Add SBOM, symbols, traces, and VEX files for CVE-2022-21661 SQLi case

- Created CycloneDX and SPDX SBOM files for both reachable and unreachable images.
- Added symbols.json detailing function entry and sink points in the WordPress code.
- Included runtime traces for function calls in both reachable and unreachable scenarios.
- Developed OpenVEX files indicating vulnerability status and justification for both cases.
- Updated README for evaluator harness to guide integration with scanner output.

src/Signals/StellaOps.Signals/Program.cs

@@ -1,4 +1,5 @@
-using System.IO;
+using System.IO;
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.Extensions.Options;
 using MongoDB.Driver;
@@ -93,23 +94,34 @@ builder.Services.AddSingleton<IMongoDatabase>(sp =>
     return mongoClient.GetDatabase(databaseName);
 });
 
-builder.Services.AddSingleton<IMongoCollection<CallgraphDocument>>(sp =>
-{
-    var opts = sp.GetRequiredService<IOptions<SignalsOptions>>().Value;
-    var database = sp.GetRequiredService<IMongoDatabase>();
-    var collection = database.GetCollection<CallgraphDocument>(opts.Mongo.CallgraphsCollection);
-    EnsureCallgraphIndexes(collection);
-    return collection;
-});
-
-builder.Services.AddSingleton<ICallgraphRepository, MongoCallgraphRepository>();
-builder.Services.AddSingleton<ICallgraphArtifactStore, FileSystemCallgraphArtifactStore>();
-builder.Services.AddSingleton<ICallgraphParser>(new SimpleJsonCallgraphParser("java"));
-builder.Services.AddSingleton<ICallgraphParser>(new SimpleJsonCallgraphParser("nodejs"));
-builder.Services.AddSingleton<ICallgraphParser>(new SimpleJsonCallgraphParser("python"));
-builder.Services.AddSingleton<ICallgraphParser>(new SimpleJsonCallgraphParser("go"));
-builder.Services.AddSingleton<ICallgraphParserResolver, CallgraphParserResolver>();
-builder.Services.AddSingleton<ICallgraphIngestionService, CallgraphIngestionService>();
+builder.Services.AddSingleton<IMongoCollection<CallgraphDocument>>(sp =>
+{
+    var opts = sp.GetRequiredService<IOptions<SignalsOptions>>().Value;
+    var database = sp.GetRequiredService<IMongoDatabase>();
+    var collection = database.GetCollection<CallgraphDocument>(opts.Mongo.CallgraphsCollection);
+    EnsureCallgraphIndexes(collection);
+    return collection;
+});
+
+builder.Services.AddSingleton<IMongoCollection<ReachabilityFactDocument>>(sp =>
+{
+    var opts = sp.GetRequiredService<IOptions<SignalsOptions>>().Value;
+    var database = sp.GetRequiredService<IMongoDatabase>();
+    var collection = database.GetCollection<ReachabilityFactDocument>(opts.Mongo.ReachabilityFactsCollection);
+    EnsureReachabilityFactIndexes(collection);
+    return collection;
+});
+
+builder.Services.AddSingleton<ICallgraphRepository, MongoCallgraphRepository>();
+builder.Services.AddSingleton<ICallgraphArtifactStore, FileSystemCallgraphArtifactStore>();
+builder.Services.AddSingleton<ICallgraphParser>(new SimpleJsonCallgraphParser("java"));
+builder.Services.AddSingleton<ICallgraphParser>(new SimpleJsonCallgraphParser("nodejs"));
+builder.Services.AddSingleton<ICallgraphParser>(new SimpleJsonCallgraphParser("python"));
+builder.Services.AddSingleton<ICallgraphParser>(new SimpleJsonCallgraphParser("go"));
+builder.Services.AddSingleton<ICallgraphParserResolver, CallgraphParserResolver>();
+builder.Services.AddSingleton<ICallgraphIngestionService, CallgraphIngestionService>();
+builder.Services.AddSingleton<IReachabilityFactRepository, MongoReachabilityFactRepository>();
+builder.Services.AddSingleton<IReachabilityScoringService, ReachabilityScoringService>();
 
 if (bootstrap.Authority.Enabled)
 {
@@ -239,10 +251,40 @@ signalsGroup.MapPost("/runtime-facts", (HttpContext context, SignalsOptions opti
         ? Results.StatusCode(StatusCodes.Status501NotImplemented)
         : failure ?? Results.Unauthorized()).WithName("SignalsRuntimeIngest");
 
