"go.cmdi.exec_command"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow",
|
|
"state-unauthed-access"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
11,
|
|
11
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"tags": [
|
|
"indirect",
|
|
"concat",
|
|
"exec-command",
|
|
"shell"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Indirect command injection via string concat to exec.Command(\"sh\", \"-c\", cmd)"
|
|
},
|
|
{
|
|
"case_id": "go-cmdi-003",
|
|
"file": "go/cmdi_env/cmdi_env.go",
|
|
"language": "go",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "language_specific",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"go.cmdi.exec_command"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
10,
|
|
10
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"tags": [
|
|
"env-source",
|
|
"exec-command",
|
|
"shell"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Command injection via os.Getenv source flowing to exec.Command; language_specific tier because env-var source pattern is Go-specific"
|
|
},
|
|
{
|
|
"case_id": "go-xss-001",
|
|
"file": "go/xss/xss_fprintf.go",
|
|
"language": "go",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
10,
|
|
10
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"tags": [
|
|
"fmt-fprintf",
|
|
"response-writer"
|
|
],
|
|
"disabled": false,
|
|
"notes": "XSS via fmt.Fprintf to ResponseWriter with unescaped user input"
|
|
},
|
|
{
|
|
"case_id": "go-xss-002",
|
|
"file": "go/xss/xss_template_html.go",
|
|
"language": "go",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
11,
|
|
11
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"tags": [
|
|
"template-html",
|
|
"unsafe-cast"
|
|
],
|
|
"disabled": false,
|
|
"notes": "XSS via template.HTML() cast bypassing html/template auto-escaping"
|
|
},
|
|
{
|
|
"case_id": "go-ssrf-001",
|
|
"file": "go/ssrf/ssrf_http_get.go",
|
|
"language": "go",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "ssrf",
|
|
"cwe": "CWE-918",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"tags": [
|
|
"http-get",
|
|
"ssrf"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SSRF via http.Get() with user-controlled URL"
|
|
},
|
|
{
|
|
"case_id": "go-path_traversal-001",
|
|
"file": "go/path_traversal/path_traversal.go",
|
|
"language": "go",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "path_traversal",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"state-unauthed-access"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
10,
|
|
10
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"tags": [
|
|
"os-readfile",
|
|
"path-traversal"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Path traversal via os.ReadFile() with user-controlled path"
|
|
},
|
|
{
|
|
"case_id": "go-fmt_string-001",
|
|
"file": "go/fmt_string/fmt_injection.go",
|
|
"language": "go",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "fmt_string",
|
|
"cwe": "CWE-134",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
10,
|
|
10
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"tags": [
|
|
"fmt-fprintf",
|
|
"format-string-injection"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Format string injection via user-controlled format arg to fmt.Fprintf()"
|
|
},
|
|
{
|
|
"case_id": "go-safe-001",
|
|
"file": "go/safe/safe_constant.go",
|
|
"language": "go",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"constant",
|
|
"no-source"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Constant string arguments to exec.Command; no user-controlled data"
|
|
},
|
|
{
|
|
"case_id": "go-safe-002",
|
|
"file": "go/safe/safe_dominated.go",
|
|
"language": "go",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"state-unauthed-access"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"allowlist",
|
|
"dominated-check",
|
|
"map-lookup"
|
|
],
|
|
"disabled": false,
|
|
"notes": "User input dominated by map allowlist check before exec.Command()"
|
|
},
|
|
{
|
|
"case_id": "go-safe-003",
|
|
"file": "go/safe/safe_interprocedural.go",
|
|
"language": "go",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"state-unauthed-access"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"sanitizer",
|
|
"filepath-clean",
|
|
"interprocedural"
|
|
],
|
|
"disabled": false,
|
|
"notes": "filepath.Clean sanitizer applied via helper function before os.ReadFile(); auth guard present"
|
|
},
|
|
{
|
|
"case_id": "go-safe-004",
|
|
"file": "go/safe/safe_non_security_sink.go",
|
|
"language": "go",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"non-security-sink",
|
|
"log-printf"
|
|
],
|
|
"disabled": false,
|
|
"notes": "User input flows to log.Printf and length output; no security-sensitive sink"
|
|
},
|
|
{
|
|
"case_id": "go-safe-005",
|
|
"file": "go/safe/safe_reassigned.go",
|
|
"language": "go",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"reassignment",
|
|
"killed-taint"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Tainted variable reassigned to constant 'Guest' before reaching fmt.Fprintf()"
|
|
},
|
|
{
|
|
"case_id": "go-safe-006",
|
|
"file": "go/safe/safe_sanitized.go",
|
|
"language": "go",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"state-unauthed-access"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"sanitizer",
|
|
"filepath-clean"
|
|
],
|
|
"disabled": false,
|
|
"notes": "filepath.Clean sanitizer applied inline before os.ReadFile(); auth guard present"
|
|
},
|
|
{
|
|
"case_id": "go-safe-007",
|
|
"file": "go/safe/safe_type_check.go",
|
|
"language": "go",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"type-check",
|
|
"strconv-atoi-guard"
|
|
],
|
|
"disabled": false,
|
|
"notes": "strconv.Atoi check guards db.Query(); only valid integers reach the sink"
|
|
},
|
|
{
|
|
"case_id": "go-safe-008",
|
|
"file": "go/safe/safe_validated.go",
|
|
"language": "go",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"state-unauthed-access"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"allowlist",
|
|
"validated",
|
|
"map-lookup"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Allowlist map validation before exec.Command(); only permitted commands reach sink"
|
|
},
|
|
{
|
|
"case_id": "php-sqli-001",
|
|
"file": "php/sqli/sqli_concat.php",
|
|
"language": "php",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"php.sqli.query_concat"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow",
|
|
"state-resource-leak"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
2,
|
|
2
|
|
]
|
|
],
|
|
"tags": [
|
|
"concat",
|
|
"mysqli-query"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SQL injection via string concat in mysqli->query()"
|
|
},
|
|
{
|
|
"case_id": "php-sqli-002",
|
|
"file": "php/sqli/sqli_sprintf.php",
|
|
"language": "php",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"php.sqli.query_concat"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow",
|
|
"state-resource-leak"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
2,
|
|
2
|
|
]
|
|
],
|
|
"tags": [
|
|
"sprintf",
|
|
"mysqli-query"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SQL injection via sprintf in mysqli->query()"
|
|
},
|
|
{
|
|
"case_id": "php-cmdi-001",
|
|
"file": "php/cmdi/cmdi_direct.php",
|
|
"language": "php",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"php.cmdi.system"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
3,
|
|
3
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
2,
|
|
2
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"system"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct command injection via system()"
|
|
},
|
|
{
|
|
"case_id": "php-cmdi-002",
|
|
"file": "php/cmdi/cmdi_indirect.php",
|
|
"language": "php",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"php.cmdi.system"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
3,
|
|
3
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
2,
|
|
2
|
|
]
|
|
],
|
|
"tags": [
|
|
"indirect",
|
|
"shell-exec",
|
|
"concat"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Indirect command injection via shell_exec(); taint-based since shell_exec is not directly an AST pattern"
|
|
},
|
|
{
|
|
"case_id": "php-xss-001",
|
|
"file": "php/xss/xss_reflected.php",
|
|
"language": "php",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
3,
|
|
3
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
2,
|
|
2
|
|
]
|
|
],
|
|
"tags": [
|
|
"echo",
|
|
"reflected"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Reflected XSS via echo with unescaped user input in HTML"
|
|
},
|
|
{
|
|
"case_id": "php-ssrf-001",
|
|
"file": "php/ssrf/ssrf_curl.php",
|
|
"language": "php",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "ssrf",
|
|
"cwe": "CWE-918",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
3,
|
|
3
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
2,
|
|
2
|
|
]
|
|
],
|
|
"tags": [
|
|
"file-get-contents",
|
|
"ssrf"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SSRF via file_get_contents() with user-controlled URL"
|
|
},
|
|
{
|
|
"case_id": "php-path_traversal-001",
|
|
"file": "php/path_traversal/path_traversal.php",
|
|
"language": "php",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "path_traversal",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"php.path.include_variable"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
3,
|
|
3
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
2,
|
|
2
|
|
]
|
|
],
|
|
"tags": [
|
|
"include",
|
|
"path-traversal"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Path traversal / RFI via include() with user-controlled path"
|
|
},
|
|
{
|
|
"case_id": "php-path_traversal-002",
|
|
"file": "php/path_traversal/path_traversal_copy.php",
|
|
"language": "php",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "path_traversal",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
2,
|
|
2
|
|
]
|
|
],
|
|
"tags": [
|
|
"copy",
|
|
"path-traversal"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Path traversal via copy() with user-controlled source path"
|
|
},
|
|
{
|
|
"case_id": "php-deser-001",
|
|
"file": "php/deser/deser_unserialize.php",
|
|
"language": "php",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "deser",
|
|
"cwe": "CWE-502",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"php.deser.unserialize"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
3,
|
|
3
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
2,
|
|
2
|
|
]
|
|
],
|
|
"tags": [
|
|
"unserialize",
|
|
"deserialization"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Insecure deserialization via unserialize() with user-controlled POST data"
|
|
},
|
|
{
|
|
"case_id": "php-code_injection-001",
|
|
"file": "php/code_injection/code_injection.php",
|
|
"language": "php",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "code_injection",
|
|
"cwe": "CWE-94",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"php.code_exec.eval"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
3,
|
|
3
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
2,
|
|
2
|
|
]
|
|
],
|
|
"tags": [
|
|
"eval",
|
|
"code-injection"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Code injection via eval() with user-controlled code"
|
|
},
|
|
{
|
|
"case_id": "php-code_injection-002",
|
|
"file": "php/code_injection/code_injection_assert.php",
|
|
"language": "php",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "code_injection",
|
|
"cwe": "CWE-94",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"php.code_exec.assert_string"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
3,
|
|
3
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
2,
|
|
2
|
|
]
|
|
],
|
|
"tags": [
|
|
"assert",
|
|
"code-injection"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Code injection via assert() with string argument (PHP < 8.0 evaluates as code)"
|
|
},
|
|
{
|
|
"case_id": "php-safe-001",
|
|
"file": "php/safe/safe_constant.php",
|
|
"language": "php",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"constant",
|
|
"no-source"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Constant string argument to system(); no user-controlled data"
|
|
},
|
|
{
|
|
"case_id": "php-safe-002",
|
|
"file": "php/safe/safe_dominated.php",
|
|
"language": "php",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"allowlist",
|
|
"dominated-check",
|
|
"in-array"
|
|
],
|
|
"disabled": false,
|
|
"notes": "User input dominated by in_array allowlist check before system()"
|
|
},
|
|
{
|
|
"case_id": "php-safe-003",
|
|
"file": "php/safe/safe_interprocedural.php",
|
|
"language": "php",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"sanitizer",
|
|
"htmlspecialchars",
|
|
"interprocedural"
|
|
],
|
|
"disabled": false,
|
|
"notes": "htmlspecialchars sanitizer applied via helper function before echo"
|
|
},
|
|
{
|
|
"case_id": "php-safe-004",
|
|
"file": "php/safe/safe_non_security_sink.php",
|
|
"language": "php",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"non-security-sink",
|
|
"error-log"
|
|
],
|
|
"disabled": false,
|
|
"notes": "User input flows to error_log and strlen; echo outputs only the length integer"
|
|
},
|
|
{
|
|
"case_id": "php-safe-005",
|
|
"file": "php/safe/safe_reassigned.php",
|
|
"language": "php",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"reassignment",
|
|
"killed-taint"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Tainted variable reassigned to constant 'Guest' before reaching echo"
|
|
},
|
|
{
|
|
"case_id": "php-safe-006",
|
|
"file": "php/safe/safe_sanitized.php",
|
|
"language": "php",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"sanitizer",
|
|
"htmlspecialchars"
|
|
],
|
|
"disabled": false,
|
|
"notes": "htmlspecialchars sanitizer applied inline before echo"
|
|
},
|
|
{
|
|
"case_id": "php-safe-007",
|
|
"file": "php/safe/safe_type_check.php",
|
|
"language": "php",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"type-check",
|
|
"is-numeric-guard"
|
|
],
|
|
"disabled": false,
|
|
"notes": "is_numeric check guards mysqli->query(); only numeric strings reach the sink"
|
|
},
|
|
{
|
|
"case_id": "php-safe-008",
|
|
"file": "php/safe/safe_validated.php",
|
|
"language": "php",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"allowlist",
|
|
"validated",
|
|
"in-array"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Allowlist in_array validation before system(); only permitted commands reach sink"
|
|
},
|
|
{
|
|
"case_id": "js-ssrf-002",
|
|
"file": "javascript/ssrf/ssrf_axios.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "ssrf",
|
|
"cwe": "CWE-918",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"cfg-unguarded-sink"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"axios",
|
|
"ssrf"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SSRF via bare axios() call with user-controlled URL"
|
|
},
|
|
{
|
|
"case_id": "py-ssrf-002",
|
|
"file": "python/ssrf/ssrf_httpx_post.py",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "ssrf",
|
|
"cwe": "CWE-918",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"cfg-unguarded-sink"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"httpx",
|
|
"ssrf"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SSRF via httpx.post() with user-controlled URL"
|
|
},
|
|
{
|
|
"case_id": "go-ssrf-002",
|
|
"file": "go/ssrf/ssrf_new_request.go",
|
|
"language": "go",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "ssrf",
|
|
"cwe": "CWE-918",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"cfg-unguarded-sink"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"tags": [
|
|
"http-client",
|
|
