35 lines
2.6 KiB
Markdown
35 lines
2.6 KiB
Markdown
# Trigger Method / Vulnerable Function Extraction
|
|
|
|
## Module
|
|
Scanner
|
|
|
|
## Status
|
|
IMPLEMENTED
|
|
|
|
## Description
|
|
Multi-language call graph extraction with guard detection and drift cause explanation. Covers entrypoint-to-sink path analysis.
|
|
|
|
## Implementation Details
|
|
- **Trigger Method Extractor**:
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Triggers/TriggerMethodExtractor.cs` - `TriggerMethodExtractor` extracting vulnerable trigger methods from vulnerability advisories and mapping them to call graph nodes
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Triggers/ITriggerMethodExtractor.cs` - Interface for trigger method extraction
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/Models/VulnSurfaceTrigger.cs` - `VulnSurfaceTrigger` model for extracted trigger methods
|
|
- **Vulnerable Function Matching**:
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/VulnerableFunctionMatcher.cs` - `VulnerableFunctionMatcher` matching binary functions against known vulnerable function signatures
|
|
- **Guard Detection**:
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/GuardDetector.cs` - `GuardDetector` detecting guard conditions (null checks, feature flags, auth checks) that protect vulnerable paths
|
|
- **Drift Cause Explanation**:
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/Services/DriftCauseExplainer.cs` - `DriftCauseExplainer` explaining why reachability changed (new dependency, updated call path, removed guard)
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.ReachabilityDrift/Services/ReachabilityDriftDetector.cs` - `ReachabilityDriftDetector` detecting reachability changes between scan versions
|
|
- **Tests**:
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces.Tests/TriggerMethodExtractorTests.cs` - Trigger extraction tests
|
|
- `src/Scanner/__Tests/StellaOps.Scanner.ReachabilityDrift.Tests/DriftCauseExplainerTests.cs` - Drift cause explanation tests
|
|
|
|
## E2E Test Plan
|
|
- [ ] Extract trigger methods from a Java vulnerability advisory (e.g., log4j) and verify the vulnerable methods are correctly identified
|
|
- [ ] Verify `VulnerableFunctionMatcher` matches binary symbols against known vulnerable function signatures
|
|
- [ ] Verify `GuardDetector` detects authentication guards that protect vulnerable call paths
|
|
- [ ] Verify `DriftCauseExplainer` correctly explains why a previously unreachable vulnerability became reachable (e.g., new transitive dependency)
|
|
- [ ] Verify entrypoint-to-sink path analysis produces a complete path from HTTP endpoint to vulnerable function
|
|
- [ ] Verify trigger method extraction works across Java, Python, JavaScript, and .NET ecosystems
|