# Reachability Status Classification (R0-R3/UNREACHABLE through REACHABLE_PROVEN)

| Module  | Status      |
|---------|-------------|
| Scanner | IMPLEMENTED |

## Description

Reachability classification with multiple tiers (unreachable, possibly reachable, reachable static, reachable proven) and confidence scoring with deterministic modifiers.

## Implementation Details

- Reachability Models:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/DependencyReachabilityModels.cs` - Defines reachability status tiers (R0=UNREACHABLE, R1=POSSIBLY_REACHABLE, R2=REACHABLE_STATIC, R3=REACHABLE_PROVEN) with confidence scoring
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachabilityPolicy.cs` - `ReachabilityPolicy` configures classification thresholds and tier boundaries
- Static Analysis:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/StaticReachabilityAnalyzer.cs` - `StaticReachabilityAnalyzer` performs static call graph analysis for R2 classification
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ConditionalReachabilityAnalyzer.cs` - `ConditionalReachabilityAnalyzer` handles conditional reachability (feature flags, config-dependent paths)
- Combiner:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachGraphReachabilityCombiner.cs` - `ReachGraphReachabilityCombiner` combines static and runtime signals into the final classification
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/VulnerabilityReachabilityFilter.cs` - `VulnerabilityReachabilityFilter` filters vulnerabilities based on reachability status
- Reporting:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/Reporting/DependencyReachabilityReporter.cs` - Reporter for reachability classification results
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/Reporting/DependencyReachabilityReport.cs` - Report model
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachabilityReportBuilder.cs` - Builder for constructing reports

## E2E Test Plan

- Scan a container with a vulnerability in unreachable code and verify it is classified as R0 (UNREACHABLE)
- Scan a container with a vulnerability in statically reachable code (call graph path exists) and verify R2 (REACHABLE_STATIC)
- Verify runtime-confirmed reachability (observed call) promotes the classification to R3 (REACHABLE_PROVEN)
- Verify conditional reachability (behind a feature flag or config) is classified as R1 (POSSIBLY_REACHABLE) with appropriate confidence
- Verify confidence scores are computed deterministically for the same input
- Verify the vulnerability filter correctly suppresses R0 findings from default result sets
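The combiner, confidence scoring and default filter described above, written out as a small reference model (added here for illustration; it is not the project's C# code). The tier rules follow the test plan; the base confidences, modifier names and deltas are hypothetical values chosen only to show how deterministic modifiers are applied in a fixed order.

```python
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    R0_UNREACHABLE = 0
    R1_POSSIBLY_REACHABLE = 1
    R2_REACHABLE_STATIC = 2
    R3_REACHABLE_PROVEN = 3


@dataclass(frozen=True)
class Signals:
    static_path: bool       # static call graph reaches the vulnerable symbol
    conditional: bool       # that path sits behind a feature flag / config switch
    runtime_observed: bool  # the vulnerable symbol was observed being called at runtime


# Hypothetical base confidence per tier (illustrative, not the project's values).
BASE_CONFIDENCE = {Tier.R0_UNREACHABLE: 0.90, Tier.R1_POSSIBLY_REACHABLE: 0.50,
                   Tier.R2_REACHABLE_STATIC: 0.80, Tier.R3_REACHABLE_PROVEN: 0.99}

# Hypothetical modifiers as (name, predicate, delta). They are applied in this
# fixed order, never data-dependent, so equal inputs always produce equal scores.
MODIFIERS = (
    ("conditional_path", lambda s, t: t == Tier.R1_POSSIBLY_REACHABLE and s.conditional, -0.10),
    ("static_and_runtime_agree", lambda s, t: t == Tier.R3_REACHABLE_PROVEN and s.static_path, +0.01),
)


def classify(s: Signals) -> tuple[Tier, float]:
    """Combine static and runtime signals into a tier plus a deterministic confidence."""
    if s.runtime_observed:                      # observed call: proven, regardless of static view
        tier = Tier.R3_REACHABLE_PROVEN
    elif s.static_path and not s.conditional:   # unconditional call-graph path
        tier = Tier.R2_REACHABLE_STATIC
    elif s.static_path or s.conditional:        # path exists only under a flag/config
        tier = Tier.R1_POSSIBLY_REACHABLE
    else:
        tier = Tier.R0_UNREACHABLE
    score = BASE_CONFIDENCE[tier]
    for _name, applies, delta in MODIFIERS:
        if applies(s, tier):
            score += delta
    # Clamp and round to fixed precision so float accumulation cannot differ between runs.
    return tier, round(min(max(score, 0.0), 1.0), 2)


def filter_findings(findings, min_tier=Tier.R1_POSSIBLY_REACHABLE):
    """Default result set: suppress R0, keep every finding at or above min_tier."""
    return [(vuln, tier, conf) for vuln, tier, conf in findings if tier >= min_tier]
```

Raising `min_tier` to `Tier.R2_REACHABLE_STATIC` models a stricter policy that also hides conditionally reachable findings.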