save checkpoint
@@ -0,0 +1,49 @@
# Build Provenance Verification Module with SLSA Level Evaluator

## Module
Scanner

## Status
PARTIALLY_IMPLEMENTED

## Description
Scanner stage that evaluates SLSA provenance levels (L0-L4) for artifacts, verifies builder identity against trusted builder lists, checks reproducibility claims, and builds provenance chains. Integrates as a dedicated pipeline stage in the scanner worker.

## Implementation Details
- **Core Analyzer**:
- `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuildProvenanceAnalyzer.cs` - Main orchestrator for build provenance analysis
- `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/BuildProvenanceServiceCollectionExtensions.cs` - DI registration
- **SLSA Level Evaluation**:
- `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/SlsaLevelEvaluator.cs` - Evaluates SLSA provenance levels (L0-L4)
- **Builder Verification**:
- `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuilderVerifier.cs` - Verifies builder identity against trusted builder lists
- **Reproducibility**:
- `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/ReproducibilityVerifier.cs` - Checks reproducibility claims
- **Provenance Chain**:
- `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuildProvenanceChainBuilder.cs` - Builds provenance chains linking build steps
- **Additional Verifiers**:
- `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuildInputIntegrityChecker.cs` - Verifies integrity of build inputs
- `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuildConfigVerifier.cs` - Verifies build configuration
- `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/SourceVerifier.cs` - Verifies source provenance
- `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuildProvenancePatternMatcher.cs` - Pattern matching for provenance artifacts
- **Policy**:
- `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Policy/BuildProvenancePolicyLoader.cs` - Loads build provenance policies
- `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Policy/BuildProvenancePolicy.cs` - Policy model
- **Models**: `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Models/BuildProvenanceModels.cs`
- **Reporting**: `src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Reporting/BuildProvenanceReportFormatter.cs`
- **Worker Stage**: `src/Scanner/StellaOps.Scanner.Worker/Processing/BuildProvenance/BuildProvenanceStageExecutor.cs`

## E2E Test Plan
- [ ] Scan an artifact with SLSA L1 provenance and verify `SlsaLevelEvaluator` assigns level L1
- [ ] Scan an artifact with full SLSA L3 provenance (signed, non-falsifiable) and verify level L3 assignment
- [ ] Provide a trusted builder list and verify `BuilderVerifier` validates/rejects builder identities
- [ ] Scan an artifact with reproducibility claims and verify `ReproducibilityVerifier` validates them
- [ ] Verify `BuildProvenanceChainBuilder` links build steps into a verifiable chain
- [ ] Verify build provenance findings appear in scan report with SLSA level, builder identity, and chain details
- [ ] Scan an artifact with no provenance and verify it is assigned SLSA L0

## Verification Findings
- `run-001` Tier 0 confirmed all declared files and key symbols exist.
- Tier 1 builds and focused tests passed (`18/18`), but code review failed semantic parity for the no-provenance runtime path.
- `BuildProvenanceStageExecutor` currently returns early when SBOM has no `buildInfo` and no `formulation`, so the worker pipeline does not emit a `BuildProvenanceReport` for the claimed SLSA L0 assignment path.
- Tier 2 targeted behavioral checks passed at library level, but runtime worker-stage contract parity failed for no-provenance handling and stage-level behavioral coverage.
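Review bot: the E2E item "Scan an artifact with no provenance and verify it is assigned SLSA L0" cannot pass as this file stands, because the Verification Findings record that `BuildProvenanceStageExecutor` returns early when the SBOM has neither `buildInfo` nor `formulation` and emits no `BuildProvenanceReport` at all. Either the executor should emit a report that carries the L0 assignment (the Description claims L0-L4 evaluation, and L0 is the "no provenance" outcome), or the test-plan item should be marked blocked on that change; as written the plan reads as if the path were available. A stage-level behavioral test that feeds a no-provenance SBOM through the worker stage would also close the "stage-level behavioral coverage" gap named in the Tier 2 finding, since the library-level tests (`18/18`) do not exercise the early return.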
@@ -0,0 +1,35 @@
# Bun Call Graph Extractor

## Module
Scanner

## Status
PARTIALLY_IMPLEMENTED

## Description
Static call graph extraction for Bun runtime JavaScript/TypeScript codebases, extending the multi-language extractor framework with Bun-specific entrypoint detection and sink matching.

## Implementation Details
- **Call Graph Extractor**:
- `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Bun/BunCallGraphExtractor.cs` - Static call graph extraction for Bun runtime codebases
- **Entrypoint Detection**:
- `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Bun/BunEntrypointClassifier.cs` - Classifies Bun-specific entrypoints (e.g., `Bun.serve`, macros, plugins)
- **Sink Matching**:
- `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Bun/BunSinkMatcher.cs` - Matches Bun-specific security-sensitive sinks (file I/O, shell exec, FFI, etc.)
- **DI Registration**:
- `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/DependencyInjection/CallGraphServiceCollectionExtensions.cs`

## E2E Test Plan
- [ ] Scan a container image containing a Bun application with `Bun.serve` entrypoints
- [ ] Verify call graph extraction produces nodes for Bun-specific entrypoints (HTTP handlers, macros, plugins)
- [ ] Verify `BunSinkMatcher` identifies Bun-specific sinks (e.g., `Bun.file`, `Bun.spawn`, `Bun.ffi`)
- [ ] Verify the extracted call graph links entrypoints to sinks through the application code
- [ ] Verify call graph data is available in reachability analysis via `GET /api/v1/scans/{scanId}/reachability`
- [ ] Verify TypeScript and JavaScript files are both analyzed correctly in mixed Bun projects

## Verification Findings
- `run-001` Tier 0 confirmed Bun extractor source files and key classes exist.
- Tier 1 build/tests passed (CallGraph tests `173/173`), including new focused Bun extractor positive/negative behavior tests.
- Code review and Tier 2 semantic checks failed (`missing_code`):
- Bun extractor is not registered in `AddCallGraphServices`, so runtime registry selection does not expose language `bun`.
- Source-mode extraction currently emits Bun entrypoint/sink nodes but no call edges linking entrypoints to sinks; edge construction exists only in trace-file mode.
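Review bot: the "DI Registration" bullet lists `CallGraphServiceCollectionExtensions.cs` with no description, while the Verification Findings state that the Bun extractor is not registered in `AddCallGraphServices` and that runtime registry selection does not expose language `bun`; the bullet should say the registration is missing rather than implying it is in place. The same applies to the test-plan item "Verify the extracted call graph links entrypoints to sinks through the application code": the findings say source-mode extraction emits entrypoint and sink nodes but no call edges, with edge construction existing only in trace-file mode, so that item should be annotated as blocked or scoped to trace-file mode until source-mode edge construction lands. Without edges the reachability endpoint item also cannot demonstrate an entrypoint-to-sink path, only isolated nodes.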
58
docs/features/unimplemented/scanner/bun-language-analyzer.md
Normal file
@@ -0,0 +1,58 @@
# Bun Language Analyzer

## Module
Scanner

## Status
PARTIALLY_IMPLEMENTED

## Description
Full language analyzer for the Bun JavaScript runtime including bun.lockb binary lockfile parser, installed package collector, workspace/monorepo support, scope classification (dev/prod/peer), symlink safety checks, CLI verbs, and WebService endpoints for Worker integration.

## Implementation Details
- **Analyzer Plugin**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/BunAnalyzerPlugin.cs` - Plugin entry point for Bun analyzer
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/BunLanguageAnalyzer.cs` - Main language analyzer implementation
- **Lockfile Parsing**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunLockParser.cs` - Parses `bun.lockb` binary lockfiles
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunLockData.cs` - Parsed lock data model
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunLockEntry.cs` - Individual lock entry model
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunLockInventory.cs` - Inventory built from lockfile
- **Package Collection**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunInstalledCollector.cs` - Collects installed packages from filesystem
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunDeclaredDependencyCollector.cs` - Collects declared dependencies from package.json
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunPackage.cs` - Package model
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunPackageNormalizer.cs` - Package normalization
- **Scope & Classification**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunLockScopeClassifier.cs` - Classifies dependencies as dev/prod/peer
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunInputClassification.cs` - Input file classification
- **Workspace/Monorepo**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunWorkspaceHelper.cs` - Workspace and monorepo support
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunProjectDiscoverer.cs` - Discovers Bun projects in filesystem
- **Input & Config**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunInputNormalizer.cs` - Normalizes input for determinism
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunConfigHelper.cs` - Configuration helpers
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunVersionSpec.cs` - Version specification parsing
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/Internal/BunEvidenceHasher.cs` - Evidence hashing for determinism
- **Worker Integration**:
- `src/Scanner/StellaOps.Scanner.Worker/Processing/Surface/BunPackageInventoryBuilder.cs` - Builds package inventory during scan
- **Storage**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Services/BunPackageInventoryStore.cs` - Package inventory store
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/BunPackageInventoryRepository.cs` - Repository
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Catalog/BunPackageInventoryDocument.cs` - Document model
- **WebService**: `src/Scanner/StellaOps.Scanner.WebService/Contracts/BunContracts.cs` - API contracts for Bun scan results

## E2E Test Plan
- [ ] Scan a container image containing a Bun project with `bun.lockb` and verify all packages are parsed correctly
- [ ] Verify scope classification distinguishes dev, prod, and peer dependencies
- [ ] Scan a Bun workspace/monorepo and verify all workspace packages are discovered and analyzed
- [ ] Verify installed package collection from node_modules matches lockfile data
- [ ] Verify the scan results include PURL identifiers for all Bun packages
- [ ] Verify symlink safety checks flag potentially unsafe symlinks in node_modules
- [ ] Verify Bun scan results are available via the WebService API contracts

## Verification Findings
- `run-001` Tier 0 confirmed listed Bun analyzer, worker, storage, and WebService contract files are present.
- Tier 1 builds succeeded for analyzer/worker/storage/webservice/Bun test projects, but Bun deterministic suite failed (`98/115` passed) with 17 golden hash mismatches.
- Code review found feature-contract mismatch: runtime classifies `bun.lockb` as unsupported remediation-only input instead of parsing binary lockfile package inventory.
- Tier 2 targeted behavioral checks captured both paths: remediation on `bun.lockb` passes, while standard deterministic Bun analysis remains failing; feature terminalized as `not_implemented`.
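Review bot: the Status line says PARTIALLY_IMPLEMENTED while the last Verification Finding records the feature as terminalized `not_implemented`; the two should agree, and the file lives under `docs/features/unimplemented/`, which suggests the latter. The root cause in the findings is that the runtime classifies `bun.lockb` as an unsupported remediation-only input instead of parsing it, so the bullet "`BunLockParser.cs` - Parses `bun.lockb` binary lockfiles" and the first E2E item ("verify all packages are parsed correctly") describe behaviour that does not run today and should be qualified accordingly. The 17 golden hash mismatches in the deterministic suite (`98/115`) are reported only as a count; the findings should name which fixtures diverge, since a deterministic-output analyzer whose golden hashes drift is a blocker for the PURL and inventory items in the test plan, not a partial pass.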
@@ -0,0 +1,43 @@
# Canonical Node-Hash and Path-Hash Recipes for Reachability

## Module
Scanner

## Status
PARTIALLY_IMPLEMENTED

## Description
Canonical node-hash (PURL/symbol normalization + SHA-256) and path-hash (top-K selection + PathFingerprint) recipes for deterministic static/runtime evidence joins. Extended PathWitness, RichGraph, SARIF export with hash fields.

## Implementation Details
- **Path Witness with Hash Fields**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitness.cs` - `PathWitness` model with node-hash and path-hash fields
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitnessBuilder.cs` - `PathWitnessBuilder` computes canonical hashes during witness construction
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/IPathWitnessBuilder.cs` - Interface
- **Rich Graph Integration**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/RichGraph.cs` - RichGraph model extended with hash fields on nodes
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Ordering/DeterministicGraphOrderer.cs` - Deterministic ordering for canonical hash computation
- **Witness Matching & Verification**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/WitnessMatcher.cs` - Matches witnesses using canonical hashes for deterministic joins
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/WitnessSchema.cs` - Schema validation for witness hash fields
- **Slice Integration**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceExtractor.cs` - Slice extraction with path-hash for top-K selection
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Slices/SliceModels.cs` - Slice models with hash fields
- **Subgraph Extraction**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Subgraph/ReachabilitySubgraphModels.cs` - Subgraph models with hash fields

## E2E Test Plan
- [ ] Scan an image and verify PathWitness results include canonical node-hash fields (SHA-256 of normalized PURL/symbol)
- [ ] Verify path-hash is computed using top-K selection and PathFingerprint algorithm
- [ ] Run the same scan twice and verify node-hash and path-hash values are deterministically identical
- [ ] Verify RichGraph response includes hash fields on nodes via `GET /api/v1/scans/{scanId}/reachability`
- [ ] Verify static/runtime evidence join works correctly using canonical hashes as join keys
- [ ] Verify SARIF export includes hash fields in reachability-related results

## Verification Findings
- `run-001` Tier 0 confirmed all listed reachability files/classes exist.
- Tier 1 build/tests passed for reachability library and focused tests (`24/24`), including node-hash/path-hash emission and deterministic replay checks.
- Code review and Tier 2 semantic checks failed (`missing_code`):
- `PathWitnessBuilder` advertises top-K node hashes, but `PathHash` is computed from all node hashes and does not use a PathFingerprint recipe.
- `RichGraph` defines `NodeHash` on nodes, but `RichGraphBuilder` does not populate it during node construction.
- `Slices/SliceExtractor` and `Slices/SliceModels` currently contain no path-hash/node-hash fields for documented slice integration claims.
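Review bot: the Implementation Details credit `RichGraph.cs` with "hash fields on nodes" and `Slices/SliceExtractor.cs` / `Slices/SliceModels.cs` with path-hash and hash fields, but the Verification Findings say `RichGraphBuilder` never populates `NodeHash`, the slice files contain no hash fields at all, and `PathHash` is computed over all node hashes instead of a top-K PathFingerprint; those three bullets should describe the missing pieces rather than the intended end state. Note also that the Tier 1 "deterministic replay checks" passing does not establish the documented recipe: a replay of the wrong hash function is still deterministic, so the E2E item "Verify path-hash is computed using top-K selection and PathFingerprint algorithm" needs a fixture with a known expected path-hash value rather than a same-twice comparison, and the RichGraph endpoint item will return empty `NodeHash` values until the builder populates them. Since these hashes are the join keys for the static/runtime evidence join, a mismatch between the advertised and actual recipe silently breaks that join rather than failing loudly.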