git.stella-ops.org/docs/features/unchecked/binaryindex/vulnerable-binaries-database.md

# Vulnerable Binaries Database (BinaryIndex Module)

| Field | Value |
| --- | --- |
| Module | BinaryIndex |
| Status | IMPLEMENTED |
| Description | Dedicated BinaryIndex module with web service, worker, and library structure for binary vulnerability detection independent of package metadata. |

## Implementation Details

- Modules: `src/BinaryIndex/StellaOps.BinaryIndex.WebService/`, `src/BinaryIndex/StellaOps.BinaryIndex.Worker/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/`
- Key Classes:
  - Web Service: `ResolutionController` (`Controllers/ResolutionController.cs`) - vulnerability resolution API; `GoldenSetController` - golden set management API; `PatchCoverageController` - patch coverage API; `BinaryIndexOpsController` - ops health/bench/cache endpoints
  - Worker: `ReproducibleBuildJob` (`Jobs/ReproducibleBuildJob.cs`) - background worker for build verification
  - Persistence: `BinaryVulnerabilityService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/Services/BinaryVulnerabilityService.cs`) - vulnerability detection service with match method mapping and corpus query integration
  - Cache: `CachedBinaryVulnerabilityService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Cache/CachedBinaryVulnerabilityService.cs`) - Valkey-backed caching layer
  - Analysis: `SignatureMatcher`, `TaintGateExtractor`, `ReachGraphBinaryReachabilityService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/`)
  - Ensemble: `EnsembleDecisionEngine` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Ensemble/`) - multi-tier vulnerability classification
- Program Entry: `Program.cs` (`src/BinaryIndex/StellaOps.BinaryIndex.WebService/Program.cs`) - configures services, resolution caching, rate limiting

## E2E Test Plan

- Query the database for a known vulnerable binary (by Build-ID) and verify that the vulnerability is detected
- Submit a binary for analysis and verify that detection works independently of package metadata
- Verify that the web service endpoints are accessible: resolution, golden set, patch coverage, ops
- Verify that the worker job processes reproducible build verification in the background
- Verify that cached lookups improve performance on repeated queries
- Verify that the ensemble decision engine combines all matching signals into the final vulnerability classification
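The first test-plan item relies on the GNU build-id as a package-metadata-free key into the vulnerable-binaries corpus. The following is an added Python illustration of that mechanism, not code from the StellaOps project: it constructs a minimal ELF64 image carrying an `NT_GNU_BUILD_ID` note, extracts the build-id by walking `PT_NOTE` segments (the same note a real toolchain emits, so `extract_build_id` also works on genuine binaries), and looks it up in a constructed in-memory corpus. The corpus entries, the `EXAMPLE-VULN-0001` identifier and all helper names are assumptions for illustration; the project's actual corpus schema and `ResolutionController` API are not represented here.

```python
import struct
from typing import Dict, List, Optional

PT_NOTE = 4            # program header type for note segments
NT_GNU_BUILD_ID = 3    # note type carrying the GNU build-id (name "GNU")


def _pad4(b: bytes) -> bytes:
    """ELF note fields are padded to 4-byte boundaries."""
    return b + b"\0" * ((4 - len(b) % 4) % 4)


def build_note(name: bytes, ntype: int, desc: bytes) -> bytes:
    """Encode one ELF note: namesz, descsz, type, then padded name and descriptor."""
    name_z = name + b"\0"
    return struct.pack("<III", len(name_z), len(desc), ntype) + _pad4(name_z) + _pad4(desc)


def build_minimal_elf64(build_id: bytes) -> bytes:
    """Constructed sample: a little-endian ELF64 image whose only segment is a PT_NOTE
    with an NT_GNU_BUILD_ID note. It is not executable; it only exercises the parser."""
    note = build_note(b"GNU", NT_GNU_BUILD_ID, build_id)
    ehdr_size, phdr_size = 64, 56
    note_off = ehdr_size + phdr_size
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, little-endian, v1
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 62, 1, 0,          # e_type ET_EXEC, e_machine x86-64, e_version, e_entry
        ehdr_size, 0, 0,      # e_phoff, e_shoff, e_flags
        ehdr_size, phdr_size, 1,  # e_ehsize, e_phentsize, e_phnum
        64, 0, 0)             # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 4, note_off, 0, 0, len(note), len(note), 4)
    return ehdr + phdr + note


def extract_build_id(elf: bytes) -> Optional[str]:
    """Return the GNU build-id (hex) from a little-endian ELF64 image, or None if absent."""
    if len(elf) < 64 or elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        return None                      # only ELF64 little-endian is handled here
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type != PT_NOTE:
            continue
        pos, end = p_offset, p_offset + p_filesz
        while pos + 12 <= end:
            namesz, descsz, ntype = struct.unpack_from("<III", elf, pos)
            pos += 12
            name = elf[pos:pos + namesz].rstrip(b"\0")
            pos += (namesz + 3) & ~3
            desc = elf[pos:pos + descsz]
            pos += (descsz + 3) & ~3
            if name == b"GNU" and ntype == NT_GNU_BUILD_ID:
                return desc.hex()
    return None


# Constructed sample corpus (build-id hex -> vulnerability records). The identifier and
# component are made up; a real corpus would be populated from the project's database.
SAMPLE_CORPUS: Dict[str, List[dict]] = {
    "0a" * 20: [{"id": "EXAMPLE-VULN-0001", "component": "libexample.so.1",
                 "match_method": "build-id"}],
}


def lookup_vulnerabilities(elf: bytes, corpus: Dict[str, List[dict]] = SAMPLE_CORPUS) -> List[dict]:
    """Resolve a binary to corpus records purely by its build-id; no package metadata used."""
    build_id = extract_build_id(elf)
    if build_id is None:
        return []                        # stripped note or unsupported format: no match
    return corpus.get(build_id, [])


if __name__ == "__main__":
    vulnerable = build_minimal_elf64(bytes.fromhex("0a" * 20))
    clean = build_minimal_elf64(bytes.fromhex("ff" * 20))
    print("vulnerable:", lookup_vulnerabilities(vulnerable))
    print("clean:", lookup_vulnerabilities(clean))
```

A binary whose build-id note has been stripped yields no key at all, which is why the module also carries signature and ensemble matchers; a build-id miss should be treated as "unknown", not "clean".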