save checkpoint

2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
--- a/docs/features/checked/binaryindex/scanner-integration-for-binary-analysis.md
+++ b/docs/features/checked/binaryindex/scanner-integration-for-binary-analysis.md
@@ -0,0 +1,28 @@
+# Scanner Integration for Binary Analysis
+
+## Module
+BinaryIndex
+
+## Status
+IMPLEMENTED
+
+## Description
+Binary vulnerability analysis integrated into the scanner worker pipeline with patch verification and build provenance reproducibility verification.
+
+## Implementation Details
+- **Modules**: `src/BinaryIndex/`, `src/Scanner/`
+- **Key Classes**:
+  - `BinaryVulnerabilityService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/Services/BinaryVulnerabilityService.cs`) - core binary vulnerability detection service used by scanner pipeline; queries `ICorpusQueryService` for function matches
+  - `CachedBinaryVulnerabilityService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Cache/CachedBinaryVulnerabilityService.cs`) - cached decorator with `LookupByDeltaSignatureAsync` for scanner integration
+  - `ResolutionService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Resolution/ResolutionService.cs`) - resolves whether a CVE is fixed based on binary-level evidence
+  - `ReproducibleBuildJob` (`src/BinaryIndex/StellaOps.BinaryIndex.Worker/Jobs/ReproducibleBuildJob.cs`) - worker job for build provenance verification
+  - `EnsembleDecisionEngine` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Ensemble/EnsembleDecisionEngine.cs`) - multi-tier matching for scanner-detected vulnerabilities
+- **Integration Points**: Scanner pipeline calls `IBinaryVulnerabilityService` to enrich findings with binary-level patch verification
+
+## E2E Test Plan
+- [ ] Trigger a scanner scan on a container with known binaries and verify binary analysis runs automatically
+- [ ] Verify scanner findings are enriched with binary-level patch status (Fixed, Vulnerable, Unknown)
+- [ ] Verify `CachedBinaryVulnerabilityService` caches scanner lookups for performance
+- [ ] Verify build provenance verification runs as a background worker job
+- [ ] Verify ensemble decision engine produces consistent results when called from scanner pipeline
+- [ ] Verify binary analysis results are included in scanner output findings