fix: nlqa-flow-003 ground truth schema + sec-cve-003 verifier rewrite

- nlqa-flow-003: Convert `pattern` (string) to `patterns` (array) and add
  missing `weight` field on all 21 ground truth items. Without this, the
  weighted_checklist scorer crashes with KeyError at runtime.

- sec-cve-003: Replace custom bash scorer with standard Python-based
  weighted_checklist template. Old scorer wrote to /logs/result.json
  (wrong path), used exit 1 on missing output (verifier crash), and
  used non-standard ground truth fields (value/path/function/code/event).
  New scorer writes to /logs/verifier/reward.txt, exits 0 on all paths,
  and ground truth converted to standard patterns/weight schema.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: LoCoBench Bot

benchmarks/ccb_nlqa/nlqa-flow-003/tests/ground_truth.json

@@ -7,94 +7,115 @@
   },
   "required_findings": [
     {
-      "pattern": "(?i)(ApplicationController|appcontroller\\.go).*reconcil",
-      "description": "ApplicationController triggers reconciliation cycle"
+      "patterns": ["(?i)(ApplicationController|appcontroller\\.go).*reconcil"],
+      "description": "ApplicationController triggers reconciliation cycle",
+      "weight": 1.0
     },
     {
-      "pattern": "(?i)(GenerateManifests|repository\\.go).*manifest",
-      "description": "RepoServer GenerateManifests() renders manifests from Git"
+      "patterns": ["(?i)(GenerateManifests|repository\\.go).*manifest"],
+      "description": "RepoServer GenerateManifests() renders manifests from Git",
+      "weight": 1.0
     },
     {
-      "pattern": "(?i)(ManifestRequest|ManifestResponse)",
-      "description": "ManifestRequest/Response data structures for controller-reposerver communication"
+      "patterns": ["(?i)(ManifestRequest|ManifestResponse)"],
+      "description": "ManifestRequest/Response data structures for controller-reposerver communication",
+      "weight": 1.0
     },
     {
-      "pattern": "(?i)(diff\\.go|Diff\\(\\)|StateDiff|Normalize)",
-      "description": "Diff engine computes difference between desired and live state"
+      "patterns": ["(?i)(diff\\.go|Diff\\(\\)|StateDiff|Normalize)"],
+      "description": "Diff engine computes difference between desired and live state",
+      "weight": 1.0
     },
     {
-      "pattern": "(?i)(DiffResult|ResourceDiff)",
-      "description": "DiffResult data structure represents out-of-sync resources"
+      "patterns": ["(?i)(DiffResult|ResourceDiff)"],
+      "description": "DiffResult data structure represents out-of-sync resources",
+      "weight": 1.0
     },
     {
-      "pattern": "(?i)(3-way diff|last-applied-configuration)",
-      "description": "3-way diff algorithm compares live, desired, and last-applied state"
+      "patterns": ["(?i)(3-way diff|last-applied-configuration)"],
+      "description": "3-way diff algorithm compares live, desired, and last-applied state",
+      "weight": 1.0
     },
     {
-      "pattern": "(?i)(sync.*phase|PreSync|PostSync|wave)",
-      "description": "Sync phases (PreSync, Sync, PostSync) and waves orchestrate resource application"
+      "patterns": ["(?i)(sync.*phase|PreSync|PostSync|wave)"],
+      "description": "Sync phases (PreSync, Sync, PostSync) and waves orchestrate resource application",
+      "weight": 1.0
     },
     {
-      "pattern": "(?i)(kubectl apply|server-side apply|SSA)",
-      "description": "Sync strategy: kubectl apply (client-side) or server-side apply"
+      "patterns": ["(?i)(kubectl apply|server-side apply|SSA)"],
+      "description": "Sync strategy: kubectl apply (client-side) or server-side apply",
+      "weight": 1.0
     }
   ],
   "file_references": [
     {
-      "pattern": "controller/appcontroller\\.go",
-      "description": "ApplicationController reconciliation loop"
+      "patterns": ["controller/appcontroller\\.go"],
+      "description": "ApplicationController reconciliation loop",
+      "weight": 1.0
     },
     {
-      "pattern": "reposerver/repository/repository\\.go",
-      "description": "RepoServer manifest generation"
+      "patterns": ["reposerver/repository/repository\\.go"],
+      "description": "RepoServer manifest generation",
+      "weight": 1.0
     },
     {
-      "pattern": "util/diff/diff\\.go",
-      "description": "Diff engine for state comparison"
+      "patterns": ["util/diff/diff\\.go"],
+      "description": "Diff engine for state comparison",
+      "weight": 1.0
     },
     {
-      "pattern": "pkg/apis/application/v1alpha1/",
-      "description": "Application CRD definitions (SyncPolicy, SyncOperation, ApplicationStatus)"
+      "patterns": ["pkg/apis/application/v1alpha1/"],
+      "description": "Application CRD definitions (SyncPolicy, SyncOperation, ApplicationStatus)",
+      "weight": 1.0
     },
     {
-      "pattern": "util/argo/",
-      "description": "Sync operation utilities"
+      "patterns": ["util/argo/"],
+      "description": "Sync operation utilities",
+      "weight": 1.0
     },
     {
-      "pattern": "cmd/argocd-application-controller/",
-      "description": "Application controller command entry point"
+      "patterns": ["cmd/argocd-application-controller/"],
+      "description": "Application controller command entry point",
+      "weight": 1.0
     }
   ],
   "causal_chain": [
     {
-      "pattern": "(?i)(git.*clone|git.*fetch|revision|commit.*SHA)",
-      "description": "Step 1: Git repository fetch at specified revision"
+      "patterns": ["(?i)(git.*clone|git.*fetch|revision|commit.*SHA)"],
+      "description": "Step 1: Git repository fetch at specified revision",
+      "weight": 1.0
     },
     {
-      "pattern": "(?i)(Helm|Kustomize|CMP|plugin).*render",
-      "description": "Step 2: Config management tool renders raw manifests"
+      "patterns": ["(?i)(Helm|Kustomize|CMP|plugin).*render"],
+      "description": "Step 2: Config management tool renders raw manifests",
+      "weight": 1.0
     },
     {
-      "pattern": "(?i)(normalize|strip.*metadata|ignore.*difference)",
-      "description": "Step 3: Resource normalization before comparison"
+      "patterns": ["(?i)(normalize|strip.*metadata|ignore.*difference)"],
+      "description": "Step 3: Resource normalization before comparison",
+      "weight": 1.0
     },
     {
-      "pattern": "(?i)(diff.*result|out-of-sync|created|modified|deleted)",
-      "description": "Step 4: Diff computation produces list of changes"
+      "patterns": ["(?i)(diff.*result|out-of-sync|created|modified|deleted)"],
+      "description": "Step 4: Diff computation produces list of changes",
+      "weight": 1.0
     },
     {
-      "pattern": "(?i)(apply|sync.*operation|cluster.*update)",
-      "description": "Step 5: Sync operation applies changes to Kubernetes cluster"
+      "patterns": ["(?i)(apply|sync.*operation|cluster.*update)"],
+      "description": "Step 5: Sync operation applies changes to Kubernetes cluster",
+      "weight": 1.0
     }
   ],
   "negative_checks": [
     {
-      "pattern": "(?i)(Flux|Spinnaker|Jenkins)",
-      "description": "Should NOT mention other CD tools (Flux, Spinnaker, Jenkins) — Argo CD has unique architecture"
+      "patterns": ["(?i)(Flux|Spinnaker|Jenkins)"],
+      "description": "Should NOT mention other CD tools (Flux, Spinnaker, Jenkins) — Argo CD has unique architecture",
+      "weight": 1.0
     },
     {
-      "pattern": "(?i)(push.*git|write.*git|git.*commit.*cluster)",
-      "description": "Should NOT claim Argo CD writes cluster state back to Git — it's pull-based, not push-based"
+      "patterns": ["(?i)(push.*git|write.*git|git.*commit.*cluster)"],
+      "description": "Should NOT claim Argo CD writes cluster state back to Git — it's pull-based, not push-based",
+      "weight": 1.0
     }
   ]
 }

benchmarks/ccb_security/sec-cve-003/tests/ground_truth.json

@@ -1,167 +1,128 @@
 {
-  "task_id": "sec-cve-003",
-  "cve_id": "CVE-2023-39325",
-  "vulnerability_type": "uncontrolled_resource_consumption",
-  "severity": "high",
-  "cvss_score": 7.5,
-
+  "weights": {
+    "required_findings": 0.40,
+    "file_references": 0.20,
+    "causal_chain": 0.20,
+    "negative_checks": 0.10
+  },
   "required_findings": [
     {
-      "type": "vulnerable_function",
-      "value": "processHeaders",
-      "file": "http2/server.go",
-      "weight": 0.20,
-      "description": "The processHeaders function directly spawns handler goroutines without checking limits"
+      "patterns": ["(?i)processHeaders"],
