# Binary SBOM and Build-ID to PURL Mapping

## Module
Scanner

## Status
IMPLEMENTED

## Description
Binary call graph extraction, patch verification with signature stores and evidence models, and binary index service extensions for the scanner worker.

## Implementation Details
- **Binary Call Graph Extraction**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/BinaryCallGraphExtractor.cs` - Extracts call graphs from native binaries
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/DependencyInjection/CallGraphServiceCollectionExtensions.cs` - DI registration
- **Patch Verification**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/IPatchVerificationOrchestrator.cs` - Orchestrator interface
  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/PatchVerificationOrchestrator.cs` - Orchestrates patch verification workflow
  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Services/IPatchSignatureStore.cs` - Interface for patch signature storage
  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Services/InMemoryPatchSignatureStore.cs` - In-memory signature store implementation
  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Services/EvidenceIdGenerator.cs` - Generates evidence IDs for patch verification results
- **Patch Verification Models**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Models/PatchVerificationResult.cs` - Result model
  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Models/PatchVerificationEvidence.cs` - Evidence model
  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Models/PatchVerificationContext.cs` - Context model
  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Models/PatchVerificationStatus.cs` - Status enum
  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Models/PatchVerificationOptions.cs` - Options
  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Models/DsseEnvelopeRef.cs` - DSSE envelope reference
- **Worker Integration**:
  - `src/Scanner/StellaOps.Scanner.Worker/Extensions/BinaryIndexServiceExtensions.cs` - `BinaryIndexServiceExtensions` registering `IBinaryVulnerabilityService`, `IBinaryFeatureExtractor`
  - `src/Scanner/StellaOps.Scanner.Worker/Processing/BinaryLookupStageExecutor.cs` - Binary lookup stage during scan
  - `src/Scanner/StellaOps.Scanner.Worker/Processing/BinaryVulnerabilityAnalyzer.cs` - Binary vulnerability analysis
  - `src/Scanner/StellaOps.Scanner.Worker/Processing/BinaryFindingMapper.cs` - Maps binary findings to unified finding model
- **Build-ID Index**:
  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/OfflineBuildIdIndex.cs` - Offline build-ID to PURL index
  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/IBuildIdIndex.cs` - Interface for build-ID index
  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/BuildIdIndexEntry.cs` - Index entry model
  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/BuildIdLookupResult.cs` - Lookup result model

## E2E Test Plan
- [ ] Scan a container image with native binaries containing ELF build-IDs and verify build-ID to PURL mapping resolves correctly
- [ ] Verify binary call graph extraction produces a valid call graph for native binaries via `BinaryCallGraphExtractor`
- [ ] Trigger patch verification on a scanned binary and verify `PatchVerificationOrchestrator` produces evidence with status and signature references
- [ ] Verify binary vulnerability findings are mapped to the unified finding model and appear in scan results
- [ ] Verify the offline build-ID index (`OfflineBuildIdIndex`) can resolve build-IDs without network access
- [ ] Export scan results as SBOM and verify binary components include PURL identifiers derived from build-ID mapping