"ssrf"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SSRF via http.NewRequest() with user-controlled URL"
|
|
},
|
|
{
|
|
"case_id": "ruby-ssrf-001",
|
|
"file": "ruby/ssrf/ssrf_httparty.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "ssrf",
|
|
"cwe": "CWE-918",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"cfg-unguarded-sink"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"tags": [
|
|
"httparty",
|
|
"ssrf"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SSRF via HTTParty.get() with user-controlled URL"
|
|
},
|
|
{
|
|
"case_id": "js-ssrf-safe-001",
|
|
"file": "javascript/ssrf/safe_ssrf_hardcoded.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"hardcoded",
|
|
"ssrf",
|
|
"no-source"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Hardcoded URL to axios(); no user-controlled data"
|
|
},
|
|
{
|
|
"case_id": "py-ssrf-safe-001",
|
|
"file": "python/ssrf/safe_ssrf_constant.py",
|
|
"language": "python",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"constant",
|
|
"ssrf",
|
|
"no-source"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Constant URL to requests.get(); no user-controlled data"
|
|
},
|
|
{
|
|
"case_id": "go-ssrf-safe-001",
|
|
"file": "go/ssrf/safe_ssrf_hardcoded.go",
|
|
"language": "go",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"hardcoded",
|
|
"ssrf",
|
|
"no-source"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Hardcoded URL to http.Get(); no user-controlled data"
|
|
},
|
|
{
|
|
"case_id": "php-ssrf-safe-001",
|
|
"file": "php/ssrf/safe_ssrf_hardcoded.php",
|
|
"language": "php",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"hardcoded",
|
|
"ssrf",
|
|
"no-source"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Hardcoded URL to file_get_contents(); no user-controlled data"
|
|
},
|
|
{
|
|
"case_id": "ruby-safe-001",
|
|
"file": "ruby/safe/safe_constant.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"constant",
|
|
"no-source"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Constant string argument to system(); no user-controlled data"
|
|
},
|
|
{
|
|
"case_id": "ruby-safe-002",
|
|
"file": "ruby/safe/safe_dominated.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"allowlist",
|
|
"dominated-check",
|
|
"include"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Allowlist guard dominates system() call; taint should be suppressed"
|
|
},
|
|
{
|
|
"case_id": "ruby-safe-003",
|
|
"file": "ruby/safe/safe_interprocedural.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"sanitizer",
|
|
"shellwords-escape",
|
|
"interprocedural"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Shellwords.escape called via helper function; interprocedural sanitization"
|
|
},
|
|
{
|
|
"case_id": "ruby-safe-004",
|
|
"file": "ruby/safe/safe_non_security_sink.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"non-security-sink",
|
|
"logger"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Logger.info is not a security-sensitive sink"
|
|
},
|
|
{
|
|
"case_id": "ruby-safe-005",
|
|
"file": "ruby/safe/safe_reassigned.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"reassignment",
|
|
"killed-taint"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Tainted variable reassigned to constant before reaching sink"
|
|
},
|
|
{
|
|
"case_id": "ruby-safe-006",
|
|
"file": "ruby/safe/safe_sanitized.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"sanitizer",
|
|
"shellwords-escape"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Shellwords.escape sanitizes user input before system() call"
|
|
},
|
|
{
|
|
"case_id": "ruby-safe-007",
|
|
"file": "ruby/safe/safe_type_check.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"type-check",
|
|
"is-a-guard"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Type check guard (is_a? Integer) dominates SQL execution"
|
|
},
|
|
{
|
|
"case_id": "ruby-safe-008",
|
|
"file": "ruby/safe/safe_validated.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"allowlist",
|
|
"validated"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Allowlist validation before system() call"
|
|
},
|
|
{
|
|
"case_id": "ruby-ssrf-safe-001",
|
|
"file": "ruby/ssrf/safe_ssrf_hardcoded.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"hardcoded",
|
|
"ssrf",
|
|
"no-source"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Hardcoded URL to HTTParty.get(); no user-controlled data"
|
|
},
|
|
{
|
|
"case_id": "ruby-cmdi-001",
|
|
"file": "ruby/cmdi/cmdi_system.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rb.cmdi.system_interp"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
3,
|
|
3
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
2,
|
|
2
|
|
]
|
|
],
|
|
"tags": [
|
|
"system",
|
|
"cmdi"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Command injection via system() with user-controlled argument"
|
|
},
|
|
{
|
|
"case_id": "ruby-cmdi-002",
|
|
"file": "ruby/cmdi/cmdi_backtick.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"rb.cmdi.backtick"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
3,
|
|
3
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
2,
|
|
2
|
|
]
|
|
],
|
|
"tags": [
|
|
"backtick",
|
|
"cmdi"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Command injection via backtick interpolation with user-controlled data"
|
|
},
|
|
{
|
|
"case_id": "ruby-code_injection-001",
|
|
"file": "ruby/code_injection/code_injection_eval.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "code_injection",
|
|
"cwe": "CWE-94",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rb.code_exec.eval"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
3,
|
|
3
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
2,
|
|
2
|
|
]
|
|
],
|
|
"tags": [
|
|
"eval",
|
|
"code-injection"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Code injection via eval() with user-controlled expression"
|
|
},
|
|
{
|
|
"case_id": "ruby-deser-001",
|
|
"file": "ruby/deser/deser_marshal.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "deser",
|
|
"cwe": "CWE-502",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rb.deser.marshal_load"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
3,
|
|
3
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
2,
|
|
2
|
|
]
|
|
],
|
|
"tags": [
|
|
"marshal",
|
|
"deserialization"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Insecure deserialization via Marshal.load() with user-controlled data"
|
|
},
|
|
{
|
|
"case_id": "ruby-deser-002",
|
|
"file": "ruby/deser/deser_yaml.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "deser",
|
|
"cwe": "CWE-502",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rb.deser.yaml_load"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"tags": [
|
|
"yaml",
|
|
"deserialization"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Insecure deserialization via YAML.load() with user-controlled data"
|
|
},
|
|
{
|
|
"case_id": "ruby-path_traversal-001",
|
|
"file": "ruby/path_traversal/path_traversal_send_file.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "path_traversal",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
3,
|
|
3
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
2,
|
|
2
|
|
]
|
|
],
|
|
"tags": [
|
|
"send-file",
|
|
"path-traversal"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Path traversal via send_file() with user-controlled path"
|
|
},
|
|
{
|
|
"case_id": "ruby-sqli-001",
|
|
"file": "ruby/sqli/sqli_find_by_sql.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
3,
|
|
3
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
2,
|
|
2
|
|
]
|
|
],
|
|
"tags": [
|
|
"find-by-sql",
|
|
"sqli"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SQL injection via find_by_sql() with string concatenation"
|
|
},
|
|
{
|
|
"case_id": "ruby-sqli-002",
|
|
"file": "ruby/sqli/sqli_execute.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
3,
|
|
3
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
2,
|
|
2
|
|
]
|
|
],
|
|
"tags": [
|
|
"execute",
|
|
"sqli"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SQL injection via ActiveRecord execute() with string concatenation"
|
|
},
|
|
{
|
|
"case_id": "ruby-ssrf-002",
|
|
"file": "ruby/ssrf/ssrf_net_http.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "ssrf",
|
|
"cwe": "CWE-918",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"cfg-unguarded-sink"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"tags": [
|
|
"net-http",
|
|
"ssrf"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SSRF via Net::HTTP.get() with user-controlled URL"
|
|
},
|
|
{
|
|
"case_id": "ruby-xss-001",
|
|
"file": "ruby/xss/xss_html_safe.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
3,
|
|
3
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
2,
|
|
2
|
|
]
|
|
],
|
|
"tags": [
|
|
"html-safe",
|
|
"xss"
|
|
],
|
|
"disabled": false,
|
|
"notes": "XSS via html_safe on user-controlled input"
|
|
},
|
|
{
|
|
"case_id": "ruby-xss-002",
|
|
"file": "ruby/xss/xss_raw.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
3,
|
|
3
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
2,
|
|
2
|
|
]
|
|
],
|
|
"tags": [
|
|
"raw",
|
|
"xss"
|
|
],
|
|
"disabled": false,
|
|
"notes": "XSS via raw() on user-controlled input"
|
|
},
|
|
{
|
|
"case_id": "js-xss-react-001",
|
|
"file": "javascript/xss/xss_react_dangerously.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"react",
|
|
"dangerouslySetInnerHTML",
|
|
"xss"
|
|
],
|
|
"disabled": false,
|
|
"notes": "React XSS via dangerouslySetInnerHTML with user-controlled content"
|
|
},
|
|
{
|
|
"case_id": "js-safe-parseInt-001",
|
|
"file": "javascript/safe/safe_parseInt.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"parseInt",
|
|
"type-coercion",
|
|
"sanitizer"
|
|
],
|
|
"disabled": false,
|
|
"notes": "parseInt sanitizes user input \u2014 should produce no taint finding"
|
|
},
|
|
{
|
|
"case_id": "py-cmdi-popen-001",
|
|
"file": "python/cmdi/cmdi_popen_shell.py",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"state-resource-leak"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"subprocess",
|
|
"popen",
|
|
"shell-true",
|
|
"gated-sink"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Command injection via subprocess.Popen with shell=True"
|
|
},
|
|
{
|
|
"case_id": "py-safe-int-001",
|
|
"file": "python/safe/safe_int_cast.py",
|
|
"language": "python",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"int",
|
|
"type-coercion",
|
|
"sanitizer"
|
|
],
|
|
"disabled": false,
|
|
"notes": "int() type coercion sanitizes user input \u2014 should produce no taint finding"
|
|
},
|
|
{
|
|
"case_id": "java-sqli-stmt-001",
|
|
"file": "java/sqli/sqli_statement_vs_prepared.java",
|
|
"language": "java",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"state-resource-leak"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
11,
|
|
11
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"tags": [
|
|
"statement",
|
|
"executeQuery",
|
|
"string-concat"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SQL injection via raw Statement.executeQuery with string concatenation"
|
|
},
|
|
{
|
|
"case_id": "java-safe-prepared-001",
|
|
"file": "java/safe/safe_prepared_statement.java",
|
|
"language": "java",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"prepareStatement",
|
|
"parameterized",
|
|
"sanitizer"
|
|
],
|
|
"disabled": false,
|
|
"notes": "prepareStatement sanitizes SQL input \u2014 should produce no SQL taint finding"
|
|
},
|
|
{
|
|
"case_id": "go-safe-atoi-001",
|
|
"file": "go/safe/safe_strconv_atoi.go",
|
|
"language": "go",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"strconv",
|
|
"Atoi",
|
|
"type-conversion",
|
|
"sanitizer"
|
|
],
|
|
"disabled": false,
|
|
"notes": "strconv.Atoi sanitizes user input \u2014 should produce no taint finding"
|
|
},
|
|
{
|
|
"case_id": "go-xss-gin-001",
|
|
"file": "go/xss/xss_gin_source.go",
|
|
"language": "go",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
10,
|
|
10
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"tags": [
|
|
"gin",
|
|
"xss",
|
|
"formvalue"
|
|
],
|
|
"disabled": false,
|
|
"notes": "XSS via r.FormValue flowing to fmt.Fprintf response writer"
|
|
},
|
|
{
|
|
"case_id": "php-safe-filter-001",
|
|
"file": "php/safe/safe_filter_input.php",
|
|
"language": "php",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"filter_input",
|
|
"sanitizer"
|
|
],
|
|
"disabled": false,
|
|
"notes": "filter_input sanitizes user input \u2014 should produce no taint finding"
|
|
},
|
|
{
|
|
"case_id": "php-sqli-pdo-001",
|
|
"file": "php/sqli/sqli_pdo_raw.php",
|
|
"language": "php",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
2,
|
|
2
|
|
]
|
|
],
|
|
"tags": [
|
|
"pdo",
|
|
"raw-query",
|
|
"sqli"
|
|
],
|
|
"disabled": false,
|
|
"notes": "SQL injection via raw PDO query with string concatenation"
|
|
},
|
|
{
|
|
"case_id": "ruby-safe-strong-params-001",
|
|
"file": "ruby/safe/safe_strong_params.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"strong-params",
|
|
"permit",
|
|
"require",
|
|
"rails"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Rails strong parameters (permit/require) sanitize user input \u2014 safe pattern"
|
|
},
|
|
{
|
|
"case_id": "ruby-sqli-raw-001",
|
|
"file": "ruby/sqli/sqli_raw_connection.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
4,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
3,
|
|
3
|
|
]
|
|
],
|
|
"tags": [
|
|
"connection-execute",
|
|
"raw-sql",
|
|
"sqli"
|
|
],
|
|
"disabled": true,
|
|
"notes": "SQL injection via ActiveRecord connection.execute \u2014 disabled: multi-line call expression not resolved by SSA lowering for Ruby class methods"
|
|
},
|
|
{
|
|
"case_id": "py-cmdi-cross-001",
|
|
"file": "python/cmdi/cross_propagation/",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"py.cmdi.os_system"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"tags": [
|
|
"cross-file",
|
|
"ssa-summary",
|
|
"propagation"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Cross-file taint propagation: env source \u2192 wrapper function \u2192 os.system sink"
|
|
},
|
|
{
|
|
"case_id": "py-cmdi-cross-002",
|
|
"file": "python/cmdi/cross_source/",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"py.cmdi.subprocess"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"tags": [
|
|
"cross-file",
|
|
"ssa-summary",
|
|
"source-detection"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Cross-file source detection: read_input() returns env source \u2192 subprocess.call sink"
|
|
},
|
|
{
|
|
"case_id": "py-cmdi-cross-003",
|
|
"file": "python/cmdi/cross_sanitizer/",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"py.cmdi.os_system"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"tags": [
|
|
"cross-file",
|
|
"ssa-summary",
|
|
"wrong-sanitizer"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Cross-file wrong-cap sanitizer: HTML sanitizer does not strip SHELL_ESCAPE caps \u2192 os.system still vulnerable"
|
|
},
|
|
{
|
|
"case_id": "py-cmdi-cross-004",
|
|
"file": "python/cmdi/cross_indirect_sink/",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"py.cmdi.os_system"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_call_site_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"tags": [
|
|
"cross-file",
|
|
"helper-function",
|
|
"sink-in-helper"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Cross-file sink-in-helper: app.py line 6 reads env source, line 7 calls run_cmd() (cross-file call), helper.py line 5 is the real os.system sink. Phase 3 attribution must report helper.py:5 as the primary location (not app.py:7) and include app.py:7 in flow_steps as a Call step."
