git.stella-ops.org/docs/features/unchecked/scanner/3-bit-reachability-gate.md

# 3-Bit Reachability Gate

**Module:** Scanner

**Status:** IMPLEMENTED

## Description

Gate-based reachability system with multiple gate detectors (auth, admin-only, feature flags, non-default config), gate multiplier calculator, and rich graph annotation for gate-aware reachability.

## Implementation Details

- Gate Detectors (each implements `IGateDetector`):
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/Detectors/AuthGateDetector.cs` - Detects authentication gates on paths
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/Detectors/AdminOnlyDetector.cs` - Detects admin-only access restrictions
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/Detectors/FeatureFlagDetector.cs` - Detects feature flag conditions
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/Detectors/NonDefaultConfigDetector.cs` - Detects non-default configuration gates
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/Detectors/FileSystemCodeContentProvider.cs` - Provides file system code content for detection
- Gate Composition & Scoring:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/CompositeGateDetector.cs` - Combines multiple gate detectors
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/GateMultiplierCalculator.cs` - Calculates gate multipliers for risk scoring
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/GateModels.cs` - Gate data models
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/GatePatterns.cs` - Pattern matching rules for gate detection
- Rich Graph Annotation:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/RichGraphGateAnnotator.cs` - Annotates rich graphs with gate information
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/RichGraph.cs` - Core rich graph model
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/RichGraphWriter.cs` - Writes gate-annotated rich graphs
- SmartDiff Integration:
  - `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/ReachabilityGateBridge.cs` - Bridges gate detection into smart diff analysis
- PR Gate:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Cache/PrReachabilityGate.cs` - PR-level reachability gate evaluation

## E2E Test Plan

- Set up a scan target image containing a web application with authenticated routes, admin-only endpoints, feature-flagged code, and non-default config paths
- Trigger a scan via `POST /api/v1/scans` with reachability analysis enabled
- Verify each gate detector identifies its respective gate type in the reachability graph via `GET /api/v1/scans/{scanId}/reachability`
- Verify `GateMultiplierCalculator` reduces risk scores for gated paths (auth-gated vulns score lower than ungated)
- Verify the rich graph response includes gate annotations on affected nodes and edges
- Verify SmartDiff output includes gate-aware reachability context via the `ReachabilityGateBridge`
- Verify PR gate evaluation correctly blocks/allows based on gate-modified reachability status
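To make the scoring step of the test plan concrete (the description's gate multiplier and the "auth-gated vulns score lower than ungated" check), here is an added, self-contained model of gate-aware reachability scoring. It is example code written for this page, not the scanner's `GateMultiplierCalculator` or `RichGraphGateAnnotator`. The four gate kinds mirror the detectors listed above; the multiplier values, the sample call graphs, the `parse_xml` sink and the rule that the least-gated path decides a sink's multiplier are all assumptions made for the illustration.

```python
# Toy model of gate-aware reachability scoring. Constructed example, not
# StellaOps code: gate weights, graph shape and the "least-gated path decides"
# rule are assumptions for illustration only.
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple


class GateKind(Enum):
    AUTH = "auth"
    ADMIN_ONLY = "admin-only"
    FEATURE_FLAG = "feature-flag"
    NON_DEFAULT_CONFIG = "non-default-config"


# Hypothetical per-gate multipliers: every gate kind met on a path scales the
# exploitability of the sink that path leads to (smaller = harder to reach).
GATE_MULTIPLIERS: Dict[GateKind, float] = {
    GateKind.AUTH: 0.5,
    GateKind.ADMIN_ONLY: 0.25,
    GateKind.FEATURE_FLAG: 0.6,
    GateKind.NON_DEFAULT_CONFIG: 0.4,
}

# Adjacency map: caller -> [(callee, gate kinds guarding that call)], i.e. the
# call graph as the detectors would have annotated it.
Graph = Dict[str, List[Tuple[str, FrozenSet[GateKind]]]]
Edge = Tuple[str, str, FrozenSet[GateKind]]


def simple_paths(graph: Graph, entry: str, sink: str) -> List[List[Edge]]:
    """Enumerate every cycle-free path from entry to sink as a list of edges."""
    paths: List[List[Edge]] = []

    def walk(node: str, visited: set, edges: List[Edge]) -> None:
        if node == sink:
            paths.append(list(edges))
            return
        for callee, gates in graph.get(node, []):
            if callee in visited:  # recursion / callback cycle: skip
                continue
            edges.append((node, callee, gates))
            walk(callee, visited | {callee}, edges)
            edges.pop()

    walk(entry, {entry}, [])
    return paths


def path_multiplier(path: List[Edge]) -> float:
    """Product of the multipliers of the distinct gate kinds on one path.
    A kind counts once per path even if several edges carry it."""
    kinds = set()
    for _, _, gates in path:
        kinds.update(gates)
    result = 1.0
    for kind in kinds:
        result *= GATE_MULTIPLIERS[kind]
    return result


def sink_multiplier(graph: Graph, entry: str, sink: str) -> float:
    """Multiplier for a sink: the least-gated path decides (max over paths),
    because the cheapest route is the one that matters. 0.0 = unreachable."""
    paths = simple_paths(graph, entry, sink)
    return max((path_multiplier(p) for p in paths), default=0.0)


def gated_score(base_score: float, graph: Graph, entry: str, sink: str) -> float:
    """Base severity scaled by the sink's gate multiplier."""
    return base_score * sink_multiplier(graph, entry, sink)


def annotate_edges(graph: Graph) -> Dict[str, List[str]]:
    """Per-edge gate annotations as a rich-graph writer might record them:
    "caller->callee" -> sorted gate names."""
    return {
        f"{caller}->{callee}": sorted(g.value for g in gates)
        for caller, callees in graph.items()
        for callee, gates in callees
    }


# Constructed sample graphs; the vulnerable sink in both is `parse_xml`.
NO_GATE: FrozenSet[GateKind] = frozenset()
ADMIN_ROUTE = frozenset({GateKind.AUTH, GateKind.ADMIN_ONLY})

# Graph A: sink reachable via an admin-only route AND an unauthenticated one;
# the orders controller also calls back into the entry (a cycle).
GRAPH_A: Graph = {
    "http_entry": [("admin_controller", ADMIN_ROUTE), ("orders_controller", NO_GATE)],
    "admin_controller": [("parse_xml", NO_GATE)],
    "orders_controller": [("parse_xml", NO_GATE), ("http_entry", NO_GATE)],
}

# Graph B: the same code with the unauthenticated route removed.
GRAPH_B: Graph = {
    "http_entry": [("admin_controller", ADMIN_ROUTE)],
    "admin_controller": [("parse_xml", NO_GATE)],
}

if __name__ == "__main__":
    for name, g in (("A", GRAPH_A), ("B", GRAPH_B)):
        m = sink_multiplier(g, "http_entry", "parse_xml")
        print(f"graph {name}: multiplier={m} score={gated_score(9.8, g, 'http_entry', 'parse_xml'):.3f}")
    print(annotate_edges(GRAPH_A))
```

The point the model makes, and the one the "auth-gated vulns score lower than ungated" step should pin down, is that a gate only reduces a sink's score when every path to the sink is gated: in graph A the ungated `orders_controller` route keeps the multiplier at 1.0 despite the admin-only route, while in graph B the multiplier drops to 0.125. A calculator that scored the first path it found rather than the least-gated one would report a misleadingly low risk for graph A.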