Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images. - Added symbols.json detailing function entry and sink points in the WordPress code. - Included runtime traces for function calls in both reachable and unreachable scenarios. - Developed OpenVEX files indicating vulnerability status and justification for both cases. - Updated README for evaluator harness to guide integration with scanner output.
2025-11-08 20:53:45 +02:00
parent 515975edc5
commit 536f6249a6
837 changed files with 37279 additions and 14675 deletions
--- a/src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/CompositeScanAnalyzerDispatcherTests.cs
+++ b/src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/CompositeScanAnalyzerDispatcherTests.cs
@@ -22,7 +22,8 @@ using StellaOps.Scanner.Surface.Secrets;
 using StellaOps.Scanner.Surface.Validation;
 using StellaOps.Scanner.Worker.Diagnostics;
 using StellaOps.Scanner.Worker.Processing;
-using Xunit;
+using StellaOps.Scanner.Worker.Tests.TestInfrastructure;
+using Xunit;
 using WorkerOptions = StellaOps.Scanner.Worker.Options.ScannerWorkerOptions;

 namespace StellaOps.Scanner.Worker.Tests;
@@ -108,7 +109,8 @@ public sealed class CompositeScanAnalyzerDispatcherTests
                languageCatalog,
                options,
                loggerFactory.CreateLogger<CompositeScanAnalyzerDispatcher>(),
-                metrics);
+                metrics,
+                new TestCryptoHash());

            var lease = new TestJobLease(metadata);
            var context = new ScanJobContext(lease, TimeProvider.System, TimeProvider.System.GetUtcNow(), CancellationToken.None);
--- a/src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/EntryTraceExecutionServiceTests.cs
+++ b/src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/EntryTraceExecutionServiceTests.cs
@@ -19,6 +19,7 @@ using StellaOps.Scanner.Surface.Secrets;
 using StellaOps.Scanner.Surface.Validation;
 using StellaOps.Scanner.Worker.Options;
 using StellaOps.Scanner.Worker.Processing;
+using StellaOps.Scanner.Worker.Tests.TestInfrastructure;
 using Xunit;

 namespace StellaOps.Scanner.Worker.Tests;
@@ -166,7 +167,8 @@ public sealed class EntryTraceExecutionServiceTests : IDisposable
        ISurfaceCache? surfaceCache = null,
        ISurfaceValidatorRunner? surfaceValidator = null,
        ISurfaceSecretProvider? surfaceSecrets = null,
-        ISurfaceEnvironment? surfaceEnvironment = null)
+        ISurfaceEnvironment? surfaceEnvironment = null,
+        ICryptoHash? hash = null)
    {
        var workerOptions = new ScannerWorkerOptions();
        var entryTraceOptions = new EntryTraceAnalyzerOptions();
@@ -176,6 +178,7 @@ public sealed class EntryTraceExecutionServiceTests : IDisposable
        surfaceCache ??= new InMemorySurfaceCache();
        surfaceValidator ??= new NoopSurfaceValidatorRunner();
        surfaceSecrets ??= new StubSurfaceSecretProvider();
+        hash ??= new TestCryptoHash();
        var serviceProvider = new ServiceCollection()
            .AddSingleton<ISurfaceEnvironment>(surfaceEnvironment)
            .BuildServiceProvider();
@@ -192,7 +195,8 @@ public sealed class EntryTraceExecutionServiceTests : IDisposable
            surfaceEnvironment,
            surfaceCache,
            surfaceSecrets,
-            serviceProvider);
+            serviceProvider,
+            hash);
    }

    private static ScanJobContext CreateContext(IReadOnlyDictionary<string, string> metadata)
--- a/src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/SurfaceManifestStageExecutorTests.cs
+++ b/src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/SurfaceManifestStageExecutorTests.cs
@@ -7,7 +7,6 @@ using System.Text.Json;
 using System.Text.Json.Serialization;
 using System.Threading;
 using System.Threading.Tasks;
-using System.Security.Cryptography;
 using Microsoft.Extensions.Logging.Abstractions;
 using StellaOps.Scanner.Core.Contracts;
 using StellaOps.Scanner.EntryTrace;
@@ -18,6 +17,7 @@ using StellaOps.Scanner.Worker.Processing;
 using StellaOps.Scanner.Worker.Processing.Surface;
 using StellaOps.Scanner.Worker.Tests.TestInfrastructure;
 using Xunit;
+using StellaOps.Cryptography;

 namespace StellaOps.Scanner.Worker.Tests;