|
|
},
|
|
{
|
|
"case_id": "js-xss-cross-001",
|
|
"file": "javascript/xss/cross_propagation/",
|
|
"language": "javascript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"js.xss.document_write"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"cross-file",
|
|
"ssa-summary",
|
|
"propagation"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Cross-file taint propagation: req.query \u2192 render wrapper \u2192 document.write XSS sink"
|
|
},
|
|
{
|
|
"case_id": "go-cmdi-cross-001",
|
|
"file": "go/cmdi/cross_source/",
|
|
"language": "go",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"go.cmdi.exec_command",
|
|
"state-unauthed-access"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
10,
|
|
10
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"tags": [
|
|
"cross-file",
|
|
"ssa-summary",
|
|
"source-detection"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Cross-file source detection: GetUserInput returns request param \u2192 exec.Command sink"
|
|
},
|
|
{
|
|
"case_id": "go-path_traversal-cross-001",
|
|
"file": "go/path_traversal/cross_sanitizer/",
|
|
"language": "go",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "path_traversal",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"go.path_traversal.readfile",
|
|
"state-unauthed-access"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
11,
|
|
11
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"tags": [
|
|
"cross-file",
|
|
"ssa-summary",
|
|
"wrong-sanitizer"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Cross-file wrong-cap sanitizer: HTML sanitizer does not strip FILE_IO caps \u2192 os.ReadFile still vulnerable"
|
|
},
|
|
{
|
|
"case_id": "c-cmdi-001",
|
|
"file": "c/cmdi/cmdi_system.c",
|
|
"language": "c",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"c.cmdi.system"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"getenv"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to system()"
|
|
},
|
|
{
|
|
"case_id": "c-cmdi-002",
|
|
"file": "c/cmdi/cmdi_popen.c",
|
|
"language": "c",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"c.cmdi.popen"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"getenv"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to popen()"
|
|
},
|
|
{
|
|
"case_id": "c-cmdi-003",
|
|
"file": "c/cmdi/cmdi_exec.c",
|
|
"language": "c",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"c.cmdi.execvp"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"getenv"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to execvp()"
|
|
},
|
|
{
|
|
"case_id": "c-cmdi-004",
|
|
"file": "c/cmdi/cmdi_fgets.c",
|
|
"language": "c",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"c.cmdi.system"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"tags": [
|
|
"stdin",
|
|
"fgets"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Flow from fgets(stdin) to system()"
|
|
},
|
|
{
|
|
"case_id": "c-path-001",
|
|
"file": "c/path_traversal/path_traversal_fopen.c",
|
|
"language": "c",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "path_traversal",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"c.file_io.fopen"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"getenv"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to fopen()"
|
|
},
|
|
{
|
|
"case_id": "c-path-002",
|
|
"file": "c/path_traversal/path_traversal_open.c",
|
|
"language": "c",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "path_traversal",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"c.file_io.open"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"getenv"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to open()"
|
|
},
|
|
{
|
|
"case_id": "c-fmt-001",
|
|
"file": "c/fmt_string/fmt_printf.c",
|
|
"language": "c",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "fmt_string",
|
|
"cwe": "CWE-134",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"c.fmt_string.printf"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"getenv"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to printf() as format string"
|
|
},
|
|
{
|
|
"case_id": "c-fmt-002",
|
|
"file": "c/fmt_string/fmt_fprintf.c",
|
|
"language": "c",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "fmt_string",
|
|
"cwe": "CWE-134",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"c.fmt_string.fprintf"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"getenv"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to fprintf() as format string"
|
|
},
|
|
{
|
|
"case_id": "c-ssrf-001",
|
|
"file": "c/ssrf/ssrf_curl.c",
|
|
"language": "c",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "ssrf",
|
|
"cwe": "CWE-918",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"c.ssrf.curl_easy_perform"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"curl"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to curl_easy_perform()"
|
|
},
|
|
{
|
|
"case_id": "c-buf-001",
|
|
"file": "c/buffer_overflow/buffer_sprintf.c",
|
|
"language": "c",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "buffer_overflow",
|
|
"cwe": "CWE-120",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"c.buffer.sprintf"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"getenv"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to unbounded sprintf()"
|
|
},
|
|
{
|
|
"case_id": "c-buf-002",
|
|
"file": "c/buffer_overflow/buffer_strcpy.c",
|
|
"language": "c",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "buffer_overflow",
|
|
"cwe": "CWE-120",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"c.buffer.strcpy"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"getenv"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to strcpy()"
|
|
},
|
|
{
|
|
"case_id": "c-buf-003",
|
|
"file": "c/buffer_overflow/buffer_strcat.c",
|
|
"language": "c",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "buffer_overflow",
|
|
"cwe": "CWE-120",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"c.buffer.strcat"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"getenv"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to strcat()"
|
|
},
|
|
{
|
|
"case_id": "c-safe-001",
|
|
"file": "c/safe/safe_constant.c",
|
|
"language": "c",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"constant",
|
|
"no-source"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Constant string passed to system() \u2014 no taint source"
|
|
},
|
|
{
|
|
"case_id": "c-safe-002",
|
|
"file": "c/safe/safe_sanitized_snprintf.c",
|
|
"language": "c",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-120",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"sanitized",
|
|
"snprintf"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Input sanitized through snprintf bounded formatting"
|
|
},
|
|
{
|
|
"case_id": "c-safe-003",
|
|
"file": "c/safe/safe_atoi.c",
|
|
"language": "c",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-134",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"sanitized",
|
|
"atoi"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Input sanitized through atoi() type conversion"
|
|
},
|
|
{
|
|
"case_id": "c-safe-004",
|
|
"file": "c/safe/safe_reassigned.c",
|
|
"language": "c",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"reassigned"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Tainted variable reassigned to constant before use"
|
|
},
|
|
{
|
|
"case_id": "c-safe-005",
|
|
"file": "c/safe/safe_strncpy.c",
|
|
"language": "c",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-120",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"sanitized",
|
|
"strncpy"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Input sanitized through bounded strncpy"
|
|
},
|
|
{
|
|
"case_id": "c-safe-006",
|
|
"file": "c/safe/safe_validated.c",
|
|
"language": "c",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"validated",
|
|
"path-check"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Path validated against traversal before fopen"
|
|
},
|
|
{
|
|
"case_id": "c-safe-007",
|
|
"file": "c/safe/safe_strtol.c",
|
|
"language": "c",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-134",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"sanitized",
|
|
"strtol"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Input sanitized through strtol() type conversion"
|
|
},
|
|
{
|
|
"case_id": "c-safe-008",
|
|
"file": "c/safe/safe_sanitize_func.c",
|
|
"language": "c",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-134",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"sanitized",
|
|
"custom-function"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Input sanitized through sanitize_input() helper"
|
|
},
|
|
{
|
|
"case_id": "cpp-cmdi-001",
|
|
"file": "cpp/cmdi/cmdi_system.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"cpp.cmdi.system"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"getenv"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to system()"
|
|
},
|
|
{
|
|
"case_id": "cpp-cmdi-002",
|
|
"file": "cpp/cmdi/cmdi_popen.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"cpp.cmdi.popen"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"getenv"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to popen()"
|
|
},
|
|
{
|
|
"case_id": "cpp-cmdi-003",
|
|
"file": "cpp/cmdi/cmdi_getline.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"cpp.cmdi.system"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"tags": [
|
|
"stdin",
|
|
"getline"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Flow from std::getline(cin) to system()"
|
|
},
|
|
{
|
|
"case_id": "cpp-cmdi-004",
|
|
"file": "cpp/cmdi/cmdi_exec.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"cpp.cmdi.execvp"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"getenv"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to execvp()"
|
|
},
|
|
{
|
|
"case_id": "cpp-path-001",
|
|
"file": "cpp/path_traversal/path_traversal_fopen.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "path_traversal",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"cpp.file_io.fopen"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"getenv"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to fopen()"
|
|
},
|
|
{
|
|
"case_id": "cpp-path-002",
|
|
"file": "cpp/path_traversal/path_traversal_open.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "path_traversal",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"cpp.file_io.open"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"getenv"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to open()"
|
|
},
|
|
{
|
|
"case_id": "cpp-fmt-001",
|
|
"file": "cpp/fmt_string/fmt_printf.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "fmt_string",
|
|
"cwe": "CWE-134",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"cpp.fmt_string.printf"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"getenv"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to printf() as format string"
|
|
},
|
|
{
|
|
"case_id": "cpp-fmt-002",
|
|
"file": "cpp/fmt_string/fmt_fprintf.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "fmt_string",
|
|
"cwe": "CWE-134",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"cpp.fmt_string.fprintf"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"getenv"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to fprintf() as format string"
|
|
},
|
|
{
|
|
"case_id": "cpp-ssrf-001",
|
|
"file": "cpp/ssrf/ssrf_curl.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "ssrf",
|
|
"cwe": "CWE-918",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"cpp.ssrf.curl_easy_perform"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"curl"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to curl_easy_perform()"
|
|
},
|
|
{
|
|
"case_id": "cpp-ssrf-002",
|
|
"file": "cpp/ssrf/ssrf_connect.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "ssrf",
|
|
"cwe": "CWE-918",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"cpp.ssrf.connect"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
13,
|
|
13
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"socket"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to connect()"
|
|
},
|
|
{
|
|
"case_id": "cpp-buf-001",
|
|
"file": "cpp/buffer_overflow/buffer_sprintf.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "buffer_overflow",
|
|
"cwe": "CWE-120",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"cpp.buffer.sprintf"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"getenv"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to unbounded sprintf()"
|
|
},
|
|
{
|
|
"case_id": "cpp-buf-002",
|
|
"file": "cpp/buffer_overflow/buffer_strcpy.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "buffer_overflow",
|
|
"cwe": "CWE-120",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"cpp.buffer.strcpy"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"getenv"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from getenv to strcpy()"
|
|
},
|
|
{
|
|
"case_id": "cpp-safe-001",
|
|
"file": "cpp/safe/safe_constant.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"constant",
|
|
"no-source"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Constant string passed to system() \u2014 no taint source"
|
|
},
|
|
{
|
|
"case_id": "cpp-safe-002",
|
|
"file": "cpp/safe/safe_snprintf.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-120",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"sanitized",
|
|
"snprintf"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Input sanitized through snprintf bounded formatting"
|
|
},
|
|
{
|
|
"case_id": "cpp-safe-003",
|
|
"file": "cpp/safe/safe_stoi.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-134",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"sanitized",
|
|
"stoi"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Input sanitized through std::stoi() type conversion"
|
|
},
|
|
{
|
|
"case_id": "cpp-safe-004",
|
|
"file": "cpp/safe/safe_reassigned.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"reassigned"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Tainted variable reassigned to constant before use"
|
|
},
|
|
{
|
|
"case_id": "cpp-safe-005",
|
|
"file": "cpp/safe/safe_strncpy.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-120",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"sanitized",
|
|
"strncpy"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Input sanitized through bounded strncpy"
|
|
},
|
|
{
|
|
"case_id": "cpp-safe-006",
|
|
"file": "cpp/safe/safe_validated.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"validated",
|
|
"path-check"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Path validated against traversal before fopen"
|
|
},
|
|
{
|
|
"case_id": "cpp-safe-007",
|
|
"file": "cpp/safe/safe_sanitize_func.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-134",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"sanitized",
|
|
"custom-function"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Input sanitized through sanitize_input() helper"
|
|
},
|
|
{
|
|
"case_id": "cpp-safe-008",
|
|
"file": "cpp/safe/safe_strtol.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-134",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"sanitized",
|
|
"strtol"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Input sanitized through strtol() type conversion (C-style)"
|
|
},
|
|
{
|
|
"case_id": "rs-cmdi-001",
|
|
"file": "rust/cmdi/cmdi_command.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rust.cmdi.command"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"env-var"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from env::var to Command::new().arg()"
|
|
},
|
|
{
|
|
"case_id": "rs-cmdi-002",
|
|
"file": "rust/cmdi/cmdi_command_output.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rust.cmdi.command"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"env-var"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from env::var to Command::new().output()"
|
|
},
|
|
{
|
|
"case_id": "rs-cmdi-003",
|
|
"file": "rust/cmdi/cmdi_indirect.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rust.cmdi.command"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
5,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
10,
|
|
10
|
|
]
|
|
],
|
|
"expected_call_site_lines": [
|
|
[
|
|
10,
|
|
10
|
|
]
|
|
],
|
|
"tags": [
|
|
"indirect",
|
|
"helper-function"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Taint flows through helper function to Command"
|
|
},
|
|
{
|
|
"case_id": "rs-cmdi-004",
|
|
"file": "rust/cmdi/cmdi_args.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rust.cmdi.command"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"env-var",
|
|
"args"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from env::var to Command.args()"
|
|
},
|
|
{
|
|
"case_id": "rs-path-001",
|
|
"file": "rust/path_traversal/path_read.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "path_traversal",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rust.file_io.read_to_string"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"env-var"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from env::var to fs::read_to_string()"
|
|
},
|
|
{
|
|
"case_id": "rs-path-002",
|
|
"file": "rust/path_traversal/path_write.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "path_traversal",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rust.file_io.write"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"env-var"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from env::var to fs::write()"
|
|
},
|
|
{
|
|
"case_id": "rs-path-003",
|
|
"file": "rust/path_traversal/path_file_open.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "path_traversal",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rust.file_io.File"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"env-var"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from env::var to File::open()"
|
|
},
|
|
{
|
|
"case_id": "rs-path-004",
|
|
"file": "rust/path_traversal/path_file_create.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "path_traversal",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rust.file_io.File"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"env-var"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from env::var to File::create()"
|
|
},
|
|
{
|
|
"case_id": "rs-ssrf-001",
|
|
"file": "rust/ssrf/ssrf_reqwest.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "ssrf",
|
|
"cwe": "CWE-918",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rust.ssrf.reqwest"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"tags": [
|
|
"direct",
|
|
"env-var"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Direct flow from env::var to reqwest::get()"
|
|
},
|
|
{
|
|
"case_id": "rs-ssrf-002",
|
|
"file": "rust/ssrf/ssrf_indirect.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "ssrf",
|
|
"cwe": "CWE-918",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rust.ssrf.reqwest"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"tags": [
|
|
"indirect",
|
|
"helper-function"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Taint flows through helper function to reqwest::get()"
|
|
},
|
|
{
|
|
"case_id": "rs-safe-001",
|
|
"file": "rust/safe/safe_constant.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"constant",
|
|
"no-source"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Constant args passed to Command \u2014 no taint source"
|
|
},
|
|
{
|
|
"case_id": "rs-safe-002",
|
|
"file": "rust/safe/safe_sanitized_shell.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"sanitized",
|
|
"shell-escape"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Input sanitized through sanitize_shell() before Command"
|
|
},
|
|
{
|
|
"case_id": "rs-safe-003",
|
|
"file": "rust/safe/safe_reassigned.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"reassigned"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Tainted variable not used \u2014 constant passed to Command"
|
|
},
|
|
{
|
|
"case_id": "rs-safe-004",
|
|
"file": "rust/safe/safe_validated.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"validated",
|
|
"path-check"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Path validated against traversal before fs::read_to_string"
|
|
},
|
|
{
|
|
"case_id": "rs-safe-005",
|
|
"file": "rust/safe/safe_hardcoded_url.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-918",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"constant",
|
|
"no-source"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Hardcoded URL passed to reqwest::get \u2014 no taint source"
|
|
},
|
|
{
|
|
"case_id": "rs-safe-006",
|
|
"file": "rust/safe/safe_type_check.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"type-check",
|
|
"parse"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Input parsed to u32 before constructing path \u2014 type-safe"
|
|
},
|
|
{
|
|
"case_id": "rs-safe-007",
|
|
"file": "rust/safe/safe_interprocedural.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"interprocedural",
|
|
"sanitize-wrapper"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Input sanitized through interprocedural sanitize_input() call chain"
|
|
},
|
|
{
|
|
"case_id": "rs-safe-008",
|
|
"file": "rust/safe/safe_dominated.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"validated",
|
|
"dominated"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Input validated with allowlist check before Command"
|
|
},
|
|
{
|
|
"case_id": "rs-safe-009",
|
|
"file": "rust/safe/safe_shell_metachar.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"validated",
|
|
"shell-metachar"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Input rejected when containing shell metacharacters before Command"
|
|
},
|
|
{
|
|
"case_id": "rs-sqli-002",
|
|
"file": "rust/sqli/sqli_metachar_gate_wrong_sink.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "MEDIUM",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
13,
|
|
13
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"sqli",
|
|
"shell-metachar-gate"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Shell-metachar rejection is not a SQL sanitizer; SQL injection must still fire"
|
|
},
|
|
{
|
|
"case_id": "rs-cmdi-005",
|
|
"file": "rust/cmdi/cmdi_format_macro.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rust.cmdi.command"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"format-macro",
|
|
"env-var"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Tainted input interpolated via format!() into sh -c"
|
|
},
|
|
{
|
|
"case_id": "rs-cmdi-006",
|
|
"file": "rust/cmdi/cmdi_match_source.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rust.cmdi.command"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"tags": [
|
|
"match-expression",
|
|
"env-var"
|
|
],
|
|
"disabled": false,
|
|
"notes": "env::var bound via match expression then used as Command program name"
|
|
},
|
|
{
|
|
"case_id": "rs-cmdi-007",
|
|
"file": "rust/cmdi/cmdi_string_concat.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rust.cmdi.command"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"string-concat",
|
|
"binary-op"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Tainted &str concatenated via + into sh -c argument"
|
|
},
|
|
{
|
|
"case_id": "rs-cmdi-008",
|
|
"file": "rust/cmdi/cmdi_static_map_dangerous.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rust.cmdi.command"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
14,
|
|
14
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"tags": [
|
|
"hashmap",
|
|
"static-lookup",
|
|
"dangerous-literal"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Static HashMap where one inserted value carries shell metacharacters \u2014 finite-set suppression must NOT clear this sink"
|
|
},
|
|
{
|
|
"case_id": "rs-cmdi-009",
|
|
"file": "rust/cmdi/cmdi_indirect_multisink.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rust.cmdi.command"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
5,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
10,
|
|
11
|
|
]
|
|
],
|
|
"expected_call_site_lines": [
|
|
[
|
|
12,
|
|
12
|
|
]
|
|
],
|
|
"tags": [
|
|
"indirect",
|
|
"helper-function",
|
|
"multisink"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Helper run_both takes two tainted params and invokes two Command sinks on consecutive lines (5, 6). Phase 3 attribution must land each finding's primary line inside the helper, not at the call site (line 12). NOTE: the summary currently stores one SinkSite per callee so both findings may collapse onto the same helper line today \u2014 the \u00b12 sink range and the call-site assertion guard against regression to caller-attribution regardless."
