Refactor code structure for improved readability and maintainability; optimize performance in key functions.

2025-12-22 19:06:31 +02:00
parent dfaa2079aa
commit 0536a4f7d4
1443 changed files with 109671 additions and 7840 deletions
--- a/docs/api/unknowns-api.md
+++ b/docs/api/unknowns-api.md
@@ -57,6 +57,18 @@ Returns paginated list of unknowns, optionally sorted by score.
      "id": "unk-12345678-abcd-1234-5678-abcdef123456",
      "artifactDigest": "sha256:abc123...",
      "artifactPurl": "pkg:oci/myapp@sha256:abc123",
+      "reasonCode": "Reachability",
+      "reasonCodeShort": "U-RCH",
+      "remediationHint": "Run reachability analysis",
+      "detailedHint": "Execute call-graph analysis to determine if vulnerable code paths are reachable from application entrypoints.",
+      "automationCommand": "stella analyze --reachability",
+      "evidenceRefs": [
+        {
+          "type": "reachability",
+          "uri": "proofs/unknowns/unk-12345678/evidence.json",
+          "digest": "sha256:0a1b2c..."
+        }
+      ],
      "reasons": ["missing_vex", "ambiguous_indirect_call"],
      "blastRadius": {
        "dependents": 15,
@@ -118,6 +130,18 @@ Returns detailed information about a specific unknown.
  "id": "unk-12345678-abcd-1234-5678-abcdef123456",
  "artifactDigest": "sha256:abc123...",
  "artifactPurl": "pkg:oci/myapp@sha256:abc123",
+  "reasonCode": "Reachability",
+  "reasonCodeShort": "U-RCH",
+  "remediationHint": "Run reachability analysis",
+  "detailedHint": "Execute call-graph analysis to determine if vulnerable code paths are reachable from application entrypoints.",
+  "automationCommand": "stella analyze --reachability",
+  "evidenceRefs": [
+    {
+      "type": "reachability",
+      "uri": "proofs/unknowns/unk-12345678/evidence.json",
+      "digest": "sha256:0a1b2c..."
+    }
+  ],
  "reasons": ["missing_vex", "ambiguous_indirect_call"],
  "reasonDetails": [
    {
@@ -270,15 +294,15 @@ Returns aggregate statistics about unknowns.

 ## Reason Codes

-| Code | Description |
-|------|-------------|
-| `missing_vex` | No VEX statement for vulnerability |
-| `ambiguous_indirect_call` | Indirect call target unresolved |
-| `incomplete_sbom` | SBOM missing component data |
-| `unknown_platform` | Platform not recognized |
-| `missing_advisory` | No advisory data for CVE |
-| `conflicting_evidence` | Multiple conflicting data sources |
-| `stale_data` | Data exceeds freshness threshold |
+| Code | Short Code | Description |
+|------|------------|-------------|
+| `Reachability` | `U-RCH` | Call path analysis is indeterminate. |
+| `Identity` | `U-ID` | Ambiguous package identity or missing digest. |
+| `Provenance` | `U-PROV` | Cannot map binary artifact to source repository. |
+| `VexConflict` | `U-VEX` | VEX statements conflict or applicability data is missing. |
+| `FeedGap` | `U-FEED` | Required advisory/feed coverage missing or stale. |
+| `ConfigUnknown` | `U-CONFIG` | Runtime configuration or feature flags not observable. |
+| `AnalyzerLimit` | `U-ANALYZER` | Language or framework not supported by analyzer. |

 ## Score Calculation