save checkpoint

2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
--- a/docs/features/checked/scanner/symbol-mappers-for-net-jvm-node-python.md
+++ b/docs/features/checked/scanner/symbol-mappers-for-net-jvm-node-python.md
@@ -0,0 +1,53 @@
+# Symbol Mappers for .NET/JVM/Node/Python
+
+## Module
+Scanner
+
+## Status
+VERIFIED
+
+## Description
+Symbol mapping with sink matchers and entrypoint classifiers exists for Java, Python, JavaScript, and Node ecosystems.
+
+## Implementation Details
+- **Java Symbol Mapping**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Java/JavaCallGraphExtractor.cs` - `JavaCallGraphExtractor` building call graphs from Java bytecode
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Java/JavaSinkMatcher.cs` - `JavaSinkMatcher` matching Java methods against known vulnerability sinks (e.g., SQL injection, command injection, deserialization)
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Java/JavaEntrypointClassifier.cs` - `JavaEntrypointClassifier` classifying Java entrypoints (Spring Controllers, Servlets, main methods)
+- **Python Symbol Mapping**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Python/PythonCallGraphExtractor.cs` - `PythonCallGraphExtractor` building call graphs from Python AST
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Python/PythonSinkMatcher.cs` - `PythonSinkMatcher` matching Python functions against known vulnerability sinks
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Python/PythonEntrypointClassifier.cs` - `PythonEntrypointClassifier` classifying Python entrypoints (Flask routes, Django views, CLI entry)
+- **JavaScript Symbol Mapping**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/JavaScript/JavaScriptCallGraphExtractor.cs` - `JavaScriptCallGraphExtractor` building call graphs from JavaScript/TypeScript
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/JavaScript/JsSinkMatcher.cs` - `JsSinkMatcher` matching JS functions against known vulnerability sinks
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/JavaScript/JsEntrypointClassifier.cs` - `JsEntrypointClassifier` classifying JavaScript entrypoints (Express routes, event handlers)
+- **.NET Symbol Mapping**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/DotNet/DotNetCallGraphExtractor.cs` - `DotNetCallGraphExtractor` building call graphs from .NET assemblies
+- **PHP Symbol Mapping**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Php/PhpCallGraphExtractor.cs` - `PhpCallGraphExtractor` building call graphs from PHP
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Php/PhpSinkMatcher.cs` - `PhpSinkMatcher` matching PHP functions against vulnerability sinks
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Php/PhpEntrypointClassifier.cs` - `PhpEntrypointClassifier` classifying PHP entrypoints
+- **Ruby Symbol Mapping**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Ruby/RubyCallGraphExtractor.cs` - `RubyCallGraphExtractor` building call graphs from Ruby
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Ruby/RubySinkMatcher.cs` - `RubySinkMatcher` matching Ruby methods against vulnerability sinks
+  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Ruby/RubyEntrypointClassifier.cs` - `RubyEntrypointClassifier` classifying Ruby entrypoints (Rails controllers, Rack apps)
+
+## E2E Test Plan
+- [ ] Extract a Java call graph and verify `JavaSinkMatcher` correctly identifies SQL injection sinks (e.g., `Statement.executeQuery`)
+- [ ] Verify `JavaEntrypointClassifier` correctly classifies Spring `@RequestMapping` methods as HTTP entrypoints
+- [ ] Extract a Python call graph and verify `PythonSinkMatcher` identifies dangerous function calls (e.g., `eval`, `subprocess.call`)
+- [ ] Verify `JsSinkMatcher` identifies Node.js sinks like `child_process.exec` and `eval`
+- [ ] Verify `.NET` call graph extraction handles both framework-dependent and self-contained applications
+- [ ] Verify all sink matchers and entrypoint classifiers produce deterministic results for the same input
+
+---
+
+## Verification
+
+| Check | Result |
+|-------|--------|
+| Tier 0 - Source files exist | PASS |
+| Tier 1 - Build + code review | PASS |
+| Tier 2 - Integration tests | PASS |
+| Verified | 2026-02-13T18:10:00Z |