Binary SBOM and Build-ID to PURL Mapping

Module: Scanner

Status: IMPLEMENTED

Description

Binary call graph extraction, patch verification with signature stores and evidence models, and binary index service extensions for the scanner worker.

Implementation Details

  • Binary Call Graph Extraction:
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/BinaryCallGraphExtractor.cs - Extracts call graphs from native binaries
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/DependencyInjection/CallGraphServiceCollectionExtensions.cs - DI registration
  • Patch Verification:
    • src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/IPatchVerificationOrchestrator.cs - Orchestrator interface
    • src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/PatchVerificationOrchestrator.cs - Orchestrates patch verification workflow
    • src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Services/IPatchSignatureStore.cs - Interface for patch signature storage
    • src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Services/InMemoryPatchSignatureStore.cs - In-memory signature store implementation
    • src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Services/EvidenceIdGenerator.cs - Generates evidence IDs for patch verification results
  • Patch Verification Models:
    • src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Models/PatchVerificationResult.cs - Result model
    • src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Models/PatchVerificationEvidence.cs - Evidence model
    • src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Models/PatchVerificationContext.cs - Context model
    • src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Models/PatchVerificationStatus.cs - Status enum
    • src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Models/PatchVerificationOptions.cs - Options
    • src/Scanner/__Libraries/StellaOps.Scanner.PatchVerification/Models/DsseEnvelopeRef.cs - DSSE envelope reference
  • Worker Integration:
    • src/Scanner/StellaOps.Scanner.Worker/Extensions/BinaryIndexServiceExtensions.cs - DI registration of IBinaryVulnerabilityService and IBinaryFeatureExtractor for the worker
    • src/Scanner/StellaOps.Scanner.Worker/Processing/BinaryLookupStageExecutor.cs - Binary lookup stage during scan
    • src/Scanner/StellaOps.Scanner.Worker/Processing/BinaryVulnerabilityAnalyzer.cs - Binary vulnerability analysis
    • src/Scanner/StellaOps.Scanner.Worker/Processing/BinaryFindingMapper.cs - Maps binary findings to unified finding model
  • Build-ID Index:
    • src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/OfflineBuildIdIndex.cs - Offline build-ID to PURL index
    • src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/IBuildIdIndex.cs - Interface for build-ID index
    • src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/BuildIdIndexEntry.cs - Index entry model
    • src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/BuildIdLookupResult.cs - Lookup result model

E2E Test Plan

  • Scan a container image with native binaries containing ELF build-IDs and verify build-ID to PURL mapping resolves correctly
  • Verify binary call graph extraction produces a valid call graph for native binaries via BinaryCallGraphExtractor
  • Trigger patch verification on a scanned binary and verify PatchVerificationOrchestrator produces evidence with status and signature references
  • Verify binary vulnerability findings are mapped to the unified finding model and appear in scan results
  • Verify the offline build-ID index (OfflineBuildIdIndex) can resolve build-IDs without network access
  • Export scan results as SBOM and verify binary components include PURL identifiers derived from build-ID mapping
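The offline build-ID lookup that the first and fifth test-plan items exercise, shown as an added Python illustration (written for this page, not the project's C# implementation): it walks an ELF note blob for the NT_GNU_BUILD_ID note, then resolves the hex build-ID against an in-memory index with no network access. The note layout follows the ELF specification; the build-ID value, the index entry and the class names used here are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

NT_GNU_BUILD_ID = 3  # ELF note type carrying the GNU build-ID (elf.h)

def parse_gnu_build_id(note_bytes: bytes) -> Optional[str]:
    """Walk ELF note records (.note.gnu.build-id / PT_NOTE contents) and
    return the GNU build-ID as lowercase hex, or None if no such note exists.
    Record layout: namesz, descsz, type as three little-endian uint32,
    then name and desc, each padded to a 4-byte boundary."""
    off = 0
    while off + 12 <= len(note_bytes):
        namesz, descsz, ntype = struct.unpack_from("<III", note_bytes, off)
        off += 12
        name = note_bytes[off:off + namesz]
        off += (namesz + 3) & ~3
        desc = note_bytes[off:off + descsz]
        off += (descsz + 3) & ~3
        if ntype == NT_GNU_BUILD_ID and name.rstrip(b"\0") == b"GNU":
            return desc.hex()
    return None

def build_note(name: bytes, ntype: int, desc: bytes) -> bytes:
    """Encode one ELF note record; used here only to construct sample input."""
    name = name + b"\0"
    pad = lambda b: b + b"\0" * ((-len(b)) % 4)
    return struct.pack("<III", len(name), len(desc), ntype) + pad(name) + pad(desc)

@dataclass(frozen=True)
class BuildIdLookupResult:
    build_id: str
    purl: Optional[str]  # None when the index has no entry for this build-ID
    resolved: bool

class OfflineBuildIdIndex:
    """Build-ID -> PURL table held entirely in memory, so lookups are offline."""
    def __init__(self, entries: dict[str, str]):
        self._entries = {k.lower(): v for k, v in entries.items()}
    def lookup(self, build_id: str) -> BuildIdLookupResult:
        purl = self._entries.get(build_id.lower())
        return BuildIdLookupResult(build_id.lower(), purl, purl is not None)

def resolve_purl(note_bytes: bytes, index: OfflineBuildIdIndex) -> BuildIdLookupResult:
    bid = parse_gnu_build_id(note_bytes)
    return index.lookup(bid) if bid else BuildIdLookupResult("", None, False)

# Constructed sample data: an ABI-tag note (type 1) preceding the build-ID note,
# a made-up 20-byte build-ID, and a made-up index entry. Not real values.
SAMPLE_BUILD_ID = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
SAMPLE_NOTES = build_note(b"GNU", 1, b"\0" * 16) + build_note(b"GNU", NT_GNU_BUILD_ID, SAMPLE_BUILD_ID)
SAMPLE_INDEX = OfflineBuildIdIndex({SAMPLE_BUILD_ID.hex(): "pkg:deb/debian/libc6@2.36-9?arch=amd64"})
```

A binary whose build-ID is absent from the index yields `resolved == False` rather than a guessed PURL, which is the case an SBOM export must surface instead of silently dropping the component.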