docs/features/checked/scanner/binary-sbom-and-build-id-to-purl-mapping.md (git.stella-ops.org, 2026-02-12 21:02:43 +02:00)

# Binary SBOM and Build-ID to PURL Mapping

- Module: Scanner
- Status: VERIFIED

## Description

Binary call graph extraction, offline Build-ID to PURL correlation, patch verification orchestration, and unified binary finding mapping are wired into Scanner worker execution with deterministic Tier 1/Tier 2 evidence.

## Implementation Details

- Binary call graph extraction:
  - src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/BinaryCallGraphExtractor.cs
- Patch verification engine and contracts:
  - src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/IPatchVerificationOrchestrator.cs
  - src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/PatchVerificationOrchestrator.cs
  - src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/DependencyInjection/ServiceCollectionExtensions.cs
- Build-ID index:
  - src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/IBuildIdIndex.cs
  - src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/OfflineBuildIdIndex.cs
  - src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/BuildIdLookupResult.cs
- Worker runtime wiring:
  - src/Scanner/StellaOps.Scanner.Worker/Extensions/BinaryIndexServiceExtensions.cs
    - registers the patch verification services in the worker's binary integration path.
  - src/Scanner/StellaOps.Scanner.Worker/Processing/BinaryLookupStageExecutor.cs
    - executes the Build-ID index batch lookup and stores the mapping output.
    - executes patch verification orchestration and stores the verification result.
    - publishes the mapped binary findings for downstream gating.
  - src/Scanner/StellaOps.Scanner.Worker/Processing/BinaryFindingMapper.cs
    - its runtime call path is now exercised from the binary lookup stage.
- Shared analysis contracts:
  - src/Scanner/__Libraries/StellaOps.Scanner.Core/Contracts/ScanAnalysisKeys.cs
    - adds the binary build-id mapping and patch-verification analysis keys.
- Worker validation test:
  - src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/BinaryLookupStageExecutorTests.cs

## E2E Test Plan

- Scan a container image whose native binaries carry ELF build-IDs and verify that the Build-ID to PURL mapping runtime path executes.
- Verify binary call graph extraction behavior via the BinaryCallGraphExtractor tests.
- Verify that patch verification orchestration executes on both the patch-data and the no-patch-data paths.
- Verify that binary vulnerability findings are mapped into unified finding objects for downstream stages.
- Verify that the offline Build-ID index resolves exact mappings without network access.
- Verify that the worker runtime wiring includes the patch verification, build-id lookup, and finding mapping call sites.
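The two test-plan items above that matter most for offline operation are the extraction of the ELF build-ID and its exact, network-free resolution to a PURL. The following Python sketch is an added illustration, not StellaOps code: it parses a `.note.gnu.build-id` section (the standard `NT_GNU_BUILD_ID` note), resolves the hex build-ID against an in-memory index, and joins exact hits against a per-package advisory table into unified finding records. The note bytes, the index entries, the PURL and the advisory identifier are all constructed sample data; the class and function names are hypothetical and do not correspond to the project's `IBuildIdIndex`, `OfflineBuildIdIndex` or `BinaryFindingMapper` APIs.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

NT_GNU_BUILD_ID = 3  # note type for the GNU build-ID, as defined in elf.h


def parse_gnu_build_id(note_section: bytes, little_endian: bool = True) -> Optional[str]:
    """Walk the notes in an ELF .note.gnu.build-id section and return the
    build-ID as lowercase hex, or None if no GNU build-ID note is present."""
    end = "<" if little_endian else ">"
    off = 0
    while off + 12 <= len(note_section):
        namesz, descsz, ntype = struct.unpack_from(end + "III", note_section, off)
        off += 12
        name = note_section[off:off + namesz]
        off += (namesz + 3) & ~3        # name and descriptor are 4-byte aligned
        desc = note_section[off:off + descsz]
        off += (descsz + 3) & ~3
        if ntype == NT_GNU_BUILD_ID and name == b"GNU\x00" and len(desc) == descsz:
            return desc.hex()
    return None


def make_build_id_note(build_id: bytes) -> bytes:
    """Construct a .note.gnu.build-id section for the example (sample data,
    not taken from a real binary)."""
    name = b"GNU\x00"

    def pad4(b: bytes) -> bytes:
        return b + b"\x00" * ((-len(b)) % 4)

    header = struct.pack("<III", len(name), len(build_id), NT_GNU_BUILD_ID)
    return header + pad4(name) + pad4(build_id)


@dataclass(frozen=True)
class BuildIdLookup:
    build_id: str
    purl: Optional[str]
    status: str  # "exact" when the index knows the build-ID, otherwise "miss"


class OfflineBuildIdIndexExample:
    """In-memory build-ID -> PURL index; lookups never touch the network."""

    def __init__(self, entries: dict[str, str]):
        self._entries = {k.lower(): v for k, v in entries.items()}

    def lookup(self, build_id: str) -> BuildIdLookup:
        purl = self._entries.get(build_id.lower())
        return BuildIdLookup(build_id.lower(), purl, "exact" if purl else "miss")

    def lookup_batch(self, build_ids: Iterable[str]) -> list[BuildIdLookup]:
        # Deterministic output order: one result per input, in input order.
        return [self.lookup(b) for b in build_ids]


def map_binary_findings(lookups: Iterable[BuildIdLookup],
                        advisories_by_purl: dict[str, list[str]]) -> list[dict]:
    """Join exact build-ID resolutions against an advisory table, producing
    unified finding records that carry the build-ID as their evidence."""
    findings = []
    for r in lookups:
        if r.status != "exact":
            continue  # unresolved binaries produce no finding, only a miss
        for advisory in advisories_by_purl.get(r.purl, []):
            findings.append({
                "purl": r.purl,
                "build_id": r.build_id,
                "advisory": advisory,
                "evidence": "build-id-exact",
            })
    return findings


# Constructed sample inputs: one known binary, one the index has never seen.
KNOWN_BUILD_ID = bytes(range(20))                     # 20-byte SHA-1 style ID
SAMPLE_PURL = "pkg:deb/debian/libexample@1.0.0-1?arch=amd64"   # constructed
SAMPLE_INDEX = OfflineBuildIdIndexExample({KNOWN_BUILD_ID.hex(): SAMPLE_PURL})
SAMPLE_ADVISORIES = {SAMPLE_PURL: ["ADV-PLACEHOLDER-0001"]}     # placeholder id


def run_example() -> list[dict]:
    known_note = make_build_id_note(KNOWN_BUILD_ID)
    unknown_note = make_build_id_note(bytes(reversed(range(20))))
    ids = [parse_gnu_build_id(known_note), parse_gnu_build_id(unknown_note)]
    return map_binary_findings(SAMPLE_INDEX.lookup_batch(ids), SAMPLE_ADVISORIES)


if __name__ == "__main__":
    for f in run_example():
        print(f)
```

The parser deliberately checks both the note type and the `GNU\0` owner name, since other vendors place different note types in sections with the same layout; a build-ID that is not in the index yields a `miss` rather than a guess, which is what makes the mapping usable as deterministic evidence.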

## Verification

- Run ID: run-002
- Date (UTC): 2026-02-12
- Tier 0: Source verification passed (tier0-source-check.json).
- Tier 1: Build, focused behavior tests, and code-review semantic wiring checks passed (tier1-build-check.json, tier1-code-review.json).
- Tier 2: Integration/e2e summary passed, including runtime wiring parity checks (tier2-integration-check.json, tier2-e2e-check.json).