{
  "repository": "eclipse-openvsx/openvsx",
  "commit_source": "git_rev_parse",
  "commit_sha": "e92a1a7a448be08570cc4c4969717ed3e2260015",
  "submitted_target": {
    "target_kind": "git_tag",
    "commit_sha": "e92a1a7a448be08570cc4c4969717ed3e2260015",
    "version": "v1.0.1",
    "ref": "v1.0.1",
    "display": "eclipse-openvsx/openvsx@v1.0.1 (vulnerable; parent repro target)"
  },
  "variant_target": {
    "target_kind": "git_tag",
    "commit_sha": "e92a1a7a448be08570cc4c4969717ed3e2260015",
    "version": "v1.0.1",
    "ref": "v1.0.1",
    "display": "eclipse-openvsx/openvsx@v1.0.1 (alternate trigger reproduces here)"
  },
  "fixed_version_tested": {
    "target_kind": "git_tag",
    "commit_sha": "9491f32a6d459a4d499c5028d37c0d0386771e9f",
    "version": "v1.0.2",
    "ref": "v1.0.2",
    "display": "eclipse-openvsx/openvsx@v1.0.2 (fixed; variant does NOT reproduce -> not a bypass)",
    "variant_reproduced": false
  },
  "build_identity": {
    "spring_boot_version": "3.5.14",
    "start_class": "org.eclipse.openvsx.RegistryApplication",
    "vuln_jar": "bundle/logs/openvsx-server-v1.0.1.jar",
    "fixed_jar": "bundle/logs/openvsx-server-v1.0.2.jar",
    "runtime_jdk": "eclipse-temurin:25-jdk",
    "database": "postgres:16.2"
  },
  "resolution_method": "git clone --branch <tag> --depth 1 https://github.com/eclipse-openvsx/openvsx.git; git rev-parse HEAD; git describe --tags",
  "notes": "Both tags were resolved to exact commits via git rev-parse. The variant reproduces on v1.0.1 (e92a1a7a) and is mitigated on v1.0.2 (9491f32a). Source trees are cached at /data/pruva/project-cache/.../repo (v1.0.1) and repo-fixed (v1.0.2). Build provenance was confirmed by matching the size of HttpHeadersUtil.class in each jar (v1.0.1 = 2134 B, a stub; v1.0.2 = 8659 B, with createFileResponseHeaders); this is a size comparison, not a cryptographic hash check."
}
