stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
docs/features/checked/scanner/trigger-method-vulnerable-function-extraction.md Normal file
View File

@@ -0,0 +1,45 @@
# Trigger Method / Vulnerable Function Extraction
## Module
Scanner
## Status
VERIFIED
## Description
Multi-language call graph extraction with guard detection and drift cause explanation. Covers entrypoint-to-sink path analysis.
## Implementation Details
- **Trigger Method Extractor**:
- `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Triggers/TriggerMethodExtractor.cs` - `TriggerMethodExtractor` extracting vulnerable trigger methods from vulnerability advisories and mapping them to call graph nodes
- `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Triggers/ITriggerMethodExtractor.cs` - Interface for trigger method extraction
- `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Models/VulnSurfaceTrigger.cs` - `VulnSurfaceTrigger` model for extracted trigger methods
- **Vulnerable Function Matching**:
- `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/VulnerableFunctionMatcher.cs` - `VulnerableFunctionMatcher` matching binary functions against known vulnerable function signatures
- **Guard Detection**:
- `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/GuardDetector.cs` - `GuardDetector` detecting guard conditions (null checks, feature flags, auth checks) that protect vulnerable paths
- **Drift Cause Explanation**:
- `src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/Services/DriftCauseExplainer.cs` - `DriftCauseExplainer` explaining why reachability changed (new dependency, updated call path, removed guard)
- `src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/Services/ReachabilityDriftDetector.cs` - `ReachabilityDriftDetector` detecting reachability changes between scan versions
- **Tests**:
- `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces.Tests/TriggerMethodExtractorTests.cs` - Trigger extraction tests
- `src/Scanner/__Tests/StellaOps.Scanner.ReachabilityDrift.Tests/DriftCauseExplainerTests.cs` - Drift cause explanation tests
## E2E Test Plan
- [ ] Extract trigger methods from a Java vulnerability advisory (e.g., log4j) and verify the vulnerable methods are correctly identified
- [ ] Verify `VulnerableFunctionMatcher` matches binary symbols against known vulnerable function signatures
- [ ] Verify `GuardDetector` detects authentication guards that protect vulnerable call paths
- [ ] Verify `DriftCauseExplainer` correctly explains why a previously unreachable vulnerability became reachable (e.g., new transitive dependency)
- [ ] Verify entrypoint-to-sink path analysis produces a complete path from HTTP endpoint to vulnerable function
- [ ] Verify trigger method extraction works across Java, Python, JavaScript, and .NET ecosystems
---
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |