Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.

src/Signals/StellaOps.Signals/Persistence/ICallgraphRepository.cs

@@ -7,7 +7,9 @@ namespace StellaOps.Signals.Persistence;
 /// <summary>
 /// Persists normalized callgraphs.
 /// </summary>
-public interface ICallgraphRepository
-{
-    Task<CallgraphDocument> UpsertAsync(CallgraphDocument document, CancellationToken cancellationToken);
-}
+public interface ICallgraphRepository
+{
+    Task<CallgraphDocument> UpsertAsync(CallgraphDocument document, CancellationToken cancellationToken);
+
+    Task<CallgraphDocument?> GetByIdAsync(string id, CancellationToken cancellationToken);
+}

src/Signals/StellaOps.Signals/Persistence/IReachabilityFactRepository.cs

@@ -0,0 +1,12 @@
+using System.Threading;
+using System.Threading.Tasks;
+using StellaOps.Signals.Models;
+
+namespace StellaOps.Signals.Persistence;
+
+public interface IReachabilityFactRepository
+{
+    Task<ReachabilityFactDocument> UpsertAsync(ReachabilityFactDocument document, CancellationToken cancellationToken);
+
+    Task<ReachabilityFactDocument?> GetBySubjectAsync(string subjectKey, CancellationToken cancellationToken);
+}

src/Signals/StellaOps.Signals/Persistence/MongoCallgraphRepository.cs

@@ -19,11 +19,11 @@ internal sealed class MongoCallgraphRepository : ICallgraphRepository
         this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
     }
 
-    public async Task<CallgraphDocument> UpsertAsync(CallgraphDocument document, CancellationToken cancellationToken)
-    {
-        ArgumentNullException.ThrowIfNull(document);
-
-        var filter = Builders<CallgraphDocument>.Filter.Eq(d => d.Component, document.Component)
+    public async Task<CallgraphDocument> UpsertAsync(CallgraphDocument document, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(document);
+
+        var filter = Builders<CallgraphDocument>.Filter.Eq(d => d.Component, document.Component)
             & Builders<CallgraphDocument>.Filter.Eq(d => d.Version, document.Version)
             & Builders<CallgraphDocument>.Filter.Eq(d => d.Language, document.Language);
 
@@ -42,7 +42,18 @@ internal sealed class MongoCallgraphRepository : ICallgraphRepository
             document.Id = result.UpsertedId.AsObjectId.ToString();
         }
 
-        logger.LogInformation("Upserted callgraph {Language}:{Component}:{Version} (id={Id}).", document.Language, document.Component, document.Version, document.Id);
-        return document;
-    }
-}
+        logger.LogInformation("Upserted callgraph {Language}:{Component}:{Version} (id={Id}).", document.Language, document.Component, document.Version, document.Id);
+        return document;
+    }
+
+    public async Task<CallgraphDocument?> GetByIdAsync(string id, CancellationToken cancellationToken)
+    {
+        if (string.IsNullOrWhiteSpace(id))
+        {
+            throw new ArgumentException("Callgraph id is required.", nameof(id));
+        }
+
+        var filter = Builders<CallgraphDocument>.Filter.Eq(d => d.Id, id);
+        return await collection.Find(filter).FirstOrDefaultAsync(cancellationToken).ConfigureAwait(false);
+    }
+}

src/Signals/StellaOps.Signals/Persistence/MongoReachabilityFactRepository.cs

@@ -0,0 +1,53 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using MongoDB.Driver;
+using StellaOps.Signals.Models;
+
+namespace StellaOps.Signals.Persistence;
+
+internal sealed class MongoReachabilityFactRepository : IReachabilityFactRepository
+{
+    private readonly IMongoCollection<ReachabilityFactDocument> collection;
+    private readonly ILogger<MongoReachabilityFactRepository> logger;
+
+    public MongoReachabilityFactRepository(
+        IMongoCollection<ReachabilityFactDocument> collection,
+        ILogger<MongoReachabilityFactRepository> logger)
+    {
+        this.collection = collection ?? throw new ArgumentNullException(nameof(collection));
+        this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    public async Task<ReachabilityFactDocument> UpsertAsync(ReachabilityFactDocument document, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(document);
+        if (string.IsNullOrWhiteSpace(document.SubjectKey))
+        {
+            throw new ArgumentException("Subject key is required.", nameof(document));
+        }
+
+        var filter = Builders<ReachabilityFactDocument>.Filter.Eq(d => d.SubjectKey, document.SubjectKey);
+        var options = new ReplaceOptions { IsUpsert = true };
+        var result = await collection.ReplaceOneAsync(filter, document, options, cancellationToken).ConfigureAwait(false);
+        if (result.UpsertedId != null)
+        {
+            document.Id = result.UpsertedId.AsObjectId.ToString();
+        }
+
+        logger.LogInformation("Upserted reachability fact for subject {SubjectKey} (callgraph={CallgraphId}).", document.SubjectKey, document.CallgraphId);
+        return document;
+    }
+
+    public async Task<ReachabilityFactDocument?> GetBySubjectAsync(string subjectKey, CancellationToken cancellationToken)
+    {
+        if (string.IsNullOrWhiteSpace(subjectKey))
+        {
+            throw new ArgumentException("Subject key is required.", nameof(subjectKey));
+        }
+
+        var filter = Builders<ReachabilityFactDocument>.Filter.Eq(d => d.SubjectKey, subjectKey);
+        return await collection.Find(filter).FirstOrDefaultAsync(cancellationToken).ConfigureAwait(false);
+    }
+}