Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.
This commit is contained in:
master
2025-11-08 20:53:45 +02:00
parent 515975edc5
commit 536f6249a6
837 changed files with 37279 additions and 14675 deletions


@@ -1,5 +1,6 @@
using System;
using System.Collections.Generic;
using StellaOps.Configuration;
using StellaOps.Scanner.Storage;
namespace StellaOps.Scanner.WebService.Options;
@@ -76,6 +77,11 @@ public sealed class ScannerWebServiceOptions
/// </summary>
public EventsOptions Events { get; set; } = new();
/// <summary>
/// Sovereign cryptography configuration for this host.
/// </summary>
public StellaOpsCryptoOptions Crypto { get; set; } = new();
/// <summary>
/// Runtime ingestion configuration.
/// </summary>
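Review bot: The new `Crypto` property defaults to `new()`, so a deployment that omits the crypto section silently runs with whatever StellaOpsCryptoOptions' defaults select, and nothing in this hunk says what that is. Whether ScannerWebServiceOptionsValidator rejects or warns on an absent section is not visible here; if it does not, the summary should say so, e.g. `/// Sovereign cryptography configuration for this host. When the section is absent the provider defaults of <see cref="StellaOpsCryptoOptions"/> apply; see the validator for enforced constraints.` The enclosing ScannerWebServiceOptions class continues outside the hunk.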


@@ -48,13 +48,15 @@ builder.Configuration.AddStellaOpsDefaults(options =>
var contentRoot = builder.Environment.ContentRootPath;
var bootstrapOptions = builder.Configuration.BindOptions<ScannerWebServiceOptions>(
ScannerWebServiceOptions.SectionName,
(opts, _) =>
{
ScannerWebServiceOptionsPostConfigure.Apply(opts, contentRoot);
ScannerWebServiceOptionsValidator.Validate(opts);
});
var bootstrapOptions = builder.Configuration.BindOptions<ScannerWebServiceOptions>(
ScannerWebServiceOptions.SectionName,
(opts, _) =>
{
ScannerWebServiceOptionsPostConfigure.Apply(opts, contentRoot);
ScannerWebServiceOptionsValidator.Validate(opts);
});
builder.Services.AddStellaOpsCrypto(bootstrapOptions.Crypto);
builder.Services.AddOptions<ScannerWebServiceOptions>()
.Bind(builder.Configuration.GetSection(ScannerWebServiceOptions.SectionName))
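Review bot: `builder.Services.AddStellaOpsCrypto(bootstrapOptions.Crypto);` registers crypto from the one-shot bootstrap bind, while the options registered just below go through `AddOptions<ScannerWebServiceOptions>().Bind(...)`, which can be observed via IOptionsMonitor (SurfacePointerService takes one in this commit). If that reads correctly, edits to the Crypto section after startup will reload into the options object but not into the registered providers, which is worth stating at the call site: `// Crypto providers are fixed from the bootstrap snapshot; changing the Crypto section requires a restart.` The removed and re-added bootstrapOptions block appears identical apart from whitespace lost in rendering, so the hash-routing wiring is the only functional change visible. The surrounding top-level statements continue outside the hunk.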


@@ -7,6 +7,7 @@ using System.Text.Json;
using System.Text.Json.Serialization;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using StellaOps.Cryptography;
using StellaOps.Scanner.Storage;
using StellaOps.Scanner.Storage.Catalog;
using StellaOps.Scanner.Storage.ObjectStore;
@@ -36,6 +37,7 @@ internal sealed class SurfacePointerService : ISurfacePointerService
private readonly ISurfaceEnvironment _surfaceEnvironment;
private readonly TimeProvider _timeProvider;
private readonly ILogger<SurfacePointerService> _logger;
private readonly ICryptoHash _hash;
public SurfacePointerService(
LinkRepository linkRepository,
@@ -43,7 +45,8 @@ internal sealed class SurfacePointerService : ISurfacePointerService
IOptionsMonitor<ScannerWebServiceOptions> optionsMonitor,
ISurfaceEnvironment surfaceEnvironment,
TimeProvider timeProvider,
ILogger<SurfacePointerService> logger)
ILogger<SurfacePointerService> logger,
ICryptoHash hash)
{
_linkRepository = linkRepository ?? throw new ArgumentNullException(nameof(linkRepository));
_artifactRepository = artifactRepository ?? throw new ArgumentNullException(nameof(artifactRepository));
@@ -51,6 +54,7 @@ internal sealed class SurfacePointerService : ISurfacePointerService
_surfaceEnvironment = surfaceEnvironment ?? throw new ArgumentNullException(nameof(surfaceEnvironment));
_timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_hash = hash ?? throw new ArgumentNullException(nameof(hash));
}
public async Task<SurfacePointersDto?> TryBuildAsync(string imageDigest, CancellationToken cancellationToken)
@@ -275,15 +279,9 @@ internal sealed class SurfacePointerService : ISurfacePointerService
? string.Empty
: value.Trim().TrimEnd('/');
private static string ComputeDigest(ReadOnlySpan<byte> payload)
private string ComputeDigest(ReadOnlySpan<byte> payload)
{
Span<byte> hash = stackalloc byte[32];
if (!SHA256.TryHashData(payload, hash, out _))
{
using var sha = SHA256.Create();
hash = sha.ComputeHash(payload.ToArray());
}
return $"sha256:{Convert.ToHexString(hash).ToLowerInvariant()}";
var hex = _hash.ComputeHashHex(payload, HashAlgorithms.Sha256);
return $"sha256:{hex}";
}
}
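Review bot: The rewritten ComputeDigest no longer lower-cases its hex output — the removed body applied `.ToLowerInvariant()` to `Convert.ToHexString`, whereas the new body interpolates `hex` from `_hash.ComputeHashHex` verbatim. Unless ICryptoHash guarantees lower-case output (its contract is not visible here), the `sha256:` digest string could change case between providers, which would likely matter wherever these digests are compared or used as lookup keys. Either normalise explicitly, `return $"sha256:{hex.ToLowerInvariant()}";`, or add a comment recording that ComputeHashHex is contractually lower-case. The hard-coded `sha256:` prefix stays consistent with the explicit `HashAlgorithms.Sha256` argument; the earlier hunks in this section wire the `_hash` dependency through the field and constructor consistently.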


@@ -4,6 +4,7 @@
|----|--------|----------|------------|-------------|---------------|
| SCAN-REPLAY-186-001 | TODO | Scanner WebService Guild | REPLAY-CORE-185-001 | Implement scan `record` mode producing replay manifests/bundles, capture policy/feed/tool hashes, and update `docs/modules/scanner/architecture.md` referencing `docs/replay/DETERMINISTIC_REPLAY.md` Section 6. | API/worker integration tests cover record mode; docs merged; replay artifacts stored per spec. |
| SCANNER-SURFACE-02 | DONE (2025-11-05) | Scanner WebService Guild | SURFACE-FS-02 | Publish Surface.FS pointers (CAS URIs, manifests) via scan/report APIs and update attestation metadata.<br>2025-11-05: Surface pointers projected through scan/report endpoints, orchestrator samples + DSSE fixtures refreshed with manifest block, readiness tests updated to use validator stub. | OpenAPI updated; clients regenerated; integration tests validate pointer presence and tenancy. |
| SCANNER-CRYPTO-90-001 | TODO | Scanner WebService Guild, Security Guild | SEC-CRYPTO-90-003, SEC-CRYPTO-90-004 | Route hashing/signing flows (`ScanIdGenerator`, `ReportSigner`, Sbomer Buildx plugin) through `ICryptoProviderRegistry` so sovereign deployments can select `ru.cryptopro.csp` / `ru.pkcs11` providers. Reference `docs/security/crypto-routing-audit-2025-11-07.md`. | Config toggles verified for default + RU bundles; report/scan APIs emit signatures via registry-backed providers; regression tests updated. |
| SCANNER-ENV-02 | TODO (2025-11-06) | Scanner WebService Guild, Ops Guild | SURFACE-ENV-02 | Wire Surface.Env helpers into WebService hosting (cache roots, feature flags) and document configuration.<br>2025-11-02: Cache root resolution switched to helper; feature flag bindings updated; Helm/Compose updates pending review.<br>2025-11-05 14:55Z: Aligning readiness checks, docs, and Helm/Compose templates with Surface.Env outputs and planning test coverage for configuration fallbacks.<br>2025-11-06 17:05Z: Surface.Env documentation/README refreshed; warning catalogue captured for ops handoff.<br>2025-11-06 07:45Z: Helm values (dev/stage/prod/airgap/mirror) and Compose examples updated with `SCANNER_SURFACE_*` defaults plus rollout warning note in `deploy/README.md`.<br>2025-11-06 07:55Z: Paused; follow-up automation captured under `DEVOPS-OPENSSL-11-001/002` and pending Surface.Env readiness tests. | Service uses helper; env table documented; helm/compose templates updated. |
> 2025-11-05 19:18Z: Added configurator to project wiring and unit test ensuring Surface.Env cache root is honoured.
| SCANNER-SECRETS-02 | DONE (2025-11-06) | Scanner WebService Guild, Security Guild | SURFACE-SECRETS-02 | Replace ad-hoc secret wiring with Surface.Secrets for report/export operations (registry and CAS tokens).<br>2025-11-02: Export/report flows now depend on Surface.Secrets stub; integration tests in progress.<br>2025-11-06: Restarting work to eliminate file-based secrets, plumb provider handles through report/export services, and extend failure/rotation tests.<br>2025-11-06 21:40Z: Added configurator + storage post-config to hydrate artifact/CAS credentials from `cas-access` secrets with unit coverage.<br>2025-11-06 23:58Z: Registry & attestation secrets now resolved via Surface.Secrets (options + tests updated); dotnet test suites executed with .NET 10 RC2 runtime where available. | Secrets fetched through shared provider; unit/integration tests cover rotation + failure cases. |