git.stella-ops.org/docs/features/checked/scanner/dataflow-aware-diffs.md
2026-02-14 09:11:48 +02:00

Dataflow-Aware Diffs (Entrypoint-to-Sink Reachability)

Module: Scanner

Status: VERIFIED

Description

A semantic entrypoint orchestrator combined with dataflow boundary analysis, data boundary mapping, and a service-level security dataflow analyzer, used to determine which entrypoints can reach which sinks (entrypoint-to-sink reachability).

Implementation Details

  • Semantic Entrypoint Orchestrator:
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntrypointOrchestrator.cs - Orchestrates semantic entrypoint analysis across languages
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ISemanticEntrypointAnalyzer.cs - Interface for semantic analysis
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntryTraceAnalyzer.cs - Trace analyzer for dataflow
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntrypoint.cs - Entrypoint model
  • Data Boundary Analysis:
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/DataBoundaryMapper.cs - Maps data flow boundaries
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/DataFlowBoundary.cs - Data flow boundary model
  • Capability & Threat Detection:
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/CapabilityDetector.cs - Detects capabilities (network, file, crypto, etc.)
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/ThreatVectorInferrer.cs - Infers threat vectors from entrypoint-to-sink paths
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/CapabilityClass.cs - Capability class model
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ThreatVector.cs - Threat vector model
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ApplicationIntent.cs - Application intent model
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticConfidence.cs - Confidence scoring
  • Language Adapters:
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/DotNetSemanticAdapter.cs
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/JavaSemanticAdapter.cs
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/NodeSemanticAdapter.cs
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/PythonSemanticAdapter.cs
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/GoSemanticAdapter.cs
  • Service Security: src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/ - Service-level dataflow security analysis

E2E Test Plan

  • Scan a container image containing a web application and verify that entrypoint-to-sink dataflow paths are detected
  • Verify DataBoundaryMapper identifies data flow boundaries (e.g., user input -> database, network -> filesystem)
  • Verify CapabilityDetector identifies application capabilities (network access, file I/O, crypto usage)
  • Verify ThreatVectorInferrer infers threat vectors from detected dataflow paths
  • Verify language-specific semantic adapters work for .NET, Java, Node.js, Python, and Go applications
  • Verify dataflow-aware diff results appear in the scan report

Verification

| Check | Result |
|---|---|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |

Verified 2026-02-13T18:10:00Z