|
|
},
|
|
{
|
|
"case_id": "rs-cmdi-cross-001",
|
|
"file": "rust/cmdi/cross_propagation/",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rust.cmdi.command"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"expected_call_site_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"tags": [
|
|
"cross-file",
|
|
"propagation"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Cross-file taint: main.rs line 7 env::var \u2192 transform::wrap at line 8 \u2192 Command::new at line 9. Sink is the top-level Command::new; transform::wrap is a cross-file propagator, not a sink."
|
|
},
|
|
{
|
|
"case_id": "rs-path-005",
|
|
"file": "rust/path_traversal/path_remove.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "path_traversal",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rust.file_io.remove_file"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"filesystem",
|
|
"remove",
|
|
"known-gap"
|
|
],
|
|
"disabled": false,
|
|
"notes": "fs::remove_file not in Rust sink rules \u2014 known FN coverage"
|
|
},
|
|
{
|
|
"case_id": "rs-ssrf-003",
|
|
"file": "rust/ssrf/ssrf_client_builder.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "ssrf",
|
|
"cwe": "CWE-918",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rust.ssrf.reqwest"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"tags": [
|
|
"builder-chain",
|
|
"known-gap"
|
|
],
|
|
"disabled": false,
|
|
"notes": "reqwest::Client::new().get(url).send() \u2014 builder chain not matched by reqwest::get/Client.execute sinks"
|
|
},
|
|
{
|
|
"case_id": "rs-sqli-001",
|
|
"file": "rust/sqli/sqli_rusqlite_format.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "analogue",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rust.sqli.rusqlite"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"rusqlite",
|
|
"format-macro",
|
|
"known-gap"
|
|
],
|
|
"disabled": false,
|
|
"notes": "rusqlite::Connection.execute not in Rust sink rules \u2014 SQLi class has no Rust coverage"
|
|
},
|
|
{
|
|
"case_id": "rs-deser-001",
|
|
"file": "rust/deser/deser_serde_yaml.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "deser",
|
|
"cwe": "CWE-502",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "analogue",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rust.deser.serde_yaml"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"tags": [
|
|
"serde",
|
|
"yaml",
|
|
"known-gap"
|
|
],
|
|
"disabled": false,
|
|
"notes": "serde_yaml::from_str not in Rust sink rules \u2014 deserialization class has no Rust coverage"
|
|
},
|
|
{
|
|
"case_id": "rs-xss-001",
|
|
"file": "rust/xss/axum_html/",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"rust.xss.axum_html"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
3,
|
|
3
|
|
]
|
|
],
|
|
"tags": [
|
|
"framework",
|
|
"axum",
|
|
"html"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Axum Path<String> \u2192 Html(format!(...)) \u2014 requires framework rules (Cargo.toml present)"
|
|
},
|
|
{
|
|
"case_id": "rs-safe-009",
|
|
"file": "rust/safe/safe_match_guard.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"match-guard",
|
|
"validated"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Match guard restricts input to ASCII alphanumeric before Command"
|
|
},
|
|
{
|
|
"case_id": "rs-safe-010",
|
|
"file": "rust/safe/safe_static_map_lookup.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"hashmap",
|
|
"static-lookup"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Tainted key indexes static HashMap \u2014 value is hardcoded, not tainted"
|
|
},
|
|
{
|
|
"case_id": "rs-safe-011",
|
|
"file": "rust/safe/safe_parsed_port.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"type-parse",
|
|
"u16"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Input parsed to u16 before use as Command arg \u2014 type-narrowed"
|
|
},
|
|
{
|
|
"case_id": "rs-safe-012",
|
|
"file": "rust/safe/safe_path_contains_dotdot.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-regression",
|
|
"path-sanitizer"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Intraprocedural .contains(\"..\") + .starts_with('/') rejection \u2014 PathFact narrows dotdot and absolute axes on the sanitised branch"
|
|
},
|
|
{
|
|
"case_id": "rs-safe-015",
|
|
"file": "rust/safe/safe_path_is_absolute.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-regression",
|
|
"path-sanitizer"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Path::new(x).is_absolute() rejection + .contains(\"..\") \u2014 PathFact narrows both axes via typed check and substring rejection"
|
|
},
|
|
{
|
|
"case_id": "rs-path-006",
|
|
"file": "rust/traversal/traversal_no_sanitizer.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "path_traversal",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "MEDIUM",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
11,
|
|
11
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
10,
|
|
10
|
|
]
|
|
],
|
|
"tags": [
|
|
"pathfact-regression",
|
|
"negative-guard"
|
|
],
|
|
"disabled": false,
|
|
"notes": "No sanitiser applied \u2014 PathFact stays Top, FILE_IO sink must fire (guards against over-suppression)"
|
|
},
|
|
{
|
|
"case_id": "rs-safe-cross-001",
|
|
"file": "rust/cmdi/cross_sanitizer/",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"cross-file",
|
|
"sanitizer"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Cross-file: sanitize_shell in sanitizer.rs clears SHELL_ESCAPE cap before Command"
|
|
},
|
|
{
|
|
"case_id": "js-interproc-safe-001",
|
|
"file": "javascript/interprocedural/interproc_sanitizer_wrap.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"interprocedural",
|
|
"sanitizer-wrapper"
|
|
],
|
|
"disabled": false,
|
|
"notes": "XSS safe: input sanitized through encodeURIComponent wrapper function"
|
|
},
|
|
{
|
|
"case_id": "py-interproc-safe-001",
|
|
"file": "python/interprocedural/interproc_sanitizer_wrap.py",
|
|
"language": "python",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"interprocedural",
|
|
"sanitizer-wrapper"
|
|
],
|
|
"disabled": false,
|
|
"notes": "XSS safe: input sanitized through html.escape wrapper function"
|
|
},
|
|
{
|
|
"case_id": "java-interproc-safe-001",
|
|
"file": "java/interprocedural/InterprocSanitizerWrap.java",
|
|
"language": "java",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"interprocedural",
|
|
"sanitizer-wrapper"
|
|
],
|
|
"disabled": false,
|
|
"notes": "XSS safe: input sanitized through HtmlUtils.htmlEscape wrapper"
|
|
},
|
|
{
|
|
"case_id": "go-interproc-safe-001",
|
|
"file": "go/interprocedural/interproc_sanitizer_wrap.go",
|
|
"language": "go",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"interprocedural",
|
|
"sanitizer-wrapper"
|
|
],
|
|
"disabled": false,
|
|
"notes": "XSS safe: input sanitized through html.EscapeString wrapper function"
|
|
},
|
|
{
|
|
"case_id": "php-interproc-safe-001",
|
|
"file": "php/interprocedural/interproc_sanitizer_wrap.php",
|
|
"language": "php",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"interprocedural",
|
|
"sanitizer-wrapper"
|
|
],
|
|
"disabled": false,
|
|
"notes": "XSS safe: input sanitized through htmlspecialchars wrapper function"
|
|
},
|
|
{
|
|
"case_id": "rb-interproc-safe-001",
|
|
"file": "ruby/interprocedural/interproc_sanitizer_wrap.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"interprocedural",
|
|
"sanitizer-wrapper"
|
|
],
|
|
"disabled": false,
|
|
"notes": "XSS safe: input sanitized through CGI.escapeHTML wrapper function"
|
|
},
|
|
{
|
|
"case_id": "js-interproc-001",
|
|
"file": "javascript/interprocedural/interproc_taint_propagation.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"js.cmdi.exec"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
12,
|
|
12
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
10,
|
|
10
|
|
]
|
|
],
|
|
"tags": [
|
|
"interprocedural",
|
|
"taint-propagation"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Taint flows through buildCommand() helper to exec()"
|
|
},
|
|
{
|
|
"case_id": "py-interproc-001",
|
|
"file": "python/interprocedural/interproc_taint_propagation.py",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"py.cmdi.system"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
10,
|
|
10
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"tags": [
|
|
"interprocedural",
|
|
"taint-propagation"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Taint flows through build_command() helper to os.system()"
|
|
},
|
|
{
|
|
"case_id": "java-interproc-001",
|
|
"file": "java/interprocedural/InterprocTaintPropagation.java",
|
|
"language": "java",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"java.sqli.executeQuery"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
12,
|
|
12
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
10,
|
|
10
|
|
]
|
|
],
|
|
"tags": [
|
|
"interprocedural",
|
|
"taint-propagation"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Taint flows through buildQuery() helper to executeQuery()"
|
|
},
|
|
{
|
|
"case_id": "go-interproc-001",
|
|
"file": "go/interprocedural/interproc_taint_propagation.go",
|
|
"language": "go",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"go.sqli.query"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
16,
|
|
16
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
14,
|
|
14
|
|
]
|
|
],
|
|
"tags": [
|
|
"interprocedural",
|
|
"taint-propagation"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Taint flows through buildQuery() helper to db.Query()"
|
|
},
|
|
{
|
|
"case_id": "php-interproc-001",
|
|
"file": "php/interprocedural/interproc_taint_propagation.php",
|
|
"language": "php",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"php.sqli.mysqli_query"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"tags": [
|
|
"interprocedural",
|
|
"taint-propagation"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Taint flows through build_query() helper to mysqli_query()"
|
|
},
|
|
{
|
|
"case_id": "rb-interproc-001",
|
|
"file": "ruby/interprocedural/interproc_taint_propagation.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"ruby.sqli.select_all"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
10,
|
|
10
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"tags": [
|
|
"interprocedural",
|
|
"taint-propagation"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Taint flows through build_query() helper to select_all()"
|
|
},
|
|
{
|
|
"case_id": "js-pathprune-safe-001",
|
|
"file": "javascript/path_pruning/safe_early_return.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"path-pruning",
|
|
"early-return",
|
|
"allowlist"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Command execution gated by allowlist check with early return"
|
|
},
|
|
{
|
|
"case_id": "py-pathprune-safe-001",
|
|
"file": "python/path_pruning/safe_early_return.py",
|
|
"language": "python",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"path-pruning",
|
|
"early-return",
|
|
"allowlist"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Command execution gated by allowlist check with early return"
|
|
},
|
|
{
|
|
"case_id": "go-pathprune-safe-001",
|
|
"file": "go/path_pruning/safe_early_return.go",
|
|
"language": "go",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"state-unauthed-access"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"path-pruning",
|
|
"early-return",
|
|
"allowlist"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Command execution gated by allowlist check with early return"
|
|
},
|
|
{
|
|
"case_id": "ts-xss-001",
|
|
"file": "typescript/xss/xss_typed_innerhtml.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"innerHTML",
|
|
"typed-express",
|
|
"reflected"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Baseline TS XSS: typed Express handler flows req.query into innerHTML"
|
|
},
|
|
{
|
|
"case_id": "ts-xss-002",
|
|
"file": "typescript/xss/xss_as_any_cast.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"ts.quality.as_any"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"as-any",
|
|
"type-assertion",
|
|
"innerHTML"
|
|
],
|
|
"disabled": false,
|
|
"notes": "TS-specific: taint must flow through `as any` and chained assertions (as_expression\u2192Kind::Seq)"
|
|
},
|
|
{
|
|
"case_id": "ts-xss-003",
|
|
"file": "typescript/xss/xss_generic_identity.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
11,
|
|
11
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"tags": [
|
|
"generics",
|
|
"interprocedural",
|
|
"innerHTML"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Tests Phase 11 inline context-sensitivity through generic identity<T> function"
|
|
},
|
|
{
|
|
"case_id": "ts-xss-004",
|
|
"file": "typescript/xss/xss_optional_chain_source.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"optional-chain",
|
|
"adversarial-source",
|
|
"innerHTML"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Adversarial: optional-chained source `req?.query?.name`. Tests whether the source matcher survives optional_chain_expression nodes. Expected FN until optional chaining is lowered to member access in labeling"
|
|
},
|
|
{
|
|
"case_id": "ts-xss-005",
|
|
"file": "typescript/xss/xss_dangerously_set_inner_html.tsx",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
9,
|
|
10
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"tags": [
|
|
"tsx",
|
|
"jsx",
|
|
"dangerouslySetInnerHTML"
|
|
],
|
|
"disabled": false,
|
|
"notes": "TSX fixture: user bio flows into `dangerouslySetInnerHTML` and is sent via res.send. Exercises TSX grammar wiring (LANGUAGE_TSX) and confirms taint propagation through JSX expressions"
|
|
},
|
|
{
|
|
"case_id": "ts-sqli-001",
|
|
"file": "typescript/sqli/sqli_template_literal.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
10,
|
|
10
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"tags": [
|
|
"sqli",
|
|
"pg",
|
|
"template-literal"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Template-literal SQL via pg Pool.query; exact SQL_QUERY sink match"
|
|
},
|
|
{
|
|
"case_id": "ts-sqli-002",
|
|
"file": "typescript/sqli/sqli_prisma_raw.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
10,
|
|
10
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"tags": [
|
|
"sqli",
|
|
"prisma",
|
|
"queryRawUnsafe"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Prisma $queryRawUnsafe \u2014 TS-specific ORM sink"
|
|
},
|
|
{
|
|
"case_id": "ts-cmdi-001",
|
|
"file": "typescript/cmdi/cmdi_exec_template.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"tags": [
|
|
"cmdi",
|
|
"child_process",
|
|
"template-literal"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Destructured exec with template literal command from req.body"
|
|
},
|
|
{
|
|
"case_id": "ts-cmdi-002",
|
|
"file": "typescript/cmdi/cmdi_async_wrapper.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
11,
|
|
11
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
10,
|
|
10
|
|
]
|
|
],
|
|
"tags": [
|
|
"cmdi",
|
|
"async",
|
|
"promisify",
|
|
"execAsync"
|
|
],
|
|
"disabled": false,
|
|
"notes": "promisify-wrapped exec (execAsync) \u2014 TS rules enumerate execAsync as a command sink"
|
|
},
|
|
{
|
|
"case_id": "ts-ssrf-001",
|
|
"file": "typescript/ssrf/ssrf_axios_user_url.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "ssrf",
|
|
"cwe": "CWE-918",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"tags": [
|
|
"ssrf",
|
|
"axios"
|
|
],
|
|
"disabled": false,
|
|
"notes": "axios.get with req.query.url \u2014 baseline TS SSRF"
|
|
},
|
|
{
|
|
"case_id": "ts-ssrf-002",
|
|
"file": "typescript/ssrf/ssrf_fastify_fetch.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "ssrf",
|
|
"cwe": "CWE-918",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "analogue",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"tags": [
|
|
"ssrf",
|
|
"fastify",
|
|
"framework-rules",
|
|
"adversarial-framework"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Fastify framework route \u2014 exercises framework_rules(ctx) source detection for request.query. Expected FN when framework context is not detected from a single file (no package.json)"
|
|
},
|
|
{
|
|
"case_id": "ts-ssrf-003",
|
|
"file": "typescript/ssrf/ssrf_encoded_host.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "ssrf",
|
|
"cwe": "CWE-918",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"tags": [
|
|
"ssrf",
|
|
"axios",
|
|
"url-encode",
|
|
"adversarial-fn-guard"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Regression guard for prefix-locked SSRF suppression: encodeURIComponent is applied to the HOST (not path), so the template prefix 'https://' does not lock the destination. Must still fire as SSRF \u2014 proves the StringFact host check does not over-suppress when the attacker controls the authority component"
|
|
},
|
|
{
|
|
"case_id": "ts-code_injection-001",
|
|
"file": "typescript/code_injection/code_exec_eval.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "code_injection",
|
|
"cwe": "CWE-94",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"ts.code_exec.eval"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"eval",
|
|
"code-injection"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Classic eval + user input; AST pattern ts.code_exec.eval applies"
|
|
},
|
|
{
|
|
"case_id": "ts-code_injection-002",
|
|
"file": "typescript/code_injection/code_exec_new_function.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "code_injection",
|
|
"cwe": "CWE-94",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"ts.code_exec.new_function"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"new-function",
|
|
"code-injection"
|
|
],
|
|
"disabled": false,
|
|
"notes": "new Function(body) \u2014 AST pattern ts.code_exec.new_function"
|
|
},
|
|
{
|
|
"case_id": "ts-open_redirect-001",
|
|
"file": "typescript/open_redirect/location_href.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-601",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"ts.xss.location_assign"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "MEDIUM",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"open-redirect",
|
|
"location-href"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Open redirect via location.href = userUrl"
|
|
},
|
|
{
|
|
"case_id": "ts-path_traversal-001",
|
|
"file": "typescript/path_traversal/path_traversal_sendfile.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "path_traversal",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"tags": [
|
|
"path-traversal",
|
|
"sendFile"
|
|
],
|
|
"disabled": false,
|
|
"notes": "res.sendFile with unsanitized req.query.path"
|
|
},
|
|
{
|
|
"case_id": "ts-crypto-001",
|
|
"file": "typescript/crypto/weak_hash_md5.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "crypto",
|
|
"cwe": "CWE-327",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"ts.crypto.weak_hash_import"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"ts.crypto.weak_hash"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "MEDIUM",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"crypto",
|
|
"weak-hash",
|
|
"md5"
|
|
],
|
|
"disabled": false,
|
|
"notes": "md5() imported from the md5 package \u2014 AST pattern ts.crypto.weak_hash_import"
|
|
},
|
|
{
|
|
"case_id": "ts-secrets-001",
|
|
"file": "typescript/secrets/fallback_secret.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "secrets",
|
|
"cwe": "CWE-798",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"ts.secrets.fallback_secret"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"ts.secrets.hardcoded_secret"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "MEDIUM",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
5,
|
|
5
|
|
]
|
|
],
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"secrets",
|
|
"fallback-env"
|
|
],
|
|
"disabled": false,
|
|
"notes": "process.env.KEY || 'hardcoded' \u2014 AST pattern ts.secrets.fallback_secret"
|
|
},
|
|
{
|
|
"case_id": "ts-insecure_config-001",
|
|
"file": "typescript/insecure_config/reject_unauthorized.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "insecure_config",
|
|
"cwe": "CWE-295",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"ts.config.reject_unauthorized"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "MEDIUM",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"tls",
|
|
"reject-unauthorized"
|
|
],
|
|
"disabled": false,
|
|
"notes": "TLS verification disabled \u2014 AST pattern"
|
|
},
|
|
{
|
|
"case_id": "ts-insecure_config-002",
|
|
"file": "typescript/insecure_config/cookie_httponly.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "insecure_config",
|
|
"cwe": "CWE-1004",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"ts.config.insecure_session_httponly"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "MEDIUM",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
9,
|
|
9
|
|
]
|
|
],
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"cookies",
|
|
"httpOnly"
|
|
],
|
|
"disabled": false,
|
|
"notes": "session cookie httpOnly: false \u2014 AST pattern"
|
|
},
|
|
{
|
|
"case_id": "ts-prototype-001",
|
|
"file": "typescript/prototype/proto_assignment.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "prototype",
|
|
"cwe": "CWE-1321",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"ts.prototype.proto_assignment"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "MEDIUM",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
4,
|
|
4
|
|
]
|
|
],
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"prototype-pollution"
|
|
],
|
|
"disabled": false,
|
|
"notes": "__proto__ write \u2014 AST pattern"
|
|
},
|
|
{
|
|
"case_id": "ts-interproc-001",
|
|
"file": "typescript/interprocedural/interproc_class_method.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
17,
|
|
17
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
15,
|
|
15
|
|
]
|
|
],
|
|
"tags": [
|
|
"cmdi",
|
|
"class-method",
|
|
"interprocedural"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Class method builder: Runner.build concatenates tainted target, caller passes result to exec. Stresses intra-file class-method call resolution"
|
|
},
|
|
{
|
|
"case_id": "ts-type_system-001",
|
|
"file": "typescript/type_system/discriminated_union_narrow.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"cfg-unguarded-sink"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
13,
|
|
13
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
12,
|
|
12
|
|
]
|
|
],
|
|
"tags": [
|
|
"discriminated-union",
|
|
"narrowing",
|
|
"cmdi"
|
|
],
|
|
"disabled": false,
|
|
"notes": "TS discriminated-union narrowing (kind === 'ping') does not sanitize \u2014 a.target is still user-controlled. Guards against the FP of treating `kind` guards as security sanitizers"
|
|
},
|
|
{
|
|
"case_id": "ts-type_system-002",
|
|
"file": "typescript/type_system/interface_dispatch.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
10,
|
|
10
|
|
],
|
|
[
|
|
20,
|
|
20
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
19,
|
|
19
|
|
]
|
|
],
|
|
"tags": [
|
|
"interface",
|
|
"dispatch",
|
|
"adversarial-interprocedural",
|
|
"cmdi"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Interface-typed receiver `impl: Runner` \u2192 resolve to ShellRunner.run \u2192 exec. Tests intra-file method resolution through interface types; expected FN if only normalized callee-name matching is used"
|
|
},
|
|
{
|
|
"case_id": "ts-type_system-003",
|
|
"file": "typescript/type_system/decorator_passthrough.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "language_specific",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
15,
|
|
15
|
|
],
|
|
[
|
|
23,
|
|
23
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
23,
|
|
23
|
|
]
|
|
],
|
|
"tags": [
|
|
"decorator",
|
|
"adversarial-decorator",
|
|
"cmdi"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Method decorator wraps Service.run; the undecorated body still contains exec(cmd). Tests whether decorator syntax interferes with class-method extraction. Expected FN if decorator parsing derails summary extraction"
|
|
},
|
|
{
|
|
"case_id": "ts-safe-001",
|
|
"file": "typescript/safe/safe_dompurify.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"sanitizer",
|
|
"dompurify"
|
|
],
|
|
"disabled": false,
|
|
"notes": "DOMPurify.sanitize inline before innerHTML"
|
|
},
|
|
{
|
|
"case_id": "ts-safe-002",
|
|
"file": "typescript/safe/safe_number_coerce.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"type-coercion",
|
|
"Number"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Number() coercion sanitizes SQL integer interpolation; Number is in TS sanitizer rules with Cap::all()"
|
|
},
|
|
{
|
|
"case_id": "ts-safe-003",
|
|
"file": "typescript/safe/safe_encode_uri.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"url-encode",
|
|
"ssrf",
|
|
"adversarial-fp"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Semantically safe: user term is URL-encoded into a fixed-host URL; no SSRF possible. Known Nyx weak spot \u2014 encodeURIComponent is Cap::URL_ENCODE while axios sink is Cap::SSRF, so cap mismatch may yield FP. Documents the cap-overlap limitation"
|
|
},
|
|
{
|
|
"case_id": "ts-safe-004",
|
|
"file": "typescript/safe/safe_hardcoded_url.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"no-source",
|
|
"hardcoded"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Hardcoded URL, no user input; should be a clean TN"
|
|
},
|
|
{
|
|
"case_id": "ts-safe-005",
|
|
"file": "typescript/safe/safe_validator_escape.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"sanitizer",
|
|
"validator"
|
|
],
|
|
"disabled": false,
|
|
"notes": "validator.escape sanitizes XSS payload before innerHTML"
|
|
},
|
|
{
|
|
"case_id": "ts-safe-006",
|
|
"file": "typescript/safe/safe_typeof_guard.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"ts.code_exec.eval"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"type-check",
|
|
"typeof",
|
|
"eval"
|
|
],
|
|
"disabled": false,
|
|
"notes": "typeof === 'number' guards eval; only numbers reach sink. Forbidden ts.code_exec.eval here because the taint flow is gated \u2014 pattern-only detection would be an FP"
|
|
},
|
|
{
|
|
"case_id": "ts-safe-007",
|
|
"file": "typescript/safe/safe_interproc_sanitizer.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"sanitizer",
|
|
"interprocedural",
|
|
"dompurify",
|
|
"adversarial-fp"
|
|
],
|
|
"disabled": false,
|
|
"notes": "DOMPurify wrapped in cleanHtml() helper. Known JS weak spot (js-interproc-safe-001 is an FP); documents whether TS handling matches"
|
|
},
|
|
{
|
|
"case_id": "ts-safe-008",
|
|
"file": "typescript/safe/safe_constant_query.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"constant",
|
|
"no-source"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Compile-time constant SQL; no user input; should TN"
|
|
},
|
|
{
|
|
"case_id": "ts-safe-009",
|
|
"file": "typescript/safe/safe_parameterized.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"parameterized",
|
|
"sqli",
|
|
"adversarial-fp"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Parameterized pg query: SQL string is constant, id flows as $1 placeholder value. Semantically safe but taint still reaches pool.query call; known Nyx limitation \u2014 positional args aren't distinguished for SQL_QUERY sink"
|
|
},
|
|
{
|
|
"case_id": "ts-safe-010",
|
|
"file": "typescript/safe/safe_jsx_text.tsx",
|
|
"language": "typescript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"tsx",
|
|
"jsx",
|
|
"auto-escape"
|
|
],
|
|
"disabled": false,
|
|
"notes": "TSX fixture: user bio rendered as JSX text child. React auto-escapes JSX text so this is semantically safe. Guards against over-flagging JSX expressions now that TSX grammar is wired"
|
|
},
|
|
{
|
|
"case_id": "cve-py-2023-48022-vulnerable",
|
|
"file": "cve_corpus/python/CVE-2023-48022/vulnerable.py",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"py.cmdi.os_system"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
31,
|
|
31
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
26,
|
|
27
|
|
]
|
|
],
|
|
"tags": [
|
|
"cve",
|
|
"ray",
|
|
"rce",
|
|
"flask"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2023-48022: Ray dashboard job-submission RCE via shell-interpreted entrypoint in os.system. Apache-2.0"
|
|
},
|
|
{
|
|
"case_id": "cve-py-2023-48022-patched",
|
|
"file": "cve_corpus/python/CVE-2023-48022/patched.py",
|
|
"language": "python",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"py.cmdi.os_system",
|
|
"py.cmdi.subprocess_shell",
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"ray",
|
|
"patched",
|
|
"negative"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2023-48022 patched counterpart: shlex.split + subprocess.Popen(shell=False); regression guard that Nyx does not refire on the fix"
|
|
},
|
|
{
|
|
"case_id": "cve-js-2019-14939-vulnerable",
|
|
"file": "cve_corpus/javascript/CVE-2019-14939/vulnerable.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "code_exec",
|
|
"cwe": "CWE-94",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"js.code_exec.eval"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
