semi-implemented and features implemented save checkpoint

This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions

@@ -0,0 +1,29 @@
# Threat Vector Inference and Capability Detection
## Module
Scanner
## Status
IMPLEMENTED
## Description
Automated inference of threat vectors from entrypoint characteristics, capability detection (network, file system, crypto, IPC), and data flow boundary mapping for security surface assessment.
## Implementation Details
- **Threat Vector Inference**:
- `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/ThreatVectorInferrer.cs` - `ThreatVectorInferrer` inferring threat vectors (External, Internal, Privileged) from entrypoint characteristics and exposure patterns
- `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ThreatVector.cs` - `ThreatVector` enum defining threat vector classifications
- **Capability Detection**:
- `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/CapabilityDetector.cs` - `CapabilityDetector` detecting entrypoint capabilities (NetworkAccess, FileSystem, Crypto, ProcessExec, IPC) from code patterns
- `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/CapabilityClass.cs` - `CapabilityClass` flags enum for detected capabilities
- **Data Flow Boundary Mapping**:
- `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/DataBoundaryMapper.cs` - `DataBoundaryMapper` mapping data flow trust boundaries between entrypoints and downstream services
- `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/DataFlowBoundary.cs` - `DataFlowBoundary` enum defining trust boundary types
## E2E Test Plan
- [ ] Analyze an HTTP-exposed entrypoint and verify `ThreatVectorInferrer` classifies it as "External" threat vector
- [ ] Analyze an internal-only service and verify it is classified as "Internal" threat vector
- [ ] Verify `CapabilityDetector` identifies NetworkAccess capability for entrypoints making HTTP calls
- [ ] Verify `CapabilityDetector` identifies FileSystem capability for entrypoints performing file I/O
- [ ] Verify `DataBoundaryMapper` correctly identifies trust boundary crossings (e.g., user input -> database query)
- [ ] Verify all three analysis components (threat vector, capability, data flow boundary) produce deterministic results for the same code patterns
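Review bot: the `## Status` line declares IMPLEMENTED while every item in `## E2E Test Plan` is still unchecked and the commit message itself calls the work semi-implemented; either downgrade the status until the plan passes, or split it into an implementation status and a verification status so the two are not read as the same claim. The plan also has gaps against what the Implementation Details describe: no case for the `Privileged` threat vector, none for the `Crypto`, `ProcessExec` or `IPC` capabilities that `CapabilityDetector` is said to detect (the `## Description` line also omits ProcessExec), and no negative case (an entrypoint with no HTTP calls must not be flagged `NetworkAccess`), which matters because a detector that over-reports capabilities silently inflates the security surface. The determinism item should state what is compared, e.g. identical `ThreatVector`, `CapabilityClass` flags and `DataFlowBoundary` results across repeated runs on the same input, and listing the test project path next to the implementation paths would make the plan traceable.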