semi implemented and features implemented save checkpoint

2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions
--- a/docs/features/unchecked/scanner/compositional-library-aware-call-graph-reachability.md
+++ b/docs/features/unchecked/scanner/compositional-library-aware-call-graph-reachability.md
@@ -0,0 +1,36 @@
+# Compositional Library-Aware Call-Graph Reachability
+
+## Module
+Scanner
+
+## Status
+IMPLEMENTED
+
+## Description
+Multi-layer reachability analysis combining call-graph extraction, dependency-aware analysis, surface-aware analysis, and conditional reachability with ReachGraph integration.
+
+## Implementation Details
+- **Dependency-Aware Reachability**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ConditionalReachabilityAnalyzer.cs` - Conditional reachability analysis considering library dependencies
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/DependencyReachabilityModels.cs` - Models for dependency-aware reachability
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachGraphReachabilityCombiner.cs` - Combines ReachGraph data with local reachability analysis
+- **Dependency Reporting**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/Reporting/DependencyReachabilityReporter.cs` - Generates dependency reachability reports
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/Reporting/DependencyReachabilityReport.cs` - Report model
+- **Surface-Aware Analysis**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Surfaces/SurfaceAwareReachabilityAnalyzer.cs` - Surface-aware reachability analysis combining attack surface with call graph
+- **Call Graph Extraction** (multi-language):
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/` - Multi-language call graph extractors
+- **Worker Integration**:
+  - `src/Scanner/StellaOps.Scanner.Worker/Processing/Reachability/ReachabilityBuildStageExecutor.cs` - Builds reachability during scan
+  - `src/Scanner/StellaOps.Scanner.Worker/Processing/Reachability/SbomReachabilityStageExecutor.cs` - SBOM-level reachability analysis
+- **API**:
+  - `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ReachabilityEndpoints.cs` - `ReachabilityEndpoints` for querying reachability results
+
+## E2E Test Plan
+- [ ] Scan an image with a multi-library application and verify call graph extraction captures inter-library calls
+- [ ] Verify `ConditionalReachabilityAnalyzer` considers conditional dependencies (optional/feature-flagged)
+- [ ] Verify `SurfaceAwareReachabilityAnalyzer` combines attack surface data with call graph to produce accurate reachability verdicts
+- [ ] Verify `ReachGraphReachabilityCombiner` integrates external ReachGraph data with local analysis
+- [ ] Query reachability results via `GET /api/v1/scans/{scanId}/reachability` and verify library-aware paths are included
+- [ ] Verify the dependency reachability report includes per-library reachability status