apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-06 19:35:13 +02:00
Code Issues Projects Releases Packages Wiki Activity
nyx/tests/benchmark/ground_truth.json
Eli Peter fb698d2c27
Performance and precision pass (#64)
2026-05-04 19:58:04 -04:00

17796 lines
No EOL
521 KiB
JSON
Raw Blame History

{
"schema_version": "1.0",
"metadata": {
"description": "Nyx benchmark ground truth",
"created": "2026-03-20",
"corpus_size": 567
},
"cases": [
{
"case_id": "js-sqli-001",
"file": "javascript/sqli/sqli_concat.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "analogue",
"match_mode": "rule_match",
"expected_rule_ids": [
"js.code_exec.eval"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
5,
5
]
],
"expected_source_lines": [
[
4,
4
]
],
"tags": [
"concat",
"eval-proxy"
],
"disabled": false,
"notes": "eval used as proxy for SQL query; analogue tier because real SQL sink is not modeled directly"
},
{
"case_id": "js-sqli-002",
"file": "javascript/sqli/sqli_template.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "analogue",
"match_mode": "rule_match",
"expected_rule_ids": [
"js.code_exec.eval"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
5,
5
]
],
"expected_source_lines": [
[
4,
4
]
],
"tags": [
"template-literal",
"eval-proxy"
],
"disabled": false,
"notes": "eval used as proxy for SQL query with template literal interpolation"
},
{
"case_id": "js-cmdi-001",
"file": "javascript/cmdi/cmdi_direct.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"js.cmdi.exec"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"child_process"
],
"disabled": false,
"notes": "Direct flow from req.query.cmd to exec()"
},
{
"case_id": "js-cmdi-002",
"file": "javascript/cmdi/cmdi_indirect.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"js.cmdi.exec"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"indirect",
"concat",
"child_process"
],
"disabled": false,
"notes": "Indirect flow via string concat to exec()"
},
{
"case_id": "js-xss-001",
"file": "javascript/xss/xss_reflected.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
5,
5
]
],
"expected_source_lines": [
[
4,
4
]
],
"tags": [
"innerHTML",
"reflected"
],
"disabled": false,
"notes": "Reflected XSS via innerHTML assignment; taint-based detection (no AST pattern for innerHTML)"
},
{
"case_id": "js-xss-002",
"file": "javascript/xss/xss_document_write.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"js.xss.document_write"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
5,
5
]
],
"expected_source_lines": [
[
4,
4
]
],
"tags": [
"document-write"
],
"disabled": false,
"notes": "XSS via document.write with user-controlled content"
},
{
"case_id": "js-xss-003",
"file": "javascript/xss/xss_location.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-601",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"js.xss.location_assign"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
5,
5
]
],
"expected_source_lines": [
[
4,
4
]
],
"tags": [
"open-redirect",
"location-href"
],
"disabled": false,
"notes": "Open redirect via location.href assignment"
},
{
"case_id": "js-ssrf-001",
"file": "javascript/ssrf/ssrf_fetch.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
5,
5
]
],
"expected_source_lines": [
[
4,
4
]
],
"tags": [
"fetch",
"ssrf"
],
"disabled": false,
"notes": "SSRF via fetch() with user-controlled URL"
},
{
"case_id": "js-path_traversal-001",
"file": "javascript/path_traversal/path_traversal.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"sendFile",
"path-traversal"
],
"disabled": false,
"notes": "Path traversal via res.sendFile with user-controlled path"
},
{
"case_id": "js-code_injection-001",
"file": "javascript/code_injection/code_injection.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "code_injection",
"cwe": "CWE-94",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"js.code_exec.eval"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
5,
5
]
],
"expected_source_lines": [
[
4,
4
]
],
"tags": [
"eval",
"code-injection"
],
"disabled": false,
"notes": "Code injection via eval() with user-controlled expression"
},
{
"case_id": "js-code_injection-002",
"file": "javascript/code_injection/code_injection_indirect.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "code_injection",
"cwe": "CWE-94",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
4,
4
]
],
"tags": [
"new-function",
"indirect",
"code-injection"
],
"disabled": false,
"notes": "Code injection via new Function() with user-controlled template"
},
{
"case_id": "js-safe-001",
"file": "javascript/safe/safe_constant.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"constant",
"no-source"
],
"disabled": false,
"notes": "Constant string argument to exec; no user-controlled data"
},
{
"case_id": "js-safe-002",
"file": "javascript/safe/safe_dominated.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"allowlist",
"dominated-check"
],
"disabled": false,
"notes": "User input dominated by allowlist check before reaching exec()"
},
{
"case_id": "js-safe-003",
"file": "javascript/safe/safe_interprocedural.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"sanitizer",
"dompurify",
"interprocedural"
],
"disabled": false,
"notes": "DOMPurify sanitizer applied via helper function before innerHTML"
},
{
"case_id": "js-safe-004",
"file": "javascript/safe/safe_non_security_sink.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"non-security-sink",
"console-log"
],
"disabled": false,
"notes": "User input flows to console.log and length computation, not a security sink"
},
{
"case_id": "js-safe-005",
"file": "javascript/safe/safe_reassigned.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"reassignment",
"killed-taint"
],
"disabled": false,
"notes": "Tainted variable reassigned to constant before reaching innerHTML"
},
{
"case_id": "js-safe-006",
"file": "javascript/safe/safe_sanitized.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"sanitizer",
"dompurify"
],
"disabled": false,
"notes": "DOMPurify.sanitize applied inline before innerHTML assignment"
},
{
"case_id": "js-safe-007",
"file": "javascript/safe/safe_type_check.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"type-check",
"typeof-guard"
],
"disabled": false,
"notes": "typeof check guards eval(); only numbers reach the sink"
},
{
"case_id": "js-safe-008",
"file": "javascript/safe/safe_validated.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"allowlist",
"validated"
],
"disabled": false,
"notes": "Allowlist validation before exec(); only permitted commands reach sink"
},
{
"case_id": "py-sqli-001",
"file": "python/sqli/sqli_concat.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"state-resource-leak"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
8,
8
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"concat",
"cursor-execute"
],
"disabled": false,
"notes": "SQL injection via string concat in cursor.execute()"
},
{
"case_id": "py-sqli-002",
"file": "python/sqli/sqli_format.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"py.sqli.execute_format"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow",
"state-resource-leak"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
8,
8
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"format-string",
"cursor-execute"
],
"disabled": false,
"notes": "SQL injection via % format operator in cursor.execute()"
},
{
"case_id": "py-cmdi-001",
"file": "python/cmdi/cmdi_direct.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"py.cmdi.os_system"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"os-system"
],
"disabled": false,
"notes": "Direct command injection via os.system()"
},
{
"case_id": "py-cmdi-002",
"file": "python/cmdi/cmdi_indirect.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"py.cmdi.subprocess_shell"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
7,
7
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"indirect",
"subprocess",
"shell-true"
],
"disabled": false,
"notes": "Command injection via subprocess.run with shell=True"
},
{
"case_id": "py-xss-001",
"file": "python/xss/xss_reflected.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
5,
5
]
],
"expected_source_lines": [
[
4,
4
]
],
"tags": [
"reflected",
"make-response"
],
"disabled": false,
"notes": "Reflected XSS via make_response with unescaped user input in HTML"
},
{
"case_id": "py-xss-002",
"file": "python/xss/xss_template_string.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"py.xss.jinja_from_string"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"jinja2",
"template-injection"
],
"disabled": false,
"notes": "Server-side template injection via jinja2.Template with user-controlled string"
},
{
"case_id": "py-ssrf-001",
"file": "python/ssrf/ssrf_requests.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cfg-unguarded-sink"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"requests-get",
"ssrf"
],
"disabled": false,
"notes": "SSRF via requests.get() with user-controlled URL"
},
{
"case_id": "py-path_traversal-001",
"file": "python/path_traversal/path_traversal.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
5,
5
]
],
"expected_source_lines": [
[
4,
4
]
],
"tags": [
"send-file",
"path-traversal"
],
"disabled": false,
"notes": "Path traversal via send_file() with user-controlled path"
},
{
"case_id": "py-path_traversal-no-relative-to",
"file": "python/path_traversal/path_traversal_no_relative_to.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
11,
11
]
],
"expected_source_lines": [
[
9,
9
]
],
"tags": [
"path-traversal",
"regression-guard"
],
"disabled": false,
"notes": "Negative companion to safe_relative_to_validator: no relative_to() validator on filepath, taint must propagate to send_file"
},
{
"case_id": "py-deser-001",
"file": "python/deser/deser_pickle.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "deser",
"cwe": "CWE-502",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"py.deser.pickle_loads"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"pickle",
"deserialization"
],
"disabled": false,
"notes": "Insecure deserialization via pickle.loads with user-controlled data"
},
{
"case_id": "py-code_injection-001",
"file": "python/code_injection/code_injection.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "code_injection",
"cwe": "CWE-94",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"py.code_exec.eval"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
5,
5
]
],
"expected_source_lines": [
[
4,
4
]
],
"tags": [
"eval",
"code-injection"
],
"disabled": false,
"notes": "Code injection via eval() with user-controlled expression"
},
{
"case_id": "py-code_injection-002",
"file": "python/code_injection/code_injection_exec.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "code_injection",
"cwe": "CWE-94",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"py.code_exec.exec"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
5,
5
]
],
"expected_source_lines": [
[
4,
4
]
],
"tags": [
"exec",
"code-injection"
],
"disabled": false,
"notes": "Code injection via exec() with user-controlled code string"
},
{
"case_id": "py-safe-001",
"file": "python/safe/safe_constant.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"constant",
"no-source"
],
"disabled": false,
"notes": "Constant string argument to os.system; no user-controlled data"
},
{
"case_id": "py-safe-002",
"file": "python/safe/safe_dominated.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"allowlist",
"dominated-check"
],
"disabled": false,
"notes": "User input dominated by allowlist membership check before os.system()"
},
{
"case_id": "py-safe-003",
"file": "python/safe/safe_interprocedural.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"sanitizer",
"shlex-quote",
"interprocedural"
],
"disabled": false,
"notes": "shlex.quote sanitizer applied via helper function before os.system()"
},
{
"case_id": "py-safe-004",
"file": "python/safe/safe_non_security_sink.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"non-security-sink",
"logging"
],
"disabled": false,
"notes": "User input flows to logging.info and length computation, not a security sink"
},
{
"case_id": "py-safe-005",
"file": "python/safe/safe_reassigned.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"reassignment",
"killed-taint"
],
"disabled": false,
"notes": "Tainted variable reassigned to constant before reaching os.system()"
},
{
"case_id": "py-safe-006",
"file": "python/safe/safe_sanitized.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"sanitizer",
"shlex-quote"
],
"disabled": false,
"notes": "shlex.quote sanitizer applied inline before os.system()"
},
{
"case_id": "py-safe-007",
"file": "python/safe/safe_type_check.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"type-check",
"isinstance-guard"
],
"disabled": false,
"notes": "isinstance check guards cursor.execute(); only ints reach the sink"
},
{
"case_id": "py-safe-008",
"file": "python/safe/safe_validated.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"allowlist",
"validated"
],
"disabled": false,
"notes": "Allowlist validation before os.system(); only permitted commands reach sink"
},
{
"case_id": "java-sqli-001",
"file": "java/sqli/SqliConcat.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"java.sqli.execute_concat"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow",
"state-resource-leak"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
9,
9
]
],
"expected_source_lines": [
[
6,
6
]
],
"tags": [
"concat",
"executeQuery"
],
"disabled": false,
"notes": "SQL injection via string concat in executeQuery()"
},
{
"case_id": "java-sqli-002",
"file": "java/sqli/SqliFormat.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"java.sqli.execute_concat"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow",
"state-resource-leak"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
9,
9
]
],
"expected_source_lines": [
[
6,
6
]
],
"tags": [
"string-format",
"executeQuery"
],
"disabled": false,
"notes": "SQL injection via String.format in executeQuery()"
},
{
"case_id": "java-cmdi-001",
"file": "java/cmdi/CmdiDirect.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"java.cmdi.runtime_exec"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"runtime-exec"
],
"disabled": false,
"notes": "Direct command injection via Runtime.exec()"
},
{
"case_id": "java-cmdi-002",
"file": "java/cmdi/CmdiIndirect.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"java.cmdi.runtime_exec"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"indirect",
"concat",
"runtime-exec"
],
"disabled": false,
"notes": "Indirect command injection via string concat to Runtime.exec()"
},
{
"case_id": "java-xss-001",
"file": "java/xss/XssReflected.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"java.xss.getwriter_print"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
8,
8
]
],
"expected_source_lines": [
[
6,
6
]
],
"tags": [
"reflected",
"getwriter-println"
],
"disabled": false,
"notes": "Reflected XSS via getWriter().println() with unescaped user input"
},
{
"case_id": "java-ssrf-001",
"file": "java/ssrf/SsrfRequest.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"state-resource-leak"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
8,
8
]
],
"expected_source_lines": [
[
7,
7
]
],
"tags": [
"url-connection",
"ssrf"
],
"disabled": false,
"notes": "SSRF via URL.openConnection() with user-controlled URL"
},
{
"case_id": "java-ssrf-002",
"file": "java/ssrf/SsrfHttpClient.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
10,
10
]
],
"expected_source_lines": [
[
7,
7
]
],
"tags": [
"http-client",
"ssrf"
],
"disabled": false,
"notes": "SSRF via HttpClient.send() with user-controlled URL"
},
{
"case_id": "java-path_traversal-001",
"file": "java/path_traversal/PathTraversal.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"state-resource-leak"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
7,
7
]
],
"expected_source_lines": [
[
6,
6
]
],
"tags": [
"file-input-stream",
"path-traversal"
],
"disabled": false,
"notes": "Path traversal via FileInputStream with user-controlled path"
},
{
"case_id": "java-deser-001",
"file": "java/deser/DeserOis.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "deser",
"cwe": "CWE-502",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"java.deser.readobject"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
7,
7
]
],
"expected_source_lines": [
[
6,
6
]
],
"tags": [
"object-input-stream",
"deserialization"
],
"disabled": false,
"notes": "Insecure deserialization via ObjectInputStream.readObject()"
},
{
"case_id": "java-deser-002",
"file": "java/deser/DeserSource.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "deser",
"cwe": "CWE-502",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"java.deser.readobject",
"java.cmdi.runtime_exec"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
7,
8
]
],
"expected_source_lines": [
[
6,
6
]
],
"tags": [
"deser-to-exec",
"chained"
],
"disabled": false,
"notes": "Deserialized object flows to Runtime.exec(); both readObject and exec patterns should match"
},
{
"case_id": "java-code_injection-001",
"file": "java/code_injection/CodeInjection.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "code_injection",
"cwe": "CWE-94",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"java.reflection.class_forname"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"reflection",
"class-forname"
],
"disabled": false,
"notes": "Code injection via Class.forName() with user-controlled class name"
},
{
"case_id": "java-safe-001",
"file": "java/safe/SafeConstant.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"constant",
"no-source"
],
"disabled": false,
"notes": "Constant string in executeQuery(); no user-controlled data"
},
{
"case_id": "java-safe-002",
"file": "java/safe/SafeDominated.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"allowlist",
"dominated-check"
],
"disabled": false,
"notes": "User input dominated by allowlist Set.contains() check before Runtime.exec()"
},
{
"case_id": "java-safe-003",
"file": "java/safe/SafeInterprocedural.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"sanitizer",
"html-escape",
"interprocedural"
],
"disabled": false,
"notes": "HtmlUtils.htmlEscape sanitizer applied via helper method before getWriter().println()"
},
{
"case_id": "java-safe-004",
"file": "java/safe/SafeNonSecuritySink.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"non-security-sink",
"logger"
],
"disabled": false,
"notes": "User input flows to Logger.info and length computation; output is String.valueOf(len)"
},
{
"case_id": "java-safe-005",
"file": "java/safe/SafeReassigned.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"reassignment",
"killed-taint"
],
"disabled": false,
"notes": "Tainted variable reassigned to constant 'Guest' before reaching getWriter().println()"
},
{
"case_id": "java-safe-006",
"file": "java/safe/SafeSanitized.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"sanitizer",
"html-escape"
],
"disabled": false,
"notes": "HtmlUtils.htmlEscape sanitizer applied inline before getWriter().println()"
},
{
"case_id": "java-safe-007",
"file": "java/safe/SafeTypeCheck.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"type-check",
"regex-guard"
],
"disabled": false,
"notes": "Regex matches(\"\\\\d+\") check guards executeQuery(); only numeric strings reach the sink"
},
{
"case_id": "java-safe-008",
"file": "java/safe/SafeValidated.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"allowlist",
"validated"
],
"disabled": false,
"notes": "Allowlist validation before Runtime.exec(); only permitted commands reach sink"
},
{
"case_id": "go-sqli-001",
"file": "go/sqli/sqli_concat.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"go.sqli.query_concat"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow",
"state-resource-leak"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
11,
11
]
],
"expected_source_lines": [
[
9,
9
]
],
"tags": [
"concat",
"db-query"
],
"disabled": false,
"notes": "SQL injection via string concat in db.Query()"
},
{
"case_id": "go-sqli-002",
"file": "go/sqli/sqli_sprintf.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"go.sqli.query_concat"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow",
"state-resource-leak"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
12,
12
]
],
"expected_source_lines": [
[
10,
10
]
],
"tags": [
"sprintf",
"db-exec"
],
"disabled": false,
"notes": "SQL injection via fmt.Sprintf in db.Exec()"
},
{
"case_id": "go-sqli-003",
"file": "go/sqli/sqli_queryrow.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"go.sqli.query_concat"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow",
"state-resource-leak"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
12,
12
]
],
"expected_source_lines": [
[
9,
9
]
],
"tags": [
"concat",
"db-queryrow"
],
"disabled": false,
"notes": "SQL injection via string concat in db.QueryRow()"
},
{
"case_id": "go-sqli-004",
"file": "go/sqli/sqli_for_range.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
17,
17
]
],
"expected_source_lines": [
[
15,
15
]
],
"tags": [
"sqli",
"goqu",
"for-range"
],
"disabled": false,
"notes": "CVE-Hunt session 6 regression guard: Go for-range loop binding inherits taint from iterable; goqu.L(p) is SQL_QUERY sink. Pins src/cfg/literals.rs def_use Kind::For range_clause arm + src/labels/go.rs goqu.L sink."
},
{
"case_id": "go-sqli-safe-001",
"file": "go/safe/safe_sqli_for_range_allowlist.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"sqli",
"goqu",
"for-range",
"safe",
"negative"
],
"disabled": false,
"notes": "CVE-Hunt session 6 negative pair: same for-range shape as go-sqli-004 but binding is allowlisted before reaching goqu.I (typed identifier, not raw SQL)."
},
{
"case_id": "go-cmdi-001",
"file": "go/cmdi/cmdi_direct.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"go.cmdi.exec_command"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow",
"state-unauthed-access"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
10,
10
]
],
"expected_source_lines": [
[
9,
9
]
],
"tags": [
"direct",
"exec-command"
],
"disabled": false,
"notes": "Direct command injection via exec.Command()"
},
{
"case_id": "go-cmdi-002",
"file": "go/cmdi/cmdi_indirect.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"go.cmdi.exec_command"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow",
"state-unauthed-access"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
11,
11
]
],
"expected_source_lines": [
[
9,
9
]
],
"tags": [
"indirect",
"concat",
"exec-command",
"shell"
],
"disabled": false,
"notes": "Indirect command injection via string concat to exec.Command(\"sh\", \"-c\", cmd)"
},
{
"case_id": "go-cmdi-003",
"file": "go/cmdi_env/cmdi_env.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "language_specific",
"match_mode": "rule_match",
"expected_rule_ids": [
"go.cmdi.exec_command"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
10,
10
]
],
"expected_source_lines": [
[
9,
9
]
],
"tags": [
"env-source",
"exec-command",
"shell"
],
"disabled": false,
"notes": "Command injection via os.Getenv source flowing to exec.Command; language_specific tier because env-var source pattern is Go-specific"
},
{
"case_id": "go-cmdi-004",
"file": "go/cmdi/cmdi_unvalidated_queue_element.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"go.cmdi.exec_command"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow",
"state-unauthed-access"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
13,
13
]
],
"expected_source_lines": [
[
12,
12
]
],
"tags": [
"container-element",
"index-read",
"exec-command",
"pointer-w5"
],
"disabled": false,
"notes": "Tainted user input pushed into a slice via append(); unsanitised element re-read with cmds[0] flows to exec.Command. Exercises W5 subscript-read recognition + W2 container ELEM cell flow."
},
{
"case_id": "go-xss-001",
"file": "go/xss/xss_fprintf.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
10,
10
]
],
"expected_source_lines": [
[
9,
9
]
],
"tags": [
"fmt-fprintf",
"response-writer"
],
"disabled": false,
"notes": "XSS via fmt.Fprintf to ResponseWriter with unescaped user input"
},
{
"case_id": "go-xss-002",
"file": "go/xss/xss_template_html.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
11,
11
]
],
"expected_source_lines": [
[
9,
9
]
],
"tags": [
"template-html",
"unsafe-cast"
],
"disabled": false,
"notes": "XSS via template.HTML() cast bypassing html/template auto-escaping"
},
{
"case_id": "go-ssrf-001",
"file": "go/ssrf/ssrf_http_get.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
9,
9
]
],
"expected_source_lines": [
[
8,
8
]
],
"tags": [
"http-get",
"ssrf"
],
"disabled": false,
"notes": "SSRF via http.Get() with user-controlled URL"
},
{
"case_id": "go-path_traversal-001",
"file": "go/path_traversal/path_traversal.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"state-unauthed-access"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
10,
10
]
],
"expected_source_lines": [
[
9,
9
]
],
"tags": [
"os-readfile",
"path-traversal"
],
"disabled": false,
"notes": "Path traversal via os.ReadFile() with user-controlled path"
},
{
"case_id": "go-fmt_string-001",
"file": "go/fmt_string/fmt_injection.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "fmt_string",
"cwe": "CWE-134",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
10,
10
]
],
"expected_source_lines": [
[
9,
9
]
],
"tags": [
"fmt-fprintf",
"format-string-injection"
],
"disabled": false,
"notes": "Format string injection via user-controlled format arg to fmt.Fprintf()"
},
{
"case_id": "go-safe-001",
"file": "go/safe/safe_constant.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"constant",
"no-source"
],
"disabled": false,
"notes": "Constant string arguments to exec.Command; no user-controlled data"
},
{
"case_id": "go-safe-002",
"file": "go/safe/safe_dominated.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"state-unauthed-access"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"allowlist",
"dominated-check",
"map-lookup"
],
"disabled": false,
"notes": "User input dominated by map allowlist check before exec.Command()"
},
{
"case_id": "go-safe-003",
"file": "go/safe/safe_interprocedural.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"state-unauthed-access"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"sanitizer",
"filepath-clean",
"interprocedural"
],
"disabled": false,
"notes": "filepath.Clean sanitizer applied via helper function before os.ReadFile(); auth guard present"
},
{
"case_id": "go-safe-004",
"file": "go/safe/safe_non_security_sink.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"non-security-sink",
"log-printf"
],
"disabled": false,
"notes": "User input flows to log.Printf and length output; no security-sensitive sink"
},
{
"case_id": "go-safe-005",
"file": "go/safe/safe_reassigned.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"reassignment",
"killed-taint"
],
"disabled": false,
"notes": "Tainted variable reassigned to constant 'Guest' before reaching fmt.Fprintf()"
},
{
"case_id": "go-safe-006",
"file": "go/safe/safe_sanitized.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"state-unauthed-access"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"sanitizer",
"filepath-clean"
],
"disabled": false,
"notes": "filepath.Clean sanitizer applied inline before os.ReadFile(); auth guard present"
},
{
"case_id": "go-safe-007",
"file": "go/safe/safe_type_check.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"type-check",
"strconv-atoi-guard"
],
"disabled": false,
"notes": "strconv.Atoi check guards db.Query(); only valid integers reach the sink"
},
{
"case_id": "go-safe-008",
"file": "go/safe/safe_validated.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"state-unauthed-access"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"allowlist",
"validated",
"map-lookup"
],
"disabled": false,
"notes": "Allowlist map validation before exec.Command(); only permitted commands reach sink"
},
{
"case_id": "go-safe-009",
"file": "go/safe/safe_validated_queue_element.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"go.cmdi.exec_command",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"validated",
"container-element",
"index-read",
"pointer-w4-w5"
],
"disabled": false,
"notes": "validate() sanitises before append(); cmds[0] re-read carries the validated_must bit through the W4 ELEM cell + W5 subscript synth, suppressing the cmdi finding."
},
{
"case_id": "php-sqli-001",
"file": "php/sqli/sqli_concat.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"php.sqli.query_concat"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow",
"state-resource-leak"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
4,
4
]
],
"expected_source_lines": [
[
2,
2
]
],
"tags": [
"concat",
"mysqli-query"
],
"disabled": false,
"notes": "SQL injection via string concat in mysqli->query()"
},
{
"case_id": "php-sqli-002",
"file": "php/sqli/sqli_sprintf.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"php.sqli.query_concat"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow",
"state-resource-leak"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
4,
4
]
],
"expected_source_lines": [
[
2,
2
]
],
"tags": [
"sprintf",
"mysqli-query"
],
"disabled": false,
"notes": "SQL injection via sprintf in mysqli->query()"
},
{
"case_id": "php-cmdi-001",
"file": "php/cmdi/cmdi_direct.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"php.cmdi.system"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
3,
3
]
],
"expected_source_lines": [
[
2,
2
]
],
"tags": [
"direct",
"system"
],
"disabled": false,
"notes": "Direct command injection via system()"
},
{
"case_id": "php-cmdi-002",
"file": "php/cmdi/cmdi_indirect.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"php.cmdi.system"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
3,
3
]
],
"expected_source_lines": [
[
2,
2
]
],
"tags": [
"indirect",
"shell-exec",
"concat"
],
"disabled": false,
"notes": "Indirect command injection via shell_exec(); taint-based since shell_exec is not directly an AST pattern"
},
{
"case_id": "php-xss-001",
"file": "php/xss/xss_reflected.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
3,
3
]
],
"expected_source_lines": [
[
2,
2
]
],
"tags": [
"echo",
"reflected"
],
"disabled": false,
"notes": "Reflected XSS via echo with unescaped user input in HTML"
},
{
"case_id": "php-ssrf-001",
"file": "php/ssrf/ssrf_curl.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
3,
3
]
],
"expected_source_lines": [
[
2,
2
]
],
"tags": [
"file-get-contents",
"ssrf"
],
"disabled": false,
"notes": "SSRF via file_get_contents() with user-controlled URL"
},
{
"case_id": "php-ssrf-002",
"file": "php/ssrf/ssrf_class_method_fopen.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
15,
15
]
],
"expected_source_lines": [
[
14,
14
]
],
"tags": [
"fopen",
"ssrf",
"class-method"
],
"disabled": false,
"notes": "Regression: PHP class-method body taint analysis (declaration_list mapped to Kind::Block) + fopen as PHP SSRF sink"
},
{
"case_id": "php-path_traversal-001",
"file": "php/path_traversal/path_traversal.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"php.path.include_variable"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
3,
3
]
],
"expected_source_lines": [
[
2,
2
]
],
"tags": [
"include",
"path-traversal"
],
"disabled": false,
"notes": "Path traversal / RFI via include() with user-controlled path"
},
{
"case_id": "php-path_traversal-002",
"file": "php/path_traversal/path_traversal_copy.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
4,
4
]
],
"expected_source_lines": [
[
2,
2
]
],
"tags": [
"copy",
"path-traversal"
],
"disabled": false,
"notes": "Path traversal via copy() with user-controlled source path"
},
{
"case_id": "php-deser-002",
"file": "php/deser/deser_unserialize_allowed_true.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "deser",
"cwe": "CWE-502",
"provenance": "real-repo-precision-2026-04-28",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"php.deser.unserialize"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
8,
8
]
],
"expected_source_lines": [
[
7,
7
]
],
"tags": [
"real-repo-precision-2026-04-28",
"unserialize",
"allowed_classes",
"true-default"
],
"disabled": false,
"notes": "Vulnerable counterpart to php-safe-017: allowed_classes => true is the unsafe default. Pattern must still fire."
},
{
"case_id": "php-path_traversal-003",
"file": "php/path_traversal/path_traversal_concat.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-98",
"provenance": "real-repo-precision-2026-04-28",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"php.path.include_variable"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
10,
10
]
],
"expected_source_lines": [
[
9,
9
]
],
"tags": [
"real-repo-precision-2026-04-28",
"include",
"concat",
"user-input"
],
"disabled": false,
"notes": "Vulnerable counterpart to php-safe-018: included variable is built from concatenation of $_GET inside the function \u2014 not a parameter pass-through. Pattern must still fire."
},
{
"case_id": "php-deser-001",
"file": "php/deser/deser_unserialize.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "deser",
"cwe": "CWE-502",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"php.deser.unserialize"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
3,
3
]
],
"expected_source_lines": [
[
2,
2
]
],
"tags": [
"unserialize",
"deserialization"
],
"disabled": false,
"notes": "Insecure deserialization via unserialize() with user-controlled POST data"
},
{
"case_id": "php-code_injection-001",
"file": "php/code_injection/code_injection.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "code_injection",
"cwe": "CWE-94",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"php.code_exec.eval"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
3,
3
]
],
"expected_source_lines": [
[
2,
2
]
],
"tags": [
"eval",
"code-injection"
],
"disabled": false,
"notes": "Code injection via eval() with user-controlled code"
},
{
"case_id": "php-code_injection-002",
"file": "php/code_injection/code_injection_assert.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "code_injection",
"cwe": "CWE-94",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"php.code_exec.assert_string"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
3,
3
]
],
"expected_source_lines": [
[
2,
2
]
],
"tags": [
"assert",
"code-injection"
],
"disabled": false,
"notes": "Code injection via assert() with string argument (PHP < 8.0 evaluates as code)"
},
{
"case_id": "php-safe-001",
"file": "php/safe/safe_constant.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"constant",
"no-source"
],
"disabled": false,
"notes": "Constant string argument to system(); no user-controlled data"
},
{
"case_id": "php-safe-002",
"file": "php/safe/safe_dominated.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"allowlist",
"dominated-check",
"in-array"
],
"disabled": false,
"notes": "User input dominated by in_array allowlist check before system()"
},
{
"case_id": "php-safe-003",
"file": "php/safe/safe_interprocedural.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"sanitizer",
"htmlspecialchars",
"interprocedural"
],
"disabled": false,
"notes": "htmlspecialchars sanitizer applied via helper function before echo"
},
{
"case_id": "php-safe-004",
"file": "php/safe/safe_non_security_sink.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"non-security-sink",
"error-log"
],
"disabled": false,
"notes": "User input flows to error_log and strlen; echo outputs only the length integer"
},
{
"case_id": "php-safe-005",
"file": "php/safe/safe_reassigned.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"reassignment",
"killed-taint"
],
"disabled": false,
"notes": "Tainted variable reassigned to constant 'Guest' before reaching echo"
},
{
"case_id": "php-safe-006",
"file": "php/safe/safe_sanitized.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"sanitizer",
"htmlspecialchars"
],
"disabled": false,
"notes": "htmlspecialchars sanitizer applied inline before echo"
},
{
"case_id": "php-safe-007",
"file": "php/safe/safe_type_check.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"type-check",
"is-numeric-guard"
],
"disabled": false,
"notes": "is_numeric check guards mysqli->query(); only numeric strings reach the sink"
},
{
"case_id": "php-safe-008",
"file": "php/safe/safe_validated.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"allowlist",
"validated",
"in-array"
],
"disabled": false,
"notes": "Allowlist in_array validation before system(); only permitted commands reach sink"
},
{
"case_id": "js-ssrf-002",
"file": "javascript/ssrf/ssrf_axios.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cfg-unguarded-sink"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"axios",
"ssrf"
],
"disabled": false,
"notes": "SSRF via bare axios() call with user-controlled URL"
},
{
"case_id": "js-ssrf-003",
"file": "javascript/ssrf/ssrf_http_get_chained.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cfg-unguarded-sink"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"http",
"ssrf",
"chained-call"
],
"disabled": false,
"notes": "Regression guard for the chained-method-call inner-gate fix (2026-04-27): http.get(url, cb).on('error', cb) must classify as SSRF on the inner http.get even though the outer .on swallows classification."
},
{
"case_id": "js-ssrf-safe-002",
"file": "javascript/ssrf/safe_http_get_hardcoded_chained.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"http",
"ssrf-safe",
"chained-call",
"negative"
],
"disabled": false,
"notes": "Precision guard: chained-call inner-gate fix must NOT fire on http.get('http://internal-health.localhost/...').on(...) with a hardcoded literal URL."
},
{
"case_id": "js-path_traversal-ternary-source-001",
"file": "javascript/path_traversal/path_traversal_ternary_source.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cfg-unguarded-sink"
],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"path_traversal",
"ternary-as-value",
"source-classification"
],
"disabled": false,
"notes": "Regression guard for the ternary-RHS source-classification fix in src/cfg/conditions.rs::lower_ternary_branch (2026-05-04). Pre-fix, push_node only did suffix/prefix matching on the branch text, so req.query.lng did not classify as a Source (rule matcher is req.query, neither matches req.query.lng). Both ternary branches lowered to labelless Assign-with-empty-uses, the join phi saw no taint, and downstream sinks missed the flow. Motivated by GHSA-jfgf-83c5-2c4m / CVE-2026-42353."
},
{
"case_id": "js-safe-ternary-const-branches",
"file": "javascript/safe/safe_ternary_const_branches.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"ternary-as-value",
"source-classification",
"negative"
],
"disabled": false,
"notes": "Precision guard: ternary-RHS source-classification fix must NOT synthesise a Source label when both branches are constant strings. Pins the conservative gate inside lower_ternary_branch."
},
{
"case_id": "py-ssrf-002",
"file": "python/ssrf/ssrf_httpx_post.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cfg-unguarded-sink"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"httpx",
"ssrf"
],
"disabled": false,
"notes": "SSRF via httpx.post() with user-controlled URL"
},
{
"case_id": "go-ssrf-002",
"file": "go/ssrf/ssrf_new_request.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cfg-unguarded-sink"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
9,
9
]
],
"expected_source_lines": [
[
8,
8
]
],
"tags": [
"http-client",
"ssrf"
],
"disabled": false,
"notes": "SSRF via http.NewRequest() with user-controlled URL"
},
{
"case_id": "ruby-ssrf-001",
"file": "ruby/ssrf/ssrf_httparty.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cfg-unguarded-sink"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
5,
5
]
],
"expected_source_lines": [
[
4,
4
]
],
"tags": [
"httparty",
"ssrf"
],
"disabled": false,
"notes": "SSRF via HTTParty.get() with user-controlled URL"
},
{
"case_id": "ruby-ssrf-003",
"file": "ruby/ssrf/ssrf_open_uri.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cfg-unguarded-sink"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
5,
5
]
],
"expected_source_lines": [
[
4,
4
]
],
"tags": [
"open-uri",
"ssrf"
],
"disabled": false,
"notes": "SSRF via OpenURI.open_uri() with user-controlled URL \u2014 canonical low-level URI fetcher; CarrierWave / Paperclip / similar gems route SSRF-vulnerable downloads through it"
},
{
"case_id": "js-ssrf-safe-001",
"file": "javascript/ssrf/safe_ssrf_hardcoded.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"hardcoded",
"ssrf",
"no-source"
],
"disabled": false,
"notes": "Hardcoded URL to axios(); no user-controlled data"
},
{
"case_id": "py-ssrf-safe-001",
"file": "python/ssrf/safe_ssrf_constant.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"constant",
"ssrf",
"no-source"
],
"disabled": false,
"notes": "Constant URL to requests.get(); no user-controlled data"
},
{
"case_id": "go-ssrf-safe-001",
"file": "go/ssrf/safe_ssrf_hardcoded.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"hardcoded",
"ssrf",
"no-source"
],
"disabled": false,
"notes": "Hardcoded URL to http.Get(); no user-controlled data"
},
{
"case_id": "php-ssrf-safe-001",
"file": "php/ssrf/safe_ssrf_hardcoded.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"hardcoded",
"ssrf",
"no-source"
],
"disabled": false,
"notes": "Hardcoded URL to file_get_contents(); no user-controlled data"
},
{
"case_id": "ruby-safe-001",
"file": "ruby/safe/safe_constant.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"constant",
"no-source"
],
"disabled": false,
"notes": "Constant string argument to system(); no user-controlled data"
},
{
"case_id": "ruby-safe-002",
"file": "ruby/safe/safe_dominated.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"allowlist",
"dominated-check",
"include"
],
"disabled": false,
"notes": "Allowlist guard dominates system() call; taint should be suppressed"
},
{
"case_id": "ruby-safe-003",
"file": "ruby/safe/safe_interprocedural.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"sanitizer",
"shellwords-escape",
"interprocedural"
],
"disabled": false,
"notes": "Shellwords.escape called via helper function; interprocedural sanitization"
},
{
"case_id": "ruby-safe-004",
"file": "ruby/safe/safe_non_security_sink.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"non-security-sink",
"logger"
],
"disabled": false,
"notes": "Logger.info is not a security-sensitive sink"
},
{
"case_id": "ruby-safe-005",
"file": "ruby/safe/safe_reassigned.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"reassignment",
"killed-taint"
],
"disabled": false,
"notes": "Tainted variable reassigned to constant before reaching sink"
},
{
"case_id": "ruby-safe-006",
"file": "ruby/safe/safe_sanitized.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"sanitizer",
"shellwords-escape"
],
"disabled": false,
"notes": "Shellwords.escape sanitizes user input before system() call"
},
{
"case_id": "ruby-safe-007",
"file": "ruby/safe/safe_type_check.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"type-check",
"is-a-guard"
],
"disabled": false,
"notes": "Type check guard (is_a? Integer) dominates SQL execution"
},
{
"case_id": "ruby-safe-008",
"file": "ruby/safe/safe_validated.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"allowlist",
"validated"
],
"disabled": false,
"notes": "Allowlist validation before system() call"
},
{
"case_id": "ruby-safe-009",
"file": "ruby/safe/safe_kernel_open_file_namespaced.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"kernel-open",
"file-open",
"regression",
"no-source"
],
"disabled": false,
"notes": "Negative regression for Ruby =open exact-matcher: File.open with a hardcoded path must not fire the bare-open CMDI rule (or any taint rule); pairs with ruby-cmdi-003"
},
{
"case_id": "ruby-ssrf-safe-001",
"file": "ruby/ssrf/safe_ssrf_hardcoded.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"hardcoded",
"ssrf",
"no-source"
],
"disabled": false,
"notes": "Hardcoded URL to HTTParty.get(); no user-controlled data"
},
{
"case_id": "ruby-cmdi-001",
"file": "ruby/cmdi/cmdi_system.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rb.cmdi.system_interp"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
3,
3
]
],
"expected_source_lines": [
[
2,
2
]
],
"tags": [
"system",
"cmdi"
],
"disabled": false,
"notes": "Command injection via system() with user-controlled argument"
},
{
"case_id": "ruby-cmdi-002",
"file": "ruby/cmdi/cmdi_backtick.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"rb.cmdi.backtick"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
3,
3
]
],
"expected_source_lines": [
[
2,
2
]
],
"tags": [
"backtick",
"cmdi"
],
"disabled": false,
"notes": "Command injection via backtick interpolation with user-controlled data"
},
{
"case_id": "ruby-cmdi-003",
"file": "ruby/cmdi/cmdi_kernel_open.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
11,
11
]
],
"expected_source_lines": [
[
10,
10
]
],
"tags": [
"kernel-open",
"cmdi",
"regression"
],
"disabled": false,
"notes": "CVE-2020-8130 regression: bare Kernel#open(path) interprets a leading | as a shell pipe; the =open exact-matcher distinguishes it from File.open / IO.open / URI.open"
},
{
"case_id": "ruby-code_injection-001",
"file": "ruby/code_injection/code_injection_eval.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "code_injection",
"cwe": "CWE-94",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rb.code_exec.eval"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
3,
3
]
],
"expected_source_lines": [
[
2,
2
]
],
"tags": [
"eval",
"code-injection"
],
"disabled": false,
"notes": "Code injection via eval() with user-controlled expression"
},
{
"case_id": "ruby-deser-001",
"file": "ruby/deser/deser_marshal.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "deser",
"cwe": "CWE-502",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rb.deser.marshal_load"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
3,
3
]
],
"expected_source_lines": [
[
2,
2
]
],
"tags": [
"marshal",
"deserialization"
],
"disabled": false,
"notes": "Insecure deserialization via Marshal.load() with user-controlled data"
},
{
"case_id": "ruby-deser-002",
"file": "ruby/deser/deser_yaml.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "deser",
"cwe": "CWE-502",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rb.deser.yaml_load"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
5,
5
]
],
"expected_source_lines": [
[
4,
4
]
],
"tags": [
"yaml",
"deserialization"
],
"disabled": false,
"notes": "Insecure deserialization via YAML.load() with user-controlled data"
},
{
"case_id": "ruby-path_traversal-001",
"file": "ruby/path_traversal/path_traversal_send_file.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
3,
3
]
],
"expected_source_lines": [
[
2,
2
]
],
"tags": [
"send-file",
"path-traversal"
],
"disabled": false,
"notes": "Path traversal via send_file() with user-controlled path"
},
{
"case_id": "ruby-path_traversal-002",
"file": "ruby/path_traversal/path_traversal_yaml_load_file_read.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
4,
4
]
],
"expected_source_lines": [
[
7,
7
]
],
"tags": [
"wrapper-sink",
"path-traversal"
],
"disabled": false,
"notes": "Path traversal via cross-fn helper that wraps File.read inside YAML.safe_load (the `outer(File.read(x))` shape used in real Ruby helpers \u2014 rswag CVE-2023-38337 chain). Regression guard for the inner-call fallback fix in src/cfg/mod.rs::push_node so a wrapper around an FILE_IO sink continues to surface in summary extraction."
},
{
"case_id": "ruby-sqli-001",
"file": "ruby/sqli/sqli_find_by_sql.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
3,
3
]
],
"expected_source_lines": [
[
2,
2
]
],
"tags": [
"find-by-sql",
"sqli"
],
"disabled": false,
"notes": "SQL injection via find_by_sql() with string concatenation"
},
{
"case_id": "ruby-sqli-002",
"file": "ruby/sqli/sqli_execute.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
3,
3
]
],
"expected_source_lines": [
[
2,
2
]
],
"tags": [
"execute",
"sqli"
],
"disabled": false,
"notes": "SQL injection via ActiveRecord execute() with string concatenation"
},
{
"case_id": "ruby-ssrf-002",
"file": "ruby/ssrf/ssrf_net_http.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cfg-unguarded-sink"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
5,
5
]
],
"expected_source_lines": [
[
4,
4
]
],
"tags": [
"net-http",
"ssrf"
],
"disabled": false,
"notes": "SSRF via Net::HTTP.get() with user-controlled URL"
},
{
"case_id": "ruby-xss-001",
"file": "ruby/xss/xss_html_safe.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
3,
3
]
],
"expected_source_lines": [
[
2,
2
]
],
"tags": [
"html-safe",
"xss"
],
"disabled": false,
"notes": "XSS via html_safe on user-controlled input"
},
{
"case_id": "ruby-xss-002",
"file": "ruby/xss/xss_raw.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
3,
3
]
],
"expected_source_lines": [
[
2,
2
]
],
"tags": [
"raw",
"xss"
],
"disabled": false,
"notes": "XSS via raw() on user-controlled input"
},
{
"case_id": "js-xss-react-001",
"file": "javascript/xss/xss_react_dangerously.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"react",
"dangerouslySetInnerHTML",
"xss"
],
"disabled": false,
"notes": "React XSS via dangerouslySetInnerHTML with user-controlled content"
},
{
"case_id": "js-safe-parseInt-001",
"file": "javascript/safe/safe_parseInt.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"parseInt",
"type-coercion",
"sanitizer"
],
"disabled": false,
"notes": "parseInt sanitizes user input \u2014 should produce no taint finding"
},
{
"case_id": "py-cmdi-popen-001",
"file": "python/cmdi/cmdi_popen_shell.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"state-resource-leak"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"subprocess",
"popen",
"shell-true",
"gated-sink"
],
"disabled": false,
"notes": "Command injection via subprocess.Popen with shell=True"
},
{
"case_id": "py-safe-int-001",
"file": "python/safe/safe_int_cast.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"int",
"type-coercion",
"sanitizer"
],
"disabled": false,
"notes": "int() type coercion sanitizes user input \u2014 should produce no taint finding"
},
{
"case_id": "java-sqli-stmt-001",
"file": "java/sqli/sqli_statement_vs_prepared.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"state-resource-leak"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
11,
11
]
],
"expected_source_lines": [
[
7,
7
]
],
"tags": [
"statement",
"executeQuery",
"string-concat"
],
"disabled": false,
"notes": "SQL injection via raw Statement.executeQuery with string concatenation"
},
{
"case_id": "java-safe-prepared-001",
"file": "java/safe/safe_prepared_statement.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"prepareStatement",
"parameterized",
"sanitizer"
],
"disabled": false,
"notes": "prepareStatement sanitizes SQL input \u2014 should produce no SQL taint finding"
},
{
"case_id": "java-sqli-stmt-execute-002",
"file": "java/sqli/sqli_statement_execute_chained.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
36,
36
]
],
"expected_source_lines": [
[
25,
25
]
],
"tags": [
"statement",
"execute",
"createStatement",
"string-concat",
"ghsa-h8cj"
],
"disabled": false,
"notes": "Regression guard for GHSA-h8cj-hpmg-636v engine fixes: createStatement is typed as DatabaseConnection; Statement.execute(query) resolves as SQL_QUERY sink via DatabaseConnection.execute label; helper-summary type-facts threading carries the sink across the executeDbQuery boundary."
},
{
"case_id": "java-safe-stmt-execute-validated",
"file": "java/safe/safe_statement_execute_pattern_validated.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"Pattern",
"matcher",
"matches",
"validator",
"ghsa-h8cj"
],
"disabled": false,
"notes": "Regression guard for GHSA-h8cj-hpmg-636v patched form: Pattern.matcher(value).matches() chain on a PATTERN-named receiver classifies as ValidationCall, short-circuit `||` cond chain preserves validated_must to the implicit return, and helper-summary validated_params_to_return suppresses the SQL_QUERY sink at the caller."
},
{
"case_id": "go-safe-atoi-001",
"file": "go/safe/safe_strconv_atoi.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"strconv",
"Atoi",
"type-conversion",
"sanitizer"
],
"disabled": false,
"notes": "strconv.Atoi sanitizes user input \u2014 should produce no taint finding"
},
{
"case_id": "go-xss-gin-001",
"file": "go/xss/xss_gin_source.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
10,
10
]
],
"expected_source_lines": [
[
9,
9
]
],
"tags": [
"gin",
"xss",
"formvalue"
],
"disabled": false,
"notes": "XSS via r.FormValue flowing to fmt.Fprintf response writer"
},
{
"case_id": "php-safe-filter-001",
"file": "php/safe/safe_filter_input.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"filter_input",
"sanitizer"
],
"disabled": false,
"notes": "filter_input sanitizes user input \u2014 should produce no taint finding"
},
{
"case_id": "php-safe-camelcase-validator-001",
"file": "php/safe/safe_camelcase_validator_negated.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"validator",
"camelcase",
"negated",
"class-method"
],
"disabled": false,
"notes": "Regression: camelCase `isSafeRemoteUrl` validator + `if (!validator($x))` early-return narrowing in PHP class method"
},
{
"case_id": "php-sqli-pdo-001",
"file": "php/sqli/sqli_pdo_raw.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
5,
5
]
],
"expected_source_lines": [
[
2,
2
]
],
"tags": [
"pdo",
"raw-query",
"sqli"
],
"disabled": false,
"notes": "SQL injection via raw PDO query with string concatenation"
},
{
"case_id": "ruby-safe-strong-params-001",
"file": "ruby/safe/safe_strong_params.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"strong-params",
"permit",
"require",
"rails"
],
"disabled": false,
"notes": "Rails strong parameters (permit/require) sanitize user input \u2014 safe pattern"
},
{
"case_id": "ruby-sqli-raw-001",
"file": "ruby/sqli/sqli_raw_connection.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
4,
6
]
],
"expected_source_lines": [
[
3,
3
]
],
"tags": [
"connection-execute",
"raw-sql",
"sqli"
],
"disabled": true,
"notes": "SQL injection via ActiveRecord connection.execute \u2014 disabled: multi-line call expression not resolved by SSA lowering for Ruby class methods"
},
{
"case_id": "py-cmdi-cross-001",
"file": "python/cmdi/cross_propagation/",
"language": "python",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"py.cmdi.os_system"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
4,
4
]
],
"tags": [
"cross-file",
"ssa-summary",
"propagation"
],
"disabled": false,
"notes": "Cross-file taint propagation: env source \u2192 wrapper function \u2192 os.system sink"
},
{
"case_id": "py-cmdi-cross-002",
"file": "python/cmdi/cross_source/",
"language": "python",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"py.cmdi.subprocess"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
5,
5
]
],
"expected_source_lines": [
[
4,
4
]
],
"tags": [
"cross-file",
"ssa-summary",
"source-detection"
],
"disabled": false,
"notes": "Cross-file source detection: read_input() returns env source \u2192 subprocess.call sink"
},
{
"case_id": "py-cmdi-cross-003",
"file": "python/cmdi/cross_sanitizer/",
"language": "python",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"py.cmdi.os_system"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
4,
4
]
],
"tags": [
"cross-file",
"ssa-summary",
"wrong-sanitizer"
],
"disabled": false,
"notes": "Cross-file wrong-cap sanitizer: HTML sanitizer does not strip SHELL_ESCAPE caps \u2192 os.system still vulnerable"
},
{
"case_id": "py-cmdi-cross-004",
"file": "python/cmdi/cross_indirect_sink/",
"language": "python",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"py.cmdi.os_system"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
5,
5
]
],
"expected_source_lines": [
[
6,
6
]
],
"expected_call_site_lines": [
[
7,
7
]
],
"tags": [
"cross-file",
"helper-function",
"sink-in-helper"
],
"disabled": false,
"notes": "Cross-file sink-in-helper: app.py line 6 reads env source, line 7 calls run_cmd() (cross-file call), helper.py line 5 is the real os.system sink. Phase 3 attribution must report helper.py:5 as the primary location (not app.py:7) and include app.py:7 in flow_steps as a Call step."
},
{
"case_id": "js-xss-cross-001",
"file": "javascript/xss/cross_propagation/",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"js.xss.document_write"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"cross-file",
"ssa-summary",
"propagation"
],
"disabled": false,
"notes": "Cross-file taint propagation: req.query \u2192 render wrapper \u2192 document.write XSS sink"
},
{
"case_id": "go-cmdi-cross-001",
"file": "go/cmdi/cross_source/",
"language": "go",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"go.cmdi.exec_command",
"state-unauthed-access"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
10,
10
]
],
"expected_source_lines": [
[
9,
9
]
],
"tags": [
"cross-file",
"ssa-summary",
"source-detection"
],
"disabled": false,
"notes": "Cross-file source detection: GetUserInput returns request param \u2192 exec.Command sink"
},
{
"case_id": "go-path_traversal-cross-001",
"file": "go/path_traversal/cross_sanitizer/",
"language": "go",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"go.path_traversal.readfile",
"state-unauthed-access"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
11,
11
]
],
"expected_source_lines": [
[
9,
9
]
],
"tags": [
"cross-file",
"ssa-summary",
"wrong-sanitizer"
],
"disabled": false,
"notes": "Cross-file wrong-cap sanitizer: HTML sanitizer does not strip FILE_IO caps \u2192 os.ReadFile still vulnerable"
},
{
"case_id": "c-cmdi-001",
"file": "c/cmdi/cmdi_system.c",
"language": "c",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"c.cmdi.system"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"getenv"
],
"disabled": false,
"notes": "Direct flow from getenv to system()"
},
{
"case_id": "c-cmdi-002",
"file": "c/cmdi/cmdi_popen.c",
"language": "c",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"c.cmdi.popen"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"getenv"
],
"disabled": false,
"notes": "Direct flow from getenv to popen()"
},
{
"case_id": "c-cmdi-003",
"file": "c/cmdi/cmdi_exec.c",
"language": "c",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"c.cmdi.execvp"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"getenv"
],
"disabled": false,
"notes": "Direct flow from getenv to execvp()"
},
{
"case_id": "c-cmdi-004",
"file": "c/cmdi/cmdi_fgets.c",
"language": "c",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"c.cmdi.system"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
7,
7
]
],
"expected_source_lines": [
[
6,
6
]
],
"tags": [
"stdin",
"fgets"
],
"disabled": false,
"notes": "Flow from fgets(stdin) to system()"
},
{
"case_id": "c-path-001",
"file": "c/path_traversal/path_traversal_fopen.c",
"language": "c",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"c.file_io.fopen"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"getenv"
],
"disabled": false,
"notes": "Direct flow from getenv to fopen()"
},
{
"case_id": "c-path-002",
"file": "c/path_traversal/path_traversal_open.c",
"language": "c",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"c.file_io.open"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"getenv"
],
"disabled": false,
"notes": "Direct flow from getenv to open()"
},
{
"case_id": "c-fmt-001",
"file": "c/fmt_string/fmt_printf.c",
"language": "c",
"is_vulnerable": true,
"vuln_class": "fmt_string",
"cwe": "CWE-134",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"c.fmt_string.printf"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"getenv"
],
"disabled": false,
"notes": "Direct flow from getenv to printf() as format string"
},
{
"case_id": "c-fmt-002",
"file": "c/fmt_string/fmt_fprintf.c",
"language": "c",
"is_vulnerable": true,
"vuln_class": "fmt_string",
"cwe": "CWE-134",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"c.fmt_string.fprintf"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"getenv"
],
"disabled": false,
"notes": "Direct flow from getenv to fprintf() as format string"
},
{
"case_id": "c-ssrf-001",
"file": "c/ssrf/ssrf_curl.c",
"language": "c",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"c.ssrf.curl_easy_perform"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
8,
8
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"curl"
],
"disabled": false,
"notes": "Direct flow from getenv to curl_easy_perform()"
},
{
"case_id": "c-buf-001",
"file": "c/buffer_overflow/buffer_sprintf.c",
"language": "c",
"is_vulnerable": true,
"vuln_class": "buffer_overflow",
"cwe": "CWE-120",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"c.buffer.sprintf"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
8,
8
]
],
"expected_source_lines": [
[
6,
6
]
],
"tags": [
"direct",
"getenv"
],
"disabled": false,
"notes": "Direct flow from getenv to unbounded sprintf()"
},
{
"case_id": "c-buf-002",
"file": "c/buffer_overflow/buffer_strcpy.c",
"language": "c",
"is_vulnerable": true,
"vuln_class": "buffer_overflow",
"cwe": "CWE-120",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"c.buffer.strcpy"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
7,
7
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"getenv"
],
"disabled": false,
"notes": "Direct flow from getenv to strcpy()"
},
{
"case_id": "c-buf-003",
"file": "c/buffer_overflow/buffer_strcat.c",
"language": "c",
"is_vulnerable": true,
"vuln_class": "buffer_overflow",
"cwe": "CWE-120",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"c.buffer.strcat"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
7,
7
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"getenv"
],
"disabled": false,
"notes": "Direct flow from getenv to strcat()"
},
{
"case_id": "c-buf-005",
"file": "c/buffer_overflow/buffer_strcpy_user_arg.c",
"language": "c",
"is_vulnerable": true,
"vuln_class": "buffer_overflow",
"cwe": "CWE-120",
"provenance": "real-repo-precision-2026-04-28",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"c.memory.strcpy"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
9,
9
]
],
"expected_source_lines": null,
"tags": [
"direct",
"argv",
"real-repo-precision-2026-04-28"
],
"disabled": false,
"notes": "Vulnerable counterpart to c-safe-017: argv[1] is a non-literal source so Layer D does not suppress; pattern rule fires."
