Add comprehensive tests for PathConfidenceScorer, PathEnumerator, ShellSymbolicExecutor, and SymbolicState
- Implemented unit tests for PathConfidenceScorer to evaluate path scoring under various conditions, including empty constraints, known and unknown constraints, environmental dependencies, and custom weights. - Developed tests for PathEnumerator to ensure correct path enumeration from simple scripts, handling known environments, and respecting maximum paths and depth limits. - Created tests for ShellSymbolicExecutor to validate execution of shell scripts, including handling of commands, branching, and environment tracking. - Added tests for SymbolicState to verify state management, variable handling, constraint addition, and environment dependency collection.
This commit is contained in:
StellaOps Bot
@@ -55,6 +55,87 @@ Located in `Mesh/`:
|
||||
- `DockerComposeParser`: Parser for Docker Compose v2/v3 files.
|
||||
- `MeshEntrypointAnalyzer`: Orchestrator for mesh analysis with security metrics and blast radius analysis.
|
||||
|
||||
### Speculative Execution (Sprint 0413)
|
||||
Located in `Speculative/`:
|
||||
- `SymbolicValue`: Algebraic type for symbolic values (Concrete, Symbolic, Unknown, Composite).
|
||||
- `SymbolicState`: Execution state with variable bindings, path constraints, and terminal commands.
|
||||
- `PathConstraint`: Branch predicate constraint with kind classification and env dependency tracking.
|
||||
- `ExecutionPath`: Complete execution path with constraints, commands, and reachability confidence.
|
||||
- `ExecutionTree`: All paths from symbolic execution with branch coverage metrics.
|
||||
- `BranchPoint`: Decision point in the script with coverage statistics.
|
||||
- `BranchCoverage`: Coverage metrics (total, covered, infeasible, env-dependent branches).
|
||||
- `ISymbolicExecutor`: Interface for symbolic execution of shell scripts.
|
||||
- `ShellSymbolicExecutor`: Implementation that explores all if/elif/else and case branches.
|
||||
- `IConstraintEvaluator`: Interface for path feasibility evaluation.
|
||||
- `PatternConstraintEvaluator`: Pattern-based evaluator for common shell conditionals.
|
||||
- `PathEnumerator`: Systematic path exploration with grouping by terminal command.
|
||||
- `PathConfidenceScorer`: Confidence scoring with multi-factor analysis.
|
||||
|
||||
### Binary Intelligence (Sprint 0414)
|
||||
Located in `Binary/`:
|
||||
- `CodeFingerprint`: Record for binary function fingerprinting with algorithm, hash, and metrics.
|
||||
- `FingerprintAlgorithm`: Enum for fingerprint types (BasicBlockHash, ControlFlowGraph, StringReferences, ImportReferences, Combined).
|
||||
- `FunctionSignature`: Record for extracted binary function metadata (name, offset, size, calling convention, basic blocks, references).
|
||||
- `BasicBlock`: Record for control flow basic block with offset, size, and instruction count.
|
||||
- `SymbolInfo`: Record for recovered symbol information with confidence and match method.
|
||||
- `SymbolMatchMethod`: Enum for how symbols were recovered (DebugInfo, ExactFingerprint, FuzzyFingerprint, PatternMatch, etc.).
|
||||
- `AlternativeMatch`: Record for secondary symbol match candidates.
|
||||
- `SourceCorrelation`: Record for mapping binary code to source packages/files.
|
||||
- `CorrelationEvidence`: Flags enum for evidence types (FingerprintMatch, SymbolName, StringPattern, ImportReference, SourcePath, ExactMatch).
|
||||
- `BinaryAnalysisResult`: Aggregate result with functions, recovered symbols, source correlations, and vulnerable matches.
|
||||
- `BinaryArchitecture`: Enum for CPU architectures (X86, X64, ARM, ARM64, RISCV32, RISCV64, WASM, Unknown).
|
||||
- `BinaryFormat`: Enum for binary formats (ELF, PE, MachO, WASM, Raw, Unknown).
|
||||
- `BinaryAnalysisMetrics`: Metrics for analysis coverage and timing.
|
||||
- `VulnerableFunctionMatch`: Match of a binary function to a known-vulnerable OSS function.
|
||||
- `VulnerabilitySeverity`: Enum for vulnerability severity levels.
|
||||
- `IFingerprintGenerator`: Interface for generating fingerprints from function signatures.
|
||||
- `BasicBlockFingerprintGenerator`, `ControlFlowFingerprintGenerator`, `CombinedFingerprintGenerator`: Implementations.
|
||||
- `FingerprintGeneratorFactory`: Factory for creating fingerprint generators.
|
||||
- `IFingerprintIndex`: Interface for fingerprint lookup with exact and similarity matching.
|
||||
- `InMemoryFingerprintIndex`: O(1) exact match, O(n) similarity search implementation.
|
||||
- `VulnerableFingerprintIndex`: Extends index with vulnerability tracking.
|
||||
- `FingerprintMatch`: Result record with source package, version, vulnerability associations, and similarity score.
|
||||
- `FingerprintIndexStatistics`: Statistics about the fingerprint index.
|
||||
- `ISymbolRecovery`: Interface for recovering symbol names from stripped binaries.
|
||||
- `PatternBasedSymbolRecovery`: Heuristic-based recovery using known patterns.
|
||||
- `FunctionPattern`: Record for function signature patterns (malloc, strlen, OpenSSL, zlib, etc.).
