diff --git a/benchmark/data/tasks/ecvebench-rustracts-001.json b/benchmark/data/tasks/ecvebench-rustracts-001.json
new file mode 100644
index 00000000..c6299b92
--- /dev/null
+++ b/benchmark/data/tasks/ecvebench-rustracts-001.json
@@ -0,0 +1,35 @@
+{
+ "task_id": "ecvebench-rustracts-001",
+ "ghsa_id": "GHSA-xwxc-j97j-84gf",
+ "codebase": {
+ "repo": "https://github.com/hyyking/rustracts",
+ "language": "rust",
+ "ecosystem": "rust",
+ "commit": "c15541d7968aea40d06dadd5e2c5cb57b4d6d341"
+ },
+ "hints": {
+ "L0": null,
+ "L1": {
+ "area": "Concurrency trait implementations and thread-safety guarantees for smart pointer types"
+ },
+ "L2": {
+ "description": "A data race vulnerability exists where a smart pointer type unconditionally implements the Send trait without requiring the inner type to be Sync. This allows concurrent access to non-Sync data from multiple threads, leading to undefined behavior such as data races."
+ },
+ "L3": {
+ "area": "Thread-safety trait bounds for weak reference types in the shared ownership smart pointer module",
+ "description": "A data race vulnerability exists where a weak reference smart pointer type unconditionally implements the Send trait without requiring the inner type to be Sync. This allows enclosing non-Sync data and accessing it concurrently from multiple threads via child references, leading to undefined behavior including data races and potential memory corruption."
+ }
+ },
+ "ground_truth": {
+ "vulnerable": true,
+ "vuln_class": "race-condition",
+ "cvss": 8.1,
+ "reason": "LockWeak unconditionally implements Send without requiring T: Sync, allowing concurrent access to non-Sync data from multiple threads, which causes undefined behavior such as data races.",
+ "locations": [
+ {
+ "file": "parc/src/lib.rs",
+ "function": null
+ }
+ ]
+ }
+}
diff --git a/benchmark/internal/metadata/GHSA-xwxc-j97j-84gf.json b/benchmark/internal/metadata/GHSA-xwxc-j97j-84gf.json
new file mode 100644
index 00000000..5cac2790
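Review bot: `ghsa_id`, the graded `hints` and the whole `ground_truth` object sit in one task file, and nothing in this hunk shows which keys the harness removes before the task reaches the system under evaluation. If the file is passed through as-is, the advisory id alone identifies the published advisory and `ground_truth.reason` names `LockWeak`, so hint level `L0` would not measure unaided detection; keeping only `task_id`, `codebase` and `hints` in the agent-facing file and moving the rest next to `benchmark/internal/metadata/` would make that separation structural. Separately, `"cvss": 8.1` carries no CVSS version or vector string, so the score cannot be re-derived or compared across CVSS versions; a sibling key holding the vector would fix that.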
--- /dev/null
+++ b/benchmark/internal/metadata/GHSA-xwxc-j97j-84gf.json
@@ -0,0 +1,8 @@
+{
+ "ghsa_id": "GHSA-xwxc-j97j-84gf",
+ "post_patch_commit": "5e43ee86e6a67153ff65da2051f6eb0a77f2c6b8",
+ "noisy_patch": false,
+ "curation_notes": "Patch is PR #6 (merged as 5e43ee8) in hyyking/rustracts. Only one source file changed: parc/src/lib.rs. The fix adds a Sync bound to the unsafe Send impl for LockWeak, preventing concurrent access to non-Sync data. Pre-assigned class race-condition (CWE-362) is correct — the vulnerability is an unsound Send impl enabling data races. Location derived directly from the patch diff; no sibling files exist in parc/src/.",
+ "dataset_version": "0.1.0",
+ "snapshot_date": "2026-04-26"
+}
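Review bot: The CWE mapping exists only inside the free-text `curation_notes` ("CWE-362"), so tooling that filters or scores by weakness class has to parse prose. A dedicated key such as `"cwe": "CWE-362"` next to `ghsa_id` would keep it machine-readable. The record also does not state how the task's pinned `codebase.commit` relates to `post_patch_commit`; if the ground truth depends on the pinned commit being the pre-patch parent, recording that commit here would let a CI check confirm it.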