},
{
"case_id": "c-safe-001",
"file": "c/safe/safe_constant.c",
"language": "c",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"constant",
"no-source"
],
"disabled": false,
"notes": "Constant string passed to system() \u2014 no taint source"
},
{
"case_id": "c-safe-002",
"file": "c/safe/safe_sanitized_snprintf.c",
"language": "c",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-120",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"sanitized",
"snprintf"
],
"disabled": false,
"notes": "Input sanitized through snprintf bounded formatting"
},
{
"case_id": "c-safe-003",
"file": "c/safe/safe_atoi.c",
"language": "c",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-134",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"sanitized",
"atoi"
],
"disabled": false,
"notes": "Input sanitized through atoi() type conversion"
},
{
"case_id": "c-safe-004",
"file": "c/safe/safe_reassigned.c",
"language": "c",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"reassigned"
],
"disabled": false,
"notes": "Tainted variable reassigned to constant before use"
},
{
"case_id": "c-safe-005",
"file": "c/safe/safe_strncpy.c",
"language": "c",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-120",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"sanitized",
"strncpy"
],
"disabled": false,
"notes": "Input sanitized through bounded strncpy"
},
{
"case_id": "c-safe-006",
"file": "c/safe/safe_validated.c",
"language": "c",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"validated",
"path-check"
],
"disabled": false,
"notes": "Path validated against traversal before fopen"
},
{
"case_id": "c-safe-007",
"file": "c/safe/safe_strtol.c",
"language": "c",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-134",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"sanitized",
"strtol"
],
"disabled": false,
"notes": "Input sanitized through strtol() type conversion"
},
{
"case_id": "c-safe-008",
"file": "c/safe/safe_sanitize_func.c",
"language": "c",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-134",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"sanitized",
"custom-function"
],
"disabled": false,
"notes": "Input sanitized through sanitize_input() helper"
},
{
"case_id": "cpp-cmdi-001",
"file": "cpp/cmdi/cmdi_system.cpp",
"language": "cpp",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cpp.cmdi.system"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"getenv"
],
"disabled": false,
"notes": "Direct flow from getenv to system()"
},
{
"case_id": "cpp-cmdi-002",
"file": "cpp/cmdi/cmdi_popen.cpp",
"language": "cpp",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cpp.cmdi.popen"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"getenv"
],
"disabled": false,
"notes": "Direct flow from getenv to popen()"
},
{
"case_id": "cpp-cmdi-003",
"file": "cpp/cmdi/cmdi_getline.cpp",
"language": "cpp",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cpp.cmdi.system"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
8,
8
]
],
"expected_source_lines": [
[
7,
7
]
],
"tags": [
"stdin",
"getline"
],
"disabled": false,
"notes": "Flow from std::getline(cin) to system()"
},
{
"case_id": "cpp-cmdi-004",
"file": "cpp/cmdi/cmdi_exec.cpp",
"language": "cpp",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cpp.cmdi.execvp"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"getenv"
],
"disabled": false,
"notes": "Direct flow from getenv to execvp()"
},
{
"case_id": "cpp-cmdi-005",
"file": "cpp/cmdi/cmdi_stl_vector_string.cpp",
"language": "cpp",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
17,
17
]
],
"expected_source_lines": [
[
12,
12
]
],
"tags": [
"stl-container",
"c_str-passthrough",
"cpp-precision-2026-04-26"
],
"disabled": false,
"notes": "Tainted env var stored in std::vector<std::string>, read via front() and converted via c_str(); flow must reach system()"
},
{
"case_id": "cpp-cmdi-006",
"file": "cpp/cmdi/cmdi_lambda_passthrough.cpp",
"language": "cpp",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
16,
16
]
],
"expected_source_lines": [
[
14,
14
]
],
"tags": [
"lambda",
"passthrough",
"cpp-precision-2026-04-26"
],
"disabled": false,
"notes": "Tainted input passed through identity-lambda echo into system(); default Call-arg propagation carries the taint."
},
{
"case_id": "cpp-cmdi-007",
"file": "cpp/cmdi/cmdi_class_inline_method.cpp",
"language": "cpp",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
20,
27
]
],
"expected_source_lines": [
[
25,
25
]
],
"tags": [
"class-method",
"inline-definition",
"cpp-precision-2026-04-26"
],
"disabled": false,
"notes": "Inline member-function definition; tainted arg flows through Inner::run into system(). Pinned by Phase 4 KINDS additions for class_specifier."
},
{
"case_id": "cpp-path-001",
"file": "cpp/path_traversal/path_traversal_fopen.cpp",
"language": "cpp",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cpp.file_io.fopen"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"getenv"
],
"disabled": false,
"notes": "Direct flow from getenv to fopen()"
},
{
"case_id": "cpp-path-002",
"file": "cpp/path_traversal/path_traversal_open.cpp",
"language": "cpp",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cpp.file_io.open"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
7,
7
]
],
"expected_source_lines": [
[
6,
6
]
],
"tags": [
"direct",
"getenv"
],
"disabled": false,
"notes": "Direct flow from getenv to open()"
},
{
"case_id": "cpp-fmt-001",
"file": "cpp/fmt_string/fmt_printf.cpp",
"language": "cpp",
"is_vulnerable": true,
"vuln_class": "fmt_string",
"cwe": "CWE-134",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cpp.fmt_string.printf"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"getenv"
],
"disabled": false,
"notes": "Direct flow from getenv to printf() as format string"
},
{
"case_id": "cpp-fmt-002",
"file": "cpp/fmt_string/fmt_fprintf.cpp",
"language": "cpp",
"is_vulnerable": true,
"vuln_class": "fmt_string",
"cwe": "CWE-134",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cpp.fmt_string.fprintf"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"getenv"
],
"disabled": false,
"notes": "Direct flow from getenv to fprintf() as format string"
},
{
"case_id": "cpp-ssrf-001",
"file": "cpp/ssrf/ssrf_curl.cpp",
"language": "cpp",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cpp.ssrf.curl_easy_perform"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
8,
8
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"curl"
],
"disabled": false,
"notes": "Direct flow from getenv to curl_easy_perform()"
},
{
"case_id": "cpp-ssrf-002",
"file": "cpp/ssrf/ssrf_connect.cpp",
"language": "cpp",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cpp.ssrf.connect"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
13,
13
]
],
"expected_source_lines": [
[
6,
6
]
],
"tags": [
"direct",
"socket"
],
"disabled": false,
"notes": "Direct flow from getenv to connect()"
},
{
"case_id": "cpp-ssrf-003",
"file": "cpp/ssrf/ssrf_builder_user_host.cpp",
"language": "cpp",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
24,
24
]
],
"expected_source_lines": [
[
23,
23
]
],
"tags": [
"builder-chain",
"fluent-api",
"cpp-precision-2026-04-26"
],
"disabled": false,
"notes": "Tainted host through fluent Socket::builder().host(h).port(p).connect() chain; terminal connect() must fire."
},
{
"case_id": "cpp-buf-001",
"file": "cpp/buffer_overflow/buffer_sprintf.cpp",
"language": "cpp",
"is_vulnerable": true,
"vuln_class": "buffer_overflow",
"cwe": "CWE-120",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cpp.buffer.sprintf"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
8,
8
]
],
"expected_source_lines": [
[
6,
6
]
],
"tags": [
"direct",
"getenv"
],
"disabled": false,
"notes": "Direct flow from getenv to unbounded sprintf()"
},
{
"case_id": "cpp-buf-002",
"file": "cpp/buffer_overflow/buffer_strcpy.cpp",
"language": "cpp",
"is_vulnerable": true,
"vuln_class": "buffer_overflow",
"cwe": "CWE-120",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cpp.buffer.strcpy"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
7,
7
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"getenv"
],
"disabled": false,
"notes": "Direct flow from getenv to strcpy()"
},
{
"case_id": "cpp-safe-001",
"file": "cpp/safe/safe_constant.cpp",
"language": "cpp",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"constant",
"no-source"
],
"disabled": false,
"notes": "Constant string passed to system() \u2014 no taint source"
},
{
"case_id": "cpp-safe-002",
"file": "cpp/safe/safe_snprintf.cpp",
"language": "cpp",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-120",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"sanitized",
"snprintf"
],
"disabled": false,
"notes": "Input sanitized through snprintf bounded formatting"
},
{
"case_id": "cpp-safe-003",
"file": "cpp/safe/safe_stoi.cpp",
"language": "cpp",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-134",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"sanitized",
"stoi"
],
"disabled": false,
"notes": "Input sanitized through std::stoi() type conversion"
},
{
"case_id": "cpp-safe-004",
"file": "cpp/safe/safe_reassigned.cpp",
"language": "cpp",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"reassigned"
],
"disabled": false,
"notes": "Tainted variable reassigned to constant before use"
},
{
"case_id": "cpp-safe-005",
"file": "cpp/safe/safe_strncpy.cpp",
"language": "cpp",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-120",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"sanitized",
"strncpy"
],
"disabled": false,
"notes": "Input sanitized through bounded strncpy"
},
{
"case_id": "cpp-safe-006",
"file": "cpp/safe/safe_validated.cpp",
"language": "cpp",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"validated",
"path-check"
],
"disabled": false,
"notes": "Path validated against traversal before fopen"
},
{
"case_id": "cpp-safe-007",
"file": "cpp/safe/safe_sanitize_func.cpp",
"language": "cpp",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-134",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"sanitized",
"custom-function"
],
"disabled": false,
"notes": "Input sanitized through sanitize_input() helper"
},
{
"case_id": "cpp-safe-008",
"file": "cpp/safe/safe_strtol.cpp",
"language": "cpp",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-134",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"sanitized",
"strtol"
],
"disabled": false,
"notes": "Input sanitized through strtol() type conversion (C-style)"
},
{
"case_id": "cpp-safe-017",
"file": "cpp/safe/safe_stl_vector_int.cpp",
"language": "cpp",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"sanitized",
"stl-container",
"cpp-precision-2026-04-26"
],
"disabled": false,
"notes": "stoi sanitises tainted env var before push_back / front; downstream system() must be TN"
},
{
"case_id": "cpp-safe-018",
"file": "cpp/safe/safe_builder_const_host.cpp",
"language": "cpp",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"safe",
"builder-chain",
"constant-host",
"cpp-precision-2026-04-26"
],
"disabled": false,
"notes": "Builder chain with hardcoded host literal; terminal connect() must NOT fire (no taint on chain)."
},
{
"case_id": "cpp-safe-019",
"file": "cpp/safe/safe_reinterpret_cast_byte_pointer.cpp",
"language": "cpp",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-704",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"cpp.memory.reinterpret_cast"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"safe",
"reinterpret-cast",
"byte-pointer",
"real-repo-precision-2026-05-01"
],
"disabled": false,
"notes": "Layer E: reinterpret_cast<T> targets that are well-defined-by-aliasing-rules (byte pointer / void* / uintptr_t / sockaddr family) must NOT fire cpp.memory.reinterpret_cast. Distilled from bitcoin leveldb/serialization/socket shapes."
},
{
"case_id": "cpp-buf-003",
"file": "cpp/buffer_overflow/buffer_reinterpret_cast_struct_alias.cpp",
"language": "cpp",
"is_vulnerable": true,
"vuln_class": "buffer_overflow",
"cwe": "CWE-704",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"cpp.memory.reinterpret_cast"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
12,
12
]
],
"expected_source_lines": null,
"tags": [
"vuln",
"reinterpret-cast",
"strict-aliasing",
"real-repo-precision-2026-05-01"
],
"disabled": false,
"notes": "reinterpret_cast<UserStruct*>(buf) genuinely violates [basic.lval]/11 strict aliasing \u2014 the pattern must continue to fire because the user-defined struct target is not in the byte-pointer / void* / sockaddr safe set."
},
{
"case_id": "rs-cmdi-001",
"file": "rust/cmdi/cmdi_command.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rust.cmdi.command"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"env-var"
],
"disabled": false,
"notes": "Direct flow from env::var to Command::new().arg()"
},
{
"case_id": "rs-cmdi-002",
"file": "rust/cmdi/cmdi_command_output.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rust.cmdi.command"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"env-var"
],
"disabled": false,
"notes": "Direct flow from env::var to Command::new().output()"
},
{
"case_id": "rs-cmdi-003",
"file": "rust/cmdi/cmdi_indirect.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rust.cmdi.command"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
10,
10
]
],
"expected_source_lines": [
[
10,
10
]
],
"expected_call_site_lines": [
[
10,
10
]
],
"tags": [
"indirect",
"helper-function"
],
"disabled": false,
"notes": "Taint flows through helper function to Command. Engine attributes intra-file helper sinks at the call site (line 10), not the inner Command::new (line 5); see locator-policy comment in src/ast.rs."
},
{
"case_id": "rs-cmdi-004",
"file": "rust/cmdi/cmdi_args.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rust.cmdi.command"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"env-var",
"args"
],
"disabled": false,
"notes": "Direct flow from env::var to Command.args()"
},
{
"case_id": "rs-path-001",
"file": "rust/path_traversal/path_read.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rust.file_io.read_to_string"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"env-var"
],
"disabled": false,
"notes": "Direct flow from env::var to fs::read_to_string()"
},
{
"case_id": "rs-path-002",
"file": "rust/path_traversal/path_write.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rust.file_io.write"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"env-var"
],
"disabled": false,
"notes": "Direct flow from env::var to fs::write()"
},
{
"case_id": "rs-path-003",
"file": "rust/path_traversal/path_file_open.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rust.file_io.File"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"env-var"
],
"disabled": false,
"notes": "Direct flow from env::var to File::open()"
},
{
"case_id": "rs-path-004",
"file": "rust/path_traversal/path_file_create.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rust.file_io.File"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"direct",
"env-var"
],
"disabled": false,
"notes": "Direct flow from env::var to File::create()"
},
{
"case_id": "rs-ssrf-001",
"file": "rust/ssrf/ssrf_reqwest.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rust.ssrf.reqwest"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
5,
5
]
],
"expected_source_lines": [
[
4,
4
]
],
"tags": [
"direct",
"env-var"
],
"disabled": false,
"notes": "Direct flow from env::var to reqwest::get()"
},
{
"case_id": "rs-ssrf-002",
"file": "rust/ssrf/ssrf_indirect.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rust.ssrf.reqwest"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
9,
9
]
],
"expected_source_lines": [
[
8,
8
]
],
"tags": [
"indirect",
"helper-function"
],
"disabled": false,
"notes": "Taint flows through helper function to reqwest::get(). Engine attributes intra-file helper sinks at the call site (line 9), not the inner reqwest::get (line 4); see locator-policy comment in src/ast.rs."
},
{
"case_id": "rs-safe-001",
"file": "rust/safe/safe_constant.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"constant",
"no-source"
],
"disabled": false,
"notes": "Constant args passed to Command \u2014 no taint source"
},
{
"case_id": "rs-safe-002",
"file": "rust/safe/safe_sanitized_shell.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"sanitized",
"shell-escape"
],
"disabled": false,
"notes": "Input sanitized through sanitize_shell() before Command"
},
{
"case_id": "rs-safe-003",
"file": "rust/safe/safe_reassigned.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"reassigned"
],
"disabled": false,
"notes": "Tainted variable not used \u2014 constant passed to Command"
},
{
"case_id": "rs-safe-004",
"file": "rust/safe/safe_validated.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"validated",
"path-check"
],
"disabled": false,
"notes": "Path validated against traversal before fs::read_to_string"
},
{
"case_id": "rs-safe-005",
"file": "rust/safe/safe_hardcoded_url.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"constant",
"no-source"
],
"disabled": false,
"notes": "Hardcoded URL passed to reqwest::get \u2014 no taint source"
},
{
"case_id": "rs-safe-006",
"file": "rust/safe/safe_type_check.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"type-check",
"parse"
],
"disabled": false,
"notes": "Input parsed to u32 before constructing path \u2014 type-safe"
},
{
"case_id": "rs-safe-007",
"file": "rust/safe/safe_interprocedural.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"interprocedural",
"sanitize-wrapper"
],
"disabled": false,
"notes": "Input sanitized through interprocedural sanitize_input() call chain"
},
{
"case_id": "rs-safe-008",
"file": "rust/safe/safe_dominated.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"validated",
"dominated"
],
"disabled": false,
"notes": "Input validated with allowlist check before Command"
},
{
"case_id": "rs-safe-009",
"file": "rust/safe/safe_shell_metachar.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"validated",
"shell-metachar"
],
"disabled": false,
"notes": "Input rejected when containing shell metacharacters before Command"
},
{
"case_id": "rs-sqli-002",
"file": "rust/sqli/sqli_metachar_gate_wrong_sink.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
13,
13
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"sqli",
"shell-metachar-gate"
],
"disabled": false,
"notes": "Shell-metachar rejection is not a SQL sanitizer; SQL injection must still fire"
},
{
"case_id": "rs-sqli-format-named-arg",
"file": "rust/sqli/sqli_format_named_arg.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"sqli",
"format-named-arg"
],
"disabled": false,
"notes": "Named-arg `{user}` capture in format!() interpolates env::var into a SQL query without sanitisation. Regression guard for the format-string named-arg lifting fix (CVE-2025-53549 motivated)."
},
{
"case_id": "rs-cmdi-005",
"file": "rust/cmdi/cmdi_format_macro.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rust.cmdi.command"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
7,
7
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"format-macro",
"env-var"
],
"disabled": false,
"notes": "Tainted input interpolated via format!() into sh -c"
},
{
"case_id": "rs-cmdi-006",
"file": "rust/cmdi/cmdi_match_source.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rust.cmdi.command"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
9,
9
]
],
"expected_source_lines": [
[
6,
6
]
],
"tags": [
"match-expression",
"env-var"
],
"disabled": false,
"notes": "env::var bound via match expression then used as Command program name"
},
{
"case_id": "rs-cmdi-007",
"file": "rust/cmdi/cmdi_string_concat.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rust.cmdi.command"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
7,
7
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"string-concat",
"binary-op"
],
"disabled": false,
"notes": "Tainted &str concatenated via + into sh -c argument"
},
{
"case_id": "rs-cmdi-008",
"file": "rust/cmdi/cmdi_static_map_dangerous.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rust.cmdi.command"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
14,
14
]
],
"expected_source_lines": [
[
6,
6
]
],
"tags": [
"hashmap",
"static-lookup",
"dangerous-literal"
],
"disabled": false,
"notes": "Static HashMap where one inserted value carries shell metacharacters \u2014 finite-set suppression must NOT clear this sink"
},
{
"case_id": "rs-cmdi-009",
"file": "rust/cmdi/cmdi_indirect_multisink.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rust.cmdi.command"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
12,
12
]
],
"expected_source_lines": [
[
10,
11
]
],
"expected_call_site_lines": [
[
12,
12
]
],
"tags": [
"indirect",
"helper-function",
"multisink"
],
"disabled": false,
"notes": "Helper run_both takes two tainted params and invokes two Command sinks on consecutive lines (5, 6). Engine attributes intra-file helper sinks at the call site (line 12), not the inner Command::new (lines 5/6); see locator-policy comment in src/ast.rs."
},
{
"case_id": "rs-cmdi-cross-001",
"file": "rust/cmdi/cross_propagation/",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rust.cmdi.command"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
9,
9
]
],
"expected_source_lines": [
[
7,
7
]
],
"expected_call_site_lines": [
[
8,
8
]
],
"tags": [
"cross-file",
"propagation"
],
"disabled": false,
"notes": "Cross-file taint: main.rs line 7 env::var \u2192 transform::wrap at line 8 \u2192 Command::new at line 9. Sink is the top-level Command::new; transform::wrap is a cross-file propagator, not a sink."
},
{
"case_id": "rs-path-005",
"file": "rust/path_traversal/path_remove.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rust.file_io.remove_file"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"filesystem",
"remove",
"known-gap"
],
"disabled": false,
"notes": "fs::remove_file not in Rust sink rules \u2014 known FN coverage"
},
{
"case_id": "rs-ssrf-003",
"file": "rust/ssrf/ssrf_client_builder.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rust.ssrf.reqwest"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
4,
4
]
],
"tags": [
"builder-chain",
"known-gap"
],
"disabled": false,
"notes": "reqwest::Client::new().get(url).send() \u2014 builder chain not matched by reqwest::get/Client.execute sinks"
},
{
"case_id": "rs-sqli-001",
"file": "rust/sqli/sqli_rusqlite_format.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "analogue",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rust.sqli.rusqlite"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
8,
8
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"rusqlite",
"format-macro",
"known-gap"
],
"disabled": false,
"notes": "rusqlite::Connection.execute not in Rust sink rules \u2014 SQLi class has no Rust coverage"
},
{
"case_id": "rs-deser-001",
"file": "rust/deser/deser_serde_yaml.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "deser",
"cwe": "CWE-502",
"provenance": "synthetic",
"equivalence_tier": "analogue",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rust.deser.serde_yaml"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
9,
9
]
],
"expected_source_lines": [
[
8,
8
]
],
"tags": [
"serde",
"yaml",
"known-gap"
],
"disabled": false,
"notes": "serde_yaml::from_str not in Rust sink rules \u2014 deserialization class has no Rust coverage"
},
{
"case_id": "rs-xss-001",
"file": "rust/xss/axum_html/",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"rust.xss.axum_html"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
4,
4
]
],
"expected_source_lines": [
[
3,
3
]
],
"tags": [
"framework",
"axum",
"html"
],
"disabled": false,
"notes": "Axum Path<String> \u2192 Html(format!(...)) \u2014 requires framework rules (Cargo.toml present)"
},
{
"case_id": "rs-safe-009",
"file": "rust/safe/safe_match_guard.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"match-guard",
"validated"
],
"disabled": false,
"notes": "Match guard restricts input to ASCII alphanumeric before Command"
},
{
"case_id": "rs-safe-010",
"file": "rust/safe/safe_static_map_lookup.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"hashmap",
"static-lookup"
],
"disabled": false,
"notes": "Tainted key indexes static HashMap \u2014 value is hardcoded, not tainted"
},
{
"case_id": "rs-safe-011",
"file": "rust/safe/safe_parsed_port.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"type-parse",
"u16"
],
"disabled": false,
"notes": "Input parsed to u16 before use as Command arg \u2014 type-narrowed"
},
{
"case_id": "rs-safe-fileio-int-uid",
"file": "rust/safe/safe_parsed_uid_path.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"type-parse",
"u32",
"fileio-suppress"
],
"disabled": false,
"notes": "Tainted username parsed to u32 (uid) before use as PathBuf component \u2014 digits cannot contain `..` or `/`, so the FILE_IO sink suppresses on type alone. Regression guard for the type-only FILE_IO suppression and int-producing-callee leaf-stop."
},
{
"case_id": "rs-safe-format-named-arg-sanitized",
"file": "rust/safe/safe_format_string_sanitized.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"format-named-arg",
"sanitized"
],
"disabled": false,
"notes": "Named-arg `{safe}` reads sanitized value; sanitize_shell strips shell metachars before format!() interpolation reaches Command::new. Regression guard that named-arg lifting still respects sanitiser-dominated flows."
},
{
"case_id": "rs-safe-012",
"file": "rust/safe/safe_path_contains_dotdot.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-regression",
"path-sanitizer"
],
"disabled": false,
"notes": "Intraprocedural .contains(\"..\") + .starts_with('/') rejection \u2014 PathFact narrows dotdot and absolute axes on the sanitised branch"
},
{
"case_id": "rs-safe-015",
"file": "rust/safe/safe_path_is_absolute.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-regression",
"path-sanitizer"
],
"disabled": false,
"notes": "Path::new(x).is_absolute() rejection + .contains(\"..\") \u2014 PathFact narrows both axes via typed check and substring rejection"
},
{
"case_id": "rs-path-006",
"file": "rust/traversal/traversal_no_sanitizer.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
11,
11
]
],
"expected_source_lines": [
[
10,
10
]
],
"tags": [
"pathfact-regression",
"negative-guard"
],
"disabled": false,
"notes": "No sanitiser applied \u2014 PathFact stays Top, FILE_IO sink must fire (guards against over-suppression)"
},
{
"case_id": "rs-safe-cross-001",
"file": "rust/cmdi/cross_sanitizer/",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"cross-file",
"sanitizer"
],
"disabled": false,
"notes": "Cross-file: sanitize_shell in sanitizer.rs clears SHELL_ESCAPE cap before Command"
},
{
"case_id": "js-interproc-safe-001",
"file": "javascript/interprocedural/interproc_sanitizer_wrap.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"interprocedural",
"sanitizer-wrapper"
],
"disabled": false,
"notes": "XSS safe: input sanitized through encodeURIComponent wrapper function"
},
{
"case_id": "py-interproc-safe-001",
"file": "python/interprocedural/interproc_sanitizer_wrap.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"interprocedural",
"sanitizer-wrapper"
],
"disabled": false,
"notes": "XSS safe: input sanitized through html.escape wrapper function"
},
{
"case_id": "java-interproc-safe-001",
"file": "java/interprocedural/InterprocSanitizerWrap.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"interprocedural",
"sanitizer-wrapper"
],
"disabled": false,
"notes": "XSS safe: input sanitized through HtmlUtils.htmlEscape wrapper"
},
{
"case_id": "go-interproc-safe-001",
"file": "go/interprocedural/interproc_sanitizer_wrap.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"interprocedural",
"sanitizer-wrapper"
],
"disabled": false,
"notes": "XSS safe: input sanitized through html.EscapeString wrapper function"
},
{
"case_id": "php-interproc-safe-001",
"file": "php/interprocedural/interproc_sanitizer_wrap.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"interprocedural",
"sanitizer-wrapper"
],
"disabled": false,
"notes": "XSS safe: input sanitized through htmlspecialchars wrapper function"
},
{
"case_id": "rb-interproc-safe-001",
"file": "ruby/interprocedural/interproc_sanitizer_wrap.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"interprocedural",
"sanitizer-wrapper"
],
"disabled": false,
"notes": "XSS safe: input sanitized through CGI.escapeHTML wrapper function"
},
{
"case_id": "js-interproc-001",
"file": "javascript/interprocedural/interproc_taint_propagation.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"js.cmdi.exec"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
12,
12
]
],
"expected_source_lines": [
[
10,
10
]
],
"tags": [
"interprocedural",
"taint-propagation"
],
"disabled": false,
"notes": "Taint flows through buildCommand() helper to exec()"
},
{
"case_id": "py-interproc-001",
"file": "python/interprocedural/interproc_taint_propagation.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"py.cmdi.system"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
10,
10
]
],
"expected_source_lines": [
[
8,
8
]
],
"tags": [
"interprocedural",
"taint-propagation"
],
"disabled": false,
"notes": "Taint flows through build_command() helper to os.system()"
},
{
"case_id": "java-interproc-001",
"file": "java/interprocedural/InterprocTaintPropagation.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"java.sqli.executeQuery"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
12,
12
]
],
"expected_source_lines": [
[
10,
10
]
],
"tags": [
"interprocedural",
"taint-propagation"
],
"disabled": false,
"notes": "Taint flows through buildQuery() helper to executeQuery()"
},
{
"case_id": "go-interproc-001",
"file": "go/interprocedural/interproc_taint_propagation.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"go.sqli.query"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
16,
16
]
],
"expected_source_lines": [
[
14,
14
]
],
"tags": [
"interprocedural",
"taint-propagation"
],
"disabled": false,
"notes": "Taint flows through buildQuery() helper to db.Query()"
},
{
"case_id": "php-interproc-001",
"file": "php/interprocedural/interproc_taint_propagation.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"php.sqli.mysqli_query"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
9,
9
]
],
"expected_source_lines": [
[
7,
7
]
],
"tags": [
"interprocedural",
"taint-propagation"
],
"disabled": false,
"notes": "Taint flows through build_query() helper to mysqli_query()"
},
{
"case_id": "rb-interproc-001",
"file": "ruby/interprocedural/interproc_taint_propagation.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"ruby.sqli.select_all"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
10,
10
]
],
"expected_source_lines": [
[
8,
8
]
],
"tags": [
"interprocedural",
"taint-propagation"
],
"disabled": false,
"notes": "Taint flows through build_query() helper to select_all()"
},
{
"case_id": "js-pathprune-safe-001",
"file": "javascript/path_pruning/safe_early_return.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"path-pruning",
"early-return",
"allowlist"
],
"disabled": false,
"notes": "Command execution gated by allowlist check with early return"
},
{
"case_id": "py-pathprune-safe-001",
"file": "python/path_pruning/safe_early_return.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"path-pruning",
"early-return",
"allowlist"
],
"disabled": false,
"notes": "Command execution gated by allowlist check with early return"
},
{
"case_id": "go-pathprune-safe-001",
"file": "go/path_pruning/safe_early_return.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"state-unauthed-access"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"path-pruning",
"early-return",
"allowlist"
],
"disabled": false,
"notes": "Command execution gated by allowlist check with early return"
},
{
"case_id": "ts-xss-001",
"file": "typescript/xss/xss_typed_innerhtml.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"innerHTML",
"typed-express",
"reflected"
],
"disabled": false,
"notes": "Baseline TS XSS: typed Express handler flows req.query into innerHTML"
},
{
"case_id": "ts-xss-002",
"file": "typescript/xss/xss_as_any_cast.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"ts.quality.as_any"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
7,
7
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"as-any",
"type-assertion",
"innerHTML"
],
"disabled": false,
"notes": "TS-specific: taint must flow through `as any` and chained assertions (as_expression\u2192Kind::Seq)"
},
{
"case_id": "ts-xss-003",
"file": "typescript/xss/xss_generic_identity.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
11,
11
]
],
"expected_source_lines": [
[
9,
9
]
],
"tags": [
"generics",
"interprocedural",
"innerHTML"
],
"disabled": false,
"notes": "Tests Phase 11 inline context-sensitivity through generic identity<T> function"
},
{
"case_id": "ts-xss-004",
"file": "typescript/xss/xss_optional_chain_source.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
7,
7
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"optional-chain",
"adversarial-source",
"innerHTML"
],
"disabled": false,
"notes": "Adversarial: optional-chained source `req?.query?.name`. Tests whether the source matcher survives optional_chain_expression nodes. Expected FN until optional chaining is lowered to member access in labeling"
},
{
"case_id": "ts-xss-005",
"file": "typescript/xss/xss_dangerously_set_inner_html.tsx",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
9,
10
]
],
"expected_source_lines": [
[
7,
7
]
],
"tags": [
"tsx",
"jsx",
"dangerouslySetInnerHTML"
],
"disabled": false,
"notes": "TSX fixture: user bio flows into `dangerouslySetInnerHTML` and is sent via res.send. Exercises TSX grammar wiring (LANGUAGE_TSX) and confirms taint propagation through JSX expressions"
},
{
"case_id": "ts-sqli-001",
"file": "typescript/sqli/sqli_template_literal.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
10,
10
]
],
"expected_source_lines": [
[
9,
9
]
],
"tags": [
"sqli",
"pg",
"template-literal"
],
"disabled": false,
"notes": "Template-literal SQL via pg Pool.query; exact SQL_QUERY sink match"
},
{
"case_id": "ts-sqli-002",
"file": "typescript/sqli/sqli_prisma_raw.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
10,
10
]
],
"expected_source_lines": [
[
9,
9
]
],
"tags": [
"sqli",
"prisma",
"queryRawUnsafe"
],
"disabled": false,
"notes": "Prisma $queryRawUnsafe \u2014 TS-specific ORM sink"
},
{
"case_id": "ts-sqli-003",
"file": "typescript/sqli/sqli_db_query_concat.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cfg-unguarded-sink"
],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"sqli",
"real-repo-precision-2026-04-29",
"regression-guard"
],
"disabled": false,
"notes": "Vulnerable counterpart for ts-safe-017 \u2014 bare `connection.query(`SELECT...`)` and chained `db.query(SQL).then(...)` (Promise method, not ORM accessor) must still fire as SQL_QUERY sinks even after the ORM-chain recogniser landed."
