CVE-2019-10219: executable affected-version certificate for GHSA #8376

Description

@hypergalois

CVE-2019-10219: executable affected-version certificate for GHSA

Requested Check

Please review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.

Grouped Route

  • candidate: CVE-2019-10219
  • route URL: https://github.com/github/advisory-database
  • targets: GHSA
  • route kinds: claim-source
  • priority: P0
  • grouped queue rows: 1
  • P0 rows in group: 1

Evidence Summary

  • projection-loss versions: 6
  • source-disagreement versions: 7
  • report paths: external_validation_reports/CVE-2019-10219_external_validation_report.md

Target-Specific Packets

| Target | Route kind | Priority | Reason | Body | SHA-256 |
| --- | --- | --- | --- | --- | --- |
| GHSA | claim-source | P0 | claim-source projection excludes witness-vulnerable versions | external_validation_submissions/CVE-2019-10219__GHSA.md | 9d0c749fe586c86095bd1bd83e828eca5b71d7c160843ad653fad8e28d645090 |

Reproduction

make cve-2019-10219
make interval-certificates topology-theorem order-sensitivity version-dags
make case-certificates verify-certificates validate-artifact

Evidence Details

Only the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.

Packet: GHSA / claim-source

  • target-specific body SHA-256: 9d0c749fe586c86095bd1bd83e828eca5b71d7c160843ad653fad8e28d645090
  • target-specific report: external_validation_reports/CVE-2019-10219_external_validation_report.md

Executable Certificate

  • candidate: CVE-2019-10219
  • bitstring: 011111111001100
  • minimum interval cover: 2
  • V-S-V witnesses: 1
  • zero-error single intervals: 0
  • full-recall false-positive lower bound: 2
  • zero-false-positive false-negative lower bound: 2

Projection-Loss Coordinates

  • org.hibernate:hibernate-validator:5.1.3.Final
    • version: 5.1.3.Final
    • claim projection decisions: GHSA:namespace_missing
    • excluding sources: GHSA
    • detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate
  • org.hibernate:hibernate-validator:5.2.5.Final
    • version: 5.2.5.Final
    • claim projection decisions: GHSA:namespace_missing
    • excluding sources: GHSA
    • detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate
  • org.hibernate:hibernate-validator:5.3.6.Final
    • version: 5.3.6.Final
    • claim projection decisions: GHSA:namespace_missing
    • excluding sources: GHSA
    • detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate
  • org.hibernate:hibernate-validator:5.4.2.Final
    • version: 5.4.2.Final
    • claim projection decisions: GHSA:namespace_missing
    • excluding sources: GHSA
    • detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate
  • org.hibernate:hibernate-validator:5.4.3.Final
    • version: 5.4.3.Final
    • claim projection decisions: GHSA:namespace_missing
    • excluding sources: GHSA
    • detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate
  • org.hibernate.validator:hibernate-validator:6.1.0.Alpha6
    • version: 6.1.0.Alpha6
    • claim projection decisions: GHSA:fixed
    • excluding sources: GHSA
    • detail: GHSA: version equals GHSA first_patched_version

Source Disagreements

  • versions with source disagreement: 4.3.2.Final, 5.1.3.Final, 5.2.5.Final, 5.3.6.Final, 5.4.2.Final, 5.4.3.Final, 6.1.0.Alpha6

Public Evidence Bundle
