# Trigger Method / Vulnerable Function Extraction

## Module
Scanner

## Status
VERIFIED

## Description
Multi-language call graph extraction with guard detection and drift cause explanation. Covers entrypoint-to-sink path analysis.

## Implementation Details
- **Trigger Method Extractor**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Triggers/TriggerMethodExtractor.cs` - `TriggerMethodExtractor` extracting vulnerable trigger methods from vulnerability advisories and mapping them to call graph nodes
  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Triggers/ITriggerMethodExtractor.cs` - Interface for trigger method extraction
  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Models/VulnSurfaceTrigger.cs` - `VulnSurfaceTrigger` model for extracted trigger methods
- **Vulnerable Function Matching**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/VulnerableFunctionMatcher.cs` - `VulnerableFunctionMatcher` matching binary functions against known vulnerable function signatures
- **Guard Detection**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/GuardDetector.cs` - `GuardDetector` detecting guard conditions (null checks, feature flags, auth checks) that protect vulnerable paths
- **Drift Cause Explanation**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/Services/DriftCauseExplainer.cs` - `DriftCauseExplainer` explaining why reachability changed (new dependency, updated call path, removed guard)
  - `src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/Services/ReachabilityDriftDetector.cs` - `ReachabilityDriftDetector` detecting reachability changes between scan versions
- **Tests**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces.Tests/TriggerMethodExtractorTests.cs` - Trigger extraction tests
  - `src/Scanner/__Tests/StellaOps.Scanner.ReachabilityDrift.Tests/DriftCauseExplainerTests.cs` - Drift cause explanation tests

## E2E Test Plan
- [ ] Extract trigger methods from a Java vulnerability advisory (e.g., log4j) and verify the vulnerable methods are correctly identified
- [ ] Verify `VulnerableFunctionMatcher` matches binary symbols against known vulnerable function signatures
- [ ] Verify `GuardDetector` detects authentication guards that protect vulnerable call paths
- [ ] Verify `DriftCauseExplainer` correctly explains why a previously unreachable vulnerability became reachable (e.g., new transitive dependency)
- [ ] Verify entrypoint-to-sink path analysis produces a complete path from HTTP endpoint to vulnerable function
- [ ] Verify trigger method extraction works across Java, Python, JavaScript, and .NET ecosystems

---

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |