stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

semi implemented and features implemented save checkpoint

Browse Source
This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
docs/features/unchecked/attestor/micro-witness-evidence.md Normal file
View File

@@ -0,0 +1,32 @@
# Micro-Witness Evidence (Function-Level)
## Module
Attestor
## Status
IMPLEMENTED
## Description
Complete micro-witness system with binary refs, CVE refs, function-level evidence, verdict models, and tooling metadata for fine-grained reachability proof.
## Implementation Details
- **Binary Micro-Witness Predicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/BinaryMicroWitnessPredicate.cs` -- complete micro-witness combining binary ref, CVE ref, function evidence, SBOM ref, tooling, and verdicts.
- **Binary Reference**: `Predicates/MicroWitnessBinaryRef.cs` -- identifies the binary artifact (name, version, digest, architecture).
- **CVE Reference**: `Predicates/MicroWitnessCveRef.cs` -- CVE identifier with CVSS score, affected function, and advisory URL.
- **Function Evidence**: `Predicates/MicroWitnessFunctionEvidence.cs` -- function-level evidence with call-stack depth, reachability status, and code location.
- **SBOM Reference**: `Predicates/MicroWitnessSbomRef.cs` -- links micro-witness to an SBOM component entry (component name, version, bom-ref).
- **Tooling Metadata**: `Predicates/MicroWitnessTooling.cs` -- captures the analysis tool (name, version, language, analysis type).
- **Verdicts**: `Predicates/MicroWitnessVerdicts.cs` -- per-function reachability verdicts (Reachable, Unreachable, Unknown) with confidence.
- **Micro-Witness Statement**: `Statements/BinaryMicroWitnessStatement.cs` -- in-toto statement wrapping the micro-witness predicate.
- **Reachability Witness**: `Statements/ReachabilityWitnessPayload.cs` (with `.Path`) -- witness payload with call path data. `ReachabilityWitnessStatement.cs` -- in-toto wrapper.
- **Call Path Nodes**: `Statements/WitnessCallPathNode.cs`, `WitnessPathNode.cs` -- individual nodes in the witness call path.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/BinaryMicroWitnessPredicateTests.cs`
## E2E Test Plan
- [ ] Create a `BinaryMicroWitnessPredicate` with a `MicroWitnessBinaryRef`, `MicroWitnessCveRef`, and three `MicroWitnessFunctionEvidence` entries at different call-stack depths; verify the predicate is well-formed
- [ ] Create `MicroWitnessVerdicts` with Reachable, Unreachable, and Unknown verdicts for different functions and verify each verdict has a confidence score
- [ ] Verify `MicroWitnessTooling` captures language-specific analysis tools (e.g., Java call graph analyzer vs Python AST analyzer)
- [ ] Verify `MicroWitnessSbomRef` correctly links the witness to an SBOM component by bom-ref
- [ ] Build a `BinaryMicroWitnessStatement` and sign it into a DSSE envelope; verify the statement structure
- [ ] Create a `ReachabilityWitnessPayload` with a call path of 5 `WitnessCallPathNode` entries and verify path traversal from entrypoint to sink
- [ ] Verify function evidence at call-stack depth 0 (entrypoint) through depth N (vulnerable function) and confirm depth tracking is accurate