Add property-based tests for SBOM/VEX document ordering and Unicode normalization determinism

- Implement `SbomVexOrderingDeterminismProperties` for testing component list and vulnerability metadata hash consistency. - Create `UnicodeNormalizationDeterminismProperties` to validate NFC normalization and Unicode string handling. - Add project file for `StellaOps.Testing.Determinism.Properties` with necessary dependencies. - Introduce CI/CD template validation tests including YAML syntax checks and documentation content verification. - Create validation script for CI/CD templates ensuring all required files and structures are present.
2025-12-26 15:17:15 +02:00
parent 7792749bb4
commit 907783f625
354 changed files with 79727 additions and 1346 deletions
--- a/src/Scanner/AGENTS.md
+++ b/src/Scanner/AGENTS.md
@@ -65,10 +65,42 @@ Reachability Drift Detection tracks function-level reachability changes between
 - URI: `stellaops.dev/predicates/reachability-drift@v1`
 - DSSE-signed attestations for drift evidence chain

-### Call Graph Support
- **.NET**: Roslyn semantic analysis (`DotNetCallGraphExtractor`)
- **Node.js**: placeholder trace ingestion (`NodeCallGraphExtractor`); Babel integration pending (Sprint 3600.0004)
- **Planned**: Java (ASM), Go (SSA), Python (AST) extractors exist but are not registered yet
+### Call Graph Extractors (Sprint 20251226-005)
+
+All language-specific call graph extractors are now registered in `CallGraphExtractorRegistry` via DI:
+
+| Language | Extractor | Analysis Method | Key Sinks Detected |
+|----------|-----------|-----------------|-------------------|
+| **.NET** | `DotNetCallGraphExtractor` | Roslyn semantic analysis | SQL injection, deserialization, command execution |
+| **Java** | `JavaCallGraphExtractor` | ASM bytecode parsing | SQL, LDAP, XXE, deserialization, SSRF, template injection |
+| **Node.js** | `NodeCallGraphExtractor` | Babel AST / stella-callgraph-node tool | eval, child_process, fs, SQL templates |
+| **Python** | `PythonCallGraphExtractor` | Python AST analysis | subprocess, pickle, eval, SQL string formatting |
+| **Go** | `GoCallGraphExtractor` | SSA analysis via external tool | os/exec, database/sql, net/http |
+
+**Registry Usage:**
+```csharp
+// Inject the registry
+ICallGraphExtractorRegistry registry;
+
+// Get extractor by language
+var extractor = registry.GetExtractor("java");
+if (extractor is not null)
+{
+    var request = new CallGraphExtractionRequest(scanId, "java", "/path/to/target");
+    var snapshot = await extractor.ExtractAsync(request, cancellationToken);
+}
+
+// Check if language is supported
+if (registry.IsLanguageSupported("python"))
+{
+    // ...
+}
+```
+
+**DI Registration:**
+```csharp
+services.AddCallGraphServices(configuration);
+```

 ### Entrypoint Detection
 - ASP.NET Core: `[HttpGet]`, `[Route]`, minimal APIs