@@ -34,12 +34,14 @@ public sealed class SurfaceManifestStageExecutorTests
        using var listener = new WorkerMeterListener();
        listener.Start();

+        var hash = new DefaultCryptoHash();
        var executor = new SurfaceManifestStageExecutor(
            publisher,
            cache,
            environment,
            metrics,
-            NullLogger<SurfaceManifestStageExecutor>.Instance);
+            NullLogger<SurfaceManifestStageExecutor>.Instance,
+            hash);

        var context = CreateContext();

@@ -68,12 +70,14 @@ public sealed class SurfaceManifestStageExecutorTests
        using var listener = new WorkerMeterListener();
        listener.Start();

+        var hash = new DefaultCryptoHash();
        var executor = new SurfaceManifestStageExecutor(
            publisher,
            cache,
            environment,
            metrics,
-            NullLogger<SurfaceManifestStageExecutor>.Instance);
+            NullLogger<SurfaceManifestStageExecutor>.Instance,
+            hash);

        var context = CreateContext();
        PopulateAnalysis(context);
--- a/src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/TestInfrastructure/TestCryptoHash.cs
+++ b/src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/TestInfrastructure/TestCryptoHash.cs
@@ -0,0 +1,47 @@
+using System;
+using System.IO;
+using System.Security.Cryptography;
+using System.Threading;
+using System.Threading.Tasks;
+using StellaOps.Cryptography;
+
+namespace StellaOps.Scanner.Worker.Tests.TestInfrastructure;
+
+internal sealed class TestCryptoHash : ICryptoHash
+{
+    public byte[] ComputeHash(ReadOnlySpan<byte> data, string? algorithmId = null)
+    {
+        using var algorithm = CreateAlgorithm(algorithmId);
+        return algorithm.ComputeHash(data.ToArray());
+    }
+
+    public string ComputeHashHex(ReadOnlySpan<byte> data, string? algorithmId = null)
+        => Convert.ToHexString(ComputeHash(data, algorithmId)).ToLowerInvariant();
+
+    public string ComputeHashBase64(ReadOnlySpan<byte> data, string? algorithmId = null)
+        => Convert.ToBase64String(ComputeHash(data, algorithmId));
+
+    public async ValueTask<byte[]> ComputeHashAsync(Stream stream, string? algorithmId = null, CancellationToken cancellationToken = default)
+    {
+        using var algorithm = CreateAlgorithm(algorithmId);
+        await using var buffer = new MemoryStream();
+        await stream.CopyToAsync(buffer, cancellationToken).ConfigureAwait(false);
+        return algorithm.ComputeHash(buffer.ToArray());
+    }
+
+    public async ValueTask<string> ComputeHashHexAsync(Stream stream, string? algorithmId = null, CancellationToken cancellationToken = default)
+    {
+        var bytes = await ComputeHashAsync(stream, algorithmId, cancellationToken).ConfigureAwait(false);
+        return Convert.ToHexString(bytes).ToLowerInvariant();
+    }
+
+    private static HashAlgorithm CreateAlgorithm(string? algorithmId)
+    {
+        return algorithmId?.ToUpperInvariant() switch
+        {
+            null or "" or HashAlgorithms.Sha256 => SHA256.Create(),
+            HashAlgorithms.Sha512 => SHA512.Create(),
+            _ => throw new NotSupportedException($"Test crypto hash does not support algorithm {algorithmId}.")
+        };
+    }
+}