git.stella-ops.org/docs/features/unchecked/scanner/reachability-subgraph-extraction-and-proof-of-exposure.md


# Reachability Subgraph Extraction and Proof of Exposure
## Module
Scanner
## Status
IMPLEMENTED
## Description
Full subgraph extraction for reachability proofs with witness tracking, explanation generation, and proof spine building.
## Implementation Details
- **Subgraph Extraction**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Subgraph/ReachabilitySubgraphExtractor.cs` - `ReachabilitySubgraphExtractor` extracts full subgraphs for reachability proofs, including all nodes and edges on paths from entrypoints to vulnerable sinks
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/SubgraphExtractor.cs` - Base subgraph extraction logic
- **Witness Tracking**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitness.cs` - `PathWitness` records witnessed reachability paths
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeObservation.cs` - `RuntimeObservation` records runtime-observed call events with stack samples
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/IRuntimeWitnessGenerator.cs` - Interface for generating runtime witnesses
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeWitnessRequest.cs` - Request model for witness generation
- **Attestation**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/ReachabilitySubgraphPublisher.cs` - Publishes proof-of-exposure subgraphs as attestations
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/ReachabilityWitnessPublisher.cs` - Publishes witness records as attestations
- **Resolver**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/IReachabilityResolver.cs` - Interface for resolving reachability queries
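The extraction rule behind the subgraph (keep exactly the nodes and edges that lie on some entrypoint-to-sink path), witness path enumeration and gate-aware explanation text, shown as an added Python example that is not the project's `ReachabilitySubgraphExtractor` code. The call graph, node names and gate annotations are constructed for illustration.

```python
from collections import deque
# Constructed sample call graph (caller -> callees); not taken from the scanner.
CALL_GRAPH = {
    "Api.Upload": ["Svc.Store", "Svc.Audit"],
    "Api.Admin": ["Svc.Config"],
    "Svc.Store": ["Lib.Parse"],
    "Svc.Config": ["Lib.Parse"],
    "Svc.Audit": ["Lib.Log"],
    "Lib.Parse": ["Lib.Decompress"],
    "Util.Unused": ["Lib.Parse"],  # dead code: no entrypoint reaches it
}
GATES = {"Api.Admin": "admin-only", "Svc.Config": "auth"}  # constructed gate annotations

def _reach(graph, starts):
    """Nodes reachable from `starts` by following `graph` edges (BFS)."""
    seen, queue = set(starts), deque(starts)
    while queue:
        for nxt in graph.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def extract_subgraph(graph, entrypoints, sink):
    """Nodes/edges on some entrypoint -> sink path (forward- AND backward-reachable)."""
    reverse = {}
    for u, callees in graph.items():
        for v in callees:
            reverse.setdefault(v, []).append(u)
    nodes = _reach(graph, entrypoints) & _reach(reverse, [sink])
    edges = sorted((u, v) for u in nodes for v in graph.get(u, []) if v in nodes)
    return nodes, edges

def witness_paths(graph, nodes, entrypoints, sink):
    """All simple entrypoint -> sink paths that stay inside `nodes` (cycle-safe DFS)."""
    found = []
    def dfs(node, path):
        if node == sink:
            found.append(path)
            return
        for nxt in graph.get(node, []):
            if nxt in nodes and nxt not in path:  # never revisit a node on this path
                dfs(nxt, path + [nxt])
    for entry in sorted(entrypoints):
        dfs(entry, [entry])
    return found

def explain(path, gates):
    """Human-readable exposure path with gated nodes marked inline."""
    return " -> ".join(f"{n} [{gates[n]}]" if n in gates else n for n in path)
```

Nodes such as `Svc.Audit` (reachable but not leading to the sink) and `Util.Unused` (leading to the sink but unreachable) are pruned, which is what keeps the proof minimal.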
## E2E Test Plan
- [ ] Extract a subgraph for a specific vulnerability and verify it contains all nodes and edges from entrypoint to vulnerable sink
- [ ] Verify witness tracking records runtime-observed call events that confirm reachability
- [ ] Verify proof-of-exposure subgraphs are publishable as DSSE-signed attestations
- [ ] Verify the subgraph includes gate annotations (auth, admin-only) on intermediate nodes
- [ ] Verify explanation generation produces human-readable descriptions of the exposure path
- [ ] Verify the reachability resolver correctly queries subgraphs for specific CVE/component pairs