semi-implemented and features implemented save checkpoint

This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions


@@ -0,0 +1,40 @@
# VEX Format Normalization (CycloneDX, OpenVEX, CSAF)
## Module
Policy
## Status
IMPLEMENTED
## Description
Normalizers for CSAF and OpenVEX formats to convert heterogeneous VEX statements into the unified trust lattice representation.
## Implementation Details
- **TrustLatticeEngine**: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/TrustLatticeEngine.cs`
- Three VEX format normalizers integrated into evaluation pipeline:
- CycloneDX normalizer: converts CycloneDX VEX analysis states to K4 claims
- OpenVEX normalizer: converts OpenVEX status to K4 claims
- CSAF normalizer: converts CSAF product status to K4 claims
- All normalizers produce unified claim objects for K4 lattice evaluation
- Format-specific metadata preserved in claim provenance
- **K4Lattice**: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/K4Lattice.cs`
- Unified representation: Unknown=0, True=1, False=2, Conflict=3
- `FromSupport()` maps normalized evidence to K4 values
- **ClaimBuilder**: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/TrustLatticeEngine.cs`
- Fluent API for building claims from any format:
- Assert(cve).Present(component).Mitigated() -> K4 True
- Assert(cve).Present(component).Applies() -> K4 False (affected)
- Assert(cve).Present(component).Fixed() -> K4 True (fixed version)
- Assert(cve).Present(component).Misattributed() -> K4 True (not applicable)
- **Trust lattice directory**: `src/Policy/__Libraries/StellaOps.Policy/TrustLattice/` (15 files total)
## E2E Test Plan
- [ ] Normalize CycloneDX VEX with status "not_affected" and justification "code_not_reachable"; verify K4 True claim with correct provenance
- [ ] Normalize OpenVEX with status "affected"; verify K4 False claim
- [ ] Normalize CSAF with status "known_affected" and remediation "vendor_fix"; verify K4 claim reflects affected + fix available
- [ ] Normalize CycloneDX VEX with status "fixed"; verify K4 True claim (vulnerability fixed)
- [ ] Normalize all 3 formats for same CVE; merge via ClaimScoreMerger; verify deterministic result
- [ ] Normalize VEX with invalid format; verify error handling (parse failure does not crash pipeline)
- [ ] Verify format-specific metadata preserved: CycloneDX justification, OpenVEX statement, CSAF product_status
- [ ] Normalize VEX from unknown format; verify treated as Unknown K4 value
- [ ] Verify all normalizers produce claims compatible with K4Lattice.Join() and Meet()
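Review bot: the ClaimBuilder mapping (lines "Assert(cve).Present(component).Applies() -> K4 False (affected)" versus "Mitigated() -> K4 True") never states which proposition the K4 value is evaluating, so a reader cannot tell why "affected" is False while "fixed" and "not applicable" are True; add one sentence under Implementation Details naming the proposition (apparently "the vulnerability is not exploitable in this component") so that the True/False/Unknown/Conflict table in the K4Lattice section can be read against it. Two related gaps in the same hunk: the CSAF test item "verify K4 claim reflects affected + fix available" does not say which K4 value is expected, and by the table given (Unknown=0, True=1, False=2, Conflict=3) affected plus fixed would land on Conflict=3 unless the normalizer gives remediation precedence, so the test should name the expected value and the rule that produces it; and the ClaimBuilder entry points at `TrustLatticeEngine.cs`, the same file as the TrustLatticeEngine entry, which is either a wrong path or should be noted as sharing the file. Minor: the title lists CycloneDX, OpenVEX and CSAF but the Description mentions only "CSAF and OpenVEX formats", and Status reads IMPLEMENTED while every E2E item is still unchecked.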