stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Add comprehensive security tests for OWASP A02, A05, A07, and A08 categories
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
Findings Ledger CI / build-test (push) Has been cancelled
Details
Findings Ledger CI / migration-validation (push) Has been cancelled
Details
Findings Ledger CI / generate-manifest (push) Has been cancelled
Details
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Details
Lighthouse CI / Lighthouse Audit (push) Has been cancelled
Details
Lighthouse CI / Axe Accessibility Audit (push) Has been cancelled
Details
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Details
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Details
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Details
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Policy Simulation / policy-simulate (push) Has been cancelled
Details

Browse Source 
- Implemented tests for Cryptographic Failures (A02) to ensure proper handling of sensitive data, secure algorithms, and key management.
- Added tests for Security Misconfiguration (A05) to validate production configurations, security headers, CORS settings, and feature management.
- Developed tests for Authentication Failures (A07) to enforce strong password policies, rate limiting, session management, and MFA support.
- Created tests for Software and Data Integrity Failures (A08) to verify artifact signatures, SBOM integrity, attestation chains, and feed updates.
This commit is contained in:
master
2025-12-16 16:40:19 +02:00
parent 415eff1207
commit 2170a58734
206 changed files with 30547 additions and 534 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
docs/schemas/evidence-predicate.schema.json Normal file
View File

@@ -0,0 +1,52 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella-ops.org/schemas/evidence.stella/v1.json",
"title": "Evidence Predicate Schema",
"description": "Schema for evidence.stella/v1 predicate type - raw evidence from scanner or feed",
"type": "object",
"required": [
"source",
"sourceVersion",
"collectionTime",
"sbomEntryId",
"rawFinding",
"evidenceId"
],
"properties": {
"source": {
"type": "string",
"minLength": 1,
"description": "Scanner or feed name that produced this evidence"
},
"sourceVersion": {
"type": "string",
"pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+.*$",
"description": "Version of the source tool"
},
"collectionTime": {
"type": "string",
"format": "date-time",
"description": "UTC timestamp when evidence was collected"
},
"sbomEntryId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}:pkg:.+",
"description": "Reference to the SBOM entry this evidence relates to"
},
"vulnerabilityId": {
"type": "string",
"pattern": "^(CVE-[0-9]{4}-[0-9]+|GHSA-.+)$",
"description": "CVE or vulnerability identifier if applicable"
},
"rawFinding": {
"type": ["object", "string"],
"description": "Pointer to or inline representation of raw finding data"
},
"evidenceId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Content-addressed ID of this evidence (hash of canonical JSON)"
}
},
"additionalProperties": false
}

52
docs/schemas/proofspine-predicate.schema.json Normal file
View File

@@ -0,0 +1,52 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella-ops.org/schemas/proofspine.stella/v1.json",
"title": "Proof Spine Predicate Schema",
"description": "Schema for proofspine.stella/v1 predicate type - merkle-aggregated proof bundle",
"type": "object",
"required": [
"sbomEntryId",
"evidenceIds",
"reasoningId",
"vexVerdictId",
"policyVersion",
"proofBundleId"
],
"properties": {
"sbomEntryId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}:pkg:.+",
"description": "The SBOM entry ID this proof spine covers"
},
"evidenceIds": {
"type": "array",
"items": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
},
"minItems": 1,
"description": "Sorted list of evidence IDs included in this proof bundle"
},
"reasoningId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "The reasoning ID linking evidence to verdict"
},
"vexVerdictId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "The VEX verdict ID for this entry"
},
"policyVersion": {
"type": "string",
"pattern": "^v[0-9]+\\.[0-9]+\\.[0-9]+$",
"description": "Version of the policy used"
},
"proofBundleId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Content-addressed ID of this proof bundle (merkle root)"
}
},
"additionalProperties": false
}

65
docs/schemas/reasoning-predicate.schema.json Normal file
View File

@@ -0,0 +1,65 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella-ops.org/schemas/reasoning.stella/v1.json",
"title": "Reasoning Predicate Schema",
"description": "Schema for reasoning.stella/v1 predicate type - policy evaluation trace",
"type": "object",
"required": [
"sbomEntryId",
"evidenceIds",
"policyVersion",
"inputs",
"reasoningId"
],
"properties": {
"sbomEntryId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}:pkg:.+",
"description": "The SBOM entry ID this reasoning applies to"
},
"evidenceIds": {
"type": "array",
"items": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
},
"minItems": 1,
"description": "Evidence IDs that were considered in this reasoning"
},
"policyVersion": {
"type": "string",
"pattern": "^v[0-9]+\\.[0-9]+\\.[0-9]+$",
"description": "Version of the policy used for evaluation"
},
"inputs": {
"type": "object",
"required": ["currentEvaluationTime"],
"properties": {
"currentEvaluationTime": {
"type": "string",
"format": "date-time",
"description": "The evaluation time used for temporal reasoning"
},
"severityThresholds": {
"type": "object",
"description": "Severity thresholds applied during evaluation"
},
"latticeRules": {
"type": "object",
"description": "Lattice rules used for status merging"
}
},
"additionalProperties": false
},
"intermediateFindings": {
"type": "object",
"description": "Intermediate findings from the evaluation"
},
"reasoningId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Content-addressed ID of this reasoning"
}
},
"additionalProperties": false
}

96
docs/schemas/sbom-linkage-predicate.schema.json Normal file
View File

@@ -0,0 +1,96 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella-ops.org/schemas/sbom-linkage/v1.json",
"title": "SBOM Linkage Predicate Schema",
"description": "Schema for sbom-linkage/v1 predicate type - SBOM-to-component linkage",
"type": "object",
"required": [
"sbom",
"generator",
"generatedAt"
],
"properties": {
"sbom": {
"type": "object",
"required": ["id", "format", "specVersion", "mediaType", "sha256"],
"properties": {
"id": {
"type": "string",
"minLength": 1,
"description": "Unique identifier of the SBOM"
},
"format": {
"type": "string",
"enum": ["CycloneDX", "SPDX"],
"description": "Format of the SBOM"
},
"specVersion": {
"type": "string",
"description": "Specification version"
},
"mediaType": {
"type": "string",
"description": "MIME type of the SBOM document"
},
"sha256": {
"type": "string",
"pattern": "^[a-f0-9]{64}$",
"description": "SHA-256 digest of the SBOM content"
},
"location": {
"type": "string",
"description": "Optional location URI (oci:// or file://)"
}
},
"additionalProperties": false
},
"generator": {
"type": "object",
"required": ["name", "version"],
"properties": {
"name": {
"type": "string",
"minLength": 1,
"description": "Name of the generator tool"
},
"version": {
"type": "string",
"description": "Version of the generator tool"
}
},
"additionalProperties": false
},
"generatedAt": {
"type": "string",
"format": "date-time",
"description": "UTC timestamp when this linkage was generated"
},
"incompleteSubjects": {
"type": "array",
"items": {
"type": "object",
"required": ["name", "reason"],
"properties": {
"name": {
"type": "string",
"description": "Name or identifier of the incomplete subject"
},
"reason": {
"type": "string",
"description": "Reason why the subject is incomplete"
}
},
"additionalProperties": false
},
"description": "Subjects that could not be fully resolved"
},
"tags": {
"type": "object",
"additionalProperties": {
"type": "string"
},
"description": "Arbitrary tags for classification or filtering"
}
},
"additionalProperties": false
}

123
docs/schemas/verdict-receipt-predicate.schema.json Normal file
View File

@@ -0,0 +1,123 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella-ops.org/schemas/verdict.stella/v1.json",
"title": "Verdict Receipt Predicate Schema",
"description": "Schema for verdict.stella/v1 predicate type - final surfaced decision receipt",
"type": "object",
"required": [
"graphRevisionId",
"findingKey",
"rule",
"decision",
"inputs",
"outputs",
"createdAt"
],
"properties": {
"graphRevisionId": {
"type": "string",
"pattern": "^grv_sha256:[a-f0-9]{64}$",
"description": "The graph revision ID this verdict was computed from"
},
"findingKey": {
"type": "object",
"required": ["sbomEntryId", "vulnerabilityId"],
"properties": {
"sbomEntryId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}:pkg:.+",
"description": "The SBOM entry ID for the component"
},
"vulnerabilityId": {
"type": "string",
"pattern": "^(CVE-[0-9]{4}-[0-9]+|GHSA-.+)$",
"description": "The vulnerability ID"
}
},
"additionalProperties": false
},
"rule": {
"type": "object",
"required": ["id", "version"],
"properties": {
"id": {
"type": "string",
"minLength": 1,
"description": "Unique identifier of the rule"
},
"version": {
"type": "string",
"description": "Version of the rule"
}
},
"additionalProperties": false
},
"decision": {
"type": "object",
"required": ["status", "reason"],
"properties": {
"status": {
"type": "string",
"enum": ["block", "warn", "pass"],
"description": "Status of the decision"
},
"reason": {
"type": "string",
"minLength": 1,
"description": "Human-readable reason for the decision"
}
},
"additionalProperties": false
},
"inputs": {
"type": "object",
"required": ["sbomDigest", "feedsDigest", "policyDigest"],
"properties": {
"sbomDigest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Digest of the SBOM used"
},
"feedsDigest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Digest of the advisory feeds used"
},
"policyDigest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Digest of the policy bundle used"
}
},
"additionalProperties": false
},
"outputs": {
"type": "object",
"required": ["proofBundleId", "reasoningId", "vexVerdictId"],
"properties": {
"proofBundleId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "The proof bundle ID containing the evidence chain"
},
"reasoningId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "The reasoning ID explaining the decision"
},
"vexVerdictId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "The VEX verdict ID for this finding"
}
},
"additionalProperties": false
},
"createdAt": {
"type": "string",
"format": "date-time",
"description": "UTC timestamp when this verdict was created"
}
},
"additionalProperties": false
}

54
docs/schemas/vex-verdict-predicate.schema.json Normal file
View File

@@ -0,0 +1,54 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella-ops.org/schemas/cdx-vex.stella/v1.json",
"title": "VEX Verdict Predicate Schema",
"description": "Schema for cdx-vex.stella/v1 predicate type - VEX verdict with provenance",
"type": "object",
"required": [
"sbomEntryId",
"vulnerabilityId",
"status",
"justification",
"policyVersion",
"reasoningId",
"vexVerdictId"
],
"properties": {
"sbomEntryId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}:pkg:.+",
"description": "The SBOM entry ID this verdict applies to"
},
"vulnerabilityId": {
"type": "string",
"pattern": "^(CVE-[0-9]{4}-[0-9]+|GHSA-.+)$",
"description": "The vulnerability ID (CVE, GHSA, etc.)"
},
"status": {
"type": "string",
"enum": ["not_affected", "affected", "fixed", "under_investigation"],
"description": "VEX status"
},
"justification": {
"type": "string",
"minLength": 1,
"description": "Justification for the VEX status"
},
"policyVersion": {
"type": "string",
"pattern": "^v[0-9]+\\.[0-9]+\\.[0-9]+$",
"description": "Version of the policy used"
},
"reasoningId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Reference to the reasoning that led to this verdict"
},
"vexVerdictId": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "Content-addressed ID of this VEX verdict"
}
},
"additionalProperties": false
}