save checkpoint
@@ -0,0 +1,30 @@
# 8-State Reachability Lattice

## Module
ReachGraph

## Status
IMPLEMENTED

## Description
Reachability infrastructure exists with triage integration, but the full 8-state lattice model (U/SR/SU/RO/RU/CR/CU/X) with mathematical state transitions as described is not fully implemented as a distinct subsystem.

## What's Implemented
- **LatticeState enum**: `src/__Libraries/StellaOps.Reachability.Core/LatticeState.cs` -- full 8-state model defined: Unknown (U), StaticReachable (SR), StaticUnreachable (SU), RuntimeObserved (RO), RuntimeUnobserved (RU), ConfirmedReachable (CR), ConfirmedUnreachable (CU), Contested (X); includes VEX mapping and confidence ranges per state
- **ReachabilityLattice state machine**: `src/__Libraries/StellaOps.Reachability.Core/ReachabilityLattice.cs` -- `FrozenDictionary` transition table with evidence accumulation; transitions from all states including conflict detection (X state when static and runtime evidence contradict); confidence delta per transition
- **ConfidenceCalculator**: `src/__Libraries/StellaOps.Reachability.Core/ConfidenceCalculator.cs` -- confidence score computation
- **IReachabilityIndex**: `src/__Libraries/StellaOps.Reachability.Core/IReachabilityIndex.cs` -- `QueryHybridAsync` returns `HybridReachabilityResult` with lattice state
- **HybridReachabilityResult**: `src/__Libraries/StellaOps.Reachability.Core/HybridReachabilityResult.cs` -- includes lattice state, confidence, and VEX recommendation

## What's Missing
- The lattice state machine is implemented as a library but not fully integrated as a distinct subsystem with its own API surface for triage workflows
- Triage-specific UI for lattice state visualization and manual state overrides
- Lattice state persistence and audit trail for state transitions

## Implementation Plan
- Expose lattice state transitions as an API for triage integration
- Build UI for lattice state visualization and manual overrides
- Add persistence layer for state transition history and audit trail

## Related Documentation
- Source: See feature catalog
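Review bot: the `## Status` line says IMPLEMENTED while the `## Description` in the same file says the 8-state lattice "is not fully implemented as a distinct subsystem" and a `## What's Missing` section follows; pick one. Either mark the status as partial (the file already separates "What's Implemented" from "What's Missing") or rewrite the description to say the library is complete and only triage integration, UI and persistence are outstanding. The "manual state overrides" item under What's Missing should also be tied to the audit trail item: an override that moves a finding to ConfirmedUnreachable suppresses a vulnerability, so who/when/why must be recorded before the override UI ships, not as a separate later item. Finally, "Source: See feature catalog" is not a reference; name the catalog file.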
@@ -0,0 +1,30 @@
# CVE-to-Symbol Mapping Service

## Module
ReachGraph

## Status
IMPLEMENTED

## Description
CVE-to-symbol mapping service with controller endpoint and service interface for reachability analysis in the ReachGraph module.

## Implementation Details
- **ICveSymbolMappingService interface**: `src/__Libraries/StellaOps.Reachability.Core/CveMapping/ICveSymbolMappingService.cs` -- `GetMappingsForCveAsync`, `GetMappingsForPackageAsync`, `SearchBySymbolAsync`, `AddOrUpdateMappingAsync`, `AnalyzePatchAsync`, `EnrichFromOsvAsync`, `GetStatsAsync`
- **CveSymbolMappingService**: `src/__Libraries/StellaOps.Reachability.Core/CveMapping/CveSymbolMappingService.cs` -- core implementation
- **CveMappingController**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Controllers/CveMappingController.cs` -- REST API at `v1/cve-mappings` with endpoints: GET `{cveId}`, GET `by-package?purl=`, GET `by-symbol?symbol=`, POST (upsert), POST `analyze-patch`, POST `{cveId}/enrich`, GET `stats`; rate limiting (`reachgraph-read`/`reachgraph-write`); response caching (1h for reads, 5m for stats)
- **CveSymbolMapping model**: `src/__Libraries/StellaOps.Reachability.Core/CveMapping/CveSymbolMapping.cs` -- CVE-to-symbol mapping with PURL, `VulnerableSymbol`, `MappingSource` (OSV/NVD/Manual/PatchAnalysis/Vendor), confidence score, `VulnerabilityType`, affected/fixed versions
- **VulnerableSymbol**: `src/__Libraries/StellaOps.Reachability.Core/CveMapping/VulnerableSymbol.cs` -- symbol with canonical ID, file path, line range
- **Patch analysis**: `src/__Libraries/StellaOps.Reachability.Core/CveMapping/IPatchSymbolExtractor.cs`, `FunctionBoundaryDetector.cs`, `GitDiffExtractor.cs`, `UnifiedDiffParser.cs` -- extract vulnerable symbols from commits/patches
- **OSV enrichment**: `src/__Libraries/StellaOps.Reachability.Core/CveMapping/IOsvEnricher.cs`, `OsvEnricher.cs` -- enrich mappings from OSV database
- **Tests**: `src/ReachGraph/__Tests/StellaOps.ReachGraph.WebService.Tests/ReachGraphApiIntegrationTests.cs`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Verify GET `v1/cve-mappings/{cveId}` returns symbol mappings with PURL, confidence, and evidence URI
- [ ] Test GET `by-package?purl=` returns all CVE mappings for a given package
- [ ] Verify GET `by-symbol?symbol=&language=` searches by symbol name with optional language filter
- [ ] Test POST upsert creates/updates mappings idempotently
- [ ] Verify POST `analyze-patch` extracts vulnerable symbols from diff content
- [ ] Test POST `{cveId}/enrich` retrieves and persists OSV-sourced mappings
- [ ] Verify GET `stats` returns corpus statistics (total mappings, unique CVEs/packages, average confidence)
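Review bot: the `CveMappingController` entry documents rate limiting and response caching for `v1/cve-mappings` but says nothing about authorization on the write endpoints (POST upsert, POST `analyze-patch`, POST `{cveId}/enrich`), and the E2E plan has no negative case for any of them. A mapping upsert changes which symbols a CVE is attributed to, which is exactly what the reachability verdict downstream depends on, so please state the scope required for writes and add a test that an unauthorized caller is rejected. Two more gaps in the E2E plan: reads are cached for 1h, so add a check that a GET after an upsert does not serve the stale mapping; and `analyze-patch` parses caller-supplied diff text, so add a malformed and an oversized diff case with the expected error response.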
@@ -0,0 +1,30 @@
# Reachability Analysis with Call Graph Evidence

## Module
ReachGraph

## Status
IMPLEMENTED

## Description
Reachability analysis is implemented with a dedicated ReachGraph backend service, frontend reachability explanation views, and witness path components showing call graph evidence traces.

## Implementation Details
- **ReachGraphController**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Controllers/ReachGraphController.cs` -- REST API at `v1/reachgraphs` with slice queries supporting call graph evidence; GET `{digest}/slice` with `q` (package), `cve`, `entrypoint`, `file` query parameters
- **IReachGraphSliceService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/IReachGraphSliceService.cs` -- `SliceByPackageAsync`, `SliceByCveAsync` (returns `CveSliceResponse` with `Sinks` and `Paths`), `SliceByEntrypointAsync`, `SliceByFileAsync`
- **ReachGraphSliceService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphSliceService.cs` -- cached slice computation with `IReachGraphCache`
- **ReachabilityPath model**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Models/ReachGraphContracts.cs` -- `Entrypoint`, `Sink`, `Hops` (call chain), `Edges` (graph edges showing evidence trace)
- **CveSliceResponse**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Models/ReachGraphContracts.cs` -- extends `SliceQueryResponse` with `Sinks` and `Paths` for call graph evidence
- **IReachabilityIndex**: `src/__Libraries/StellaOps.Reachability.Core/IReachabilityIndex.cs` -- unified facade with `QueryStaticAsync`, `QueryRuntimeAsync`, `QueryHybridAsync` combining static call graph with runtime evidence
- **EvidenceUriBuilder**: `src/__Libraries/StellaOps.Reachability.Core/EvidenceUriBuilder.cs` -- builds URIs for evidence artifacts
- **Frontend**: reachability explanation views and witness path components in `src/Web/`
- **Tests**: `src/ReachGraph/__Tests/StellaOps.ReachGraph.WebService.Tests/ReachGraphApiIntegrationTests.cs`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Verify CVE slice returns reachability paths with entrypoint-to-sink hops
- [ ] Test call graph evidence trace includes edge types and evidence URIs
- [ ] Verify package slice shows upstream/downstream reachability with configurable depth
- [ ] Test entrypoint slice traces all paths from a given entrypoint
- [ ] Verify file-based slice returns reachability for symbols in a specific file
- [ ] Test frontend reachability explanation view renders witness paths correctly
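Review bot: the `**Frontend**` entry gives only `src/Web/` while every other entry names a file; name the reachability explanation view and witness path component files so the E2E item "frontend reachability explanation view renders witness paths correctly" has something concrete to exercise. Also, the `ReachabilityPath model` entry lists `Entrypoint`, `Sink`, `Hops`, `Edges`, yet the E2E plan asserts that the evidence trace "includes edge types and evidence URIs"; no listed field carries an edge type or a URI, so either add those field names to the model entry (the `EvidenceUriBuilder` entry suggests they exist) or drop that assertion.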
@@ -0,0 +1,34 @@
# Reachability-Aware Vulnerability Analysis (Multi-Layer)

## Module
ReachGraph

## Status
IMPLEMENTED

## Description
Multi-layer reachability with source (Layer1/2/3), binary mapping, and runtime correlation. Lattice-based states and hybrid results combining static and runtime analysis.

## Implementation Details
- **IReachabilityIndex**: `src/__Libraries/StellaOps.Reachability.Core/IReachabilityIndex.cs` -- unified facade: `QueryStaticAsync` (Layer 1-3 source analysis), `QueryRuntimeAsync` (runtime correlation), `QueryHybridAsync` (combines static + runtime with lattice state)
- **ReachabilityIndex**: `src/__Libraries/StellaOps.Reachability.Core/ReachabilityIndex.cs` -- default implementation combining adapters
- **HybridReachabilityResult**: `src/__Libraries/StellaOps.Reachability.Core/HybridReachabilityResult.cs` -- hybrid result with lattice state, confidence, VEX recommendation
- **StaticReachabilityResult**: `src/__Libraries/StellaOps.Reachability.Core/StaticReachabilityResult.cs` -- static analysis result
- **RuntimeReachabilityResult**: `src/__Libraries/StellaOps.Reachability.Core/RuntimeReachabilityResult.cs` -- runtime observation result
- **LatticeState enum**: `src/__Libraries/StellaOps.Reachability.Core/LatticeState.cs` -- 8-state lattice (U/SR/SU/RO/RU/CR/CU/X)
- **ReachabilityLattice**: `src/__Libraries/StellaOps.Reachability.Core/ReachabilityLattice.cs` -- state machine with `FrozenDictionary` transitions, evidence accumulation, confidence scoring
- **ConfidenceCalculator**: `src/__Libraries/StellaOps.Reachability.Core/ConfidenceCalculator.cs` -- confidence computation
- **IReachGraphAdapter**: `src/__Libraries/StellaOps.Reachability.Core/IReachGraphAdapter.cs` -- adapter for ReachGraph data
- **ISignalsAdapter**: `src/__Libraries/StellaOps.Reachability.Core/ISignalsAdapter.cs` -- adapter for runtime signals
- **HybridQueryOptions**: `src/__Libraries/StellaOps.Reachability.Core/HybridQueryOptions.cs` -- query options for hybrid analysis
- **Symbol infrastructure**: `src/__Libraries/StellaOps.Reachability.Core/Symbols/` -- `SymbolCanonicalizer`, `SymbolMatcher`, normalizers (DotNet, Java, Native, Script)
- **Tests**: `src/__Libraries/__Tests/StellaOps.Reachability.Core.Tests/`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Verify static reachability query (Layer 1-3) returns call graph path evidence
- [ ] Test runtime reachability query correlates observed execution with observation window
- [ ] Verify hybrid query combines static and runtime into lattice state with confidence
- [ ] Test multi-layer analysis transitions correctly through lattice states
- [ ] Verify batch query for CVE vulnerability analysis returns results for all symbols
- [ ] Test symbol canonicalization across languages (Java, .NET, native, script)
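Review bot: the description promises "source (Layer1/2/3), binary mapping, and runtime correlation", but the Implementation Details contain no entry for binary mapping and never say what Layers 1, 2 and 3 are (the `QueryStaticAsync` entry only repeats "Layer 1-3 source analysis"); add the binary-mapping entry with its file path or remove the claim, and define the layers once. The E2E item "batch query for CVE vulnerability analysis" also refers to a batch method that the `IReachabilityIndex` entry in this file does not list (it gives only `QueryStaticAsync`, `QueryRuntimeAsync`, `QueryHybridAsync`); the core-library file in this same commit lists `QueryBatchAsync`, so add it here too.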
@@ -0,0 +1,36 @@
# Reachability Core Library with Unified Query Interface

## Module
ReachGraph

## Status
IMPLEMENTED

## Description
ReachGraph has a web service with store and slice services, but the unified `IReachabilityIndex` facade combining static + runtime evidence is not present as a distinct library.

## What's Implemented
- **IReachabilityIndex interface**: `src/__Libraries/StellaOps.Reachability.Core/IReachabilityIndex.cs` -- unified facade with `QueryStaticAsync`, `QueryRuntimeAsync`, `QueryHybridAsync`, `QueryBatchAsync`; this IS the unified query interface
- **ReachabilityIndex**: `src/__Libraries/StellaOps.Reachability.Core/ReachabilityIndex.cs` -- default implementation combining `IReachGraphAdapter` and `ISignalsAdapter`
- **IReachGraphAdapter**: `src/__Libraries/StellaOps.Reachability.Core/IReachGraphAdapter.cs` -- adapter for static call graph data
- **ISignalsAdapter**: `src/__Libraries/StellaOps.Reachability.Core/ISignalsAdapter.cs` -- adapter for runtime signal data
- **HybridReachabilityResult**: `src/__Libraries/StellaOps.Reachability.Core/HybridReachabilityResult.cs` -- hybrid query result with lattice state
- **HybridQueryOptions**: `src/__Libraries/StellaOps.Reachability.Core/HybridQueryOptions.cs` -- configurable query options
- **StaticReachabilityResult / RuntimeReachabilityResult**: individual layer results
- **SymbolRef, ConfidenceCalculator, EvidenceUriBuilder**: supporting types
- **ServiceCollectionExtensions**: `src/__Libraries/StellaOps.Reachability.Core/ServiceCollectionExtensions.cs` -- DI registration
- **Tests**: `src/__Libraries/__Tests/StellaOps.Reachability.Core.Tests/`

## What's Missing
- The `IReachabilityIndex` facade exists but the ReachGraph web service (`src/ReachGraph/`) does not use it directly; the web service has its own store/slice/replay services
- Missing: adapter implementations that wire `IReachabilityIndex` to the ReachGraph store and Signals services
- Missing: unified query endpoint in the web service that delegates to `IReachabilityIndex`

## Implementation Plan
- Implement `IReachGraphAdapter` backed by `IReachGraphStoreService`
- Implement `ISignalsAdapter` backed by the Signals runtime data
- Add unified query endpoint in ReachGraph web service that delegates to `IReachabilityIndex`
- Wire up DI registration via `ServiceCollectionExtensions`

## Related Documentation
- Source: See feature catalog
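Review bot: the `## Description` says the unified `IReachabilityIndex` facade "is not present as a distinct library", but the very next section lists `src/__Libraries/StellaOps.Reachability.Core/IReachabilityIndex.cs` together with its default implementation, and What's Missing says the real gap is that nothing in `src/ReachGraph/` calls it. Rewrite the description to say the library exists but is not wired into the web service, and reconsider the IMPLEMENTED status given that all three What's Missing items are the integration work. Until the adapters exist, `ReachabilityIndex` has no data source, so the tests under `StellaOps.Reachability.Core.Tests/` can only cover it with fakes; say so, or a reader will take the status line at face value. Minor: "this IS the unified query interface" reads as a reply to a reviewer rather than documentation; drop the emphasis.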
@@ -0,0 +1,28 @@
# Reachability Fallback Mechanisms

## Module
ReachGraph

## Status
IMPLEMENTED

## Description
ReachGraph service with slice and replay capabilities for reachability analysis with deterministic replay support.

## Implementation Details
- **IReachGraphStoreService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/IReachGraphStoreService.cs` -- `UpsertAsync`, `GetByDigestAsync`, `ListByArtifactAsync`, `DeleteAsync` for graph storage with fallback
- **ReachGraphStoreService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphStoreService.cs` -- coordinates between `IReachGraphRepository` (persistence), `IReachGraphCache` (caching), and `IReachGraphSignerService` (signing); supports digest-based idempotent upserts
- **IReachGraphSliceService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/IReachGraphSliceService.cs` -- multi-dimensional slice queries (by-package, by-CVE, by-entrypoint, by-file) with configurable depth and direction
- **ReachGraphSliceService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphSliceService.cs` -- cached slice computation; falls back to full graph loading when cache misses
- **IReachGraphReplayService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/IReachGraphReplayService.cs` -- deterministic replay as fallback verification mechanism
- **ReachGraphReplayService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphReplayService.cs` -- replays computation from SBOM, VEX, callgraph, and runtime facts inputs; compares computed digest against expected
- **PaginationService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/PaginationService.cs` -- cursor-based pagination for large result sets
- **Tests**: `src/ReachGraph/__Tests/StellaOps.ReachGraph.WebService.Tests/ReachGraphApiIntegrationTests.cs`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Verify graph retrieval falls back from cache to database when cache misses
- [ ] Test slice queries degrade gracefully when full graph is not available
- [ ] Verify replay verification provides fallback for determinism validation
- [ ] Test idempotent upsert handles concurrent writes without data loss
- [ ] Verify pagination handles large result sets with cursor-based navigation
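Review bot: the E2E item "slice queries degrade gracefully when full graph is not available" has no backing in the Implementation Details; the `ReachGraphSliceService` entry describes the opposite direction (a cache miss falls back to loading the full graph), so state what a slice returns when the graph itself is missing (an error, an empty slice?) or drop the test. Likewise "idempotent upsert handles concurrent writes without data loss" assumes concurrency control in `ReachGraphStoreService` that the entry does not describe beyond digest-based idempotency; name the mechanism (unique constraint on the digest, compare-and-set, a lock) so the test has a defined expected outcome. The description never uses the word fallback although it is the title of the file; one sentence stating the chain (cache, then `IReachGraphRepository`, then replay) would make the title match the content. Since `IReachGraphSignerService` is listed, the plan should also say whether a graph served from the repository fallback is signature-checked before it is cached.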
@@ -0,0 +1,28 @@
# Reachability Replay Verification

## Module
ReachGraph

## Status
IMPLEMENTED

## Description
Replay verification service for reachability computations is implemented in the ReachGraph module.

## Implementation Details
- **IReachGraphReplayService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/IReachGraphReplayService.cs` -- `ReplayAsync(ReplayRequest, tenantId)` for deterministic replay verification
- **ReachGraphReplayService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphReplayService.cs` -- recomputes graph from inputs (SBOM, VEX, callgraph, runtime facts), compares digest using `ReachGraphDigestComputer`; reports `ReplayDivergence` (NodesAdded, NodesRemoved, EdgesChanged) on mismatch
- **ReplayRequest model**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Models/ReachGraphContracts.cs` -- `ExpectedDigest`, `ReplayInputs` (SBOM, VEX, callgraph, runtime facts), optional `ReachGraphScope`
- **ReplayResponse model**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Models/ReachGraphContracts.cs` -- `Match` (bool), `ComputedDigest`, `ExpectedDigest`, `DurationMs`, `InputsVerified` (per-input verification), `Divergence` (detailed diff)
- **ReachGraphController replay endpoint**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Controllers/ReachGraphController.cs` -- POST `v1/reachgraphs/replay` with rate limiting
- **NodeHashRecipe**: `src/__Libraries/StellaOps.Reachability.Core/NodeHashRecipe.cs` -- deterministic node hashing
- **PathHashRecipe**: `src/__Libraries/StellaOps.Reachability.Core/PathHashRecipe.cs` -- deterministic path hashing
- **Tests**: `src/ReachGraph/__Tests/StellaOps.ReachGraph.WebService.Tests/ReachGraphApiIntegrationTests.cs`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Verify replay from identical inputs produces matching digest (deterministic)
- [ ] Test replay with modified SBOM detects divergence with accurate node/edge diff
- [ ] Verify InputsVerified reports individual input verification status
- [ ] Test replay duration is reported in milliseconds for performance monitoring
- [ ] Verify replay endpoint handles missing original graph with appropriate error
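Review bot: `ReplayAsync(ReplayRequest, tenantId)` is tenant-scoped, but none of the E2E items checks that a replay cannot be run against an `ExpectedDigest` that belongs to another tenant; add that negative case, because on a mismatch the `ReplayDivergence` payload (NodesAdded, NodesRemoved, EdgesChanged) would otherwise disclose the other tenant's graph structure. The last E2E item, "handles missing original graph with appropriate error", does not say which error; state the status code so the test is checkable and so that a not-found response is distinguishable from a cross-tenant denial. Minor: `ReplayDivergence` has NodesAdded and NodesRemoved but only a single `EdgesChanged`; if edges can also be added and removed, say so in the model entry so the "accurate node/edge diff" test knows what to assert.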
@@ -0,0 +1,38 @@
# ReachGraph Slice Query REST APIs

## Module
ReachGraph

## Status
IMPLEMENTED

## Description
REST API layer for ReachGraph with slice queries by package, CVE, entrypoint, and file path. Includes replay endpoint for deterministic verification, pagination service, and store service. While "ReachGraph Service" is known, the specific slice query API layer with multi-dimensional querying (by-package, by-CVE, by-entrypoint, by-file) is a distinct shipped capability.

## Implementation Details
- **ReachGraphController**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Controllers/ReachGraphController.cs` -- REST API at `v1/reachgraphs` with full CRUD and slice queries:
- POST `/` -- upsert graph (idempotent by BLAKE3 digest)
- GET `/{digest}` -- retrieve full graph (cached 24h, ETag support)
- GET `/{digest}/slice?q=` -- slice by package PURL with wildcards, configurable depth/direction
- GET `/{digest}/slice?cve=` -- slice by CVE with sinks and reachability paths
- GET `/{digest}/slice?entrypoint=` -- slice by entrypoint (max depth 10)
- GET `/{digest}/slice?file=` -- slice by file path
- POST `/replay` -- deterministic replay verification
- GET `/by-artifact/{artifactDigest}` -- list graphs for artifact
- DELETE `/{digest}` -- admin delete
- **IReachGraphSliceService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/IReachGraphSliceService.cs` -- four slice methods with configurable depth
- **ReachGraphSliceService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphSliceService.cs` -- cached slice computation
- **SliceQueryResponse model**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Models/ReachGraphContracts.cs` -- `SchemaVersion`, `SliceQuery` (type/query/cve/entrypoint/file/depth/direction), `Nodes`, `Edges`, counts
- **CveSliceResponse**: extends `SliceQueryResponse` with `Sinks` and `ReachabilityPath` (entrypoint-to-sink hops with edges)
- **PaginationService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/PaginationService.cs` -- cursor-based pagination for large slices
- **Tests**: `src/ReachGraph/__Tests/StellaOps.ReachGraph.WebService.Tests/ReachGraphApiIntegrationTests.cs`, `ReachGraphTestFactory.cs`
- **Source**: SPRINT_1227_0012_0002_BE_reachgraph_store.md

## E2E Test Plan
- [ ] Verify package slice returns subgraph with nodes/edges at configurable depth (default 3)
- [ ] Test CVE slice returns sinks and reachability paths with hop sequences
- [ ] Verify entrypoint slice traces all downstream paths (max depth 10)
- [ ] Test file-based slice returns reachability for all symbols in a file
- [ ] Verify direction parameter filters upstream/downstream/both edges
- [ ] Test by-artifact listing returns all graphs for an artifact digest
- [ ] Verify response caching (24h for full graph, slice-specific cache keys)
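Review bot: `DELETE /{digest}` is labelled "admin delete" but the entry does not say which scope or role is enforced, and the E2E plan exercises neither DELETE, nor POST `/replay`, nor any unauthenticated or wrong-tenant request; add the authorization requirement to the endpoint list and one negative test per write endpoint. The depth limits are also inconsistent as written: the entrypoint slice says "max depth 10" while the package slice is "configurable depth/direction" with a default of 3 in the E2E plan; state whether 10 is a cap for every slice type, since an unbounded depth on `slice?q=` with PURL wildcards is the expensive query an abusive client would send. The `CveSliceResponse` entry here names the path field `ReachabilityPath` while the call-graph-evidence file in this same commit calls it `Paths`; align the two. Style: the sentence beginning 'While "ReachGraph Service" is known' is a catalog-deduplication note, not documentation; move it out of the description.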
@@ -0,0 +1,29 @@
# Static SBOM Call-Graph Pruning

## Module
ReachGraph

## Status
IMPLEMENTED

## Description
SBOM-based reachability filtering is implemented as a pipeline stage in the Scanner worker, with dependency reachability reporting and ReachGraph storage.

## Implementation Details
- **IReachabilityIndex**: `src/__Libraries/StellaOps.Reachability.Core/IReachabilityIndex.cs` -- `QueryStaticAsync` for static call-graph reachability analysis; `QueryHybridAsync` with batch support for SBOM-wide analysis
- **ReachabilityIndex**: `src/__Libraries/StellaOps.Reachability.Core/ReachabilityIndex.cs` -- implementation using adapters for graph and signals data
- **LatticeState.StaticReachable / StaticUnreachable**: `src/__Libraries/StellaOps.Reachability.Core/LatticeState.cs` -- static analysis determines SR or SU lattice state for each symbol
- **ReachabilityLattice**: `src/__Libraries/StellaOps.Reachability.Core/ReachabilityLattice.cs` -- transitions from Unknown to StaticReachable (confidence 0.30) or StaticUnreachable (confidence 0.40) based on call graph evidence
- **SymbolRef**: `src/__Libraries/StellaOps.Reachability.Core/SymbolRef.cs` -- symbol reference for graph queries
- **Symbol canonicalization**: `src/__Libraries/StellaOps.Reachability.Core/Symbols/SymbolCanonicalizer.cs`, `SymbolMatcher.cs` -- language-aware symbol normalization for accurate graph matching
- **ReachGraphStoreService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphStoreService.cs` -- stores pruned/filtered reachability graphs
- **ReachGraphSliceService**: `src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphSliceService.cs` -- slice queries for accessing filtered results by package
- **Tests**: `src/__Libraries/__Tests/StellaOps.Reachability.Core.Tests/`
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Verify static call-graph analysis correctly identifies reachable symbols (SR state)
- [ ] Test unreachable symbols are pruned with StaticUnreachable (SU) state
- [ ] Verify SBOM-based batch query prunes findings for all packages in SBOM
- [ ] Test symbol canonicalization handles cross-language symbol formats
- [ ] Verify pruned results are stored in ReachGraph and queryable via slice API
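Review bot: the description says SBOM-based filtering "is implemented as a pipeline stage in the Scanner worker", but every path under Implementation Details is in `src/__Libraries/StellaOps.Reachability.Core/` or `src/ReachGraph/`; add the Scanner worker stage file, or correct the description so it does not claim a stage that is not listed. Since a StaticUnreachable (SU) verdict prunes a finding, the E2E plan needs the false-negative case as well as the happy path: add an item that a symbol with no call-graph evidence at all stays Unknown (U) rather than being pruned as SU, and one that an SU verdict is reversible when runtime evidence later arrives (the lattice file in this commit lists a Contested (X) state for exactly that conflict). The `ReachabilityLattice` entry gives specific initial confidences (0.30 for SR, 0.40 for SU); if those are the values that the VEX recommendation is derived from, say where the thresholds live so a reviewer can check them.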