30,
|
|
30
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
23,
|
|
25
|
|
]
|
|
],
|
|
"tags": [
|
|
"cve",
|
|
"mongo-express",
|
|
"rce",
|
|
"express",
|
|
"eval"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2019-14939: mongo-express /checkValid evaluated req.body.document with eval(); RCE on the admin interface. MIT"
|
|
},
|
|
{
|
|
"case_id": "cve-js-2019-14939-patched",
|
|
"file": "cve_corpus/javascript/CVE-2019-14939/patched.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"js.code_exec.eval",
|
|
"js.code_exec.new_function",
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"mongo-express",
|
|
"patched",
|
|
"negative"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2019-14939 patched counterpart: EJSON.parse replaces eval; regression guard that Nyx does not refire on the fix"
|
|
},
|
|
{
|
|
"case_id": "cve-ts-2023-26159-vulnerable",
|
|
"file": "cve_corpus/typescript/CVE-2023-26159/vulnerable.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "ssrf",
|
|
"cwe": "CWE-918",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
32,
|
|
32
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
27,
|
|
28
|
|
]
|
|
],
|
|
"tags": [
|
|
"cve",
|
|
"follow-redirects",
|
|
"ssrf",
|
|
"express",
|
|
"axios"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2023-26159: follow-redirects leaked Authorization across cross-origin redirects; caller-side pattern is SSRF via unvalidated user URL into HTTP client. MIT"
|
|
},
|
|
{
|
|
"case_id": "cve-ts-2023-26159-patched",
|
|
"file": "cve_corpus/typescript/CVE-2023-26159/patched.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"follow-redirects",
|
|
"patched",
|
|
"negative"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2023-26159 patched counterpart: URL allowlist check guards axios.get; regression guard that Nyx does not refire on the fix"
|
|
},
|
|
{
|
|
"case_id": "cve-py-2017-18342-vulnerable",
|
|
"file": "cve_corpus/python/CVE-2017-18342/vulnerable.py",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "deserialization",
|
|
"cwe": "CWE-502",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"py.deser.yaml_load"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
30,
|
|
30
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
26,
|
|
26
|
|
]
|
|
],
|
|
"tags": [
|
|
"cve",
|
|
"pyyaml",
|
|
"deserialization",
|
|
"flask"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2017-18342: PyYAML yaml.load default loader instantiated arbitrary Python objects from !!python/object tags; RCE on any app passing untrusted YAML. MIT"
|
|
},
|
|
{
|
|
"case_id": "cve-py-2017-18342-patched",
|
|
"file": "cve_corpus/python/CVE-2017-18342/patched.py",
|
|
"language": "python",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"py.deser.yaml_load",
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"pyyaml",
|
|
"patched",
|
|
"negative"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2017-18342 patched counterpart: yaml.safe_load replaces yaml.load; regression guard that Nyx does not refire on the fix"
|
|
},
|
|
{
|
|
"case_id": "cve-php-2017-9841-vulnerable",
|
|
"file": "cve_corpus/php/CVE-2017-9841/vulnerable.php",
|
|
"language": "php",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "code_exec",
|
|
"cwe": "CWE-94",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"php.code_exec.eval"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
22,
|
|
22
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
21,
|
|
21
|
|
]
|
|
],
|
|
"tags": [
|
|
"cve",
|
|
"phpunit",
|
|
"rce",
|
|
"eval",
|
|
"stdin"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2017-9841: PHPUnit Util/PHP/eval-stdin.php fed php://input to eval(); mass-scanned for webshell deployment. BSD-3-Clause"
|
|
},
|
|
{
|
|
"case_id": "cve-php-2017-9841-patched",
|
|
"file": "cve_corpus/php/CVE-2017-9841/patched.php",
|
|
"language": "php",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"php.code_exec.eval",
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"phpunit",
|
|
"patched",
|
|
"negative"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2017-9841 patched counterpart: stub rejects non-CLI SAPI and removes the eval sink entirely; regression guard that Nyx does not refire on the fix"
|
|
},
|
|
{
|
|
"case_id": "cve-php-2018-15133-vulnerable",
|
|
"file": "cve_corpus/php/CVE-2018-15133/vulnerable.php",
|
|
"language": "php",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "deserialization",
|
|
"cwe": "CWE-502",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"php.deser.unserialize"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
26,
|
|
26
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
24,
|
|
24
|
|
]
|
|
],
|
|
"tags": [
|
|
"cve",
|
|
"laravel",
|
|
"deserialization",
|
|
"cookie"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2018-15133: Laravel <= 5.6.29 unserialized a cookie-borne payload without HMAC verification; known gadget chains reached arbitrary code when APP_KEY leaked. MIT"
|
|
},
|
|
{
|
|
"case_id": "cve-php-2018-15133-patched",
|
|
"file": "cve_corpus/php/CVE-2018-15133/patched.php",
|
|
"language": "php",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"php.deser.unserialize",
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"laravel",
|
|
"patched",
|
|
"negative"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2018-15133 patched counterpart: HMAC-verified JSON cookie replaces PHP-serialized payload; regression guard that Nyx does not refire on the fix"
|
|
},
|
|
{
|
|
"case_id": "cve-rb-2013-0156-vulnerable",
|
|
"file": "cve_corpus/ruby/CVE-2013-0156/vulnerable.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "deserialization",
|
|
"cwe": "CWE-502",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"rb.deser.yaml_load"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
28,
|
|
28
|
|
]
|
|
],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"rails",
|
|
"deserialization",
|
|
"params"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2013-0156: Rails XML params parser round-tripped tagged YAML through YAML.load, instantiating arbitrary Ruby objects; unauthenticated RCE on every affected Rails app. MIT"
|
|
},
|
|
{
|
|
"case_id": "cve-rb-2013-0156-patched",
|
|
"file": "cve_corpus/ruby/CVE-2013-0156/patched.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"rb.deser.yaml_load",
|
|
"rb.deser.marshal_load",
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"rails",
|
|
"patched",
|
|
"negative"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2013-0156 patched counterpart: params decoded as JSON, no YAML loader on untrusted input; regression guard that Nyx does not refire on the fix"
|
|
},
|
|
{
|
|
"case_id": "cve-java-2015-7501-vulnerable",
|
|
"file": "cve_corpus/java/CVE-2015-7501/vulnerable.java",
|
|
"language": "java",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "deserialization",
|
|
"cwe": "CWE-502",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"java.deser.readobject"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
35,
|
|
35
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
34,
|
|
34
|
|
]
|
|
],
|
|
"tags": [
|
|
"cve",
|
|
"commons-collections",
|
|
"deserialization",
|
|
"servlet"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2015-7501: Apache Commons Collections InvokerTransformer chain drove RCE on any app reading attacker-controlled bytes through ObjectInputStream.readObject. Apache-2.0"
|
|
},
|
|
{
|
|
"case_id": "cve-java-2015-7501-patched",
|
|
"file": "cve_corpus/java/CVE-2015-7501/patched.java",
|
|
"language": "java",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"java.deser.readobject",
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"commons-collections",
|
|
"patched",
|
|
"negative"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2015-7501 patched counterpart: Jackson JSON codec replaces native Java deserialization; no ObjectInputStream on the request path; regression guard"
|
|
},
|
|
{
|
|
"case_id": "cve-go-2022-30323-vulnerable",
|
|
"file": "cve_corpus/go/CVE-2022-30323/vulnerable.go",
|
|
"language": "go",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"go.cmdi.exec_command"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
34,
|
|
34
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
30,
|
|
30
|
|
]
|
|
],
|
|
"tags": [
|
|
"cve",
|
|
"go-getter",
|
|
"cmdi",
|
|
"git"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2022-30323: hashicorp/go-getter forwarded user URLs into `git clone` argv, letting `ext::`/`upload-pack=` aliases reach a shell; affected Terraform, Packer, Nomad, Vault. MPL-2.0"
|
|
},
|
|
{
|
|
"case_id": "cve-go-2022-30323-patched",
|
|
"file": "cve_corpus/go/CVE-2022-30323/patched.go",
|
|
"language": "go",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"go.cmdi.exec_command",
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"go-getter",
|
|
"patched",
|
|
"negative"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2022-30323 patched counterpart: scheme allowlist + in-process go-git clone removes the exec.Command path; regression guard that Nyx does not refire on the fix"
|
|
},
|
|
{
|
|
"case_id": "cve-c-2016-3714-vulnerable",
|
|
"file": "cve_corpus/c/CVE-2016-3714/vulnerable.c",
|
|
"language": "c",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"c.cmdi.system"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
34,
|
|
34
|
|
]
|
|
],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"imagemagick",
|
|
"imagetragick",
|
|
"cmdi"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2016-3714 (ImageTragick): ImageMagick delegate policies substituted user-controlled filenames into shell templates passed to system(), enabling unauthenticated RCE via crafted MVG/MSL uploads. ImageMagick License"
|
|
},
|
|
{
|
|
"case_id": "cve-c-2016-3714-patched",
|
|
"file": "cve_corpus/c/CVE-2016-3714/patched.c",
|
|
"language": "c",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"c.cmdi.system",
|
|
"c.cmdi.popen",
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"imagemagick",
|
|
"patched",
|
|
"negative"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2016-3714 patched counterpart: in-process coder + basename check removes the system() path; regression guard that Nyx does not refire on the fix"
|
|
},
|
|
{
|
|
"case_id": "cve-c-2019-18634-vulnerable",
|
|
"file": "cve_corpus/c/CVE-2019-18634/vulnerable.c",
|
|
"language": "c",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "memory_safety",
|
|
"cwe": "CWE-120",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"c.memory.strcpy"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
39,
|
|
39
|
|
]
|
|
],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"sudo",
|
|
"pwfeedback",
|
|
"stack-overflow"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2019-18634: sudo pwfeedback stack buffer overflow in getln() when a long stdin token spilled past the feedback buffer; local root on Linux/macOS sudoers with pwfeedback enabled. ISC"
|
|
},
|
|
{
|
|
"case_id": "cve-c-2019-18634-patched",
|
|
"file": "cve_corpus/c/CVE-2019-18634/patched.c",
|
|
"language": "c",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"c.memory.strcpy",
|
|
"c.memory.strcat",
|
|
"c.memory.sprintf",
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"sudo",
|
|
"patched",
|
|
"negative"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2019-18634 patched counterpart: bounded copy routine replaces the strcpy sink; regression guard that Nyx does not refire on the fix"
|
|
},
|
|
{
|
|
"case_id": "cve-cpp-2019-13132-vulnerable",
|
|
"file": "cve_corpus/cpp/CVE-2019-13132/vulnerable.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "memory_safety",
|
|
"cwe": "CWE-120",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"cpp.memory.strcpy"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
32,
|
|
32
|
|
]
|
|
],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"libzmq",
|
|
"zmtp",
|
|
"stack-overflow"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2019-13132: ZeroMQ libzmq v2 decoder trusted attacker-supplied metadata length and copied peer bytes into a fixed on-stack buffer, enabling unauthenticated RCE on curve-disabled sockets. MPL-2.0"
|
|
},
|
|
{
|
|
"case_id": "cve-cpp-2019-13132-patched",
|
|
"file": "cve_corpus/cpp/CVE-2019-13132/patched.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"cpp.memory.strcpy",
|
|
"cpp.memory.strcat",
|
|
"cpp.memory.sprintf",
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"libzmq",
|
|
"patched",
|
|
"negative"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2019-13132 patched counterpart: bounded std::string assign + hard cap removes the strcpy sink; regression guard that Nyx does not refire on the fix"
|
|
},
|
|
{
|
|
"case_id": "cve-cpp-2022-1941-vulnerable",
|
|
"file": "cve_corpus/cpp/CVE-2022-1941/vulnerable.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "memory_safety",
|
|
"cwe": "CWE-120",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"cpp.memory.strcpy"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
37,
|
|
37
|
|
]
|
|
],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"protobuf",
|
|
"parse-context",
|
|
"heap-overflow"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2022-1941: Protocol Buffers C++ ParseContext copied unknown-field bytes into a backing buffer without clamping the declared length, causing OOB read/write in any binary decoding untrusted protobufs. BSD-3-Clause"
|
|
},
|
|
{
|
|
"case_id": "cve-cpp-2022-1941-patched",
|
|
"file": "cve_corpus/cpp/CVE-2022-1941/patched.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"cpp.memory.strcpy",
|
|
"cpp.memory.strcat",
|
|
"cpp.memory.sprintf",
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"protobuf",
|
|
"patched",
|
|
"negative"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2022-1941 patched counterpart: bounded std::string assign + MAX_LABEL cap removes the strcpy sink; regression guard that Nyx does not refire on the fix"
|
|
},
|
|
{
|
|
"case_id": "cve-java-2017-12629-vulnerable",
|
|
"file": "cve_corpus/java/CVE-2017-12629/vulnerable.java",
|
|
"language": "java",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"java.cmdi.runtime_exec"
|
|
],
|
|
"allowed_alternative_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
33,
|
|
33
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
29,
|
|
29
|
|
]
|
|
],
|
|
"tags": [
|
|
"cve",
|
|
"solr",
|
|
"xslt",
|
|
