Deterministic Reachability — Product Moat (Nov 2025)

Source: internal advisory “23-Nov-2025 - Where Stella Ops Can Truly Lead”. Supersedes/extends archived binary reachability advisories (18-Nov-2025 - Binary-Reachability-Engine, Encoding Binary Reachability with PURL-Resolved Edges, CSharp-Binary-Analyzer). This page is the canonical, high-level articulation of our reachability moat for architects, PMM, and field teams. Detailed schemas live in docs/reachability/evidence-schema.md and docs/reachability/hybrid-attestation.md.

Why it matters

Most scanners list every CVE; reachability asks whether vulnerable code is actually callable.
Competitors infer paths and rarely sign evidence; we prove paths with deterministic graphs and attestations.
Outcome targets: ≥40% fewer noisy vulns shown; ≥25% faster triage via explainable “why” paths.

Moat elements

Deterministic call-graphs per artifact
- Stable node IDs: purl@version!build-id!symbol-signature (or code offset when stripped).
- Stable edge IDs: SHA256(nodeA||nodeB||tool-version||inputs-hash).
- Graph hash: BLAKE3 over canonical JSON; locked by manifest.
Signed evidence
- Graph-level DSSE for every scan (mandatory).
- Optional edge-bundle DSSE (≤512 edges) for runtime/init/contested edges; Rekor publish capped. See docs/reachability/hybrid-attestation.md.
Explainability
- Each finding carries call-chain + per-edge reason + VEX gate decision + layer attribution.
Container layer provenance
- Track file-to-layer mapping; show “introduced in layer X from base Y”.
Replayability
- Determinism manifest locks feeds, toolchain hashes, analyzer flags; replay yields identical graph and attestations.

Minimal architecture slice

Sbomer/Scanner: emit SBOM + symbol maps + per-layer file index; capture Build-IDs.
Cartographer: build deterministic call-graphs (language + native), output EdgeList.jsonl with stable IDs.
Attestor: wrap graph (and edge bundles when emitted) into DSSE; log digests to Rekor/mirror.
Vexer/Policy: evaluate lattice, produce OpenVEX with linked edge proofs.
Ledger: retain manifests and DSSE; mirror to Rekor where allowed.

Practical spec (condensed)

Node fields: symbol_id, code_id, purl, build_id, symbol_digest, lang, evidence[].
Edge fields: from, to, kind (direct|plt|runtime|init), purl, symbol_digest, reason, confidence, evidence[].
Roots: exports, entrypoints, .init_array/.ctors/TLS callbacks, plugin hooks.
Attestation layout:
- Graph: cas://reachability/graphs/{blake3} + {blake3}.dsse (Rekor always).
- Edge bundle: cas://reachability/edges/{graph_hash}/{bundle_id}[.dsse] (Rekor optional, capped).

Example: Edge-bundle DSSE payload (abridged)

{
  "graph_hash": "blake3:...",
  "bundle_reason": "runtime-hit",
  "edges": [{
    "edge_id": "sha256:...",
    "from": "sym:...caller",
    "to": "sym:...callee",
    "reason": "plt",
    "purl": "pkg:deb/openssl@3.0.2?arch=amd64",
    "symbol_digest": "sha256:...",
    "revoked": false
  }]
}

Field cheat sheet (for sprint readers)

graph_hash — BLAKE3 of canonical graph JSON.
bundle_reason — runtime-hit | init-root | contested | third-party.
edge_id — sha256(from||to||reason||tool-version||inputs-hash).
revoked — when true, policy/Signals must drop this edge before reachability scoring.
purl + symbol_digest — bind edge to SBOM component and callee identity.

Quick wins (ship order)

Capture Build-IDs in Scanner and thread into symbol_id/code_id.
Emit Graph Determinism Manifest (feeds + toolchain hashes) per scan.
Turn on edge-bundle DSSE for runtime/init edges first; keep Rekor cap low.
Surface “why path” + layer attribution in CLI/UI explainers.

APIs (strawman)

POST /graph/edges: attest — idempotent; same inputs → same edge IDs.
GET /findings/:id/proof — returns call-chain + Rekor inclusion proofs.
GET /vex/:artifact — streams OpenVEX with embedded proofs.

4.3 KiB Raw Blame History Unescape Escape