# Reachability Subgraph Extraction and Proof of Exposure

## Module

Scanner

## Status

VERIFIED

## Description

Full subgraph extraction for reachability proofs, with witness tracking, explanation generation, and proof spine building.

## Implementation Details

- **Subgraph Extraction**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Subgraph/ReachabilitySubgraphExtractor.cs` - `ReachabilitySubgraphExtractor` extracts full subgraphs for reachability proofs, including all nodes and edges on paths from entrypoints to vulnerable sinks
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/SubgraphExtractor.cs` - Base subgraph extraction logic
- **Witness Tracking**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitness.cs` - `PathWitness` records witnessed reachability paths
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeObservation.cs` - `RuntimeObservation` records runtime-observed call events with stack samples
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/IRuntimeWitnessGenerator.cs` - Interface for generating runtime witnesses
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeWitnessRequest.cs` - Request model for witness generation
- **Attestation**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/ReachabilitySubgraphPublisher.cs` - Publishes proof-of-exposure subgraphs as attestations
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/ReachabilityWitnessPublisher.cs` - Publishes witness records as attestations
- **Resolver**: `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/IReachabilityResolver.cs` - Interface for resolving reachability queries
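
To make the extraction step concrete, here is an added illustration (not StellaOps code; every graph, node and gate name in it is constructed) of the same idea on a toy call graph: the subgraph keeps only nodes that are both forward-reachable from an entrypoint and backward-reachable to the vulnerable sink, attaches gate annotations to those nodes, and records one shortest witness path as the proof spine together with a human-readable explanation.

```python
from collections import deque

CALL_GRAPH = {  # constructed sample call graph (caller -> callees), not real scanner data
    "http:/orders": ["OrderController.Create"],
    "http:/admin/export": ["AdminController.Export"],
    "OrderController.Create": ["OrderService.Place", "Audit.Log"],
    "AdminController.Export": ["ReportBuilder.Render"],
    "OrderService.Place": ["Yaml.Deserialize"],
    "ReportBuilder.Render": ["Yaml.Deserialize"],
    "Audit.Log": ["Logger.Write"],  # reachable, but never leads to the sink
}
GATES = {"OrderController.Create": "auth", "AdminController.Export": "admin-only"}  # constructed gate annotations
ENTRYPOINTS = ["http:/orders", "http:/admin/export"]
SINKS = {"Yaml.Deserialize"}  # the vulnerable function for this (hypothetical) finding

def bfs(graph, starts):
    """BFS from `starts`; returns {node: predecessor} for every reachable node (starts map to None)."""
    parent, queue = {s: None for s in starts}, deque(starts)
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return parent

def reverse(graph):
    """Callee -> callers, so backward reachability from the sinks can reuse `bfs`."""
    return {v: [u for u in graph if v in graph[u]] for callees in graph.values() for v in callees}

def extract_subgraph(graph, entrypoints, sinks, gates):
    """Nodes and edges that lie on at least one entrypoint-to-sink path, plus the gates on them."""
    fwd = bfs(graph, entrypoints)          # entrypoint ->* node
    bwd = bfs(reverse(graph), sinks)       # node ->* sink
    nodes = set(fwd) & set(bwd)            # exactly the nodes on some entry-to-sink path
    edges = sorted((u, v) for u in nodes for v in graph.get(u, []) if v in nodes)
    return {"nodes": sorted(nodes), "edges": edges,
            "gates": {n: g for n, g in gates.items() if n in nodes}}

def witness_path(parents, sink):
    """Shortest entrypoint-to-`sink` path (the proof spine) from BFS parents, or None if unreachable."""
    path, node = [], sink if sink in parents else None
    while node is not None:
        path.append(node)
        node = parents[node]
    return path[::-1] or None

def explain(path, gates):
    """Human-readable exposure path with gate annotations shown inline."""
    return " -> ".join(f"{n} [gate: {gates[n]}]" if n in gates else n for n in path)
```

For the sample, `extract_subgraph(CALL_GRAPH, ENTRYPOINTS, SINKS, GATES)` drops `Audit.Log` and `Logger.Write`, and `explain(witness_path(bfs(CALL_GRAPH, ENTRYPOINTS), "Yaml.Deserialize"), GATES)` renders the spine through the `auth` gate.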

## E2E Test Plan

- [ ] Extract a subgraph for a specific vulnerability and verify it contains all nodes and edges from entrypoint to vulnerable sink
- [ ] Verify witness tracking records runtime-observed call events that confirm reachability
- [ ] Verify proof-of-exposure subgraphs are publishable as DSSE-signed attestations
- [ ] Verify the subgraph includes gate annotations (auth, admin-only) on intermediate nodes
- [ ] Verify explanation generation produces human-readable descriptions of the exposure path
- [ ] Verify the reachability resolver correctly queries subgraphs for specific CVE/component pairs

---

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |