stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/scanner/multi-language-call-graph-extractors-and-analyzers.md

4.7 KiB
Raw Blame History

Multi-Language Call Graph Extractors and Analyzers (.NET, Go, Java, JS, Python, Ruby, PHP, Bun, Deno)

Module

Scanner

Status

IMPLEMENTED

Description

Call graph extractors for .NET, Go, Java, JavaScript, Python, Ruby, PHP, Bun, and Deno. .NET has dedicated language analyzer with entrypoint resolver and capability scanner. Includes capability scanning, sink matching, and binary call graph extraction.

Implementation Details

  • Extractor Framework:
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/ICallGraphExtractor.cs - ICallGraphExtractor interface for language-specific call graph extraction
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/ICallGraphExtractorRegistry.cs - ICallGraphExtractorRegistry for registering and resolving extractors by language
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/CallGraphExtractorRegistry.cs - Registry implementation
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/GuardDetector.cs - Detects security guards (auth, admin, feature flags) in call paths
  • Per-Language Extractors (each with extractor, entrypoint classifier, and sink matcher):
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/DotNet/DotNetCallGraphExtractor.cs - .NET call graph via Cecil IL analysis
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Go/GoCallGraphExtractor.cs - Go call graph via SSA analysis
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Java/JavaCallGraphExtractor.cs - Java call graph via bytecode analysis
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/JavaScript/JavaScriptCallGraphExtractor.cs - JavaScript call graph
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Node/NodeCallGraphExtractor.cs - Node.js call graph with Babel parsing
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Python/PythonCallGraphExtractor.cs - Python call graph via AST
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Ruby/RubyCallGraphExtractor.cs - Ruby call graph
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Php/PhpCallGraphExtractor.cs - PHP call graph
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Bun/BunCallGraphExtractor.cs - Bun call graph
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Deno/DenoCallGraphExtractor.cs - Deno call graph
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/BinaryCallGraphExtractor.cs - Binary (ELF/PE) call graph via disassembly
  • Sink Matchers (per-language):
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Go/GoSinkMatcher.cs, Java/JavaSinkMatcher.cs, JavaScript/JsSinkMatcher.cs, Python/PythonSinkMatcher.cs, Ruby/RubySinkMatcher.cs, Php/PhpSinkMatcher.cs, Bun/BunSinkMatcher.cs, Deno/DenoSinkMatcher.cs
  • Entrypoint Classifiers (per-language):
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Go/GoEntrypointClassifier.cs, Java/JavaEntrypointClassifier.cs, JavaScript/JsEntrypointClassifier.cs, Python/PythonEntrypointClassifier.cs, Ruby/RubyEntrypointClassifier.cs, Php/PhpEntrypointClassifier.cs, Bun/BunEntrypointClassifier.cs, Deno/DenoEntrypointClassifier.cs, Binary/BinaryEntrypointClassifier.cs
  • Reachability Analysis:
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Analysis/ReachabilityAnalyzer.cs - ReachabilityAnalyzer determines reachability from entrypoints to vulnerable sinks
  • Caching:
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Caching/ICallGraphCacheService.cs - Cache interface for call graph results
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Caching/ValkeyCallGraphCacheService.cs - Valkey-backed cache for call graph data

E2E Test Plan

  • Scan a multi-language container image and verify call graphs are extracted for each detected language runtime
  • Verify .NET call graph extraction identifies entrypoints (controllers, Main) and traces calls to vulnerable methods
  • Verify Go call graph extraction uses SSA analysis to resolve interface dispatch targets
  • Verify Java call graph extraction analyzes bytecode to extract method call relationships
  • Verify sink matchers correctly identify known dangerous functions (e.g., Runtime.exec, eval, os.system) in each language
  • Verify entrypoint classifiers correctly identify web handlers, CLI entry points, and background workers
  • Verify the reachability analyzer produces reachability verdicts by tracing paths from entrypoints through call graphs to vulnerable sinks
  • Verify call graph caching avoids re-extraction on rescan of unchanged layers