Scanner Integration for Binary Analysis

Module

BinaryIndex

IMPLEMENTED

Binary vulnerability analysis integrated into the scanner worker pipeline with patch verification and build provenance reproducibility verification.

Modules: src/BinaryIndex/, src/Scanner/
Key Classes:
- BinaryVulnerabilityService (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Persistence/Services/BinaryVulnerabilityService.cs) - core binary vulnerability detection service used by scanner pipeline; queries ICorpusQueryService for function matches
- CachedBinaryVulnerabilityService (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Cache/CachedBinaryVulnerabilityService.cs) - cached decorator with LookupByDeltaSignatureAsync for scanner integration
- ResolutionService (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Resolution/ResolutionService.cs) - resolves whether a CVE is fixed based on binary-level evidence
- ReproducibleBuildJob (src/BinaryIndex/StellaOps.BinaryIndex.Worker/Jobs/ReproducibleBuildJob.cs) - worker job for build provenance verification
- EnsembleDecisionEngine (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Ensemble/EnsembleDecisionEngine.cs) - multi-tier matching for scanner-detected vulnerabilities
Integration Points: Scanner pipeline calls IBinaryVulnerabilityService to enrich findings with binary-level patch verification

Trigger a scanner scan on a container with known binaries and verify binary analysis runs automatically
Verify scanner findings are enriched with binary-level patch status (Fixed, Vulnerable, Unknown)
Verify CachedBinaryVulnerabilityService caches scanner lookups for performance
Verify build provenance verification runs as a background worker job
Verify ensemble decision engine produces consistent results when called from scanner pipeline
Verify binary analysis results are included in scanner output findings