git.stella-ops.org/docs/features/unimplemented/scanner/bun-call-graph-extractor.md
2026-02-12 21:02:43 +02:00

Bun Call Graph Extractor

Module: Scanner

Status: PARTIALLY_IMPLEMENTED

Description

Static call graph extraction for Bun runtime JavaScript/TypeScript codebases, extending the multi-language extractor framework with Bun-specific entrypoint detection and sink matching.

Implementation Details

  • Call Graph Extractor:
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Bun/BunCallGraphExtractor.cs - Static call graph extraction for Bun runtime codebases
  • Entrypoint Detection:
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Bun/BunEntrypointClassifier.cs - Classifies Bun-specific entrypoints (e.g., Bun.serve, macros, plugins)
  • Sink Matching:
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Bun/BunSinkMatcher.cs - Matches Bun-specific security-sensitive sinks (file I/O, shell exec, FFI, etc.)
  • DI Registration:
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/DependencyInjection/CallGraphServiceCollectionExtensions.cs

E2E Test Plan

  • Scan a container image containing a Bun application with Bun.serve entrypoints
  • Verify call graph extraction produces nodes for Bun-specific entrypoints (HTTP handlers, macros, plugins)
  • Verify BunSinkMatcher identifies Bun-specific sinks (e.g., Bun.file, Bun.spawn, Bun.ffi)
  • Verify the extracted call graph links entrypoints to sinks through the application code
  • Verify call graph data is available in reachability analysis via GET /api/v1/scans/{scanId}/reachability
  • Verify TypeScript and JavaScript files are both analyzed correctly in mixed Bun projects

Verification Findings

  • run-001 Tier 0 confirmed Bun extractor source files and key classes exist.
  • Tier 1 build/tests passed (CallGraph tests 173/173), including new focused Bun extractor positive/negative behavior tests.
  • Code review and Tier 2 semantic checks failed (missing_code):
    • The Bun extractor is not registered in AddCallGraphServices, so runtime registry selection does not expose the bun language.
    • Source-mode extraction currently emits Bun entrypoint/sink nodes but no call edges linking entrypoints to sinks; edge construction exists only in trace-file mode.
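The entrypoint-to-sink linking that the E2E test plan expects, and that the finding above reports as missing in source mode, sketched as an added JavaScript example; this is not the project's BunCallGraphExtractor or BunSinkMatcher code. It assumes a constructed sample Bun app, a hypothetical sink list modelled on the page's examples (Bun.spawn, Bun.file), and only function declarations and object-method shorthand (no arrow functions, no delimiters inside strings or comments).

```javascript
const BUN_SINKS = ["Bun.spawn", "Bun.spawnSync", "Bun.file", "Bun.write"]; // assumed sink list, not the project's
// Constructed sample Bun app: fetch handler -> handle -> runTool -> Bun.spawn; readConfig is never called.
const SAMPLE_SOURCE = `
Bun.serve({
  fetch(req) { return handle(req); },
});
function handle(req) { return runTool(new URL(req.url).searchParams.get("dir") ?? "."); }
function runTool(dir) { const p = Bun.spawn(["ls", dir]); return new Response(p.stdout); }
function readConfig() { return Bun.file("config.json").text(); }
`;

// Index of the delimiter closing the one at `open` (assumes none of them appear inside strings/comments).
function matchClose(src, open, o, c) {
  for (let i = open, depth = 0; i < src.length; i++) {
    if (src[i] === o) depth++; else if (src[i] === c && --depth === 0) return i;
  }
  throw new Error("unbalanced delimiter");
}
// Function declarations and object-method shorthands (control-flow keywords excluded): name -> { start, body }.
function extractFunctions(src) {
  const fns = new Map(), re = /\b(?!(?:if|for|while|switch|catch)\b)([A-Za-z_$][\w$]*)\s*\([^(){}]*\)\s*\{/g;
  for (let m; (m = re.exec(src)); ) {
    const open = m.index + m[0].length - 1;
    fns.set(m[1], { start: m.index, body: src.slice(open + 1, matchClose(src, open, "{", "}")) });
  }
  return fns;
}
// Nodes are functions plus sinks; entrypoints are the functions defined inside the Bun.serve(...) argument.
function buildCallGraph(src) {
  const fns = extractFunctions(src);
  const serveAt = src.indexOf("Bun.serve(");
  const serveEnd = serveAt < 0 ? -1 : matchClose(src, serveAt + 9, "(", ")");
  const entrypoints = [...fns].filter(([, f]) => f.start > serveAt && f.start < serveEnd).map(([n]) => n);
  const edges = [];
  for (const [caller, f] of fns) {
    for (const callee of fns.keys()) if (callee !== caller && f.body.includes(callee + "(")) edges.push([caller, callee]);
    for (const sink of BUN_SINKS) if (f.body.includes(sink + "(")) edges.push([caller, sink]);
  }
  return { entrypoints, edges };
}
// BFS from every entrypoint; returns { sinkName: [entrypoint, ..., sinkName] } for each reachable sink.
function reachableSinks({ entrypoints, edges }) {
  const found = {}, seen = new Set(entrypoints), queue = entrypoints.map((e) => [e]);
  while (queue.length) {
    const path = queue.shift(), node = path[path.length - 1];
    if (BUN_SINKS.includes(node)) { found[node] = path; continue; }
    for (const [from, to] of edges) if (from === node && !seen.has(to)) { seen.add(to); queue.push([...path, to]); }
  }
  return found;
}
```

On the sample, Bun.spawn is reported as reachable via fetch -> handle -> runTool, while Bun.file appears as a sink node with no path from any entrypoint, which is the distinction the source-mode extractor cannot currently make without edges.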