|
||||
- `BinaryIntelligenceAnalyzer`: Orchestrator coordinating fingerprinting, symbol recovery, source correlation, and vulnerability matching.
|
||||
- `BinaryIntelligenceOptions`: Configuration for analysis (algorithm, thresholds, parallelism).
|
||||
- `VulnerableFunctionMatcher`: Matches binary functions against known-vulnerable function corpus.
|
||||
- `VulnerableFunctionMatcherOptions`: Configuration for matching thresholds.
|
||||
- `FingerprintCorpusBuilder`: Builds fingerprint corpus from known OSS packages for later matching.
|
||||
|
||||
### Predictive Risk Scoring (Sprint 0415)
|
||||
Located in `Risk/`:
|
||||
- `RiskScore`: Record with OverallScore, Category, Confidence, Level, Factors, and ComputedAt.
|
||||
- `RiskCategory`: Enum for risk dimensions (Exploitability, Exposure, Privilege, DataSensitivity, BlastRadius, DriftVelocity, SupplyChain, Unknown).
|
||||
- `RiskLevel`: Enum for severity classification (Negligible, Low, Medium, High, Critical).
|
||||
- `RiskFactor`: Record for individual contributing factors with name, category, score, weight, evidence, and source ID.
|
||||
- `BusinessContext`: Record with environment, IsInternetFacing, DataClassification, CriticalityTier, ComplianceRegimes, and RiskMultiplier.
|
||||
- `DataClassification`: Enum for data sensitivity (Public, Internal, Confidential, Restricted, Unknown).
|
||||
- `SubjectType`: Enum for risk subject types (Image, Container, Service, Fleet).
|
||||
- `RiskAssessment`: Aggregate record with subject, scores, factors, context, recommendations, and timestamps.
|
||||
- `RiskTrend`: Record for tracking risk over time with snapshots and trend direction.
|
||||
- `RiskSnapshot`: Point-in-time risk score for trend analysis.
|
||||
- `TrendDirection`: Enum (Improving, Stable, Worsening, Volatile, Insufficient).
|
||||
- `IRiskScorer`: Interface for computing risk scores from entrypoint intelligence.
|
||||
- `IRiskContributor`: Interface for individual risk contributors (semantic, temporal, mesh, binary, vulnerability).
|
||||
- `RiskContext`: Record aggregating all signal sources for risk computation.
|
||||
- `VulnerabilityReference`: Record for known vulnerabilities with severity, CVSS, exploit status.
|
||||
- `SemanticRiskContributor`: Risk from capabilities and threat vectors.
|
||||
- `TemporalRiskContributor`: Risk from drift patterns and rapid changes.
|
||||
- `MeshRiskContributor`: Risk from exposure, blast radius, and vulnerable paths.
|
||||
- `BinaryRiskContributor`: Risk from vulnerable function usage in binaries.
|
||||
- `VulnerabilityRiskContributor`: Risk from known CVEs and exploitability.
|
||||
- `CompositeRiskScorer`: Combines all contributors with weighted scoring and business context adjustment.
|
||||
- `CompositeRiskScorerOptions`: Configuration for weights and thresholds.
|
||||
- `RiskExplainer`: Generates human-readable risk explanations with recommendations.
|
||||
- `RiskReport`: Record with assessment, explanation, and recommendations.
|
||||
- `RiskAggregator`: Fleet-level risk aggregation and trending.
|
||||
- `FleetRiskSummary`: Summary statistics across fleet (count by level, top risks, trend).
|
||||
- `RiskSummaryItem`: Individual subject summary for fleet views.
|
||||
- `EntrypointRiskReport`: Complete report combining entrypoint graph with risk assessment.
|
||||
|
||||
## Observability & Security
|
||||
- No dynamic assembly loading beyond restart-time plug-in catalog.
|
||||
- Structured logs include `scanId`, `imageDigest`, `layerDigest`, `command`, `reason`.
|
||||
@@ -67,6 +148,9 @@ Located in `Mesh/`:
|
||||
- Parser fuzz seeds captured for regression; interpreter tracers validated with sample scripts for Python, Node, Java launchers.
|
||||
- **Temporal tests**: `Temporal/TemporalEntrypointGraphTests.cs`, `Temporal/InMemoryTemporalEntrypointStoreTests.cs`.
|
||||
- **Mesh tests**: `Mesh/MeshEntrypointGraphTests.cs`, `Mesh/KubernetesManifestParserTests.cs`, `Mesh/DockerComposeParserTests.cs`, `Mesh/MeshEntrypointAnalyzerTests.cs`.
|
||||
- **Speculative tests**: `Speculative/SymbolicStateTests.cs`, `Speculative/ShellSymbolicExecutorTests.cs`, `Speculative/PathEnumeratorTests.cs`, `Speculative/PathConfidenceScorerTests.cs`.
|
||||
- **Binary tests**: `Binary/CodeFingerprintTests.cs`, `Binary/FingerprintIndexTests.cs`, `Binary/SymbolRecoveryTests.cs`, `Binary/BinaryIntelligenceIntegrationTests.cs`.
|
||||
- **Risk tests** (TODO): `Risk/RiskScoreTests.cs`, `Risk/RiskContributorTests.cs`, `Risk/CompositeRiskScorerTests.cs`.
|
||||
|
||||
## Required Reading
|
||||
- `docs/modules/scanner/architecture.md`
|
||||
|
||||
Reference in New Issue
Block a user