stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
b851aa8300b7febfb2e661443c8e39df13fa4e22
git.stella-ops.org/docs/features/checked/scanner/compositional-library-aware-call-graph-reachability.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

2.8 KiB
Raw Blame History

Compositional Library-Aware Call-Graph Reachability

Module

Scanner

Status

VERIFIED

Description

Multi-layer reachability analysis combining call-graph extraction, dependency-aware analysis, surface-aware analysis, and conditional reachability with ReachGraph integration.

Implementation Details

  • Dependency-Aware Reachability:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ConditionalReachabilityAnalyzer.cs - Conditional reachability analysis considering library dependencies
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/DependencyReachabilityModels.cs - Models for dependency-aware reachability
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachGraphReachabilityCombiner.cs - Combines ReachGraph data with local reachability analysis
  • Dependency Reporting:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/Reporting/DependencyReachabilityReporter.cs - Generates dependency reachability reports
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/Reporting/DependencyReachabilityReport.cs - Report model
  • Surface-Aware Analysis:
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Surfaces/SurfaceAwareReachabilityAnalyzer.cs - Surface-aware reachability analysis combining attack surface with call graph
  • Call Graph Extraction (multi-language):
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/ - Multi-language call graph extractors
  • Worker Integration:
    • src/Scanner/StellaOps.Scanner.Worker/Processing/Reachability/ReachabilityBuildStageExecutor.cs - Builds reachability during scan
    • src/Scanner/StellaOps.Scanner.Worker/Processing/Reachability/SbomReachabilityStageExecutor.cs - SBOM-level reachability analysis
  • API:
    • src/Scanner/StellaOps.Scanner.WebService/Endpoints/ReachabilityEndpoints.cs - ReachabilityEndpoints for querying reachability results

E2E Test Plan

  • Scan an image with a multi-library application and verify call graph extraction captures inter-library calls
  • Verify ConditionalReachabilityAnalyzer considers conditional dependencies (optional/feature-flagged)
  • Verify SurfaceAwareReachabilityAnalyzer combines attack surface data with call graph to produce accurate reachability verdicts
  • Verify ReachGraphReachabilityCombiner integrates external ReachGraph data with local analysis
  • Query reachability results via GET /api/v1/scans/{scanId}/reachability and verify library-aware paths are included
  • Verify the dependency reachability report includes per-library reachability status

Verification

Check Result
Tier 0 - Source files exist PASS
Tier 1 - Build + code review PASS
Tier 2 - Integration tests PASS
Verified 2026-02-13T18:10:00Z