stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

semi implemented and features implemented save checkpoint

Browse Source
This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
docs/features/unchecked/attestor/reachability-aware-vulnerability-prioritization.md Normal file
View File

@@ -0,0 +1,34 @@
# Reachability-Aware Vulnerability Prioritization (Competitive Differentiator)
## Module
Attestor
## Status
IMPLEMENTED
## Description
Reachability witness payload with path information, micro-witness function evidence and verdicts, DSSE-signed reachability witnesses, and ground-truth reachability datasets for validation.
## Implementation Details
- **Reachability Witness Payload**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs` (with `.Path`) -- witness payload with call path from entrypoint to vulnerable function.
- **Reachability Witness Statement**: `Statements/ReachabilityWitnessStatement.cs` -- in-toto statement for DSSE signing.
- **Micro-Witness Function Evidence**: `Predicates/MicroWitnessFunctionEvidence.cs` -- function-level evidence with call-stack depth and reachability status.
- **Micro-Witness Verdicts**: `Predicates/MicroWitnessVerdicts.cs` -- per-function verdicts (Reachable, Unreachable, Unknown) with confidence scores.
- **Micro-Witness Binary Ref**: `Predicates/MicroWitnessBinaryRef.cs` -- binary artifact reference.
- **Micro-Witness CVE Ref**: `Predicates/MicroWitnessCveRef.cs` -- CVE reference with affected function.
- **Micro-Witness Tooling**: `Predicates/MicroWitnessTooling.cs` -- analysis tool metadata (language, tool name, version).
- **Binary Micro-Witness Predicate**: `Predicates/BinaryMicroWitnessPredicate.cs` -- complete micro-witness combining all references.
- **Witness Call Path Nodes**: `Statements/WitnessCallPathNode.cs` -- call path node. `WitnessPathNode.cs` -- generic path node.
- **Witness Gate Info**: `Statements/WitnessGateInfo.cs` -- security gates along the path.
- **VEX Integration**: `Generators/VexProofIntegrator.cs` -- uses reachability evidence to prioritize VEX decisions.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/BinaryMicroWitnessPredicateTests.cs`, `ReachabilityWitnessTests.cs`
## E2E Test Plan
- [ ] Create a `ReachabilityWitnessPayload` with a reachable call path and verify it can prioritize a CVE as high-priority
- [ ] Create a `MicroWitnessVerdicts` entry with "Unreachable" for a critical CVE and verify it deprioritizes the finding
- [ ] Create function evidence with `MicroWitnessFunctionEvidence` at call-stack depth 0 through 5 and verify depth tracking
- [ ] Sign a `ReachabilityWitnessStatement` into a DSSE envelope and verify the signature
- [ ] Build a complete `BinaryMicroWitnessPredicate` with binary ref, CVE ref, function evidence, and SBOM ref; verify all fields
- [ ] Verify `MicroWitnessTooling` distinguishes between language-specific tools (Java call graph vs Python AST analyzer)
- [ ] Integrate reachability evidence into a VEX decision via `VexProofIntegrator`: unreachable function -> "not_affected" status
- [ ] Create witnesses for multiple CVEs on the same component and verify per-CVE prioritization