// SPDX-License-Identifier: BUSL-1.1
// Copyright (c) StellaOps
using StellaOps.Scanner.Reachability.Stack;
using System.Collections.Immutable;
namespace StellaOps.Scanner.Reachability.Layer3;
/// <summary>
/// Layer 3 analyzer: Runtime gating detection.
/// Determines if any feature flag, configuration, or environment condition
/// blocks execution of the vulnerable code path.
/// </summary>
/// <remarks>
/// The verdict is only as trustworthy as the supplied <see cref="RuntimeContext"/>:
/// a gate derived from a caller-provided environment or configuration snapshot describes
/// that snapshot, not necessarily the deployed process.
/// NOTE(review): this interface does not state whether "no gate detected" means
/// "reachable" or "unknown" — that distinction should be explicit in
/// <c>ReachabilityLayer3</c>; confirm against the result type.
/// </remarks>
public interface ILayer3Analyzer
{
    /// <summary>
    /// Analyzes whether runtime conditions gate (block) execution of a call path.
    /// </summary>
    /// <param name="path">The call path to analyze for gating conditions</param>
    /// <param name="context">Runtime context (config, env vars, etc.)</param>
    /// <param name="ct">Cancellation token; implementations are expected to honour it</param>
    /// <returns>Layer 3 gating analysis result</returns>
    Task<ReachabilityLayer3> AnalyzeAsync(
        CallPath path,
        RuntimeContext context,
        CancellationToken ct = default);

    /// <summary>
    /// Analyzes gating for multiple paths and aggregates results.
    /// </summary>
    /// <param name="paths">Call paths to analyze</param>
    /// <param name="context">Runtime context shared by all paths</param>
    /// <param name="ct">Cancellation token</param>
    /// <returns>
    /// Aggregated Layer 3 result. NOTE(review): the aggregation rule (e.g. "gated only if
    /// every path is gated") is not specified here — document it on the implementation.
    /// </returns>
    Task<ReachabilityLayer3> AnalyzeMultipleAsync(
        ImmutableArray<CallPath> paths,
        RuntimeContext context,
        CancellationToken ct = default);
}
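/// <summary>
/// Runtime context - configuration and environment affecting execution.
/// </summary>
/// <remarks>
/// <see cref="EnvironmentVariables"/> and <see cref="Configuration"/> routinely carry
/// credentials (tokens, connection strings, API keys). The compiler-generated record
/// <c>ToString</c> would print every entry verbatim, so it is overridden below to emit
/// only counts and non-sensitive summary fields. Value equality and <c>with</c>
/// expressions are unaffected.
/// </remarks>
public sealed record RuntimeContext
{
    /// <summary>Environment variables (name → raw value; values may be secrets).</summary>
    /// <remarks>
    /// NOTE(review): keys use the dictionary's default ordinal comparer. Windows resolves
    /// variable names case-insensitively, so producers should normalise names if lookups
    /// by the analyzer depend on it — confirm with the context builder.
    /// </remarks>
    public ImmutableDictionary<string, string> EnvironmentVariables { get; init; } =
        ImmutableDictionary<string, string>.Empty;

    /// <summary>Configuration values from files/services, keyed by configuration key.</summary>
    public ImmutableDictionary<string, ConfigValue> Configuration { get; init; } =
        ImmutableDictionary<string, ConfigValue>.Empty;

    /// <summary>Feature flags and their states, keyed by flag name.</summary>
    public ImmutableDictionary<string, FeatureFlag> FeatureFlags { get; init; } =
        ImmutableDictionary<string, FeatureFlag>.Empty;

    /// <summary>Build/compile-time configuration, when known.</summary>
    public BuildConfiguration? BuildConfig { get; init; }

    /// <summary>Platform information, when known.</summary>
    public PlatformInfo? Platform { get; init; }

    /// <summary>Process capabilities/privileges (opaque names; not interpreted here).</summary>
    public ImmutableArray<string> Capabilities { get; init; } = [];

    /// <summary>
    /// Summary form that never prints environment variable or configuration values,
    /// so logging a context cannot leak credentials.
    /// </summary>
    public override string ToString()
    {
        // A `with { Capabilities = default }` leaves a default ImmutableArray, whose
        // Length throws; treat it as empty instead of failing inside a log statement.
        var capabilityCount = Capabilities.IsDefaultOrEmpty ? 0 : Capabilities.Length;
        var platform = Platform is null ? "null" : Platform.OS;
        var build = BuildConfig is null ? "null" : "set";

        return $"RuntimeContext {{ EnvironmentVariables = {EnvironmentVariables.Count} entries, " +
               $"Configuration = {Configuration.Count} entries, " +
               $"FeatureFlags = {FeatureFlags.Count} entries, " +
               $"BuildConfig = {build}, Platform = {platform}, Capabilities = {capabilityCount} }}";
    }
}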
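/// <summary>
/// A configuration value.
/// </summary>
/// <param name="Key">Configuration key as seen by the analyzed program.</param>
/// <param name="Value">Raw value, or <c>null</c> when the key is known but has no value.</param>
/// <param name="Source">Where the value was read from.</param>
/// <param name="IsSecret">
/// Marks credential-like values. Affects only how the record is rendered by
/// <see cref="ToString"/>; equality and <c>with</c> still operate on the real value.
/// </param>
public sealed record ConfigValue(
    string Key,
    string? Value,
    ConfigValueSource Source,
    bool IsSecret)
{
    /// <summary>Text printed in place of a value flagged as secret.</summary>
    private const string Redacted = "[REDACTED]";

    /// <summary>
    /// Renders the record without exposing secrets. The compiler-generated record
    /// <c>ToString</c> prints every positional member, including <see cref="Value"/>,
    /// which is how flagged secrets would otherwise reach logs and exception messages.
    /// </summary>
    public override string ToString()
    {
        var shownValue = IsSecret ? Redacted : Value ?? "null";
        return $"ConfigValue {{ Key = {Key}, Value = {shownValue}, Source = {Source}, IsSecret = {IsSecret} }}";
    }
}

/// <summary>
/// Source of a configuration value.
/// </summary>
/// <remarks>
/// Values are fixed explicitly so that inserting or reordering members can never
/// silently change integers persisted or serialized by callers.
/// </remarks>
public enum ConfigValueSource
{
    EnvironmentVariable = 0,
    ConfigFile = 1,
    CommandLine = 2,
    RemoteService = 3,
    Default = 4,
    Unknown = 5
}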
/// <summary>
/// A feature flag.
/// </summary>
/// <param name="Name">Flag identifier as referenced by the analyzed program.</param>
/// <param name="IsEnabled">Resolved state of the flag in the analyzed context.</param>
/// <param name="Source">Where the state was resolved from.</param>
/// <param name="Description">Optional human-readable description.</param>
public sealed record FeatureFlag(
    string Name,
    bool IsEnabled,
    FeatureFlagSource Source,
    string? Description);

/// <summary>
/// Source of a feature flag.
/// </summary>
/// <remarks>
/// Integer values are spelled out; they match declaration order and are stable for
/// callers that persist or serialize them.
/// </remarks>
public enum FeatureFlagSource
{
    CompileTime = 0,
    ConfigFile = 1,
    RemoteService = 2,
    EnvironmentVariable = 3,
    Default = 4,
    Unknown = 5
}
/// <summary>
/// Build/compile-time configuration.
/// </summary>
/// <remarks>
/// Immutable snapshot of how the analyzed artifact was compiled. All members default
/// to "unknown" (<c>false</c>, empty, or <c>null</c>) so a partially populated
/// configuration is still valid input.
/// </remarks>
public sealed record BuildConfiguration
{
    /// <summary>Whether this is a debug build.</summary>
    public bool IsDebugBuild { get; init; }

    /// <summary>Defined preprocessor symbols; empty when none are known.</summary>
    public ImmutableArray<string> DefineConstants { get; init; } = ImmutableArray<string>.Empty;

    /// <summary>Target framework moniker, if known.</summary>
    public string? TargetFramework { get; init; }

    /// <summary>Build mode (Debug, Release, etc.), if known.</summary>
    public string? BuildMode { get; init; }
}
/// <summary>
/// Platform information.
/// </summary>
/// <remarks>
/// <see cref="OS"/> and <see cref="Architecture"/> are mandatory; the remaining members
/// describe optional details and default to "unknown".
/// </remarks>
public sealed record PlatformInfo
{
    /// <summary>Operating system name.</summary>
    public required string OS { get; init; }

    /// <summary>OS version string, if known.</summary>
    public string? OSVersion { get; init; }

    /// <summary>CPU architecture (x64, arm64, etc.).</summary>
    public required string Architecture { get; init; }

    /// <summary>Whether the analyzed process runs inside a container.</summary>
    public bool IsContainer { get; init; }

    /// <summary>Container runtime name when <see cref="IsContainer"/> is set; otherwise <c>null</c>.</summary>
    public string? ContainerRuntime { get; init; }
}
/// <summary>
/// Input for Layer 3 analysis.
/// </summary>
/// <remarks>
/// Bundles one call path with the runtime context it should be evaluated against.
/// Both are required; <see cref="Options"/> may be omitted, in which case the analyzer
/// decides what defaults apply.
/// </remarks>
public sealed record Layer3AnalysisInput
{
    /// <summary>Call path whose gating is to be analyzed.</summary>
    public required CallPath Path { get; init; }

    /// <summary>Runtime context (configuration, environment, platform) to evaluate against.</summary>
    public required RuntimeContext Context { get; init; }

    /// <summary>Analysis options; <c>null</c> leaves the choice of defaults to the analyzer.</summary>
    public Layer3AnalysisOptions? Options { get; init; }
}
/// <summary>
/// Options for Layer 3 analysis.
/// </summary>
/// <remarks>
/// Every <c>Detect*</c> switch is on by default. <see cref="FeatureFlagPatterns"/> are
/// regular expressions matched by the analyzer.
/// NOTE(review): nothing in these options carries a regex match timeout; an
/// implementation that accepts caller-supplied patterns should apply one to avoid
/// pathological backtracking — confirm in the analyzer.
/// </remarks>
public sealed record Layer3AnalysisOptions
{
    /// <summary>Detect feature flag patterns in code.</summary>
    public bool DetectFeatureFlags { get; init; } = true;

    /// <summary>Detect environment variable checks.</summary>
    public bool DetectEnvVarChecks { get; init; } = true;

    /// <summary>Detect configuration value checks.</summary>
    public bool DetectConfigChecks { get; init; } = true;

    /// <summary>Detect platform checks.</summary>
    public bool DetectPlatformChecks { get; init; } = true;

    /// <summary>Detect capability/privilege checks.</summary>
    public bool DetectCapabilityChecks { get; init; } = true;

    /// <summary>
    /// Feature flag patterns to detect (regex). Defaults cover generic
    /// <c>FeatureFlag(s).</c>/<c>IsFeatureEnabled</c> idioms plus a few well-known
    /// flag-service SDK names.
    /// </summary>
    public ImmutableArray<string> FeatureFlagPatterns { get; init; } = ImmutableArray.Create(
        @"FeatureFlags?\.",
        @"IsFeatureEnabled",
        @"Feature\.IsEnabled",
        @"LaunchDarkly",
        @"Unleash",
        @"ConfigCat");

    /// <summary>Known blocking conditions; empty unless supplied by the caller.</summary>
    public ImmutableArray<KnownGatingPattern> KnownPatterns { get; init; } =
        ImmutableArray<KnownGatingPattern>.Empty;
}
/// <summary>
/// A known gating pattern to detect.
/// </summary>
/// <param name="Pattern">
/// Text pattern to look for. NOTE(review): presumably a regex like
/// <c>Layer3AnalysisOptions.FeatureFlagPatterns</c>; confirm with the analyzer before
/// passing untrusted patterns.
/// </param>
/// <param name="Type">Kind of gate this pattern represents.</param>
/// <param name="Description">Human-readable explanation of the gate.</param>
/// <param name="IsBlockingByDefault">
/// Whether a match should be treated as blocking the path when no runtime
/// evidence says otherwise.
/// </param>
public sealed record KnownGatingPattern(
    string Pattern,
    GatingType Type,
    string Description,
    bool IsBlockingByDefault);