Semantic Entrypoint Engine

Module: Scanner
Status: IMPLEMENTED

Description
Classifies entrypoints with semantic meaning (ApplicationIntent, CapabilityClass flags, ThreatVector, DataFlowBoundary) to enable risk-aware prioritization beyond pure reachability. Includes per-language semantic adapters for Python, Java, Node, .NET, and Go.
Implementation Details
- Semantic Models:
  - src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntrypoint.cs - SemanticEntrypoint model combining ApplicationIntent, CapabilityClass, ThreatVector, and DataFlowBoundary
  - src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ApplicationIntent.cs - ApplicationIntent enum classifying the purpose of an entrypoint (e.g., WebApi, CLI, Worker, Scheduler)
  - src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/CapabilityClass.cs - CapabilityClass flags for entrypoint capabilities (e.g., NetworkAccess, FileSystem, Crypto, ProcessExec)
  - src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ThreatVector.cs - ThreatVector enum classifying potential threat exposure (e.g., External, Internal, Privileged)
  - src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/DataFlowBoundary.cs - DataFlowBoundary enum classifying data flow trust boundaries
- Orchestrator:
  - src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntrypointOrchestrator.cs - SemanticEntrypointOrchestrator coordinating analysis across per-language adapters
  - src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntryTraceAnalyzer.cs - SemanticEntryTraceAnalyzer performing semantic classification
  - src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ISemanticEntrypointAnalyzer.cs - Interface for semantic analysis
- Analysis Components:
  - src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/ThreatVectorInferrer.cs - ThreatVectorInferrer inferring threat vectors from entrypoint characteristics
  - src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/DataBoundaryMapper.cs - DataBoundaryMapper mapping data flow boundaries
  - src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/CapabilityDetector.cs - CapabilityDetector detecting capability flags
- Per-Language Adapters:
  - src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/PythonSemanticAdapter.cs - Python semantic adapter (Flask, Django, FastAPI patterns)
  - src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/JavaSemanticAdapter.cs - Java semantic adapter (Spring, Jakarta patterns)
  - src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/NodeSemanticAdapter.cs - Node.js semantic adapter (Express, Fastify patterns)
  - src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/DotNetSemanticAdapter.cs - .NET semantic adapter (ASP.NET, gRPC patterns)
  - src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/GoSemanticAdapter.cs - Go semantic adapter (net/http, gin patterns)
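The following is an added illustration, not code from StellaOps.Scanner.EntryTrace, of how the four semantic dimensions above can be combined into a risk score that orders entrypoints beyond pure reachability. The enum members, the SemanticEntrypoint record shape, the RiskPrioritizer class and all weights are assumptions made for this example; the sample entrypoints are constructed to mirror the Flask and Spring cases in the E2E test plan.

```csharp
using System;
using System.Linq;
// Assumed shapes for this example; the real StellaOps types live in the Semantic/ files listed above.
enum ApplicationIntent { WebApi, CLI, Worker, Scheduler }
enum ThreatVector { Internal, Privileged, External }
enum DataFlowBoundary { None, UserInputToDatabase, NetworkToFileSystem }
[Flags]
enum CapabilityClass { None = 0, NetworkAccess = 1, FileSystem = 2, Crypto = 4, ProcessExec = 8 }
record SemanticEntrypoint(string Name, ApplicationIntent Intent, CapabilityClass Capabilities,
                          ThreatVector Vector, DataFlowBoundary Boundary, bool Reachable);

static class RiskPrioritizer
{
    // Exposure scales the capability and boundary weight; reachability only doubles
    // the score, so an exposed but currently unreachable entrypoint is ranked, not dropped.
    public static int Score(SemanticEntrypoint e)
    {
        int exposure = e.Vector switch { ThreatVector.External => 3, ThreatVector.Privileged => 2, _ => 1 };
        int caps = 0;
        if (e.Capabilities.HasFlag(CapabilityClass.ProcessExec))   caps += 4;
        if (e.Capabilities.HasFlag(CapabilityClass.FileSystem))    caps += 2;
        if (e.Capabilities.HasFlag(CapabilityClass.NetworkAccess)) caps += 2;
        if (e.Capabilities.HasFlag(CapabilityClass.Crypto))        caps += 1;
        int boundary = e.Boundary == DataFlowBoundary.None ? 0 : 3;
        return exposure * (caps + boundary) * (e.Reachable ? 2 : 1);
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample: roughly what the Python and Java adapters would emit for the test-plan cases.
        var entrypoints = new[]
        {
            new SemanticEntrypoint("flask:upload_file", ApplicationIntent.WebApi,
                CapabilityClass.NetworkAccess | CapabilityClass.FileSystem,
                ThreatVector.External, DataFlowBoundary.NetworkToFileSystem, Reachable: true),
            new SemanticEntrypoint("spring:@Scheduled cleanup", ApplicationIntent.Scheduler,
                CapabilityClass.FileSystem | CapabilityClass.ProcessExec,
                ThreatVector.Internal, DataFlowBoundary.None, Reachable: true),
            new SemanticEntrypoint("cli:rotate-keys", ApplicationIntent.CLI,
                CapabilityClass.Crypto, ThreatVector.Privileged, DataFlowBoundary.None, Reachable: false),
        };
        // Highest score first: external exposure plus a boundary crossing outranks an internal scheduler
        // even though both are reachable, which is the ordering reachability alone cannot produce.
        foreach (var e in entrypoints.OrderByDescending(x => RiskPrioritizer.Score(x)).ThenBy(x => x.Name))
            Console.WriteLine($"{RiskPrioritizer.Score(e),3}  {e.Vector,-10} {e.Intent,-9} {e.Name}");
    }
}
```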
E2E Test Plan
- Analyze a Python Flask web application entrypoint and verify it is classified with ApplicationIntent=WebApi, ThreatVector=External, and appropriate CapabilityClass flags
- Analyze a Java Spring Boot scheduler entrypoint and verify ApplicationIntent=Scheduler with Internal threat vector
- Verify CapabilityDetector correctly identifies NetworkAccess, FileSystem, and Crypto capabilities from code patterns
- Verify ThreatVectorInferrer distinguishes between externally-exposed and internal-only entrypoints
- Verify DataBoundaryMapper correctly classifies trust boundary crossings (e.g., user input to database, network to filesystem)
- Verify the orchestrator aggregates results from all per-language adapters into a unified semantic entrypoint classification