feat: Implement IsolatedReplayContext for deterministic audit replay

- Added IsolatedReplayContext class to provide an isolated environment for replaying audit bundles without external calls.
- Introduced methods for initializing the context, verifying input digests, and extracting inputs for policy evaluation.
- Created supporting interfaces and options for context configuration.

feat: Create ReplayExecutor for executing policy re-evaluation and verdict comparison

- Developed ReplayExecutor class to handle the execution of replay processes, including input verification and verdict comparison.
- Implemented detailed drift detection and error handling during replay execution.
- Added interfaces for policy evaluation and replay execution options.

feat: Add ScanSnapshotFetcher for fetching scan data and snapshots

- Introduced ScanSnapshotFetcher class to retrieve necessary scan data and snapshots for audit bundle creation.
- Implemented methods to fetch scan metadata, advisory feeds, policy snapshots, and VEX statements.
- Created supporting interfaces for scan data, feed snapshots, and policy snapshots.
This commit is contained in:
StellaOps Bot
2025-12-23 07:46:34 +02:00
parent e47627cfff
commit 7e384ab610
77 changed files with 153346 additions and 209 deletions


@@ -217,7 +217,7 @@ public sealed class NodeCallGraphExtractor : ICallGraphExtractor
IsEntrypoint: false,
EntrypointType: null,
IsSink: true,
SinkCategory: sink.Category));
SinkCategory: MapSinkCategory(sink.Category)));
// Add edge from caller to sink
var callerNodeId = CallGraphNodeIds.Compute(sink.Caller);
@@ -299,10 +299,15 @@ public sealed class NodeCallGraphExtractor : ICallGraphExtractor
"file_read" or "path_traversal" => SinkCategory.PathTraversal,
"weak_crypto" or "crypto_weak" => SinkCategory.CryptoWeak,
"ldap_injection" => SinkCategory.LdapInjection,
"nosql_injection" or "nosql" => SinkCategory.NoSqlInjection,
"nosql_injection" or "nosql" => SinkCategory.SqlRaw, // Map to SQL as closest category
"xss" or "template_injection" => SinkCategory.TemplateInjection,
"log_injection" or "log_forging" => SinkCategory.LogForging,
"regex_dos" or "redos" => SinkCategory.ReDos,
"log_injection" or "log_forging" => SinkCategory.LogInjection,
"regex_dos" or "redos" => SinkCategory.CodeInjection, // Map to code injection as closest
"code_injection" or "eval" => SinkCategory.CodeInjection,
"xxe" => SinkCategory.XxeInjection,
"xpath_injection" => SinkCategory.XPathInjection,
"open_redirect" => SinkCategory.OpenRedirect,
"reflection" => SinkCategory.Reflection,
_ => null
};
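Review bot: The remapping `"regex_dos" or "redos" => SinkCategory.CodeInjection` labels a denial-of-service sink as code execution, so any consumer that ranks, routes or picks sanitizer rules by category will treat a catastrophic-backtracking regex like an eval. The removed lines referenced `SinkCategory.ReDos`, `SinkCategory.NoSqlInjection` and `SinkCategory.LogForging`, which suggests those members do not exist on the enum; if the enum is owned by this repository, adding a `ReDos` member (and `NoSqlInjection`, since `SqlRaw` presumably implies different sanitizers than a NoSQL driver) is preferable to an approximate mapping. Failing that, the "closest category" comments should state the consequence, e.g. `// No ReDoS category yet: reported as CodeInjection, which overstates impact`, so downstream readers know the label is approximate. The `MapSinkCategory` switch closes on the hunk's last line, but the method's signature is outside the hunk.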