git.stella-ops.org/docs/features/unchecked/scanner/reachability-subgraph-extraction-and-proof-of-exposure.md
# Reachability Subgraph Extraction and Proof of Exposure

**Module:** Scanner

**Status:** IMPLEMENTED

## Description

Full subgraph extraction for reachability proofs, with witness tracking, explanation generation, and proof spine building.

## Implementation Details

- Subgraph Extraction:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Subgraph/ReachabilitySubgraphExtractor.cs` - `ReachabilitySubgraphExtractor` extracts full subgraphs for reachability proofs, including all nodes and edges on paths from entrypoints to vulnerable sinks
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/SubgraphExtractor.cs` - Base subgraph extraction logic
- Witness Tracking:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitness.cs` - `PathWitness` records witnessed reachability paths
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeObservation.cs` - `RuntimeObservation` records runtime-observed call events with stack samples
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/IRuntimeWitnessGenerator.cs` - Interface for generating runtime witnesses
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeWitnessRequest.cs` - Request model for witness generation
- Attestation:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/ReachabilitySubgraphPublisher.cs` - Publishes proof-of-exposure subgraphs as attestations
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/ReachabilityWitnessPublisher.cs` - Publishes witness records as attestations
- Resolver:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/IReachabilityResolver.cs` - Interface for resolving reachability queries
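The core idea behind the extractor above is that a node belongs to the proof-of-exposure subgraph only if it is both forward-reachable from an entrypoint and backward-reachable from the vulnerable sink; every edge between two such nodes then lies on some entrypoint-to-sink path. The following is an added example written for this page, not code from `StellaOps.Scanner.Reachability`: it builds a small constructed call graph, extracts the subgraph for one sink, carries gate annotations (`auth`, `admin-only`) onto the intermediate nodes, and records the shortest path as a witness with a human-readable explanation. All function and node names are hypothetical.

```python
"""Reachability subgraph extraction with gate annotations and a path witness.

Added illustrative example; not the project's implementation. The call
graph, gate labels and node names below are constructed for the demo.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class CallGraph:
    edges: list            # list of (caller, callee) pairs, in discovery order
    gates: dict            # node -> set of gate labels, e.g. {"auth", "admin-only"}

    def successors(self, node):
        return [dst for src, dst in self.edges if src == node]

    def predecessors(self, node):
        return [src for src, dst in self.edges if dst == node]


@dataclass
class Subgraph:
    sink: str
    nodes: list            # sorted for deterministic output
    edges: list            # sorted (src, dst) pairs between subgraph nodes
    gates: dict = field(default_factory=dict)   # node -> sorted gate labels


@dataclass
class PathWitness:
    entrypoint: str
    sink: str
    path: list             # entrypoint ... sink, inclusive
    gates_on_path: dict    # node -> sorted gate labels for nodes on the path

    def explain(self):
        """Human-readable description of the exposure path."""
        hops = " -> ".join(self.path)
        gate_text = ", ".join(f"{n}[{','.join(g)}]" for n, g in self.gates_on_path.items())
        gate_text = gate_text or "none"
        return (f"{self.sink} is reachable from {self.entrypoint} in "
                f"{len(self.path) - 1} calls: {hops}; gates on path: {gate_text}")


def _closure(neighbors, start):
    """Breadth-first closure of `start` under the `neighbors` relation."""
    seen = set(start)
    queue = deque(start)
    while queue:
        node = queue.popleft()
        for nxt in neighbors(node):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def extract_subgraph(graph, entrypoints, sink):
    """Nodes/edges on any path from an entrypoint to `sink`.

    A node is kept only if it is reachable from an entrypoint AND can reach
    the sink. An edge between two kept nodes is always on a full path, so no
    separate edge filtering beyond endpoint membership is needed. An
    unreachable sink yields an empty subgraph rather than an error.
    """
    forward = _closure(graph.successors, set(entrypoints))
    backward = _closure(graph.predecessors, {sink})
    nodes = forward & backward
    edges = sorted((s, d) for s, d in graph.edges if s in nodes and d in nodes)
    gates = {n: sorted(graph.gates[n]) for n in sorted(nodes) if graph.gates.get(n)}
    return Subgraph(sink=sink, nodes=sorted(nodes), edges=edges, gates=gates)


def find_witness(graph, entrypoints, sink):
    """Shortest entrypoint-to-sink path (BFS), or None if the sink is unreachable."""
    parent = {e: None for e in entrypoints}
    queue = deque(entrypoints)
    while queue:
        node = queue.popleft()
        if node == sink:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            path.reverse()
            gates = {n: sorted(graph.gates[n]) for n in path if graph.gates.get(n)}
            return PathWitness(path[0], sink, path, gates)
        for nxt in graph.successors(node):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def build_sample_graph():
    """Constructed call graph: an HTTP entrypoint, two routes (one admin-gated)
    feeding a parser that calls the sink, plus unrelated logging code and a
    cron caller that is not an entrypoint."""
    edges = [
        ("http_main", "route_upload"),
        ("route_upload", "parse_manifest"),
        ("parse_manifest", "yaml_load"),        # yaml_load is the vulnerable sink
        ("http_main", "route_admin"),
        ("route_admin", "parse_manifest"),
        ("http_main", "log_request"),
        ("log_request", "format_line"),
        ("cron_tick", "parse_manifest"),        # reaches the sink but is not an entrypoint
    ]
    gates = {"route_admin": {"auth", "admin-only"}, "route_upload": {"auth"}}
    return CallGraph(edges, gates)


if __name__ == "__main__":
    g = build_sample_graph()
    print(extract_subgraph(g, {"http_main"}, "yaml_load"))
    print(find_witness(g, ["http_main"], "yaml_load").explain())
```

Running the module prints the five-node subgraph (the logging branch and `cron_tick` are excluded) and an explanation of the shortest path through the `auth`-gated upload route; the admin route appears in the subgraph with its `admin-only` annotation even though the witness does not traverse it.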

## E2E Test Plan

- Extract a subgraph for a specific vulnerability and verify it contains all nodes and edges from entrypoint to vulnerable sink
- Verify witness tracking records runtime-observed call events that confirm reachability
- Verify proof-of-exposure subgraphs are publishable as DSSE-signed attestations
- Verify the subgraph includes gate annotations (auth, admin-only) on intermediate nodes
- Verify explanation generation produces human-readable descriptions of the exposure path
- Verify the reachability resolver correctly queries subgraphs for specific CVE/component pairs
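The test plan requires that subgraphs be publishable as DSSE-signed attestations. The added example below, which is not the project's publisher code, shows the two details a verifier of such attestations depends on: the payload is serialised canonically (sorted keys, no whitespace) so that the same subgraph always produces the same bytes, and the signature covers the DSSE pre-authentication encoding (`DSSEv1 <len> <type> <len> <payload>`) rather than the raw payload, which binds the payload type into the signature. The payload type string is a hypothetical placeholder, and HMAC-SHA256 stands in for the asymmetric signature scheme a real publisher would use, since the standard library has no Ed25519 or ECDSA; the envelope layout (`payloadType`, base64 `payload`, `signatures[].keyid/sig`) follows the DSSE specification.

```python
"""DSSE envelope construction and verification for a proof-of-exposure payload.

Added illustrative example; not StellaOps code. The payload type below is a
placeholder and HMAC-SHA256 is a stand-in for a real signature algorithm.
"""
import base64
import copy
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.example.reachability-subgraph+json"  # hypothetical

# Constructed sample payload: the shape an extractor might emit for one
# vulnerability/component pair. Identifiers are placeholders.
SAMPLE_SUBGRAPH = {
    "vulnerability": "CVE-XXXX-XXXXX (placeholder)",
    "component": "pkg:example/manifest-parser@1.0.0 (placeholder)",
    "sink": "yaml_load",
    "nodes": ["http_main", "parse_manifest", "route_admin", "route_upload", "yaml_load"],
    "edges": [["http_main", "route_upload"], ["route_upload", "parse_manifest"],
              ["parse_manifest", "yaml_load"], ["http_main", "route_admin"],
              ["route_admin", "parse_manifest"]],
    "gates": {"route_admin": ["admin-only", "auth"], "route_upload": ["auth"]},
}


def canonical_json(obj):
    """Deterministic serialisation so equal subgraphs sign to equal bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def pae(payload_type, payload):
    """DSSE pre-authentication encoding (the bytes that actually get signed)."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def _sign(key, message):
    # Stand-in for an asymmetric signature; a real publisher would use e.g. Ed25519.
    return hmac.new(key, message, hashlib.sha256).digest()


def sign_envelope(payload_obj, key, keyid):
    """Wrap `payload_obj` in a DSSE envelope signed over its PAE."""
    payload = canonical_json(payload_obj)
    sig = _sign(key, pae(PAYLOAD_TYPE, payload))
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope, key):
    """Return the decoded payload if any signature verifies, else None.

    Re-deriving the PAE from the envelope's own payloadType means a swapped
    type or a modified payload both fail verification.
    """
    payload = base64.b64decode(envelope["payload"])
    expected = _sign(key, pae(envelope["payloadType"], payload))
    for entry in envelope["signatures"]:
        if hmac.compare_digest(base64.b64decode(entry["sig"]), expected):
            return json.loads(payload)
    return None


def tamper_with_payload(envelope):
    """Constructed negative case: add a node to the signed subgraph."""
    modified = copy.deepcopy(envelope)
    obj = json.loads(base64.b64decode(modified["payload"]))
    obj["nodes"].append("injected_node")
    modified["payload"] = base64.b64encode(canonical_json(obj)).decode()
    return modified


if __name__ == "__main__":
    key = b"constructed-demo-key"
    env = sign_envelope(SAMPLE_SUBGRAPH, key, "demo-key-id")
    print(json.dumps(env, indent=2))
    print("verifies:", verify_envelope(env, key) is not None)
    print("tampered verifies:", verify_envelope(tamper_with_payload(env), key) is not None)
```

The PAE length prefixes are what prevent a signature over one (type, payload) pair from being reinterpreted as a signature over a different split of the same bytes; a verifier that checks the signature over the raw payload alone loses that binding.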