{
  "repository": "github.com/juicedata/juicefs",
  "commit_source": "git_rev_parse",
  "commit_sha": "a46979cdd4082217081ee99b931ddc53d038e47a",
  "submitted_target": {
    "target_kind": "git_commit",
    "commit_sha": "f60a90fc0ad52d2bb1f44f38a04d55044fc91d50",
    "version": "1.3.1",
    "ref": null,
    "display": "JuiceFS <= 1.3.1 vulnerable parent commit f60a90fc (before fix)"
  },
  "variant_target": {
    "target_kind": "git_commit",
    "commit_sha": "a46979cdd4082217081ee99b931ddc53d038e47a",
    "version": "1.4.0-dev+unknown",
    "ref": "main",
    "display": "JuiceFS fixed commit a46979cd (PR #7214) — variant reproduced on this exact commit"
  },
  "build_identity": {
    "binary_path": "/data/pruva/project-cache/7ad83e4b-d63b-4731-bc8c-ea459a1a8720/juicefs-fixed",
    "built_from_commit": "a46979cdd4082217081ee99b931ddc53d038e47a",
    "go_version": "go1.25.0 linux/amd64",
    "build_command": "go build -o <bin> ."
  },
  "verification": {
    "git_rev_parse_HEAD": "a46979cdd4082217081ee99b931ddc53d038e47a",
    "fix_pr": "#7214",
    "fix_subject": "cmd: use a dedicated ServeMux to avoid exposing pprof/metrics",
    "fixed_version_txt": "bundle/logs/vuln_variant/fixed_version.txt"
  },
  "notes": "The variant was tested against the exact fix commit a46979cd (git rev-parse HEAD of the project-cache repo). The fix's own diff for cmd/main.go is empty, confirming the debug agent (cmd/main.go:336) was not modified by the fix; the variant reproduces on this fixed commit."
}
