stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
7bdfcd505579fec64434405bcc5cb3c286364e67
git.stella-ops.org/docs/features/checked/scanner/trigger-method-vulnerable-function-extraction.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

2.8 KiB
Raw Blame History

Trigger Method / Vulnerable Function Extraction

Module

Scanner

Status

VERIFIED

Description

Multi-language call graph extraction with guard detection and drift cause explanation. Covers entrypoint-to-sink path analysis.

Implementation Details

  • Trigger Method Extractor:
    • src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Triggers/TriggerMethodExtractor.cs - TriggerMethodExtractor extracting vulnerable trigger methods from vulnerability advisories and mapping them to call graph nodes
    • src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Triggers/ITriggerMethodExtractor.cs - Interface for trigger method extraction
    • src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Models/VulnSurfaceTrigger.cs - VulnSurfaceTrigger model for extracted trigger methods
  • Vulnerable Function Matching:
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/VulnerableFunctionMatcher.cs - VulnerableFunctionMatcher matching binary functions against known vulnerable function signatures
  • Guard Detection:
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/GuardDetector.cs - GuardDetector detecting guard conditions (null checks, feature flags, auth checks) that protect vulnerable paths
  • Drift Cause Explanation:
    • src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/Services/DriftCauseExplainer.cs - DriftCauseExplainer explaining why reachability changed (new dependency, updated call path, removed guard)
    • src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/Services/ReachabilityDriftDetector.cs - ReachabilityDriftDetector detecting reachability changes between scan versions
  • Tests:
    • src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces.Tests/TriggerMethodExtractorTests.cs - Trigger extraction tests
    • src/Scanner/__Tests/StellaOps.Scanner.ReachabilityDrift.Tests/DriftCauseExplainerTests.cs - Drift cause explanation tests

E2E Test Plan

  • Extract trigger methods from a Java vulnerability advisory (e.g., log4j) and verify the vulnerable methods are correctly identified
  • Verify VulnerableFunctionMatcher matches binary symbols against known vulnerable function signatures
  • Verify GuardDetector detects authentication guards that protect vulnerable call paths
  • Verify DriftCauseExplainer correctly explains why a previously unreachable vulnerability became reachable (e.g., new transitive dependency)
  • Verify entrypoint-to-sink path analysis produces a complete path from HTTP endpoint to vulnerable function
  • Verify trigger method extraction works across Java, Python, JavaScript, and .NET ecosystems

Verification

Check Result
Tier 0 - Source files exist PASS
Tier 1 - Build + code review PASS
Tier 2 - Integration tests PASS
Verified 2026-02-13T18:10:00Z