stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
94ea6c5e88b5bf03a1916f5abaf61d2289dbb1b8
git.stella-ops.org/src/Scanner/AGENTS.md
master 951a38d561 Add Canonical JSON serialization library with tests and documentation 
- Implemented CanonJson class for deterministic JSON serialization and hashing.
- Added unit tests for CanonJson functionality, covering various scenarios including key sorting, handling of nested objects, arrays, and special characters.
- Created project files for the Canonical JSON library and its tests, including necessary package references.
- Added README.md for library usage and API reference.
- Introduced RabbitMqIntegrationFactAttribute for conditional RabbitMQ integration tests.
2025-12-19 15:35:00 +02:00

6.6 KiB
Raw Blame History

AGENTS · Scanner Module

Roles

  • Backend / Analyzer Engineer: .NET 10 (preview) for analyzers, worker, web service, plug-ins; keep outputs deterministic.
  • QA / Bench Engineer: Adds golden fixtures, regression tests, and perf/determinism benchmarks under __Tests / __Benchmarks.
  • Docs Touches (light): Update module docs under src/Scanner/docs when behavior/contracts change; mirror in sprint notes.

Required Reading

  • docs/README.md
  • docs/07_HIGH_LEVEL_ARCHITECTURE.md
  • docs/modules/platform/architecture-overview.md
  • docs/modules/scanner/architecture.md
  • docs/reachability/DELIVERY_GUIDE.md (sections 5.55.9 for native/JS/PHP updates)
  • docs/reachability/purl-resolved-edges.md
  • docs/reachability/patch-oracles.md
  • docs/product-advisories/14-Dec-2025 - Smart-Diff Technical Reference.md (for Smart-Diff predicates)
  • Current sprint file (e.g., docs/implplan/SPRINT_401_reachability_evidence_chain.md).

Working Directory & Boundaries

  • Primary scope: src/Scanner/** (analyzers, worker, web service, plugins, __Libraries, __Tests, __Benchmarks, docs).
  • Avoid cross-module edits unless sprint explicitly permits; note any cross-module change in sprint tracker.
  • Keep fixtures minimal/deterministic; store under src/Scanner/__Tests/Fixtures or __Benchmarks.

Smart-Diff Contracts (Sprint 3500)

The Scanner module now includes Smart-Diff foundation primitives:

Libraries

  • StellaOps.Scanner.SmartDiff - Core Smart-Diff predicate models and serialization
  • StellaOps.Scanner.Reachability - Reachability gate computation with 3-bit class

Key Types

  • SmartDiffPredicate - Attestation predicate for differential scans
  • ReachabilityGate - 3-bit class (0-7) indicating entry/sink reachability
  • SinkCategory - Taxonomy of sensitive sinks (file, network, crypto, etc.)
  • SinkRegistry - Registry of known sinks with category mappings

Predicate Schema

  • URI: stellaops.dev/predicates/smart-diff@v1
  • Schema: docs/schemas/stellaops-smart-diff.v1.schema.json
  • DSSE-signed predicates for evidence chain

Integration Points

  • Integrates with StellaOps.Policy.Suppression for pre-filter rules
  • Emits to Attestor module for DSSE envelope wrapping
  • Consumed by Findings Ledger for triage decisions

Reachability Drift (Sprint 3600)

Reachability Drift Detection tracks function-level reachability changes between scans:

Libraries

  • StellaOps.Scanner.ReachabilityDrift - Drift detection engine, API models, attestation
  • StellaOps.Scanner.CallGraph - Language-specific call graph extractors
  • StellaOps.Scanner.VulnSurfaces - Vulnerability surface computation (trigger methods)

Key Types

  • ReachabilityDriftResult - Drift analysis output (newly reachable, mitigated paths)
  • DriftedSink - Sink that changed reachability state with cause attribution
  • DriftCause - Causal explanation (guard removed, new route, code change)
  • CompressedPath - Compact path representation (entrypoint → key nodes → sink)
  • ReachabilityConfidenceTier - Confirmed/Likely/Present/Unreachable tiers

Predicate Schema

  • URI: stellaops.dev/predicates/reachability-drift@v1
  • DSSE-signed attestations for drift evidence chain

Call Graph Support

  • .NET: Roslyn semantic analysis (DotNetCallGraphExtractor)
  • Node.js: Babel AST analysis (NodeCallGraphExtractor)
  • Future: Java (ASM), Go (SSA), Python (AST)

Entrypoint Detection

  • ASP.NET Core: [HttpGet], [Route], minimal APIs
  • Express/Fastify: route handlers
  • Background: IHostedService, BackgroundService
  • CLI: Main, command handlers

Drift API Endpoints

  • POST /api/drift/analyze - Compute drift between two scans
  • GET /api/drift/{driftId} - Retrieve drift result
  • GET /api/drift/{driftId}/paths - Get detailed paths

Testing

  • Unit tests: src/Scanner/__Tests/StellaOps.Scanner.ReachabilityDrift.Tests/
  • Benchmark cases: bench/reachability-benchmark/
  • Golden fixtures: deterministic path compression, DSSE output

Vulnerability Surfaces (Sprint 3700)

Compute vulnerability surfaces by diffing vulnerable vs fixed package versions:

Libraries

  • StellaOps.Scanner.VulnSurfaces - Surface builder, method fingerprinting, trigger extraction

Key Types

  • VulnSurface - Computed surface with sink methods and triggers
  • VulnSurfaceSink - Method that changed in security fix
  • VulnSurfaceTrigger - Public API that can reach sink
  • MethodFingerprint - Stable method identity across versions

Per-Ecosystem Support

  • NuGet: Cecil IL fingerprinting
  • npm: Babel AST fingerprinting
  • Maven: ASM bytecode fingerprinting
  • PyPI: Python AST fingerprinting

Integration with Reachability

  • ISurfaceQueryService - Query triggers for CVE during scan
  • Confidence tiers: Confirmed (trigger reachable) > Likely (API reachable) > Present (dep only)
  • Path witnesses include surface evidence for audit trail

Engineering Rules

  • Target net10.0; prefer latest C# preview allowed in repo.
  • Offline-first: no new external network calls; use cached feeds (/local-nugets).
  • Determinism: stable ordering, UTC ISO-8601 timestamps, no DateTime.Now/random without seed; normalize path separators.
  • Logging: structured (ILogger message templates); avoid secrets/paths leakage.
  • Security: no executing untrusted payloads; keep analyzers pure; include redaction guidance for runtime capture adapters.
  • Native analyzers: capture .note.gnu.build-id when present and thread into SymbolID/code_id; add synthetic roots for .preinit_array/.init_array/_init; emit purl+symbol-digest on call edges; emit Unknowns when symbol→purl or edges are unresolved.
  • Tests: keep patch-oracle fixtures deterministic (strip binaries; stable compilers); add/maintain tests/reachability/patch-oracles/** when touching native analyzers.

Testing & Verification

  • Default: dotnet test src/Scanner/StellaOps.Scanner.sln.
  • Add/extend tests in src/Scanner/__Tests/**; golden outputs should be deterministic (sorted keys, stable ordering).
  • Benchmarks under src/Scanner/__Benchmarks/**; document input and expected ceilings in comments.
  • Cover multi-RID, trimmed/NativeAOT, self-contained vs framework-dependent cases where applicable.
  • Smart-Diff: Run schema validation tests (SmartDiffSchemaValidationTests) for predicate contract changes.

Workflow Expectations

  • Mirror task state in sprint tracker (TODO → DOING → DONE/BLOCKED); note blockers with the specific decision needed.
  • Keep resolvers/analyzers parametric on environment data (RID, TFM, search paths); avoid host-global state.
  • When adding DI/manifest registrations, ensure restart-time and worker compatibility; update module docs if contracts change.