# Vulnerable Code Fingerprint Matching (CFG + Basic Block + String Refs Ensemble)

## Module
BinaryIndex

## Status
VERIFIED
## Description
Function-level vulnerability detection independent of package metadata using an ensemble of fingerprint algorithms: basic block hashing, control flow graph fingerprinting, and string reference fingerprinting. Combined generator provides multi-algorithm similarity matching with configurable thresholds. Includes pre-seeded fingerprints for high-impact CVEs in OpenSSL, glibc, zlib, and curl.

## Implementation Details
- **Modules**: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Ensemble/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/`
- **Key Classes**:
  - `SignatureMatcher` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/SignatureMatcher.cs`) - matches vulnerability signatures using fingerprint index
  - `EnsembleDecisionEngine` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Ensemble/EnsembleDecisionEngine.cs`) - combines CFG, basic block, string ref, and ML embedding fingerprints with configurable weights
  - `FunctionAnalysisBuilder` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Ensemble/FunctionAnalysisBuilder.cs`) - assembles multi-algorithm fingerprint inputs
  - `SemanticFingerprintGenerator` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Semantic/SemanticFingerprintGenerator.cs`) - KSG-based semantic fingerprinting
  - `CallNgramGenerator` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Semantic/CallNgramGenerator.cs`) - call-sequence fingerprinting
  - `BinaryVulnerabilityService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/Services/BinaryVulnerabilityService.cs`) - vulnerability lookup with pre-seeded fingerprints
- **Models**: `SignatureIndexModels` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/Models/`) - fingerprint index models
- **Source**: SPRINT_20251226_013_BINIDX_fingerprint_factory.md

## E2E Test Plan
- [x] Match a known vulnerable function (e.g., OpenSSL Heartbleed) against pre-seeded fingerprints and verify detection
- [x] Verify multi-algorithm ensemble: CFG fingerprint + basic block hash + string refs all contribute to match score
- [x] Verify configurable threshold: adjust threshold to 0.8 and verify borderline matches are excluded
- [x] Verify pre-seeded fingerprints exist for high-impact CVEs (OpenSSL, glibc, zlib, curl)
- [x] Verify false positive rate: submit clean binary functions and verify no false matches
- [x] Verify `EnsembleDecisionEngine` weight tuning affects match outcomes

## Verification
- Verified on 2026-02-12 via run `run-002`.
- Tier 0 source/symbol checks: pass.
- Tier 1 build/tests/code-review: pass (`420/420` tests).
- Tier 2 behavioral verification: pass (golden signature behavior, threshold behavior, and pre-seeded package coverage including openssl/glibc/zlib/curl).
- Run evidence: `docs/qa/feature-checks/runs/binaryindex/vulnerable-code-fingerprint-matching/run-002/`.