-signalsGroup.MapPost("/reachability/recompute", (HttpContext context, SignalsOptions options) =>
-    Program.TryAuthorize(context, SignalsPolicies.Admin, options.Authority.AllowAnonymousFallback, out var failure)
-        ? Results.StatusCode(StatusCodes.Status501NotImplemented)
-        : failure ?? Results.Unauthorized()).WithName("SignalsReachabilityRecompute");
+signalsGroup.MapPost("/reachability/recompute", async Task<IResult> (
+    HttpContext context,
+    SignalsOptions options,
+    ReachabilityRecomputeRequest request,
+    IReachabilityScoringService scoringService,
+    CancellationToken cancellationToken) =>
+{
+    if (!Program.TryAuthorize(context, SignalsPolicies.Admin, options.Authority.AllowAnonymousFallback, out var failure))
+    {
+        return failure ?? Results.Unauthorized();
+    }
+
+    try
+    {
+        var fact = await scoringService.RecomputeAsync(request, cancellationToken).ConfigureAwait(false);
+        return Results.Ok(new
+        {
+            fact.Id,
+            fact.CallgraphId,
+            subject = fact.Subject,
+            fact.EntryPoints,
+            fact.States,
+            fact.ComputedAt
+        });
+    }
+    catch (ReachabilityScoringValidationException ex)
+    {
+        return Results.BadRequest(new { error = ex.Message });
+    }
+    catch (ReachabilityCallgraphNotFoundException ex)
+    {
+        return Results.NotFound(new { error = ex.Message });
+    }
+}).WithName("SignalsReachabilityRecompute");
 
 app.Run();
 
@@ -286,11 +328,11 @@ public partial class Program
         return false;
     }
 
-    internal static void EnsureCallgraphIndexes(IMongoCollection<CallgraphDocument> collection)
-    {
-        ArgumentNullException.ThrowIfNull(collection);
-
-        try
+    internal static void EnsureCallgraphIndexes(IMongoCollection<CallgraphDocument> collection)
+    {
+        ArgumentNullException.ThrowIfNull(collection);
+
+        try
         {
             var indexKeys = Builders<CallgraphDocument>.IndexKeys
                 .Ascending(document => document.Component)
@@ -307,7 +349,31 @@ public partial class Program
         }
         catch (MongoCommandException ex) when (string.Equals(ex.CodeName, "IndexOptionsConflict", StringComparison.Ordinal))
         {
-            // Index already exists with different options – ignore to keep startup idempotent.
-        }
-    }
-}
+            // Index already exists with different options – ignore to keep startup idempotent.
+        }
+    }
+
+    internal static void EnsureReachabilityFactIndexes(IMongoCollection<ReachabilityFactDocument> collection)
+    {
+        ArgumentNullException.ThrowIfNull(collection);
+
+        try
+        {
+            var subjectIndex = new CreateIndexModel<ReachabilityFactDocument>(
+                Builders<ReachabilityFactDocument>.IndexKeys.Ascending(doc => doc.SubjectKey),
+                new CreateIndexOptions { Name = "reachability_subject_key_unique", Unique = true });
+
+            collection.Indexes.CreateOne(subjectIndex);
+
+            var callgraphIndex = new CreateIndexModel<ReachabilityFactDocument>(
+                Builders<ReachabilityFactDocument>.IndexKeys.Ascending(doc => doc.CallgraphId),
+                new CreateIndexOptions { Name = "reachability_callgraph_lookup" });
+
+            collection.Indexes.CreateOne(callgraphIndex);
+        }
+        catch (MongoCommandException ex) when (string.Equals(ex.CodeName, "IndexOptionsConflict", StringComparison.Ordinal))
+        {
+            // Ignore when indexes already exist with different options to keep startup idempotent.
+        }
+    }
+}