# Reachability Status Classification (R0-R3/UNREACHABLE through REACHABLE_PROVEN)

## Module

Scanner

## Status

VERIFIED

## Description

Reachability classification with multiple tiers (unreachable, possibly reachable, reachable static, reachable proven) and confidence scoring with deterministic modifiers.

## Implementation Details

- **Reachability Models**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/DependencyReachabilityModels.cs` - Defines reachability status tiers (R0=UNREACHABLE, R1=POSSIBLY_REACHABLE, R2=REACHABLE_STATIC, R3=REACHABLE_PROVEN) with confidence scoring
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachabilityPolicy.cs` - `ReachabilityPolicy` configures classification thresholds and tier boundaries
- **Static Analysis**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/StaticReachabilityAnalyzer.cs` - `StaticReachabilityAnalyzer` performs static call graph analysis for R2 classification
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ConditionalReachabilityAnalyzer.cs` - `ConditionalReachabilityAnalyzer` handles conditional reachability (feature flags, config-dependent paths)
- **Combiner**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachGraphReachabilityCombiner.cs` - `ReachGraphReachabilityCombiner` combines static and runtime signals for final classification
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/VulnerabilityReachabilityFilter.cs` - `VulnerabilityReachabilityFilter` filters vulnerabilities based on reachability status
- **Reporting**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/Reporting/DependencyReachabilityReporter.cs` - Reporter for reachability classification results
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/Reporting/DependencyReachabilityReport.cs` - Report model
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachabilityReportBuilder.cs` - Builder for constructing reports

## E2E Test Plan

- [ ] Scan a container with a vulnerability in unreachable code and verify it is classified as R0 (UNREACHABLE)
- [ ] Scan a container with a vulnerability in statically reachable code (call graph path exists) and verify R2 (REACHABLE_STATIC)
- [ ] Verify runtime-confirmed reachability (observed call) promotes classification to R3 (REACHABLE_PROVEN)
- [ ] Verify conditional reachability (behind feature flag or config) is classified as R1 (POSSIBLY_REACHABLE) with appropriate confidence
- [ ] Verify confidence scores are computed deterministically for the same input
- [ ] Verify the vulnerability filter correctly suppresses R0 findings from default result sets
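
An added example, not StellaOps code, of how a combiner can turn the static, conditional and runtime signals described above into one of the four tiers with a deterministic confidence score, and how the default filter drops R0 findings; the type and member names (`ReachabilitySignals`, `Classify`, `FilterDefault`), the score constants and the sample findings are all assumptions for illustration.

```csharp
// Added illustration, not StellaOps code: a minimal tiered combiner with deterministic confidence
// modifiers. Type and member names (ReachabilitySignals, Classify, FilterDefault) are assumed.
using System;
using System.Collections.Generic;
using System.Linq;

public enum ReachabilityTier { R0_Unreachable, R1_PossiblyReachable, R2_ReachableStatic, R3_ReachableProven }

// Per-finding inputs from the static, conditional and runtime analyzers (assumed shape).
public sealed record ReachabilitySignals(
    string VulnId,
    bool StaticPathExists,    // a call-graph path from an entrypoint reaches the vulnerable symbol
    int StaticPathLength,     // hops on the shortest such path, 0 when none
    bool GatedByFlagOrConfig, // every static path crosses a feature-flag or config-dependent branch
    bool ObservedAtRuntime);  // the vulnerable symbol was seen executing
public sealed record ReachabilityVerdict(string VulnId, ReachabilityTier Tier, double Confidence);

public static class ReachabilityCombiner
{
    // Pure function of the signals: identical input always yields the identical tier and score.
    public static ReachabilityVerdict Classify(ReachabilitySignals s)
    {
        if (s.ObservedAtRuntime)   // runtime evidence outranks every static signal
            return new(s.VulnId, ReachabilityTier.R3_ReachableProven, 0.99);
        if (!s.StaticPathExists)   // no path at all
            return new(s.VulnId, ReachabilityTier.R0_Unreachable, 0.90);
        // Fixed modifier: each hop on the static path costs 0.02, capped at 0.20.
        double pathPenalty = Math.Min(0.20, 0.02 * s.StaticPathLength);
        if (s.GatedByFlagOrConfig) // path exists but depends on a flag or config value: demote to R1
            return new(s.VulnId, ReachabilityTier.R1_PossiblyReachable, Math.Round(0.60 - pathPenalty, 2));
        return new(s.VulnId, ReachabilityTier.R2_ReachableStatic, Math.Round(0.85 - pathPenalty, 2));
    }

    // Default result set drops R0; callers opt in to see suppressed findings.
    public static IReadOnlyList<ReachabilityVerdict> FilterDefault(
        IEnumerable<ReachabilityVerdict> verdicts, bool includeUnreachable = false)
        => verdicts.Where(v => includeUnreachable || v.Tier != ReachabilityTier.R0_Unreachable).ToList();

    public static void Main()
    {
        // Constructed sample findings matching the E2E cases: unreachable, static path, gated path, observed.
        var findings = new[] {
            new ReachabilitySignals("SAMPLE-VULN-1", false, 0, false, false),
            new ReachabilitySignals("SAMPLE-VULN-2", true, 3, false, false),
            new ReachabilitySignals("SAMPLE-VULN-3", true, 5, true, false),
            new ReachabilitySignals("SAMPLE-VULN-4", true, 2, false, true),
        };
        foreach (var v in FilterDefault(findings.Select(Classify)))
            Console.WriteLine($"{v.VulnId}: {v.Tier} (confidence {v.Confidence:0.00})");
    }
}
```

Because `Classify` is a pure function of its record input, the determinism check in the test plan reduces to classifying two equal `ReachabilitySignals` values and comparing the resulting verdicts for equality.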

---

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |