Static SBOM Call-Graph Pruning
Module
ReachGraph
Status
IMPLEMENTED
Description
SBOM-based reachability filtering is implemented as a pipeline stage in the Scanner worker, with dependency reachability reporting and ReachGraph storage.
Implementation Details
- IReachabilityIndex: src/__Libraries/StellaOps.Reachability.Core/IReachabilityIndex.cs -- QueryStaticAsync for static call-graph reachability analysis; QueryHybridAsync with batch support for SBOM-wide analysis
- ReachabilityIndex: src/__Libraries/StellaOps.Reachability.Core/ReachabilityIndex.cs -- implementation using adapters for graph and signals data
- LatticeState.StaticReachable / StaticUnreachable: src/__Libraries/StellaOps.Reachability.Core/LatticeState.cs -- static analysis determines SR or SU lattice state for each symbol
- ReachabilityLattice: src/__Libraries/StellaOps.Reachability.Core/ReachabilityLattice.cs -- transitions from Unknown to StaticReachable (confidence 0.30) or StaticUnreachable (confidence 0.40) based on call graph evidence
- SymbolRef: src/__Libraries/StellaOps.Reachability.Core/SymbolRef.cs -- symbol reference for graph queries
- Symbol canonicalization: src/__Libraries/StellaOps.Reachability.Core/Symbols/SymbolCanonicalizer.cs, SymbolMatcher.cs -- language-aware symbol normalization for accurate graph matching
- ReachGraphStoreService: src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphStoreService.cs -- stores pruned/filtered reachability graphs
- ReachGraphSliceService: src/ReachGraph/StellaOps.ReachGraph.WebService/Services/ReachGraphSliceService.cs -- slice queries for accessing filtered results by package
- Tests: src/__Libraries/__Tests/StellaOps.Reachability.Core.Tests/
- Source: Feature matrix scan
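The static pruning step described above, as an added sketch that is not taken from the StellaOps source: it walks a call graph from the entry points, assigns each symbol an SR or SU state, and prunes only findings whose symbol is statically unreachable. The types State, Finding and Reach, the graph and the package names are hypothetical; only the state names and the 0.30/0.40 confidences come from this page, and it assumes .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed call graph (caller -> callees); every symbol and package name here is made up.
var edges = new Dictionary<string, string[]>
{
    ["app::Main"] = new[] { "app::Handle" },
    ["app::Handle"] = new[] { "libjson::Parse" },
    ["libjson::Parse"] = new[] { "libjson::ReadToken" },
    ["libyaml::Load"] = new[] { "libyaml::Construct" }, // no path from an entry point
};
// Constructed findings for the packages listed in an SBOM: (package, vulnerable symbol).
var findings = new[]
{
    new Finding("pkg:nuget/libjson@1.0.0", "libjson::ReadToken"),
    new Finding("pkg:nuget/libyaml@2.0.0", "libyaml::Construct"),
    new Finding("pkg:nuget/libxml@3.0.0", "libxml::Resolve"), // symbol absent from the graph
};

var states = Reach.Analyze(edges, new[] { "app::Main" });
foreach (var f in findings)
{
    // A symbol the graph never saw stays Unknown; missing data is not evidence of unreachability.
    var state = states.GetValueOrDefault(f.Symbol, State.Unknown);
    var action = state == State.StaticUnreachable ? "pruned" : "kept";
    Console.WriteLine($"{f.Package} {f.Symbol}: {state} ({Reach.Confidence(state):F2}) -> {action}");
}

enum State { Unknown, StaticReachable, StaticUnreachable }
record Finding(string Package, string Symbol);
static class Reach
{
    // Breadth-first walk from the entry points, then a label for every node in the graph.
    public static Dictionary<string, State> Analyze(Dictionary<string, string[]> edges, string[] entries)
    {
        var seen = new HashSet<string>(entries);
        var queue = new Queue<string>(seen);
        while (queue.Count > 0)
            if (edges.TryGetValue(queue.Dequeue(), out var callees))
                foreach (var callee in callees)
                    if (seen.Add(callee)) queue.Enqueue(callee);
        return edges.Keys.Concat(edges.Values.SelectMany(v => v)).Distinct().ToDictionary(
            s => s, s => seen.Contains(s) ? State.StaticReachable : State.StaticUnreachable);
    }
    // 0.30 and 0.40 are the confidences this page gives; 0.0 for Unknown is an assumption.
    public static double Confidence(State s) =>
        s == State.StaticReachable ? 0.30 : s == State.StaticUnreachable ? 0.40 : 0.0;
}
```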
E2E Test Plan
- Verify static call-graph analysis correctly identifies reachable symbols (SR state)
- Test unreachable symbols are pruned with StaticUnreachable (SU) state
- Verify SBOM-based batch query prunes findings for all packages in SBOM
- Test symbol canonicalization handles cross-language symbol formats
- Verify pruned results are stored in ReachGraph and queryable via slice API