semi-implemented and features implemented save checkpoint

This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions

@@ -0,0 +1,29 @@
# macOS Bundle Inspector with Capability Overlays
## Module
Scanner
## Status
IMPLEMENTED
## Description
Inspects macOS .app/.framework bundles, parsing Info.plist for metadata and entitlements for security capability analysis (sandbox, hardened runtime, network access flags).
## Implementation Details
- **Bundle Analyzer**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.MacOsBundle/MacOsBundleAnalyzer.cs` - `MacOsBundleAnalyzer` inspects macOS .app/.framework bundles, extracting metadata and security capabilities
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.MacOsBundle/MacOsBundleAnalyzerPlugin.cs` - Plugin registration for the macOS bundle analyzer
- **Parsers**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.MacOsBundle/InfoPlistParser.cs` - `InfoPlistParser` parses Info.plist files for bundle metadata (CFBundleIdentifier, version, minimum OS)
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.MacOsBundle/EntitlementsParser.cs` - `EntitlementsParser` parses entitlements XML for security capability analysis (sandbox, hardened runtime, network access)
- **Mach-O Analysis**:
- `src/Scanner/StellaOps.Scanner.Analyzers.Native/MachOReader.cs` - `MachOReader` reads Mach-O binary format headers and load commands
- `src/Scanner/StellaOps.Scanner.Analyzers.Native/MachOCodeSignature.cs` - `MachOCodeSignature` extracts code signature information from Mach-O binaries
## E2E Test Plan
- [ ] Scan a container image containing a macOS .app bundle and verify Info.plist metadata is extracted (bundle identifier, version, minimum OS version)
- [ ] Verify entitlements are parsed and security capabilities (sandbox, hardened runtime) are identified
- [ ] Verify network access entitlements (com.apple.security.network.client/server) are detected and reported as capability overlays
- [ ] Verify .framework bundles are also inspected with the same metadata extraction
- [ ] Verify Mach-O code signature information is extracted and linked to the bundle analysis
- [ ] Verify bundles without entitlements are handled gracefully with appropriate defaults
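Review bot: the `EntitlementsParser` line under Parsers and the second E2E item treat hardened runtime as something read from entitlements XML, but on macOS the hardened runtime is a CodeDirectory flag (CS_RUNTIME) in the Mach-O code signature, not an entitlement key, so it belongs to `MachOCodeSignature` and both the parser description and the test item should say so. Related: the entitlements an app actually runs with are the ones embedded in the code signature's entitlements slot of the main executable, not any loose XML file in the bundle, so the spec should state which source `EntitlementsParser` reads, and the E2E plan should add a case where the embedded entitlements differ from a loose `.entitlements` file and confirm the embedded ones win. The network-access overlay (third item) should also record whether `com.apple.security.app-sandbox` is present, because `com.apple.security.network.client`/`server` only constrain a sandboxed process; reporting them as a capability on an unsandboxed app is misleading. The last item, "handled gracefully with appropriate defaults", should spell out the defaults (sandboxed=false, hardened runtime=false, network unrestricted) so a test can assert on them. Finally, Status reads IMPLEMENTED while every E2E checkbox is unchecked and the commit message itself says semi-implemented; consider a status that reflects untested work.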