stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
docs/features/checked/scanner/reachability-status-classification.md Normal file
View File

@@ -0,0 +1,44 @@
# Reachability Status Classification (R0-R3/UNREACHABLE through REACHABLE_PROVEN)
## Module
Scanner
## Status
VERIFIED
## Description
Reachability classification with multiple tiers (unreachable, possibly reachable, reachable static, reachable proven) and confidence scoring with deterministic modifiers.
## Implementation Details
- **Reachability Models**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/DependencyReachabilityModels.cs` - Defines reachability status tiers (R0=UNREACHABLE, R1=POSSIBLY_REACHABLE, R2=REACHABLE_STATIC, R3=REACHABLE_PROVEN) with confidence scoring
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachabilityPolicy.cs` - `ReachabilityPolicy` configures classification thresholds and tier boundaries
- **Static Analysis**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/StaticReachabilityAnalyzer.cs` - `StaticReachabilityAnalyzer` performs static call graph analysis for R2 classification
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ConditionalReachabilityAnalyzer.cs` - `ConditionalReachabilityAnalyzer` handles conditional reachability (feature flags, config-dependent paths)
- **Combiner**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachGraphReachabilityCombiner.cs` - `ReachGraphReachabilityCombiner` combines static and runtime signals for final classification
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/VulnerabilityReachabilityFilter.cs` - `VulnerabilityReachabilityFilter` filters vulnerabilities based on reachability status
- **Reporting**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/Reporting/DependencyReachabilityReporter.cs` - Reporter for reachability classification results
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/Reporting/DependencyReachabilityReport.cs` - Report model
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachabilityReportBuilder.cs` - Builder for constructing reports
## E2E Test Plan
- [ ] Scan a container with a vulnerability in unreachable code and verify it is classified as R0 (UNREACHABLE)
- [ ] Scan a container with a vulnerability in statically reachable code (call graph path exists) and verify R2 (REACHABLE_STATIC)
- [ ] Verify runtime-confirmed reachability (observed call) promotes classification to R3 (REACHABLE_PROVEN)
- [ ] Verify conditional reachability (behind feature flag or config) is classified as R1 (POSSIBLY_REACHABLE) with appropriate confidence
- [ ] Verify confidence scores are computed deterministically for the same input
- [ ] Verify the vulnerability filter correctly suppresses R0 findings from default result sets
---
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |