52 lines
3.0 KiB
Markdown
# Binary SBOM and Build-ID to PURL Mapping

## Module

Scanner

## Status

VERIFIED

## Description

Binary call graph extraction, offline Build-ID to PURL correlation, patch verification orchestration, and unified binary finding mapping are wired into Scanner worker execution with deterministic Tier 1/Tier 2 evidence.
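As an added illustration of the offline Build-ID to PURL correlation described above (example code written for this page, not StellaOps's own `OfflineBuildIdIndex` or `BuildIdLookupResult`; the index shape, the PURL value and the note blobs are constructed assumptions), the block below parses the ELF `.note.gnu.build-id` note format and resolves the resulting build-id against an exact-match in-memory table, reporting a miss rather than an error when no entry exists.

```python
import struct
from dataclasses import dataclass
from typing import Optional

NT_GNU_BUILD_ID = 3  # note type carried in the .note.gnu.build-id section

def parse_gnu_build_id(note: bytes, little_endian: bool = True) -> Optional[str]:
    """Walk a raw ELF note section and return the GNU build-id as lowercase hex.
    Each note is: namesz (u32), descsz (u32), type (u32), name padded to 4 bytes,
    desc padded to 4 bytes. Returns None when no NT_GNU_BUILD_ID note is present
    or the section is truncated, so the caller treats the binary as a miss.
    """
    fmt = "<III" if little_endian else ">III"
    off = 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from(fmt, note, off)
        off += 12
        name = note[off:off + namesz]
        off += (namesz + 3) & ~3
        desc = note[off:off + descsz]
        off += (descsz + 3) & ~3
        if ntype == NT_GNU_BUILD_ID and name == b"GNU\x00" and len(desc) == descsz:
            return desc.hex()
    return None

@dataclass(frozen=True)
class BuildIdLookupResult:
    build_id: str
    purl: Optional[str]  # None when the offline index holds no exact entry

class OfflineBuildIdIndex:
    """Exact-match, in-memory build-id -> PURL table (shape assumed for this example)."""
    def __init__(self, entries: dict[str, str]) -> None:
        self._entries = {k.lower(): v for k, v in entries.items()}

    def lookup_batch(self, build_ids: list[str]) -> list[BuildIdLookupResult]:
        # Sorted, de-duplicated input yields deterministic evidence output;
        # the lookup never touches the network.
        unique = sorted({b.lower() for b in build_ids})
        return [BuildIdLookupResult(b, self._entries.get(b)) for b in unique]

def make_note(build_id: bytes, ntype: int = NT_GNU_BUILD_ID) -> bytes:
    """Construct a GNU note blob: sample input for this example, not a real file."""
    name = b"GNU\x00"
    pad = b"\x00" * ((-len(build_id)) % 4)
    return struct.pack("<III", len(name), len(build_id), ntype) + name + build_id + pad

# Constructed sample index; the PURL is illustrative, not a real package record.
SAMPLE_INDEX = OfflineBuildIdIndex({"deadbeef" * 5: "pkg:deb/debian/example-lib@1.2.3-1?arch=amd64"})
```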

## Implementation Details

- **Binary call graph extraction**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/BinaryCallGraphExtractor.cs`
- **Patch verification engine + contracts**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/IPatchVerificationOrchestrator.cs`
  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/PatchVerificationOrchestrator.cs`
  - `src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/DependencyInjection/ServiceCollectionExtensions.cs`
- **Build-ID index**:
  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/IBuildIdIndex.cs`
  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/OfflineBuildIdIndex.cs`
  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/BuildIdLookupResult.cs`
- **Worker runtime wiring**:
  - `src/Scanner/StellaOps.Scanner.Worker/Extensions/BinaryIndexServiceExtensions.cs`
    - registers patch verification services in the worker binary integration path.
  - `src/Scanner/StellaOps.Scanner.Worker/Processing/BinaryLookupStageExecutor.cs`
    - publishes mapped binary findings for downstream gating.
    - executes Build-ID index batch lookup and stores mapping output.
    - executes patch verification orchestration and stores the verification result.
  - `src/Scanner/StellaOps.Scanner.Worker/Processing/BinaryFindingMapper.cs`
    - runtime call path now exercised from the binary lookup stage.
- **Shared analysis contracts**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Contracts/ScanAnalysisKeys.cs`
    - added binary build-id mapping and patch-verification analysis keys.
- **Worker validation test**:
  - `src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/BinaryLookupStageExecutorTests.cs`

## E2E Test Plan

- [x] Scan a container image with native binaries containing ELF build-IDs and verify that the Build-ID to PURL mapping runtime path executes.
- [x] Verify binary call graph extraction behavior via `BinaryCallGraphExtractor` tests.
- [x] Verify patch verification orchestration executes on both the patch-data and no-patch-data paths.
- [x] Verify binary vulnerability findings are mapped into unified finding objects for downstream stages.
- [x] Verify the offline Build-ID index resolves exact mappings without network access.
- [x] Verify worker runtime wiring includes patch verification, build-id lookup, and finding mapping call sites.

## Verification

- Run ID: `run-002`
- Date (UTC): 2026-02-12
- Tier 0: Source verification passed (`tier0-source-check.json`).
- Tier 1: Build, focused behavior tests, and code-review semantic wiring checks passed (`tier1-build-check.json`, `tier1-code-review.json`).
- Tier 2: Integration/e2e summary passed, including runtime wiring parity checks (`tier2-integration-check.json`, `tier2-e2e-check.json`).