semi-implemented and features implemented save checkpoint

This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions


@@ -0,0 +1,28 @@
# Scanner Integration for Binary Analysis
## Module
BinaryIndex
## Status
IMPLEMENTED
## Description
Binary vulnerability analysis integrated into the scanner worker pipeline with patch verification and build provenance reproducibility verification.
## Implementation Details
- **Modules**: `src/BinaryIndex/`, `src/Scanner/`
- **Key Classes**:
- `BinaryVulnerabilityService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/Services/BinaryVulnerabilityService.cs`) - core binary vulnerability detection service used by scanner pipeline; queries `ICorpusQueryService` for function matches
- `CachedBinaryVulnerabilityService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Cache/CachedBinaryVulnerabilityService.cs`) - cached decorator with `LookupByDeltaSignatureAsync` for scanner integration
- `ResolutionService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Resolution/ResolutionService.cs`) - resolves whether a CVE is fixed based on binary-level evidence
- `ReproducibleBuildJob` (`src/BinaryIndex/StellaOps.BinaryIndex.Worker/Jobs/ReproducibleBuildJob.cs`) - worker job for build provenance verification
- `EnsembleDecisionEngine` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Ensemble/EnsembleDecisionEngine.cs`) - multi-tier matching for scanner-detected vulnerabilities
- **Integration Points**: Scanner pipeline calls `IBinaryVulnerabilityService` to enrich findings with binary-level patch verification
## E2E Test Plan
- [ ] Trigger a scanner scan on a container with known binaries and verify binary analysis runs automatically
- [ ] Verify scanner findings are enriched with binary-level patch status (Fixed, Vulnerable, Unknown)
- [ ] Verify `CachedBinaryVulnerabilityService` caches scanner lookups for performance
- [ ] Verify build provenance verification runs as a background worker job
- [ ] Verify ensemble decision engine produces consistent results when called from scanner pipeline
- [ ] Verify binary analysis results are included in scanner output findings
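Review bot: The `## Status` line declares `IMPLEMENTED` while every item under `## E2E Test Plan` is still `- [ ]` and the commit itself is titled a "semi-implemented" checkpoint, so the status should be downgraded (or the checklist items that actually pass ticked) before this file is merged as a record of done work. The test plan also lacks pass criteria: "Verify scanner findings are enriched with binary-level patch status (Fixed, Vulnerable, Unknown)" should state that an `Unknown` result from `ResolutionService` is surfaced as unresolved rather than suppressing the finding, and "Verify `CachedBinaryVulnerabilityService` caches scanner lookups for performance" should add the invalidation case, i.e. a cached `Fixed` answer must not outlive an update to the corpus behind `ICorpusQueryService`. Finally, `## Integration Points` names `IBinaryVulnerabilityService` but the `Key Classes` list never says which concrete class implements it; naming the implementation (and that `CachedBinaryVulnerabilityService` decorates it) would make the wiring checkable.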