new advisories work and features gaps work

2026-01-14 18:39:19 +02:00
parent 95d5898650
commit 15aeac8e8b
148 changed files with 16731 additions and 554 deletions
--- a/policies/path-gates-advanced.yaml
+++ b/policies/path-gates-advanced.yaml
@@ -0,0 +1,150 @@
+# Path-Level Reachability Gates Policy
+# Sprint: SPRINT_20260112_007_POLICY_path_gate_inputs (PW-POL-003)
+#
+# Demonstrates path-level gates using pathHash, nodeHashes, and runtime freshness.
+# Requires scanner path witness evidence with node hash fields.
+
+apiVersion: policy.stellaops.io/v1
+kind: PolicyPack
+metadata:
+  name: path-gates-advanced
+  version: 1.0.0
+  description: |
+    Advanced policy pack demonstrating path-level reachability gates.
+    Uses pathHash, nodeHashes, and runtime evidence freshness for fine-grained control.
+    Sprint: SPRINT_20260112_007_POLICY_path_gate_inputs
+
+spec:
+  settings:
+    defaultAction: warn
+    requirePathWitness: true
+    runtimeFreshnessMaxHours: 24
+    trustedEntrypoints:
+      - "main"
+      - "api.handler"
+      - "web.controller"
+
+  rules:
+    # Block if a specific vulnerable path is reachable and confirmed at runtime
+    - name: block-runtime-confirmed-path
+      description: "Block paths confirmed reachable at runtime with CRITICAL vulns"
+      priority: 100
+      match:
+        severity: CRITICAL
+        reachability:
+          status: reachable
+          observedAtRuntime: true
+      action: block
+      message: "Runtime-confirmed reachable path to CRITICAL {cve} via {pathHash}"
+
+    # Require fresh runtime evidence for high-severity findings
+    - name: require-fresh-runtime-evidence
+      description: "Require runtime evidence younger than threshold for HIGH vulns"
+      priority: 95
+      match:
+        severity: HIGH
+        reachability:
+          status: reachable
+          pathHash:
+            exists: true
+          runtimeEvidenceAge:
+            gt: ${settings.runtimeFreshnessMaxHours}h
+      action: warn
+      message: "Runtime evidence for {cve} is stale ({runtimeEvidenceAge} hours old)"
+
+    # Allow paths with trusted entry nodes
+    - name: allow-trusted-entrypoints
+      description: "Allow paths starting from trusted entrypoints"
+      priority: 90
+      match:
+        severity:
+          - MEDIUM
+          - LOW
+        reachability:
+          status: reachable
+          entryNodeHash:
+            in: ${settings.trustedEntrypoints}
+      action: allow
+      log: true
+      message: "Vulnerability {cve} reachable from trusted entrypoint - allowed"
+
+    # Block paths with specific node hashes in critical code areas
+    - name: block-critical-node-paths
+      description: "Block paths through critical code nodes"
+      priority: 85
+      match:
+        severity:
+          - CRITICAL
+          - HIGH
+        reachability:
+          nodeHashes:
+            contains_any:
+              - ${critical.authentication_handler}
+              - ${critical.payment_processor}
+              - ${critical.data_exporter}
+      action: block
+      message: "Vulnerability {cve} path traverses critical node {matchedNodeHash}"
+
+    # Warn if path witness is missing for reachable findings
+    - name: warn-missing-path-witness
+      description: "Warn when reachable finding lacks path witness"
+      priority: 80
+      match:
+        severity:
+          - CRITICAL
+          - HIGH
+          - MEDIUM
+        reachability:
+          status: reachable
+          pathHash:
+            exists: false
+      action: warn
+      message: "Reachable {cve} lacks path witness - reanalysis recommended"
+
+    # Aggregate gate: block if too many runtime-confirmed paths
+    - name: fail-on-runtime-confirmed-count
+      description: "Block deployment if too many runtime-confirmed vulns"
+      priority: 75
+      type: aggregate
+      match:
+        runtimeConfirmedCount:
+          gt: 5
+      action: block
+      message: "Too many runtime-confirmed vulnerabilities ({runtimeConfirmedCount} > 5)"
+
+    # Allow paths not observed at runtime with reduced confidence
+    - name: allow-static-only-paths
+      description: "Allow static-only reachable paths with warning"
+      priority: 70
+      match:
+        severity:
+          - HIGH
+          - MEDIUM
+        reachability:
+          status: reachable
+          observedAtRuntime: false
+          confidence:
+            lt: 0.7
+      action: warn
+      message: "Static-only path to {cve} (confidence {confidence}) - review recommended"
+
+    # Path hash pinning: allow specific known-safe paths
+    - name: allow-pinned-safe-paths
+      description: "Allow paths matching known-safe path hashes"
+      priority: 65
+      match:
+        reachability:
+          pathHash:
+            in: ${known_safe_paths}
+      action: allow
+      message: "Path {pathHash} matches known-safe path - allowed"
+
+  # Variables for path hash references
+  variables:
+    critical:
+      authentication_handler: "sha256:auth-handler-node-hash"
+      payment_processor: "sha256:payment-proc-node-hash"
+      data_exporter: "sha256:data-export-node-hash"
+    known_safe_paths:
+      - "sha256:validated-path-1"
+      - "sha256:validated-path-2"