},
{
"case_id": "ts-cmdi-001",
"file": "typescript/cmdi/cmdi_exec_template.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
9,
9
]
],
"expected_source_lines": [
[
8,
8
]
],
"tags": [
"cmdi",
"child_process",
"template-literal"
],
"disabled": false,
"notes": "Destructured exec with template literal command from req.body"
},
{
"case_id": "ts-cmdi-002",
"file": "typescript/cmdi/cmdi_async_wrapper.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
11,
11
]
],
"expected_source_lines": [
[
10,
10
]
],
"tags": [
"cmdi",
"async",
"promisify",
"execAsync"
],
"disabled": false,
"notes": "promisify-wrapped exec (execAsync) \u2014 TS rules enumerate execAsync as a command sink"
},
{
"case_id": "ts-ssrf-001",
"file": "typescript/ssrf/ssrf_axios_user_url.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
8,
8
]
],
"expected_source_lines": [
[
7,
7
]
],
"tags": [
"ssrf",
"axios"
],
"disabled": false,
"notes": "axios.get with req.query.url \u2014 baseline TS SSRF"
},
{
"case_id": "ts-ssrf-002",
"file": "typescript/ssrf/ssrf_fastify_fetch.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "analogue",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
9,
9
]
],
"expected_source_lines": [
[
8,
8
]
],
"tags": [
"ssrf",
"fastify",
"framework-rules",
"adversarial-framework"
],
"disabled": false,
"notes": "Fastify framework route \u2014 exercises framework_rules(ctx) source detection for request.query. Expected FN when framework context is not detected from a single file (no package.json)"
},
{
"case_id": "ts-ssrf-003",
"file": "typescript/ssrf/ssrf_encoded_host.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
9,
9
]
],
"expected_source_lines": [
[
7,
7
]
],
"tags": [
"ssrf",
"axios",
"url-encode",
"adversarial-fn-guard"
],
"disabled": false,
"notes": "Regression guard for prefix-locked SSRF suppression: encodeURIComponent is applied to the HOST (not path), so the template prefix 'https://' does not lock the destination. Must still fire as SSRF \u2014 proves the StringFact host check does not over-suppress when the attacker controls the authority component"
},
{
"case_id": "ts-code_injection-001",
"file": "typescript/code_injection/code_exec_eval.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "code_injection",
"cwe": "CWE-94",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"ts.code_exec.eval"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"eval",
"code-injection"
],
"disabled": false,
"notes": "Classic eval + user input; AST pattern ts.code_exec.eval applies"
},
{
"case_id": "ts-code_injection-002",
"file": "typescript/code_injection/code_exec_new_function.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "code_injection",
"cwe": "CWE-94",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"ts.code_exec.new_function"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"new-function",
"code-injection"
],
"disabled": false,
"notes": "new Function(body) \u2014 AST pattern ts.code_exec.new_function"
},
{
"case_id": "ts-open_redirect-001",
"file": "typescript/open_redirect/location_href.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-601",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"ts.xss.location_assign"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"open-redirect",
"location-href"
],
"disabled": false,
"notes": "Open redirect via location.href = userUrl"
},
{
"case_id": "ts-path_traversal-001",
"file": "typescript/path_traversal/path_traversal_sendfile.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
6
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"path-traversal",
"sendFile"
],
"disabled": false,
"notes": "res.sendFile with unsanitized req.query.path"
},
{
"case_id": "ts-crypto-001",
"file": "typescript/crypto/weak_hash_md5.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "crypto",
"cwe": "CWE-327",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"ts.crypto.weak_hash_import"
],
"allowed_alternative_rule_ids": [
"ts.crypto.weak_hash"
],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
4,
4
]
],
"expected_source_lines": null,
"tags": [
"crypto",
"weak-hash",
"md5"
],
"disabled": false,
"notes": "md5() imported from the md5 package \u2014 AST pattern ts.crypto.weak_hash_import"
},
{
"case_id": "ts-secrets-001",
"file": "typescript/secrets/fallback_secret.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "secrets",
"cwe": "CWE-798",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"ts.secrets.fallback_secret"
],
"allowed_alternative_rule_ids": [
"ts.secrets.hardcoded_secret"
],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
5,
5
]
],
"expected_source_lines": null,
"tags": [
"secrets",
"fallback-env"
],
"disabled": false,
"notes": "process.env.KEY || 'hardcoded' \u2014 AST pattern ts.secrets.fallback_secret"
},
{
"case_id": "ts-insecure_config-001",
"file": "typescript/insecure_config/reject_unauthorized.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "insecure_config",
"cwe": "CWE-295",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"ts.config.reject_unauthorized"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
4,
4
]
],
"expected_source_lines": null,
"tags": [
"tls",
"reject-unauthorized"
],
"disabled": false,
"notes": "TLS verification disabled \u2014 AST pattern"
},
{
"case_id": "ts-insecure_config-002",
"file": "typescript/insecure_config/cookie_httponly.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "insecure_config",
"cwe": "CWE-1004",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"ts.config.insecure_session_httponly"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
9,
9
]
],
"expected_source_lines": null,
"tags": [
"cookies",
"httpOnly"
],
"disabled": false,
"notes": "session cookie httpOnly: false \u2014 AST pattern"
},
{
"case_id": "ts-prototype-001",
"file": "typescript/prototype/proto_assignment.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "prototype",
"cwe": "CWE-1321",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"ts.prototype.proto_assignment"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
4,
4
]
],
"expected_source_lines": null,
"tags": [
"prototype-pollution"
],
"disabled": false,
"notes": "__proto__ write \u2014 AST pattern"
},
{
"case_id": "ts-interproc-001",
"file": "typescript/interprocedural/interproc_class_method.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
17,
17
]
],
"expected_source_lines": [
[
15,
15
]
],
"tags": [
"cmdi",
"class-method",
"interprocedural"
],
"disabled": false,
"notes": "Class method builder: Runner.build concatenates tainted target, caller passes result to exec. Stresses intra-file class-method call resolution"
},
{
"case_id": "ts-type_system-001",
"file": "typescript/type_system/discriminated_union_narrow.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cfg-unguarded-sink"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
13,
13
]
],
"expected_source_lines": [
[
12,
12
]
],
"tags": [
"discriminated-union",
"narrowing",
"cmdi"
],
"disabled": false,
"notes": "TS discriminated-union narrowing (kind === 'ping') does not sanitize \u2014 a.target is still user-controlled. Guards against the FP of treating `kind` guards as security sanitizers"
},
{
"case_id": "ts-type_system-002",
"file": "typescript/type_system/interface_dispatch.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
10,
10
],
[
20,
20
]
],
"expected_source_lines": [
[
19,
19
]
],
"tags": [
"interface",
"dispatch",
"adversarial-interprocedural",
"cmdi"
],
"disabled": false,
"notes": "Interface-typed receiver `impl: Runner` \u2192 resolve to ShellRunner.run \u2192 exec. Tests intra-file method resolution through interface types; expected FN if only normalized callee-name matching is used"
},
{
"case_id": "ts-type_system-003",
"file": "typescript/type_system/decorator_passthrough.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "language_specific",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
15,
15
],
[
23,
23
]
],
"expected_source_lines": [
[
23,
23
]
],
"tags": [
"decorator",
"adversarial-decorator",
"cmdi"
],
"disabled": false,
"notes": "Method decorator wraps Service.run; the undecorated body still contains exec(cmd). Tests whether decorator syntax interferes with class-method extraction. Expected FN if decorator parsing derails summary extraction"
},
{
"case_id": "ts-safe-001",
"file": "typescript/safe/safe_dompurify.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"sanitizer",
"dompurify"
],
"disabled": false,
"notes": "DOMPurify.sanitize inline before innerHTML"
},
{
"case_id": "ts-safe-002",
"file": "typescript/safe/safe_number_coerce.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"type-coercion",
"Number"
],
"disabled": false,
"notes": "Number() coercion sanitizes SQL integer interpolation; Number is in TS sanitizer rules with Cap::all()"
},
{
"case_id": "ts-safe-003",
"file": "typescript/safe/safe_encode_uri.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"url-encode",
"ssrf",
"adversarial-fp"
],
"disabled": false,
"notes": "Semantically safe: user term is URL-encoded into a fixed-host URL; no SSRF possible. Known Nyx weak spot \u2014 encodeURIComponent is Cap::URL_ENCODE while axios sink is Cap::SSRF, so cap mismatch may yield FP. Documents the cap-overlap limitation"
},
{
"case_id": "ts-safe-004",
"file": "typescript/safe/safe_hardcoded_url.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"no-source",
"hardcoded"
],
"disabled": false,
"notes": "Hardcoded URL, no user input; should be a clean TN"
},
{
"case_id": "ts-safe-005",
"file": "typescript/safe/safe_validator_escape.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"sanitizer",
"validator"
],
"disabled": false,
"notes": "validator.escape sanitizes XSS payload before innerHTML"
},
{
"case_id": "ts-safe-006",
"file": "typescript/safe/safe_typeof_guard.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"ts.code_exec.eval"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"type-check",
"typeof",
"eval"
],
"disabled": false,
"notes": "typeof === 'number' guards eval; only numbers reach sink. Forbidden ts.code_exec.eval here because the taint flow is gated \u2014 pattern-only detection would be an FP"
},
{
"case_id": "ts-safe-007",
"file": "typescript/safe/safe_interproc_sanitizer.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"sanitizer",
"interprocedural",
"dompurify",
"adversarial-fp"
],
"disabled": false,
"notes": "DOMPurify wrapped in cleanHtml() helper. Known JS weak spot (js-interproc-safe-001 is an FP); documents whether TS handling matches"
},
{
"case_id": "ts-safe-008",
"file": "typescript/safe/safe_constant_query.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"constant",
"no-source"
],
"disabled": false,
"notes": "Compile-time constant SQL; no user input; should TN"
},
{
"case_id": "ts-safe-009",
"file": "typescript/safe/safe_parameterized.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"parameterized",
"sqli",
"adversarial-fp"
],
"disabled": false,
"notes": "Parameterized pg query: SQL string is constant, id flows as $1 placeholder value. Semantically safe but taint still reaches pool.query call; known Nyx limitation \u2014 positional args aren't distinguished for SQL_QUERY sink"
},
{
"case_id": "ts-safe-010",
"file": "typescript/safe/safe_jsx_text.tsx",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"tsx",
"jsx",
"auto-escape"
],
"disabled": false,
"notes": "TSX fixture: user bio rendered as JSX text child. React auto-escapes JSX text so this is semantically safe. Guards against over-flagging JSX expressions now that TSX grammar is wired"
},
{
"case_id": "cve-py-2023-48022-vulnerable",
"file": "cve_corpus/python/CVE-2023-48022/vulnerable.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"py.cmdi.os_system"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
31,
31
]
],
"expected_source_lines": [
[
26,
27
]
],
"tags": [
"cve",
"ray",
"rce",
"flask"
],
"disabled": false,
"notes": "CVE-2023-48022: Ray dashboard job-submission RCE via shell-interpreted entrypoint in os.system. Apache-2.0"
},
{
"case_id": "cve-py-2023-48022-patched",
"file": "cve_corpus/python/CVE-2023-48022/patched.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"py.cmdi.os_system",
"py.cmdi.subprocess_shell",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"ray",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2023-48022 patched counterpart: shlex.split + subprocess.Popen(shell=False); regression guard that Nyx does not refire on the fix"
},
{
"case_id": "cve-js-2019-14939-vulnerable",
"file": "cve_corpus/javascript/CVE-2019-14939/vulnerable.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "code_exec",
"cwe": "CWE-94",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"js.code_exec.eval"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
30,
30
]
],
"expected_source_lines": [
[
23,
25
]
],
"tags": [
"cve",
"mongo-express",
"rce",
"express",
"eval"
],
"disabled": false,
"notes": "CVE-2019-14939: mongo-express /checkValid evaluated req.body.document with eval(); RCE on the admin interface. MIT"
},
{
"case_id": "cve-js-2019-14939-patched",
"file": "cve_corpus/javascript/CVE-2019-14939/patched.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"js.code_exec.eval",
"js.code_exec.new_function",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"mongo-express",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2019-14939 patched counterpart: EJSON.parse replaces eval; regression guard that Nyx does not refire on the fix"
},
{
"case_id": "cve-js-2025-64430-vulnerable",
"file": "cve_corpus/javascript/CVE-2025-64430/vulnerable.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"parse-server",
"ssrf",
"express",
"http-get"
],
"notes": "CVE-2025-64430: Parse Server file router fetched user-supplied Parse.File _source.uri via http.get, allowing SSRF. Apache-2.0"
},
{
"case_id": "cve-js-2025-64430-patched",
"file": "cve_corpus/javascript/CVE-2025-64430/patched.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"parse-server",
"patched",
"negative"
],
"notes": "CVE-2025-64430 patched counterpart: URI-backed file upload removed entirely; no http.get on user input"
},
{
"case_id": "cve-js-2023-22621-vulnerable",
"file": "cve_corpus/javascript/CVE-2023-22621/vulnerable.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "code_exec",
"cwe": "CWE-1336",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"strapi",
"code_exec",
"ssti",
"lodash",
"template"
],
"notes": "CVE-2023-22621: Strapi <=4.5.5 sendTemplatedEmail compiled lodash _.template on attacker-controlled email-template body (admin panel), enabling SSTI -> RCE via <% ... %> evaluate blocks. MIT"
},
{
"case_id": "cve-js-2023-22621-patched",
"file": "cve_corpus/javascript/CVE-2023-22621/patched.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"strapi",
"patched",
"negative"
],
"notes": "CVE-2023-22621 patched counterpart: _.template called with { interpolate: <strict regex>, evaluate: false, escape: false } so the lodash evaluate block compiler is disabled."
},
{
"case_id": "cve-js-2026-42353-vulnerable",
"file": "cve_corpus/javascript/CVE-2026-42353/vulnerable.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"i18next-http-middleware",
"path_traversal",
"ssrf",
"ternary-as-value"
],
"disabled": false,
"notes": "CVE-2026-42353 / GHSA-jfgf-83c5-2c4m: i18next-http-middleware <3.9.3 getResourcesHandler forwards user-controlled lng/ns into i18next.services.backendConnector.load(...) without sanitisation. Paired with i18next-fs-backend the unsanitised values reach readFileSync(filename) (path traversal); paired with i18next-http-backend they reach an outgoing HTTP request URL (SSRF). MIT. Enabled 2026-05-04 after the array-method validator-callback narrowing (`try_array_method_validator_callback_narrowing` in src/taint/ssa_transfer/mod.rs) closed the dual gap that previously made the patched counterpart fire."
},
{
"case_id": "cve-js-2026-42353-patched",
"file": "cve_corpus/javascript/CVE-2026-42353/patched.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"i18next-http-middleware",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2026-42353 patched counterpart: utils.isSafeIdentifier denylist applied via languages.filter(isSafeIdentifier) before forwarding to backend. Enabled 2026-05-04: array-method validator-callback narrowing recognises `<arr>.filter(<is*/has*Valid|isSafe>)` shapes and strips the receiver-derived caps from the call result."
},
{
"case_id": "cve-ts-2023-26159-vulnerable",
"file": "cve_corpus/typescript/CVE-2023-26159/vulnerable.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
32,
32
]
],
"expected_source_lines": [
[
27,
28
]
],
"tags": [
"cve",
"follow-redirects",
"ssrf",
"express",
"axios"
],
"disabled": false,
"notes": "CVE-2023-26159: follow-redirects leaked Authorization across cross-origin redirects; caller-side pattern is SSRF via unvalidated user URL into HTTP client. MIT"
},
{
"case_id": "cve-ts-2023-26159-patched",
"file": "cve_corpus/typescript/CVE-2023-26159/patched.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"follow-redirects",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2023-26159 patched counterpart: URL allowlist check guards axios.get; regression guard that Nyx does not refire on the fix"
},
{
"case_id": "cve-ts-ghsa-4x48-cgf9-q33f-vulnerable",
"file": "cve_corpus/typescript/GHSA-4x48-cgf9-q33f/vulnerable.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
51,
51
]
],
"expected_source_lines": [
[
50,
50
]
],
"tags": [
"cve",
"novu",
"ssrf",
"vulnerable"
],
"disabled": false,
"notes": "GHSA-4x48-cgf9-q33f: Novu conditions-filter webhook bypassed validateUrlSsrf; raw axios.post(child.webhookUrl) is the cross-function SSRF sink. MIT-licensed libs/application-generic package."
},
{
"case_id": "cve-ts-ghsa-4x48-cgf9-q33f-patched",
"file": "cve_corpus/typescript/GHSA-4x48-cgf9-q33f/patched.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"novu",
"patched",
"negative"
],
"disabled": false,
"notes": "GHSA-4x48-cgf9-q33f patched: validateUrlSsrf(child.webhookUrl) followed by `if (ssrfError) throw` guards the axios.post call; regression guard for the indirect-validator branch narrowing + summary all_validated propagation."
},
{
"case_id": "cve-py-2017-18342-vulnerable",
"file": "cve_corpus/python/CVE-2017-18342/vulnerable.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "deserialization",
"cwe": "CWE-502",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"py.deser.yaml_load"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
30,
30
]
],
"expected_source_lines": [
[
26,
26
]
],
"tags": [
"cve",
"pyyaml",
"deserialization",
"flask"
],
"disabled": false,
"notes": "CVE-2017-18342: PyYAML yaml.load default loader instantiated arbitrary Python objects from !!python/object tags; RCE on any app passing untrusted YAML. MIT"
},
{
"case_id": "cve-py-2017-18342-patched",
"file": "cve_corpus/python/CVE-2017-18342/patched.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"py.deser.yaml_load",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"pyyaml",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2017-18342 patched counterpart: yaml.safe_load replaces yaml.load; regression guard that Nyx does not refire on the fix"
},
{
"case_id": "cve-py-2025-69662-vulnerable",
"file": "cve_corpus/python/CVE-2025-69662/vulnerable.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "sql_injection",
"cwe": "CWE-89",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"py.sqli.text_format"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
43,
44
]
],
"expected_source_lines": [
[
35,
35
]
],
"tags": [
"cve",
"geopandas",
"sql_injection",
"flask",
"sqlalchemy"
],
"disabled": false,
"notes": "CVE-2025-69662: geopandas to_postgis() interpolated GeoDataFrame's geometry column name into Find_SRID probe via f-string; SQL injection on user-uploaded layer. BSD-3-Clause"
},
{
"case_id": "cve-py-2025-69662-patched",
"file": "cve_corpus/python/CVE-2025-69662/patched.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"py.sqli.text_format",
"py.sqli.execute_format",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"geopandas",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2025-69662 patched counterpart: text(...).bindparams() replaces f-string interpolation; regression guard that Nyx does not refire on the fix"
},
{
"case_id": "cve-py-2026-33626-vulnerable",
"file": "cve_corpus/python/CVE-2026-33626/vulnerable.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
49,
49
]
],
"expected_source_lines": [
[
43,
43
]
],
"tags": [
"cve",
"lmdeploy",
"ssrf",
"flask",
"requests"
],
"disabled": false,
"notes": "CVE-2026-33626: LMDeploy vision-language image loader fetched user-supplied URLs via requests.Session().get without private-IP guard; SSRF / cloud-metadata exfil. Apache-2.0"
},
{
"case_id": "cve-py-2026-33626-patched",
"file": "cve_corpus/python/CVE-2026-33626/patched.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"lmdeploy",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2026-33626 patched counterpart: _is_safe_url private-IP allowlist gate replaces scheme-only check; regression guard that Nyx does not refire on the fix"
},
{
"case_id": "cve-py-2024-23334-vulnerable",
"file": "cve_corpus/python/CVE-2024-23334/vulnerable.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
61,
61
]
],
"expected_source_lines": [
[
45,
45
]
],
"tags": [
"cve",
"aiohttp",
"path-traversal",
"positive"
],
"disabled": false,
"notes": "CVE-2024-23334: aiohttp StaticResource symlink-bypass — relative_to(self._directory) check gated to the non-follow_symlinks arm; FileResponse(filepath) reachable from request.match_info on follow_symlinks=True. Apache-2.0"
},
{
"case_id": "cve-py-2024-23334-patched",
"file": "cve_corpus/python/CVE-2024-23334/patched.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"aiohttp",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2024-23334 patched counterpart: relative_to(self._directory) recognised as a receiver-side FILE_IO validator on both follow_symlinks arms; regression guard that Nyx does not refire on the fix"
},
{
"case_id": "cve-py-2023-6568-vulnerable",
"file": "cve_corpus/python/CVE-2023-6568/vulnerable.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"py.xss.make_response_format"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "LOW",
"expected_category": "Security",
"expected_sink_lines": [
[
45,
45
]
],
"expected_source_lines": [
[
41,
41
]
],
"tags": [
"cve",
"mlflow",
"xss",
"positive"
],
"disabled": false,
"notes": "CVE-2023-6568: mlflow auth create_user reflected attacker-controlled Content-Type request header into make_response f-string — reflected XSS. Apache-2.0"
},
{
"case_id": "cve-py-2023-6568-patched",
"file": "cve_corpus/python/CVE-2023-6568/patched.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"py.xss.make_response_format",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"mlflow",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2023-6568 patched counterpart: f-string interpolation replaced with static string; no tainted source reaches make_response and the AST f-string trigger is gone, so neither rule fires"
},
{
"case_id": "cve-py-2024-21513-vulnerable",
"file": "cve_corpus/python/CVE-2024-21513/vulnerable.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "code_exec",
"cwe": "CWE-94",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"py.code_exec.eval"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
42,
42
]
],
"expected_source_lines": [],
"tags": [
"cve",
"langchain",
"code-exec",
"positive"
],
"disabled": false,
"notes": "CVE-2024-21513: langchain_experimental VectorSQLDatabaseChain ran every SQL query result through eval() via _try_eval; attacker-controlled DB rows -> RCE. MIT"
},
{
"case_id": "cve-py-2024-21513-patched",
"file": "cve_corpus/python/CVE-2024-21513/patched.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"py.code_exec.eval"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"langchain",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2024-21513 patched counterpart: _try_eval helper deleted and get_result_from_sqldb returns raw result with no eval; py.code_exec.eval silent"
},
{
"case_id": "cve-php-2017-9841-vulnerable",
"file": "cve_corpus/php/CVE-2017-9841/vulnerable.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "code_exec",
"cwe": "CWE-94",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"php.code_exec.eval"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
22,
22
]
],
"expected_source_lines": [
[
21,
21
]
],
"tags": [
"cve",
"phpunit",
"rce",
"eval",
"stdin"
],
"disabled": false,
"notes": "CVE-2017-9841: PHPUnit Util/PHP/eval-stdin.php fed php://input to eval(); mass-scanned for webshell deployment. BSD-3-Clause"
},
{
"case_id": "cve-php-2017-9841-patched",
"file": "cve_corpus/php/CVE-2017-9841/patched.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"php.code_exec.eval",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"phpunit",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2017-9841 patched counterpart: stub rejects non-CLI SAPI and removes the eval sink entirely; regression guard that Nyx does not refire on the fix"
},
{
"case_id": "cve-php-2018-15133-vulnerable",
"file": "cve_corpus/php/CVE-2018-15133/vulnerable.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "deserialization",
"cwe": "CWE-502",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"php.deser.unserialize"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
26,
26
]
],
"expected_source_lines": [
[
24,
24
]
],
"tags": [
"cve",
"laravel",
"deserialization",
"cookie"
],
"disabled": false,
"notes": "CVE-2018-15133: Laravel <= 5.6.29 unserialized a cookie-borne payload without HMAC verification; known gadget chains reached arbitrary code when APP_KEY leaked. MIT"
},
{
"case_id": "cve-php-2018-15133-patched",
"file": "cve_corpus/php/CVE-2018-15133/patched.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"php.deser.unserialize",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"laravel",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2018-15133 patched counterpart: HMAC-verified JSON cookie replaces PHP-serialized payload; regression guard that Nyx does not refire on the fix"
},
{
"case_id": "cve-php-2026-33486-vulnerable",
"file": "cve_corpus/php/CVE-2026-33486/vulnerable.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
44,
44
]
],
"expected_source_lines": [
[
40,
40
]
],
"tags": [
"cve",
"roadiz",
"ssrf",
"lfi"
],
"disabled": false,
"notes": "CVE-2026-33486: roadiz/documents DownloadedFile::fromUrl passes the URL parameter to fopen() without scheme allowlist or host validation; file:// payloads read host filesystem. MIT"
},
{
"case_id": "cve-php-2026-33486-patched",
"file": "cve_corpus/php/CVE-2026-33486/patched.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"roadiz",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2026-33486 patched counterpart: isSafeRemoteUrl early-return validates scheme/host before fopen; regression guard that Nyx does not refire on the fix"
},
{
"case_id": "cve-rb-2013-0156-vulnerable",
"file": "cve_corpus/ruby/CVE-2013-0156/vulnerable.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "deserialization",
"cwe": "CWE-502",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"rb.deser.yaml_load"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
28,
28
]
],
"expected_source_lines": [],
"tags": [
"cve",
"rails",
"deserialization",
"params"
],
"disabled": false,
"notes": "CVE-2013-0156: Rails XML params parser round-tripped tagged YAML through YAML.load, instantiating arbitrary Ruby objects; unauthenticated RCE on every affected Rails app. MIT"
},
{
"case_id": "cve-rb-2013-0156-patched",
"file": "cve_corpus/ruby/CVE-2013-0156/patched.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rb.deser.yaml_load",
"rb.deser.marshal_load",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"rails",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2013-0156 patched counterpart: params decoded as JSON, no YAML loader on untrusted input; regression guard that Nyx does not refire on the fix"
},
{
"case_id": "cve-rb-2020-8130-vulnerable",
"file": "cve_corpus/ruby/CVE-2020-8130/vulnerable.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
39,
39
]
],
"expected_source_lines": [],
"tags": [
"cve",
"rake",
"cmdi",
"kernel-open"
],
"disabled": false,
"notes": "CVE-2020-8130: Rake::FileList#egrep opened each filename via Kernel#open, which interprets a leading | as a shell command. Attacker-supplied filenames (build-config / job-runner inputs) thereby achieved arbitrary command execution. Fixed in v12.3.3 by switching to File.open. MIT"
},
{
"case_id": "cve-rb-2020-8130-patched",
"file": "cve_corpus/ruby/CVE-2020-8130/patched.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"rake",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2020-8130 patched counterpart: open(fn, ...) replaced with File.open(fn, ...); File.open never pipes a leading |. Fixture additionally hardcodes the filename + pattern (patched-fix simplification) so the regression guard is class-clean \u2014 see vulnerable.rb header for rationale."
