# Multi-Language Call Graph Extractors and Analyzers (.NET, Go, Java, JS, Python, Ruby, PHP, Bun, Deno)

## Module

Scanner

## Status

IMPLEMENTED

## Description

Call graph extractors for .NET, Go, Java, JavaScript, Python, Ruby, PHP, Bun, and Deno. .NET has a dedicated language analyzer with an entrypoint resolver and a capability scanner. Includes capability scanning, sink matching, and binary call graph extraction.

## Implementation Details

- **Extractor Framework**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/ICallGraphExtractor.cs` - `ICallGraphExtractor` interface for language-specific call graph extraction
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/ICallGraphExtractorRegistry.cs` - `ICallGraphExtractorRegistry` for registering and resolving extractors by language
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/CallGraphExtractorRegistry.cs` - Registry implementation
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/GuardDetector.cs` - Detects security guards (auth, admin, feature flags) in call paths
- **Per-Language Extractors** (each with extractor, entrypoint classifier, and sink matcher):
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/DotNet/DotNetCallGraphExtractor.cs` - .NET call graph via Cecil IL analysis
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Go/GoCallGraphExtractor.cs` - Go call graph via SSA analysis
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Java/JavaCallGraphExtractor.cs` - Java call graph via bytecode analysis
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/JavaScript/JavaScriptCallGraphExtractor.cs` - JavaScript call graph
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Node/NodeCallGraphExtractor.cs` - Node.js call graph with Babel parsing
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Python/PythonCallGraphExtractor.cs` - Python call graph via AST
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Ruby/RubyCallGraphExtractor.cs` - Ruby call graph
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Php/PhpCallGraphExtractor.cs` - PHP call graph
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Bun/BunCallGraphExtractor.cs` - Bun call graph
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Deno/DenoCallGraphExtractor.cs` - Deno call graph
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/BinaryCallGraphExtractor.cs` - Binary (ELF/PE) call graph via disassembly
- **Sink Matchers** (per-language):
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Go/GoSinkMatcher.cs`, `Java/JavaSinkMatcher.cs`, `JavaScript/JsSinkMatcher.cs`, `Python/PythonSinkMatcher.cs`, `Ruby/RubySinkMatcher.cs`, `Php/PhpSinkMatcher.cs`, `Bun/BunSinkMatcher.cs`, `Deno/DenoSinkMatcher.cs`
- **Entrypoint Classifiers** (per-language):
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Go/GoEntrypointClassifier.cs`, `Java/JavaEntrypointClassifier.cs`, `JavaScript/JsEntrypointClassifier.cs`, `Python/PythonEntrypointClassifier.cs`, `Ruby/RubyEntrypointClassifier.cs`, `Php/PhpEntrypointClassifier.cs`, `Bun/BunEntrypointClassifier.cs`, `Deno/DenoEntrypointClassifier.cs`, `Binary/BinaryEntrypointClassifier.cs`
- **Reachability Analysis**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Analysis/ReachabilityAnalyzer.cs` - `ReachabilityAnalyzer` determines reachability from entrypoints to vulnerable sinks
- **Caching**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Caching/ICallGraphCacheService.cs` - Cache interface for call graph results
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Caching/ValkeyCallGraphCacheService.cs` - Valkey-backed cache for call graph data

## E2E Test Plan

- [ ] Scan a multi-language container image and verify call graphs are extracted for each detected language runtime
- [ ] Verify .NET call graph extraction identifies entrypoints (controllers, Main) and traces calls to vulnerable methods
- [ ] Verify Go call graph extraction uses SSA analysis to resolve interface dispatch targets
- [ ] Verify Java call graph extraction analyzes bytecode to extract method call relationships
- [ ] Verify sink matchers correctly identify known dangerous functions (e.g., `Runtime.exec`, `eval`, `os.system`) in each language
- [ ] Verify entrypoint classifiers correctly identify web handlers, CLI entry points, and background workers
- [ ] Verify the reachability analyzer produces reachability verdicts by tracing paths from entrypoints through call graphs to vulnerable sinks
- [ ] Verify call graph caching avoids re-extraction on rescan of unchanged layers
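The entrypoint-to-sink verdict that the reachability analyzer and the test plan describe, as an added Python example that is not the project's code: a breadth-first search over a constructed call graph, with a guard check in the spirit of `GuardDetector`, that separates an unguarded path to a sink from one that only exists through an auth guard. The method names, the graph, and the guard and sink sets are all constructed for the example.

```python
from collections import deque

# Constructed sample call graph (not the project's data): caller -> callees.
CALL_GRAPH = {
    "UploadController.Post": ["AuthGuard.RequireAdmin"],
    "AuthGuard.RequireAdmin": ["FileService.Save"],
    "FileService.Save": ["ImageLib.Resize"],
    "ImageLib.Resize": [],
    "HealthController.Get": ["Metrics.Report"],
    "Metrics.Report": [],
    "Worker.Run": ["ImageLib.Resize"],
}
ENTRYPOINTS = {"UploadController.Post", "HealthController.Get", "Worker.Run"}
SINKS = {"ImageLib.Resize"}          # hypothetical method flagged by an advisory
GUARDS = {"AuthGuard.RequireAdmin"}  # hypothetical guard node on the path


def find_path(graph, start, targets, blocked=frozenset()):
    """BFS from start to any node in targets; returns the shortest call path
    as a list, or None. Nodes in `blocked` are never traversed."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in targets:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for callee in graph.get(node, []):
            if callee in parent or callee in blocked:
                continue
            parent[callee] = node
            queue.append(callee)
    return None


def reachability_verdicts(graph, entrypoints, sinks, guards):
    """Per entrypoint: ('reachable', path) when a path avoiding every guard
    exists, ('reachable-guarded', path) when all paths cross a guard node,
    or ('unreachable', None)."""
    verdicts = {}
    for ep in sorted(entrypoints):
        unguarded = find_path(graph, ep, sinks, blocked=guards)
        if unguarded is not None:
            verdicts[ep] = ("reachable", unguarded)
            continue
        guarded = find_path(graph, ep, sinks)
        verdicts[ep] = ("reachable-guarded", guarded) if guarded else ("unreachable", None)
    return verdicts
```

A verdict of `reachable-guarded` still deserves review, since the guard itself may be bypassable; it only lowers the priority relative to an unguarded path.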