48 lines
2.8 KiB
Markdown
48 lines
2.8 KiB
Markdown
# Compositional Library-Aware Call-Graph Reachability
|
|
|
|
## Module
|
|
Scanner
|
|
|
|
## Status
|
|
VERIFIED
|
|
|
|
## Description
|
|
Multi-layer reachability analysis combining call-graph extraction, dependency-aware analysis, surface-aware analysis, and conditional reachability with ReachGraph integration.
|
|
|
|
## Implementation Details
|
|
- **Dependency-Aware Reachability**:
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ConditionalReachabilityAnalyzer.cs` - Conditional reachability analysis considering library dependencies
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/DependencyReachabilityModels.cs` - Models for dependency-aware reachability
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachGraphReachabilityCombiner.cs` - Combines ReachGraph data with local reachability analysis
|
|
- **Dependency Reporting**:
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/Reporting/DependencyReachabilityReporter.cs` - Generates dependency reachability reports
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/Reporting/DependencyReachabilityReport.cs` - Report model
|
|
- **Surface-Aware Analysis**:
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Surfaces/SurfaceAwareReachabilityAnalyzer.cs` - Surface-aware reachability analysis combining attack surface with call graph
|
|
- **Call Graph Extraction** (multi-language):
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/` - Multi-language call graph extractors
|
|
- **Worker Integration**:
|
|
- `src/Scanner/StellaOps.Scanner.Worker/Processing/Reachability/ReachabilityBuildStageExecutor.cs` - Builds reachability during scan
|
|
- `src/Scanner/StellaOps.Scanner.Worker/Processing/Reachability/SbomReachabilityStageExecutor.cs` - SBOM-level reachability analysis
|
|
- **API**:
|
|
- `src/Scanner/StellaOps.Scanner.WebService/Endpoints/ReachabilityEndpoints.cs` - `ReachabilityEndpoints` for querying reachability results
|
|
|
|
## E2E Test Plan
|
|
- [ ] Scan an image with a multi-library application and verify call graph extraction captures inter-library calls
|
|
- [ ] Verify `ConditionalReachabilityAnalyzer` considers conditional dependencies (optional/feature-flagged)
|
|
- [ ] Verify `SurfaceAwareReachabilityAnalyzer` combines attack surface data with call graph to produce accurate reachability verdicts
|
|
- [ ] Verify `ReachGraphReachabilityCombiner` integrates external ReachGraph data with local analysis
|
|
- [ ] Query reachability results via `GET /api/v1/scans/{scanId}/reachability` and verify library-aware paths are included
|
|
- [ ] Verify the dependency reachability report includes per-library reachability status
|
|
|
|
---
|
|
|
|
## Verification
|
|
|
|
| Check | Result |
|
|
|-------|--------|
|
|
| Tier 0 - Source files exist | PASS |
|
|
| Tier 1 - Build + code review | PASS |
|
|
| Tier 2 - Integration tests | PASS |
|
|
| Verified | 2026-02-13T18:10:00Z |
|