git.stella-ops.org/docs/reachability/gates.md
master 2170a58734
Add comprehensive security tests for OWASP A02, A05, A07, and A08 categories
- Implemented tests for Cryptographic Failures (A02) to ensure proper handling of sensitive data, secure algorithms, and key management.
- Added tests for Security Misconfiguration (A05) to validate production configurations, security headers, CORS settings, and feature management.
- Developed tests for Authentication Failures (A07) to enforce strong password policies, rate limiting, session management, and MFA support.
- Created tests for Software and Data Integrity Failures (A08) to verify artifact signatures, SBOM integrity, attestation chains, and feed updates.
2025-12-16 16:40:44 +02:00
# Gate Detection for Reachability Scoring

**Sprint:** SPRINT_3405_0001_0001 | **Module:** Scanner Reachability / Signals

## Overview

Gate detection identifies protective controls in code paths that reduce the likelihood of vulnerability exploitation. When a vulnerable function is protected by authentication, feature flags, admin-only checks, or configuration gates, the reachability score is reduced proportionally.

## Gate Types

| Gate Type | Multiplier | Description |
|---|---|---|
| AuthRequired | 30% | Code path requires authentication |
| FeatureFlag | 20% | Code path behind a feature flag |
| AdminOnly | 15% | Code path requires admin/elevated role |
| NonDefaultConfig | 50% | Code path requires non-default configuration |

## Multiplier Stacking

Multiple gate types stack multiplicatively:

- Auth (30%) × Feature Flag (20%) = 6%
- Auth (30%) × Admin (15%) = 4.5%
- All four gates = ~0.45% (floored to 5%)

A minimum floor of 5% prevents scores from reaching zero.

## Detection Methods

### AuthGateDetector

Detects authentication requirements:

**C# Patterns:**

- `[Authorize]` attribute
- `User.Identity.IsAuthenticated` checks
- `HttpContext.User` access
- JWT/Bearer token validation

**Java Patterns:**

- `@PreAuthorize`, `@Secured` annotations
- `SecurityContextHolder.getContext()`
- Spring Security filter chains

**Go Patterns:**

- Middleware patterns (`authMiddleware`, `RequireAuth`)
- Context-based auth checks

**JavaScript/TypeScript Patterns:**

- Express.js passport middleware
- JWT verification middleware
- Session checks

### FeatureFlagDetector

Detects feature flag guards:

**Patterns:**

- LaunchDarkly: `ldClient.variation()`, `ld.boolVariation()`
- Split.io: `splitClient.getTreatment()`
- Unleash: `unleash.isEnabled()`
- Custom: `featureFlags.isEnabled()`, `isFeatureEnabled()`

### AdminOnlyDetector

Detects admin/role requirements:

**Patterns:**

- `[Authorize(Roles = "Admin")]`
- `User.IsInRole("Admin")`
- `@RolesAllowed("ADMIN")`
- RBAC middleware checks

### ConfigGateDetector

Detects configuration-based gates:

**Patterns:**

- Environment variable checks (`process.env.ENABLE_FEATURE`)
- Configuration file conditionals
- Runtime feature toggles
- Debug-only code paths
## Output Contract

### DetectedGate

```typescript
interface DetectedGate {
  type: 'AuthRequired' | 'FeatureFlag' | 'AdminOnly' | 'NonDefaultConfig';
  detail: string;           // Human-readable description
  guardSymbol: string;      // Symbol where gate was detected
  sourceFile?: string;      // Source file location
  lineNumber?: number;      // Line number
  confidence: number;       // 0.0-1.0 confidence score
  detectionMethod: string;  // Detection algorithm used
}
```

### GateDetectionResult

```typescript
interface GateDetectionResult {
  gates: DetectedGate[];
  hasGates: boolean;
  primaryGate?: DetectedGate;    // Highest confidence gate
  combinedMultiplierBps: number; // Basis points (10000 = 100%)
}
```

## Integration

### RichGraph Edge Annotation

Gates are annotated on `RichGraphEdge` objects:

```csharp
public sealed record RichGraphEdge
{
    // ... existing properties ...

    /// <summary>Gates detected on this edge</summary>
    public IReadOnlyList<DetectedGate> Gates { get; init; } = [];

    /// <summary>Combined gate multiplier in basis points</summary>
    public int GateMultiplierBps { get; init; } = 10000;
}
```

### ReachabilityReport

Gates are included in the reachability report:

```json
{
  "vulnId": "CVE-2024-0001",
  "reachable": true,
  "score": 7.5,
  "adjustedScore": 2.25,
  "gates": [
    {
      "type": "AuthRequired",
      "detail": "[Authorize] attribute on controller",
      "guardSymbol": "MyController.VulnerableAction",
      "confidence": 0.95
    }
  ],
  "gateMultiplierBps": 3000
}
```

## Configuration

### appsettings.json

```json
{
  "Reachability": {
    "GateMultipliers": {
      "AuthRequiredMultiplierBps": 3000,
      "FeatureFlagMultiplierBps": 2000,
      "AdminOnlyMultiplierBps": 1500,
      "NonDefaultConfigMultiplierBps": 5000,
      "MinimumMultiplierBps": 500
    }
  }
}
```

## Metrics

| Metric | Description |
|---|---|
| `scanner.gates_detected_total` | Total gates detected by type |
| `scanner.gate_reduction_applied` | Histogram of multiplier reductions |
| `scanner.gated_vulns_total` | Vulnerabilities with gates detected |