doctor enhancements, setup, enhancements, ui functionality and design consolidation and , test projects fixes , product advisory attestation/rekor and delta verfications enhancements

2026-01-19 09:02:59 +02:00
parent 8c4bf54aed
commit 17419ba7c4
809 changed files with 170738 additions and 12244 deletions
--- a/docs/modules/policy/gates/reachable-cve.md
+++ b/docs/modules/policy/gates/reachable-cve.md
@@ -0,0 +1,104 @@
+# Reachable CVE Gate
+
+**Gate ID:** `reachable-cve`
+
+Blocks only CVEs with confirmed reachable code paths from application entry points. This gate leverages Stella's reachability analysis to distinguish exploitable vulnerabilities from those in unreachable code.
+
+## How It Works
+
+1. Evaluates CVE findings against reachability analysis results
+2. Filters to only reachable CVEs (code path exists from entry point to vulnerable function)
+3. Applies severity threshold to reachable CVEs
+4. Blocks if reachable CVEs exceed severity threshold
+
+## Configuration
+
+```json
+{
+  "Policy": {
+    "Gates": {
+      "ReachableCve": {
+        "Enabled": true,
+        "SeverityThreshold": 7.0,
+        "RequireCompleteReachability": false,
+        "TreatUnknownAsReachable": false,
+        "BlockOnReachabilityError": false,
+        "Environments": {
+          "production": {
+            "SeverityThreshold": 4.0,
+            "TreatUnknownAsReachable": true
+          }
+        }
+      }
+    }
+  }
+}
+```
+
+### Options
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `Enabled` | bool | `true` | Whether the gate is active |
+| `SeverityThreshold` | double | `7.0` | CVSS score threshold for reachable CVEs |
+| `RequireCompleteReachability` | bool | `false` | Require reachability analysis for all components |
+| `TreatUnknownAsReachable` | bool | `false` | Treat CVEs with unknown reachability as reachable |
+| `BlockOnReachabilityError` | bool | `false` | Fail gate if reachability analysis fails |
+| `Environments` | dict | `{}` | Per-environment overrides |
+
+## Reachability States
+
+| State | Description | Default Behavior |
+|-------|-------------|------------------|
+| `Reachable` | Code path confirmed from entry point | Subject to severity threshold |
+| `NotReachable` | No code path found | Allowed (not blocked) |
+| `Unknown` | Reachability not analyzed | Depends on `TreatUnknownAsReachable` |
+| `Partial` | Some paths reachable | Treated as reachable |
+
+## Example Gate Results
+
+**Pass:**
+```
+Reachable CVE check passed. 8 CVE(s) found, 2 reachable, none above threshold 7.0
+```
+
+**Pass (no reachable):**
+```
+Reachable CVE check passed. 15 CVE(s) found, 0 reachable (all in unreachable code)
+```
+
+**Fail:**
+```
+Reachable high-severity CVE(s) found: CVE-2024-1234 (CVSS: 9.1, reachable via /api/upload), CVE-2024-5678 (CVSS: 7.5, reachable via /auth/login)
+```
+
+## CLI Usage
+
+```bash
+# Evaluate reachable CVE gate
+stella policy evaluate --gate reachable-cve --image myapp:v1.2.3
+
+# With specific severity threshold
+stella policy evaluate --gate reachable-cve --severity 9.0 --image myapp:v1.2.3
+
+# Treat unknown as reachable (conservative)
+stella policy evaluate --gate reachable-cve --treat-unknown-reachable --image myapp:v1.2.3
+```
+
+## Integration with Reachability Analysis
+
+This gate requires reachability analysis results from the Stella Scanner. Ensure images are scanned with reachability enabled:
+
+```bash
+stella scan --image myapp:v1.2.3 --reachability
+```
+
+Reachability analysis examines:
+- Container entry points (ENTRYPOINT, CMD)
+- Exposed ports and expected protocols
+- Call graphs from entry points to vulnerable functions
+- Language-specific dependency loading patterns
+
+---
+
+*Last updated: 2026-01-19.*