{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://stella-ops.org/schemas/scanner-entrytrace-baseline.schema.json", "title": "StellaOps Scanner EntryTrace Baseline Schema", "description": "Schema for EntryTrace heuristics, baseline configurations, and entry point detection. Unblocks SCANNER-ENTRYTRACE-18-503 through 18-508 (5+ tasks).", "type": "object", "definitions": { "EntryTraceConfig": { "type": "object", "description": "EntryTrace configuration", "required": ["config_id", "language"], "properties": { "config_id": { "type": "string" }, "language": { "type": "string", "enum": ["java", "python", "javascript", "typescript", "go", "ruby", "php", "csharp", "rust"], "description": "Target language" }, "version": { "type": "string" }, "entry_point_patterns": { "type": "array", "items": { "$ref": "#/definitions/EntryPointPattern" } }, "framework_configs": { "type": "array", "items": { "$ref": "#/definitions/FrameworkConfig" } }, "heuristics": { "$ref": "#/definitions/HeuristicsConfig" }, "exclusions": { "$ref": "#/definitions/ExclusionConfig" } } }, "EntryPointPattern": { "type": "object", "description": "Pattern for detecting entry points", "required": ["pattern_id", "type", "pattern"], "properties": { "pattern_id": { "type": "string" }, "type": { "type": "string", "enum": ["annotation", "decorator", "function_name", "class_name", "file_pattern", "import_pattern", "ast_pattern"], "description": "Pattern type" }, "pattern": { "type": "string", "description": "Regex or AST pattern" }, "confidence": { "type": "number", "minimum": 0, "maximum": 1, "description": "Confidence level for this pattern" }, "entry_type": { "type": "string", "enum": ["http_endpoint", "grpc_method", "cli_command", "event_handler", "scheduled_job", "message_consumer", "test_method"], "description": "Type of entry point detected" }, "framework": { "type": "string", "description": "Associated framework (e.g., spring, express, django)" }, "metadata_extraction": { "$ref": "#/definitions/MetadataExtraction" } } }, "MetadataExtraction": { "type": "object", "description": "Rules for extracting metadata from entry points", "properties": { "http_method": { "type": "string", "description": "Pattern to extract HTTP method" }, "route_path": { "type": "string", "description": "Pattern to extract route path" }, "parameters": { "type": "string", "description": "Pattern to extract parameters" }, "auth_required": { "type": "string", "description": "Pattern to detect auth requirements" } } }, "FrameworkConfig": { "type": "object", "description": "Framework-specific configuration", "required": ["framework_id", "name"], "properties": { "framework_id": { "type": "string" }, "name": { "type": "string" }, "version_range": { "type": "string", "description": "Supported version range (semver)" }, "detection_patterns": { "type": "array", "items": { "type": "string" }, "description": "Patterns to detect framework usage" }, "entry_patterns": { "type": "array", "items": { "type": "string" }, "description": "Entry point pattern IDs for this framework" }, "router_file_patterns": { "type": "array", "items": { "type": "string" }, "description": "Glob patterns for router/route files" }, "controller_patterns": { "type": "array", "items": { "type": "string" }, "description": "Patterns to identify controller classes" } } }, "HeuristicsConfig": { "type": "object", "description": "Heuristics configuration for entry point detection", "properties": { "enable_static_analysis": { "type": "boolean", "default": true }, "enable_dynamic_hints": { "type": "boolean", "default": false, "description": "Use runtime hints if available" }, "confidence_threshold": { "type": "number", "minimum": 0, "maximum": 1, "default": 0.7, "description": "Minimum confidence to report entry point" }, "max_depth": { "type": "integer", "minimum": 1, "default": 10, "description": "Maximum call graph depth to analyze" }, "timeout_seconds": { "type": "integer", "default": 300, "description": "Analysis timeout per file" }, "scoring_weights": { "$ref": "#/definitions/ScoringWeights" } } }, "ScoringWeights": { "type": "object", "description": "Weights for confidence scoring", "properties": { "annotation_match": { "type": "number", "default": 0.9 }, "naming_convention": { "type": "number", "default": 0.6 }, "file_location": { "type": "number", "default": 0.5 }, "import_analysis": { "type": "number", "default": 0.7 }, "call_graph_centrality": { "type": "number", "default": 0.4 } } }, "ExclusionConfig": { "type": "object", "description": "Exclusion rules", "properties": { "exclude_paths": { "type": "array", "items": { "type": "string" }, "description": "Glob patterns to exclude" }, "exclude_packages": { "type": "array", "items": { "type": "string" }, "description": "Package names to exclude" }, "exclude_test_files": { "type": "boolean", "default": true }, "exclude_generated": { "type": "boolean", "default": true } } }, "EntryPoint": { "type": "object", "description": "Detected entry point", "required": ["entry_id", "type", "location"], "properties": { "entry_id": { "type": "string" }, "type": { "type": "string", "enum": ["http_endpoint", "grpc_method", "cli_command", "event_handler", "scheduled_job", "message_consumer", "test_method"] }, "name": { "type": "string" }, "location": { "$ref": "#/definitions/CodeLocation" }, "confidence": { "type": "number", "minimum": 0, "maximum": 1 }, "framework": { "type": "string" }, "http_metadata": { "$ref": "#/definitions/HttpMetadata" }, "parameters": { "type": "array", "items": { "$ref": "#/definitions/ParameterInfo" } }, "reachable_vulnerabilities": { "type": "array", "items": { "type": "string" }, "description": "CVE IDs reachable from this entry point" }, "call_paths": { "type": "array", "items": { "$ref": "#/definitions/CallPath" } }, "detection_method": { "type": "string", "description": "Pattern ID that detected this entry" } } }, "CodeLocation": { "type": "object", "description": "Source code location", "required": ["file_path"], "properties": { "file_path": { "type": "string" }, "line_start": { "type": "integer" }, "line_end": { "type": "integer" }, "column_start": { "type": "integer" }, "column_end": { "type": "integer" }, "function_name": { "type": "string" }, "class_name": { "type": "string" }, "package_name": { "type": "string" } } }, "HttpMetadata": { "type": "object", "description": "HTTP endpoint metadata", "properties": { "method": { "type": "string", "enum": ["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"] }, "path": { "type": "string" }, "path_parameters": { "type": "array", "items": { "type": "string" } }, "query_parameters": { "type": "array", "items": { "type": "string" } }, "consumes": { "type": "array", "items": { "type": "string" } }, "produces": { "type": "array", "items": { "type": "string" } }, "auth_required": { "type": "boolean" }, "auth_scopes": { "type": "array", "items": { "type": "string" } } } }, "ParameterInfo": { "type": "object", "description": "Entry point parameter", "properties": { "name": { "type": "string" }, "type": { "type": "string" }, "source": { "type": "string", "enum": ["path", "query", "header", "body", "form", "cookie"] }, "required": { "type": "boolean" }, "tainted": { "type": "boolean", "description": "Whether this is a potential taint source" } } }, "CallPath": { "type": "object", "description": "Call path from entry point to vulnerability", "properties": { "target_vulnerability": { "type": "string", "description": "CVE ID or vulnerability identifier" }, "path_length": { "type": "integer" }, "calls": { "type": "array", "items": { "$ref": "#/definitions/CallSite" } }, "confidence": { "type": "number", "minimum": 0, "maximum": 1 } } }, "CallSite": { "type": "object", "description": "Individual call in call path", "properties": { "caller": { "type": "string" }, "callee": { "type": "string" }, "location": { "$ref": "#/definitions/CodeLocation" }, "call_type": { "type": "string", "enum": ["direct", "virtual", "interface", "reflection", "lambda"] } } }, "BaselineReport": { "type": "object", "description": "EntryTrace baseline analysis report", "required": ["report_id", "scan_id", "entry_points"], "properties": { "report_id": { "type": "string", "format": "uuid" }, "scan_id": { "type": "string" }, "generated_at": { "type": "string", "format": "date-time" }, "config_used": { "type": "string", "description": "Config ID