save checkpoint
@@ -253,10 +253,13 @@ When `scanner.events.enabled = true`, the WebService serialises the signed repor
* Record `name`, `version` (epoch/revision), `arch`, source package where present, and **declared file lists**.
> **Data flow note:** Each OS analyzer now writes its canonical output into the shared `ScanAnalysisStore` under
> `analysis.os.packages` (raw results), `analysis.os.fragments` (per-analyzer layer fragments), and contributes to
> `analysis.layers.fragments` (the aggregated view consumed by emit/diff pipelines). Helpers in
> `ScanAnalysisCompositionBuilder` convert these fragments into SBOM composition requests and component graphs so the
> diff/emit stages no longer reach back into individual analyzer implementations.
> `analysis.os.packages` (raw results), `analysis.os.fragments` (per-analyzer layer fragments), and contributes to
> `analysis.layers.fragments` (the aggregated view consumed by emit/diff pipelines). Helpers in
> `ScanAnalysisCompositionBuilder` convert these fragments into SBOM composition requests and component graphs so the
> diff/emit stages no longer reach back into individual analyzer implementations.
> RPM and DPKG changelog evidence now also emits deterministic vendor metadata keys
> `vendor.changelogBugRefs` and `vendor.changelogBugToCves` for Debian `Closes`, `RHBZ#`, and Launchpad `LP` bug-to-CVE
> correlation traces used during backport triage.
**B) Language ecosystems (installed state only)**
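Review bot: the three added lines about `vendor.changelogBugRefs` and `vendor.changelogBugToCves` name the new keys but not their value shape or the ordering rule that makes them "deterministic"; since backport triage will key off these, state whether each is a list or a map, how several bug references for one CVE are ordered (the `Closes`, `RHBZ#` and `LP` references come from changelog text, so no order is implied by the source), and the exact reference patterns that are recognised. Separately, the four `analysis.os.packages` through `diff/emit stages` lines of the data flow note appear twice with no visible textual difference, which reads as a whitespace-only rewrite; either drop that part of the change or say in the commit message what changed.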
@@ -321,8 +324,9 @@ The **BinaryLookupStageExecutor** enriches scan results with binary-level vulner
* **Identity Extraction**: For each ELF/PE/Mach-O binary, extract Build-ID, file SHA256, and architecture. Generate a `binary_key` for catalog lookups.
* **Build-ID Catalog Lookup**: Query the BinaryIndex known-build catalog using Build-ID as primary key. Returns CVE matches with high confidence (>=0.95) when the exact binary version is indexed.
* **Fingerprint Matching**: For binaries not in the catalog, compute position-independent fingerprints (basic-block, CFG, string-refs) and match against the vulnerability corpus. Returns similarity scores and confidence.
* **Fix Status Detection**: For each CVE match, query distro-specific backport information to determine if the vulnerability was fixed via distro patch. Methods: `changelog`, `patch_analysis`, `advisory`.
* **Valkey Cache**: All lookups are cached with configurable TTL (default 1 hour for identities, 30 minutes for fingerprints). Target cache hit rate: >80% for repeat scans.
* **Fix Status Detection**: For each CVE match, query distro-specific backport information to determine if the vulnerability was fixed via distro patch. Methods: `changelog`, `patch_analysis`, `advisory`.
* **Valkey Cache**: All lookups are cached with configurable TTL (default 1 hour for identities, 30 minutes for fingerprints). Target cache hit rate: >80% for repeat scans.
* **Runtime wiring (2026-02-12)**: `BinaryLookupStageExecutor` now publishes unified mapped findings to `analysis.binary.findings`, Build-ID to PURL lookup results to `analysis.binary.buildid.mappings`, and patch verification output to `analysis.binary.patchverification.result`.
**BinaryFindingMapper** converts matches to standard findings format with `BinaryFindingEvidence`:
```csharp
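Review bot: the added `Runtime wiring (2026-02-12)` bullet hard-codes a date that none of the sibling bullets carry and that will go stale in a reference document; move the date to the changelog and keep the bullet descriptive. The three new store keys also use three naming shapes (`analysis.binary.findings`, `analysis.binary.buildid.mappings`, `analysis.binary.patchverification.result`); settle on one convention before consumers start reading them, and say whether `analysis.binary.findings` feeds the aggregated `analysis.layers.fragments` view described in the OS analyzer section or is read separately by the diff/emit stages. As in the previous hunk, the `Fix Status Detection` and `Valkey Cache` bullets appear twice with no visible difference, which looks like a whitespace-only change that should be dropped or explained.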