Add Canonical JSON serialization library with tests and documentation

- Implemented CanonJson class for deterministic JSON serialization and hashing. - Added unit tests for CanonJson functionality, covering various scenarios including key sorting, handling of nested objects, arrays, and special characters. - Created project files for the Canonical JSON library and its tests, including necessary package references. - Added README.md for library usage and API reference. - Introduced RabbitMqIntegrationFactAttribute for conditional RabbitMQ integration tests.
2025-12-19 15:35:00 +02:00
parent 43882078a4
commit 951a38d561
192 changed files with 27550 additions and 2611 deletions
--- a/src/Scanner/AGENTS.md
+++ b/src/Scanner/AGENTS.md
@@ -45,6 +45,71 @@ The Scanner module now includes Smart-Diff foundation primitives:
 - Emits to Attestor module for DSSE envelope wrapping
 - Consumed by Findings Ledger for triage decisions

+## Reachability Drift (Sprint 3600)
+
+Reachability Drift Detection tracks function-level reachability changes between scans:
+
+### Libraries
+- `StellaOps.Scanner.ReachabilityDrift` - Drift detection engine, API models, attestation
+- `StellaOps.Scanner.CallGraph` - Language-specific call graph extractors
+- `StellaOps.Scanner.VulnSurfaces` - Vulnerability surface computation (trigger methods)
+
+### Key Types
+- `ReachabilityDriftResult` - Drift analysis output (newly reachable, mitigated paths)
+- `DriftedSink` - Sink that changed reachability state with cause attribution
+- `DriftCause` - Causal explanation (guard removed, new route, code change)
+- `CompressedPath` - Compact path representation (entrypoint → key nodes → sink)
+- `ReachabilityConfidenceTier` - Confirmed/Likely/Present/Unreachable tiers
+
+### Predicate Schema
+- URI: `stellaops.dev/predicates/reachability-drift@v1`
+- DSSE-signed attestations for drift evidence chain
+
+### Call Graph Support
+- **.NET**: Roslyn semantic analysis (`DotNetCallGraphExtractor`)
+- **Node.js**: Babel AST analysis (`NodeCallGraphExtractor`)
+- **Future**: Java (ASM), Go (SSA), Python (AST)
+
+### Entrypoint Detection
+- ASP.NET Core: `[HttpGet]`, `[Route]`, minimal APIs
+- Express/Fastify: route handlers
+- Background: `IHostedService`, `BackgroundService`
+- CLI: `Main`, command handlers
+
+### Drift API Endpoints
+- `POST /api/drift/analyze` - Compute drift between two scans
+- `GET /api/drift/{driftId}` - Retrieve drift result
+- `GET /api/drift/{driftId}/paths` - Get detailed paths
+
+### Testing
+- Unit tests: `src/Scanner/__Tests/StellaOps.Scanner.ReachabilityDrift.Tests/`
+- Benchmark cases: `bench/reachability-benchmark/`
+- Golden fixtures: deterministic path compression, DSSE output
+
+## Vulnerability Surfaces (Sprint 3700)
+
+Compute vulnerability surfaces by diffing vulnerable vs fixed package versions:
+
+### Libraries
+- `StellaOps.Scanner.VulnSurfaces` - Surface builder, method fingerprinting, trigger extraction
+
+### Key Types
+- `VulnSurface` - Computed surface with sink methods and triggers
+- `VulnSurfaceSink` - Method that changed in security fix
+- `VulnSurfaceTrigger` - Public API that can reach sink
+- `MethodFingerprint` - Stable method identity across versions
+
+### Per-Ecosystem Support
+- **NuGet**: Cecil IL fingerprinting
+- **npm**: Babel AST fingerprinting
+- **Maven**: ASM bytecode fingerprinting
+- **PyPI**: Python AST fingerprinting
+
+### Integration with Reachability
+- `ISurfaceQueryService` - Query triggers for CVE during scan
+- Confidence tiers: Confirmed (trigger reachable) > Likely (API reachable) > Present (dep only)
+- Path witnesses include surface evidence for audit trail
+
 ## Engineering Rules
 - Target `net10.0`; prefer latest C# preview allowed in repo.
 - Offline-first: no new external network calls; use cached feeds (`/local-nugets`).