+      "description": "The processHeaders function directly spawns handler goroutines without checking limits",
+      "weight": 2.0
     },
     {
-      "type": "vulnerable_pattern",
-      "value": "go sc.runHandler",
-      "context": "unbounded goroutine creation",
-      "weight": 0.15,
-      "description": "Direct goroutine spawning without tracking or limiting active handlers"
+      "patterns": ["(?i)go\\s+sc\\.runHandler", "(?i)runHandler"],
+      "description": "Direct goroutine spawning without tracking or limiting active handlers",
+      "weight": 1.5
     },
     {
-      "type": "missing_check",
-      "value": "handler_goroutine_limit",
-      "context": "no enforcement of MaxConcurrentStreams on handler goroutines",
-      "weight": 0.15,
-      "description": "The vulnerability exists because handler goroutines are not counted or limited"
+      "patterns": ["(?i)(handler.*goroutine.*limit|MaxConcurrentStreams.*handler|limit.*handler)"],
+      "description": "The vulnerability exists because handler goroutines are not counted or limited",
+      "weight": 1.5
     },
     {
-      "type": "vulnerability_type",
-      "value": "denial_of_service",
-      "context": "resource exhaustion via rapid stream reset",
-      "weight": 0.10,
-      "description": "HTTP/2 rapid reset attack causing unbounded goroutine accumulation"
+      "patterns": ["(?i)(denial.of.service|DoS|resource.exhaustion)"],
+      "description": "HTTP/2 rapid reset attack causing unbounded goroutine accumulation",
+      "weight": 1.0
     },
     {
-      "type": "attack_vector",
-      "value": "rst_stream",
-      "context": "RST_STREAM frees stream slots while handlers keep running",
-      "weight": 0.10,
-      "description": "Attacker rapidly creates streams and resets them to spawn unbounded handlers"
+      "patterns": ["(?i)(RST_STREAM|rapid.reset|rst.stream)"],
+      "description": "Attacker rapidly creates streams and resets them to spawn unbounded handlers",
+      "weight": 1.0
     },
     {
-      "type": "affected_component",
-      "value": "http2_server",
-      "context": "golang.org/x/net/http2 package",
-      "weight": 0.10,
-      "description": "The http2 server implementation in x/net"
+      "patterns": ["(?i)(http2.*server|x/net/http2|golang.org/x/net)"],
+      "description": "The http2 server implementation in x/net",
+      "weight": 1.0
     }
   ],
-
   "file_references": [
     {
-      "path": "http2/server.go",
-      "relevance": "primary",
-      "weight": 0.10,
-      "description": "Contains the vulnerable processHeaders and runHandler functions"
+      "patterns": ["http2/server\\.go"],
+      "description": "Contains the vulnerable processHeaders and runHandler functions",
+      "weight": 2.0
     },
     {
-      "path": "http2/frame.go",
-      "relevance": "supporting",
-      "weight": 0.05,
-      "description": "Defines RST_STREAM frame handling used in the attack"
+      "patterns": ["http2/frame\\.go"],
+      "description": "Defines RST_STREAM frame handling used in the attack",
+      "weight": 1.0
     },
     {
-      "path": "http2/transport.go",
-      "relevance": "supporting",
-      "weight": 0.05,
-      "description": "HTTP/2 stream management, relevant for understanding stream lifecycle"
+      "patterns": ["http2/transport\\.go"],
+      "description": "HTTP/2 stream management, relevant for understanding stream lifecycle",
+      "weight": 1.0
     }
   ],
-
   "causal_chain": [
     {
-      "step": 1,
-      "function": "serve",
-      "file": "http2/server.go",
-      "description": "Main server loop processes incoming HTTP/2 frames"
+      "patterns": ["(?i)(serve|server.*loop|incoming.*frame)"],
+      "description": "Step 1: Main server loop processes incoming HTTP/2 frames",
+      "weight": 1.0
     },
     {
-      "step": 2,
-      "function": "processHeaders",
-      "file": "http2/server.go",
-      "description": "Processes HEADERS frame and spawns handler goroutine"
+      "patterns": ["(?i)(processHeaders|HEADERS.*frame)"],
+      "description": "Step 2: Processes HEADERS frame and spawns handler goroutine",
+      "weight": 1.0
     },
     {
-      "step": 3,
-      "code": "go sc.runHandler(rw, req, handler)",