"rce"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2017-12629: Apache Solr XSLT response writer evaluated attacker-supplied stylesheets that reached Runtime.exec via XPath Java-binding extensions; unauthenticated RCE on any exposed Solr node. Apache-2.0"
|
|
},
|
|
{
|
|
"case_id": "cve-java-2017-12629-patched",
|
|
"file": "cve_corpus/java/CVE-2017-12629/patched.java",
|
|
"language": "java",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"java.cmdi.runtime_exec",
|
|
"java.reflection.class_forname",
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"solr",
|
|
"patched",
|
|
"negative"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2017-12629 patched counterpart: transformer name allowlist + in-process secure TransformerFactory removes the Runtime.exec path; regression guard that Nyx does not refire on the fix"
|
|
},
|
|
{
|
|
"case_id": "rs-auth-001",
|
|
"file": "rust/auth/actix_scoped_write_missing.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "auth",
|
|
"cwe": "CWE-862",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"rs.auth.missing_ownership_check"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
17,
|
|
17
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
16,
|
|
16
|
|
]
|
|
],
|
|
"tags": [
|
|
"auth",
|
|
"actix",
|
|
"scoped-id",
|
|
"positive"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Actix handler mutates `project_service::update(project_id, \u2026)` with a path-bound scoped id, no ownership check"
|
|
},
|
|
{
|
|
"case_id": "rs-auth-002",
|
|
"file": "rust/auth/true_positive_missing_check.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "auth",
|
|
"cwe": "CWE-862",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"rs.auth.missing_ownership_check"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
13,
|
|
13
|
|
]
|
|
],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"auth",
|
|
"realtime",
|
|
"scoped-id",
|
|
"positive",
|
|
"phase-a-control"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Authenticated handler that publishes against a group_id with no membership check \u2014 the positive control for the auth-rule FP-remediation work"
|
|
},
|
|
{
|
|
"case_id": "rs-auth-003",
|
|
"file": "rust/auth/row_ownership_no_early_exit.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "auth",
|
|
"cwe": "CWE-862",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"rs.auth.missing_ownership_check"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
28,
|
|
28
|
|
]
|
|
],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"auth",
|
|
"row-ownership",
|
|
"regression-guard",
|
|
"positive"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Equality compared but no early exit \u2014 the check is ineffective so the downstream read on doc_id must still flag (A2 regression guard)"
|
|
},
|
|
{
|
|
"case_id": "rs-auth-101",
|
|
"file": "rust/auth/hashmap_local_noise.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"rs.auth.missing_ownership_check"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"auth",
|
|
"negative",
|
|
"phase-a1",
|
|
"noise-budget-zero"
|
|
],
|
|
"disabled": false,
|
|
"notes": "P0: HashMap/HashSet method calls on locally-constructed bindings \u2014 never an authorization decision (Phase A1 fix)"
|
|
},
|
|
{
|
|
"case_id": "rs-auth-102",
|
|
"file": "rust/auth/helper_scoped_params.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"rs.auth.missing_ownership_check"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"auth",
|
|
"negative",
|
|
"phase-a1",
|
|
"noise-budget-zero"
|
|
],
|
|
"disabled": false,
|
|
"notes": "P4 (partial): library helper whose internal work is `result.insert(..)` on a locally-constructed HashSet \u2014 never a sink (Phase A1 fix)"
|
|
},
|
|
{
|
|
"case_id": "rs-auth-103",
|
|
"file": "rust/auth/row_ownership_equality.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"rs.auth.missing_ownership_check"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"auth",
|
|
"negative",
|
|
"phase-a2",
|
|
"noise-budget-zero"
|
|
],
|
|
"disabled": false,
|
|
"notes": "P3: row-level ownership equality (`if owner_id != user.id { return ... }`) covers downstream column reads on the same row (Phase A2 fix)"
|
|
},
|
|
{
|
|
"case_id": "rs-auth-104",
|
|
"file": "rust/auth/self_scoped_user.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"rs.auth.missing_ownership_check"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"auth",
|
|
"negative",
|
|
"phase-a3",
|
|
"noise-budget-zero"
|
|
],
|
|
"disabled": false,
|
|
"notes": "P5: `let user = require_auth(..).await?` binds the actor \u2014 `user.id` is self, not a scoped foreign id (Phase A3 fix)"
|
|
},
|
|
{
|
|
"case_id": "rs-auth-105",
|
|
"file": "rust/auth/db_connection_type_inferred.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"rs.auth.missing_ownership_check"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"auth",
|
|
"negative",
|
|
"phase-b2",
|
|
"noise-budget-zero"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Phase B2: `rusqlite::Connection::open` infers `DatabaseConnection` type via SSA constructor_type; the handler logs only the caller's own id"
|
|
},
|
|
{
|
|
"case_id": "rs-auth-106",
|
|
"file": "rust/auth/sql_join_acl.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"rs.auth.missing_ownership_check"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"auth",
|
|
"negative",
|
|
"phase-b3",
|
|
"noise-budget-zero"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Phase B3: SELECT through `group_members` ACL JOIN with `WHERE gm.user_id = ?1` makes every returned row membership-gated"
|
|
},
|
|
{
|
|
"case_id": "rs-auth-107",
|
|
"file": "rust/auth/transitive_helper.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"rs.auth.missing_ownership_check"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"auth",
|
|
"negative",
|
|
"phase-b4",
|
|
"noise-budget-zero"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Phase B4: `validate_target` helper internally calls `require_membership(group_id, user.id)` \u2014 handler-level call lifts the auth check transparently"
|
|
},
|
|
{
|
|
"case_id": "rs-safe-014",
|
|
"file": "rust/safe/safe_option_sanitizer.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-regression",
|
|
"path-sanitizer",
|
|
"variant-wrapper"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Option-returning sanitizer: `sanitize_path(s) -> Option<String>` with match-arm Some-binding extraction. Per-return-path PathFact decomposition + structural variant unwrapping closes the FP."
|
|
},
|
|
{
|
|
"case_id": "rs-safe-016",
|
|
"file": "rust/safe/safe_cross_function_dotdot.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-regression",
|
|
"path-sanitizer",
|
|
"cross-function"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Cross-function bool-returning validator with `if !validate(&raw) { return; }` rejection. Per-return-path summary lifts the helper's `dotdot/absolute` narrowing across the call boundary."
|
|
},
|
|
{
|
|
"case_id": "cve-rs-2018-20997-vulnerable",
|
|
"file": "cve_corpus/rust/CVE-2018-20997/vulnerable.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "path_traversal",
|
|
"cwe": "CWE-22",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "MEDIUM",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"cve",
|
|
"tar-rs",
|
|
"zip-slip"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2018-20997 / RUSTSEC-2018-0003: tar-rs zip-slip vulnerability \u2014 entry path interpolated into File::create without `..` rejection. MIT OR Apache-2.0"
|
|
},
|
|
{
|
|
"case_id": "cve-rs-2018-20997-patched",
|
|
"file": "cve_corpus/rust/CVE-2018-20997/patched.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"tar-rs",
|
|
"patched",
|
|
"negative"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2018-20997 patched counterpart: `sanitize_path` rejects `..` traversal and absolute paths. Regression guard that Nyx does not refire on the fix."
|
|
},
|
|
{
|
|
"case_id": "cve-rs-2022-36113-vulnerable",
|
|
"file": "cve_corpus/rust/CVE-2022-36113/vulnerable.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "path_traversal",
|
|
"cwe": "CWE-22",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "MEDIUM",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"cve",
|
|
"cargo",
|
|
"symlink"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2022-36113: cargo `.cargo-ok` symlink follow \u2014 crate name interpolated into File::create without separator/dotdot rejection. MIT OR Apache-2.0"
|
|
},
|
|
{
|
|
"case_id": "cve-rs-2022-36113-patched",
|
|
"file": "cve_corpus/rust/CVE-2022-36113/patched.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"cargo",
|
|
"patched",
|
|
"negative"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2022-36113 patched counterpart: `sanitize_crate_name` + `OpenOptions::create_new`. Regression guard that Nyx does not refire on the fix."
|
|
},
|
|
{
|
|
"case_id": "cve-rs-2024-24576-vulnerable",
|
|
"file": "cve_corpus/rust/CVE-2024-24576/vulnerable.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "cmdi",
|
|
"cwe": "CWE-78",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "MEDIUM",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"cve",
|
|
"rust-stdlib",
|
|
"batbadbut"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2024-24576 / RUSTSEC-2024-0003: BatBadBut \u2014 argument injection into Windows .bat via `Command::new(...).arg`. MIT OR Apache-2.0"
|
|
},
|
|
{
|
|
"case_id": "cve-rs-2024-24576-patched",
|
|
"file": "cve_corpus/rust/CVE-2024-24576/patched.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "real_cve",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "file_presence",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cve",
|
|
"rust-stdlib",
|
|
"patched",
|
|
"negative"
|
|
],
|
|
"disabled": false,
|
|
"notes": "CVE-2024-24576 patched counterpart: cmd.exe-aware allowlist filters argv before reaching update.bat. Regression guard that Nyx does not refire on the fix."
|
|
},
|
|
{
|
|
"case_id": "py-safe-014",
|
|
"file": "python/safe/safe_direct_path_sanitizer.py",
|
|
"language": "python",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"direct-return"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Python equivalent of rs-safe-014: direct-return sanitiser with `\"..\" in s` / `s.startswith(...)` rejection chain returning empty string."
|
|
},
|
|
{
|
|
"case_id": "py-safe-016",
|
|
"file": "python/safe/safe_cross_function_dotdot.py",
|
|
"language": "python",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"cross-function"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Python equivalent of rs-safe-016: cross-function bool-returning validator with `if not validate(raw): return` rejection."
|
|
},
|
|
{
|
|
"case_id": "js-safe-014",
|
|
"file": "javascript/safe/safe_direct_path_sanitizer.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"direct-return"
|
|
],
|
|
"disabled": false,
|
|
"notes": "JS direct-return sanitiser. Standalone `nyx scan --index off` is clean, but the benchmark harness (single-thread + state/auth analysis enabled) reproduces a FP \u2014 diverges from production scan path. Disabled until benchmark/binary parity is re-established."
|
|
},
|
|
{
|
|
"case_id": "ts-safe-014",
|
|
"file": "typescript/safe/safe_direct_path_sanitizer.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"direct-return"
|
|
],
|
|
"disabled": false,
|
|
"notes": "TypeScript equivalent of rs-safe-014: direct-return sanitiser with `s.includes('..')` / `s.startsWith(...)` rejection."
|
|
},
|
|
{
|
|
"case_id": "go-safe-015",
|
|
"file": "go/safe/safe_tuple_path_sanitizer.go",
|
|
"language": "go",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"tuple-return"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Go tuple-returning sanitiser. Standalone scan is clean; benchmark harness (single-thread, state/auth) reports FP. Disabled pending parity investigation."
|
|
},
|
|
{
|
|
"case_id": "go-safe-016",
|
|
"file": "go/safe/safe_cross_function_dotdot.go",
|
|
"language": "go",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"cross-function"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Go cross-function validator. Standalone scan clean; benchmark harness reports FP. Disabled pending parity investigation."
|
|
},
|
|
{
|
|
"case_id": "java-safe-014",
|
|
"file": "java/safe/SafeDirectPathSanitizer.java",
|
|
"language": "java",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"direct-return"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Java equivalent of rs-safe-014: direct-return sanitiser with `.contains` / `.startsWith` rejection."
|
|
},
|
|
{
|
|
"case_id": "java-safe-015",
|
|
"file": "java/safe/SafeOptionalPathSanitizer.java",
|
|
"language": "java",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"optional-return"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Java equivalent of rs-safe-014: `Optional<String>`-returning sanitiser with `Optional.empty()` failure sentinel."
|
|
},
|
|
{
|
|
"case_id": "java-safe-016",
|
|
"file": "java/safe/SafeCrossFunctionDotdot.java",
|
|
"language": "java",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"cross-function"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Java equivalent of rs-safe-016: cross-function bool-returning validator with `if (!validate(...)) return` rejection."
|
|
},
|
|
{
|
|
"case_id": "rb-safe-014",
|
|
"file": "ruby/safe/safe_direct_path_sanitizer.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"direct-return"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Ruby equivalent of rs-safe-014: direct-return sanitiser with `include?` / `start_with?` rejection."
|
|
},
|
|
{
|
|
"case_id": "rb-safe-015",
|
|
"file": "ruby/safe/safe_nil_path_sanitizer.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"nil-sentinel"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Ruby equivalent of rs-safe-014 with explicit nil failure sentinel."
|
|
},
|
|
{
|
|
"case_id": "rb-safe-016",
|
|
"file": "ruby/safe/safe_cross_function_dotdot.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"cross-function"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Ruby equivalent of rs-safe-016: cross-function bool-returning validator with `return unless validate(...)` rejection."
|
|
},
|
|
{
|
|
"case_id": "php-safe-014",
|
|
"file": "php/safe/safe_direct_path_sanitizer.php",
|
|
"language": "php",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"direct-return"
|
|
],
|
|
"disabled": false,
|
|
"notes": "PHP equivalent of rs-safe-014: direct-return sanitiser with `strpos !== false` / leading-char rejection."
