# Binary SBOM and Build-ID to PURL Mapping

## Module

Scanner

## Status

VERIFIED

## Description

Binary call graph extraction, offline Build-ID to PURL correlation, patch verification orchestration, and unified binary finding mapping are wired into Scanner worker execution with deterministic Tier 1/Tier 2 evidence.

## Implementation Details

- **Binary call graph extraction**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/BinaryCallGraphExtractor.cs`
- **Patch verification engine + contracts**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/IPatchVerificationOrchestrator.cs`
  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/PatchVerificationOrchestrator.cs`
  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/DependencyInjection/ServiceCollectionExtensions.cs`
- **Build-ID index**:
  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/IBuildIdIndex.cs`
  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/OfflineBuildIdIndex.cs`
  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/BuildIdLookupResult.cs`
- **Worker runtime wiring**:
  - `src/Scanner/StellaOps.Scanner.Worker/Extensions/BinaryIndexServiceExtensions.cs` - registers patch verification services in the worker binary integration path.
  - `src/Scanner/StellaOps.Scanner.Worker/Processing/BinaryLookupStageExecutor.cs`
    - publishes mapped binary findings for downstream gating.
    - executes Build-ID index batch lookup and stores mapping output.
    - executes patch verification orchestration and stores the verification result.
  - `src/Scanner/StellaOps.Scanner.Worker/Processing/BinaryFindingMapper.cs` - runtime call path now exercised from the binary lookup stage.
- **Shared analysis contracts**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Contracts/ScanAnalysisKeys.cs` - added binary build-id mapping and patch-verification analysis keys.
- **Worker validation test**:
  - `src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/BinaryLookupStageExecutorTests.cs`

## E2E Test Plan

- [x] Scan a container image with native binaries containing ELF build-IDs and verify that the Build-ID to PURL mapping runtime path executes.
- [x] Verify binary call graph extraction behavior via `BinaryCallGraphExtractor` tests.
- [x] Verify patch verification orchestration executes on both the patch-data and no-patch-data paths.
- [x] Verify binary vulnerability findings are mapped into unified finding objects for downstream stages.
- [x] Verify the offline Build-ID index resolves exact mappings without network access.
- [x] Verify worker runtime wiring includes patch verification, build-id lookup, and finding mapping call sites.

## Verification

- Run ID: `run-002`
- Date (UTC): 2026-02-12
- Tier 0: Source verification passed (`tier0-source-check.json`).
- Tier 1: Build, focused behavior tests, and code-review semantic wiring checks passed (`tier1-build-check.json`, `tier1-code-review.json`).
- Tier 2: Integration/e2e summary passed, including runtime wiring parity checks (`tier2-integration-check.json`, `tier2-e2e-check.json`).