Skip to content

data: add config-vuln annotation suite for entry-00241..244#19

Open
perhaps468 wants to merge 1 commit into
Tencent:mainfrom
perhaps468:feat/config-vuln-annotation
Open

data: add config-vuln annotation suite for entry-00241..244#19
perhaps468 wants to merge 1 commit into
Tencent:mainfrom
perhaps468:feat/config-vuln-annotation

Conversation

@perhaps468

Copy link
Copy Markdown

概述

Closes [#8]
本 PR 新增了 Dockerfile 类配置漏洞(非污点流型 CWE-250)的标注规范与配套工具链,针对 GHSA-w7j5-j98m-w679entry-00241..244 共 4 条样本,将 trace 由 7 节点折叠为 1 节点,critical_operation 由单点 sink 改为整结构性缺陷范围。

变更内容

• 新增 data/config_vuln_annotation.md(规范文档,约 137 行)
◦ §2 标注原则:entry_point / critical_operation / trace 取值与反例
◦ §3 本次 4 条样本的"前 → 后"对照表
◦ §4 验收检查表 8 条
◦ §7 12 条硬约束复核报告
• 新增 scripts/data_fixes/gen_config_vuln_fixed.py(幂等生成器)
◦ 从 entries.jsonl baseline 仅替换 4 条目标 entry
◦ 输出 fixed JSONL + diff CSV
• 新增 scripts/data_fixes/verify_config_vuln_fixes.py(只读复核器)
◦ 6 轮独立校验:upstream fetch / schema / {file,line,code} 字符匹配 / desc 质量 / diff-CSV 一致 / 生成器幂等
• 新增生成产物
data/entries.config_vuln.fixed.jsonl(408 行,仅 4 条目标 entry 被替换)
data/config_vuln_diff.csv(16 行 = 4 entry × 4 字段,含原始/修复两侧 JSON)

说明

• 不修改 data/entries.jsonl baseline,修复结果独立输出便于按需合并
• 未引入 SCHEMA 新顶层字段(lineint | "start-end"code 用多行,约定均已存在)

• 本地复核命令:

python scripts/data_fixes/gen_config_vuln_fixed.py
python scripts/data_fixes/verify_config_vuln_fixes.py

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant