stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save progress

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-20 12:15:16 +02:00
parent 439f10966b
commit 0ada1b583f
95 changed files with 12400 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
docs/moat.md
View File

@@ -103,6 +103,22 @@ rekor: { entries: ["<uuid>", ...] } # optional (offline allowed)
Turn VEX merging and severity logic into **programmable, testable algebra** with explainability.
### Trust Algebra Foundation (Implemented 2025-12)
The lattice engine uses **Belnap K4 four-valued logic** to aggregate heterogeneous security claims:
* **K4 Values**: Unknown (⊥), True (T), False (F), Conflict ()
* **Security Atoms**: Six orthogonal propositions per Subject:
- PRESENT: component instance exists in artifact
- APPLIES: vulnerability applies to component (version match)
- REACHABLE: vulnerable code reachable from entrypoint
- MITIGATED: controls prevent exploitation
- FIXED: remediation applied
- MISATTRIBUTED: false positive indicator
* **Claim Resolution**: Multiple VEX sources (CycloneDX, OpenVEX, CSAF) normalized to atoms, aggregated with conflict detection, then disposition selected via priority rules.
* **Implementation**: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/` (110 tests passing)
### Model
* **Domain:** partial order over vulnerability states: