SBOM Dependency Reachability Inference (Scanner-Integrated)

Module: Scanner
Status: IMPLEMENTED

Description

Scanner pipeline stage that infers reachability for SBOM components by combining dependency-graph analysis with reach-graph call-graph data, producing dependency-level reachability reports that include conditional analysis (dependencies reachable only under specific feature configurations). This is distinct from the "Reachability Core Library" and "Call Graph Construction" features, which focus on function-level call graphs: this feature performs SBOM-component-level dependency reachability inference as a scanner stage.
Implementation Details
- Scanner Pipeline Stage:
  - src/Scanner/StellaOps.Scanner.Worker/Processing/Reachability/SbomReachabilityStageExecutor.cs - SbomReachabilityStageExecutor: scanner pipeline stage that orchestrates SBOM-level dependency reachability inference
- Dependency Graph Analysis:
  - src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/DependencyGraphBuilder.cs - DependencyGraphBuilder: constructs dependency graphs from SBOM components
  - src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/StaticReachabilityAnalyzer.cs - StaticReachabilityAnalyzer: performs static reachability analysis on the dependency graph
  - src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ConditionalReachabilityAnalyzer.cs - ConditionalReachabilityAnalyzer: performs conditional reachability analysis (e.g., a dependency is only reachable if certain features are enabled)
  - src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/EntryPointDetector.cs - EntryPointDetector: identifies entry points in the dependency graph
- Reach-Graph Integration:
  - src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachGraphReachabilityCombiner.cs - ReachGraphReachabilityCombiner: combines reach-graph call-graph data with dependency-level analysis
- Reporting:
  - src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/Reporting/DependencyReachabilityReport.cs - DependencyReachabilityReport: model for component-level reachability results
  - src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/Reporting/DependencyReachabilityReporter.cs - DependencyReachabilityReporter: generates human-readable reports from reachability analysis
- Policy & Filtering:
  - src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachabilityPolicy.cs - ReachabilityPolicy: defines rules for reachability classification
  - src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachabilityPolicyLoader.cs - Loads reachability policies from configuration
  - src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/VulnerabilityReachabilityFilter.cs - VulnerabilityReachabilityFilter: filters vulnerability findings based on reachability status
  - src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachabilityReportBuilder.cs - Builds structured reachability reports
- Models:
  - src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/DependencyReachabilityModels.cs - Data models for dependency reachability analysis
- Tests:
  - src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/DependencyReachabilityReporterTests.cs - Unit tests for reporting
  - src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/DependencyReachabilityIntegrationTests.cs - Integration tests for the full pipeline
E2E Test Plan

- Run the SbomReachabilityStageExecutor on an SBOM with a known dependency graph and verify that each component receives a reachability classification
- Verify the ConditionalReachabilityAnalyzer correctly identifies dependencies that are only reachable under specific feature configurations
- Verify the ReachGraphReachabilityCombiner augments dependency-level analysis with function-level call-graph evidence from the reach-graph
- Verify the DependencyReachabilityReport includes per-component reachability status, evidence chain, and confidence scores
- Verify the VulnerabilityReachabilityFilter correctly suppresses vulnerability findings for unreachable dependencies
- Verify the stage executor integrates into the scanner worker pipeline and passes results to downstream stages
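The following is an added, self-contained model of the inference this stage performs and of the behaviours the test plan above checks; it is illustrative Python written for this page, not the project's C# code, and none of its names correspond to the classes listed under Implementation Details. It assumes the SBOM's application-level components are the entry points, that dependency edges may carry a feature flag that gates them, that the reach-graph output can be reduced to "symbols reached per component", and it uses a confidence scale of its own. Purls, reached symbols and vulnerability ids in the sample data are constructed placeholders.

```python
# Illustrative model of SBOM dependency-level reachability inference (constructed example,
# not the project's code): graph -> entry points -> static/conditional BFS -> call-graph
# combination -> per-component report and vulnerability-finding filter.
from collections import deque
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Status(Enum):
    REACHABLE = "reachable"        # path from an entry point over unconditional edges only
    CONDITIONAL = "conditional"    # every path crosses a feature-gated edge
    UNREACHABLE = "unreachable"    # no dependency path from any entry point

@dataclass(frozen=True)
class Component:
    purl: str
    kind: str = "library"          # "application" components are the entry points (assumption)

@dataclass(frozen=True)
class Edge:
    src: str                       # depending component
    dst: str                       # its dependency
    feature: Optional[str] = None  # feature flag that activates the edge; None = always active

@dataclass
class ComponentReport:
    purl: str
    status: Status
    features: frozenset = frozenset()             # flags required (CONDITIONAL only)
    evidence: list = field(default_factory=list)  # human-readable evidence chain
    confidence: float = 0.0

def detect_entry_points(components):
    return [c.purl for c in components if c.kind == "application"]

def analyze_reachability(components, edges):
    """BFS from entry points carrying the feature flags crossed so far; the path needing
    the fewest flags is kept per component (static + conditional analysis in one pass)."""
    graph = {c.purl: [] for c in components}
    for e in edges:
        graph[e.src].append(e)
    best, seen = {}, set()                        # purl -> (features, path); visited states
    queue = deque((r, frozenset(), [r]) for r in detect_entry_points(components))
    while queue:
        node, feats, path = queue.popleft()
        if (node, feats) in seen:                 # also terminates on dependency cycles
            continue
        seen.add((node, feats))
        if node not in best or len(feats) < len(best[node][0]):
            best[node] = (feats, path)
        for e in graph.get(node, []):
            queue.append((e.dst, feats | {e.feature} if e.feature else feats, path + [e.dst]))
    reports = {}
    for c in components:
        if c.purl not in best:
            reports[c.purl] = ComponentReport(c.purl, Status.UNREACHABLE, evidence=["no path from any entry point"])
        else:
            feats, path = best[c.purl]
            reports[c.purl] = ComponentReport(c.purl, Status.CONDITIONAL if feats else Status.REACHABLE,
                                              feats, ["dependency path: " + " -> ".join(path)])
    return reports

def combine_with_call_graph(reports, reached_functions):
    """Augment with reach-graph output (purl -> reached symbols); the confidence scale is this example's."""
    for r in reports.values():
        funcs = reached_functions.get(r.purl, [])
        if funcs:
            r.evidence.append("call-graph reached: " + ", ".join(funcs))
        if r.status is Status.UNREACHABLE and funcs:
            # the SBOM graph missed an edge the call graph saw: stay conservative, upgrade
            r.status, r.confidence = Status.REACHABLE, 0.7
            r.evidence.append("conflict: no SBOM path but call-graph evidence, upgraded")
        elif r.status is Status.UNREACHABLE:
            r.confidence = 0.9
        elif r.status is Status.REACHABLE:
            r.confidence = 0.95 if funcs else 0.6
        else:
            r.confidence = 0.8 if funcs else 0.5
    return reports

def filter_findings(findings, reports):
    """findings: (vuln_id, purl) pairs; suppress only findings on UNREACHABLE components and
    keep findings on components the analysis knows nothing about (never suppress blind)."""
    kept, suppressed = [], []
    for vuln_id, purl in findings:
        r = reports.get(purl)
        (suppressed if r is not None and r.status is Status.UNREACHABLE else kept).append((vuln_id, purl))
    return kept, suppressed

# constructed sample SBOM: placeholder purls, placeholder reached symbols, placeholder vulnerability ids
APP, HTTP, PARSER, DB, POOL, ORPHAN = ("pkg:generic/app@1.0.0", "pkg:generic/http@1.2.0",
    "pkg:generic/parser@0.9.0", "pkg:generic/dbdriver@3.0.0", "pkg:generic/pool@1.0.0",
    "pkg:generic/orphan@1.0.0")
COMPONENTS = [Component(APP, "application")] + [Component(p) for p in (HTTP, PARSER, DB, POOL, ORPHAN)]
EDGES = [Edge(APP, HTTP), Edge(HTTP, PARSER), Edge(APP, DB, feature="database"), Edge(DB, POOL)]
CALL_GRAPH = {HTTP: ["http.Server.listen"]}   # constructed reach-graph output
FINDINGS = [("VULN-PLACEHOLDER-1", PARSER), ("VULN-PLACEHOLDER-2", ORPHAN), ("VULN-PLACEHOLDER-3", POOL)]

def run_stage(components=COMPONENTS, edges=EDGES, call_graph=CALL_GRAPH, findings=FINDINGS):
    """The stage as a whole: analyse, combine, filter; returns (reports, kept, suppressed)."""
    reports = combine_with_call_graph(analyze_reachability(components, edges), call_graph)
    return (reports,) + filter_findings(findings, reports)
```

Calling `run_stage()` on the sample data classifies `http` and `parser` as reachable, `dbdriver` and `pool` as conditional on the `database` feature, and `orphan` as unreachable, so only the finding on `orphan` is suppressed. Two design points matter for a filter that silences findings: a component the analysis has no report for is kept rather than suppressed, and call-graph evidence for a component the SBOM graph cannot reach is treated as a sign of an incomplete SBOM and upgrades the component to reachable instead of being discarded.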