-      "file": "http2/server.go",
-      "description": "VULNERABLE: Spawns handler goroutine without checking limit"
+      "patterns": ["(?i)(runHandler|spawn.*goroutine|go\\s+sc)"],
+      "description": "Step 3: Spawns handler goroutine without checking limit (VULNERABLE)",
+      "weight": 1.0
     },
     {
-      "step": 4,
-      "event": "RST_STREAM received",
-      "description": "Attacker sends RST_STREAM to free stream slot"
+      "patterns": ["(?i)(RST_STREAM|reset.*stream|stream.*reset)"],
+      "description": "Step 4: Attacker sends RST_STREAM to free stream slot",
+      "weight": 1.0
     },
     {
-      "step": 5,
-      "event": "stream slot freed",
-      "description": "Stream slot becomes available, but handler goroutine continues running"
+      "patterns": ["(?i)(stream.*slot.*free|handler.*continue|goroutine.*accumul)"],
+      "description": "Step 5: Stream slot freed but handler goroutine continues running",
+      "weight": 1.0
     },
     {
-      "step": 6,
-      "event": "rapid repetition",
-      "description": "Attacker repeats steps 2-5 rapidly to accumulate handler goroutines"
-    },
-    {
-      "step": 7,
-      "impact": "resource exhaustion",
-      "description": "Unbounded handler goroutines consume CPU and memory, causing DoS"
+      "patterns": ["(?i)(rapid.*repeat|unbounded|exhaust|CPU|memory|DoS)"],
+      "description": "Step 6-7: Rapid repetition causes unbounded goroutine accumulation and resource exhaustion",
+      "weight": 1.0
     }
   ],
-
   "negative_checks": [
     {
-      "type": "wrong_component",
-      "value": "TLS layer",
-      "weight": 0.05,
-      "description": "The vulnerability is NOT in TLS, it's in HTTP/2 stream handling"
+      "patterns": ["(?i)\\bTLS\\b.*\\b(layer|vulnerab|bug|flaw)"],
+      "description": "The vulnerability is NOT in TLS, it's in HTTP/2 stream handling",
+      "weight": 1.0
     },
     {
-      "type": "wrong_component",
-      "value": "HTTP/1.1",
-      "weight": 0.05,
-      "description": "The vulnerability is specific to HTTP/2, not HTTP/1.1"
+      "patterns": ["(?i)\\bHTTP/1\\.1\\b.*\\b(vulnerab|affect|bug|flaw)"],
+      "description": "The vulnerability is specific to HTTP/2, not HTTP/1.1",
+      "weight": 1.0
     },
     {
-      "type": "wrong_vulnerability_type",
-      "value": "buffer overflow",
-      "weight": 0.05,
-      "description": "This is NOT a memory corruption bug, it's resource exhaustion"
+      "patterns": ["(?i)\\bbuffer\\s+overflow\\b"],
+      "description": "This is NOT a memory corruption bug, it's resource exhaustion",
+      "weight": 1.0
     },
     {
-      "type": "wrong_attack_vector",
-      "value": "malformed headers",
-      "weight": 0.05,
-      "description": "Attack uses valid HTTP/2 frames (RST_STREAM), not malformed input"
+      "patterns": ["(?i)\\bmalformed\\s+headers?\\b.*\\b(attack|exploit|vuln)"],
+      "description": "Attack uses valid HTTP/2 frames (RST_STREAM), not malformed input",
+      "weight": 1.0
     },
     {
-      "type": "wrong_fix",
-      "value": "input validation",
-      "weight": 0.05,
-      "description": "Fix is not about validating input, but limiting concurrent handler goroutines"
+      "patterns": ["(?i)\\binput\\s+validation\\b.*\\bfix\\b"],
+      "description": "Fix is not about validating input, but limiting concurrent handler goroutines",
+      "weight": 1.0
     }
   ],
-
-  "remediation_keywords": [
-    "limit handler goroutines",
-    "enforce MaxConcurrentStreams on handlers",
-    "queue deferred handlers",
-    "track active handler count",
-    "backpressure mechanism",
-    "scheduleHandler function",
-    "curHandlers counter",
-    "unstartedHandlers queue"
-  ],
-
   "metadata": {
+    "task_id": "sec-cve-003",
+    "cve_id": "CVE-2023-39325",
+    "vulnerability_type": "uncontrolled_resource_consumption",
+    "severity": "high",
+    "cvss_score": 7.5,
     "fix_commit": "b225e7ca6dde1ef5a5ae5ce922861bda011cfabd",
     "vulnerable_commit": "88194ad8ab44a02ea952c169883c3f57db6cf9f4",
     "fix_version": "v0.17.0",
     "vulnerable_version": "v0.16.0",
-    "disclosure_date": "2023-10-10",
     "also_known_as": "CVE-2023-44487",
     "attack_name": "HTTP/2 Rapid Reset"
   }