|
|
},
|
|
{
|
|
"case_id": "php-safe-015",
|
|
"file": "php/safe/safe_nullable_path_sanitizer.php",
|
|
"language": "php",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"nullable-return"
|
|
],
|
|
"disabled": false,
|
|
"notes": "PHP equivalent of rs-safe-014: `?string` nullable-returning sanitiser with explicit null failure sentinel."
|
|
},
|
|
{
|
|
"case_id": "php-safe-016",
|
|
"file": "php/safe/safe_cross_function_dotdot.php",
|
|
"language": "php",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"cross-function"
|
|
],
|
|
"disabled": false,
|
|
"notes": "PHP equivalent of rs-safe-016: cross-function bool-returning validator."
|
|
},
|
|
{
|
|
"case_id": "c-safe-014",
|
|
"file": "c/safe/safe_direct_path_sanitizer.c",
|
|
"language": "c",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"direct-return"
|
|
],
|
|
"disabled": false,
|
|
"notes": "C direct-return sanitiser. Standalone scan clean; benchmark harness reports FP. Disabled pending parity investigation (Preview-tier C scanning is best-effort already)."
|
|
},
|
|
{
|
|
"case_id": "c-safe-015",
|
|
"file": "c/safe/safe_status_code_sanitizer.c",
|
|
"language": "c",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"status-code"
|
|
],
|
|
"disabled": false,
|
|
"notes": "C status-code idiom sanitiser. Standalone scan clean; benchmark harness reports FP. Disabled."
|
|
},
|
|
{
|
|
"case_id": "c-safe-016",
|
|
"file": "c/safe/safe_cross_function_dotdot.c",
|
|
"language": "c",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"cross-function"
|
|
],
|
|
"disabled": false,
|
|
"notes": "C cross-function validator. Standalone scan clean; benchmark harness reports FP. Disabled."
|
|
},
|
|
{
|
|
"case_id": "cpp-safe-014",
|
|
"file": "cpp/safe/safe_direct_path_sanitizer.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"direct-return"
|
|
],
|
|
"disabled": false,
|
|
"notes": "C++ equivalent of rs-safe-014: direct-return sanitiser using std::string::find."
|
|
},
|
|
{
|
|
"case_id": "cpp-safe-015",
|
|
"file": "cpp/safe/safe_optional_path_sanitizer.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"optional-return"
|
|
],
|
|
"disabled": false,
|
|
"notes": "C++ equivalent of rs-safe-014: `std::optional<std::string>`-returning sanitiser."
|
|
},
|
|
{
|
|
"case_id": "cpp-safe-016",
|
|
"file": "cpp/safe/safe_cross_function_dotdot.cpp",
|
|
"language": "cpp",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"cross-function"
|
|
],
|
|
"disabled": false,
|
|
"notes": "C++ equivalent of rs-safe-016: cross-function bool-returning validator."
|
|
},
|
|
{
|
|
"case_id": "py-safe-015",
|
|
"file": "python/safe/safe_optional_path_sanitizer.py",
|
|
"language": "python",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"optional-sentinel"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Python `Optional[str]`-returning sanitiser with None failure sentinel. Disabled: per-language non-data-return propagation through Optional unwrap is incomplete; deferred follow-up."
|
|
},
|
|
{
|
|
"case_id": "go-safe-014",
|
|
"file": "go/safe/safe_direct_path_sanitizer.go",
|
|
"language": "go",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"direct-return"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Go direct-return sanitiser; tuple-returning go-safe-015 is the language-natural form which fires clean. Direct form deferred (helper return-fact join not yet wired for Go)."
|
|
},
|
|
{
|
|
"case_id": "js-safe-015",
|
|
"file": "javascript/safe/safe_null_path_sanitizer.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"null-sentinel"
|
|
],
|
|
"disabled": false,
|
|
"notes": "JS null-returning sanitiser; deferred while the JS two-level solver per-return-path summary lifting is being completed."
|
|
},
|
|
{
|
|
"case_id": "js-safe-016",
|
|
"file": "javascript/safe/safe_cross_function_dotdot.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"cross-function"
|
|
],
|
|
"disabled": false,
|
|
"notes": "JS cross-function bool validator; per-language helper-summary lifting for the bool-returning helper shape is deferred."
|
|
},
|
|
{
|
|
"case_id": "ts-safe-015",
|
|
"file": "typescript/safe/safe_null_path_sanitizer.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"null-sentinel"
|
|
],
|
|
"disabled": false,
|
|
"notes": "TS nullable-returning sanitiser; deferred \u2014 same reason as js-safe-015."
|
|
},
|
|
{
|
|
"case_id": "ts-safe-016",
|
|
"file": "typescript/safe/safe_cross_function_dotdot.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": null,
|
|
"expected_sink_lines": null,
|
|
"expected_source_lines": null,
|
|
"tags": [
|
|
"pathfact-cross-language",
|
|
"path-sanitizer",
|
|
"cross-function"
|
|
],
|
|
"disabled": false,
|
|
"notes": "TS cross-function bool validator; deferred \u2014 same reason as js-safe-016."
|
|
},
|
|
{
|
|
"case_id": "py-auth-decorator-001",
|
|
"file": "python/safe/safe_login_required_decorator.py",
|
|
"language": "python",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-862",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "analogue",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"state-unauthed-access",
|
|
"cfg-auth-gap",
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": "NONE",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"precision-2026-04-25"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Flask @login_required decorator must suppress auth findings"
|
|
},
|
|
{
|
|
"case_id": "py-auth-decorator-vuln-001",
|
|
"file": "python/auth/vuln_no_auth_decorator.py",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "auth",
|
|
"cwe": "CWE-862",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "analogue",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"cfg-auth-gap"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
11,
|
|
11
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"tags": [
|
|
"precision-2026-04-25"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Same shape but missing decorator \u2014 auth-gap fires"
|
|
},
|
|
{
|
|
"case_id": "java-preauth-001",
|
|
"file": "java/auth/SafePreAuthorize.java",
|
|
"language": "java",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-862",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "analogue",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"state-unauthed-access",
|
|
"cfg-auth-gap",
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": "NONE",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"precision-2026-04-25"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Spring @PreAuthorize annotation must suppress auth findings"
|
|
},
|
|
{
|
|
"case_id": "java-preauth-vuln-001",
|
|
"file": "java/auth/VulnNoPreAuthorize.java",
|
|
"language": "java",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "analogue",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
13,
|
|
13
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
11,
|
|
11
|
|
]
|
|
],
|
|
"tags": [
|
|
"precision-2026-04-25"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Servlet doGet without auth \u2014 taint flow fires"
|
|
},
|
|
{
|
|
"case_id": "php-isgranted-001",
|
|
"file": "php/auth/safe_isgranted.php",
|
|
"language": "php",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-862",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "analogue",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"state-unauthed-access",
|
|
"cfg-auth-gap",
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": "NONE",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"precision-2026-04-25"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Symfony #[IsGranted] attribute must suppress auth findings"
|
|
},
|
|
{
|
|
"case_id": "php-isgranted-vuln-001",
|
|
"file": "php/auth/vuln_no_isgranted.php",
|
|
"language": "php",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "analogue",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
7,
|
|
7
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
6,
|
|
6
|
|
]
|
|
],
|
|
"tags": [
|
|
"precision-2026-04-25"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Top-level handler without IsGranted \u2014 taint flow fires"
|
|
},
|
|
{
|
|
"case_id": "ruby-before-action-001",
|
|
"file": "ruby/auth/safe_before_action.rb",
|
|
"language": "ruby",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-862",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "analogue",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"state-unauthed-access",
|
|
"cfg-auth-gap",
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": "NONE",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"precision-2026-04-25"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Rails before_action :authenticate_user must suppress auth findings"
|
|
},
|
|
{
|
|
"case_id": "js-allowlist-dispatch-001",
|
|
"file": "javascript/safe/safe_switch_dispatch.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-78",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "analogue",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow",
|
|
"state-unauthed-access"
|
|
],
|
|
"expected_severity": "NONE",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"precision-2026-04-25"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Allowlist-then-exec pattern \u2014 engine must recognise membership check"
|
|
},
|
|
{
|
|
"case_id": "ts-iife-closure-001",
|
|
"file": "typescript/safe/safe_iife_closure_sanitizer.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "analogue",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": "NONE",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"precision-2026-04-25"
|
|
],
|
|
"disabled": false,
|
|
"notes": "IIFE wrapper around handler with encodeURIComponent \u2014 must be cleared"
|
|
},
|
|
{
|
|
"case_id": "ts-iife-closure-vuln-001",
|
|
"file": "typescript/xss/vuln_iife_closure_no_sanitizer.ts",
|
|
"language": "typescript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "analogue",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
16,
|
|
16
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
14,
|
|
14
|
|
]
|
|
],
|
|
"tags": [
|
|
"precision-2026-04-25"
|
|
],
|
|
"disabled": false,
|
|
"notes": "IIFE wrapper without sanitizer \u2014 taint must propagate through closure"
|
|
},
|
|
{
|
|
"case_id": "py-validator-sentinel-001",
|
|
"file": "python/safe/safe_validator_sentinel.py",
|
|
"language": "python",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "analogue",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow",
|
|
"state-unauthed-access",
|
|
"cfg-auth-gap"
|
|
],
|
|
"expected_severity": "NONE",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"precision-2026-04-25"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Cross-fn validator with empty-string sentinel + decorator"
|
|
},
|
|
{
|
|
"case_id": "py-validator-sentinel-vuln-001",
|
|
"file": "python/sqli/vuln_validator_sentinel_bypass.py",
|
|
"language": "python",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "sqli",
|
|
"cwe": "CWE-89",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "analogue",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
22,
|
|
22
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
17,
|
|
17
|
|
]
|
|
],
|
|
"tags": [
|
|
"precision-2026-04-25"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Same shape with inverted sentinel check \u2014 SQLi fires"
|
|
},
|
|
{
|
|
"case_id": "py-context-sanitize-001",
|
|
"file": "python/safe/safe_with_context_sanitize.py",
|
|
"language": "python",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-22",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "analogue",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow",
|
|
"state-unauthed-access",
|
|
"cfg-auth-gap"
|
|
],
|
|
"expected_severity": "NONE",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"precision-2026-04-25"
|
|
],
|
|
"disabled": false,
|
|
"notes": "with-block resource around sanitised path read + decorator auth"
|
|
},
|
|
{
|
|
"case_id": "js-destructure-sanitize-001",
|
|
"file": "javascript/safe/safe_object_destructure_sanitize.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "analogue",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"expected_severity": "NONE",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"precision-2026-04-25"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Destructured field flows through encodeURIComponent before HTML sink"
|
|
},
|
|
{
|
|
"case_id": "js-destructure-vuln-001",
|
|
"file": "javascript/xss/vuln_object_destructure_no_sanitize.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": true,
|
|
"vuln_class": "xss",
|
|
"cwe": "CWE-79",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "analogue",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [
|
|
"taint-unsanitised-flow"
|
|
],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [],
|
|
"expected_severity": "HIGH",
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [
|
|
[
|
|
10,
|
|
10
|
|
]
|
|
],
|
|
"expected_source_lines": [
|
|
[
|
|
8,
|
|
8
|
|
]
|
|
],
|
|
"tags": [
|
|
"precision-2026-04-25"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Destructured field straight into template-literal HTML sink"
|
|
},
|
|
{
|
|
"case_id": "rs-auth-realrepo-001",
|
|
"file": "rust/auth/self_actor_uid_copy.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"rs.auth.missing_ownership_check"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"auth",
|
|
"negative",
|
|
"real-repo-precision-2026-04-25"
|
|
],
|
|
"disabled": false,
|
|
"notes": "`let user = match require_auth() { Ok(u) => u, ... }; let uid = user.id; query(.., &[uid])` — transitive copy of self-actor id (website/handlers/accounts.rs)"
|
|
},
|
|
{
|
|
"case_id": "rs-auth-realrepo-002",
|
|
"file": "rust/auth/require_resource_role_helper.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"rs.auth.missing_ownership_check"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"auth",
|
|
"negative",
|
|
"real-repo-precision-2026-04-25"
|
|
],
|
|
"disabled": false,
|
|
"notes": "`require_trip_member(..)` recognised structurally as `require_<resource>_<role>` (website/handlers/activities.rs)"
|
|
},
|
|
{
|
|
"case_id": "rs-auth-realrepo-003",
|
|
"file": "rust/auth/self_publish_email.rs",
|
|
"language": "rust",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"rs.auth.missing_ownership_check"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"auth",
|
|
"negative",
|
|
"real-repo-precision-2026-04-25"
|
|
],
|
|
"disabled": false,
|
|
"notes": "`realtime::publish_to_user(&user.email, ..)` — self-channel publish with email as self-identity field (website/handlers/social.rs)"
|
|
},
|
|
{
|
|
"case_id": "js-safe-realrepo-001",
|
|
"file": "javascript/safe/safe_dom_globals_and_methods.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"js.auth.missing_ownership_check"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"auth",
|
|
"negative",
|
|
"real-repo-precision-2026-04-25"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Browser DOM globals (`document`, `window`, `localStorage`) and DOM-API methods (`addEventListener`, `appendChild`, `getElementById`) are non-data-layer (website/public/app/core/app.js)"
|
|
},
|
|
{
|
|
"case_id": "js-safe-realrepo-002",
|
|
"file": "javascript/safe/safe_happy_path_error_check.js",
|
|
"language": "javascript",
|
|
"is_vulnerable": false,
|
|
"vuln_class": "safe",
|
|
"cwe": "N/A",
|
|
"provenance": "synthetic",
|
|
"equivalence_tier": "exact",
|
|
"match_mode": "rule_match",
|
|
"expected_rule_ids": [],
|
|
"allowed_alternative_rule_ids": [],
|
|
"forbidden_rule_ids": [
|
|
"cfg-error-fallthrough"
|
|
],
|
|
"expected_severity": null,
|
|
"expected_category": "Security",
|
|
"expected_sink_lines": [],
|
|
"expected_source_lines": [],
|
|
"tags": [
|
|
"cfg",
|
|
"negative",
|
|
"real-repo-precision-2026-04-25"
|
|
],
|
|
"disabled": false,
|
|
"notes": "Happy-path `if (!data.error && Array.isArray(...))` and body-mentioning-err do not fire `cfg-error-fallthrough` (website/public/app/core/app.js)"
|
|
}
|
|
]
|
|
} |