# SBOM Dependency Reachability Inference (Scanner-Integrated)

## Module

Scanner

## Status

IMPLEMENTED

## Description

Scanner pipeline stage that infers reachability for SBOM components by combining dependency graph analysis with reach-graph call-graph data, producing dependency-level reachability reports with conditional analysis. It is distinct from the existing "Reachability Core Library" and "Call Graph Construction" features, which focus on function-level call graphs; this stage performs SBOM-component-level dependency reachability inference as a scanner stage.

## Implementation Details

- **Scanner Pipeline Stage**:
  - `src/Scanner/StellaOps.Scanner.Worker/Processing/Reachability/SbomReachabilityStageExecutor.cs` - `SbomReachabilityStageExecutor` scanner pipeline stage that orchestrates SBOM-level dependency reachability inference
- **Dependency Graph Analysis**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/DependencyGraphBuilder.cs` - `DependencyGraphBuilder` constructs dependency graphs from SBOM components
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/StaticReachabilityAnalyzer.cs` - `StaticReachabilityAnalyzer` performs static reachability analysis on the dependency graph
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ConditionalReachabilityAnalyzer.cs` - `ConditionalReachabilityAnalyzer` performs conditional reachability analysis (e.g., a component is only reachable if certain features are enabled)
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/EntryPointDetector.cs` - `EntryPointDetector` identifies entry points in the dependency graph
- **Reach-Graph Integration**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachGraphReachabilityCombiner.cs` - `ReachGraphReachabilityCombiner` combines reach-graph call-graph data with dependency-level analysis
- **Reporting**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/Reporting/DependencyReachabilityReport.cs` - `DependencyReachabilityReport` model for component-level reachability results
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/Reporting/DependencyReachabilityReporter.cs` - `DependencyReachabilityReporter` generates human-readable reports from reachability analysis
- **Policy & Filtering**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachabilityPolicy.cs` - `ReachabilityPolicy` defines rules for reachability classification
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachabilityPolicyLoader.cs` - Loads reachability policies from configuration
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/VulnerabilityReachabilityFilter.cs` - `VulnerabilityReachabilityFilter` filters vulnerability findings based on reachability status
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachabilityReportBuilder.cs` - Builds structured reachability reports
- **Models**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/DependencyReachabilityModels.cs` - Data models for dependency reachability analysis
- **Tests**:
  - `src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/DependencyReachabilityReporterTests.cs` - Unit tests for reporting
  - `src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/DependencyReachabilityIntegrationTests.cs` - Integration tests for the full pipeline

## E2E Test Plan

- [ ] Run the `SbomReachabilityStageExecutor` on an SBOM with a known dependency graph and verify each component receives a reachability classification
- [ ] Verify the `ConditionalReachabilityAnalyzer` correctly identifies dependencies that are only reachable under specific feature configurations
- [ ] Verify the `ReachGraphReachabilityCombiner` augments dependency-level analysis with function-level call-graph evidence from the reach-graph
- [ ] Verify the `DependencyReachabilityReport` includes per-component reachability status, evidence chain, and confidence scores
- [ ] Verify the `VulnerabilityReachabilityFilter` correctly suppresses vulnerability findings for unreachable dependencies
- [ ] Verify the stage executor integrates into the scanner worker pipeline and passes results to downstream stages
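The following is an added, stand-alone model of the static plus conditional inference and the finding filter described above; it is not StellaOps code, and the component names, feature flags and finding IDs are constructed samples. Reachability is propagated from entry points over the dependency graph; an edge gated on a feature that is not enabled downgrades everything behind it to "conditional", and the evidence chain is the path that produced the best status.

```python
from collections import deque

RANK = {"reachable": 2, "conditional": 1, "unreachable": 0}

# Constructed sample SBOM dependency graph (hypothetical component names).
# component -> list of (dependency, feature flag gating that edge, or None).
SBOM_EDGES = {
    "app":        [("web", None), ("yaml", None), ("xml-legacy", "legacy_import")],
    "web":        [("json", None), ("tls", None)],
    "yaml":       [("yaml-anchors", "rich_yaml")],
    "xml-legacy": [("xml-core", None)],
    "json": [], "tls": [], "yaml-anchors": [], "xml-core": [], "test-utils": [],
}
# Constructed findings: (finding id, affected component).
FINDINGS = [("VULN-A", "json"), ("VULN-B", "xml-core"),
            ("VULN-C", "test-utils"), ("VULN-D", "yaml-anchors")]


def infer_reachability(edges, entry_points, enabled_features):
    """Return {component: (status, evidence_path)} for every component.

    Worklist relaxation: a component keeps the best status seen on any path,
    so a later unconditional path can upgrade an earlier conditional one.
    """
    result = {c: ("unreachable", []) for c in edges}
    queue = deque()
    for ep in entry_points:
        result[ep] = ("reachable", [ep])
        queue.append(ep)
    while queue:
        node = queue.popleft()
        status, path = result[node]
        for dep, feature in edges.get(node, []):
            dep_status = status
            if feature is not None and feature not in enabled_features:
                dep_status = "conditional"  # reachable only if the feature is turned on
            if RANK[dep_status] > RANK[result[dep][0]]:
                result[dep] = (dep_status, path + [dep])
                queue.append(dep)
    return result


def filter_findings(findings, reachability):
    """Suppress findings on unreachable components; keep the rest with evidence."""
    kept = []
    for vuln_id, component in findings:
        status, path = reachability.get(component, ("unreachable", []))
        if status == "unreachable":
            continue
        kept.append({"id": vuln_id, "component": component,
                     "status": status, "evidence": " -> ".join(path)})
    return kept
```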