used for analysis" }, "entry_points": { "type": "array", "items": { "$ref": "#/definitions/EntryPoint" } }, "statistics": { "$ref": "#/definitions/BaselineStatistics" }, "frameworks_detected": { "type": "array", "items": { "type": "string" } }, "analysis_duration_ms": { "type": "integer" }, "digest": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" } } }, "BaselineStatistics": { "type": "object", "description": "Baseline analysis statistics", "properties": { "total_entry_points": { "type": "integer" }, "by_type": { "type": "object", "additionalProperties": { "type": "integer" } }, "by_framework": { "type": "object", "additionalProperties": { "type": "integer" } }, "by_confidence": { "type": "object", "properties": { "high": { "type": "integer" }, "medium": { "type": "integer" }, "low": { "type": "integer" } } }, "files_analyzed": { "type": "integer" }, "files_skipped": { "type": "integer" }, "reachable_vulnerabilities": { "type": "integer" } } } }, "properties": { "configs": { "type": "array", "items": { "$ref": "#/definitions/EntryTraceConfig" } }, "baseline_reports": { "type": "array", "items": { "$ref": "#/definitions/BaselineReport" } } }, "examples": [ { "configs": [ { "config_id": "java-spring-baseline", "language": "java", "version": "1.0.0", "entry_point_patterns": [ { "pattern_id": "spring-request-mapping", "type": "annotation", "pattern": "@(Get|Post|Put|Delete|Patch|Request)Mapping", "confidence": 0.95, "entry_type": "http_endpoint", "framework": "spring", "metadata_extraction": { "http_method": "annotation.name.replace('Mapping', '').toUpperCase()", "route_path": "annotation.value || annotation.path" } }, { "pattern_id": "spring-rest-controller", "type": "annotation", "pattern": "@RestController", "confidence": 0.9, "entry_type": "http_endpoint", "framework": "spring" }, { "pattern_id": "spring-scheduled", "type": "annotation", "pattern": "@Scheduled", "confidence": 0.95, "entry_type": "scheduled_job", "framework": "spring" } ], "framework_configs": [ { "framework_id": "spring-boot", "name": "Spring Boot", "version_range": ">=2.0.0", "detection_patterns": [ "org.springframework.boot", "@SpringBootApplication" ], "entry_patterns": ["spring-request-mapping", "spring-rest-controller", "spring-scheduled"], "router_file_patterns": ["**/controller/**/*.java", "**/rest/**/*.java"], "controller_patterns": [".*Controller$", ".*Resource$"] } ], "heuristics": { "enable_static_analysis": true, "enable_dynamic_hints": false, "confidence_threshold": 0.7, "max_depth": 15, "timeout_seconds": 600, "scoring_weights": { "annotation_match": 0.95, "naming_convention": 0.6, "file_location": 0.5, "import_analysis": 0.7, "call_graph_centrality": 0.4 } }, "exclusions": { "exclude_paths": ["**/test/**", "**/generated/**"], "exclude_packages": ["org.springframework.test"], "exclude_test_files": true, "exclude_generated": true } } ], "baseline_reports": [ { "report_id": "550e8400-e29b-41d4-a716-446655440000", "scan_id": "scan-2025-12-06-001", "generated_at": "2025-12-06T10:00:00Z", "config_used": "java-spring-baseline", "entry_points": [ { "entry_id": "ep-001", "type": "http_endpoint", "name": "getUserById", "location": { "file_path": "src/main/java/com/example/UserController.java", "line_start": 25, "line_end": 35, "function_name": "getUserById", "class_name": "UserController", "package_name": "com.example" }, "confidence": 0.95, "framework": "spring", "http_metadata": { "method": "GET", "path": "/api/users/{id}", "path_parameters": ["id"], "auth_required": true }, "parameters": [ { "name": "id", "type": "Long", "source": "path", "required": true, "tainted": true } ], "reachable_vulnerabilities": ["CVE-2023-1234"], "detection_method": "spring-request-mapping" } ], "statistics": { "total_entry_points": 45, "by_type": { "http_endpoint": 40, "scheduled_job": 3, "message_consumer": 2 }, "by_framework": { "spring": 45 }, "by_confidence": { "high": 38, "medium": 5, "low": 2 }, "files_analyzed": 120, "files_skipped": 15, "reachable_vulnerabilities": 12 }, "frameworks_detected": ["spring-boot"], "analysis_duration_ms": 45000, "digest": "sha256:entry123def456789012345678901234567890123456789012345678901234entry" } ] } ] }