Closed jensdietrich closed 1 year ago
Agreed, it's on my list!
FTR in the scripts I have been running, I automatically determined what to specify for testSignalWhenVulnerable (via -sig success|failure on the command line) for each CVE by running mvn clean test in the corresponding xshady subdirectory, and assuming that its exit code there (0 or 1) corresponded to “vulnerable”.
Regarding CVE-2022-38751, my scripts have accordingly been specifying -sig success 😅
We should add those files to all projects, otherwise the experiments might be prone to using incorrect signal settings. Note CVE-2022-38751 -- we did not use this in the initial experiments as it was too similar to another CVE we did use, but this is still in the repo and not from vul4j, so for this the signal must be success.