stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
docs/features/checked/scanner/macos-bundle-inspector-with-capability-overlays.md Normal file
View File

@@ -0,0 +1,40 @@
# macOS Bundle Inspector with Capability Overlays
## Module
Scanner
## Status
VERIFIED
## Description
Inspects macOS .app/.framework bundles, parsing Info.plist for metadata and entitlements for security capability analysis (sandbox, hardened runtime, network access flags).
## Implementation Details
- **Bundle Analyzer**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.MacOsBundle/MacOsBundleAnalyzer.cs` - `MacOsBundleAnalyzer` inspects macOS .app/.framework bundles, extracting metadata and security capabilities
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.MacOsBundle/MacOsBundleAnalyzerPlugin.cs` - Plugin registration for the macOS bundle analyzer
- **Parsers**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.MacOsBundle/InfoPlistParser.cs` - `InfoPlistParser` parses Info.plist files for bundle metadata (CFBundleIdentifier, version, minimum OS)
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.MacOsBundle/EntitlementsParser.cs` - `EntitlementsParser` parses entitlements XML for security capability analysis (sandbox, hardened runtime, network access)
- **Mach-O Analysis**:
- `src/Scanner/StellaOps.Scanner.Analyzers.Native/MachOReader.cs` - `MachOReader` reads Mach-O binary format headers and load commands
- `src/Scanner/StellaOps.Scanner.Analyzers.Native/MachOCodeSignature.cs` - `MachOCodeSignature` extracts code signature information from Mach-O binaries
## E2E Test Plan
- [ ] Scan a container image containing a macOS .app bundle and verify Info.plist metadata is extracted (bundle identifier, version, minimum OS version)
- [ ] Verify entitlements are parsed and security capabilities (sandbox, hardened runtime) are identified
- [ ] Verify network access entitlements (com.apple.security.network.client/server) are detected and reported as capability overlays
- [ ] Verify .framework bundles are also inspected with the same metadata extraction
- [ ] Verify Mach-O code signature information is extracted and linked to the bundle analysis
- [ ] Verify bundles without entitlements are handled gracefully with appropriate defaults
---
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |