🛑 Problem Statement
The SignalProcessor calculates injection_surface risk, but the core engine currently lacks a spatial correlation between public API routes (arch_api) and database transactions (db_hooks or state_mutation).
Currently, prism.py implements brilliant spatial correlations for RCE Funnels (correlating high_risk_execution with io), but Database Injection relies on flat probabilistic guessing. A file might contain public API routes and database hooks, but if they don't intersect physically or functionally, there is no direct injection funnel, leading to artificially inflated SAST exposure scores.
🎯 Objective
Implement a spatial tracker to deterministically identify when a public-facing API router directly invokes a database query or state mutation within the same execution block. This will mathematically prove the existence of an injection surface and eliminate false positives.
🛠️ Proposed Implementation
- Add Correlation: In
prism.py's coding_analysis loop, implement:
_correlate_signals(targets=spatial_map["arch_api"], dampeners=spatial_map["db_hooks"], max_distance=100)
- Amplifier Logic: If an intersection is detected, increment a new
amplified_sql_injection metric within the structural extraction payload.
- Processor Integration: Feed this deterministic metric into the
injection_surface equation in signal_processor.py to dramatically scale the risk weight only when the physical funnel is proven.
✅ Acceptance Criteria
🛑 Problem Statement
The
SignalProcessorcalculatesinjection_surfacerisk, but the core engine currently lacks a spatial correlation between public API routes (arch_api) and database transactions (db_hooksorstate_mutation).Currently,
prism.pyimplements brilliant spatial correlations for RCE Funnels (correlatinghigh_risk_executionwithio), but Database Injection relies on flat probabilistic guessing. A file might contain public API routes and database hooks, but if they don't intersect physically or functionally, there is no direct injection funnel, leading to artificially inflated SAST exposure scores.🎯 Objective
Implement a spatial tracker to deterministically identify when a public-facing API router directly invokes a database query or state mutation within the same execution block. This will mathematically prove the existence of an injection surface and eliminate false positives.
🛠️ Proposed Implementation
prism.py'scoding_analysisloop, implement:_correlate_signals(targets=spatial_map["arch_api"], dampeners=spatial_map["db_hooks"], max_distance=100)amplified_sql_injectionmetric within the structural extraction payload.injection_surfaceequation insignal_processor.pyto dramatically scale the risk weight only when the physical funnel is proven.✅ Acceptance Criteria
prism.pysuccessfully maps the physical distance between API boundaries and DB hooks.amplified_sql_injectioncorrectly registers when signals intersect within the 100-character threshold.signal_processor.pyweights Injection Surface Risk dynamically based on deterministic proof.