chore: Archive completed SPRINT_4400 implementations
Archive SPRINT_4400_0001_0001 (Signed Delta Verdict Attestation) and SPRINT_4400_0001_0002 (Reachability Subgraph Attestation) as all tasks are completed and verified.

Completed implementations:
- DeltaVerdictPredicate, DeltaVerdictStatement, DeltaVerdictBuilder
- DeltaVerdictOciPublisher with OCI referrer support
- CLI commands: delta compute --sign, delta verify, delta push
- ReachabilitySubgraph format with normalization
- ReachabilitySubgraphPredicate, ReachabilitySubgraphStatement
- ReachabilitySubgraphExtractor and ReachabilitySubgraphPublisher
- CLI: stella reachability show with DOT/Mermaid export
- Comprehensive integration tests for both features

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@@ -0,0 +1,107 @@
# Sprint 4400_0001_0001 <20> Signed Delta Verdict Attestation

## Topic & Scope
- Create a signed attestation format for Smart-Diff deltas so semantic risk changes are portable, auditable, and verifiable.
- Moat thesis: "We explain what changed in exploitable surface area, not what changed in CVE count."
- **Working directory:** `src/Scanner/` (primary), `src/Attestor/`, `src/Cli/`.
- Evidence: delta verdict predicate + builder + OCI referrer push + CLI diff sign/verify + SARIF linkage + tests.

### Background
Smart-Diff (MaterialRiskChangeDetector) exists with R1-R4 rules and priority scoring. Gap: results are not attestable.

### Deliverables
#### D1: Delta Verdict Attestation Predicate
- Define `delta-verdict.stella/v1` predicate type.
- Include changes detected, priority score, evidence references.

#### D2: Delta Verdict Builder
- Build delta attestation from `MaterialRiskChangeResult`.
- Link to before/after proof spines.
- Include graph revision IDs.

#### D3: OCI Delta Push
- Push delta verdict as OCI referrer.
- Support linking to two image manifests (before/after).

#### D4: CLI Integration
- `stella diff --sign --push` flow.
- `stella diff verify` command.

### Acceptance Criteria
1. AC1: Delta verdict is a signed in-toto statement.
2. AC2: Delta can be pushed as OCI referrer.
3. AC3: `stella diff verify` validates signature and content.
4. AC4: Attestation links to both scan verdicts.

### Technical Notes
```json
{
"_type": "https://in-toto.io/Statement/v1",
"subject": [
{"digest": {"sha256": "<image-before>"}},
{"digest": {"sha256": "<image-after>"}}
],
"predicateType": "delta-verdict.stella/v1",
"predicate": {
"beforeRevisionId": "...",
"afterRevisionId": "...",
"hasMaterialChange": true,
"priorityScore": 1750,
"changes": [
{
"rule": "R1_ReachabilityFlip",
"findingKey": {"vulnId": "CVE-2024-1234", "purl": "..."},
"direction": "increased",
"reason": "Reachability changed from false to true"
}
],
"beforeVerdictDigest": "sha256:...",
"afterVerdictDigest": "sha256:...",
"comparedAt": "2025-12-22T00:00:00Z"
}
}
```

### Documentation Updates
- Add delta verdict to attestation catalog.
- Update Smart-Diff documentation.

## Dependencies & Concurrency
- Dependencies: MaterialRiskChangeDetector (exists), SPRINT_4300_0001_0001 (OCI referrer push foundation).
- Concurrency: No known conflicts in 44xx; safe to run in parallel with non-Scanner/Attestor/CLI changes.

## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/scanner/architecture.md`
- `docs/modules/attestor/architecture.md`
- `docs/modules/cli/architecture.md`
- `docs/product-advisories/14-Dec-2025 - Smart-Diff Technical Reference.md`

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | DELTA-001 | DONE | Predicate schema + statement location | Attestor Guild | Define `DeltaVerdictStatement` predicate. |
| 2 | DELTA-002 | DONE | DELTA-001 | Scanner Guild | Create `DeltaVerdictBuilder`. |
| 3 | DELTA-003 | DONE | Proof spine access | Scanner Guild | Implement before/after proof spine linking. |
| 4 | DELTA-004 | DONE | OCI referrer push foundation | Scanner Guild | Add delta verdict to OCI pusher. |
| 5 | DELTA-005 | DONE | DELTA-002 | CLI Guild | Implement `stella diff --sign`. |
| 6 | DELTA-006 | DONE | DELTA-005 | CLI Guild | Implement `stella diff verify`. |
| 7 | DELTA-007 | DONE | DELTA-002 | Scanner Guild | Add SARIF output with attestation reference. |
| 8 | DELTA-008 | DONE | All above | QA Guild | Integration tests. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-22 | Sprint created; awaiting staffing. | Planning |
| 2025-12-22 | Normalized sprint file to standard template; no semantic changes. | Planning |
| 2025-12-22 | DELTA-001 through DELTA-007 completed. Implemented: DeltaVerdictPredicate, DeltaVerdictStatement, DeltaVerdictBuilder, DeltaVerdictOciPublisher, CLI verify/push commands, SARIF attestation reference support. Fixed pre-existing bug in DeltaSigningService. | Implementation |
| 2025-12-22 | DELTA-008 completed. Added integration tests in DeltaVerdictAttestationTests.cs covering build/sign, verify, OCI attachment, serialization round-trip, and predicate validation. | Implementation |

## Decisions & Risks
- DELTA-004 depends on OCI referrer push foundations (SPRINT_4300_0001_0001); if unavailable, delta push is blocked.
- Proof spine linking requires accessible before/after spines; fall back to optional links if not available.

## Next Checkpoints
- TBD
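Review bot: the CLI surface recorded in D4 (`stella diff --sign --push`, `stella diff verify`), in AC3 and in tracker rows DELTA-005/DELTA-006 does not match what the commit message says shipped (`delta compute --sign`, `delta verify`, `delta push`); since this file is being archived as the record of delivery, D4, AC3 and the two tracker rows should name the commands that actually exist. Two smaller points on the Technical Notes statement: subject order in an in-toto Statement carries no meaning, and the predicate records `beforeRevisionId`/`beforeVerdictDigest` but never says which subject digest is the before image and which the after, so a verifier cannot detect the two subjects being swapped; either give each subject a `name` (`before`/`after`) or carry the image digests in the predicate. And the Decisions & Risks entry "fall back to optional links if not available" sits uneasily with AC4 ("links to both scan verdicts"): state whether `delta verify` fails or only warns when `beforeVerdictDigest`/`afterVerdictDigest` are absent, since an attestation without them cannot be tied back to the scans it claims to compare.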
@@ -0,0 +1,109 @@
# Sprint 4400_0001_0002 <20> Reachability Subgraph Attestation

## Topic & Scope
- Package reachability analysis results as a standalone, attestable subgraph artifact that can be stored, transferred, and verified without the full scan context.
- Moat thesis: "We provide proof of exploitability in this artifact, not just a badge."
- **Working directory:** `src/Signals/` (primary), `src/Scanner/`, `src/Attestor/`.
- Evidence: subgraph format + predicate + extractor + OCI push + CLI viewer + tests.

### Background
Current implementation has `ReachabilityWitnessStatement` for single path witness, `PathWitnessBuilder` for call path construction, and `CallPath` models. Gap: no standalone reachability subgraph as a portable artifact.

### Deliverables
#### D1: Reachability Subgraph Format
- Define graph serialization format (nodes, edges, metadata).
- Include entrypoints, symbols, call edges, gates.
- Support partial graphs (per finding).

#### D2: Subgraph Attestation Predicate
- Define `reachability-subgraph.stella/v1` predicate.
- Include graph digest, finding keys covered, analysis metadata.

#### D3: Subgraph Builder
- Extract relevant subgraph from full call graph.
- Prune to reachable paths only.
- Include boundary detection results.

#### D4: OCI Subgraph Push
- Push subgraph as OCI artifact.
- Link to SBOM and verdict.

#### D5: Subgraph Viewer
- CLI command to inspect subgraph.
- Visualize call paths to vulnerable symbols.

### Acceptance Criteria
1. AC1: Subgraph captures all paths to vulnerable symbols.
2. AC2: Subgraph is a signed attestation.
3. AC3: Subgraph can be pushed as OCI artifact.
4. AC4: CLI can visualize subgraph.

### Technical Notes
```json
{
"version": "1.0",
"findingKeys": ["CVE-2024-1234@pkg:npm/lodash@4.17.20"],
"nodes": [
{"id": "n1", "type": "entrypoint", "symbol": "main.handler"},
{"id": "n2", "type": "call", "symbol": "lodash.merge"},
{"id": "n3", "type": "vulnerable", "symbol": "lodash._baseAssign"}
],
"edges": [
{"from": "n1", "to": "n2", "type": "call"},
{"from": "n2", "to": "n3", "type": "call"}
],
"gates": [
{"nodeId": "n1", "gateType": "http", "boundary": "public"}
],
"analysisMetadata": {
"analyzer": "node-callgraph-v2",
"confidence": 0.95,
"completeness": "partial"
}
}
```

### Documentation Updates
- Add reachability subgraph specification.
- Update attestation type catalog.
- Create reachability proof guide.

## Dependencies & Concurrency
- Dependencies: ReachabilityWitnessStatement (exists), CallPath (exists).
- Concurrency: No known conflicts in 44xx; safe to run in parallel with non-Signals/Scanner/Attestor changes.

## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/scanner/architecture.md`
- `docs/modules/attestor/architecture.md`
- `docs/modules/signals/unknowns/2025-12-01-unknowns-registry.md`
- `docs/reachability/DELIVERY_GUIDE.md`

## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SUBG-001 | DONE | Subgraph schema draft | Scanner Guild | Define `ReachabilitySubgraph` serialization format. |
| 2 | SUBG-002 | DONE | SUBG-001 | Attestor Guild | Create `ReachabilitySubgraphStatement` predicate. |
| 3 | SUBG-003 | DONE | Call graph access | Scanner Guild | Implement `SubgraphExtractor` from call graph. |
| 4 | SUBG-004 | DONE | SUBG-002 + SUBG-003 | Scanner Guild | Add subgraph to attestation pipeline. |
| 5 | SUBG-005 | DONE | OCI referrer push foundation | Scanner Guild | Implement OCI subgraph push. |
| 6 | SUBG-006 | DONE | SUBG-001 | CLI Guild | Create `stella reachability show` command. |
| 7 | SUBG-007 | DONE | SUBG-006 | CLI Guild | Add DOT/Mermaid export for visualization. |
| 8 | SUBG-008 | DONE | All above | QA Guild | Integration tests with real call graphs. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-22 | Sprint created; awaiting staffing. | Planning |
| 2025-12-22 | Normalized sprint file to standard template; no semantic changes. | Planning |
| 2025-12-22 | SUBG-001 through SUBG-007 completed. Implemented: ReachabilitySubgraph serialization format with normalizer, ReachabilitySubgraphPredicate, ReachabilitySubgraphStatement, ReachabilitySubgraphExtractor, ReachabilitySubgraphPublisher (CAS + attestation), CLI `stella reachability show` command, DOT/Mermaid export. | Implementation |
| 2025-12-22 | SUBG-008 completed. Added integration tests in ReachabilitySubgraphAttestationTests.cs covering subgraph structure, normalization, serialization, DOT/Mermaid export, and analysis metadata validation. | Implementation |

## Decisions & Risks
- OCI referrer support varies by registry; ensure fallback paths or clear error messages for SUBG-005.
- Large subgraphs may impact push size; consider pruning defaults and deterministic ordering.

## Next Checkpoints
- TBD
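Review bot: AC1 ("Subgraph captures all paths to vulnerable symbols") is contradicted by the file's own format: D1 explicitly supports partial graphs and the Technical Notes example carries `"completeness": "partial"`. A partial subgraph can prove that a path to the vulnerable symbol exists; it cannot prove that no other path exists, so either scope AC1 to "at least one complete path per covered finding" or make the claim explicit in the predicate (for example a field stating whether the graph is a witness or an exhaustive enumeration) so that consumers of the attestation do not over-read `completeness`. Two consistency points: `findingKeys` here are flat strings (`CVE-2024-1234@pkg:npm/lodash@4.17.20`) while the delta-verdict predicate in the sibling sprint uses a structured `{"vulnId", "purl"}` object; since D4 says the subgraph links to the verdict, one key encoding across both predicates (or at least a documented split rule, given the purl itself contains `@`) would avoid a lossy mapping. And the execution log records the publisher as "CAS + attestation" while D4, SUBG-005 and AC3 say OCI artifact push; note which one shipped and how the registry-support risk under Decisions & Risks was resolved, since the sprint is being archived as done with Next Checkpoints still "TBD".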