stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
01dae8d402355e64d025d6a184a42123ca2177b1
git.stella-ops.org/docs/features/checked/binaryindex/vulnerable-binaries-database.md
master 5bca406787 save checkpoint: save features
2026-02-12 10:27:23 +02:00

2.9 KiB
Raw Blame History

Vulnerable Binaries Database (BinaryIndex Module)

Module

BinaryIndex

Status

VERIFIED

Description

Dedicated BinaryIndex module with web service, worker, and library structure for binary vulnerability detection independent of package metadata.

Implementation Details

  • Modules: src/BinaryIndex/StellaOps.BinaryIndex.WebService/, src/BinaryIndex/StellaOps.BinaryIndex.Worker/, src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/
  • Key Classes:
    • Web Service: ResolutionController (Controllers/ResolutionController.cs) - vulnerability resolution API; GoldenSetController - golden set management API; PatchCoverageController - patch coverage API; BinaryIndexOpsController - ops health/bench/cache endpoints
    • Worker: ReproducibleBuildJob (Jobs/ReproducibleBuildJob.cs) - background worker for build verification
    • Persistence: BinaryVulnerabilityService (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/Services/BinaryVulnerabilityService.cs) - vulnerability detection service with match method mapping and corpus query integration
    • Cache: CachedBinaryVulnerabilityService (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Cache/CachedBinaryVulnerabilityService.cs) - Valkey-backed caching layer
    • Analysis: SignatureMatcher, TaintGateExtractor, ReachGraphBinaryReachabilityService (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/)
    • Ensemble: EnsembleDecisionEngine (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Ensemble/) - multi-tier vulnerability classification
  • Program Entry: Program.cs (src/BinaryIndex/StellaOps.BinaryIndex.WebService/Program.cs) - configures services, resolution caching, rate limiting

E2E Test Plan

  • Query the database for a known vulnerable binary (by Build-ID) and verify vulnerability is detected
  • Submit a binary for analysis and verify detection works independent of package metadata
  • Verify web service endpoints are accessible: resolution, golden set, patch coverage, ops
  • Verify worker job processes reproducible build verification in the background
  • Verify cached lookups improve performance on repeated queries
  • Verify ensemble decision engine combines all matching signals for final vulnerability classification

Verification

  • Run: docs/qa/feature-checks/runs/binaryindex/vulnerable-binaries-database/run-002/
  • Date (UTC): 2026-02-12
  • Tier 0: Source and symbol checks passed, including Worker project buildability and WebService fallback wiring.
  • Tier 1: Build and test gates passed for Analysis, Builders, Cache, Ensemble, Persistence, WebService, Worker, and related test projects.
  • Tier 2: API checks passed for ops/config, golden set listing, patch coverage, invalid payload handling (400), single and batch resolution, and repeated cache-backed resolution replay (fromCache=true).