Quiet Scans Validation (Reachability + VEX + Dedup)

Module

Scanner

VERIFIED

Reachability gates and VEX candidate emission are tested and integrated into the SmartDiff pipeline for quieter scan results.

Reachability Gate Bridge:
- src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/ReachabilityGateBridge.cs - ReachabilityGateBridge integrates reachability gate verdicts into the SmartDiff pipeline to suppress unreachable findings
VEX Candidate Emission:
- src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/VexCandidateEmitter.cs - VexCandidateEmitter generates VEX candidates for findings that can be auto-resolved
- src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/VexCandidateModels.cs - Models for VEX candidate data
- src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/VexEvidence.cs - VEX evidence supporting auto-resolution decisions
SmartDiff Pipeline:
- src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/SmartDiffPredicate.cs - SmartDiffPredicate applies reachability and VEX filters for quieter results
- src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/Repositories.cs - Repository interfaces for SmartDiff detection data

Scan an image with vulnerabilities in unreachable code paths and verify findings are suppressed by reachability gates
Verify VEX candidate emission generates auto-resolution candidates for backported patches
Verify the SmartDiff pipeline deduplicates findings that appear in both old and new scan results
Verify the combination of reachability gates + VEX candidates + deduplication produces significantly fewer actionable findings
Verify suppressed findings are still accessible with their suppression reason when queried explicitly