},
{
"case_id": "cve-rb-2021-21288-vulnerable",
"file": "cve_corpus/ruby/CVE-2021-21288/vulnerable.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
64,
64
]
],
"expected_source_lines": [
[
64,
64
]
],
"tags": [
"cve",
"carrierwave",
"ssrf",
"open-uri"
],
"disabled": false,
"notes": "CVE-2021-21288: CarrierWave Downloader::Base#download passed an attacker-controlled URL straight into OpenURI.open_uri (only host-normalised via process_uri). open-uri follows redirects without an allowlist, so any uploader exposing a remote_url field reached internal services / cloud metadata / file:// URIs. Fixed in 2.1.1 / 1.3.2 by routing through SsrfFilter.get. MIT"
},
{
"case_id": "cve-rb-2021-21288-patched",
"file": "cve_corpus/ruby/CVE-2021-21288/patched.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"carrierwave",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2021-21288 patched counterpart: OpenURI.open_uri replaced with SsrfFilter.get(uri, ...) which validates the resolved host against private IP ranges before issuing the request. The upstream skip_ssrf_protection? escape hatch (default returns false) is omitted as a patched-fix simplification."
},
{
"case_id": "cve-rb-2023-38337-vulnerable",
"file": "cve_corpus/ruby/CVE-2023-38337/vulnerable.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
58,
58
]
],
"expected_source_lines": [
[
54,
54
]
],
"tags": [
"cve",
"rswag",
"path_traversal",
"rack-middleware"
],
"notes": "CVE-2023-38337: rswag-api Rack middleware concatenated env['PATH_INFO'] into the swagger root path with no validation; GET /../config/secrets.yml served arbitrary YAML/JSON files. Fixed in 2.10.1 by File.expand_path + start_with? rooted-path check. MIT"
},
{
"case_id": "cve-rb-2023-38337-patched",
"file": "cve_corpus/ruby/CVE-2023-38337/patched.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"rswag",
"patched",
"negative"
],
"notes": "CVE-2023-38337 patched counterpart: filename = File.expand_path(File.join(root, path)); unless filename.start_with?(root); return reject; end. Stays clean once Nyx recognises the canonicalize+rooted-path pattern."
},
{
"case_id": "cve-java-2015-7501-vulnerable",
"file": "cve_corpus/java/CVE-2015-7501/vulnerable.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "deserialization",
"cwe": "CWE-502",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"java.deser.readobject"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
35,
35
]
],
"expected_source_lines": [
[
34,
34
]
],
"tags": [
"cve",
"commons-collections",
"deserialization",
"servlet"
],
"disabled": false,
"notes": "CVE-2015-7501: Apache Commons Collections InvokerTransformer chain drove RCE on any app reading attacker-controlled bytes through ObjectInputStream.readObject. Apache-2.0"
},
{
"case_id": "cve-java-2015-7501-patched",
"file": "cve_corpus/java/CVE-2015-7501/patched.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"java.deser.readobject",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"commons-collections",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2015-7501 patched counterpart: Jackson JSON codec replaces native Java deserialization; no ObjectInputStream on the request path; regression guard"
},
{
"case_id": "cve-go-2022-30323-vulnerable",
"file": "cve_corpus/go/CVE-2022-30323/vulnerable.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"go.cmdi.exec_command"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
34,
34
]
],
"expected_source_lines": [
[
30,
30
]
],
"tags": [
"cve",
"go-getter",
"cmdi",
"git"
],
"disabled": false,
"notes": "CVE-2022-30323: hashicorp/go-getter forwarded user URLs into `git clone` argv, letting `ext::`/`upload-pack=` aliases reach a shell; affected Terraform, Packer, Nomad, Vault. MPL-2.0"
},
{
"case_id": "cve-go-2022-30323-patched",
"file": "cve_corpus/go/CVE-2022-30323/patched.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"go.cmdi.exec_command",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"go-getter",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2022-30323 patched counterpart: scheme allowlist + in-process go-git clone removes the exec.Command path; regression guard that Nyx does not refire on the fix"
},
{
"case_id": "cve-go-2023-3188-vulnerable",
"file": "cve_corpus/go/CVE-2023-3188/vulnerable.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
85,
85
]
],
"expected_source_lines": [
[
84,
84
]
],
"tags": [
"cve",
"owncast",
"ssrf",
"fediverse"
],
"disabled": false,
"notes": "CVE-2023-3188: Owncast 0.0.x webfinger SSRF \u2014 `account` parsed off the @-delimited handle reaches `http.DefaultClient.Get(requestURL.String())` with no host validation. Engine detects via cross-function taint flow (handler \u2192 GetWebfingerLinks param 0 \u2192 http.DefaultClient.Get SSRF sink). MIT."
},
{
"case_id": "cve-go-2023-3188-patched",
"file": "cve_corpus/go/CVE-2023-3188/patched.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"owncast",
"ssrf",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2023-3188 patched counterpart: `IsHostnameInternal` early-return + redirect-blocked `*http.Client`. Regression guard that Nyx does not refire on the fix; the local-client sink (`client.Get`) is intentionally not on the SSRF matcher list."
},
{
"case_id": "cve-go-2024-31450-vulnerable",
"file": "cve_corpus/go/CVE-2024-31450/vulnerable.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
72,
72
]
],
"expected_source_lines": [
[
64,
64
]
],
"tags": [
"cve",
"owncast",
"path_traversal",
"emoji"
],
"disabled": false,
"notes": "CVE-2024-31450: Owncast 0.1.2 emoji-delete API joined a body-supplied filename to the emoji directory and called `os.Remove` without `filepath.Base`. Fixed in 0.1.3 with `filepath.IsLocal(targetPath)` early return."
},
{
"case_id": "cve-go-2024-31450-patched",
"file": "cve_corpus/go/CVE-2024-31450/patched.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"owncast",
"path_traversal",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2024-31450 patched counterpart: `filepath.IsLocal(targetPath)` early-return. Regression guard."
},
{
"case_id": "cve-go-2026-41422-vulnerable",
"file": "cve_corpus/go/CVE-2026-41422/vulnerable.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
46,
46
]
],
"expected_source_lines": [
[
32,
32
]
],
"tags": [
"cve",
"daptin",
"sqli",
"goqu",
"for-range",
"gin"
],
"disabled": false,
"notes": "CVE-2026-41422 / GHSA-rw2c-8rfq-gwfv: daptin /aggregate/:typename endpoint loops `c.QueryArray(\"column\")` into `goqu.L(project)` (raw SQL literal builder). Fixed in v0.11.4 by replacing goqu.L with parseAggExpr (allowlist + typed goqu.I/COUNT/SUM constructors)."
},
{
"case_id": "cve-go-2026-41422-patched",
"file": "cve_corpus/go/CVE-2026-41422/patched.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"daptin",
"sqli",
"goqu",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2026-41422 patched counterpart: aggregate function allowlist + typed goqu.I/COUNT/SUM constructors. Regression guard."
},
{
"case_id": "go-ssrf-004",
"file": "go/ssrf/ssrf_default_client_get.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "ssrf",
"cwe": "CWE-918",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
13,
13
]
],
"expected_source_lines": [
[
12,
12
]
],
"tags": [
"ssrf",
"default-client",
"regression"
],
"disabled": false,
"notes": "CVE-Hunt session 2 regression: `http.DefaultClient.Get` was not on the Go SSRF matcher list; pin so a future revert can't quietly drop the matcher."
},
{
"case_id": "go-ssrf-safe-002",
"file": "go/ssrf/safe_ssrf_default_client_get.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"ssrf",
"default-client",
"safe",
"negative"
],
"disabled": false,
"notes": "CVE-Hunt session 2 negative pair: hard-coded URL handed to `http.DefaultClient.Get`; new matcher must not over-fire on constant-URL calls."
},
{
"case_id": "go-path-002",
"file": "go/path_traversal/path_traversal_remove.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
19,
19
]
],
"expected_source_lines": [
[
17,
17
]
],
"tags": [
"path-traversal",
"os-remove",
"regression"
],
"disabled": false,
"notes": "CVE-Hunt session 2 regression: `os.Remove` and the rest of the mutating-fs family (`os.WriteFile`, `os.RemoveAll`) were missing from the Go FILE_IO matcher list; pin against a future revert."
},
{
"case_id": "go-path-safe-002",
"file": "go/path_traversal/safe_path_traversal_remove.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"path-traversal",
"os-remove",
"safe",
"negative"
],
"disabled": false,
"notes": "CVE-Hunt session 2 negative pair: `filepath.Base` cleanses traversal segments before the join; new os.Remove matcher must not over-fire on cleansed flows."
},
{
"case_id": "go-path-003",
"file": "go/path_traversal/path_traversal_ifinit.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
29,
29
]
],
"expected_source_lines": [
[
27,
27
]
],
"tags": [
"path-traversal",
"if-init",
"regression"
],
"disabled": false,
"notes": "CVE-Hunt session 4 regression: tree-sitter `if_statement.initializer` was skipped by the Kind::If CFG arm; side-effecting calls inside `if x := f(); x != 0 { }` were invisible to taint. Pins the lowering fix that maps Owncast CVE-2024-31450's exact init shape."
},
{
"case_id": "go-path-safe-003",
"file": "go/path_traversal/safe_path_traversal_ifinit.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"path-traversal",
"if-init",
"safe",
"negative"
],
"disabled": false,
"notes": "CVE-Hunt session 4 negative pair: same if-init shape as go-path-003, but `filepath.Base` sanitizes the user-controlled name before the os.Remove sink. Verifies the new init lowering doesn't over-fire when the sanitizer dominates."
},
{
"case_id": "cve-c-2016-3714-vulnerable",
"file": "cve_corpus/c/CVE-2016-3714/vulnerable.c",
"language": "c",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"c.cmdi.system"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
34,
34
]
],
"expected_source_lines": [],
"tags": [
"cve",
"imagemagick",
"imagetragick",
"cmdi"
],
"disabled": false,
"notes": "CVE-2016-3714 (ImageTragick): ImageMagick delegate policies substituted user-controlled filenames into shell templates passed to system(), enabling unauthenticated RCE via crafted MVG/MSL uploads. ImageMagick License"
},
{
"case_id": "cve-c-2016-3714-patched",
"file": "cve_corpus/c/CVE-2016-3714/patched.c",
"language": "c",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"c.cmdi.system",
"c.cmdi.popen",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"imagemagick",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2016-3714 patched counterpart: in-process coder + basename check removes the system() path; regression guard that Nyx does not refire on the fix"
},
{
"case_id": "cve-c-2019-18634-vulnerable",
"file": "cve_corpus/c/CVE-2019-18634/vulnerable.c",
"language": "c",
"is_vulnerable": true,
"vuln_class": "memory_safety",
"cwe": "CWE-120",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"c.memory.strcpy"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
39,
39
]
],
"expected_source_lines": [],
"tags": [
"cve",
"sudo",
"pwfeedback",
"stack-overflow"
],
"disabled": false,
"notes": "CVE-2019-18634: sudo pwfeedback stack buffer overflow in getln() when a long stdin token spilled past the feedback buffer; local root on Linux/macOS sudoers with pwfeedback enabled. ISC"
},
{
"case_id": "cve-c-2019-18634-patched",
"file": "cve_corpus/c/CVE-2019-18634/patched.c",
"language": "c",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"c.memory.strcpy",
"c.memory.strcat",
"c.memory.sprintf",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"sudo",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2019-18634 patched counterpart: bounded copy routine replaces the strcpy sink; regression guard that Nyx does not refire on the fix"
},
{
"case_id": "cve-c-2017-1000117-vulnerable",
"file": "cve_corpus/c/CVE-2017-1000117/vulnerable.c",
"language": "c",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-88",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"c.cmdi.execvp"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
87,
87
]
],
"expected_source_lines": [
[
92,
92
]
],
"tags": [
"cve",
"git",
"argv-injection",
"cmdi"
],
"disabled": true,
"disabled_reason": "C taint engine does not propagate taint through C array-element writes (`args[i] = ssh_host;`) and has no `c.cmdi.exec*` AST pattern; even if such a pattern were added it would also fire on the patched fixture (precision miss) because the CVE is sanitised by a pre-call dash-prefix guard the engine does not classify as a validator. Three-layer deep fix tracked in CVE_DEFERRED.md.",
"notes": "CVE-2017-1000117 (git ssh:// argv injection): pre-2.7.6 git accepted `ssh://-oProxyCommand=...@host/repo` URLs and pushed the URL host as an argv element to ssh, where a leading dash was treated as an option flag. GPL-2.0"
},
{
"case_id": "cve-c-2017-1000117-patched",
"file": "cve_corpus/c/CVE-2017-1000117/patched.c",
"language": "c",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"c.cmdi.system",
"c.cmdi.popen",
"c.cmdi.execvp",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"git",
"patched",
"negative"
],
"disabled": true,
"disabled_reason": "Paired with cve-c-2017-1000117-vulnerable; precision side requires sanitizer recognition of the upstream `if (ssh_host[0] == '-') die(...)` guard so that adding any `c.cmdi.execvp` AST pattern would not also fire on the patched fixture.",
"notes": "CVE-2017-1000117 patched counterpart: dash-prefix gate added before argv assembly; regression guard that Nyx does not refire on the fix once the deferral lands"
},
{
"case_id": "cve-cpp-2019-13132-vulnerable",
"file": "cve_corpus/cpp/CVE-2019-13132/vulnerable.cpp",
"language": "cpp",
"is_vulnerable": true,
"vuln_class": "memory_safety",
"cwe": "CWE-120",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"cpp.memory.strcpy"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
32,
32
]
],
"expected_source_lines": [],
"tags": [
"cve",
"libzmq",
"zmtp",
"stack-overflow"
],
"disabled": false,
"notes": "CVE-2019-13132: ZeroMQ libzmq v2 decoder trusted attacker-supplied metadata length and copied peer bytes into a fixed on-stack buffer, enabling unauthenticated RCE on curve-disabled sockets. MPL-2.0"
},
{
"case_id": "cve-cpp-2019-13132-patched",
"file": "cve_corpus/cpp/CVE-2019-13132/patched.cpp",
"language": "cpp",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"cpp.memory.strcpy",
"cpp.memory.strcat",
"cpp.memory.sprintf",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"libzmq",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2019-13132 patched counterpart: bounded std::string assign + hard cap removes the strcpy sink; regression guard that Nyx does not refire on the fix"
},
{
"case_id": "cve-cpp-2022-1941-vulnerable",
"file": "cve_corpus/cpp/CVE-2022-1941/vulnerable.cpp",
"language": "cpp",
"is_vulnerable": true,
"vuln_class": "memory_safety",
"cwe": "CWE-120",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"cpp.memory.strcpy"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
37,
37
]
],
"expected_source_lines": [],
"tags": [
"cve",
"protobuf",
"parse-context",
"heap-overflow"
],
"disabled": false,
"notes": "CVE-2022-1941: Protocol Buffers C++ ParseContext copied unknown-field bytes into a backing buffer without clamping the declared length, causing OOB read/write in any binary decoding untrusted protobufs. BSD-3-Clause"
},
{
"case_id": "cve-cpp-2022-1941-patched",
"file": "cve_corpus/cpp/CVE-2022-1941/patched.cpp",
"language": "cpp",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"cpp.memory.strcpy",
"cpp.memory.strcat",
"cpp.memory.sprintf",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"protobuf",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2022-1941 patched counterpart: bounded std::string assign + MAX_LABEL cap removes the strcpy sink; regression guard that Nyx does not refire on the fix"
},
{
"case_id": "cve-java-2017-12629-vulnerable",
"file": "cve_corpus/java/CVE-2017-12629/vulnerable.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"java.cmdi.runtime_exec"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
33,
33
]
],
"expected_source_lines": [
[
29,
29
]
],
"tags": [
"cve",
"solr",
"xslt",
"rce"
],
"disabled": false,
"notes": "CVE-2017-12629: Apache Solr XSLT response writer evaluated attacker-supplied stylesheets that reached Runtime.exec via XPath Java-binding extensions; unauthenticated RCE on any exposed Solr node. Apache-2.0"
},
{
"case_id": "cve-java-2017-12629-patched",
"file": "cve_corpus/java/CVE-2017-12629/patched.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"java.cmdi.runtime_exec",
"java.reflection.class_forname",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"solr",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2017-12629 patched counterpart: transformer name allowlist + in-process secure TransformerFactory removes the Runtime.exec path; regression guard that Nyx does not refire on the fix"
},
{
"case_id": "cve-java-2022-1471-vulnerable",
"file": "cve_corpus/java/CVE-2022-1471/vulnerable.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "deserialization",
"cwe": "CWE-502",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"java.deser.snakeyaml_unsafe_constructor"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
38,
38
]
],
"expected_source_lines": [
[
34,
34
]
],
"tags": [
"cve",
"snakeyaml",
"deserialization",
"servlet"
],
"disabled": false,
"notes": "CVE-2022-1471: SnakeYAML <2.0 default Constructor accepts arbitrary class tags (`!!javax.script.ScriptEngineManager`, `!!java.net.URLClassLoader`, ...) reaching RCE on apps that load attacker-controlled YAML. Apache-2.0"
},
{
"case_id": "cve-java-2022-1471-patched",
"file": "cve_corpus/java/CVE-2022-1471/patched.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"java.deser.snakeyaml_unsafe_constructor",
"java.deser.readobject",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"snakeyaml",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2022-1471 patched counterpart: explicit SafeConstructor argument restricts the YAML tag handler set to primitives + standard collections; regression guard that Nyx does not refire on the safe form"
},
{
"case_id": "cve-java-2022-42889-vulnerable",
"file": "cve_corpus/java/CVE-2022-42889/vulnerable.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "code_exec",
"cwe": "CWE-94",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"java.code_exec.text4shell_interpolator"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
40,
40
]
],
"expected_source_lines": [
[
35,
35
]
],
"tags": [
"cve",
"commons-text",
"text4shell",
"code-exec",
"servlet"
],
"disabled": false,
"notes": "CVE-2022-42889 (Text4Shell): Apache Commons Text 1.5..1.9 StringSubstitutor.createInterpolator() enables script:/dns:/url: lookups; ${script:js:...} reaches the JSR-223 ScriptEngineManager. Apache-2.0"
},
{
"case_id": "cve-java-2022-42889-patched",
"file": "cve_corpus/java/CVE-2022-42889/patched.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"java.code_exec.text4shell_interpolator",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"commons-text",
"text4shell",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2022-42889 patched counterpart: substitutor built directly with `new StringSubstitutor()` so the lookup map is empty; ${...} pass-through. No script/dns/url evaluation."
},
{
"case_id": "cve-java-ghsa-h8cj-hpmg-636v-vulnerable",
"file": "cve_corpus/java/GHSA-h8cj-hpmg-636v/vulnerable.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
62,
62
]
],
"expected_source_lines": [
[
43,
43
]
],
"tags": [
"cve",
"appsmith",
"sqli",
"vulnerable"
],
"disabled": false,
"notes": "GHSA-h8cj-hpmg-636v / Appsmith FilterDataServiceCE.dropTable: tableName from a request flows through `\"DROP TABLE \" + tableName + \";\"` and `executeDbQuery(query)` to `Statement.execute(query)` on the in-memory H2 filter db. Apache-2.0"
},
{
"case_id": "cve-java-ghsa-h8cj-hpmg-636v-patched",
"file": "cve_corpus/java/GHSA-h8cj-hpmg-636v/patched.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"appsmith",
"sqli",
"patched",
"negative"
],
"disabled": false,
"notes": "GHSA-h8cj-hpmg-636v patched counterpart: dropTable now calls validateFilterTempTableName(tableName) which rejects any value that does not match `^tbl_[A-Z]{16}$` via FILTER_TEMP_TABLE_NAME_PATTERN.matcher(tableName).matches(). Regression guard that Nyx recognises the Java Pattern.matcher(value).matches() chain as a regex-allowlist validator and that the helper-summary `validated_params_to_return` lift suppresses the SQL_QUERY flow at the call site."
},
{
"case_id": "rs-auth-001",
"file": "rust/auth/actix_scoped_write_missing.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-862",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"rs.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
17,
17
]
],
"expected_source_lines": [
[
16,
16
]
],
"tags": [
"auth",
"actix",
"scoped-id",
"positive"
],
"disabled": false,
"notes": "Actix handler mutates `project_service::update(project_id, \u2026)` with a path-bound scoped id, no ownership check"
},
{
"case_id": "rs-auth-002",
"file": "rust/auth/true_positive_missing_check.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-862",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"rs.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
13,
13
]
],
"expected_source_lines": [],
"tags": [
"auth",
"realtime",
"scoped-id",
"positive",
"phase-a-control"
],
"disabled": false,
"notes": "Authenticated handler that publishes against a group_id with no membership check \u2014 the positive control for the auth-rule FP-remediation work"
},
{
"case_id": "rs-auth-003",
"file": "rust/auth/row_ownership_no_early_exit.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-862",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"rs.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
28,
28
]
],
"expected_source_lines": [],
"tags": [
"auth",
"row-ownership",
"regression-guard",
"positive"
],
"disabled": false,
"notes": "Equality compared but no early exit \u2014 the check is ineffective so the downstream read on doc_id must still flag (A2 regression guard)"
},
{
"case_id": "rs-auth-101",
"file": "rust/auth/hashmap_local_noise.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rs.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"phase-a1",
"noise-budget-zero"
],
"disabled": false,
"notes": "P0: HashMap/HashSet method calls on locally-constructed bindings \u2014 never an authorization decision (Phase A1 fix)"
},
{
"case_id": "rs-auth-102",
"file": "rust/auth/helper_scoped_params.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rs.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"phase-a1",
"noise-budget-zero"
],
"disabled": false,
"notes": "P4 (partial): library helper whose internal work is `result.insert(..)` on a locally-constructed HashSet \u2014 never a sink (Phase A1 fix)"
},
{
"case_id": "rs-auth-103",
"file": "rust/auth/row_ownership_equality.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rs.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"phase-a2",
"noise-budget-zero"
],
"disabled": false,
"notes": "P3: row-level ownership equality (`if owner_id != user.id { return ... }`) covers downstream column reads on the same row (Phase A2 fix)"
},
{
"case_id": "rs-auth-104",
"file": "rust/auth/self_scoped_user.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rs.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"phase-a3",
"noise-budget-zero"
],
"disabled": false,
"notes": "P5: `let user = require_auth(..).await?` binds the actor \u2014 `user.id` is self, not a scoped foreign id (Phase A3 fix)"
},
{
"case_id": "rs-auth-105",
"file": "rust/auth/db_connection_type_inferred.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rs.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"phase-b2",
"noise-budget-zero"
],
"disabled": false,
"notes": "Phase B2: `rusqlite::Connection::open` infers `DatabaseConnection` type via SSA constructor_type; the handler logs only the caller's own id"
},
{
"case_id": "rs-auth-106",
"file": "rust/auth/sql_join_acl.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rs.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"phase-b3",
"noise-budget-zero"
],
"disabled": false,
"notes": "Phase B3: SELECT through `group_members` ACL JOIN with `WHERE gm.user_id = ?1` makes every returned row membership-gated"
},
{
"case_id": "rs-auth-107",
"file": "rust/auth/transitive_helper.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rs.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"phase-b4",
"noise-budget-zero"
],
"disabled": false,
"notes": "Phase B4: `validate_target` helper internally calls `require_membership(group_id, user.id)` \u2014 handler-level call lifts the auth check transparently"
},
{
"case_id": "rs-auth-108",
"file": "rust/auth/row_fetch_then_authorize.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rs.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"phase-a4",
"real-repo-precision-2026-04-27",
"noise-budget-zero"
],
"disabled": false,
"notes": "Phase A4: row-level fetch-then-authorize idiom. `let community = Community::read(pool, req.community_id)?;` followed by `check_community_user_action(&user, &community, ...)?;` \u2014 the structural recogniser admits the `check_<resource>_<role>_action` shape and the row-fetch exemption back-dates coverage of the read"
},
{
"case_id": "rs-auth-109",
"file": "rust/auth/predicate_role_check.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rs.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"phase-a4",
"real-repo-precision-2026-04-27",
"noise-budget-zero"
],
"disabled": false,
"notes": "Phase A4: `is_<role>_or_<role>` predicate auth shape (lemmy `is_mod_or_admin`). Structural recogniser admits boolean predicate forms when every conjunct is a known auth role"
},
{
"case_id": "rs-auth-110",
"file": "rust/auth/unsafe_row_fetch_no_authz.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-285",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"rs.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "Medium",
"expected_category": "Security",
"expected_sink_lines": [
[
24,
25
]
],
"expected_source_lines": [],
"tags": [
"auth",
"positive",
"phase-a4",
"real-repo-precision-2026-04-27"
],
"disabled": false,
"notes": "Phase A4 regression guard: row fetched by user-supplied id without any authorization function naming the resulting row \u2014 the row-fetch exemption must NOT fire"
},
{
"case_id": "rs-auth-realrepo-006",
"file": "rust/auth/safe_row_population_reverse_walk.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rs.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"real-repo-precision-2026-04-27",
"noise-budget-zero"
],
"disabled": false,
"notes": "Row-population reverse-walk: lemmy `community/transfer.rs` shape \u2014 `let community = Community::read(pool, data.community_id); check_community_user_action(&user, &community, ..); CommunityActions::delete_mods_for_community(pool, data.community_id);` \u2014 the auth check on the fetched row must materially cover downstream re-uses of the request id"
},
{
"case_id": "rs-auth-realrepo-007",
"file": "rust/auth/safe_row_fetch_multiline_let.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rs.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"real-repo-precision-2026-04-27",
"noise-budget-zero"
],
"disabled": false,
"notes": "Multi-line `let X =\\n CALL(..)?;` \u2014 `row_population_data` records the call's start line so `op.line` matches and the row-fetch exemption fires (lemmy `comment/lock.rs:31`)"
},
{
"case_id": "rs-auth-realrepo-008",
"file": "rust/auth/unsafe_row_population_no_check.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-285",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"rs.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "High",
"expected_category": "Security",
"expected_sink_lines": [
[
37,
43
]
],
"expected_source_lines": [],
"tags": [
"auth",
"positive",
"real-repo-precision-2026-04-27"
],
"disabled": false,
"notes": "Negative counterpart for the row-population reverse-walk: same fetch-then-mutate shape but no auth check on the fetched row \u2014 the reverse-walk has nothing to anchor to and the mutation by id must still flag"
},
{
"case_id": "rs-safe-014",
"file": "rust/safe/safe_option_sanitizer.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-regression",
"path-sanitizer",
"variant-wrapper"
],
"disabled": false,
"notes": "Option-returning sanitizer: `sanitize_path(s) -> Option<String>` with match-arm Some-binding extraction. Per-return-path PathFact decomposition + structural variant unwrapping closes the FP."
},
{
"case_id": "rs-safe-016",
"file": "rust/safe/safe_cross_function_dotdot.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-regression",
"path-sanitizer",
"cross-function"
],
"disabled": false,
"notes": "Cross-function bool-returning validator with `if !validate(&raw) { return; }` rejection. Per-return-path summary lifts the helper's `dotdot/absolute` narrowing across the call boundary."
},
{
"case_id": "cve-rs-2018-20997-vulnerable",
"file": "cve_corpus/rust/CVE-2018-20997/vulnerable.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"cve",
"tar-rs",
"zip-slip"
],
"disabled": false,
"notes": "CVE-2018-20997 / RUSTSEC-2018-0003: tar-rs zip-slip vulnerability \u2014 entry path interpolated into File::create without `..` rejection. MIT OR Apache-2.0"
},
{
"case_id": "cve-rs-2018-20997-patched",
"file": "cve_corpus/rust/CVE-2018-20997/patched.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"tar-rs",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2018-20997 patched counterpart: `sanitize_path` rejects `..` traversal and absolute paths. Regression guard that Nyx does not refire on the fix."
},
{
"case_id": "cve-rs-2022-36113-vulnerable",
"file": "cve_corpus/rust/CVE-2022-36113/vulnerable.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"cve",
"cargo",
"symlink"
],
"disabled": false,
"notes": "CVE-2022-36113: cargo `.cargo-ok` symlink follow \u2014 crate name interpolated into File::create without separator/dotdot rejection. MIT OR Apache-2.0"
},
{
"case_id": "cve-rs-2022-36113-patched",
"file": "cve_corpus/rust/CVE-2022-36113/patched.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"cargo",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2022-36113 patched counterpart: `sanitize_crate_name` + `OpenOptions::create_new`. Regression guard that Nyx does not refire on the fix."
},
{
"case_id": "cve-rs-2024-24576-vulnerable",
"file": "cve_corpus/rust/CVE-2024-24576/vulnerable.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"cve",
"rust-stdlib",
"batbadbut"
],
"disabled": false,
"notes": "CVE-2024-24576 / RUSTSEC-2024-0003: BatBadBut \u2014 argument injection into Windows .bat via `Command::new(...).arg`. MIT OR Apache-2.0"
},
{
"case_id": "cve-rs-2024-24576-patched",
"file": "cve_corpus/rust/CVE-2024-24576/patched.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"rust-stdlib",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2024-24576 patched counterpart: cmd.exe-aware allowlist filters argv before reaching update.bat. Regression guard that Nyx does not refire on the fix."
},
{
"case_id": "cve-rs-2023-42456-vulnerable",
"file": "cve_corpus/rust/CVE-2023-42456/vulnerable.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "path_traversal",
"cwe": "CWE-22",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"cve",
"sudo-rs",
"path-traversal"
],
"disabled": false,
"notes": "CVE-2023-42456 / RUSTSEC-2023-0069: sudo-rs SessionRecordFile::open_for_user pushed an untrusted username into a PathBuf, letting a local attacker with a `../../bin/cp`-style username corrupt files. Apache-2.0"
},
{
"case_id": "cve-rs-2023-42456-patched",
"file": "cve_corpus/rust/CVE-2023-42456/patched.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"sudo-rs",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2023-42456 patched counterpart: open_for_user takes UserId (u32) instead of &str, so the path component is provably digits-only and cannot contain `..` or `/`. Regression guard for the type-only FILE_IO suppression."
},
{
"case_id": "cve-rs-2024-32884-vulnerable",
"file": "cve_corpus/rust/CVE-2024-32884/vulnerable.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"cve",
"gitoxide",
"ssh-option-smuggling"
],
"disabled": false,
"notes": "CVE-2024-32884 / RUSTSEC-2024-0335: gix-transport SSH program invocation built `format!(\"{user}@{host}\")` and fed the result to ssh's argv, so a `ssh://-Fattackerconfig@host/path` URL smuggled `-F` onto ssh's CLI. Apache-2.0 OR MIT"
},
{
"case_id": "cve-rs-2024-32884-patched",
"file": "cve_corpus/rust/CVE-2024-32884/patched.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"gitoxide",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2024-32884 patched counterpart: sanitize_shell rejects host/user components beginning with `-` before they reach ssh's argv (mirrors gix-url::host_argument_safe). Regression guard."
},
{
"case_id": "cve-rs-2025-53549-vulnerable",
"file": "cve_corpus/rust/CVE-2025-53549/vulnerable.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "sql_injection",
"cwe": "CWE-89",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"cve",
"matrix-rust-sdk",
"sql-injection"
],
"disabled": false,
"notes": "CVE-2025-53549 / RUSTSEC-2025-0043: matrix-sdk-sqlite SqliteEventCacheStore::find_event_with_relations interpolated relation-type filter strings into a format!()'d SQL query via hand-rolled `\"f\"` quoting, letting any room member inject SQL through the relation type. Apache-2.0"
},
{
"case_id": "cve-rs-2025-53549-patched",
"file": "cve_corpus/rust/CVE-2025-53549/patched.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"matrix-rust-sdk",
"patched",
"negative"
],
"disabled": false,
"notes": "CVE-2025-53549 patched counterpart: filters bind through params_from_iter to `?` placeholders rather than format!()-spliced bytes. Regression guard."
},
{
"case_id": "py-safe-014",
"file": "python/safe/safe_direct_path_sanitizer.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"direct-return"
],
"disabled": false,
"notes": "Python equivalent of rs-safe-014: direct-return sanitiser with `\"..\" in s` / `s.startswith(...)` rejection chain returning empty string."
},
{
"case_id": "py-safe-relative-to-validator",
"file": "python/safe/safe_relative_to_validator.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"path-validator",
"relative-to",
"receiver-side"
],
"disabled": false,
"notes": "Pathlib relative_to(base) raise-on-escape pattern recognised as a receiver-side FILE_IO validator; canonical Python path-containment idiom (CVE-2024-23334 patched fixture)"
},
{
"case_id": "py-safe-022",
"file": "python/safe/safe_canonicalise_rooted_startswith.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"canonicalise-and-rooted",
"opaque-prefix-lock",
"negated-form"
],
"disabled": false,
"notes": "Pins `os.path.realpath` + `if not target.startswith(<non-literal>)` shape (rswag CVE-2023-38337 sibling). Combined dotdot=No (from realpath) + opaque PrefixLock (from non-literal startswith guard) suppresses FILE_IO under is_path_traversal_safe with the negated-form polarity flip."
},
{
"case_id": "py-safe-016",
"file": "python/safe/safe_cross_function_dotdot.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"cross-function"
],
"disabled": false,
"notes": "Python equivalent of rs-safe-016: cross-function bool-returning validator with `if not validate(raw): return` rejection."
},
{
"case_id": "js-safe-014",
"file": "javascript/safe/safe_direct_path_sanitizer.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"direct-return"
],
"disabled": false,
"notes": "JS direct-return sanitiser. Standalone `nyx scan --index off` is clean, but the benchmark harness (single-thread + state/auth analysis enabled) reproduces a FP \u2014 diverges from production scan path. Disabled until benchmark/binary parity is re-established."
},
{
"case_id": "js-safe-021",
"file": "javascript/safe/safe_canonicalise_rooted_startsWith.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"canonicalise-and-rooted",
"opaque-prefix-lock",
"negated-form"
],
"disabled": false,
"notes": "Pins `path.resolve` + `if (!target.startsWith(<non-literal>))` shape (rswag CVE-2023-38337 sibling). Combined dotdot=No (from path.resolve) + opaque PrefixLock (from non-literal startsWith guard) suppresses FILE_IO under is_path_traversal_safe with the negated-form polarity flip."
},
{
"case_id": "js-safe-022",
"file": "javascript/safe/safe_env_empty_fallback.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"js.secrets.fallback_secret"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"secrets",
"empty-fallback",
"real-repo-precision-2026-05-01"
],
"disabled": false,
"notes": "Empty-string fallback (`process.env.X || \"\"`) is not a hardcoded secret. JS counterpart of ts-safe-020. Engine fix: pattern-level regex (#match? @fallback \"[^\\\"']\") in src/patterns/javascript.rs."
},
{
"case_id": "ts-safe-014",
"file": "typescript/safe/safe_direct_path_sanitizer.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"direct-return"
],
"disabled": false,
"notes": "TypeScript equivalent of rs-safe-014: direct-return sanitiser with `s.includes('..')` / `s.startsWith(...)` rejection."
},
{
"case_id": "go-safe-015",
"file": "go/safe/safe_tuple_path_sanitizer.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"tuple-return"
],
"disabled": false,
"notes": "Go tuple-returning sanitiser. Standalone scan is clean; benchmark harness (single-thread, state/auth) reports FP. Disabled pending parity investigation."
},
{
"case_id": "go-safe-016",
"file": "go/safe/safe_cross_function_dotdot.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"cross-function"
],
"disabled": false,
"notes": "Go cross-function validator. Standalone scan clean; benchmark harness reports FP. Disabled pending parity investigation."
},
{
"case_id": "java-safe-014",
"file": "java/safe/SafeDirectPathSanitizer.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"direct-return"
],
"disabled": false,
"notes": "Java equivalent of rs-safe-014: direct-return sanitiser with `.contains` / `.startsWith` rejection."
},
{
"case_id": "java-safe-015",
"file": "java/safe/SafeOptionalPathSanitizer.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"optional-return"
],
"disabled": false,
"notes": "Java equivalent of rs-safe-014: `Optional<String>`-returning sanitiser with `Optional.empty()` failure sentinel."
},
{
"case_id": "java-safe-016",
"file": "java/safe/SafeCrossFunctionDotdot.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"cross-function"
],
"disabled": false,
"notes": "Java equivalent of rs-safe-016: cross-function bool-returning validator with `if (!validate(...)) return` rejection."
},
{
"case_id": "rb-safe-014",
"file": "ruby/safe/safe_direct_path_sanitizer.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"direct-return"
],
"disabled": false,
"notes": "Ruby equivalent of rs-safe-014: direct-return sanitiser with `include?` / `start_with?` rejection."
},
{
"case_id": "rb-safe-021",
"file": "ruby/safe/safe_canonicalise_rooted_unless.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"canonicalise-and-rooted",
"opaque-prefix-lock"
],
"disabled": false,
"notes": "Pins `File.expand_path` + `unless filename.start_with? <non-literal>` shape (rswag CVE-2023-38337 patched). Combined dotdot=No (from expand_path) + opaque PrefixLock (from non-literal start_with? guard) suppresses FILE_IO under is_path_traversal_safe."
},
{
"case_id": "rb-safe-015",
"file": "ruby/safe/safe_nil_path_sanitizer.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"nil-sentinel"
],
"disabled": false,
"notes": "Ruby equivalent of rs-safe-014 with explicit nil failure sentinel."
},
{
"case_id": "rb-safe-016",
"file": "ruby/safe/safe_cross_function_dotdot.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"cross-function"
],
"disabled": false,
"notes": "Ruby equivalent of rs-safe-016: cross-function bool-returning validator with `return unless validate(...)` rejection."
},
{
"case_id": "php-safe-014",
"file": "php/safe/safe_direct_path_sanitizer.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"direct-return"
],
"disabled": false,
"notes": "PHP equivalent of rs-safe-014: direct-return sanitiser with `strpos !== false` / leading-char rejection."
},
{
"case_id": "php-safe-015",
"file": "php/safe/safe_nullable_path_sanitizer.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"nullable-return"
],
"disabled": false,
"notes": "PHP equivalent of rs-safe-014: `?string` nullable-returning sanitiser with explicit null failure sentinel."
},
{
"case_id": "php-safe-016",
"file": "php/safe/safe_cross_function_dotdot.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"cross-function"
],
"disabled": false,
"notes": "PHP equivalent of rs-safe-016: cross-function bool-returning validator."
},
{
"case_id": "php-safe-017",
"file": "php/safe/safe_unserialize_allowed_classes.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-502",
"provenance": "real-repo-precision-2026-04-28",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"php.deser.unserialize",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"real-repo-precision-2026-04-28",
"unserialize",
"allowed_classes"
],
"disabled": false,
"notes": "PHP 7+ structural mitigation against object injection \u2014 unserialize($x, ['allowed_classes' => ...]) with false / array literal / class constant must not fire php.deser.unserialize. Distilled from nextcloud lib/private/Profiler/FileProfilerStorage.php and apps/dav CustomPropertiesBackend."
},
{
"case_id": "php-safe-018",
"file": "php/safe/safe_include_param_passthrough.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-98",
"provenance": "real-repo-precision-2026-04-28",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"php.path.include_variable",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"real-repo-precision-2026-04-28",
"include",
"param-passthrough",
"autoloader"
],
"disabled": false,
"notes": "Composer-style autoloader: closure / method takes a file path parameter and `include`s it. Pattern rule is heuristic without taint and over-fires; suppress when included variable is a formal parameter of the immediately enclosing function with no reassignment. Distilled from nextcloud composer/ClassLoader.php (32 copies), Router.php, Installer.php, Template/Base.php."
},
{
"case_id": "php-safe-019",
"file": "php/safe/safe_md5_sha1_non_crypto_use.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-327",
"provenance": "real-repo-precision-2026-05-01",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"php.crypto.md5",
"php.crypto.sha1"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"real-repo-precision-2026-05-01",
"weak-hash",
"non-crypto-use",
"etag",
"cache-key"
],
"disabled": false,
"notes": "md5() / sha1() pervasively used for non-cryptographic purposes \u2014 ETag generation, cache-key / array-index hashing, dedup fingerprints, content-addressed identifier derivation. Layer F suppression recognises the consuming context (variable LHS, member-access LHS, subscript LHS, array element key, lookup-verb argument, return-from-method, hash-as-index) and refuses to fire. Distilled from nextcloud apps/dav CalDavBackend, contactsinteraction Card, Files/Cache, theming Util / CommonThemeTrait, encryption KeyManager; phpmyadmin src/Controllers/Database/StructureController, Controllers/Table/{RelationController, SearchController, ZoomSearchController}, src/Display/Results, Database/MultiTableQuery, Favorites/RecentFavoriteTables."
},
{
"case_id": "php-crypto-001",
"file": "php/crypto/crypto_md5_password_hash.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "crypto",
"cwe": "CWE-327",
"provenance": "real-repo-precision-2026-05-01",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"php.crypto.md5",
"php.crypto.sha1"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"real-repo-precision-2026-05-01",
"weak-hash",
"credential-storage"
],
"disabled": false,
"notes": "Vulnerable counterpart to php-safe-019: md5 / sha1 used to store / sign / digest credentials, tokens, signatures. Consumer names contain crypto-keyword substrings (`password`, `token`, `signature`, `pw_hash`, `digest`) so Layer F suppression refuses to fire."
},
{
"case_id": "php-safe-020",
"file": "php/safe/safe_serializable_magic_method_unserialize.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-502",
"provenance": "real-repo-precision-2026-05-03",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"php.deser.unserialize",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"real-repo-precision-2026-05-03",
"unserialize",
"serializable",
"magic-method"
],
"disabled": false,
"notes": "Serializable::unserialize($input) magic-method body — the legacy PHP Serializable interface contract (deprecated since PHP 8.1). PHP itself drives invocation; the body's \\unserialize($x) call is part of the deserialization machinery and cannot be removed without breaking the interface. Distilled from joomla/administrator/components/com_finder/src/Indexer/Result.php:488 + libraries/src/Input/{Cli,Input}.php."
},
{
"case_id": "php-deser-003",
"file": "php/deser/deser_unserialize_method_named_unserialize_with_user_input.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "deser",
"cwe": "CWE-502",
"provenance": "real-repo-precision-2026-05-03",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"php.deser.unserialize"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"real-repo-precision-2026-05-03",
"unserialize",
"magic-method-name-only",
"recall-guard"
],
"disabled": false,
"notes": "Recall guard for the Serializable magic-method recogniser. Method is named `unserialize` but (a) calls \\unserialize on user input from $_GET, not the formal parameter, OR (b) wraps the parameter in trim() before passing it through. The recogniser deliberately requires bare-parameter pass-through, so both shapes must keep firing."
},
{
"case_id": "c-safe-014",
"file": "c/safe/safe_direct_path_sanitizer.c",
"language": "c",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"direct-return"
],
"disabled": false,
"notes": "C direct-return sanitiser. Standalone scan clean; benchmark harness reports FP. Disabled pending parity investigation (Preview-tier C scanning is best-effort already)."
},
{
"case_id": "c-safe-015",
"file": "c/safe/safe_status_code_sanitizer.c",
"language": "c",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"status-code"
],
"disabled": false,
"notes": "C status-code idiom sanitiser. Standalone scan clean; benchmark harness reports FP. Disabled."
},
{
"case_id": "c-safe-016",
"file": "c/safe/safe_cross_function_dotdot.c",
"language": "c",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"cross-function"
],
"disabled": false,
"notes": "C cross-function validator. Standalone scan clean; benchmark harness reports FP. Disabled."
},
{
"case_id": "c-safe-017",
"file": "c/safe/safe_strcpy_literal_src.c",
"language": "c",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-120",
"provenance": "real-repo-precision-2026-04-28",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"c.memory.strcpy",
"c.memory.strcat"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"literal-source",
"ternary-literal",
"real-repo-precision-2026-04-28"
],
"disabled": false,
"notes": "Postgres `pg_prewarm/autoprewarm.c` + `formatting.c::DCH_a_m` shape \u2014 strcpy/strcat with string-literal or ternary-of-literals source. Layer D suppression (src/ast.rs::is_c_buffer_call_literal_safe)."
},
{
"case_id": "c-safe-018",
"file": "c/safe/safe_sprintf_bounded_format.c",
"language": "c",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-120",
"provenance": "real-repo-precision-2026-04-28",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"c.memory.sprintf"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"bounded-format",
"real-repo-precision-2026-04-28"
],
"disabled": false,
"notes": "Postgres `datetime.c::EncodeDateTime` shape \u2014 sprintf with literal format string containing only width/precision-bounded specifiers. Layer D suppression."
},
{
"case_id": "c-safe-realrepo-019",
"file": "c/safe/safe_struct_field_subbuffer_alloc.c",
"language": "c",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real-repo-precision-2026-05-03",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"state-resource-leak",
"state-resource-leak-possible",
"cfg-resource-leak"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"resource-lifecycle",
"negative",
"real-repo-precision-2026-05-03"
],
"disabled": false,
"notes": "curl/lib/dynhds.c::entry_new shape \u2014 sub-buffer alias `e->name = (char*)e + sizeof(*e)` and local-into-field ownership transfer `m->buf = ptr`. Field-LHS in apply_assignment moves the RHS to MOVED but does not seed the field as a separately-tracked resource. Engine fix: src/state/transfer.rs::apply_assignment SAFE-FOR-FIELD-LHS gate. Closes the dominant `state-resource-leak` FP cluster on curl/openssl/postgres/git (~165 findings across 6 repos)."
},
{
"case_id": "c-vuln-realrepo-019",
"file": "c/safe/vuln_local_leak_no_field_assign.c",
"language": "c",
"is_vulnerable": true,
"vuln_class": "resource",
"cwe": "CWE-401",
"provenance": "real-repo-precision-2026-05-03",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"state-resource-leak"
],
"allowed_alternative_rule_ids": [
"cfg-resource-leak"
],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"resource-lifecycle",
"leak",
"real-repo-precision-2026-05-03"
],
"disabled": false,
"notes": "Recall guard for the apply_assignment field-LHS gate. Plain local-to-local alias copy (`char *cursor = buf;`) without field-LHS must still flag a leak when the resource never reaches a release call or out-parameter."
},
{
"case_id": "cpp-safe-014",
"file": "cpp/safe/safe_direct_path_sanitizer.cpp",
"language": "cpp",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"direct-return"
],
"disabled": false,
"notes": "C++ equivalent of rs-safe-014: direct-return sanitiser using std::string::find."
},
{
"case_id": "cpp-safe-015",
"file": "cpp/safe/safe_optional_path_sanitizer.cpp",
"language": "cpp",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"optional-return"
],
"disabled": false,
"notes": "C++ equivalent of rs-safe-014: `std::optional<std::string>`-returning sanitiser."
},
{
"case_id": "cpp-safe-016",
"file": "cpp/safe/safe_cross_function_dotdot.cpp",
"language": "cpp",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"cross-function"
],
"disabled": false,
"notes": "C++ equivalent of rs-safe-016: cross-function bool-returning validator."
},
{
"case_id": "py-safe-015",
"file": "python/safe/safe_optional_path_sanitizer.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"optional-sentinel"
],
"disabled": false,
"notes": "Python `Optional[str]`-returning sanitiser with None failure sentinel. Disabled: per-language non-data-return propagation through Optional unwrap is incomplete; deferred follow-up."
},
{
"case_id": "go-safe-014",
"file": "go/safe/safe_direct_path_sanitizer.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"direct-return"
],
"disabled": false,
"notes": "Go direct-return sanitiser; tuple-returning go-safe-015 is the language-natural form which fires clean. Direct form deferred (helper return-fact join not yet wired for Go)."
},
{
"case_id": "js-safe-015",
"file": "javascript/safe/safe_null_path_sanitizer.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"null-sentinel"
],
"disabled": false,
"notes": "JS null-returning sanitiser; deferred while the JS two-level solver per-return-path summary lifting is being completed."
},
{
"case_id": "js-safe-016",
"file": "javascript/safe/safe_cross_function_dotdot.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"cross-function"
],
"disabled": false,
"notes": "JS cross-function bool validator; per-language helper-summary lifting for the bool-returning helper shape is deferred."
},
{
"case_id": "ts-safe-015",
"file": "typescript/safe/safe_null_path_sanitizer.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"null-sentinel"
],
"disabled": false,
"notes": "TS nullable-returning sanitiser; deferred \u2014 same reason as js-safe-015."
},
{
"case_id": "ts-safe-016",
"file": "typescript/safe/safe_cross_function_dotdot.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": null,
"expected_source_lines": null,
"tags": [
"pathfact-cross-language",
"path-sanitizer",
"cross-function"
],
"disabled": false,
"notes": "TS cross-function bool validator; deferred \u2014 same reason as js-safe-016."
},
{
"case_id": "ts-safe-017",
"file": "typescript/safe/safe_strapi_db_query_chain.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-89",
"provenance": "real-repo-distilled",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"cfg-unguarded-sink",
"taint-unsanitised-flow"
],
"expected_severity": "NONE",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"real-repo-precision-2026-04-29",
"strapi",
"orm-chain"
],
"disabled": false,
"notes": "Strapi-style ORM accessor: `<obj>.db.query(MODEL_UID).<orm_method>(...)`; the `db.query` call's literal model UID + the ORM-method outer chain (findOne/findMany/create/update/delete/count) prove the chain is parameterised. Synthesised same-node Sanitizer(SQL_QUERY) suppresses cfg-unguarded-sink and taint-unsanitised-flow."
},
{
"case_id": "ts-safe-018",
"file": "typescript/safe/safe_indirect_validator.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow",
"cfg-unguarded-sink"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"indirect-validator",
"ssrf",
"negative"
],
"disabled": false,
"notes": "Indirect-validator branch narrowing \u2014 `const err = validateUrlSsrf(target); if (err) throw \u2026;` should suppress the downstream axios.get sink. Pinned by tests/lib::indirect_validator_narrowing_marks_arg_validated."
},
{
"case_id": "ts-safe-019",
"file": "typescript/safe/safe_helper_with_validator.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"helper-summary",
"ssrf",
"negative"
],
"disabled": false,
"notes": "Helper-summary all_validated propagation \u2014 when a helper's body validates the param via `validateXxx`, the per-param probe's all_validated event should be skipped during summary extraction so callers don't refire the cross-fn SSRF. Pinned by tests/lib::helper_with_validator_does_not_propagate_to_caller_via_summary."
},
{
"case_id": "ts-safe-020",
"file": "typescript/safe/safe_env_empty_fallback.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"ts.secrets.fallback_secret"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"secrets",
"empty-fallback",
"real-repo-precision-2026-05-01"
],
"disabled": false,
"notes": "Empty-string fallback (`process.env.X || \"\"`) is not a hardcoded secret. Distilled from /Users/elipeter/oss/cal.com/apps/api/v2/src/modules/stripe/utils/newStripeInstance.ts and ~30 sibling cal.com calendar/stripe/sendgrid integration files. Engine fix: pattern-level regex (#match? @fallback \"[^\\\"']\") in src/patterns/typescript.rs."
},
{
"case_id": "ts-safe-021",
"file": "typescript/safe/safe_validated_helper_chain.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"validated-flow",
"helper-validator",
"summary-propagation",
"cve-2026-25544"
],
"disabled": false,
"notes": "Validated-flow propagation through helper chains. `sanitize` validates its first parameter via a regex allowlist; `buildQuery` interpolates the sanitised result into a SQL fragment; the handler hands the fragment to `db.execute`. Pinned by `SsaFuncSummary::validated_params_to_return` + `propagate_validated_params_to_return` (CVE-2026-25544 deep fix)."
},
{
"case_id": "ts-safe-022",
"file": "typescript/safe/safe_jest_test_callback_no_handler.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"jest",
"arrow-no-formals",
"closure-capture",
"auto-seed-precision",
"real-repo-precision-2026-05-03"
],
"disabled": false,
"notes": "Jest-style nested arrow callbacks (`describe('…', () => { it('…', async () => { const body = await res.json(); … }) })`) bubble inner-scope free vars (`body`, `userId`, `server.post`) up to the outer arrow as synthetic Params. Before the fix, JS/TS auto-seed treated every Param whose var_name matched a handler-name (`userId`) as a real formal of the outer arrow and seeded it as `Source(UserInput)`, producing 934 phantom `taint-unsanitised-flow` findings on outline alone. Engine fix: `lower_to_ssa_with_params` now signals `with_params=true` to `lower_to_ssa_inner`, which makes the synthetic-externals classifier always exclude formals (even when the formal list is empty, e.g. arrow `() => {…}`) — bubbled-up free vars become synthetic and the auto-seed pass skips them. Distilled from /Users/elipeter/oss/outline/server/routes/api/comments/comments.test.ts."
},
{
"case_id": "ts-sqli-realrepo-arrow-002",
"file": "typescript/sqli/sqli_arrow_handler_param.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "analogue",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [
"cfg-unguarded-sink"
],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [[8, 8]],
"expected_source_lines": [[7, 7]],
"tags": [
"sqli",
"arrow-handler",
"auto-seed-positive",
"real-repo-precision-2026-05-03"
],
"disabled": false,
"notes": "Arrow with REAL handler-named formal (`userId`) MUST still auto-seed and trigger taint flow into `db.exec(\"… ${userId}\")`. Pins the auto-seed positive path so the FP fix in ts-safe-022 does not over-suppress real handlers."
},
{
"case_id": "js-safe-jest-callback-001",
"file": "javascript/safe/safe_jest_test_callback_no_handler.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"jest",
"arrow-no-formals",
"closure-capture",
"auto-seed-precision",
"real-repo-precision-2026-05-03"
],
"disabled": false,
"notes": "JavaScript counterpart of ts-safe-022. Same Jest-style nested arrow callback shape, ensures the auto-seed precision fix applies to .js files too (auto_seed_handler_params is on for both Lang::JavaScript and Lang::TypeScript)."
},
{
"case_id": "py-auth-decorator-001",
"file": "python/safe/safe_login_required_decorator.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-862",
"provenance": "synthetic",
"equivalence_tier": "analogue",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"state-unauthed-access",
"cfg-auth-gap",
"taint-unsanitised-flow"
],
"expected_severity": "NONE",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"precision-2026-04-25"
],
"disabled": false,
"notes": "Flask @login_required decorator must suppress auth findings"
},
{
"case_id": "py-auth-decorator-vuln-001",
"file": "python/auth/vuln_no_auth_decorator.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-862",
"provenance": "synthetic",
"equivalence_tier": "analogue",
"match_mode": "rule_match",
"expected_rule_ids": [
"cfg-auth-gap"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
11,
11
]
],
"expected_source_lines": [
[
8,
8
]
],
"tags": [
"precision-2026-04-25"
],
"disabled": false,
"notes": "Same shape but missing decorator \u2014 auth-gap fires"
},
{
"case_id": "java-preauth-001",
"file": "java/auth/SafePreAuthorize.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-862",
"provenance": "synthetic",
"equivalence_tier": "analogue",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"state-unauthed-access",
"cfg-auth-gap",
"taint-unsanitised-flow"
],
"expected_severity": "NONE",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"precision-2026-04-25"
],
"disabled": false,
"notes": "Spring @PreAuthorize annotation must suppress auth findings"
},
{
"case_id": "java-preauth-vuln-001",
"file": "java/auth/VulnNoPreAuthorize.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "analogue",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
13,
13
]
],
"expected_source_lines": [
[
11,
11
]
],
"tags": [
"precision-2026-04-25"
],
"disabled": false,
"notes": "Servlet doGet without auth \u2014 taint flow fires"
},
{
"case_id": "php-isgranted-001",
"file": "php/auth/safe_isgranted.php",
"language": "php",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-862",
"provenance": "synthetic",
"equivalence_tier": "analogue",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"state-unauthed-access",
"cfg-auth-gap",
"taint-unsanitised-flow"
],
"expected_severity": "NONE",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"precision-2026-04-25"
],
"disabled": false,
"notes": "Symfony #[IsGranted] attribute must suppress auth findings"
},
{
"case_id": "php-isgranted-vuln-001",
"file": "php/auth/vuln_no_isgranted.php",
"language": "php",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "analogue",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
7,
7
]
],
"expected_source_lines": [
[
6,
6
]
],
"tags": [
"precision-2026-04-25"
],
"disabled": false,
"notes": "Top-level handler without IsGranted \u2014 taint flow fires"
},
{
"case_id": "ruby-before-action-001",
"file": "ruby/auth/safe_before_action.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-862",
"provenance": "synthetic",
"equivalence_tier": "analogue",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"state-unauthed-access",
"cfg-auth-gap",
"taint-unsanitised-flow"
],
"expected_severity": "NONE",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"precision-2026-04-25"
],
"disabled": false,
"notes": "Rails before_action :authenticate_user must suppress auth findings"
},
{
"case_id": "js-allowlist-dispatch-001",
"file": "javascript/safe/safe_switch_dispatch.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "analogue",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow",
"state-unauthed-access"
],
"expected_severity": "NONE",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"precision-2026-04-25"
],
"disabled": false,
"notes": "Allowlist-then-exec pattern \u2014 engine must recognise membership check"
},
{
"case_id": "ts-iife-closure-001",
"file": "typescript/safe/safe_iife_closure_sanitizer.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "analogue",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": "NONE",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"precision-2026-04-25"
],
"disabled": false,
"notes": "IIFE wrapper around handler with encodeURIComponent \u2014 must be cleared"
},
{
"case_id": "ts-iife-closure-vuln-001",
"file": "typescript/xss/vuln_iife_closure_no_sanitizer.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "analogue",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
16,
16
]
],
"expected_source_lines": [
[
14,
14
]
],
"tags": [
"precision-2026-04-25"
],
"disabled": false,
"notes": "IIFE wrapper without sanitizer \u2014 taint must propagate through closure"
},
{
"case_id": "py-validator-sentinel-001",
"file": "python/safe/safe_validator_sentinel.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "analogue",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow",
"state-unauthed-access",
"cfg-auth-gap"
],
"expected_severity": "NONE",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"precision-2026-04-25"
],
"disabled": false,
"notes": "Cross-fn validator with empty-string sentinel + decorator"
},
{
"case_id": "py-validator-sentinel-vuln-001",
"file": "python/sqli/vuln_validator_sentinel_bypass.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "synthetic",
"equivalence_tier": "analogue",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
22,
22
]
],
"expected_source_lines": [
[
17,
17
]
],
"tags": [
"precision-2026-04-25"
],
"disabled": false,
"notes": "Same shape with inverted sentinel check \u2014 SQLi fires"
},
{
"case_id": "py-context-sanitize-001",
"file": "python/safe/safe_with_context_sanitize.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-22",
"provenance": "synthetic",
"equivalence_tier": "analogue",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow",
"state-unauthed-access",
"cfg-auth-gap"
],
"expected_severity": "NONE",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"precision-2026-04-25"
],
"disabled": false,
"notes": "with-block resource around sanitised path read + decorator auth"
},
{
"case_id": "js-destructure-sanitize-001",
"file": "javascript/safe/safe_object_destructure_sanitize.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "analogue",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": "NONE",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"precision-2026-04-25"
],
"disabled": false,
"notes": "Destructured field flows through encodeURIComponent before HTML sink"
},
{
"case_id": "js-destructure-vuln-001",
"file": "javascript/xss/vuln_object_destructure_no_sanitize.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "xss",
"cwe": "CWE-79",
"provenance": "synthetic",
"equivalence_tier": "analogue",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
10,
10
]
],
"expected_source_lines": [
[
8,
8
]
],
"tags": [
"precision-2026-04-25"
],
"disabled": false,
"notes": "Destructured field straight into template-literal HTML sink"
},
{
"case_id": "rs-auth-realrepo-001",
"file": "rust/auth/self_actor_uid_copy.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rs.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"real-repo-precision-2026-04-25"
],
"disabled": false,
"notes": "`let user = match require_auth() { Ok(u) => u, ... }; let uid = user.id; query(.., &[uid])` \u2014 transitive copy of self-actor id (website/handlers/accounts.rs)"
},
{
"case_id": "rs-auth-realrepo-002",
"file": "rust/auth/require_resource_role_helper.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rs.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"real-repo-precision-2026-04-25"
],
"disabled": false,
"notes": "`require_trip_member(..)` recognised structurally as `require_<resource>_<role>` (website/handlers/activities.rs)"
},
{
"case_id": "rs-auth-realrepo-003",
"file": "rust/auth/self_publish_email.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rs.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"real-repo-precision-2026-04-25"
],
"disabled": false,
"notes": "`realtime::publish_to_user(&user.email, ..)` \u2014 self-channel publish with email as self-identity field (website/handlers/social.rs)"
},
{
"case_id": "rs-auth-typed-extractors-001",
"file": "rust/auth/safe_typed_path_int_extractor.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rs.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"typed-extractors-2026-04-25"
],
"disabled": false,
"notes": "Phase 5: Axum `Path<i64>` is a framework-validated numeric extractor; the parameter cannot carry an injection payload nor bypass ownership, so the rule must not flag."
},
{
"case_id": "rs-auth-dto-int-field-001",
"file": "rust/auth/safe_dto_int_field_axum.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rs.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"typed-extractors-phase6-2026-04-25"
],
"disabled": false,
"notes": "Phase 6: Axum `Json<UpdateDoc>` whose `doc_id` field is `i64`. DTO field-level taint exempts `dto.doc_id` member-access subject; numeric DTO fields cannot bypass ownership."
},
{
"case_id": "rs-auth-dto-string-field-001",
"file": "rust/auth/unsafe_dto_string_field_axum.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-639",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"rs.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"positive",
"typed-extractors-phase6-2026-04-25"
],
"disabled": false,
"notes": "Phase 6 negative-control: DTO whose `doc_id` field is `String` must NOT be exempted \u2014 String DTO fields can carry injection payloads, so the auth rule must continue to fire."
},
{
"case_id": "js-safe-realrepo-001",
"file": "javascript/safe/safe_dom_globals_and_methods.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"js.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"real-repo-precision-2026-04-25"
],
"disabled": false,
"notes": "Browser DOM globals (`document`, `window`, `localStorage`) and DOM-API methods (`addEventListener`, `appendChild`, `getElementById`) are non-data-layer (website/public/app/core/app.js)"
},
{
"case_id": "js-safe-realrepo-002",
"file": "javascript/safe/safe_happy_path_error_check.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"cfg-error-fallthrough"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cfg",
"negative",
"real-repo-precision-2026-04-25"
],
"disabled": false,
"notes": "Happy-path `if (!data.error && Array.isArray(...))` and body-mentioning-err do not fire `cfg-error-fallthrough` (website/public/app/core/app.js)"
},
{
"case_id": "js-safe-realrepo-006",
"file": "javascript/safe/safe_localised_gherkin_regex.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"panic-guard",
"negative",
"real-repo-precision-2026-04-29"
],
"disabled": false,
"notes": "Panic guard: CodeMirror Gherkin tokenizer ships a long localised regex inside a boolean sub-condition. Naive byte-slice truncation in CFG condition-text (`t[..MAX_CONDITION_TEXT_LEN]`) panicked when byte 256 landed inside a multi-byte UTF-8 character (Gurmukhi `\u0a16`). Engine fix: src/utils/snippet.rs::truncate_at_char_boundary applied at three CFG sites + two symex display sites (gogs public/plugins/codemirror-5.17.0/mode/gherkin/gherkin.js:107)."
},
{
"case_id": "go-safe-realrepo-001",
"file": "go/safe/safe_error_log_only_function.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"cfg-error-fallthrough"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cfg",
"negative",
"real-repo-precision-2026-04-25"
],
"disabled": false,
"notes": "`if err != nil { log() }` whose if is the LAST statement in the function \u2014 no fallthrough sink possible (gin/debug.go:debugPrintError)"
},
{
"case_id": "go-cmdi-realrepo-001",
"file": "go/cmdi/vuln_error_log_then_sink.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "cmdi",
"cwe": "CWE-78",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"cfg-error-fallthrough"
],
"allowed_alternative_rule_ids": [
"cfg-unguarded-sink",
"go.sqli.query_concat",
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [
[
14,
14
]
],
"expected_source_lines": [],
"tags": [
"cfg",
"positive",
"real-repo-precision-2026-04-25"
],
"disabled": false,
"notes": "Vulnerable counterpart: `if err { log() } sink()` \u2014 error logged then fallthrough to sink. Pins that the False-edge-only walk does NOT silence the rule for real fallthrough."
},
{
"case_id": "java-safe-realrepo-001",
"file": "java/safe/SafeLoggerIsEnabled.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"cfg-error-fallthrough"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cfg",
"negative",
"real-repo-precision-2026-04-25"
],
"disabled": false,
"notes": "`if (logger.isErrorEnabled()) { print() } more_code()` \u2014 `isErrorEnabled` is a logging-state method, not an error variable; rule must reject camelCase names containing `err` (spring-boot/SpringApplication.java:854)"
},
{
"case_id": "go-safe-realrepo-002",
"file": "go/safe/safe_method_receiver_mutex.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"state-resource-leak",
"state-resource-leak-possible",
"cfg-resource-leak"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"state",
"negative",
"real-repo-precision-2026-04-25"
],
"disabled": false,
"notes": "Go method receiver `c *Context` with internal `c.mu.Lock`/`defer c.mu.Unlock` is NOT a leakable resource \u2014 the proxy-receiver extractor previously took the root identifier of multi-segment callees (`c.writer.header().set` \u2192 `c`) and section 2b's exception-path heuristic ran on Go (gin/context.go:Set/Get/MustGet)"
},
{
"case_id": "go-safe-fieldproj-phase3",
"file": "go/safe/safe_chained_receiver_field_proj.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"state-resource-leak",
"state-resource-leak-possible",
"cfg-resource-leak"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"state",
"negative",
"field-projections-phase3-2026-04-25"
],
"disabled": false,
"notes": "Phase 3 of the field-projections rollout: chained-receiver method calls (`c.writer.header.set(...)`) must NOT mark the chain root `c` as proxy-acquired. The single-dot band-aid in state/transfer.rs is replaced by chain_proxies tracking that records each receiver chain as its own entity."
},
{
"case_id": "go-safe-realrepo-003",
"file": "go/safe/safe_const_bound_id.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"go.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"real-repo-precision-2026-04-25"
],
"disabled": false,
"notes": "`id := \"id\"; c.AddParam(id, value)` \u2014 const-bound local must not count as a scoped-identifier subject (gin/context_test.go:TestContextAddParam)"
},
{
"case_id": "go-safe-realrepo-004",
"file": "go/safe/safe_chained_call_response_header.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"go.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"real-repo-precision-2026-04-27"
],
"disabled": false,
"notes": "`w.Header().Get(constName)` and `r.URL.Query().Get(name)` \u2014 chained-call receiver returns an opaque value (http.Header / url.Values map); the verb-name fallback (Get matches the read indicator) must not auto-classify these as DbCrossTenantRead. Closes the minio cmd/api-response.go cluster (~70 hits)."
},
{
"case_id": "go-safe-realrepo-005",
"file": "go/safe/safe_self_method_receiver.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"go.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"real-repo-precision-2026-04-27"
],
"disabled": false,
"notes": "`func (c *Cache) ...` with `c.foo()` / `c.Fs.Create(...)` intra-struct dispatches \u2014 Go method receivers must seed `non_sink_vars` so the verb-name fallback doesn't fire on bare-receiver internal calls. Closes the hugo cache/filecache.go cluster (~48 hits)."
},
{
"case_id": "go-safe-realrepo-006",
"file": "go/safe/safe_test_helper_fatal.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"cfg-error-fallthrough"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cfg",
"negative",
"real-repo-precision-2026-04-29"
],
"disabled": false,
"notes": "`if err != nil { c.Fatalf(...) }` / `os.Exit` / `log.Fatalf` / `panic(err)` are documented terminators (Goexit-class). cfg-error-fallthrough must walk through them as terminating paths. Closes the minio test-file cluster (49+34+12+11+9+7+7 hits across xl-storage_test.go, erasure-healing_test.go, format-erasure_test.go, \u2026). Engine fix: src/cfg_analysis/error_handling.rs::call_never_returns."
},
{
"case_id": "go-safe-realrepo-016",
"file": "go/safe/safe_inner_call_close_in_arg.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [
"state-resource-leak-possible"
],
"forbidden_rule_ids": [
"state-resource-leak"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"resource-lifecycle",
"negative",
"real-repo-precision-2026-05-02"
],
"disabled": false,
"notes": "`require.NoError(t, f.Close())` and `errs = append(errs, f.Close())` shapes \u2014 the inner-call release was invisible because the CFG's per-statement Call node carries the OUTER callee. Engine fix: src/state/transfer.rs::apply_call now walks info.arg_callees after the direct-release branch and marks the bare-receiver SymbolId CLOSED. Closes 9+ hits across prometheus tsdb test files."
},
{
"case_id": "go-safe-realrepo-017",
"file": "go/safe/safe_struct_field_resource_owned_by_struct.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"state-resource-leak",
"state-resource-leak-possible",
"cfg-resource-leak"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"resource-lifecycle",
"negative",
"real-repo-precision-2026-05-02"
],
"disabled": false,
"notes": "`b.cpuprof = os.Create(...)` shape \u2014 member-expression LHS is an ownership transfer to the containing struct, not a local acquisition. Closure responsibility belongs to a paired `stopProfiling()` method. Engine fix: src/state/transfer.rs::apply_call gates the acquire on !define_is_field_lhs; src/cfg_analysis/resources.rs::run mirrors the gate. Closes the prometheus cmd/promtool/tsdb.go::startProfiling cluster (4 findings on b.cpuprof, b.memprof, b.blockprof, b.mtxprof)."
},
{
"case_id": "go-vuln-realrepo-018",
"file": "go/safe/vuln_resource_leak_no_close.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "resource",
"cwe": "CWE-404",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"state-resource-leak"
],
"allowed_alternative_rule_ids": [
"cfg-resource-leak",
"state-resource-leak-possible"
],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"resource-lifecycle",
"positive",
"real-repo-precision-2026-05-02"
],
"disabled": false,
"notes": "Recall guard for the inner-call-arg / member-LHS fixes. Bare-identifier `f := os.OpenFile(...)` with no `f.Close()` anywhere must still fire the resource-leak rule."
},
{
"case_id": "go-auth-realrepo-001",
"file": "go/auth/vuln_repo_findbyid_no_auth.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-639",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"go.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"positive",
"real-repo-precision-2026-04-27"
],
"disabled": false,
"notes": "Vulnerable counterpart pinning the chained-call suppression: bare-identifier receivers (`repo.Find(id)` / `repo.Save(id, val)`) are still classified as canonical data-layer sinks and must continue firing the ownership check."
},
{
"case_id": "go-safe-realrepo-018",
"file": "go/safe/safe_ctx_context_helper.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"go.auth.missing_ownership_check"
],
"expected_severity": "NONE",
"expected_category": "N/A",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"real-repo-precision-2026-05-03"
],
"disabled": false,
"notes": "Distilled from gitea/services/packages/packages.go::AddFileToExistingPackage. Layer-1 type-aware Go param filter drops ctx context.Context, plus Layer-2 narrowing of the Go framework-request-name allow-list closes the ~1900 missing_ownership_check FP cluster on backend helpers."
},
{
"case_id": "go-auth-realrepo-002",
"file": "go/auth/vuln_apicontext_findbyid.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-639",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"go.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"positive",
"real-repo-precision-2026-05-03"
],
"disabled": false,
"notes": "Recall guard for the 2026-05-03 Go DAO-helper precision pass. After id-like scalar params are dropped from unit.params for non-route units, this fixture pins recall via gin route registration: r.GET(/items/:id, GetByID) promotes the unit to RouteHandler; function_params_route_handler keeps id-like scalar params and the rule fires on the bare-receiver DAO call."
},
{
"case_id": "go-safe-realrepo-019",
"file": "go/safe/safe_dao_helper_id_scalar.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"go.auth.missing_ownership_check"
],
"expected_severity": "NONE",
"expected_category": "N/A",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"real-repo-precision-2026-05-03"
],
"disabled": false,
"notes": "Distilled from gitea models/actions/{run,run_job,runner,...}.go DAO helpers (~957 FPs). Pattern: (ctx context.Context, repoID, runID int64) signatures with bounded scalar id-like params calling internal DB helpers. Engine fix in src/auth_analysis/extract/common.rs::collect_param_names Go arm drops id-like scalar names from unit.params for non-route units (mirrors Python typed_parameter filter)."
},
{
"case_id": "py-auth-realrepo-001",
"file": "python/safe/safe_django_migration_token.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"py.auth.token_override_without_validation"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"real-repo-precision-2026-04-27"
],
"disabled": false,
"notes": "Distilled from saleor/account/migrations/0021_unique_token.py: Django RunPython callback writes user-token field but has no user reach (params apps, schema_editor)."
},
{
"case_id": "py-auth-realrepo-002",
"file": "python/safe/safe_pytest_conftest_marker.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"py.auth.token_override_without_validation",
"py.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"real-repo-precision-2026-04-27"
],
"disabled": false,
"notes": "Distilled from saleor/conftest.py: pytest collection hook with item.add_marker; no user reach but legacy heuristics flagged it."
},
{
"case_id": "py-auth-realrepo-003",
"file": "python/safe/safe_celery_task_no_user_input.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"py.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"real-repo-precision-2026-04-27"
],
"disabled": false,
"notes": "Distilled from saleor/discount/tasks.py:handle_promotion_toggle: zero-arg Celery task; id-shaped subjects come from internal computation, not user input."
},
{
"case_id": "py-auth-realrepo-004",
"file": "python/auth/vuln_token_override_django_handler.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-863",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"py.auth.token_override_without_validation"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
18,
18
]
],
"expected_source_lines": [
[
15,
15
]
],
"tags": [
"real-repo-precision-2026-04-27"
],
"disabled": false,
"notes": "Vulnerable counterpart to realrepo-001..003: Django view accepts attacker-supplied token + email, overrides token-bound user.email without validating expiry/recipient."
},
{
"case_id": "ts-auth-realrepo-001",
"file": "typescript/auth/safe_session_user_id_copy.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"js.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"real-repo-precision-2026-04-27"
],
"disabled": false,
"notes": "Distilled from cal.com Next.js handlers (apps/web/app/.../api-keys/page.tsx): `const userId = session.user.id` is a self-actor-id copy through a session-scoped chain. Closes a 10+ FP cluster (fix: src/auth_analysis/extract/common.rs::value_is_self_scoped_session_id_chain + JS variable_declarator dispatch)."
},
{
"case_id": "ts-auth-realrepo-002",
"file": "typescript/auth/vuln_target_user_id_no_check.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-639",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"js.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
12,
12
]
],
"expected_source_lines": [],
"tags": [
"auth",
"real-repo-precision-2026-04-27"
],
"disabled": false,
"notes": "Vulnerable counterpart to ts-auth-realrepo-001: `targetUserId` is a foreign id parameter (route-handed, not a session copy) \u2014 the rule must still fire on the qualified prisma.apiKey.deleteMany call. Updated 2026-05-03: pre-fix used bare `deleteApiKeysFromUserId(userId)` whose `delete` verb-prefix match fired despite no receiver evidence; post `receiver_is_simple_chain` gating, the fixture uses a qualified ORM call to test the canonical detection path."
},
{
"case_id": "js-auth-realrepo-001",
"file": "javascript/auth/safe_req_user_id_copy.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"js.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"real-repo-precision-2026-04-27"
],
"disabled": false,
"notes": "Express handler shape: `const userId = req.user.id` is a self-actor-id copy through the session-scoped `req.user` chain (passport / express-session)."
},
{
"case_id": "ts-auth-realrepo-003",
"file": "typescript/auth/safe_destructured_session_user.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"js.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"real-repo-precision-2026-04-27"
],
"disabled": false,
"notes": "Destructure shapes: `const { user } = ctx.session` / `const { user } = await getServerSession()` / `const { user: me } = ctx.session` / `const { id } = req.user`. cal.com NextAuth idiom \u2014 destructured local IS the actor (or actor's id), not a foreign tenant id."
},
{
"case_id": "ts-auth-realrepo-004",
"file": "typescript/auth/safe_trpc_ctx_user_options.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"js.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"real-repo-precision-2026-04-27"
],
"disabled": false,
"notes": "TRPC handler Options-typed parameter cluster (~105 cal.com findings). File-level pre-scan recognises `type GetOptions = { ctx: { user: NonNullable<TrpcSessionUser> } }` aliases; param annotations referencing those aliases populate `self_scoped_session_bases[ctx.user]` per-unit. Bare `ctx.user` is NOT added to the static session-base list (would over-suppress non-TRPC code)."
},
{
"case_id": "ts-auth-realrepo-005",
"file": "typescript/auth/vuln_trpc_ctx_input_id_no_check.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-639",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"js.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"real-repo-precision-2026-04-27"
],
"disabled": false,
"notes": "Regression guard: same TRPC handler shape as ts-auth-realrepo-004 but the SQL parameter is `input.targetUserId` (request body field), not `ctx.user.id`. The TRPC ctx self-actor exemption must apply ONLY to ctx.user.<id-like> subjects, never to other paths in the same param."
},
{
"case_id": "ts-auth-realrepo-006",
"file": "typescript/auth/safe_local_collection_receiver.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"js.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"real-repo-precision-2026-04-29"
],
"disabled": false,
"notes": "Excalidraw `Map<K, V>` / `Set<T>` / `WeakMap` / `WeakSet` / `Array<T>` / `T[]` / `readonly T[]` receivers \u2014 direct annotation, same-file `type X = Map<...>` aliasing, and inline `new Map()` constructor. SSA `constructor_type` JS/TS arm + `cfg::params::ts_type_to_local_collection` + `cfg::dto::collect_type_alias_local_collections` route every shape through `TypeKind::LocalCollection` \u2192 `SinkClass::InMemoryLocal`, suppressing missing-ownership."
},
{
"case_id": "ts-auth-realrepo-007",
"file": "typescript/auth/vuln_local_collection_does_not_blanket_suppress.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-639",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"js.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"real-repo-precision-2026-04-29"
],
"disabled": false,
"notes": "Vulnerable counterpart to ts-auth-realrepo-006: `prisma.user.findUnique` / `prisma.user.update` with attacker-supplied id and no preceding auth check. Receiver is NOT a tracked Map / Set / Array, so the LocalCollection fix must NOT suppress this \u2014 proves the type-aware suppression doesn't blanket-cover real DB clients that share method names (`get`, `find`, `update`) with JS containers."
},
{
"case_id": "rs-auth-realrepo-009",
"file": "rust/auth/safe_local_user_view_extractor.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rs.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"real-repo-precision-2026-04-27",
"noise-budget-zero"
],
"disabled": false,
"notes": "Lemmy `LocalUserView` extractor: `is_self_actor_type_text`'s structural <PREFIX>User<SUFFIX?> recogniser accepts the type, so `local_user_view.person.id` reads of the actor's own id pass `is_actor_context_subject` and the missing-ownership rule does not fire."
},
{
"case_id": "rs-auth-realrepo-010",
"file": "rust/auth/unsafe_local_user_view_extractor.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-285",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"rs.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "High",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"positive",
"real-repo-precision-2026-04-27"
],
"disabled": false,
"notes": "Negative counterpart for the LocalUserView recogniser: handler takes the typed extractor but mutates a row by `req.target_user_id` (foreign id) without any ownership check \u2014 must still flag. Guards against an over-broad recogniser that would treat any handler with a self-actor extractor as authorised by default."
},
{
"case_id": "rs-auth-realrepo-011",
"file": "rust/auth/safe_param_type_segment_idents.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rs.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"real-repo-precision-2026-04-29",
"noise-budget-zero"
],
"disabled": false,
"notes": "Rust `parameter` arm in `collect_param_names` keeps type-segment idents (`std`, `path`, `Path`) out of `unit.params` so `dst: &std::path::Path` doesn't gate `unit_has_user_input_evidence` open via the framework-name allow-list (`path`). Surfaced from meilisearch/index-scheduler/scheduler/process_snapshot_creation.rs::remove_tasks where `dst: &std::path::Path` made every `db.delete(task.uid)` fire missing-ownership-check."
},
{
"case_id": "rs-auth-realrepo-012",
"file": "rust/auth/safe_local_collection_param_types.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rs.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"real-repo-precision-2026-04-29",
"noise-budget-zero"
],
"disabled": false,
"notes": "Rust function-parameter type annotations naming an in-memory container (`RoaringBitmap`, `HashMap<K,V>`, `HashSet<T>`, `BTreeSet<T>`) classify the receiver as `TypeKind::LocalCollection` \u2192 `SinkClass::InMemoryLocal`, suppressing the verb-name dispatch's DbMutation classification. Surfaced from meilisearch/index-scheduler/scheduler/enterprise_edition/network.rs::balance_shards (`unsharded: RoaringBitmap`). Mirrors the JS/TS `ts_type_to_local_collection` fix from 2026-04-29."
},
{
"case_id": "rs-auth-realrepo-013",
"file": "rust/auth/unsafe_handler_local_collection_does_not_blanket_suppress.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-285",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"rs.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "High",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"positive",
"real-repo-precision-2026-04-29"
],
"disabled": false,
"notes": "Negative-counterpart guard for the LocalCollection / parameter-name fixes: handler takes a HashMap typed param (in-memory bookkeeping) but ALSO calls `db.update_owner(req.target_user_id, ...)` (real DbMutation). The cache mutation must not blanket-suppress the persistent-store mutation \u2014 the rule must still fire on `db.update_owner`."
},
{
"case_id": "rs-auth-realrepo-014",
"file": "rust/auth/safe_actix_guarded_data_extractor.rs",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rs.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"negative",
"real-repo-precision-2026-05-02",
"noise-budget-zero"
],
"disabled": false,
"notes": "Meilisearch `GuardedData<ActionPolicy<{ actions::KEYS_GET }>, Data<AuthController>>` typed extractor on actix-web routes registered via `#[routes::path(..)]` attribute macros (no `.route()` builder, so `collect_routes` doesn't attach the handler). The new typed-extractor fallback pass in `actix_web::extract` walks every Function-kind unit and applies `guard_calls_for_handler`; the `Guarded`-prefix `policy_guard_names` recogniser injects `AuthCheckKind::Other` with `is_route_level: true`, so `auth_check_covers_subject`'s route-level short-circuit suppresses missing-ownership-check on path-derived sinks."
},
{
"case_id": "rs-auth-realrepo-015",
"file": "rust/auth/unsafe_actix_no_guarded_data_extractor.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-285",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"rs.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "Medium",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"positive",
"real-repo-precision-2026-05-02"
],
"disabled": false,
"notes": "Negative-counterpart guard for the `GuardedData` typed-extractor recogniser: same handler shape but the wrapper is replaced by a bare `Data<AuthController>` (no policy enforcement implied). An over-broad `policy_guard_names` recogniser would silence this; the Guarded-prefix matcher must NOT fire on bare `Data<...>`, so the rule still flags the path-derived `uid` flowing into `auth_controller.get_key`."
},
{
"case_id": "rs-auth-realrepo-016",
"file": "rust/safe/safe_non_web_rust_project",
"language": "rust",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "",
"provenance": "real-repo-precision-2026-05-02",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rs.auth.missing_ownership_check",
"rs.auth.stale_authorization",
"rs.auth.token_override_without_validation"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"shape-safe",
"real-repo-precision-2026-05-02"
],
"disabled": false,
"notes": "Real-repo precision guard distilled from zed (desktop GUI / DAP debugger / agent) crates: `<thing>_id` parameters on internal helpers AND `session.foo` chains on debug-session handles must NOT count as user-input evidence in a Rust project whose Cargo.toml names no web framework. `lang_has_web_framework(\"rust\")` returns Some(false) and the gate suppresses both step-2 (context_inputs) and step-3 (param-name) heuristics."
},
{
"case_id": "rs-auth-realrepo-017",
"file": "rust/auth/unsafe_actix_web_project_no_check",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-285",
"provenance": "real-repo-precision-2026-05-02",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"rs.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "High",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"positive",
"real-repo-precision-2026-05-02"
],
"disabled": false,
"notes": "Regression counterpart to `rs-auth-realrepo-016`: same helper shape with no upstream auth check, but the project's manifest names `actix-web` so `lang_has_web_framework(\"rust\")` returns Some(true) and the param-name arm of `unit_has_user_input_evidence` stays on. Asserts the project-level web-framework gate doesn't silence findings in real Rust web projects."
},
{
"case_id": "ruby-safe-ar-query-shapes-001",
"file": "ruby/safe/safe_active_record_query_shapes.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "",
"provenance": "real-repo-precision-2026-04-27",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"cfg-unguarded-sink",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"active-record",
"rails",
"sqli",
"shape-safe",
"real-repo-precision"
],
"disabled": false,
"notes": "ActiveRecord query methods (where/order/group/having/joins/pluck) with parameter-safe arg-0 shapes (hash, symbol, array, parameterised string) \u2014 Rails escapes the values, no SQLi exposure."
},
{
"case_id": "ruby-sqli-where-string-interp-001",
"file": "ruby/sqli/sqli_where_string_interpolation.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "real-repo-precision-2026-04-27",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
9,
9
]
],
"expected_source_lines": [
[
8,
8
]
],
"tags": [
"active-record",
"rails",
"sqli",
"string-interpolation",
"real-repo-precision"
],
"disabled": false,
"notes": "Counterpart to safe_active_record_query_shapes \u2014 same method becomes a real SQLi sink when arg 0 is a string with #{...} interpolation. Engine must keep flagging this even though the safe-shape fixtures suppress SQL_QUERY at the same callee."
},
{
"case_id": "ruby-sqli-where-chained-interp-001",
"file": "ruby/sqli/sqli_where_chained_interpolation.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "real-repo-precision-2026-04-27",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
9,
9
]
],
"expected_source_lines": [
[
8,
8
]
],
"tags": [
"active-record",
"rails",
"sqli",
"string-interpolation",
"chained",
"real-repo-precision"
],
"disabled": false,
"notes": "Chained shape: Model.where(\"...#{x}...\").preload(...).to_a. CFG collapses chained calls into one node whose outermost callee is .to_a (no args). The shape suppressor walks the receiver chain to reach the inner where(...) \u2014 chain-walking only suppresses SAFE shapes, so this dangerous form must still fire."
},
{
"case_id": "ruby-safe-post-fetch-ownership-001",
"file": "ruby/safe/safe_post_fetch_ownership_check.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "",
"provenance": "real-repo-precision-2026-04-27",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rb.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"rails",
"auth",
"post-fetch-check",
"real-repo-precision"
],
"disabled": false,
"notes": "Rails canonical \"load by id, then check ownership\" idiom \u2014 row-fetch exemption (row_population_data reverse-walk in auth_check_covers_subject) closes the gap when the per-record permission check appears textually after the fetch."
