# Dataflow-Aware Diffs (Entrypoint-to-Sink Reachability)

## Module

Scanner

## Status

VERIFIED

## Description

Semantic entrypoint orchestrator with dataflow boundary analysis, data boundary mapping, and a service security dataflow analyzer for entrypoint-to-sink reachability.

## Implementation Details

- **Semantic Entrypoint Orchestrator**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntrypointOrchestrator.cs` - Orchestrates semantic entrypoint analysis across languages
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ISemanticEntrypointAnalyzer.cs` - Interface for semantic analysis
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntryTraceAnalyzer.cs` - Trace analyzer for dataflow
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntrypoint.cs` - Entrypoint model
- **Data Boundary Analysis**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/DataBoundaryMapper.cs` - Maps data flow boundaries
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/DataFlowBoundary.cs` - Data flow boundary model
- **Capability & Threat Detection**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/CapabilityDetector.cs` - Detects capabilities (network, file, crypto, etc.)
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/ThreatVectorInferrer.cs` - Infers threat vectors from entrypoint-to-sink paths
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/CapabilityClass.cs` - Capability class model
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ThreatVector.cs` - Threat vector model
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ApplicationIntent.cs` - Application intent model
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticConfidence.cs` - Confidence scoring
- **Language Adapters**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/DotNetSemanticAdapter.cs`
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/JavaSemanticAdapter.cs`
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/NodeSemanticAdapter.cs`
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/PythonSemanticAdapter.cs`
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/GoSemanticAdapter.cs`
- **Service Security**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/` - Service-level dataflow security analysis

## E2E Test Plan

- [ ] Scan a container image with a web application and verify that entrypoint-to-sink dataflow paths are detected
- [ ] Verify `DataBoundaryMapper` identifies data flow boundaries (e.g., user input -> database, network -> filesystem)
- [ ] Verify `CapabilityDetector` identifies application capabilities (network access, file I/O, crypto usage)
- [ ] Verify `ThreatVectorInferrer` infers threat vectors from detected dataflow paths
- [ ] Verify language-specific semantic adapters work for .NET, Java, Node.js, Python, and Go applications
- [ ] Verify dataflow-aware diff results appear in the scan report

---

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |