# SBOM Dependency Reachability Inference (Scanner-Integrated)

## Module

Scanner

## Status

IMPLEMENTED

## Description

Scanner pipeline stage that infers reachability for SBOM components by combining dependency graph analysis with reach-graph call-graph data, producing dependency-level reachability reports that include conditional analysis (components reachable only under specific feature configurations). It is distinct from the "Reachability Core Library" and "Call Graph Construction" features, which operate on function-level call graphs: this stage performs SBOM-component-level dependency reachability inference.

## Implementation Details

- **Scanner Pipeline Stage**:
  - `src/Scanner/StellaOps.Scanner.Worker/Processing/Reachability/SbomReachabilityStageExecutor.cs` - `SbomReachabilityStageExecutor` scanner pipeline stage that orchestrates SBOM-level dependency reachability inference
- **Dependency Graph Analysis**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/DependencyGraphBuilder.cs` - `DependencyGraphBuilder` constructs dependency graphs from SBOM components
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/StaticReachabilityAnalyzer.cs` - `StaticReachabilityAnalyzer` performs static reachability analysis on the dependency graph
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ConditionalReachabilityAnalyzer.cs` - `ConditionalReachabilityAnalyzer` performs conditional reachability analysis (e.g., a component is only reachable if certain features are enabled)
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/EntryPointDetector.cs` - `EntryPointDetector` identifies entry points in the dependency graph
- **Reach-Graph Integration**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachGraphReachabilityCombiner.cs` - `ReachGraphReachabilityCombiner` combines reach-graph call-graph data with dependency-level analysis
- **Reporting**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/Reporting/DependencyReachabilityReport.cs` - `DependencyReachabilityReport` model for component-level reachability results
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/Reporting/DependencyReachabilityReporter.cs` - `DependencyReachabilityReporter` generates human-readable reports from reachability analysis
- **Policy & Filtering**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachabilityPolicy.cs` - `ReachabilityPolicy` defining rules for reachability classification
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachabilityPolicyLoader.cs` - Loads reachability policies from configuration
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/VulnerabilityReachabilityFilter.cs` - `VulnerabilityReachabilityFilter` filters vulnerability findings based on reachability status
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/ReachabilityReportBuilder.cs` - Builds structured reachability reports
- **Models**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Dependencies/DependencyReachabilityModels.cs` - Data models for dependency reachability analysis
- **Tests**:
  - `src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/DependencyReachabilityReporterTests.cs` - Unit tests for reporting
  - `src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/DependencyReachabilityIntegrationTests.cs` - Integration tests for the full pipeline
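
To make the stage's logic concrete, the following is an added, self-contained C# illustration of component-level reachability inference: a dependency graph built from SBOM components and edges, a walk from the entry points that distinguishes unconditional from feature-gated edges, promotion of a conditional result by function-level reach-graph evidence, and a filter that partitions vulnerability findings by the resulting status. It is not StellaOps code and does not use the project's types: the `Component`/`Edge`/`Result`/`Finding` records, the `Condition` feature-flag model on edges, the `Policy` knob, the purls and the finding ids are all assumptions constructed for the example; the real `DependencyGraphBuilder`, analyzers and models differ.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not StellaOps code: every type and name here is hypothetical.
enum Reachability { Reachable, Conditional, Unreachable }   // ordered strongest to weakest

record Component(string Purl);
// A dependency edge. Condition is null for an unconditional dependency, otherwise the
// name of a feature flag that must be on for the dependency to be loaded (assumed model).
record Edge(string From, string To, string? Condition = null);
record Result(string Purl, Reachability Status, IReadOnlyList<string> Evidence);
record Finding(string Id, string Purl);                      // constructed ids, not real CVEs
// Policy knob (assumed): a gated edge whose flag state is unknown is treated as
// traversable-but-conditional (fail closed) instead of being dropped from the walk.
record Policy(bool UnknownConditionAsConditional = true);

static class DependencyReachability
{
    // Breadth-first walk from the entry points. Reachable: some path uses only
    // unconditional edges or edges whose flag is known on. Conditional: every path
    // crosses a gate of unknown state. Unreachable: no path at all. Function-level
    // reach-graph evidence for a component promotes Conditional to Reachable.
    public static Dictionary<string, Result> Infer(IEnumerable<Component> components,
        IEnumerable<Edge> edges, IEnumerable<string> entryPoints,
        IReadOnlyDictionary<string, bool> featureFlags, ISet<string> reachGraphHits, Policy policy)
    {
        var adjacency = edges.GroupBy(e => e.From).ToDictionary(g => g.Key, g => g.ToList());
        var best = new Dictionary<string, (Reachability Status, List<string> Path)>();
        var queue = new Queue<(string Purl, Reachability Status, List<string> Path)>();
        foreach (var ep in entryPoints)
            queue.Enqueue((ep, Reachability.Reachable, new List<string> { $"entry-point:{ep}" }));

        while (queue.Count > 0)
        {
            var (purl, status, path) = queue.Dequeue();
            if (best.TryGetValue(purl, out var seen) && seen.Status <= status) continue; // no stronger path
            best[purl] = (status, path);
            if (!adjacency.TryGetValue(purl, out var outgoing)) continue;
            foreach (var edge in outgoing)
            {
                var next = status;
                var step = $"{edge.From} -> {edge.To}";
                if (edge.Condition is not null)
                {
                    if (featureFlags.TryGetValue(edge.Condition, out var on))
                    {
                        if (!on) continue;                          // known off: not traversable
                        step += $" [{edge.Condition}=on]";
                    }
                    else if (policy.UnknownConditionAsConditional)
                    {
                        next = Reachability.Conditional;            // unknown: keep, but mark it
                        step += $" [only if {edge.Condition}]";
                    }
                    else continue;
                }
                queue.Enqueue((edge.To, next, new List<string>(path) { step }));
            }
        }

        var results = new Dictionary<string, Result>();
        foreach (var c in components)
        {
            if (!best.TryGetValue(c.Purl, out var r))
            {
                results[c.Purl] = new Result(c.Purl, Reachability.Unreachable,
                    new[] { "no dependency path from any entry point" });
                continue;
            }
            var (status, evidence) = (r.Status, new List<string>(r.Path));
            if (status == Reachability.Conditional && reachGraphHits.Contains(c.Purl))
            {
                status = Reachability.Reachable;   // call-graph evidence outranks the static guess
                evidence.Add("reach-graph: a function in this component is reached");
            }
            results[c.Purl] = new Result(c.Purl, status, evidence);
        }
        return results;
    }

    // Partitions findings instead of deleting suppressed ones, so the suppression is auditable.
    // A finding on a component the SBOM graph does not know about stays actionable.
    public static (List<Finding> Actionable, List<Finding> Suppressed) Filter(
        IEnumerable<Finding> findings, IReadOnlyDictionary<string, Result> results)
    {
        var actionable = new List<Finding>();
        var suppressed = new List<Finding>();
        foreach (var f in findings)
        {
            var unreachable = results.TryGetValue(f.Purl, out var r) && r.Status == Reachability.Unreachable;
            (unreachable ? suppressed : actionable).Add(f);
        }
        return (actionable, suppressed);
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample SBOM: an app, its dependency tree, one feature-gated branch,
        // and an orphan component that is listed but nothing depends on.
        string app = "pkg:npm/app@1.0.0", http = "pkg:npm/lib-http@2.1.0", json = "pkg:npm/lib-json@1.4.0",
               metrics = "pkg:npm/lib-metrics@0.9.0", compress = "pkg:npm/lib-compress@3.0.0",
               legacy = "pkg:npm/lib-legacy@0.1.0";
        var components = new[] { app, http, json, metrics, compress, legacy }.Select(p => new Component(p));
        var edges = new[] {
            new Edge(app, http), new Edge(http, json),
            new Edge(app, metrics, Condition: "telemetry"), new Edge(metrics, compress) };
        var flags = new Dictionary<string, bool>();              // telemetry flag state unknown
        var hits = new HashSet<string> { compress };             // reach-graph saw lib-compress code run
        var results = DependencyReachability.Infer(components, edges, new[] { app }, flags, hits, new Policy());
        foreach (var r in results.Values)
            Console.WriteLine($"{r.Status,-12} {r.Purl}\n    {string.Join("\n    ", r.Evidence)}");

        var findings = new[] { new Finding("FINDING-A", json), new Finding("FINDING-B", metrics), new Finding("FINDING-C", legacy) };
        var (actionable, suppressed) = DependencyReachability.Filter(findings, results);
        Console.WriteLine($"actionable: {string.Join(", ", actionable.Select(f => f.Id))}");   // FINDING-A, FINDING-B
        Console.WriteLine($"suppressed: {string.Join(", ", suppressed.Select(f => f.Id))}");   // FINDING-C
    }
}
```

Two design choices in the example are the ones a practitioner should check in any real filter of this kind: an unknown feature-flag state fails closed (the component is kept as Conditional rather than dropped), and suppressed findings are returned alongside their evidence chain rather than discarded, because "no static dependency path" is not the same as "not loadable" (reflection, plugin loading and dynamic imports are invisible to a dependency graph) and the suppression must remain reviewable.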

## E2E Test Plan

- [ ] Run the `SbomReachabilityStageExecutor` on an SBOM with a known dependency graph and verify each component receives a reachability classification
- [ ] Verify the `ConditionalReachabilityAnalyzer` correctly identifies dependencies that are only reachable under specific feature configurations
- [ ] Verify the `ReachGraphReachabilityCombiner` augments dependency-level analysis with function-level call-graph evidence from the reach-graph
- [ ] Verify the `DependencyReachabilityReport` includes per-component reachability status, evidence chain, and confidence scores
- [ ] Verify the `VulnerabilityReachabilityFilter` suppresses vulnerability findings for unreachable dependencies and leaves findings for reachable and conditionally reachable dependencies in place
- [ ] Verify the stage executor integrates into the scanner worker pipeline and passes results to downstream stages