},
{
"case_id": "ruby-auth-missing-post-fetch-001",
"file": "ruby/auth/auth_missing_post_fetch_check.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-639",
"provenance": "real-repo-precision-2026-04-27",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"rb.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
12,
12
]
],
"expected_source_lines": [],
"tags": [
"rails",
"auth",
"missing-ownership",
"real-repo-precision"
],
"disabled": false,
"notes": "Counterpart to safe_post_fetch_ownership_check \u2014 same controller shape but the per-record permission check is omitted, so the row-fetch exemption does not fire. Engine must keep flagging this even though the safe-shape fixtures train the exemption on the same Issue.find(params[:id]) pattern."
},
{
"case_id": "ruby-safe-rails-private-callback-helper-001",
"file": "ruby/safe/safe_rails_private_callback_helper.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "",
"provenance": "real-repo-precision-2026-05-03",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rb.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"rails",
"auth",
"private-callback-helper",
"real-repo-precision"
],
"disabled": false,
"notes": "Mastodon-shape: `set_account` private helper invoked via `before_action :set_account`. Rails extractor + collect_top_level_units now skip private + callback-target methods so the row fetch in the helper is not flagged as a missing-ownership unit; the public action that triggers the callback owns the auth context."
},
{
"case_id": "ruby-safe-rails-callback-helper-no-private-001",
"file": "ruby/safe/safe_rails_callback_helper_no_private.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "",
"provenance": "real-repo-precision-2026-05-03",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"rb.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": null,
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"rails",
"auth",
"callback-target-no-private",
"real-repo-precision"
],
"disabled": false,
"notes": "Sister fixture to safe_rails_private_callback_helper \u2014 the `set_widget` helper carries no `private` directive but is registered via `before_action :set_widget`. Callback-target name suppression alone (independent of visibility) must skip the helper unit."
},
{
"case_id": "java-safe-realrepo-keycloak-001",
"file": "java/safe/SafeJpaParameterizedExecute.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real-repo-precision-2026-04-28",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"cfg-unguarded-sink",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"jpa",
"parameterized-execute",
"real-repo-precision-2026-04-28"
],
"disabled": false,
"notes": "JPA executeUpdate()/executeQuery() with zero args after createQuery(LITERAL) is parameterised; engine synthesises same-node Sanitizer(SQL_QUERY) so reflexive dominance suppresses cfg-unguarded-sink. Distilled from keycloak/JpaEventStoreProvider.java."
},
{
"case_id": "java-sqli-realrepo-keycloak-001",
"file": "java/sqli/SqliJpaCreateQueryConcat.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "real-repo-precision-2026-04-28",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"cfg-unguarded-sink"
],
"allowed_alternative_rule_ids": [
"taint-unsanitised-flow"
],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
18,
18
]
],
"expected_source_lines": [],
"tags": [
"jpa",
"concat",
"real-repo-precision-2026-04-28"
],
"disabled": false,
"notes": "Concatenated SQL passed to em.createQuery(...) \u2014 receiver-chain walk sees binary_expression at arg 0, refuses to synthesise sanitizer, structural sink fires. Regression guard for the JPA parameterised-execute fix."
},
{
"case_id": "java-safe-realrepo-openmrs-001",
"file": "java/safe/SafeJpaCriteriaQuery.java",
"language": "java",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real-repo-precision-2026-05-03",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"cfg-unguarded-sink",
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"jpa",
"criteria-api",
"real-repo-precision-2026-05-03"
],
"disabled": false,
"notes": "JPA Criteria API: cb.createQuery(Foo.class) returns CriteriaQuery; session.createQuery(cq)/em.createQuery(cq) is safe by construction (parameterized SQL emitted). Engine maps CriteriaBuilder.createQuery via receiver-text recogniser to TypeKind::JpaCriteriaQuery, then sink_args_jpa_criteria_query_safe suppresses cfg-unguarded-sink at the executor site. Distilled from openmrs HibernateCohortDAO."
},
{
"case_id": "py-auth-realrepo-005",
"file": "python/safe/safe_fastapi_route_dependencies_auth.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"py.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"fastapi",
"real-repo-precision-2026-04-29"
],
"disabled": false,
"notes": "Distilled from airflow api_fastapi/core_api/routes/public/connections.py: FastAPI route decorator carries `dependencies=[Depends(requires_access_connection(method=\"DELETE\"))]`; the Flask extractor's new `dependencies=` kwarg walker plus inject_middleware_auth subject synthesis recognises the auth gate."
},
{
"case_id": "py-auth-realrepo-007",
"file": "python/safe/safe_fastapi_route_level_row_fetch.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"py.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"fastapi",
"real-repo-precision-2026-04-29"
],
"disabled": false,
"notes": "Distilled from airflow api_fastapi/core_api/routes/public/dag_run.py: FastAPI route decorator carries `dependencies=[Depends(requires_access_dag(method=\"GET\"))]`; the route-level guard must cover not only direct path-param subjects (filter_by(dag_id=dag_id)) but also row-variable receivers (`dag.cleanup_runs(...)` after `dag = session.scalar(select(DagModel)...)`). Pinned by the `is_route_level` short-circuit in `auth_check_covers_subject` plus the kind-aware `function_params_route_handler` that includes id-like Python typed params (`dag_id: str`) in `unit.params`."
},
{
"case_id": "py-auth-realrepo-006",
"file": "python/safe/safe_pytest_sqlalchemy_session.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"py.auth.missing_ownership_check",
"py.auth.token_override_without_validation"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"pytest",
"real-repo-precision-2026-04-29"
],
"disabled": false,
"notes": "Distilled from airflow tests/unit/models/test_backfill.py: pytest test methods with SQLAlchemy `session` fixture and `session.commit()` calls. Bare `session.<sqlalchemy_verb>` no longer counts as auth Session evidence; only `session.<identity_field>` (user/user_id/...) does."
},
{
"case_id": "py-auth-realrepo-007",
"file": "python/auth/vuln_fastapi_route_no_dependencies.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-862",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"py.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
25,
25
]
],
"expected_source_lines": [],
"tags": [
"auth",
"fastapi",
"real-repo-precision-2026-04-29"
],
"disabled": false,
"notes": "Vulnerable counterpart to py-auth-realrepo-005: same FastAPI route shape but no `dependencies=[Depends(...)]` keyword arg. Regression guard: the dependency-injection recogniser must not blanket-suppress every FastAPI route. Updated 2026-05-03: pre-fix recall came from a member_chain quirk where `select(Connection).filter_by(...)` reduced to bare callee `filter_by` and prefix-matched the `filter` read indicator. Post `receiver_is_simple_chain` gating, the fixture uses a qualified `Connection.objects.filter(id=connection_id).delete()` shape — SQLAlchemy `select().filter_by(...)` chained-call detection is a deferred deep fix."
},
{
"case_id": "js-data_exfil-001",
"file": "javascript/data_exfil/exfil_fetch_cookie_body.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
9
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"data_exfil",
"fetch",
"cookie"
],
"disabled": false,
"notes": "Cookie source flows into fetch body at hardcoded URL; DATA_EXFIL must fire and SSRF must not."
},
{
"case_id": "js-data_exfil-002",
"file": "javascript/data_exfil/exfil_fetch_external_destination.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
9
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"data_exfil",
"fetch",
"cookie",
"external-destination"
],
"disabled": false,
"notes": "Cookie source flows into fetch body at attacker-controlled host; DATA_EXFIL fires, SSRF does not."
},
{
"case_id": "js-data_exfil-003",
"file": "javascript/data_exfil/exfil_xhr_send_header.js",
"language": "javascript",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
8,
8
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"data_exfil",
"xhr",
"header"
],
"disabled": false,
"notes": "Authorization header source flows into XMLHttpRequest.send body at hardcoded URL."
},
{
"case_id": "ts-data_exfil-001",
"file": "typescript/data_exfil/exfil_fetch_cookie_body.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
9
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"data_exfil",
"fetch",
"cookie"
],
"disabled": false,
"notes": "TypeScript variant of js-data_exfil-001."
},
{
"case_id": "ts-data_exfil-002",
"file": "typescript/data_exfil/exfil_fetch_header_body.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
6,
9
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"data_exfil",
"fetch",
"header"
],
"disabled": false,
"notes": "Authorization header flows into fetch body at hardcoded URL."
},
{
"case_id": "py-data_exfil-001",
"file": "python/data_exfil/exfil_requests_post_env_dict.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
14,
14
]
],
"expected_source_lines": [
[
12,
13
]
],
"tags": [
"data_exfil",
"requests",
"env",
"container"
],
"disabled": false,
"notes": "Env-config secrets accumulate into a dict, then flow as the json kwarg of requests.post; container-taint round-trip."
},
{
"case_id": "py-data_exfil-002",
"file": "python/data_exfil/exfil_httpx_async_post_env.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
12,
15
]
],
"expected_source_lines": [
[
11,
11
]
],
"tags": [
"data_exfil",
"httpx",
"async",
"env"
],
"disabled": false,
"notes": "Env-config secret flows into httpx.AsyncClient().post json kwarg via the type-qualified HttpClient.post matcher."
},
{
"case_id": "java-data_exfil-001",
"file": "java/data_exfil/DataExfilJdkHttpClient.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
16,
20
]
],
"expected_source_lines": [
[
13,
14
]
],
"tags": [
"data_exfil",
"jdk-httpclient",
"cookie"
],
"disabled": false,
"notes": "Servlet cookie value flows through BodyPublishers.ofString into HttpClient.send body."
},
{
"case_id": "java-data_exfil-002",
"file": "java/data_exfil/DataExfilOkHttp.java",
"language": "java",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
15,
21
]
],
"expected_source_lines": [
[
13,
13
]
],
"tags": [
"data_exfil",
"okhttp",
"session"
],
"disabled": false,
"notes": "HttpSession attribute wraps via RequestBody.create and binds to OkHttp Request.Builder.post; chain-normalized newCall.execute fires DATA_EXFIL."
},
{
"case_id": "go-data_exfil-001",
"file": "go/data_exfil/exfil_http_post_cookie_body.go",
"language": "go",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
12,
12
]
],
"expected_source_lines": [
[
10,
11
]
],
"tags": [
"data_exfil",
"http-post",
"cookie"
],
"disabled": false,
"notes": "Cookie value flows via strings.NewReader into http.Post body at hardcoded URL."
},
{
"case_id": "rs-data_exfil-001",
"file": "rust/data_exfil/exfil_reqwest_form_env.rs",
"language": "rust",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
5,
8
]
],
"expected_source_lines": [
[
5,
5
]
],
"tags": [
"data_exfil",
"reqwest",
"form",
"env"
],
"disabled": false,
"notes": "env::var secret flows into reqwest .form() body chain via the form.send body-bind matcher."
},
{
"case_id": "rb-data_exfil-001",
"file": "ruby/data_exfil/exfil_net_http_post_cookie.rb",
"language": "ruby",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "HIGH",
"expected_category": "Security",
"expected_sink_lines": [
[
9,
9
]
],
"expected_source_lines": [
[
7,
7
]
],
"tags": [
"data_exfil",
"net-http",
"cookie"
],
"disabled": false,
"notes": "request.cookies value flows into Net::HTTP.post body at hardcoded URL."
},
{
"case_id": "c-data_exfil-001",
"file": "c/data_exfil/exfil_curl_postfields_env.c",
"language": "c",
"is_vulnerable": true,
"vuln_class": "data_exfil",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-data-exfiltration"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
14,
14
]
],
"expected_source_lines": [
[
9,
9
]
],
"tags": [
"data_exfil",
"curl",
"gated-sink",
"env"
],
"disabled": false,
"notes": "getenv secret flows into curl_easy_setopt CURLOPT_POSTFIELDS body; gated-sink fires only at the body-binding setopt."
},
{
"case_id": "js-safe-data_exfil-001",
"file": "javascript/safe/safe_data_exfil_sanitizer_wrap.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-data-exfiltration"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"data_exfil",
"safe",
"sanitizer-wrap"
],
"disabled": false,
"notes": "Cookie source routed through default forwarding-wrapper sanitizer (logEvent); DATA_EXFIL must not fire."
},
{
"case_id": "js-safe-data_exfil-002",
"file": "javascript/safe/safe_data_exfil_user_input_echo.js",
"language": "javascript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-data-exfiltration"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"data_exfil",
"safe",
"user-input-gate"
],
"disabled": false,
"notes": "Plain user input echoed into fetch body at fixed URL; sensitivity-gate suppresses Plain-tier sources for Cap::DATA_EXFIL."
},
{
"case_id": "py-safe-data_exfil-001",
"file": "python/safe/safe_data_exfil_user_input_echo.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-data-exfiltration"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"data_exfil",
"safe",
"user-input-gate"
],
"disabled": false,
"notes": "Flask form-field echoed into requests.post json at fixed URL; sensitivity-gate suppresses Plain-tier user input."
},
{
"case_id": "go-safe-data_exfil-001",
"file": "go/safe/safe_data_exfil_user_input_echo.go",
"language": "go",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-data-exfiltration"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"data_exfil",
"safe",
"user-input-gate"
],
"disabled": false,
"notes": "FormValue plain user input echoed into http.Post body at fixed URL; sensitivity-gate suppresses Plain-tier sources."
},
{
"case_id": "rb-safe-data_exfil-001",
"file": "ruby/safe/safe_data_exfil_user_input_echo.rb",
"language": "ruby",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-data-exfiltration"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"data_exfil",
"safe",
"user-input-gate"
],
"disabled": false,
"notes": "params plain user input echoed into RestClient.post body at fixed URL; sensitivity-gate suppresses Plain-tier sources."
},
{
"case_id": "c-safe-data_exfil-001",
"file": "c/safe/safe_data_exfil_user_input_echo.c",
"language": "c",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "CWE-201",
"provenance": "synthetic",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-data-exfiltration"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"data_exfil",
"safe",
"user-input-gate"
],
"disabled": false,
"notes": "fgets stdin user input echoed into curl_easy_setopt CURLOPT_POSTFIELDS at fixed URL; sensitivity-gate suppresses Plain-tier sources."
},
{
"case_id": "py-auth-realrepo-008",
"file": "python/safe/safe_django_orm_caller_scoped_entity.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"py.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"django",
"real-repo-precision-2026-05-02"
],
"disabled": false,
"notes": "Distilled from sentry api/helpers/environments.py::get_environments and api/endpoints/organization_releases.py::_filter_releases_by_query. `<entity>.id` for a unit param named after a scope-bearing domain entity (organization, project, ...) is the ownership scope inherited from the caller, not a user-controlled target. Pinned by is_caller_scope_entity_subject in src/auth_analysis/checks.rs. Also exercises the keyword_argument-key fix in extract_value_refs (Environment.objects.filter(organization_id=...) \u2014 the kwarg key `organization_id` is the ORM column name, not a subject)."
},
{
"case_id": "py-auth-realrepo-009",
"file": "python/auth/vuln_user_id_param_no_auth.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-862",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"py.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
16,
16
],
[
20,
20
]
],
"expected_source_lines": [],
"tags": [
"auth",
"django",
"real-repo-precision-2026-05-02"
],
"disabled": false,
"notes": "Vulnerable counterpart to py-auth-realrepo-008: helper takes a user-supplied `project_id` (id-like name) and queries Project.objects.filter(id=project_id) without any preceding ownership check. Regression guard: the caller-scope-entity exemption must NOT suppress when the param is itself an id-like user input."
},
{
"case_id": "py-auth-realrepo-010",
"file": "python/safe/safe_mock_patch_test_method.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"py.auth.missing_ownership_check",
"py.auth.token_override_without_validation"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"pytest",
"real-repo-precision-2026-05-02"
],
"disabled": false,
"notes": "Distilled from airflow providers/google/tests/unit/google/cloud/hooks/test_dlp.py: pytest test method decorated with `@mock.patch(\"...\")` was being attached as a Flask `PATCH` route handler because bare_method_name(\"mock.patch\") == \"patch\". Fix: parse_flask_route_decorator short-circuits on known test-framework decorator vocabulary (mock.patch, unittest.mock.patch, monkeypatch.setattr, pytest.mark.parametrize)."
},
{
"case_id": "py-auth-realrepo-011",
"file": "python/safe/safe_bare_callee_no_receiver.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"py.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"django",
"real-repo-precision-2026-05-03"
],
"disabled": false,
"notes": "Distilled from sentry tasks/statistical_detectors.py:743 (`org_ids = list({p.organization_id for p in projects})`), utils/query.py:90 (`events = list(method(...))`), api/helpers/group_index/delete.py (bare `delete_group_list`, `create_audit_entry`), seer/autofix/coding_agent.py (bare `update_coding_agent_state`). Bare-identifier callees `list`, `filter`, `update`, `create`, `add` are Python builtins or locally-defined helpers, not DB / ORM operations. Fix: classify_sink_class verb-name fallback now requires `receiver_is_simple_chain` (callee contains a non-chained `.`). Regression guard for: bare callees must not classify as DbCrossTenantRead / DbMutation."
},
{
"case_id": "py-auth-realrepo-012",
"file": "python/safe/safe_local_set_update_no_orm.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"py.auth.missing_ownership_check"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"django",
"real-repo-precision-2026-05-04"
],
"disabled": false,
"notes": "Distilled from sentry api/helpers/teams.py::get_teams: bare-callee Python container constructors (`set()`, `dict()`, `defaultdict()`, `Counter()`, `list()`) bind a non-sink local collection. Subsequent `.update(..)` / `.add(..)` / item assignment must classify as InMemoryLocal, suppressing the false `py.auth.missing_ownership_check` finding. Fix: AuthAnalysisRules::is_non_sink_constructor_callee accepts bare callees matching non_sink_receiver_types; Python defaults populated with `set`/`dict`/`list`/`tuple`/`frozenset`/`defaultdict`/`OrderedDict`/`Counter`/`deque`/`ChainMap`/`namedtuple`; collect_non_sink_binding falls through to `left`/`right` field names; assignment / assignment_expression arm in collect_unit_state now wires the recogniser."
},
{
"case_id": "py-auth-realrepo-013",
"file": "python/auth/vuln_local_set_with_user_id_query.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-862",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"py.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
22,
22
],
[
28,
28
]
],
"expected_source_lines": [],
"tags": [
"auth",
"django",
"real-repo-precision-2026-05-04"
],
"disabled": false,
"notes": "Vulnerable counterpart to py-auth-realrepo-012: same bare-`set()` / `dict()` local container shape, but the helper *also* runs an id-targeted ORM `Project.objects.filter(id=team_id)` query whose filter param is a user-supplied id (no caller-scope-entity exemption applies). Recall guard: bare-callee constructor recogniser must only suppress the InMemoryLocal `.add` / `.update` calls — the id-targeted ORM filter must still fire `py.auth.missing_ownership_check`."
},
{
"case_id": "py-auth-realrepo-014",
"file": "python/auth/vuln_fastapi_route_no_dependencies_sqla.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-862",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"py.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
27,
27
]
],
"expected_source_lines": [],
"tags": [
"auth",
"fastapi",
"sqlalchemy",
"real-repo-precision-2026-05-04"
],
"disabled": false,
"notes": "Distilled from airflow `airflow-core/src/airflow/api_fastapi/core_api/routes/public/connections.py`: `session.scalar(select(Connection).filter_by(conn_id=connection_id))` queryset chain. Pre-fix the chain reduced via `member_chain` to bare `[\"filter_by\"]` (Python tree-sitter `call` nodes use a `function` field not traversed by the Ruby/JS-style logic) and was suppressed by `receiver_is_simple_chain`'s bare-callee guard, blocking recall. Fix: (1) `member_chain` now traverses Python `call`'s `function` field; (2) the parent attribute branch appends `()` to last segment when its `object` is a call so `select(X).filter_by(...)` produces `[\"select()\", \"filter_by\"]`; (3) `AuthAnalysisRules::chain_root_is_db_query_builder` + per-language `db_query_builder_roots` (Python: `select`, `query`) anchors the chained-call shape to `DbCrossTenantRead`. Recall guard: missing_ownership_check must still fire on this airflow-style queryset chain when no `Depends(...)` auth dependency is declared."
},
{
"case_id": "py-auth-realrepo-015",
"file": "python/safe/safe_fastapi_route_security_scopes.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "auth",
"cwe": "CWE-862",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"py.auth.missing_ownership_check",
"py.auth.token_override_without_validation"
],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"fastapi",
"security",
"real-repo-precision-2026-05-04"
],
"disabled": false,
"notes": "Distilled from airflow `airflow-core/src/airflow/api_fastapi/execution_api/routes/task_instances.py:101-117`: `dependencies=[Security(require_auth, scopes=[\"token:execution\", \"token:workload\"])]`. Pre-fix `is_depends_callee` only matched `Depends`, so `Security(...)` was ignored and the route fired `missing_ownership_check` even with the auth dep declared. Even after recognising the marker, `require_auth` is registered as a `LoginGuard`, which `has_prior_subject_auth` filters out. Fix: (1) `is_dep_marker_callee` recognises `Security` / `fastapi.Security` / `fastapi.params.Security`; (2) `unwrap_depends_call` returns `(CallSite, is_scoped_security)` and skips `keyword_argument` children when finding the first positional; (3) `inject_middleware_auth` promotes a scoped Security wrapper from `LoginGuard` to `AuthCheckKind::Other` so the route counts as authorized. Precision guard: route must NOT fire ownership / token-override findings when carrying a scoped `Security(...)` route-level dep."
},
{
"case_id": "py-auth-realrepo-016",
"file": "python/auth/vuln_fastapi_route_security_no_scopes.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-862",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"py.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
34,
34
]
],
"expected_source_lines": [],
"tags": [
"auth",
"fastapi",
"security",
"real-repo-precision-2026-05-04"
],
"disabled": false,
"notes": "Recall counterpart to py-auth-realrepo-015. `Security(require_auth, scopes=[])` with an empty scope list is NOT promoted to `Other` — the OAuth2 scope semantic only fires when scopes is non-empty, so the wrapper falls back to bare login classification. Recall guard: `missing_ownership_check` must still fire on this id-targeted ORM filter; without conservative scope-emptiness gating, every empty-scopes route would over-suppress."
},
{
"case_id": "py-auth-realrepo-017",
"file": "python/safe/safe_fastapi_router_level_security_scopes.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "auth",
"cwe": "CWE-862",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"py.auth.missing_ownership_check",
"py.auth.token_override_without_validation"
],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"fastapi",
"router-level-security",
"real-repo-precision-2026-05-04"
],
"disabled": false,
"notes": "Distilled from airflow `airflow-core/src/airflow/api_fastapi/execution_api/routes/task_instances.py:89-318`: `ti_id_router = VersionedAPIRouter(dependencies=[Security(require_auth, scopes=[\"ti:self\"])])` declares the auth dep once at the router constructor; every `@ti_id_router.<verb>(...)` route inherits it at runtime. Pre-fix the FastAPI dep extractor only walked the per-route decorator's `dependencies=[...]` kwarg; router-constructor `dependencies=` was dropped, so every attached route without inline deps fired `missing_ownership_check` + `token_override_without_validation` despite being authorized. Fix: `collect_router_level_dependencies` walks module-level `<router> = APIRouter(...)` / `VersionedAPIRouter(...)` / `FastAPI(...)` assignments and captures `dependencies=[...]` keyed by the router var name; `router_prefix_from_decorator` extracts the receiver from `@<router>.<verb>(...)` and merges router-level deps into the per-route middleware list. A scoped Security wrapper additionally synthesises matching `TokenExpiry` + `TokenRecipient` checks (the JWT-validation semantics — JWT signature includes expiry, scopes encode recipient binding) so the token-override rule recognises the route too. Precision guard: route must NOT fire ownership / token-override findings."
},
{
"case_id": "py-auth-realrepo-018",
"file": "python/auth/vuln_fastapi_router_no_dependencies.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-862",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"py.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
35,
35
]
],
"expected_source_lines": [],
"tags": [
"auth",
"fastapi",
"router-level-security",
"real-repo-precision-2026-05-04"
],
"disabled": false,
"notes": "Recall counterpart to py-auth-realrepo-017. Bare `router = VersionedAPIRouter()` with no `dependencies=` kwarg — attached routes that do not supply inline deps are genuinely unauthorized. The router-level extractor must NOT enter a fake key for routers without router-level deps; the gate (`if deps.is_empty() { continue; }` in `collect_router_level_dependencies`) ensures absence is preserved. Recall guard: `missing_ownership_check` must still fire on the id-targeted write."
},
{
"case_id": "py-auth-realrepo-019",
"file": "python/safe/safe_caller_scope_helper_under_authorized_route.py",
"language": "python",
"is_vulnerable": false,
"vuln_class": "auth",
"cwe": "CWE-862",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"py.auth.missing_ownership_check",
"py.auth.token_override_without_validation"
],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"auth",
"fastapi",
"caller-scope-ipa",
"real-repo-precision-2026-05-04"
],
"disabled": false,
"notes": "Distilled from airflow `airflow-core/src/airflow/api_fastapi/execution_api/routes/task_instances.py:516-628`: the route handler `ti_update_state` is route-level authorized via the `ti_id_router = APIRouter(dependencies=[Security(require_auth, scopes=[\"ti:self\"])])` declaration (closed by session-0010), then delegates the `session.add(...)` sink to a private helper `_create_state_update`. Pre-fix the helper fired both `missing_ownership_check` and `token_override_without_validation` because `check_ownership_gaps` is scoped per AnalysisUnit — the caller's route-level auth check did not propagate to the callee. Phase 1 caller-scope IPA fix (`apply_caller_scope_propagation` in `src/auth_analysis/mod.rs`) walks the call graph DOWN: when every in-file caller of a helper carries route-level non-Login auth, the helper inherits those checks via synthetic `is_route_level=true` AuthChecks anchored at the callee's start line. Soundness: requires every caller authorized; refuses on dead helpers, mixed-caller helpers, login-only routes."
},
{
"case_id": "py-auth-realrepo-020",
"file": "python/auth/vuln_caller_scope_helper_under_bare_route.py",
"language": "python",
"is_vulnerable": true,
"vuln_class": "auth",
"cwe": "CWE-862",
"provenance": "real-repo",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"py.auth.missing_ownership_check"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
31,
31
]
],
"expected_source_lines": [],
"tags": [
"auth",
"fastapi",
"caller-scope-ipa",
"real-repo-precision-2026-05-04"
],
"disabled": false,
"notes": "Recall counterpart to py-auth-realrepo-019. Same shape but bare `router = APIRouter()` (no Security dep at the boundary). The helper `_create_state_update` is reached from a route handler with no authorization; `apply_caller_scope_propagation`'s soundness rule refuses to authorize the helper because no caller carries route-level non-Login auth. Recall guard: `missing_ownership_check` must still fire on the helper's `session.add` sink."
},
{
"case_id": "cve-ts-2026-25544-vulnerable",
"file": "cve_corpus/typescript/CVE-2026-25544/vulnerable.ts",
"language": "typescript",
"is_vulnerable": true,
"vuln_class": "sqli",
"cwe": "CWE-89",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "rule_match",
"expected_rule_ids": [
"taint-unsanitised-flow"
],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [],
"expected_severity": "MEDIUM",
"expected_category": "Security",
"expected_sink_lines": [
[
80,
81
]
],
"expected_source_lines": [
[
73,
73
]
],
"tags": [
"cve",
"payload",
"sqli",
"vulnerable"
],
"disabled": false,
"notes": "CVE-2026-25544: Payload `sanitizeValue` SQL injection via Postgres jsonb_path_exists template-string interpolation. Vulnerable form (`@payloadcms/drizzle@v3.72.0`, MIT) lets attacker-controlled JSON-query value escape the surrounding SQL string literal because `sanitizeValue` only double-quotes it without escaping `\\`/`\"`. Enabled after validated-flow propagation landed via `SsaFuncSummary.validated_params_to_return` + `propagate_validated_params_to_return`."
},
{
"case_id": "cve-ts-2026-25544-patched",
"file": "cve_corpus/typescript/CVE-2026-25544/patched.ts",
"language": "typescript",
"is_vulnerable": false,
"vuln_class": "safe",
"cwe": "N/A",
"provenance": "real_cve",
"equivalence_tier": "exact",
"match_mode": "file_presence",
"expected_rule_ids": [],
"allowed_alternative_rule_ids": [],
"forbidden_rule_ids": [
"taint-unsanitised-flow"
],
"expected_severity": null,
"expected_category": "Security",
"expected_sink_lines": [],
"expected_source_lines": [],
"tags": [
"cve",
"payload",
"safe",
"patched"
],
"disabled": false,
"notes": "Patched form of `sanitizeValue` from `@payloadcms/drizzle@v3.73.0` (MIT). Enabled after validated-flow propagation landed."
}
]
}
Reference in a new issue View git blame Copy permalink