git.stella-ops.org/docs/features/unchecked/scanner/surface-aware-reachability-analysis-with-confidence-tiers.md

# Surface-Aware Reachability Analysis with Confidence Tiers

| Module | Status |
| --- | --- |
| Scanner | IMPLEMENTED |

## Description

Reachability analysis that factors in attack surface boundaries (HTTP, gRPC, internal) and classifies findings into confidence tiers (Confirmed, Likely, Present, Unreachable). Boundary proofs are extracted in a structured way from multiple sources: the rich dependency graph, API gateway configuration, Kubernetes NetworkPolicy resources, and Infrastructure-as-Code definitions.

## Implementation Details

- Surface-Aware Analyzer:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Surfaces/SurfaceAwareReachabilityAnalyzer.cs` - `SurfaceAwareReachabilityAnalyzer`, combining reachability analysis with attack surface boundary information for confidence-tiered classification
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Surfaces/ReachabilityConfidenceTier.cs` - `ReachabilityConfidenceTier` enum (Confirmed, Likely, Present, Unreachable)
- Boundary Proof Extractors:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/IBoundaryProofExtractor.cs` - interface for extracting boundary proofs from different sources
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/CompositeBoundaryExtractor.cs` - `CompositeBoundaryExtractor`, aggregating proofs from multiple boundary sources
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/RichGraphBoundaryExtractor.cs` - `RichGraphBoundaryExtractor`, extracting boundaries from rich dependency graphs
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/GatewayBoundaryExtractor.cs` - `GatewayBoundaryExtractor`, extracting boundaries from API gateway configurations
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/K8sBoundaryExtractor.cs` - `K8sBoundaryExtractor`, extracting boundaries from Kubernetes NetworkPolicy resources
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/IacBoundaryExtractor.cs` - `IacBoundaryExtractor`, extracting boundaries from Infrastructure-as-Code definitions
- Semantic Extensions:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/RichGraphSemanticExtensions.cs` - semantic extension methods for rich graph boundary analysis
- DI Registration:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/BoundaryServiceCollectionExtensions.cs` - DI registration for boundary extractors

## E2E Test Plan

- Analyze a vulnerability with function-level reachability and HTTP boundary exposure and verify it is classified in the "Confirmed" confidence tier
- Verify a vulnerability reachable in code but behind an API gateway with authentication is classified as "Likely" rather than "Confirmed"
- Verify a vulnerability present in the SBOM but not reachable in the call graph is classified as "Present"
- Verify boundary proofs from Kubernetes NetworkPolicy correctly restrict the attack surface assessment
- Verify the `CompositeBoundaryExtractor` aggregates proofs from rich graph, gateway, K8s, and IaC sources into a unified boundary assessment
- Verify confidence tier classification is deterministic for the same inputs
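The description and the test plan above together imply a small decision procedure: merge boundary proofs from several sources for each entry point, then map call-graph reachability plus the merged exposure onto the four tiers. The following is an added illustration of that procedure, not code from the StellaOps repository: the record shapes, the merge rule (a surface counts as exposed only if no source denies it, and as authenticated if any source enforces auth), and the exact tier rules (in particular that "Unreachable" means a call path exists but every proof shows the entry point is not externally reachable, and that an entry point with no proof at all stays at "Likely") are assumptions made for the example.

```csharp
// Added example for this page, not StellaOps code. Every type, name and the
// merge/tier rules below are assumptions that illustrate the approach only.
using System;
using System.Collections.Generic;
using System.Linq;

public enum ReachabilityConfidenceTier { Confirmed, Likely, Present, Unreachable }

// Ordered from most to least externally exposed; Merge() keeps the minimum.
public enum SurfaceKind { Http = 0, Grpc = 1, Internal = 2 }

// One proof about one entry point as a single source sees it
// (rich graph, gateway config, K8s NetworkPolicy, IaC). Assumed shape.
public sealed record BoundaryProof(
    string EntryPoint, SurfaceKind Surface, bool ExternallyExposed, bool RequiresAuth, string Source);

// Call-graph evidence for one finding: the path from an entry point (first
// element) to the vulnerable function (last element); empty when no path exists.
public sealed record ReachabilityEvidence(string VulnerableFunction, IReadOnlyList<string> CallPath);

public static class CompositeBoundaryMerge
{
    // Combine proofs per entry point conservatively: the surface is exposed only if
    // no source denies it (a NetworkPolicy blocking ingress overrides a gateway
    // route), and is authenticated if any source enforces auth. Sorting by entry
    // point and source first keeps the result deterministic for any input order.
    public static IReadOnlyDictionary<string, BoundaryProof> Merge(IEnumerable<BoundaryProof> proofs) =>
        proofs
            .OrderBy(p => p.EntryPoint, StringComparer.Ordinal)
            .ThenBy(p => p.Source, StringComparer.Ordinal)
            .GroupBy(p => p.EntryPoint)
            .ToDictionary(
                g => g.Key,
                g => new BoundaryProof(
                    g.Key,
                    g.Min(p => p.Surface),
                    g.All(p => p.ExternallyExposed),
                    g.Any(p => p.RequiresAuth),
                    string.Join("+", g.Select(p => p.Source))),
                StringComparer.Ordinal);
}

public static class SurfaceAwareClassifier
{
    public static ReachabilityConfidenceTier Classify(
        ReachabilityEvidence evidence, IEnumerable<BoundaryProof> proofs)
    {
        // No path in the call graph: the vulnerable component is merely present.
        if (evidence.CallPath.Count == 0)
            return ReachabilityConfidenceTier.Present;

        var entry = evidence.CallPath[0];
        var merged = CompositeBoundaryMerge.Merge(proofs);

        // Reachable in code but no boundary proof for its entry point: exposure
        // cannot be ruled in or out, so do not drop below Likely (assumption).
        if (!merged.TryGetValue(entry, out var boundary))
            return ReachabilityConfidenceTier.Likely;

        // Merged proofs show the entry point is not reachable from any external surface.
        if (!boundary.ExternallyExposed || boundary.Surface == SurfaceKind.Internal)
            return ReachabilityConfidenceTier.Unreachable;

        // Exposed on HTTP/gRPC: authentication in front of it demotes Confirmed to Likely.
        return boundary.RequiresAuth
            ? ReachabilityConfidenceTier.Likely
            : ReachabilityConfidenceTier.Confirmed;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed scenario: the route /api/upload reaches a vulnerable archive
        // parser. The gateway config reports the route as public and unauthenticated.
        var path = new[] { "/api/upload", "UploadController.Post", "ArchiveLib.Extract" };
        var evidence = new ReachabilityEvidence("ArchiveLib.Extract", path);

        var gatewayOnly = new[]
        {
            // EntryPoint, Surface, ExternallyExposed, RequiresAuth, Source
            new BoundaryProof("/api/upload", SurfaceKind.Http, true, false, "gateway"),
        };
        // A NetworkPolicy proof denying ingress to the pod, merged with the gateway proof.
        var withNetPol = gatewayOnly.Append(
            new BoundaryProof("/api/upload", SurfaceKind.Http, false, false, "k8s-networkpolicy"));
        // An IaC proof showing the route sits behind authentication.
        var withAuth = gatewayOnly.Append(
            new BoundaryProof("/api/upload", SurfaceKind.Http, true, true, "iac"));

        Console.WriteLine(SurfaceAwareClassifier.Classify(evidence, gatewayOnly));
        Console.WriteLine(SurfaceAwareClassifier.Classify(evidence, withNetPol));
        Console.WriteLine(SurfaceAwareClassifier.Classify(evidence, withAuth));
        Console.WriteLine(SurfaceAwareClassifier.Classify(
            new ReachabilityEvidence("ArchiveLib.Extract", Array.Empty<string>()), gatewayOnly));
    }
}
```

The four calls in `Main` mirror the first three test-plan cases plus the NetworkPolicy restriction: gateway exposure alone, gateway exposure overridden by a NetworkPolicy, gateway exposure behind authentication, and a component with no call path. The ordinal sort inside `Merge` is what makes the last test-plan item (determinism for identical inputs) hold even when extractors deliver proofs in different orders.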