Here’s a tight idea I think you’ll like: **make every VEX “non‑affected” verdict explain itself with provable, symbol‑level evidence**—not just “package X isn’t reachable,” but “function `Foo::bar()` (the vulnerable sink) is never called in any admissible execution of image Y,” backed by cryptographic provenance. --- # Why this matters (quickly) * **Trust**: Auditors and customers can verify why you suppressed a CVE. * **Quiet scanner**: Fewer false alarms because decisions cite concrete call‑paths (or their absence). * **Moat**: Competitors stop at file/package reachability; you show **function‑level** proof tied to in‑toto attestations. --- # Core concept (plain) Blend two things: 1. **Deterministic symbol reachability** (per language): build minimal call graphs and mark whether the vulnerable symbol is callable from your app’s entrypoints. 2. **in‑toto‑anchored provenance**: sign the *inputs and reasoning* (rules, SBOM slice, call‑graph hash, evidence artifacts), so the verdict can be independently re‑verified. Result: each VEX decision is a **verifiable mini‑proof**. --- # What the evidence looks like (per CVE/component) * **Symbol set**: canonical IDs of vulnerable functions (e.g., `pkg@ver#Type::Method(sig)`). * **Call‑graph digest**: hash of pruned call graph from app entrypoints to those symbols. * **Evidence**: * Static: “No path from any entrypoint → {vuln symbols} (k=0).” * Optional runtime: sampled traces (EventPipe/JFR/eBPF) show **0 hits** to symbols/guards. * **Context**: build inputs (SBOM, lockfiles, compile units), framework models used, versions. * **Attestation**: in‑toto/DSSE signed bundle with reproducible scan manifest. --- # Minimal prototype this week (Scanner reachability scorer) 1. **Symbol mappers (MVP)** * .NET: read PDB + IL to enumerate `MethodDef` symbols; map NuGet pkg → assembly → methods. * JVM: JAR index + method table (from ASM); map Maven coords → classes → methods. 2. **Entrypoint discovery** * Docker CMD/ENTRYPOINT → process launch → managed main(s) (ASP.NET Program.Main, Spring Boot main). 3. **Shallow call‑graph** (no fancy points‑to yet): * Direct calls + common framework handoffs (ASP.NET routing → controller; Spring @RequestMapping → handler). 4. **Vuln ↔ symbol alignment** * Heuristics: match GHSA/OSV “affected functions” or patch diff to infer symbol names; fallback to package‑scope verdict with a flag “symbol‑inferred: false”. 5. **Decision object** * `ReachabilityDecision.json` with: entrypoints, symbol set, path_count, notes, hashes. 6. **Attest** * Emit `reachability.intoto.jsonl` (subject = image digest + SBOM component + symbol digest). Cosign with your test key. 7. **VEX output** * OpenVEX statement reason: `component_not_present` or `vulnerable_code_not_in_execute_path` with `justification_url` → small HTML report (signed). --- # Data & schemas to add * `Scanner.Reachability/` * `SymbolIndex` (pkg → assemblies/classes/methods) * `EntryPoints` (per image, normalized) * `CallGraphPruned` (edges + hash) * `Decision` (path_count, evidence, versions) * `Authority` * Key management for DSSE; policy to **require** reachability evidence for “non‑affected”. --- # Language roadmap (fast win → harder) * **Week 1–2:** .NET + JVM shallow graphs + ASP.NET/Spring models. * **Week 3–4:** Node/TS (TS compiler API), Go (SSA), Python (import graph + common web frameworks). * **Stretch:** Rust/Swift (MIR/SIL summaries), native (symbols + coarse edges), Shell (exec chain). --- # Where to surface it (UX) * VEX details panel: “Non‑affected (0 call paths)” → expand → show entrypoints, collapsed edge list, trace hit‑counts, and “Verify attestation” button. * CLI: `stella scan --explain CVE-XYZ --verify-attestation`. --- # Guardrails * If symbol mapping is uncertain, **do not** claim “non‑affected”; downgrade to “under review” with rationale. * Cache symbol indexes per package version; keep the call‑graph pruned to entrypoint cones for speed. * Everything reproducible: the **scan manifest** (feeds, rule versions, hashes) must recreate the same decision bit‑for‑bit. --- If you want, I can draft the exact C# namespaces, interfaces, and the OpenVEX + in‑toto payloads you can drop into `Scanner.Reachability` and `Authority.Attest`.