# Dataflow-Aware Diffs (Entrypoint-to-Sink Reachability)

## Module

Scanner

## Status

IMPLEMENTED

## Description

A semantic entrypoint orchestrator that combines dataflow boundary analysis, data boundary mapping, and a service-level security dataflow analyzer to compute entrypoint-to-sink reachability: for each application entrypoint, which sinks (database, filesystem, network, crypto) can be reached by the data that enters there, and how that set of reachable paths changes between scans.

## Implementation Details

- **Semantic Entrypoint Orchestrator**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntrypointOrchestrator.cs` - Orchestrates semantic entrypoint analysis across languages
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ISemanticEntrypointAnalyzer.cs` - Interface for semantic analysis
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntryTraceAnalyzer.cs` - Trace analyzer for dataflow
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntrypoint.cs` - Entrypoint model
- **Data Boundary Analysis**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/DataBoundaryMapper.cs` - Maps data flow boundaries
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/DataFlowBoundary.cs` - Data flow boundary model
- **Capability & Threat Detection**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/CapabilityDetector.cs` - Detects capabilities (network, file, crypto, etc.)
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/ThreatVectorInferrer.cs` - Infers threat vectors from entrypoint-to-sink paths
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/CapabilityClass.cs` - Capability class model
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ThreatVector.cs` - Threat vector model
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ApplicationIntent.cs` - Application intent model
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticConfidence.cs` - Confidence scoring
- **Language Adapters**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/DotNetSemanticAdapter.cs`
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/JavaSemanticAdapter.cs`
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/NodeSemanticAdapter.cs`
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/PythonSemanticAdapter.cs`
  - `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/GoSemanticAdapter.cs`
- **Service Security**: `src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/` - Service-level dataflow security analysis

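The pipeline the components above describe (entrypoints, sinks with capability classes, reachability, threat-vector inference, and a diff of the reachable paths between two versions of the same application), as an added Python illustration. It is not the StellaOps C# implementation and does not call its API; the two graphs, the sink table, the rule table and every function and node name in it are constructed for the example. Data is pushed forward from each entrypoint with a breadth-first search, so cycles terminate, dead code is never reported, and the shortest path to each sink is kept for the report.

```python
"""Entrypoint-to-sink reachability plus a dataflow-aware diff between two
versions of an application.  Added illustration only: the graphs, sink
table and rule table below are constructed and hypothetical, not StellaOps code."""
from collections import deque

# Entrypoints: where untrusted data enters (e.g. HTTP handlers).  Hypothetical names.
ENTRYPOINTS = {"api.search", "api.upload"}

# Sinks mapped to the capability class they exercise (the role a
# CapabilityDetector-style component plays).  Hypothetical names.
SINKS = {
    "db.execute": "database",
    "fs.write": "filesystem",
    "http.fetch": "network",
    "crypto.decrypt": "crypto",
}

# Hypothetical rule table: capability class -> threat vector label.
THREAT_BY_CAPABILITY = {
    "database": "untrusted input reaches a query sink",
    "filesystem": "untrusted input reaches a file write",
    "network": "untrusted input controls an outbound request",
    "crypto": "untrusted input reaches a decryption routine",
}

# Constructed dataflow graphs.  Edge a -> b: data reaching a can reach b.
GRAPH_V1 = {
    "api.search": ["svc.query", "log.info"],
    "svc.query": ["db.execute"],
    "api.upload": ["svc.store"],
    "svc.store": ["fs.write", "svc.store"],      # self-call: a cycle to survive
    "log.info": [],
    "util.fetch_remote": ["http.fetch"],         # present but unreachable in v1
}

# v2 wires util.fetch_remote into the upload path and decrypts before writing.
GRAPH_V2 = {
    "api.search": ["svc.query", "log.info"],
    "svc.query": ["db.execute"],
    "api.upload": ["svc.store"],
    "svc.store": ["util.fetch_remote", "crypto.decrypt"],
    "crypto.decrypt": ["fs.write"],
    "log.info": [],
    "util.fetch_remote": ["http.fetch"],
}


def reachable_sinks(graph, entrypoints, sinks):
    """Return {(entrypoint, sink): shortest path} for every sink reachable
    from each entrypoint.  BFS per entrypoint; the parent map doubles as the
    visited set, so cycles terminate and unreachable code is never reported."""
    found = {}
    for entry in sorted(entrypoints):
        parent = {entry: None}
        queue = deque([entry])
        while queue:
            node = queue.popleft()
            if node in sinks:
                found[(entry, node)] = _walk_back(parent, node)
            for nxt in graph.get(node, []):
                if nxt not in parent:
                    parent[nxt] = node
                    queue.append(nxt)
    return found


def _walk_back(parent, node):
    """Rebuild the entrypoint-to-node path from the BFS parent map."""
    path = []
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]


def capabilities_reached(paths, sinks):
    """Capability classes exercised by at least one reachable path."""
    return sorted({sinks[sink] for (_, sink) in paths})


def infer_threat_vectors(paths, sinks, rules):
    """Attach a threat vector label to every entrypoint-to-sink pair."""
    return {pair: rules[sinks[pair[1]]] for pair in paths}


def dataflow_diff(old_paths, new_paths):
    """Dataflow-aware diff: pairs that became reachable, stopped being
    reachable, or are still reachable but now via a different route."""
    old_keys, new_keys = set(old_paths), set(new_paths)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "rerouted": sorted(k for k in old_keys & new_keys
                           if old_paths[k] != new_paths[k]),
    }


if __name__ == "__main__":
    before = reachable_sinks(GRAPH_V1, ENTRYPOINTS, SINKS)
    after = reachable_sinks(GRAPH_V2, ENTRYPOINTS, SINKS)
    vectors = infer_threat_vectors(after, SINKS, THREAT_BY_CAPABILITY)
    for pair, label in vectors.items():
        print(f"{' -> '.join(after[pair])}: {label}")
    print("capabilities:", capabilities_reached(after, SINKS))
    print("diff:", dataflow_diff(before, after))
```

Running it reports, for the constructed v1 to v2 change, two newly reachable pairs (`api.upload` to `http.fetch` and to `crypto.decrypt`), no removed pairs, and one rerouted pair (`api.upload` to `fs.write`, now via `crypto.decrypt`). The rerouted bucket is the part a plain reachability check misses: the sink was reachable before and after, but the boundary the data crosses on the way changed, which is exactly what a reviewer wants surfaced in a diff.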
## E2E Test Plan

- [ ] Scan a container image with a web application and verify entrypoint-to-sink dataflow paths are detected
- [ ] Verify `DataBoundaryMapper` identifies data flow boundaries (e.g., user input -> database, network -> filesystem)
- [ ] Verify `CapabilityDetector` identifies application capabilities (network access, file I/O, crypto usage)
- [ ] Verify `ThreatVectorInferrer` infers threat vectors from detected dataflow paths
- [ ] Verify language-specific semantic adapters work for .NET, Java, Node.js, Python, and Go applications
- [ ] Verify dataflow-aware diff results appear in the scan report